Magic Quotes
8.2 Reflected Cross Site Scripting in index.php
------------------------------------------------------------------------------------------------------------------------
Severity: Medium
Requires: Register globals to be on
The victim user must be logged out
Magic quotes must be off
8.2.1 Proof of concept exploit
http://test/cutenews/index.php?lastusername='%3E%3Cscript%3Ealert(/xss/);%3C/script%3E
II. DESCRIPTION
This application is affected by many SQL Injection
security flaws. In order to exploit them, Magic Quotes
GPC (php.ini) must be Off, except for one of them.
I tested version 1.4.1 only; however, other versions may
also be vulnerable.
II. DESCRIPTION
This application is affected by many SQL Injection
security flaws. In order to exploit them, Magic Quotes
GPC (php.ini) must be Off.
In this security advisory I reported only some of the
vulnerable files.
I tested version 0.1.5c only; however, other versions may
also be vulnerable.
>
> A) Remote Code Execution
>
> A Remote Code Execution issue has been found in Zabbix version
> 1.6.2 and no authentication is required in order to exploit this
> vulnerability. The Magic Quotes must be off in order to exploit
> this vulnerability, however this feature will not be supported
> starting with PHP 6.0 (ref. http://it2.php.net/magic_quotes).
>
> Zabbix has a security feature that parses all incoming input for
> possible bad chars with the help of the function check_fields() defined
A) Blind SQL Injection
All fields that I tested are vulnerable to Blind SQL
Injection.
I can't report all vulnerable files because there are many.
Most of the injections do not require that Magic Quotes GPC
(php.ini) is set to Off.
However, an attacker may try to exploit this vulnerability
using the full path disclosed by the MySQL error
to write a file into the remote file system, using as
destination path the gallery directories, where the
#
#------------
#CONDITIONS:
#------------
#
#gpc_magic_quotes=OFF
#
#-------
#NEED:
#-------
#
###################
Author: Brainhead
Type: XSS
Version: 4.01.02
Files: usergallery.php, calendar.php
Magic Quotes: off
###################
Examples:
http://site.tld/[PATH]/index.php?site=usergallery&action=upload&galleryID=">[your code]
http://site.tld/[PATH]/index.php?site=calendar&action=announce&upID=">[your code]
$exec_wordtrans .= "\"".$_POST['word']."\"";
passthru($exec_wordtrans);
break;
...
To exploit this vulnerability, the "Magic Quotes" option needs to be
unset. But since this option has been removed from PHP (deprecated in
5.3.0 and gone in 5.4.0; at the time of writing the removal was announced
for version 6.0.0), this is a critical vulnerability.
A) SQL Injection
None of the parameters is properly sanitised, and the injection can be
exploited even when Magic Quotes GPC (php.ini) is On, since the injected
value is numeric and never quoted.
IV. SAMPLE CODE
http://site/hotel_tiempolibre_ext.php?HotelID=4&NoticiaID=-1 UNION ALL
#Found: 21 January 2008
#Author: NBBN
#Type: XSS
#DeluxeBB Version: 1.1
#Register Globals: ON
#Magic Quotes: OFF
########################################################
poc:
http://www.site.tld/path/templates/default/admincp/attachments_header.php?lang_listofmatches=<script>alert("XSS")</script>
PS: you have to send the null byte raw, as \0, not URL-encoded;
if you use %00 it will not be treated as a null byte ;)
---------------------------------------------------------------
Remote Command Execution Exploit (works only with Magic Quotes OFF):
<!-- This code will create "31337.php" in http://[target]/[pblang_path]; you can then execute code via GET as 31337.php?php=[YOUR_CODE] -->
<form action='[target]/ntopic.php?idnum=[idtopic]' name='postmodify' enctype='multipart/form-data' method='POST' onSubmit='submitonce(this);' target='_self'>
<input type='text' name='subject' value="Owned by KiNgOfThEwOrLd's Exploit">
<input type='hidden' name='fid' value='../../../../31337.php\0'>
Solution
************************
Edit the source code to ensure that input is properly sanitised.
Pass anything that is echoed back into a page through the "htmlspecialchars()" or "htmlentities()" PHP function so that HTML tags
are not rendered. For database access, use prepared statements (PDO or mysqli) or, at minimum, escape every value with the "mysql_real_escape_string()" PHP function so that SQL statements
can't be delivered through the "get" variables. Turning on magic_quotes is not a substitute: it is deprecated since PHP 5.3 and removed in 5.4, it only
adds backslashes in front of quotes (so a numeric parameter stays injectable), and if your script already escapes its input it will double-escape the quotes.
Example:
# $clean = array();
# $html = array();
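The handler the Solution above describes, as an added example that is not code from any advisory on this page: the vulnerable form that relied on magic quotes next to a hardened form that validates the id, binds it in a prepared statement and escapes output with htmlspecialchars(). The "news" table, its two rows and the hypothetical names vulnerableTitles()/hardenedTitles() are assumptions; the data is constructed inline in an SQLite in-memory database so the script runs offline (it needs the pdo_sqlite extension).

```php
<?php
declare(strict_types=1);

// Added example, not code from any advisory on this page. The "news" table and its
// two rows are constructed here so the script runs offline.
function setupDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)');
    $pdo->exec("INSERT INTO news VALUES (1, 'Public post'), (2, '<b>Draft</b>')");
    return $pdo;
}

// Vulnerable: concatenates $_GET['id'] straight into the query and would echo the
// result unescaped. Even with magic_quotes_gpc = On this is injectable, because a
// numeric parameter is never quoted and addslashes() finds nothing to escape.
function vulnerableTitles(PDO $pdo, string $id): array
{
    return $pdo->query("SELECT title FROM news WHERE id = $id")->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the id is validated as an unsigned integer, the query is a prepared
// statement with a bound parameter, and everything that will be reflected into the
// page goes through htmlspecialchars() with ENT_QUOTES and an explicit charset.
function hardenedTitles(PDO $pdo, string $id): array
{
    if (preg_match('/^\d{1,9}$/', $id) !== 1) {
        return [];                      // reject anything that is not a small integer
    }
    $stmt = $pdo->prepare('SELECT title FROM news WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $escaped = [];
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $title) {
        $escaped[] = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return $escaped;
}

$pdo = setupDb();
$payload = '1 OR 1=1';      // no quote character, so magic quotes would pass it through unchanged

var_dump(vulnerableTitles($pdo, $payload)); // both rows: the WHERE clause was rewritten
var_dump(hardenedTitles($pdo, $payload));   // empty array: rejected before it reaches the query
var_dump(hardenedTitles($pdo, '2'));        // ["&lt;b&gt;Draft&lt;/b&gt;"]: safe to echo into HTML
```

If the same code still has to run on PHP older than 5.4 with magic_quotes_gpc on, normalise the input with stripslashes() when get_magic_quotes_gpc() returns true before binding it; otherwise the stored value picks up a stray backslash, which is the double escaping the Solution warns about.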
~~~~~~~~~~~~~~
Input passed to the "arcmonth" parameter in the blog's page is not properly verified before being used
in an SQL query.
This can be exploited through the browser to manipulate SQL queries and pull the usernames and passwords
of the admin and users in plain text. Successful exploitation requires that "magic_quotes" is off.
Poc/Exploit:
~~~~~~~~~~
Description:
ViArt Shop is a full-featured online e-commerce solution written
in PHP. There is a high-risk SQL Injection in ViArt that allows
an attacker to take over the ViArt installation. This
vulnerability is present regardless of the magic_quotes configuration.
An updated version of ViArt has been released and all users are
encouraged to upgrade their ViArt installation as soon as possible.
SQL Injection:
Vulnerability:
~~~~~~~~~~~~~
Input passed to the "cid" parameter in the index.php page is not properly verified before being used in an SQL query.
This can be exploited through the browser to obtain the MD5 password hashes of users and to retrieve users' session IDs.
Successful exploitation requires that "magic_quotes" is off.
Poc/Exploit:
~~~~~~~~~
~~~~~~~~~~~~~~
Input passed to the "cid" parameter in the showcategory.php page and the "id" parameter
in software-description.php are not properly verified before being used in an SQL query.
This can be exploited through the browser to obtain the admin password in plain text.
Successful exploitation requires that "magic_quotes" is off.
Poc/Exploit:
~~~~~~~~~~
Input passed to the "id" parameter in the index.php page is not properly verified before
being used in an SQL query. This can be exploited through the browser to obtain the admin
password in plain text.
Successful exploitation requires that "magic_quotes" is off.
Poc/Exploit:
~~~~~~~~~~
Input passed to the "listing_id" parameter in index.php is not properly verified before being used
in an SQL query.
This can be exploited through the browser to manipulate SQL queries and pull the usernames and passwords of realtors
and users in plain text.
Successful exploitation requires that "magic_quotes" is off.
Poc/Exploit:
~~~~~~~~~
Vulnerability:
~~~~~~~~~~~~~~
Input passed to the "pid" parameter is not properly verified before being used in an SQL query.
This can be exploited through the browser to obtain the admin username and MD5 password hash.
Successful exploitation requires that "magic_quotes" is off.
Poc/Exploit:
~~~~~~~~~~
Vulnerability:
~~~~~~~~~~~~~~
Input passed to the "cat_id" parameter in backlinkspider's page is not properly verified before being used in an SQL query.
This can be exploited to execute SQL queries through the browser.
Successful exploitation requires that "magic_quotes" is enabled.
Poc/Exploit:
~~~~~~~~~~
Vulnerability:
~~~~~~~~~~~~~~
Input passed to the "id" parameter is not properly verified before being used in an SQL query.
This can be exploited through the browser to obtain the usernames and MD5 password hashes of users.
Successful exploitation requires that "magic_quotes" is off.
Poc/Exploit:
~~~~~~~~~~
Vulnerability:
~~~~~~~~~~~~~~
Input passed to the "cat" parameter is not properly verified before being used in an SQL query.
This can be exploited through the browser to obtain the admin username and MD5 password hash.
Successful exploitation requires that "magic_quotes" is off.
Poc/Exploit:
~~~~~~~~~~
Vulnerability:
~~~~~~~~~~~~~
Input passed to the "cat_id" parameter in directory.php is not properly verified before being used in an SQL query.
This can be exploited through the browser to obtain the MD5 password hashes of users.
Successful exploitation requires that "magic_quotes" is off.
Poc/Exploit:
~~~~~~~~~
Vulnerability:
~~~~~~~~~~~~~
Input passed to the "host_id" parameter in search_result.php is not properly verified before being used in an SQL query.
This can be exploited through the browser to obtain the admin username and password in plain text.
Successful exploitation requires that "magic_quotes" is off.
Poc/Exploit:
~~~~~~~~~
Vulnerability:
~~~~~~~~~~~~~
Input passed to the "catid" parameter is not properly verified before being used in an SQL query.
This can be exploited through the browser to obtain the MD5 password hashes of users.
Successful exploitation requires that "magic_quotes" is off.
Poc/Exploit:
~~~~~~~~~
Vulnerability:
~~~~~~~~~~~~~
Input passed to the "id" parameter in the profiles-codes, video-codes and arcade-games modules is not properly verified before being used in an SQL query.
This can be exploited through the browser to obtain the MD5 password hashes of users.
Successful exploitation requires that "magic_quotes" is off.
Poc/Exploit:
~~~~~~~~~
Vulnerability:
~~~~~~~~~~~~~~
Input passed to the "seid" parameter in the events module is not properly verified before being used in an SQL query.
This can be exploited through the browser to obtain the MD5 password hashes of members and to retrieve the admin session ID.
Successful exploitation requires that "magic_quotes" is off.
Poc/Exploit:
~~~~~~~~~~
1. Retrieve Admin Session ID:
$sxPhotoResults = sxPhotoSearchResults($search);
------------>[/source code]<-----------
As we can see, stripslashes() is applied to the search string, so
"magic_quotes" will not help against SQL injection. And the following function,
"sxPhotoSearchResults()", does not sanitise the search string either.
So let's have a test:
http://victim.com/search.php?search=O'Brien
> local file path. Despite that it's possible to include every target
> file truncating the filename using %00 (nullbyte):
>
> /locales.php?next=1&srclang=../../../../../../../var/log/apache2/error_log%00%22
>
> Null-byte injection normally requires magic quotes off.
>
> The vulnerable code is the following:
>
> --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
>
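What magic_quotes_gpc actually did, and the three situations on this page in which it did not help, as an added example that is not code from any of the advisories quoted here: the stripslashes() case from the sxPhoto search.php excerpt, the unquoted numeric parameter of the hotel_tiempolibre_ext.php and blind-injection excerpts (exploitable with magic quotes On), and the null-byte truncation from the PBLang and locales.php excerpts (which needs magic quotes Off). The table, column and directory names (photos, news, users, locales/) and the helper names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from any advisory on this page. magic_quotes_gpc = On was
// equivalent to running every GET/POST/COOKIE value through addslashes(), which puts a
// backslash in front of ' " \ and NUL (NUL becomes the two characters backslash-zero).
function magicQuotes(string $raw): string
{
    return addslashes($raw);
}

// 1. The sxPhoto search.php case: the script calls stripslashes() on the input, which
//    exactly reverses addslashes(), so the quote is back before the query is built.
function searchQuery(string $search): string
{
    $search = stripslashes(magicQuotes($search));
    return "SELECT * FROM photos WHERE title LIKE '%$search%'";
}

// 2. The hotel_tiempolibre_ext.php / blind-injection case: an integer parameter is
//    concatenated without quotes, so a UNION payload contains nothing to escape and
//    magic quotes may be On or Off.
function newsQuery(string $id): string
{
    return 'SELECT * FROM news WHERE NoticiaID=' . magicQuotes($id);
}

// 3. The null-byte cases (PBLang "fid", locales.php "srclang"): with magic quotes Off
//    the raw NUL stays in the path and PHP before 5.3.4 cut the file name there; with
//    magic quotes On the NUL is rewritten to backslash-zero and the suffix survives.
function includePaths(string $srclang): array
{
    return [
        'off' => 'locales/' . $srclang . '.php',
        'on'  => 'locales/' . magicQuotes($srclang) . '.php',
    ];
}

var_dump(searchQuery("x' OR '1'='1"));
// SELECT * FROM photos WHERE title LIKE '%x' OR '1'='1%'   (injectable despite magic quotes)

var_dump(newsQuery('-1 UNION ALL SELECT username, password FROM users'));
// SELECT * FROM news WHERE NoticiaID=-1 UNION ALL SELECT username, password FROM users

$paths = includePaths("../../../../../../../var/log/apache2/error_log\0");
var_dump(strpos($paths['off'], "\0") !== false);  // true: a real NUL, truncation possible
var_dump(strpos($paths['on'], "\0") !== false);   // false: escaped, the trick fails
```

The three checks are the ones to run when an advisory says "magic quotes must be off": if the sink is unquoted, or the script strips the slashes itself, the setting is irrelevant; only string contexts that keep the escaped quote, and null-byte path truncation, are blocked by it.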