dalogin 2.2 multiple vulnerabilites app desc: Configurable WebSite. PHP + Mysql: news zone with rss feed, private zone, languages, themes, administration panel app source: http://dalogin.sourceforge.net/ author: hc0 [1] config file disclosure you can access config.ini file from [path]/admin/include/config.ini this file contains mysql connection informations (user, pass, host etc..) its says "come here and ownz by box!!" [2] sql injection at line 115 requested http parameter id use in sql query without filtering. 114 - //LEER COMENTARIOS 115 - $Sql="SELECT * from news_comments WHERE id_new=".$_REQUEST['id']." AND state=1"; 116 - $result_comments = mysql_query($Sql); 117 - while ($row_comments=mysql_fetch_array($result_comments)) 118 - { 119 - echo '<table class="CommentTable">'; 120 - echo '<tr> 121 - <td width="100px">'.strftime(DATE_TIME_FORMAT,strtotime($row_comments['date_comment'])).' 122 - <br /><b>'.$row_comments['user_name'].'</b> 123 - </td> 124 - <td class="CommentTableImg"> 125 - '.$row_comments['comment'].' 126 - </td> 127 - </tr>'; 128 - echo '</table><br />'; 129 - } [3] xss 181 - function InsertComment() 182 - { 183 - global $link; 184 - $Sql="INSERT INTO news_comments (id_new,comment,date_comment,state,user_name) VALUES (".$_REQUEST['id'].",'".$_POST['comment_text']."',Now(),0,'".$_POST['comment_user']."')"; 185 - mysql_query($Sql); 186 - echo '<div class="CommentAlert" style=" background-color: #c5fbcd">'.COMMENT_SENT_LABEL.'</div>'; 187 - } you need post a comment that includes your xss attack payload and its saved database. its so simple :) [4] just for fun i'm so bored..................
※本站提供的任何内容、代码与服务仅供学习,请勿用于非法用途,否则后果自负
您的会员可兑换次数还剩: 次 本次兑换将消耗 1 次
续费请拨打客服热线,感谢您一直支持 Seebug!
京公网安备 11010502034610号
暂无评论