exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

geeklog2.txt

geeklog2.txt
Posted Sep 29, 2003
Authored by Lorenzo Hernandez Garcia-Hierro | Site security.novappc.com

Geeklog versions 2.x and below are susceptible to cross site scripting vulnerabilities and various SQL injection attacks.

tags | exploit, vulnerability, xss, sql injection
SHA-256 | 00084a1aaef68a8f9088d25e72f314aded4e7fda302ffd1525cd89404e07df72

geeklog2.txt

Change Mirror Download
Geeklog Multiple Versions Vulnerabilities
------
PRODUCT: Geeklog
VENDOR: Geeklog
VULNERABLE VERSIONS:

- 2.x ( TESTED ) (T.I.N.P)
- 1.x ( TESTED ) (T.I.N.P)
- And older versions possible affected too.

NO VULNERABLE VERSIONS

- ?

---------------------
N.TED = Not Tested in a Real Site / Production Site
T.I.N.P = Tested in Non Production Environment
____________
Description:



---------------------------------------------
|SECURITY HOLES FOUND and PROOFS OF CONCEPT:|
---------------------------------------------

I found XSS and SQL Injection vulnerabilities in the Geeklog
Content Management System.
The XSS can be used for stole authentication data and cookies, and , in some
conditions you can deface the website homepage.
The SQL Injections can be used for hack the backend database and
modify/read/delete/stole data in the backend database.
I found some security holes ( miscelaneous ).
---------
| XSS |
---------
I found XSS holes:
You can send code to the Shoutbox system for be displayed... IN THE HOME
PAGE !!!
This is the most important bug that i discovered in geeklog because any user
( not authenticated )
can send messages to shoutbox and these messages will be displayed in the
home page of the cms in a block.
-
Proof of Concept:
-
insert your code into the text box under the shoutbox block and press Shout
it ! thats all.

Another XSS:

http://[TARGET]/faqman/index.php?op=view&t=518">[XSS ATTACK CODE]

http://[TARGET]/filemgmt/brokenfile.php?lid=17'/%22%3[XSS ATTACK CODE]

Its very possible that other files using lid variable are vulnerable to this
and SQL Injection attacks.

------------------
| SQL INJECTIONS |
------------------

I found some SQL injections :

http://[TARGET]/index.php?topic=te'st/[SQL INJECTION CODE]

http://[TARGET]/forum/viewtopic.php?forum=1&showtopic=1'0/[SQL INJECTION
CODE]

http://[TARGET]/staticpages/index.php?page=test'test/[SQL INJECTION CODE]

http://[TARGET]/filemgmt/visit.php?lid=1'1'0/[SQL INJECTION CODE]

http://[TARGET]/filemgmt/viewcat.php?cid='6/[SQL INJECTION CODE]

http://[TARGET]/comment.php?type=filemgmt&cid=filemgmt-1'70/[SQL INJECTION
CODE]

http://[TARGET]/comment.php?mode=display&sid=filemgmt-XXX&title=[SQL
INJECTION CODE]

http://[TARGET]/filemgmt/singlefile.php?lid=17'/0/[SQL INJECTION CODE]

With this you can perform malformed sql queries for access privileged
information such as passwords ( md5 hashes ),
email addresses...


---------------
| MISCELANEoUS|
---------------
_____________
IP Detection ->
_____________

Geeklog only detects ips in front of a proxy , if you are
behind a proxy , geeklog's logs , scripts will be logging the proxy ip.
This can be patched by using HTTP_X_FORWARDED_FOR detection like:

<?php

/* ------------------------
/ Geeklog possible Hard IP
/ Detection System.
/ Use seeyou() instead of
/ declaring other ip variables.
/ ------------------------
/ by Lorenzo Hernandez G-H
/ ------------------------
*/ ________________________

function seeyou()
{
if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"),
"unknown"))
$ip = getenv("HTTP_CLIENT_IP");
else if (getenv("HTTP_X_FORWARDED_FOR") &&
strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
$ip = getenv("HTTP_X_FORWARDED_FOR");
else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"),
"unknown"))
$ip = getenv("REMOTE_ADDR");
else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR']
&& strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
$ip = $_SERVER['REMOTE_ADDR'];
else
$ip = "unknown";
return($ip);
}

/*-------seeyou()-------*/
/* <<EOF */
// ;-)
// dedicado a Pocholo
// Poxolo for president !
// FIEEEESSSSSSSSTAAAAAAAA

?>

and calling it from the main ip variable like:

$ip = seeyou();

________________________
Automatic IP Blocking ->
________________________

I'm suggesting this to the Geeklog development team .
Instead of logging facilities use a proactive system for deny ips of
attackers in real time.
I explain it:

An attacker checks those SQL Injection vulnerabilities.
Uses on or more possible bugs and the system adds this attempts to the
database:

-KIDDIE->
- IP -> uses seeyou() routine for detection
- ATTEMPTS -> COUNT-
|_> IF THIS IS x ( F.EX. 3) go to the block
routine ------
-------------------------------------------------------------------------
----|
|> Blocking routine:
- a file ( F.EX. blockthatsh*t.php )
|________________________________|
|
|
|> This adds an entry to another php
file that is
included in the common lib that is
loaded with
all the scripts with:
include
("blocked-sh*ts");

|________________________|
|
blocked-sh*ts.php source : <|


<?
/* No Secure Root Group Security Research
/ By Lorenzo Hernandez Garcia-Hierro
/ This is part of the Security Application Server ( unreleased ) by
/ Lorenzo Hernandez Garcia-Hierro
/ ---- Licensed under GPL ----
*/

$denyip = array("202.108.250.",
"200.147.47.97",
"148.221.148.38",
"80.117.13.97",
"212.142.214.63",
"213.97.249.145"
);

/* IP Detection
// ----------------------
// EXPERIMENTAL IN THIS SCRIPT
// THIS WILL BLOCK IPs USING
// THE "HARD DETECTION ROUTINE
// AND MATCHING THE denyip ARRAY
// -----------------------

function seeyou()
{
if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"),
"unknown"))
$ip = getenv("HTTP_CLIENT_IP");
else if (getenv("HTTP_X_FORWARDED_FOR") &&
strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
$ip = getenv("HTTP_X_FORWARDED_FOR");
else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"),
"unknown"))
$ip = getenv("REMOTE_ADDR");
else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR']
&& strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
$ip = $_SERVER['REMOTE_ADDR'];
else
$ip = "unknown";
return($ip);
}

// -------------------------
// -------END seeyou()-------*/

// For use only with seeyou() routine

// $ip = echoIP();

// Under this you don't need to change nothing.
// ----------------------------------------------

$ip = $_SERVER['REMOTE_ADDR']; // if you want seeyou() routine comment this
and uncomment the another one

$blockmsg = array('<h1>Access Blocked</h1><br><br>Your Internet Address was
blocked in our servers due to incorrect use or improper actions in the
servers , if you attempt to access again thi servers , your ISP will be
adviced about you.BlockedIPs are: <br><br>'."$denyip".'<br><br>Take care for
be out of this list.Shits smell bad.');

// Nothing to change below this line ------------------

$x = count($denyip);

for ($y = 0; $y < $x; $y++) {
if ($ip == $denyip[$y]) {
exit($blockmsg[$y]);
}
}

?>

And thats all , you need to perform a script for write in the correct form
the ips for block .

I called this sytem Blahsh*t Guard.

This is part of my ( unreleased ) whitepaper "uwahck" :

"Using Vulnerable Web Applications for HaCK into Servers " .

<<EOF

---------------
| CONCLUSIONS |
---------------

Geeklog doesn't have an input validation system and you can send
malicious data to the target geeklog installation.
This can be used by attackers for do extremely bad actions in the target
actions.
Geeklog core and modules are completly vulnerable to XSS attacks and SQL
Injection.
Definately Geeklog is not a Geek product ;-) .

for the development team and people going to use the Blahsh*t Guard:

The code is fully experimental and this one of the reasons of SAServer
unreleased.

Send Suggestions to me or join the project trough http://sas.novappc.com .

Greetings to:

0x00-Pocholo , hey , be president , cag_at_(dieresis)_at>en la *st*a ! .
0x02-rkc - no se ni pa que - ahi va ;-).
0x03-CqC Que le den a telecinco , Berlusconi y demás individuos de sci-fi.
0x04-A la chofa , por su musica "angelica" , pobrecilla , con ese bichejo en
medio...
0x05-a mrs nadie por su excelente trabajo.

NOTE: This is the first time that i write greetings but i want to do it more
, it is excelent for
the spanish poxo-family.

-----------
| CONTACT |
-----------
------------------------------------------------------
Lorenzo Hernandez Garcia-Hierro
--- Security Consultant ---
------------------NSRGroup-------------------
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
NSRGroup
( No Secure Root Group Security Research Team ) /
( NovaPPC Security Research Group )
http://security.novappc.com
______________________

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close