Waraxe IT Security Portal  
  Login or Register
::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  ::
March 28, 2024
Menu
 Home
 Logout
 Discussions
 Forums
 Members List
 IRC chat
 Tools
 Base64 coder
 MD5 hash
 CRC32 checksum
 ROT13 coder
 SHA-1 hash
 URL-decoder
 Sql Char Encoder
 Affiliates
 y3dips ITsec
 Md5 Cracker
 User Manuals
 AlbumNow
 Content
 Content
 Sections
 FAQ
 Top
 Info
 Feedback
 Recommend Us
 Search
 Journal
 Your Account



User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9145

People Online:
Visitors: 624
Members: 0
Total: 624
PacketStorm News
·301 Moved Permanently

read more...
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> How to fix -> SA#41 - How to fix
Post new topic  Reply to topic View previous topic :: View next topic 
SA#41 - How to fix
PostPosted: Sat Apr 16, 2005 2:55 pm Reply with quote
waraxe
Site admin
Site admin
 
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




OK, let's open "modules/Top/index.php" and now will find code line like:

Code:

$result9 = sql_query("SELECT pollID, pollTitle, timeStamp, voters FROM ".$prefix."_poll_desc $querylang order by voters DESC limit 0,$top", $dbi);


And just add "p" char to "$querylang" so it will be "$queryplang".
Final result:

Code:

$result9 = sql_query("SELECT pollID, pollTitle, timeStamp, voters FROM ".$prefix."_poll_desc $queryplang order by voters DESC limit 0,$top", $dbi);


That's all. Enjoy and have a nice day Wink


Last edited by waraxe on Sun Feb 17, 2008 4:13 pm; edited 1 time in total
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sun Apr 17, 2005 5:25 am Reply with quote
y3dips
Valuable expert
Valuable expert
 
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




great , litle mistake make dissaster Laughing

is there some software to check the script n found undeclarable variable ? or is it possible to made one?

*maybe like pscan or TESOgcc to find the wrong format string (in format string bof)

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
PostPosted: Sun Apr 17, 2005 10:36 am Reply with quote
waraxe
Site admin
Site admin
 
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




y3dips wrote:
great , litle mistake make dissaster Laughing

is there some software to check the script n found undeclarable variable ? or is it possible to made one?

*maybe like pscan or TESOgcc to find the wrong format string (in format string bof)


I use very simple handmade php script, which will read in php script file, then searches for all variables and finally lists them all with frequency of using. Result is something like:

$mid --> 12 times
$buf --> 39 times
$restr --> 1 times

It is primitive utility, but helpful.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sun Apr 17, 2005 10:38 am Reply with quote
shai-tan
Valuable expert
Valuable expert
 
Joined: Feb 22, 2005
Posts: 477




Did you make?

Is it downloadable from somewhere?

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Sun Apr 17, 2005 10:46 am Reply with quote
waraxe
Site admin
Site admin
 
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




It is written for private use and therefore the code is a mess Rolling Eyes
Try to write something similar, this is simple.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sun Apr 17, 2005 12:36 pm Reply with quote
y3dips
Valuable expert
Valuable expert
 
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




waraxe wrote:

I use very simple handmade php script, which will read in php script file, then searches for all variables and finally lists them all with frequency of using. Result is something like:

$mid --> 12 times
$buf --> 39 times
$restr --> 1 times

It is primitive utility, but helpful.


kewl,
could you describe more detailed ? Rolling Eyes

i was thinkin somethin like that , but i dont even have an idea for detail

btw , how did u find the variable name ? input/declare it manually or u have another technique ?

*i enjoy disscuss in here Smile

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
PostPosted: Sun Apr 17, 2005 1:41 pm Reply with quote
waraxe
Site admin
Site admin
 
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




As i said before, code is a mess, because it was meant for private use.
But here it is:

Code:

<?php

if(empty($_REQUEST['file']))
{
?>

<HTML>
<HEAD>
<TITLE>Select file to analyze...</TITLE>
</HEAD>
<BODY>
<CENTER><br><br><br>
<H3>Enter filename ...</H3>

<FORM action="test.php" method="POST">
<INPUT type="text" name="file" length="40">
<INPUT type="submit" name="do" value="Analyze now!">
</FORM>

</CENTER>
</BODY>
</HTML>
<?php
}
else
{
   if(!is_file('./'.$file.'.php'))
   {
      die('file can not be open, sorry...');
   }
   else
   {
      $lines = file('./'.$file.'.php');
      $buf = '';
      
      foreach ($lines as $line_num => $line)
      {
         $buf .= trim($line);
      }
      //-------------------------------------------------
      $params = array();$offset = 0;
      $buf = explode('$',$buf);
      $nr = 0;
      
      for ( $i = 1; $i < count($buf); $i ++ )
      {
         $buf2 = $buf[$i];
         $len = strlen($buf2);
         $len2 = 0;
         for ( $j = 0; $j < $len; $j ++ )
         {
            $buf3 = substr($buf2,$j,1);
            if(!is_var_char($buf3))
            {
               $len2 = $j;
               $j += $len;
            }
         }
         if($len2 > 0)
         {
            $buf3 = substr($buf2,0,$len2);
            $old = 0;
            for($j=0;$j<count($params);$j++)
            {
               if($params[$j][0] == $buf3)
               {
                  $params[$j][1] ++;
                  $old = 1;
                  $j += count($params);
               }
            }
            if($old == 0)
            {
               $params[$nr][0] = $buf3;
               $params[$nr][1] = 1;
               $nr ++;
            }
         }
      }
      
      sort($params);
      
      for($i=0;$i<count($params);$i++)
      {
         echo '<br> $'.$params[$i][0].' --> '.$params[$i][1];
      }
   }
}




//---------------------------------------------------------------------------------------
function is_var_char( $buf )
{
   $nr = ord( $buf );
   
   if( ($nr > 64 && $nr < 91 ) || ($nr > 96 && $nr < 123) || ($nr > 47 && $nr < 58) || ($nr == 95) )
   {
      return true;
   }
   
   return false;
}

?>


Primitive ... but helpful Rolling Eyes
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Mon Apr 18, 2005 3:10 am Reply with quote
y3dips
Valuable expert
Valuable expert
 
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




thx, im saving the file , n hope could do somethin usefull with that

thx Wink

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
PostPosted: Thu Apr 21, 2005 8:40 am Reply with quote
shai-tan
Valuable expert
Valuable expert
 
Joined: Feb 22, 2005
Posts: 477




cool as

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Fri Apr 22, 2005 10:48 am Reply with quote
y3dips
Valuable expert
Valuable expert
 
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




waraxe, thx for the script, primitive .. but what can i say , it COOL
thx one more time,

so you just found the variable with minimum used
eg:

$wew --> 12 times
$buf --> 39 times
$we --> 1 times


is it $we is $wew
so is it possible to do something nasty with that variable

once again, THX

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
PostPosted: Sat Apr 30, 2005 6:59 pm Reply with quote
KingOfSka
Advanced user
Advanced user
 
Joined: Mar 13, 2005
Posts: 61




can someone explain me or give some link about this kind of vulns ?
i wanna learn to discover bugs Smile
i found some RFI in home-made php script but it was more simple...
View user's profile Send private message Visit poster's website
SA#41 - How to fix
  www.waraxe.us Forum Index -> How to fix
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Post new topic  Reply to topic  




Powered by phpBB © 2001-2008 phpBB Group






Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2020 Janek Vind "waraxe"
Page Generation: 0.166 Seconds