
KOPANEL security hole

Newbie Spellweaver
Joined
Jun 29, 2007
Messages
22
Reaction score
0
Hi,
recently I was testing KOPanel security and I found a way to get the dbpass on any site that has KOPanel installed
(then sql connect->exec master xp cmdshell net user add....administrator->remote and your server is mine)

I won't tell you the exploit here, Turks would abuse it.


If you want me to check whether your server is vulnerable or not, write me a PM.


If I find the fix I'll post it here.
 
Experienced Elementalist
Loyal Member
Joined
Jun 11, 2006
Messages
214
Reaction score
0
Hi,
recently I was testing KOPanel security and I found a way to get the dbpass on any site that has KOPanel installed
(then sql connect->exec master xp cmdshell net user add....administrator->remote and your server is mine)

I won't tell you the exploit here, Turks would abuse it.


If you want me to check whether your server is vulnerable or not, write me a PM.


If I find the fix I'll post it here.

Is this Apache-based panels or all?
 
Newbie Spellweaver
Joined
Jun 29, 2007
Messages
22
Reaction score
0
All.
Just tested it on lostsoulzko.net -- worked.
 
Junior Spellweaver
Joined
Jun 5, 2006
Messages
133
Reaction score
0
Yup :(. Thanks for helping me fix it, gerydeft xD
 
Newbie Spellweaver
Joined
Dec 26, 2006
Messages
5
Reaction score
0
Seems like most servers got it fixed though,

or at least have it fixed now :eek:
 
Newbie Spellweaver
Joined
Jun 29, 2007
Messages
22
Reaction score
0
Nah, jonny, if you read this you can tell them the fix ^^
 
Newbie Spellweaver
Joined
Feb 23, 2006
Messages
25
Reaction score
0
Interesting... my guess is that it's an SQL injection which lets you upload a PHP file which has the line you just mentioned.
 
Newbie Spellweaver
Joined
Dec 26, 2006
Messages
5
Reaction score
0
Interesting... my guess is that it's an SQL injection which lets you upload a PHP file which has the line you just mentioned.
It is.

Well, 2 more lines to be exact, I think... then open the server via a command on your PC.
The method of this thing is pretty old (well, if it is the thing I think it is :D)
 
Newbie Spellweaver
Joined
Jun 29, 2007
Messages
22
Reaction score
0
Nah, with the exploit I can include any file instead of register.php or debug.php etc.
 
Newbie Spellweaver
Joined
Jun 29, 2007
Messages
22
Reaction score
0
OK, if you want to make your KOPanel secure then go to index.php

and make every $_GET[act] part test($_GET[act]) if you have Heretic's anti sql injection.php.

My MSN is gerydeft@yahoo.com
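The posts above describe the hole as a file include driven by the `act` request parameter and the fix as filtering `$_GET[act]`. The following is an added example, not KOPanel's or the poster's code: instead of filtering the value, it resolves `act` through a fixed allow-list so that only known page files can ever reach `include`. The file names follow the thread (register.php, debug.php); the pages directory, the other action names and the function name are assumptions.

```php
<?php
// Added example (not KOPanel's code): dispatch the "act" request parameter
// through an allow-list instead of a blacklist filter. File names follow the
// thread; the pages directory and extra action names are assumptions.

const ACTIONS = [
    'register' => 'register.php',
    'login'    => 'login.php',
    'ranking'  => 'ranking.php',
];

/**
 * Map the requested action to a file inside $pagesDir.
 * Anything that is not a key of ACTIONS falls back to $default, so a request
 * such as ?act=debug.php or ?act=../config.php can never reach include().
 * Only the page is selected by the request; the path itself never is.
 */
function resolve_action($act, string $pagesDir, string $default = 'login'): string
{
    // filter_input() hands back false for array input (?act[]=x); reject that too.
    if (!is_string($act) || !array_key_exists($act, ACTIONS)) {
        $act = $default;
    }
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . DIRECTORY_SEPARATOR . ACTIONS[$act]);
    // Defence in depth: the resolved file must exist and sit inside $pagesDir.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('action file missing or outside pages directory');
    }
    return $path;
}

// In index.php the dispatch then reads:
//   $act = filter_input(INPUT_GET, 'act', FILTER_DEFAULT);  // null when absent
//   require resolve_action($act, __DIR__ . '/pages');
```

Unknown or missing actions land on the default page rather than on an error, which is usually what a login panel wants; log them if you want to see who is probing.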
 
Junior Spellweaver
Joined
Jun 5, 2006
Messages
133
Reaction score
0
Don't worry about it Asian, yours is fine. Gerydeft, this only works on IIS. Apache servers have built-in protection. In fact, if you set up your security properties correctly for the IIS user, it doesn't work then either. It seems most people using IIS are giving IIS full administrative permissions.
 
Newbie Spellweaver
Joined
Jun 20, 2008
Messages
57
Reaction score
0
Spamman, I would like to see this as well, as I have a very nice defensive system. It would be a good test of my defense system. However, I need a new power supply first.
 
Newbie Spellweaver
Joined
Feb 14, 2008
Messages
17
Reaction score
0
Guys, can someone share with me the files that were used on lostsoulz.net (I mean there was an older version of that, I need this; I don't mean give me the files of lostsoulz.net)? Thanks a lot.
 
Experienced Elementalist
Joined
Jan 3, 2008
Messages
299
Reaction score
1
Guys, can someone share with me the files that were used on lostsoulz.net (I mean there was an older version of that, I need this; I don't mean give me the files of lostsoulz.net)? Thanks a lot.
LOL

On-Topic: I would suggest using Heretic's KO Panel because I heard it was the most protected from SQL injection of the released KO Panels...
 