SECURITYVULNS:DOC:16294
History: Mar 09, 2007 - 12:00 a.m.

dynaliens v2.0/v2.1 bypass admin authentication + XSS

2007-03-09 00:00:00
vulners.com
  • dynaliens v2.0/v2.1 bypass admin authentication + XSS

  • By : sn0oPy

  • Risk : high

  • site : http://www.spiderforce.fr.st/

  • Dork : inurl:"/dynaliens"

  • exploit :

       Normally, when we add "/admin" to the link, like this: http://www.target.ma/dynaliens/admin, we are presented with a restricted area. But if we add "validlien.php3" after the admin folder, we are taken straight to the admin console without authentication.
    

The PHP_AUTH_USER check is present only in the index script:

if ($auth == 0)
{
    if(!$PHP_AUTH_USER)
    {
        Header("WWW-authenticate: basic realm=\"$domaine\"");
        Header("HTTP/1.0 401 Unauthorized");

        // Below is the code that is displayed if the Cancel button is clicked

        EnteteADMIN();

…

            if ($PHP_AUTH_USER==$login && $PHP_AUTH_PW==$pwd)
            {
                if (@mysql_connect ($cfgHote, $cfgUser, $cfgPass))
                {
                    $sql = "SELECT * FROM $tb_rub";
                    $sql = mysql_db_query($cfgBase,$sql);
                    $nbrub = mysql_num_rows($sql);

                    $sql2 = "SELECT * FROM $tb_liens WHERE valid=0";
                    $sql2 = mysql_db_query($cfgBase,$sql2);
                    $addlien = mysql_num_rows($sql2);

                    $sql3 = "SELECT * FROM $tb_liens WHERE valid=1";
                    $sql3 = mysql_db_query($cfgBase,$sql3);
                    $dellien = mysql_num_rows($sql3);

                    EnteteADMIN();

                    br(4);

                    echo "<center>";
                    DebutTableau("#FFFFFF", "1", "0", "30%");
                    DebutTableau("#5A6BA5", "20", "0", "100%");

                    echo "<center>";
                    echo "<font color='#FDFC65'><b>CONSOLE D'ADMINISTRATION</b></font>";
                    echo "</center>";

You can do it with any one of these files when the admin has forgotten to re-edit his files:

validlien.php3
supprlien.php3
supprub.php3
confsuppr.php3
modiflien.php3
confmodif.php3
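The root cause is that the Basic-auth check lives only in the index script, so every other admin script is reachable directly. The usual fix is one guard file that every admin script requires before doing anything else. The following is an added example written for this advisory, not dynaliens code; the guard file name, the config path and the use of PHP 5.6+ functions (hash_equals, __DIR__) are assumptions, while $login, $pwd and $domaine are the names used in the excerpt above.

```php
<?php
// admin/auth_guard.php3 (hypothetical name). Put this at the top of EVERY
// admin script (validlien.php3, supprlien.php3, ...):
//     require_once __DIR__ . '/auth_guard.php3';
// Assumes the config file below defines $login, $pwd and $domaine as in the excerpt.
require_once __DIR__ . '/../config.php3';   // hypothetical path

function deny_and_exit($realm)
{
    // Challenge the browser and stop: nothing after the guard runs unauthenticated.
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authentication required';
    exit;
}

// Read the credentials from $_SERVER rather than relying on the
// register_globals-era $PHP_AUTH_USER / $PHP_AUTH_PW variables.
$user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
$pass = isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : '';

if ($user === '' || $pass === '') {
    deny_and_exit($domaine);
}

// Strict, constant-time comparison instead of the loose == used by the original,
// so neither type juggling nor response timing helps an attacker.
if (!hash_equals((string) $login, $user) || !hash_equals((string) $pwd, $pass)) {
    deny_and_exit($domaine);
}
// Authenticated: the including admin script continues from here.
```

A quick audit for this class of bug is to grep every script under admin/ for the require line; any file without it is reachable exactly as the advisory describes.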

XSS : http://www.target.ma/dynaliens/recherche.php3
XSS : http://www.target.ma/dynaliens/ajouter.php3