Author: Michael Brooks (Rook)
Application: OpenClassifieds 1.7.0.3
Download: http://open-classifieds.com/download/

Exploit chain: captcha bypass -> sqli (insert) -> persistent xss on front page
If registration is required an extra link in the chain is added:
Exploit chain: blind sqli (select) -> captcha bypass -> sqli (insert) -> persistent xss on front page

Sites with SEO URLs enabled: "powered by Open Classifieds" inurl:"publish-a-new-ad.htm" (85,000 results)
or default URLs: "powered by Open Classifieds" inurl:"item-new.php" (16,500 results)
Total sites: ~100,000

CWE violations leveraged by this exploit:
CWE-256: Plaintext Storage of a Password
CWE-804: Guessable CAPTCHA (I asked that they create this CWE when I ran into a guy that works for Mitre.)
CWE-89: SQL Injection x2
CWE-79: Cross-site Scripting (Persistent)

I have always wanted to write a chained exploit with a captcha bypass, so I couldn't miss this opportunity. I spent a bit more effort on this exploit even though there aren't very many hits (around 100k starts to be worthwhile). Regardless, I dug into the application and pulled out the vulnerabilities needed to finish my masterpiece. Usually when I write a Remote Code Execution exploit for a web app you guys just deface the site or throw up drive-by attacks. So I figured persistent XSS on the front page is equally as valuable, especially with yet another IE 0-day in the wild.

The chain is within the application itself. Process sandboxing like chroot/AppArmor/SELinux/Application-V (MS) doesn't come into play. It works regardless of the operating system or configuration (Suhosin, safe_mode, magic_quotes_gpc and register_globals don't come into play). I focused on the application's internal configurations that could break the exploitation process: in this case SEO friendly URLs and requiring an account before posting.

"This web application [OpenClassifieds] is developed to be fast, light, secure and SEO friendly."

Usually when I see that an application claims to be secure, they really don't know what the fuck they are doing. OpenClassifieds' security model is deeply flawed and as a result there are MANY vulnerabilities in this code base, which allowed me to string a few cool ones together to make an interesting exploit.

OpenClassifieds is sanitizing everything on input using cG() and cP(); these functions perform a mysql_real_escape_string() on all GET and POST variables. Most servers aren't using an exotic character set, so from a security standpoint this is exactly identical to magic_quotes_gpc. So I dusted off my usual magic_quotes_gpc auditing tricks: look for stripslashes(), base64_decode(), urldecode(), html_entity_decode(), lack of quote marks around variables in a query, etc.

Sanitation must ALWAYS be done at the time of use; parametrized queries are a good example of this. It's impossible to account for all the ways a variable can be mangled once it enters a program, and if you sanitize input when it first enters the program there will be cases where it becomes dangerous again. This isn't only a problem for SQLi, it's also a problem for XSS. I am inserting JS into the database, which isn't a vulnerability, but printing it is persistent XSS.

The blind SQL injection is a bit strange. I can't use white space or commas, which is a pain. I had to rewrite my general purpose Blind SQLi class to accommodate this. A binary search is used to greatly speed up the blind SQLi attack (which I also used in my php-nuke exploit: http://www.exploit-db.com/exploits/12510/). Special thanks to Reiners for this SQLi filter evasion cheat sheet: http://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/

Here are some changes I had to make to my blind SQL injection class:

"select substring('abc',1,1)" => "select substring('abc' from 1 for 1)"

"if(greatest(".sprintf($question,$cur).",".$pos.")!=".$pos.",sleep(".$this->timeout."),0)"
=> "case ".sprintf($question,"0+".$cur).">".$pos." when true then sleep(".$this->timeout.") end"

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Vulnerable captcha: openclassifieds/includes/common.php line 291

function encode_str ($input){//converts the input into ASCII HTML entities, to obfuscate a bit
    $output = '';
    for ($i = 0; $i < strlen($input); $i++) {
        $output .= "&#".ord($input[$i]).';';
    }
    //$output = htmlspecialchars($output);//uncomment to escape special chars
    // Note: numeric entities are decoded by every HTML parser, so this hides nothing from a client
    return $output;
}

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------

function mathCaptcha(){//generates a captcha for the form
    $first_number=mt_rand(1, 94);//first operation number
    $second_number=mt_rand(1, 5);//second operation number
    $_SESSION["mathCaptcha"]=($first_number+$second_number);//operation result
    $operation=" <b>".encode_str($first_number ." + ". $second_number)."</b>?";//operation, entity-encoded
    echo _("How much is")." ".$operation;
}

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Vulnerable persistent xss and sqli: /content/item-new.php line 41

// idCategory, type, price, idLocation and hasImages are interpolated without quotes, so the escaping done by cP() cannot protect them
$ocdb->insert(TABLE_PREFIX."posts (idCategory,type,title,description,price,idLocation,place,name,email,phone,password,ip,hasImages)",
    "".cP("category").",".cP("type").",'$title','$desc',$price,$location,'".cP("place")."','".cP("name")."','$email','".cP("phone")."','$post_password','$client_ip',$hasImages");
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
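A replacement for mathCaptcha() above, added here as an example and not OpenClassifieds code: the sum is rendered into a PNG instead of being entity-encoded into the HTML, the answer lives only in the session with an expiry, and each challenge can be attempted once. It assumes the GD extension and an already-started session; text in an image is still weak against OCR, so treat this as the minimum fix rather than a strong CAPTCHA.

```php
<?php
// Added example, not OpenClassifieds code. Assumes the GD extension is loaded
// and that session_start() has already been called by the page.

// Generate a sum, keep only the answer (plus an expiry) server-side, and
// return the challenge as PNG bytes. The operands never reach the HTML,
// unlike encode_str(), which merely entity-encodes them.
function mathCaptchaImage(): string {
    $first  = random_int(1, 94);
    $second = random_int(1, 5);
    $_SESSION['mathCaptcha'] = [
        'answer'  => $first + $second,
        'expires' => time() + 300,   // challenge valid for five minutes
    ];

    $img = imagecreatetruecolor(160, 40);
    $bg  = imagecolorallocate($img, 255, 255, 255);
    $fg  = imagecolorallocate($img, 0, 0, 0);
    imagefill($img, 0, 0, $bg);
    // Scatter random pixels so the PNG is not a clean bitmap of a fixed font.
    for ($i = 0; $i < 300; $i++) {
        $noise = imagecolorallocate($img, random_int(0, 200), random_int(0, 200), random_int(0, 200));
        imagesetpixel($img, random_int(0, 159), random_int(0, 39), $noise);
    }
    imagestring($img, 5, 12, 12, "$first + $second = ?", $fg);

    ob_start();
    imagepng($img);
    imagedestroy($img);
    return ob_get_clean();
}

// Validate the posted answer. The stored challenge is removed before the
// comparison so it can be attempted exactly once, and an expired challenge
// is rejected even when the answer is right.
function checkMathCaptcha(string $submitted): bool {
    $stored = $_SESSION['mathCaptcha'] ?? null;
    unset($_SESSION['mathCaptcha']);
    if ($stored === null || time() > $stored['expires']) {
        return false;
    }
    return ctype_digit($submitted) && (int) $submitted === $stored['answer'];
}

// Serving it: header('Content-Type: image/png'); echo mathCaptchaImage();
```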
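The item-new.php insert rewritten as a prepared statement, added here as an example and not OpenClassifieds code: every value is bound at the time of use, the unquoted numeric columns that cP() could never protect are validated and typed, and output escaping is done where the stored text is printed. It assumes a PDO handle $pdo, the original TABLE_PREFIX constant, and a password column wide enough for password_hash() output (CWE-256 in the list above).

```php
<?php
// Added example, not OpenClassifieds code. Assumes a PDO connection in $pdo
// (PDO::ERRMODE_EXCEPTION) and the TABLE_PREFIX constant from the original.

// The SQL text is fixed and every value is a bound parameter, so there is
// nothing for a later stripslashes()/urldecode() to undo, and the numeric
// columns that were interpolated without quotes are validated, not escaped.
function insertPost(PDO $pdo, array $p, string $clientIp): int
{
    foreach (['category', 'type', 'location', 'hasImages'] as $k) {
        if (filter_var($p[$k] ?? null, FILTER_VALIDATE_INT) === false) {
            throw new InvalidArgumentException("$k must be an integer");
        }
    }
    if (filter_var($p['price'] ?? null, FILTER_VALIDATE_FLOAT) === false) {
        throw new InvalidArgumentException('price must be numeric');
    }

    $sql = 'INSERT INTO ' . TABLE_PREFIX . 'posts'
         . ' (idCategory, type, title, description, price, idLocation, place,'
         . '  name, email, phone, password, ip, hasImages)'
         . ' VALUES (:idCategory, :type, :title, :description, :price, :idLocation,'
         . '  :place, :name, :email, :phone, :password, :ip, :hasImages)';
    $stmt = $pdo->prepare($sql);

    $stmt->bindValue(':idCategory', (int) $p['category'],  PDO::PARAM_INT);
    $stmt->bindValue(':type',       (int) $p['type'],      PDO::PARAM_INT);
    $stmt->bindValue(':idLocation', (int) $p['location'],  PDO::PARAM_INT);
    $stmt->bindValue(':hasImages',  (int) $p['hasImages'], PDO::PARAM_INT);
    $stmt->bindValue(':price',      (string) $p['price']); // DECIMAL column
    foreach (['title', 'description', 'place', 'name', 'email', 'phone'] as $k) {
        $stmt->bindValue(":$k", (string) ($p[$k] ?? ''));
    }
    // The original stores the ad password in plaintext (CWE-256); hash it.
    $stmt->bindValue(':password', password_hash((string) ($p['password'] ?? ''), PASSWORD_DEFAULT));
    $stmt->bindValue(':ip', $clientIp);

    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Output escaping also belongs at the time of use: storing JS in the title is
// harmless, printing it unescaped on the front page is the persistent XSS.
function renderTitle(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
```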
Attachment:
openclass_exp.php
Description: application/httpd-php
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/