SphereCMS Blind SQL Injection Vulnerability

Board: Bugtraq, Author: , Posted: 2010/02/19 12:32 (16 years ago)
##########################www.BugReport.ir########################################
#
# AmnPardaz Security Research Team
#
# Title:		SphereCMS Blind SQL Injection Vulnerability
# Vendor:		http://sphere.xlentprojects.se/
# Vulnerable Version:	1.1 alpha (Latest version till now)
# Exploitation:		Remote with browser
# Fix:			N/A
###################################################################################

####################
- Description:
####################

SphereCMS is a CMS which allows managing a forum, archived posts, chat-like posts (named shoutbox), friends on the site and a personal profile. It has one theme, but a beautiful one. It uses MySQL as its backend DBMS and is written in PHP.

####################
- Vulnerability:
####################

+--> Blind SQL Injection

	The archive page is vulnerable to SQL injection. The GET variable, namely 'view', is not sanitized correctly before it is placed in the SQL query. This hole can be used for extracting the admin password. For details see the 'Exploits' section.

####################
- Exploits/PoCs:
####################

+--> Exploiting The (MySQL) Blind SQL Injection:

	The GET variable 'view' in the archive module can be used for the hacking process.
	Check URI 'example.com/archive.php?view=***'; the SQL query can be placed at '***'.
	The users' passwords are stored in the `xcms_members` table. For extracting the password of 'Admin' we could use the following SQL injection vector:

	?view=17' AND EXISTS
			 (/*%00*/SELECT * FROM xcms_members
				 WHERE username='Admin'
								 AND substr(/*%00*/password,#,1)='@') AND '1'='1

	replacing # with 1, 2, 3, ... and @ with different characters. The result page will show the archive post with id '17' when the guess is correct and show no archive post if @ was wrong.
	So the password can be extracted in O(length of encrypted pass)=O(1).

+++ Special Technique for Bypassing SphereCMS Security Check:

	SphereCMS checks all of the parameters, including the 'view' GET parameter, before doing any processing. In these checks, any parameter which has a pattern like "(*)" will result in "die ()". Also we cannot check the password characters without parentheses (they are required for the substr function and there is no substitute solution).
	For bypassing this check, I consider MySQL and PHP together. The PHP functions will consider all strings JUST until the first null character. Also MySQL supports comment syntax like /* the comment */, and before executing any SQL query these comments will be removed from the query by MySQL.
	Thus I place a null character within a MySQL comment right after each open parenthesis. So when PHP searches for parentheses, it finds nothing, since it reaches the null and finishes searching. Also when the query is going to be executed, the null character will be removed together with the comment (see the '(/*%00*/' in the above SQL injection vector).

####################
- Solution:
####################

The parameters must be sanitized using the context sensitive sanitizing function provided by MySQL (mysql_real_escape_string), instead of manual sanitizing, which is usually error prone.

####################
- Original Advisory:
####################

http://www.bugreport.ir/index_68.htm

####################
- Credit:
####################

AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com
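The Solution section recommends escaping with mysql_real_escape_string; as an added example (not SphereCMS code), here is the archive lookup written instead with allow-list validation and a PDO prepared statement, so the 'view' value never reaches MySQL as query text and the null-byte comment trick has nothing to bypass. The `xcms_archive` table and its `id`, `title` and `body` columns are assumed names.

```php
<?php
// Added example, not SphereCMS code. Assumes a PDO connection and an
// `xcms_archive` table with an integer `id` column (names are assumptions).
declare(strict_types=1);

function loadArchivePost(PDO $db, array $get): ?array
{
    // 1. Allow-list validation: an archive id is a positive integer, so
    //    anything else is rejected before it gets near the database.
    //    FILTER_VALIDATE_INT fails on "17' AND ..." and on any NUL byte,
    //    so the blacklist bypass described in the advisory does not apply.
    $view = filter_var($get['view'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($view === false) {
        return null; // caller renders "no such post"
    }

    // 2. Parameter binding: the value is sent separately from the SQL text,
    //    so even a string-typed column could not be used to alter the query.
    $stmt = $db->prepare(
        'SELECT id, title, body FROM xcms_archive WHERE id = :id'
    );
    $stmt->bindValue(':id', $view, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Defence-in-depth only: a pattern check on the raw value is useful for
// logging suspicious requests, but must never be the sole protection.
// preg_match is binary-safe, so a parenthesis hidden behind "/*\0*/" is
// still seen; the NUL itself is also flagged here.
function looksLikeInjection(string $value): bool
{
    return preg_match('/\(|\/\*|\x00/', $value) === 1;
}
```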
Article code (AID): #1BVXH22U (Bugtraq)