Waraxe IT Security Portal
SA#41 - How to fix

Posted: Sat Apr 16, 2005 2:55 pm
Author: waraxe (Site admin)

OK, let's open "modules/Top/index.php" and find a code line like:

Code:

$result9 = sql_query("SELECT pollID, pollTitle, timeStamp, voters FROM ".$prefix."_poll_desc $querylang order by voters DESC limit 0,$top", $dbi);


And just add "p" char to "$querylang" so it will be "$queryplang".
Final result:

Code:

$result9 = sql_query("SELECT pollID, pollTitle, timeStamp, voters FROM ".$prefix."_poll_desc $queryplang order by voters DESC limit 0,$top", $dbi);


That's all. Enjoy and have a nice day ;)


Last edited by waraxe on Sun Feb 17, 2008 4:13 pm; edited 1 time in total

Posted: Sun Apr 17, 2005 5:25 am
Author: y3dips (Valuable expert)

great, little mistake makes disaster :lol:

is there some software to check the script and find undeclared variables? or is it possible to make one?

*maybe like pscan or TESOgcc to find the wrong format string (in format string bof)

_________________
IO::y3dips->new(http://clog.ammar.web.id);

Posted: Sun Apr 17, 2005 10:36 am
Author: waraxe (Site admin)

y3dips wrote:
great, little mistake makes disaster :lol:

is there some software to check the script and find undeclared variables? or is it possible to make one?

*maybe like pscan or TESOgcc to find the wrong format string (in format string bof)


I use a very simple handmade PHP script, which reads in a PHP script file, then searches for all variables and finally lists them all with their frequency of use. The result is something like:

$mid --> 12 times
$buf --> 39 times
$restr --> 1 times

It is a primitive utility, but helpful.

Posted: Sun Apr 17, 2005 10:38 am
Author: shai-tan (Valuable expert)

Did you make it?

Is it downloadable from somewhere?

_________________
Shai-tan

"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds

Posted: Sun Apr 17, 2005 10:46 am
Author: waraxe (Site admin)

It is written for private use and therefore the code is a mess :roll:
Try to write something similar, this is simple.

Posted: Sun Apr 17, 2005 12:36 pm
Author: y3dips (Valuable expert)

waraxe wrote:

I use a very simple handmade PHP script, which reads in a PHP script file, then searches for all variables and finally lists them all with their frequency of use. The result is something like:

$mid --> 12 times
$buf --> 39 times
$restr --> 1 times

It is a primitive utility, but helpful.


kewl,
could you describe it in more detail? :roll:

I was thinking of something like that, but I don't even have an idea for the details

btw, how did you find the variable names? input/declare them manually, or do you have another technique?

*I enjoy the discussion in here :)

Posted: Sun Apr 17, 2005 1:41 pm
Author: waraxe (Site admin)

As I said before, the code is a mess, because it was meant for private use.
But here it is:

Code:

<?php

if(empty($_REQUEST['file']))
{
?>

<HTML>
<HEAD>
<TITLE>Select file to analyze...</TITLE>
</HEAD>
<BODY>
<CENTER><br><br><br>
<H3>Enter filename ...</H3>

<FORM action="test.php" method="POST">
<INPUT type="text" name="file" size="40">
<INPUT type="submit" name="do" value="Analyze now!">
</FORM>

</CENTER>
</BODY>
</HTML>
<?php
}
else
{
    // Take the name from the request instead of relying on register_globals,
    // and drop any directory part so only files next to this script are read.
    $file = basename($_REQUEST['file']);

    if(!is_file('./'.$file.'.php'))
    {
        die('file can not be open, sorry...');
    }
    else
    {
        $lines = file('./'.$file.'.php');
        $buf = '';

        // Join all lines of the analyzed file into one string.
        foreach ($lines as $line_num => $line)
        {
            $buf .= trim($line);
        }
        //-------------------------------------------------
        // Every chunk after a '$' starts with a candidate variable name.
        $params = array();
        $buf = explode('$',$buf);
        $nr = 0;

        for ( $i = 1; $i < count($buf); $i ++ )
        {
            $buf2 = $buf[$i];
            $len = strlen($buf2);
            $len2 = 0;
            // Find the first character that cannot be part of a variable name.
            for ( $j = 0; $j < $len; $j ++ )
            {
                $buf3 = substr($buf2,$j,1);
                if(!is_var_char($buf3))
                {
                    $len2 = $j;
                    break;
                }
            }
            if($len2 > 0)
            {
                $buf3 = substr($buf2,0,$len2);
                $old = 0;
                // Increase the counter if this name was seen before.
                for($j=0;$j<count($params);$j++)
                {
                    if($params[$j][0] == $buf3)
                    {
                        $params[$j][1] ++;
                        $old = 1;
                        break;
                    }
                }
                // Otherwise register it as a new name.
                if($old == 0)
                {
                    $params[$nr][0] = $buf3;
                    $params[$nr][1] = 1;
                    $nr ++;
                }
            }
        }

        sort($params);

        // List every variable name with the number of times it is used.
        for($i=0;$i<count($params);$i++)
        {
            echo '<br> $'.$params[$i][0].' --> '.$params[$i][1];
        }
    }
}

//---------------------------------------------------------------------------------------
// True for A-Z, a-z, 0-9 and underscore.
function is_var_char( $buf )
{
    $nr = ord( $buf );

    if( ($nr > 64 && $nr < 91 ) || ($nr > 96 && $nr < 123) || ($nr > 47 && $nr < 58) || ($nr == 95) )
    {
        return true;
    }

    return false;
}

?>


Primitive ... but helpful :roll:

Posted: Mon Apr 18, 2005 3:10 am
Author: y3dips (Valuable expert)

thx, I'm saving the file, and hope I can do something useful with it

thx ;)

Posted: Thu Apr 21, 2005 8:40 am
Author: shai-tan (Valuable expert)

cool as

Posted: Fri Apr 22, 2005 10:48 am
Author: y3dips (Valuable expert)

waraxe, thx for the script, primitive .. but what can I say, it's COOL
thx one more time,

so you just find the variable with the minimum use
eg:

$wew --> 12 times
$buf --> 39 times
$we --> 1 times


is it that $we is $wew?
so is it possible to do something nasty with that variable?

once again, THX

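Added example (not part of the thread and not waraxe's script): the same single-use idea built on PHP's tokenizer, extended to pair each variable that appears once with a similarly spelled variable that appears more often, which is the `$querylang` / `$queryplang` pattern fixed in the first post. The sample source is constructed, and `count_variables`, `suspect_typos` and `$lang_filter` are names made up for this example.

```php
<?php
// Added example, not waraxe's script: count variables with PHP's tokenizer and
// pair each single-use name with the closest name that is used more often.

/** Return [name => count] for every T_VARIABLE token in PHP source. */
function count_variables(string $source): array
{
    $counts = [];
    foreach (token_get_all($source) as $token) {
        // Real tokens are arrays [id, text, line]; punctuation is a plain string.
        if (is_array($token) && $token[0] === T_VARIABLE) {
            $counts[$token[1]] = ($counts[$token[1]] ?? 0) + 1;
        }
    }
    ksort($counts);
    return $counts;
}

/** Map each variable seen exactly once to a look-alike seen more often. */
function suspect_typos(array $counts, int $maxDistance = 2): array
{
    $suspects = [];
    foreach ($counts as $name => $n) {
        if ($n !== 1) {
            continue;
        }
        foreach ($counts as $other => $m) {
            if ($m > 1 && levenshtein($name, $other) <= $maxDistance) {
                $suspects[$name] = $other;
                break;
            }
        }
    }
    return $suspects;
}

// Constructed sample modelled on the query line from the first post;
// $lang_filter is a made-up name.
$sample = <<<'PHP'
<?php
$queryplang = "";
if ($lang_filter) { $queryplang = "WHERE lang='$lang_filter'"; }
$result9 = sql_query("SELECT pollID FROM ".$prefix."_poll_desc $querylang order by voters DESC limit 0,$top", $dbi);
PHP;

foreach (suspect_typos(count_variables($sample)) as $once => $likely) {
    echo "$once is used once; did you mean $likely?\n";
}
```

Because the tokenizer also reports variables interpolated inside double-quoted strings, the misspelled name in the query string is counted; the result is a list of candidates to check by hand, not a verdict.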

Posted: Sat Apr 30, 2005 6:59 pm
Author: KingOfSka (Advanced user)

can someone explain to me or give some links about this kind of vulns?
I wanna learn to discover bugs :)
I found some RFI in a home-made PHP script but it was more simple...