Today we are going to check the RMS admin panel for bugs.
After studying the whole source, I found out that the work with the database goes through PDO, which means that it was almost pointless to hunt for SQL injections. On the off chance, I tried to look for a second-order injection, but it didn't work either, because the content from the database was almost never used in the queries (for anyone wondering how it could be used: http://stackoverflow.com/questions/12952187).
All that remained was to look for bugs on the client side. It was rather sad here too: all variables were either converted to int or filtered through htmlspecialchars. However, some of the variables were inside the single quotes of an onclick event (which htmlspecialchars does not convert by default), which made it possible to inject a clumsy stored XSS.
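The encoding gap described above, shown next to two fixes, as an added example that is not code from the panel or from the original post. It assumes the value lands in a single-quoted JavaScript string inside a double-quoted onclick attribute; `$botName` and `editBot` are hypothetical names, and the sample value is constructed.

```php
<?php
// Constructed sample of a stored, attacker-controlled value (hypothetical field).
$botName = "pc-01');alert(1);//";

// 1. The pattern described above: HTML-escape only. ENT_COMPAT was the
//    htmlspecialchars() default before PHP 8.1 and leaves ' untouched.
function unsafe_compat(string $v): string {
    return "<a onclick=\"editBot('" . htmlspecialchars($v, ENT_COMPAT, 'UTF-8') . "')\">edit</a>";
}

// 2. ENT_QUOTES turns ' into &#039;, but the browser decodes entities in the
//    attribute before the JavaScript parser runs, so the string still breaks.
function still_unsafe_quotes(string $v): string {
    return "<a onclick=\"editBot('" . htmlspecialchars($v, ENT_QUOTES, 'UTF-8') . "')\">edit</a>";
}

// 3. Encode for the JavaScript string context first, then for the HTML attribute.
function safe_js_then_html(string $v): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    $js = json_encode($v, $flags); // yields a quoted JS string literal
    return '<a onclick="editBot(' . htmlspecialchars($js, ENT_QUOTES, 'UTF-8') . ')">edit</a>';
}

// 4. Preferable: keep data out of script; a static handler reads the data attribute.
function safe_data_attr(string $v): string {
    return '<a class="edit" data-bot="' . htmlspecialchars($v, ENT_QUOTES, 'UTF-8') . '">edit</a>';
}

// Returns what the JavaScript engine receives once the HTML parser
// has decoded the entities in the onclick attribute value.
function as_seen_by_js(string $html): string {
    preg_match('/onclick="([^"]*)"/', $html, $m);
    return html_entity_decode($m[1] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

foreach (['unsafe_compat', 'still_unsafe_quotes', 'safe_js_then_html'] as $fn) {
    printf("%-20s %s\n", $fn, as_seen_by_js($fn($botName)));
}
echo safe_data_attr($botName), "\n";
```

The first two variants hand the script engine the same broken-out string, which is why switching htmlspecialchars to ENT_QUOTES alone does not close this class of bug in event-handler attributes.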
index.php, line 98:
index.php, line 107:
The gate where bots check in, tick.php:
In the admin panel, click the edit or focus button:
The author said that flooding the admin panel is not considered a bug, but you’ll have to flood a bit to get at least some results:
The principle is as follows:
The botmaster goes into the admin panel. He sees a bunch of bogus bots. He tries to remove/edit them. If he is lucky (oh dear god, I pray you are), he runs our JS code. And the admin cookie flies to the sniffer:
PROFIT! Set a cookie in your browser, log into the admin panel, fuck up bot IDs/give everyone a task to upload their software/remove bots.
I would like to note that this admin panel is significantly different in terms of security from what I have encountered before. All I could find is one XSS, which is not exploited in the easiest way. Plus, the robots.txt file blocks indexing, and finding more such admin panels just didn't work out.
P.S. There's one more little bug: the Prodigy clip in the iframe doesn't open.