
dalogin 2.2 multiple vulnerabilities

Posted on 11 June 2010

app desc: Configurable WebSite. PHP + Mysql: news zone with rss feed, private zone, languages, themes, administration panel
app source: http://dalogin.sourceforge.net/
author: hc0

[1] config file disclosure

you can access the config.ini file at [path]/admin/include/config.ini
this file contains the mysql connection information (user, pass, host etc..)
it says "come here and ownz by box!!"

[2] sql injection

at line 115 the http request parameter id is used in the sql query without filtering.

114 - //READ COMMENTS
115 - $Sql="SELECT * from news_comments WHERE id_new=".$_REQUEST['id']." AND state=1";
116 - $result_comments = mysql_query($Sql);
117 - while ($row_comments=mysql_fetch_array($result_comments))
118 - {
119 - echo '<table class="CommentTable">';
120 - echo '<tr>
121 - <td width="100px">'.strftime(DATE_TIME_FORMAT,strtotime($row_comments['date_comment'])).'
122 - <br /><b>'.$row_comments['user_name'].'</b>
123 - </td>
124 - <td class="CommentTableImg">
125 - '.$row_comments['comment'].'
126 - </td>
127 - </tr>';
128 - echo '</table><br />';
129 - }

[3] xss

181 - function InsertComment()
182 - {
183 - global $link;
184 - $Sql="INSERT INTO news_comments (id_new,comment,date_comment,state,user_name) VALUES (".$_REQUEST['id'].",'".$_POST['comment_text']."',Now(),0,'".$_POST['comment_user']."')";
185 - mysql_query($Sql);
186 - echo '<div class="CommentAlert" style=" background-color: #c5fbcd">'.COMMENT_SENT_LABEL.'</div>';
187 - }

you need to post a comment that includes your xss attack payload and it is saved to the database. the loop shown in [2] later prints the saved user_name and comment without escaping (lines 122 and 125). it's so simple :)

[4] just for fun

i'm so bored..................

# Inj3ct0r.com (http://inj3ct0r.com/) [2010-06-11]
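The fixes for [2] and [3], as an added example that is not part of the advisory or of dalogin's code: the id is validated as an integer, both queries use bound parameters (line 184 builds its INSERT from request data the same way line 115 builds its SELECT), and stored values are escaped when printed. The function names are hypothetical, and PDO with an in-memory SQLite database is an assumption standing in for the application's mysql_* calls.

```php
<?php
// Added example, not dalogin's own code. SQLite in memory stands in for MySQL
// so the script runs offline; table and column names come from the advisory.

function parseNewsId($raw): ?int {
    // Accept only a positive integer; everything else is refused before any SQL runs.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function insertComment(PDO $db, $rawId, string $user, string $text): bool {
    $id = parseNewsId($rawId);
    if ($id === null) { return false; }
    // Placeholders keep request data out of the SQL text (compare line 184).
    $st = $db->prepare('INSERT INTO news_comments (id_new, comment, date_comment, state, user_name)
                        VALUES (:id, :comment, CURRENT_TIMESTAMP, 0, :user)');
    return $st->execute([':id' => $id, ':comment' => $text, ':user' => $user]);
}

function fetchComments(PDO $db, $rawId): array {
    $id = parseNewsId($rawId);
    if ($id === null) { return []; }
    // Bound integer parameter instead of concatenation (compare line 115).
    $st = $db->prepare('SELECT * FROM news_comments WHERE id_new = :id AND state = 1');
    $st->bindValue(':id', $id, PDO::PARAM_INT);
    $st->execute();
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

function renderComment(array $row): string {
    // Escape on output so stored markup is displayed as text (compare lines 122 and 125).
    $e = fn($s) => htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
    return '<table class="CommentTable"><tr><td><b>' . $e($row['user_name']) . '</b></td>'
         . '<td class="CommentTableImg">' . $e($row['comment']) . '</td></tr></table>';
}

// Constructed demo data, not taken from a real installation.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news_comments (id_new INTEGER, comment TEXT, date_comment TEXT, state INTEGER, user_name TEXT)');
insertComment($db, '1', "o'brien", 'nice <b>post</b> <script>alert(1)</script>');
$db->exec('UPDATE news_comments SET state = 1'); // assumption: state = 1 marks a comment as approved
var_dump(insertComment($db, '1 OR 1=1', 'x', 'y'));   // non-integer id never reaches the database
var_dump(count(fetchComments($db, '1 OR 1=1')));       // same check on the read path
foreach (fetchComments($db, '1') as $row) {
    echo renderComment($row), "\n";
}
```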

 
