Full Disclosure mailing list archives
Pligg 2.x SQLi / PWD disclosure / RCE
From: BlackHawk <hawkgotyou () gmail com>
Date: Thu, 24 Jul 2014 22:21:50 +0200
Copy-paste from inside the exploit: ######### 1. SQLInjection / User password change ######### Let's get some details, vuln it's pretty obvious , look at recover.php source: File: recover.php ---------------------------------------------------------- 29. $id=$_REQUEST['id']; 30. $n=$_REQUEST['n']; 31. $username=base64_decode($id); 32 $sql="SELECT * FROM `" . table_users . "` where `user_login` = '".$username."' AND `last_reset_request` = FROM_UNIXTIME('".$n."') AND user_level!='Spammer'"; [...] 61. $to = $user->user_email; 62. $subject = $main_smarty->get_config_vars("PLIGG_Visual_Name").' '.$main_smarty->get_config_vars("PLIGG_PassEmail_Subject"); 63. 64. $body = sprintf( 65. $main_smarty->get_config_vars("PLIGG_PassEmail_PassBody"), 66. $main_smarty->get_config_vars("PLIGG_Visual_Name"), 67. $my_base_url . $my_pligg_base . '/login.php', 68. $user->user_login, 69. $password 70. ); 71. 72. $headers = 'From: ' . $main_smarty->get_config_vars("PLIGG_PassEmail_From") . "\r\n"; 73. $headers .= "Content-type: text/html; charset=utf-8\r\n"; 74. 75. if (!mail($to, $subject, $body, $headers)) 76. { 77. $saltedPass = generateHash($password); 78. $db->query('UPDATE `' . table_users . "` SET `user_pass` = '$saltedPass' WHERE `user_login` = '".$user->user_login."'"); 79. $db->query('UPDATE `' . table_users . '` SET `last_reset_request` = FROM_UNIXTIME('.time().') WHERE `user_login` = "'.$user->user_login.'"'); 80. 81. $current_user->Authenticate($user->user_login, $password); [...] ---------------------------------------------------------- Thanks to the base64_decode there are no problems of magic_quotes or whatever, but as an mail must be sent for the password to be reset, you have to totally take control of the query so no sospicious notifications will be sent. To prevent sending clear data & quotes with the request, I'll not use $n variable, resulting in a longer and less fancy SQLInj. Now that we are admin we use our power to: [+] get database data from dbsettings.php [+] plant some code to upload a post-exploitation Weevely shell Code it's very dirty but works -- BlackHawk - hawkgotyou () gmail com Experientia senum, agilitas iuvenum. Adversa fortiter. Dubia prudenter.
Attachment:
exploit.py
Description:
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Pligg 2.x SQLi / PWD disclosure / RCE BlackHawk (Jul 24)