Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

Re: UPB: Discussion Board/Web-Site Takeover
From: rgod () autistici org
Date: 19 Jul 2005 05:41:18 -0000
this is probably a hoax or an error, the system command is not executed, it's invisibile and inside the html... :) you 
can put a javascript instead and steal cookies. This is my proof of concept exploit:

http://www.rgod.altervista.org/upbgold196poc.php.txt

(if you have troubles with this script set allow_call_time_pass_reference = on
and register_globals = On)

otherwise you can make with telnet but in the user agent field you can make something like:

<script>alert(document.cookie)</script>

and when admin open ip log file the javascript will run in the security contest of his system...

however, you can craft some special urls, (look at this link: http://www.rgod.altervista.org/upbgold196xssurlspoc.txt ) 
to have same results...

sorry for my bad English

rgod

email: rgod () autistici org
site: http://rgod () altervista org

  By Date           By Thread  

Current thread:
  • Re: UPB: Discussion Board/Web-Site Takeover rgod (Jul 20)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]