The open source multi-hosting control panel Kloxo is being widely exploited in the wild through an unauthenticated SQL injection vulnerability. The SQL injection can be abused to retrieve the Kloxo admin's cleartext password from the database. With admin access to the web control panel, remote PHP code execution can be achieved by abusing the Command Center function. The Metasploit module tries to find the first server in the tree view, unless the server information is provided, in which case it executes the payload there.
References:
Kloxo Exploited :- https://vpsboard.com/topic/3384-kloxo-installations-compromised
Kloxo Exploited :- http://www.webhostingtalk.com/showthread.php?p=8996984
Patch Discussion :- http://forum.lxcenter.org/index.php?t=msg&th=19215&goto=102646
Metasploit module :- http://packetstormsecurity.com/files/125152/kloxo_sqli.rb.txt
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/linux/http/kloxo_sqli
msf exploit(kloxo_sqli) > show targets
...targets...
msf exploit(kloxo_sqli) > set TARGET
msf exploit(kloxo_sqli) > show options
...show and set options...
msf exploit(kloxo_sqli) > exploit
Kindly update your Kloxo installation to the latest version. The current Kloxo release is 6.1.16.
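The practical follow-up to this advisory is an inventory check: which panels are still below 6.1.16? The example below is added here and is not code from Kloxo, the advisory, or the Metasploit module. It assumes the installed version string has already been collected from each host (how Kloxo records its version is not described on this page, so the string is simply passed in), and it shows the one thing that commonly goes wrong in such checks: comparing dotted versions as strings, which ranks "6.1.6" above "6.1.16".

```python
"""Triage a Kloxo inventory against the patched release named in the advisory.

Added example, not part of the original post. Version strings are assumed to
have been gathered from each host beforehand; the hostnames and versions in
SAMPLE_INVENTORY are constructed for illustration.
"""
import re

# Latest release named in the advisory; treat anything older as vulnerable.
PATCHED_VERSION = "6.1.16"

# Constructed sample: hostname -> version string as reported by the host.
SAMPLE_INVENTORY = {
    "panel-a.example": "6.1.16",
    "panel-b.example": "6.1.6",      # looks newer than 6.1.16 if compared as text
    "panel-c.example": "v6.1.12",
    "panel-d.example": "unknown",    # collection failed on this host
}


def parse_version(text: str) -> tuple:
    """Turn '6.1.16' (or 'v6.1.16-rc1') into a tuple of ints such as (6, 1, 16).

    Raises ValueError when no dotted numeric prefix is present, so callers can
    distinguish 'not patched' from 'could not determine'.
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(installed: str, minimum: str = PATCHED_VERSION) -> bool:
    """True when the installed version is numerically >= the minimum.

    Components are compared as integers, so 6.1.6 < 6.1.16 even though the
    string '6.1.6' sorts after '6.1.16'. Shorter tuples are zero-padded so
    that 6.1 compares as 6.1.0.
    """
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def triage(inventory: dict) -> dict:
    """Map each host to 'patched', 'vulnerable' or 'unknown'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "patched" if is_patched(version) else "vulnerable"
        except ValueError:
            # Never let an unparsable string silently pass as patched.
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:20} {status}")
```

Hosts reported as "unknown" deserve a manual look rather than being dropped from the list; an inventory that cannot read the version is the one most likely to be an unmanaged, unpatched install.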