##########################www.BugReport.ir######################################## # # AmnPardaz Security Research Team # # Title: SphereCMS Blind SQL Injection Vulnerability # Vendor: http://sphere.xlentprojects.se/ # Vulnerable Version: 1.1 alpha (Latest version till now) # Exploitation: Remote with browser # Fix: N/A ################################################################################### #################### - Description: #################### SphereCMS is a CMS which allow managing forum, archive posts, chat like posts (named shoutbox), friend in the site and personal profile. It has one theme, but a buty one. It uses MySQL as its backend DBMS and is written in PHP language. #################### - Vulnerability: #################### +--> Blind SQL Injection The archive page is vulnerable to SQL injection. The GET variable, namely 'view', is not sanitized correctly in the SQL query. This hole can be used for extracting admin password. For deatils see 'Exploits' section. #################### - Exploits/PoCs: #################### +--> Exploiting The (MySQL) Blind SQL Injection: The GET variavle 'view' in archive madule can be used for hacking process. Check URI 'example.com/archive.php?view=***'; SQL query can be placed at '***'. The users password is stored in `xcms_members` table. For extracting password of 'Admin' we could use following SQL injection vector: ?view=17' AND EXISTS (/*%00*/SELECT * FROM xcms_members WHERE username='Admin' AND substr(/*%00*/password,#,1)='@') AND '1'='1 replacing # with 1, 2, 3, ... and @ with different characters. The result page will show the archive post with id '17' on correct and show no archive post if @ was wrong. So the password can be extracted in O(length of encrypted pass)=O(1). +++ Special Technique for Bypassing SphereCMS Security Check: SphereCMS checks all of parameters including 'view' GET parameter before doing any process. In these checks, any parameter which has a pattern like "(*)" will result to "die ()". Also we can not check the password words without parenthesizes (it is required for substr function and there are no substitute solution). For bypassing this check, I consider MySQL and PHP together. The PHP functions will consider all strings JUST untill first null character. Also MySQL support comment syntax like /* the comment */ and before executing any SQL query, these comments will be removed from the query by MySQL. Thus I place a null character within MySQL comment right after each open parenthesis. So when PHP search for parenthesises, it find nothing since it reaches null and finish searching. Also when query is going to be executed, the null character will be removed within the comment (see the '(/*%00*/' in the above SQL injection vector). #################### - Solution: #################### The parameters must be sanitized using the context sensitive sanitizing function provided by MySQL (mysql_real_escape_string), instead of manual sanitizing which is usually error prone. #################### - Original Advisory: #################### http://www.bugreport.ir/index_68.htm #################### - Credit: #################### AmnPardaz Security Research & Penetration Testing Group Contact: admin[4t}bugreport{d0t]ir www.BugReport.ir www.AmnPardaz.com