##########################www.BugReport.ir##############################
##########
#
# AmnPardaz Security Research Team
#
# Title: SphereCMS Blind SQL Injection Vulnerability
# Vendor: http://sphere.xlentprojects.se/
# Vulnerable Version: 1.1 alpha (Latest version till now)
# Exploitation: Remote with browser
# Fix: N/A
########################################################################
###########
####################
- Description:
####################
SphereCMS is a CMS which allow managing forum, archive posts, chat like
posts (named shoutbox), friend in the site and personal profile. It has
one theme, but a buty one.
It uses MySQL as its backend DBMS and is written in PHP language.
####################
- Vulnerability:
####################
+--> Blind SQL Injection
The archive page is vulnerable to SQL injection. The GET variable,
namely 'view',
is not sanitized correctly in the SQL query. This hole can be used
for extracting
admin password. For deatils see 'Exploits' section.
####################
- Exploits/PoCs:
####################
+--> Exploiting The (MySQL) Blind SQL Injection:
The GET variavle 'view' in archive madule can be used for hacking process.
Check URI 'example.com/archive.php?view=***'; SQL query can be placed
at '***'.
The users password is stored in `xcms_members` table. For extracting
password of 'Admin'
we could use following SQL injection vector:
?view=17' AND EXISTS
(/*%00*/SELECT * FROM xcms_members
WHERE username='Admin'
AND substr(/*%00*/password,#,1)='@') AND '1'='1
replacing # with 1, 2, 3, ... and @ with different characters. The
result page will show
the archive post with id '17' on correct and show no archive post if
@ was wrong.
So the password can be extracted in O(length of encrypted pass)=O(1).
+++ Special Technique for Bypassing SphereCMS Security Check:
SphereCMS checks all of parameters including 'view' GET parameter
before doing any
process. In these checks, any parameter which has a pattern like
"(*)" will result
to "die ()". Also we can not check the password words without
parenthesizes (it is
required for substr function and there are no substitute solution).
For bypassing this check, I consider MySQL and PHP together. The PHP
functions will consider
all strings JUST untill first null character. Also MySQL support
comment syntax
like /* the comment */ and before executing any SQL query, these
comments will be removed
from the query by MySQL.
Thus I place a null character within MySQL comment right after each
open parenthesis. So
when PHP search for parenthesises, it find nothing since it reaches
null and finish searching.
Also when query is going to be executed, the null character will be
removed within the comment
(see the '(/*%00*/' in the above SQL injection vector).
####################
- Solution:
####################
The parameters must be sanitized using the context sensitive
sanitizing function provided
by MySQL (mysql_real_escape_string), instead of manual sanitizing
which is usually error prone.
####################
- Original Advisory:
####################
http://www.bugreport.ir/index_68.htm
####################
- Credit:
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com