Copy-paste from inside the exploit:
######### 1. SQLInjection / User password change #########
Let's get some details, vuln it's pretty obvious , look at recover.php source:
File: recover.php
------------------------------
29. $id=$_REQUEST['id'];
30. $n=$_REQUEST['n'];
31. $username=base64_decode($id);
32 $sql="SELECT * FROM `" . table_users . "` where `user_login` =
'".$username."' AND `last_reset_request` = FROM_UNIXTIME('".$n."') AND
user_level!='Spammer'";
[...]
61. $to = $user->user_email;
62. $subject = $main_smarty->get_config_vars(
'.$main_smarty->get_config_
63.
64. $body = sprintf(
65. $main_smarty->get_config_vars(
66. $main_smarty->get_config_vars(
67. $my_base_url . $my_pligg_base . '/login.php',
68. $user->user_login,
69. $password
70. );
71.
72. $headers = 'From: ' .
$main_smarty->get_config_vars(
73. $headers .= "Content-type: text/html; charset=utf-8\r\n";
74.
75. if (!mail($to, $subject, $body, $headers))
76. {
77. $saltedPass = generateHash($password);
78. $db->query('UPDATE `' . table_users . "` SET `user_pass` =
'$saltedPass' WHERE `user_login` = '".$user->user_login."'");
79. $db->query('UPDATE `' . table_users . '` SET `last_reset_request`
= FROM_UNIXTIME('.time().') WHERE `user_login` =
"'.$user->user_login.'"');
80.
81. $current_user->Authenticate($
[...]
------------------------------
Thanks to the base64_decode there are no problems of magic_quotes or
whatever, but as an mail must be sent for the password to be reset,
you have to totally take control of the query so no sospicious
notifications will be sent.
To prevent sending clear data & quotes with the request, I'll not use
$n variable, resulting in a longer and less fancy SQLInj.
Now that we are admin we use our power to:
[+] get database data from dbsettings.php
[+] plant some code to upload a post-exploitation Weevely shell
Code it's very dirty but works
--
BlackHawk - hawkgotyou@gmail.com
Experientia senum, agilitas iuvenum.
Adversa fortiter. Dubia prudenter
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information
######### 1. SQLInjection / User password change #########
Let's get some details, vuln it's pretty obvious , look at recover.php source:
File: recover.php
------------------------------
29. $id=$_REQUEST['id'];
30. $n=$_REQUEST['n'];
31. $username=base64_decode($id);
32 $sql="SELECT * FROM `" . table_users . "` where `user_login` =
'".$username."' AND `last_reset_request` = FROM_UNIXTIME('".$n."') AND
user_level!='Spammer'";
[...]
61. $to = $user->user_email;
62. $subject = $main_smarty->get_config_vars(
'.$main_smarty->get_config_
63.
64. $body = sprintf(
65. $main_smarty->get_config_vars(
66. $main_smarty->get_config_vars(
67. $my_base_url . $my_pligg_base . '/login.php',
68. $user->user_login,
69. $password
70. );
71.
72. $headers = 'From: ' .
$main_smarty->get_config_vars(
73. $headers .= "Content-type: text/html; charset=utf-8\r\n";
74.
75. if (!mail($to, $subject, $body, $headers))
76. {
77. $saltedPass = generateHash($password);
78. $db->query('UPDATE `' . table_users . "` SET `user_pass` =
'$saltedPass' WHERE `user_login` = '".$user->user_login."'");
79. $db->query('UPDATE `' . table_users . '` SET `last_reset_request`
= FROM_UNIXTIME('.time().') WHERE `user_login` =
"'.$user->user_login.'"');
80.
81. $current_user->Authenticate($
[...]
------------------------------
Thanks to the base64_decode there are no problems of magic_quotes or
whatever, but as an mail must be sent for the password to be reset,
you have to totally take control of the query so no sospicious
notifications will be sent.
To prevent sending clear data & quotes with the request, I'll not use
$n variable, resulting in a longer and less fancy SQLInj.
Now that we are admin we use our power to:
[+] get database data from dbsettings.php
[+] plant some code to upload a post-exploitation Weevely shell
Code it's very dirty but works
--
BlackHawk - hawkgotyou@gmail.com
Experientia senum, agilitas iuvenum.
Adversa fortiter. Dubia prudenter
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information