==========================================================
Vulnerable Software: seditio-build161
==========================================================
Downloaded from: http://neocrome.net/page.php?id=2447&a=dl

# md5sum sed*.rar
aad96010a15f0c38e5cc321f8a91dd1b *seditio-build161.rar

Installation: Standard (I assume with default settings)

Tested:
==========================================================
*php.ini MAGIC_QUOTES_GPC OFF*
Safe mode off
/*
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
mysql> select version()
    -> ;
+-----------+
| version() |
+-----------+
| 5.5.21    |
+-----------+
*/
==========================================================
Vuln Desc: PERSISTENT CROSS SITE SCRIPTING:
==========================================================
Exploitation:
Create a new topic (/forums.php?m=newtopic&s=1) using the following details:

Topic Title: Whatever you want.
Topic Description: Whatever you want.
Body: Inject this:
You do not need click here!I will click it for you) Of course I ll pwn you)))

Post the topic. The first time, you'll see it as plaintext.
Click the *EDIT* button, but do not touch anything after this; simply push the *UPDATE* button.
After the update you'll return to your post. Try to hover your mouse over the link.

The same rules and exploitation also apply to the *Reply* section.
Remember: you do not need to touch anything after the *EDIT* button. You only need to UPDATE the topic with your "payload", and that's all.
@Print screen on success pwn: http://s43.radikal.ru/i099/1203/5d/2e2dfa119083.png

Other attacks are also possible, using XSS to steal security tokens and exploit CSRF (change password or deface the site automatically) using document.body.innerHTML (to steal administrator tokens).
==========================================================
Ok, now about Info and Path Disclosure:
Try direct access (previous versions also suffer from info and path disclosure):

http://192.168.0.15/learn/9/seditio/view.php
Parse error: syntax error, unexpected ')' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\core\view\view.inc.php on line 21
@http://www.neocrome.net/view.php

http://192.168.0.15/learn/9/seditio/plugins/contact/lang/contact.en.lang.php
Notice: Undefined variable: cfg in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\plugins\contact\lang\contact.en.lang.php on line 37

http://192.168.0.15/learn/9/seditio/system/lang/en/main.lang.php
Notice: Undefined variable: cfg in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\lang\en\main.lang.php on line 450

http://192.168.0.15/learn/9/seditio/system/lang/en/message.lang.php
Notice: Undefined variable: usr in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\lang\en\message.lang.php on line 37
Notice: Undefined variable: num in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\lang\en\message.lang.php on line 104
==============================================================================================================================
http://192.168.0.15/learn/9/seditio/system/core/view/view.inc.php
Parse error: syntax error, unexpected ')' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio\system\core\view\view.inc.php on line 21
@http://www.neocrome.net/system/core/view/view.inc.php
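For defenders checking their own install: the errors above follow PHP's default layout, so a response body can be scanned for leaked server paths. This is an added example, not part of the original advisory; the function names are hypothetical and the sample bodies are rebuilt from the error text quoted in the report.

```python
import re

# PHP's default error layout: "<Level>: <message> in <file> on line <n>"
PHP_ERROR = re.compile(
    r"(?P<level>Parse error|Fatal error|Warning|Notice):\s+(?P<message>.+?)"
    r" in (?P<path>(?:[A-Za-z]:\\|/).+?) on line (?P<line>\d+)"
)

def find_path_disclosures(body):
    """Return one record per PHP error in a response body that leaks a file path."""
    text = re.sub(r"</?b>|<br\s*/?>", "", body)  # markup PHP adds when html_errors is on
    return [
        {"level": m["level"], "message": m["message"],
         "path": m["path"], "line": int(m["line"])}
        for m in PHP_ERROR.finditer(text)
    ]

def leaked_root(findings):
    """Deepest directory shared by every leaked path, i.e. what the errors reveal."""
    dirs = [re.split(r"[\\/]", f["path"])[:-1] for f in findings]
    common = []
    for segments in zip(*dirs):
        if len(set(segments)) != 1:
            break
        common.append(segments[0])
    sep = "\\" if findings and "\\" in findings[0]["path"] else "/"
    return sep.join(common) if common else None

def audit(responses):
    """Map URL path -> findings, keeping only the pages that leak something."""
    found = {url: find_path_disclosures(body) for url, body in responses.items()}
    return {url: hits for url, hits in found.items() if hits}

# Constructed sample: bodies rebuilt from the error text quoted in the report.
ROOT = r"C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\9\seditio"
MSG = r"\system\lang\en\message.lang.php on line "
SAMPLE = {
    "/view.php": "Parse error: syntax error, unexpected ')' in "
                 + ROOT + r"\system\core\view\view.inc.php on line 21",
    "/plugins/contact/lang/contact.en.lang.php": "Notice: Undefined variable: cfg in "
                 + ROOT + r"\plugins\contact\lang\contact.en.lang.php on line 37",
    "/system/lang/en/message.lang.php":
        "Notice: Undefined variable: usr in " + ROOT + MSG + "37 "
        "Notice: Undefined variable: num in " + ROOT + MSG + "104",
    "/index.php": "<html><body>Forum index</body></html>",  # clean page, no leak
}

if __name__ == "__main__":
    hits = [f for fs in audit(SAMPLE).values() for f in fs]
    for f in hits:
        print(f"{f['level']} leaks {f['path']}:{f['line']}")
    print("install root revealed:", leaked_root(hits))
```

A non-empty result from `audit` on a production host means `display_errors` is still on or include files are directly reachable over HTTP.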
===============================================================================================================================
Info disclosure:

http://192.168.0.15/learn/9/seditio/docs/new/seditio-createnew-160.sql
http://192.168.0.15/learn/9/seditio/docs/upgrade/sedito_convert_to_utf8.optional.sql
http://192.168.0.15/learn/9/seditio/system/install/install.parser.sql

IMO this needs at least a simple .htaccess rule to protect these files from prying eyes.
===============================================================================================================================
/AkaStep ^_^
1332959725