Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: CMS / Portals :: bu-1831.htm

SphereCMS Blind SQL Injection Vulnerability



SphereCMS Blind SQL Injection Vulnerability
SphereCMS Blind SQL Injection Vulnerability



##########################www.BugReport.ir######################################## 
#
#        AmnPardaz Security Research Team
#
# Title:=09=09SphereCMS Blind SQL Injection Vulnerability
# Vendor:=09=09http://sphere.xlentprojects.se/ 
# Vulnerable Version:=091.1 alpha (Latest version till now)
# Exploitation:=09=09Remote with browser
# Fix:=09=09=09N/A
###################################################################################

####################
- Description:
####################

SphereCMS is a CMS which allow managing forum, archive posts, chat like
posts (named shoutbox), friend in the site and personal profile. It has
one theme, but a buty one.
It uses MySQL as its backend DBMS and is written in PHP language.


####################
- Vulnerability:
####################

+--> Blind SQL Injection
=09The archive page is vulnerable to SQL injection. The GET variable,  
namely 'view',
=09is not sanitized correctly in the SQL query. This hole can be used  
for extracting
=09admin password. For deatils see 'Exploits' section.

####################
- Exploits/PoCs:
####################

+--> Exploiting The (MySQL) Blind SQL Injection:
=09The GET variavle 'view' in archive madule can be used for hacking process.
=09Check URI 'example.com/archive.php?view=***'; SQL query can be placed  
at '***'.
=09The users password is stored in=09`xcms_members` table. For extracting  
password of 'Admin'
=09we could use following SQL injection vector:
              ?view=17' AND EXISTS
=09=09=09     (/*%00*/SELECT * FROM xcms_members
=09=09=09=09                  WHERE username='Admin'
=09=09=09=09=09=09=09=09  AND substr(/*%00*/password,#,1)='@') AND '1'='1
=09replacing # with 1, 2, 3, ... and @ with different characters. The  
result page will show
=09the archive post with id '17' on correct and show no archive post if  
@ was wrong.
=09So the password can be extracted in O(length of encrypted pass)=O(1).

+++ Special Technique for Bypassing SphereCMS Security Check:
=09SphereCMS checks all of parameters including 'view' GET parameter  
before doing any
=09process. In these checks, any parameter which has a pattern like  
"(*)" will result
=09to "die ()". Also we can not check the password words without  
parenthesizes (it is
=09required for substr function and there are no substitute solution).

=09For bypassing this check, I consider MySQL and PHP together. The PHP  
functions will consider
=09all strings JUST untill first null character. Also MySQL support  
comment syntax
=09like /* the comment */ and before executing any SQL query, these  
comments will be removed
=09from the query by MySQL.
=09Thus I place a null character within MySQL comment right after each  
open parenthesis. So
=09when PHP search for parenthesises, it find nothing since it reaches  
null and finish searching.
=09Also when query is going to be executed, the null character will be  
removed within the comment
=09(see the '(/*%00*/' in the above SQL injection vector).

####################
- Solution:
####################

The parameters must be sanitized using the context sensitive  
sanitizing function provided
by MySQL (mysql_real_escape_string), instead of manual sanitizing  
which is usually error prone.

####################
- Original Advisory:
####################

http://www.bugreport.ir/index_68.htm 

####################
- Credit:
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir 
www.AmnPardaz.com 



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH