#3
01.11.2010, 21:56
[Feldmarschall]
Forum member
Registered: 06.01.2010
Posts: 136
Reputation: 87

Apprain CMS

Version: 0.1.X

Official site: http://www.apprain.com/

(1.11.2010)

Uploading a shell through the admin panel

Method 1 | Gallery -> Add New Picture

It says "*.jpg, *.gif, *.png", but the shell uploads fine; the shell's address is /uploads/filemanager/ *** .php

Method 2 | Store -> Add New product

PHP code:
var uploadAllFiles, uploadOnlyImageFiles;

window.onload = function() {

    uploadAllFiles = new SWFUpload({

        // Backend Settings
        upload_url: "<?php echo $this->baseurl('/common/general_upload/'); ?>",
        post_params: {"PHPSESSID" : ""}, /* the PHP expression that filled this value was lost in extraction */

        // File Upload Settings
        file_size_limit : "102400", // 100MB
        file_types : "*.*",
        file_types_description : "All Files",
        file_upload_limit : "100",
        file_queue_limit : "0",

        .......
Active (stored) XSS

/member/signup

When registering a user -> First Name - Last Name - Address

PHP code:
<?php echo $this->get_tag("form", array("method" => "post", "class" => "app_form app_validation", "id" => "signup_form", "action" => $this->baseurl("/member/signup")));

echo $this->get_tag("ul");

echo App::Load("Helper/Html")->get_from_row($this->__("First Name"), App::Load("Helper/Html")->inputTag("data[Member][f_name]", "", array("class" => "input check_notempty", 'id' => 'f_name', 'longdesc' => 'Please enter your first name')));

echo App::Load("Helper/Html")->get_from_row($this->__("Last Name"), App::Load("Helper/Html")->inputTag("data[Member][l_name]", "", array("class" => "input check_notempty", 'id' => 'l_name', 'longdesc' => 'Please enter your last name')));

echo App::Load("Helper/Html")->get_from_row($this->__("Country"), App::Load("Helper/Html")->countryTag("data[Member][country]", "", array("title" => "Country", "id" => "country", "class" => "select check_notempty"), array('title' => 'Your Country', 'longdesc' => 'Please select your country')));

echo App::Load("Helper/Html")->get_from_row($this->__("Address"), App::Load("Helper/Html")->textareaTag("data[Member][address]", "", array("rows" => "3", "class" => "input check_notempty", 'id' => 'address', 'longdesc' => 'Enter your address infomration')));
/admin/account/edit

Quote:
In the admin panel -> First Name - Last Name


/information/manage/blog-post


Edit "Title" to: "><script>window.location.href='http://www.google.de/';</script>

/admin/config/general

Admin Setting -> Site Title

and in many other places in the admin panel

Passive (reflected) XSS

www.localhost/quickstart/admin/forgotlogin

\development\view\system\admin\forgotlogin.phtml

Forgot Password -> Enter your Email Address ->

Quote:
value=""><script>alert(document.cookie)</script>"
PHP code:
(the opening of this tag and the start of the PHP expression were lost in extraction)
... data['Admin']['email']) ? $this->data['Admin']['email'] : "" ?>" />
+

Search

\development\view\whitecloud\home\search.phtml

PHP code:
<?php echo $this->__("Search Reasult for") ?> ''

<?php echo $this->__("Total result found "); ?>
(the expression echoed between the quotes on the first line and the rest of this snippet were lost in extraction)
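Both upload paths in the post rely on a client-side SWFUpload filter, which the server never re-checks. The following is an added example, not Apprain code, of the server-side validation that would have stopped the .php upload: it checks the extension whitelist, rejects double extensions, identifies the content from the bytes rather than the name, and stores the file under a random name. The function names, the constants and the CLI demonstration are assumptions for this example.

```php
<?php
// Added example, not Apprain code: server-side validation of an image upload.
// The client-side SWFUpload filter ("*.jpg, *.gif, *.png" or "*.*") is only a UI
// hint; the server must enforce the rule itself, on the file's content and name.
declare(strict_types=1);

// MIME type detected from the bytes => extension the file is stored under
const ALLOWED_IMAGE_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
const ALLOWED_EXTENSIONS  = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Validate an uploaded file as an image. Returns ['ok' => true, 'name' => <safe name>]
 * or ['ok' => false, 'error' => <reason>]. $tmpPath is the uploaded temp file,
 * $originalName the client-supplied file name.
 */
function validate_image_upload(string $tmpPath, string $originalName, int $maxBytes = 2 * 1024 * 1024): array
{
    if (!is_file($tmpPath)) {
        return ['ok' => false, 'error' => 'no file'];
    }
    if (filesize($tmpPath) > $maxBytes) {
        return ['ok' => false, 'error' => 'file too large'];
    }

    // 1. Name check: whitelist the extension and reject multiple extensions
    //    (shell.php.jpg), which some server configurations map to a handler by the first one.
    $parts = explode('.', strtolower(basename($originalName)));
    array_shift($parts);                       // drop the base name, keep the extension(s)
    if (count($parts) !== 1 || !in_array($parts[0], ALLOWED_EXTENSIONS, true)) {
        return ['ok' => false, 'error' => 'extension not allowed'];
    }

    // 2. Content check: detect the MIME type from the bytes, never from the name
    //    or from the browser-supplied $_FILES[...]['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return ['ok' => false, 'error' => 'content is not an allowed image type'];
    }

    // 3. Structural check: the file must parse as an image.
    if (@getimagesize($tmpPath) === false) {
        return ['ok' => false, 'error' => 'not a valid image'];
    }

    // 4. Never reuse the client name: random name plus the extension implied by the content.
    return ['ok' => true, 'name' => bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime]];
}

/** Validate and move the file into $uploadDir, which must be served with script execution disabled. */
function store_image_upload(string $tmpPath, string $originalName, string $uploadDir): array
{
    $result = validate_image_upload($tmpPath, $originalName);
    if (!$result['ok']) {
        return $result;
    }
    $dest = rtrim($uploadDir, '/') . '/' . $result['name'];
    // move_uploaded_file() refuses anything that did not arrive through PHP's upload
    // mechanism; rename() is used only so the CLI demonstration below works.
    $moved = is_uploaded_file($tmpPath) ? move_uploaded_file($tmpPath, $dest) : rename($tmpPath, $dest);
    return $moved ? ['ok' => true, 'name' => $result['name'], 'path' => $dest]
                  : ['ok' => false, 'error' => 'could not store file'];
}

// CLI demonstration on constructed inputs (no web server needed).
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir();

    // constructed: a text file containing PHP, offered under an image-looking name
    $fake = tempnam($dir, 'up');
    file_put_contents($fake, "<?php echo 'not an image'; ?>");
    printf("shell.php.jpg -> %s\n", json_encode(validate_image_upload($fake, 'shell.php.jpg')));
    printf("shell.jpg     -> %s\n", json_encode(validate_image_upload($fake, 'shell.jpg')));

    // constructed: the smallest valid 1x1 GIF
    $gif = tempnam($dir, 'up');
    file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
    $stored = store_image_upload($gif, 'photo.gif', $dir);
    printf("photo.gif     -> %s\n", json_encode($stored));

    @unlink($fake);
    if ($stored['ok']) {
        @unlink($stored['path']);
    }
}
```

Even with these checks, the upload directory should not be able to execute scripts (for Apache with mod_php, `php_admin_flag engine off` in that directory's configuration), so that a file which slips through the content checks is served as static data rather than run.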
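Every XSS listed in the post (signup fields, admin account names, blog and site titles, the forgotlogin e-mail value, the search term) is the same defect: a user-controlled value is echoed into HTML without encoding. The following is an added example, not Apprain code, that rebuilds the affected outputs around one HTML-escaping helper; the function names (`e`, `render_*`) and the markup are assumptions for this example, and it does not use Apprain's own template helpers.

```php
<?php
// Added example, not Apprain code: the stored and reflected XSS in the post all come
// from echoing user-controlled values (names, address, titles, e-mail, search term)
// into HTML without encoding. One escaping helper applied at every output point
// closes them; the functions below rebuild the affected templates with it.
declare(strict_types=1);

/** Encode a string for insertion into HTML text or a quoted attribute value. */
function e(?string $s): string
{
    // ENT_QUOTES encodes both " and ' (so an attribute breakout such as "> fails),
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** forgotlogin.phtml: the reflected e-mail value inside value="...". */
function render_email_input(array $data): string
{
    return '<input type="text" name="data[Admin][email]" value="' . e($data['Admin']['email'] ?? '') . '" />';
}

/** search.phtml: the search term echoed back next to the result count. */
function render_search_header(string $term, int $total): string
{
    return "<h2>Search Result for '" . e($term) . "'</h2>\n<p>Total result found " . $total . "</p>\n";
}

/** Blog post title / site title: stored by an admin, shown to every visitor. */
function render_title(string $title): string
{
    return '<h1>' . e($title) . '</h1>';
}

/** Member signup fields (first name, last name, address) redisplayed after submit. */
function render_member_form(array $member): string
{
    $html = '';
    foreach (['f_name' => 'First Name', 'l_name' => 'Last Name'] as $key => $label) {
        $html .= sprintf(
            '<li><label for="%1$s">%2$s</label><input type="text" id="%1$s" name="data[Member][%1$s]" value="%3$s" /></li>' . "\n",
            e($key), e($label), e($member[$key] ?? '')
        );
    }
    $html .= '<li><label for="address">Address</label><textarea id="address" name="data[Member][address]" rows="3">'
        . e($member['address'] ?? '') . "</textarea></li>\n";
    return $html;
}

if (PHP_SAPI === 'cli') {
    // constructed inputs using the payloads reported in the post; all render as inert text
    echo render_email_input(['Admin' => ['email' => '"><script>alert(document.cookie)</script>']]), "\n";
    echo render_search_header('"><script>alert(1)</script>', 0);
    echo render_title('"><script>window.location.href=\'http://www.google.de/\';</script>'), "\n";
    echo render_member_form(['f_name' => '<b>x</b>', 'l_name' => "O'Brien", 'address' => '</textarea><script>alert(1)</script>']);
}
```

The helper is correct only for the HTML body and quoted attribute contexts shown here; a value placed inside a JavaScript string, a URL, or a CSS block needs the encoder for that context instead. Escaping at output rather than filtering at input is what makes the fix hold for the admin-stored titles as well as the reflected search and e-mail values.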