Sandbox 2.0.3 Multiple Remote Vulnerabilities

Name               Sandbox
Vendor             http://www.iguanadons.net
Versions Affected  2.0.3
Author             Salvatore Fresta aka Drosophila
Website            http://www.salvatorefresta.net
Contact            salvatorefresta [at] gmail [dot] com
Date               2010-07-07

X. INDEX

I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX

I. ABOUT THE APPLICATION
________________________

Sandbox is a personal website package that provides you with a blog, image gallery, file downloads area, and the ability to create miscellaneous custom webpages.

II. DESCRIPTION
_______________

Some parameters are not sanitised before being used in SQL queries and in dangerous PHP functions. The vulnerabilities are reported in version 2.0.3. Other versions may also be affected.

III. ANALYSIS
_____________

Summary:

A) Authentication Bypass
B) Arbitrary File Upload
C) Local File Inclusion
D) SQL Injection

A) Authentication Bypass
________________________

The sandbox_pass cookie value in global.php is not properly sanitised before being used in a SQL query. Since this value is used for the authentication system, the injection can be used to bypass it. Successful exploitation requires that "magic_quotes_gpc" is disabled.

B) Arbitrary File Upload
________________________

When a file is sent to blog.php (and also to profile.php) a bad check for the extension is done. The check consists in splitting the file's name into substrings delimited by a dot and checking if the second substring's value is present in the white list. This method works fine for a file with a single extension, but if an attacker uses a file with a double extension, this method doesn't work well. The following is the affected code in blog.php:

  $fname  = $this->files['image_file']['tmp_name'];
  $system = explode( '.', $this->files['image_file']['name'] );
  $system[1] = strtolower($system[1]);
  if ( !preg_match( '/jpg|jpeg|png|gif/', $system[1] ) ) {
      // NO UPLOAD
  } else {
      // UPLOAD
  }

If the file's name is evil.jpg.php:

  $system[1] = jpg

C) Local File Inclusion
_______________________

The a parameter in admin.php is not properly sanitised before being used in the require() PHP function. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes.

D) SQL Injection
________________

The p parameter in modules/page.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

IV. SAMPLE CODE
_______________

A) Authentication Bypass

  cookie: sandbox_pass = 1' OR '1'='1'#
  cookie: sandbox_user = userid (1 for admin)

B) Arbitrary File Upload

  Upload a file with a double extension.

C) Local File Inclusion

  http://site/path/admin.php?a=../../../../../../../etc/passwd%00

D) SQL Injection

  http://site/path/index.php?a=page&p=-1 UNION SELECT 1,2,3,4,5,6,7,CONCAT(user_name,0x3a,user_password) FROM sb_users

V. FIX
______

No fix.
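The advisory gives no vendor fix. The following is an added example, not code from the advisory or from the Sandbox project, that reproduces the blog.php extension check from section III.B as a function beside a hardened replacement. Besides the double-extension problem the advisory describes, the original pattern '/jpg|jpeg|png|gif/' is unanchored, so any second substring merely containing "jpg" also passes; the hardened version anchors on the final extension, rejects names with more than one dot, and stores the file under a server-generated name. Function names, the allow list and the test file names are assumptions.

```php
<?php
// Added example (not Sandbox's code). Mirrors the vulnerable blog.php logic:
// only the second dot-delimited part is checked, and the pattern is
// unanchored, so "evil.jpg.php" and "x.jpgfoo" are both accepted.
function sandbox_style_check(string $filename): bool
{
    $system = explode('.', $filename);
    $second = strtolower($system[1] ?? '');
    return (bool) preg_match('/jpg|jpeg|png|gif/', $second);
}

// Hardened check (assumed allow list): look only at the final extension,
// compare it exactly against the list, and refuse names with more than
// one dot so double extensions never reach the web root.
function hardened_check(string $filename): bool
{
    $allowed  = ['jpg', 'jpeg', 'png', 'gif'];
    $basename = basename($filename);              // drop any directory part
    if (substr_count($basename, '.') !== 1) {
        return false;                             // "evil.jpg.php", "noext"
    }
    $ext = strtolower(pathinfo($basename, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

// The stored name is generated server-side; the client-supplied name is
// used for nothing but the extension decision above.
function server_side_name(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed file names showing where the two checks diverge.
foreach (['photo.jpg', 'evil.jpg.php', 'x.jpgfoo', 'shell.php'] as $name) {
    printf("%-14s original:%-7s hardened:%s\n", $name,
        sandbox_style_check($name) ? 'accept' : 'reject',
        hardened_check($name)      ? 'accept' : 'reject');
}
```

For image uploads, pairing the extension check with getimagesize() on the temporary file, and serving the upload directory with PHP execution disabled, closes the remaining gap between "the name looks like an image" and "the content is an image".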
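Added example, not code from the advisory or from the Sandbox project, covering sections III.A and III.D together: the cookie-based lookup of global.php and the page lookup of modules/page.php rewritten with PDO prepared statements so that cookie and query-string values are bound as data rather than concatenated into SQL. The table sb_users and the columns user_name and user_password appear in the advisory; every other table, column, connection detail and function name here is an assumption.

```php
<?php
// Added example (not Sandbox's code). Connection details are placeholders.
function db(): PDO
{
    return new PDO('mysql:host=localhost;dbname=sandbox', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares keep the data out of the statement text.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// A) sandbox_user / sandbox_pass cookies. Both values are bound, so a
// value such as 1' OR '1'='1'# is compared literally and simply fails.
// (Column user_id is assumed; the advisory does not name it.)
function lookup_session(PDO $pdo, string $userCookie, string $passCookie): ?array
{
    if (!ctype_digit($userCookie)) {
        return null;                          // user id must be a plain integer
    }
    $stmt = $pdo->prepare(
        'SELECT user_id, user_name FROM sb_users
          WHERE user_id = :id AND user_password = :pw'
    );
    $stmt->execute([':id' => (int) $userCookie, ':pw' => $passCookie]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// D) the p parameter of modules/page.php: validate as a small positive
// integer and bind it, so "-1 UNION SELECT ..." never reaches the parser.
// (Table sb_pages and column page_id are assumed.)
function load_page(PDO $pdo, string $p): ?array
{
    if (!preg_match('/^[0-9]{1,9}$/', $p)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM sb_pages WHERE page_id = :id');
    $stmt->bindValue(':id', (int) $p, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Assumed call sites:
//   $user = lookup_session(db(), $_COOKIE['sandbox_user'] ?? '', $_COOKIE['sandbox_pass'] ?? '');
//   $page = load_page(db(), $_GET['p'] ?? '');
```

Binding removes the injection regardless of magic_quotes_gpc, which the advisory notes must be disabled for the bypass to work and which PHP removed in 5.4, so it is not a control to rely on. It does not change that the cookie itself carries the credential compared in SQL; moving authentication state into a server-side session is a separate design fix.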
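Added example, not code from the advisory or from the Sandbox project, for section III.C: the a parameter of admin.php resolved through a fixed allow list before require(), so that user input never becomes part of a path and traversal sequences or an encoded NULL byte have nothing to act on. The module names, the modules/admin directory and the function names are assumptions.

```php
<?php
// Added example (not Sandbox's code). Map of permitted actions to files;
// the names and paths are assumed, not Sandbox's real layout.
const ADMIN_MODULES = [
    'dashboard' => 'modules/admin/dashboard.php',
    'posts'     => 'modules/admin/posts.php',
    'users'     => 'modules/admin/users.php',
];

// Translate the request parameter into a path, or null when it is not a
// known action. Input is used only as an array key, never as path text.
function resolve_admin_module(string $a): ?string
{
    if (!array_key_exists($a, ADMIN_MODULES)) {
        return null;
    }
    return __DIR__ . '/' . ADMIN_MODULES[$a];
}

// Second line of defence: even a listed path must resolve to a regular
// file below the modules directory before it is included.
function require_admin_module(string $a): void
{
    $path = resolve_admin_module($a);
    $real = $path === null ? false : realpath($path);
    $base = realpath(__DIR__ . '/modules/admin');
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_file($real)) {
        http_response_code(404);
        exit('unknown action');
    }
    require $real;
}

// Assumed call site in admin.php:
//   require_admin_module($_GET['a'] ?? 'dashboard');
```

The allow list is the control that matters; the realpath() prefix check only guards against a mistake in the list itself. Note that PHP 5.3.4 and later reject paths containing a NULL byte in filesystem and include functions, which removes the %00 truncation but not the directory-traversal part of the issue, so upgrading PHP alone is not a fix.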