Savascript Source Code

Bluethrust Remote Code Execution Vulnerability & Exploitation

In summary: lack of knowledge always leads to vulnerability.

Hello

BluethrustClanScript is another PHP application for game players and clans (http://www.bluethrust.com/download). I had so much fun while reviewing the code.

Analysis

As I said before, in the Concrete5 RCE write-up, installation modules usually lead to code injection vulnerabilities. Let's start the code review with the installation system again.

The following code is taken from installer/index.php, lines 60 to 93.

The application needs to be sure that _config.php exists and is writable. This is a usual procedure. Then it tries to include the different installation steps depending on the $_GET['step'] parameter.

The installation process is summarized below.

step1.php = takes the database credentials form from the user, then redirects the user to step2.php

step2.php = administrator account fields are here, then redirects the user to step3.php

step3.php = checks the database credentials one more time, writes them into the config.php file, then creates the tables, columns, etc.

Now we will have a look at the step3.php code.

Lines 5 to 15: as I said before, the application checks the database credentials one more time and sets tableprefix. We will use tableprefix later; it will help our cause.

Lines 16 to 90 are not very important for us. But lines 87 to 96 are!

It includes steps/configtemplate.php, which is the template for config.php's content, then writes $configInput into the _config.php file. Now it's time to analyze the configtemplate.php file.

Obviously, lines 3-4 and 6-7 were written to prevent PHP code injection. Let me describe each of these variables.

$_POST['dbpass'] = unsuitable for code injection because of lines 3-4.

$_POST['adminkey'] = unsuitable for code injection because of lines 3-4.

$_POST['dbhost'] = we cannot use a double quote inside a URL/IPv4 address.

$_POST['dbuser'] = suitable!

$_POST['dbname'] = suitable!

We can create a database named like ";system($_SERVER[HTTP_CMD]);$f=". You can see that this is a valid database name in the following part.

BUT there is one problem! We need to pass lines 5 to 15 of step3.php, as explained above. In order to pass that second database credentials verification, we need to supply valid credentials. Code injection through DB_NAME can be complicated because of the syntax: after the installation process the application needs to connect to the database, but if we inject via DB_NAME or DB_USER, the application will crash.

Let me clarify. Suppose we used DB_NAME for PHP code injection. Then config.php looks like this:

Even if you pass the step3.php database credentials verification, the application will crash after the installation process, because it needs to see ";system($_SERVER[HTTP_CMD]);$f=" as the database name but gets an EMPTY value because of the config file syntax manipulation.

I decided to use $_POST['tableprefix'] for PHP code injection, because the application needs to write it into the config file too (line 26 of configtemplate.php).
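As an added example (not BlueThrust's code or code from the original post), the snippet below puts the template's pattern, a POST value concatenated straight into a PHP string literal, next to a hardened writer, an input whitelist and a tokenizer check that flags a generated line containing more than one statement. Function names are my own; the hostile value is constructed from the payload discussed above.

```php
<?php
// Added example (not BlueThrust's own code). It contrasts the installer
// pattern described above, where a POST value is concatenated straight into
// PHP source, with a writer that emits the value as a proper PHP literal.

// Vulnerable pattern, like configtemplate.php: $dbprefix = "".$_POST['tableprefix']."";
// A double quote in the input closes the literal and the rest becomes code.
function unsafe_config_line(string $name, string $value): string
{
    return '$' . $name . ' = "' . $value . '";' . "\n";
}

// Hardened: var_export() produces a single-quoted literal with ' and \ escaped,
// so the value can never terminate the string, whatever it contains.
function safe_config_line(string $name, string $value): string
{
    return '$' . $name . ' = ' . var_export($value, true) . ';' . "\n";
}

// Defence in depth: a table prefix only ever needs identifier characters,
// so reject anything else before it reaches the config writer at all.
function valid_table_prefix(string $prefix): bool
{
    return preg_match('/^[A-Za-z0-9_]{0,16}$/', $prefix) === 1;
}

// Post-generation check: tokenize the line and confirm it is exactly one
// statement. Injected code shows up as extra ';' tokens outside the literal.
function is_single_assignment(string $line): bool
{
    $count = 0;
    foreach (token_get_all("<?php\n" . $line) as $token) {
        if ($token === ';') {
            $count++;
        }
    }
    return $count === 1;
}

// Constructed input shaped like the payload discussed in the article.
$hostile = '";system($_SERVER[HTTP_CMD]);$f="';

echo "prefix accepted: ", valid_table_prefix($hostile) ? 'yes' : 'no', "\n";
echo "unsafe: ", unsafe_config_line('dbprefix', $hostile);
echo "  single statement? ", is_single_assignment(unsafe_config_line('dbprefix', $hostile)) ? 'yes' : 'no', "\n";
echo "safe:   ", safe_config_line('dbprefix', $hostile);
echo "  single statement? ", is_single_assignment(safe_config_line('dbprefix', $hostile)) ? 'yes' : 'no', "\n";
```

Run with `php` on the command line: the unsafe line tokenizes into three statements while the var_export line stays one, and the whitelist rejects the value before either writer is reached.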

EXPLOITATION

The application says "We will remove installation folder after your first visit main page.." but after installation completes it never tries to remove it. It could not remove it even when all permissions were 777. So you can call the installation process on already installed web sites.

In order to exploit without any crash you need to call step3.php twice. The first call initializes the database without any string manipulation. The second call updates config.php with the code injection.

Also, in order to exploit this vulnerability, you need to supply valid database credentials. You can use www.freesqldatabase.com for free. That company offers a free MySQL server limited to 5 MB, with remote connections available on port 3306.

First Request

The first request has to look like the following example. When the application gets this request, it will connect to the database and create the tables with the given prefix, which is null in the first request!

Second Request

After the first request, the application completes the installation process without any error. If you open the main page in your browser, you won't see any crash. Now it's time for the second request, but this time we will do the string manipulation via the prefix variable.

When this request arrives at the application, it will start a new process to create the tables with the given prefix. But this time it will create tables with the manipulated prefix value. When the process finishes, we have two sets of tables in the database. Let me show some of the tables to clarify.

Let's look at the config file. It looks like the following example.

The application gets an EMPTY value for $dbprefix, but it's not a problem because we have two different prefixes in our database. This is the magic trick for successful exploitation without any crash!

And it's done! You can call http://localhost/BTCSv4-R13/_config.php as in the following HTTP request example to execute a command.

METASPLOIT MODULE

I developed a Metasploit module. You can find it at the following link:

https://github.com/mmetince/metasploit-framework/blob/21c9031161fa99dd1aa5c162bb94562f79ccf5ba/modules/exploits/unix/webapp/bluethrust_install_exec.rb


The source can also be found here. But changes won't be reflected here, so please follow the GitHub account.


RESULTS

In this write-up we see that the developers of BlueThrust thought: "Users cannot manipulate DB names or the prefix; it would probably cause a database syntax error."

Every input controlled by a human is untrustworthy.

Feel free to ask questions or write a comment.

  • Robin Dimyanoğlu

    Sir, well done, but I have a question.
    You said that when an input like ";system($_SERVER[HTTP_CMD]);$f=" is
    entered into the $dbname variable, the part after "; is treated as PHP
    code, so the $dbname variable appears empty and it gives an error when
    connecting to the database. Well, if we put our DB name in front of the
    actual exploit by escaping through it, is it possible to avoid this?

    e.g.: ";system($_SERVER[HTTP_CMD]);$f="";system($_SERVER[HTTP_CMD]);$f="
    or: " . '";system($_SERVER[HTTP_CMD]);$f="' ;system($_SERVER[HTTP_CMD]);$f="

    Thanks in advance.

    • Hello,

      Thank you for reading the article and thinking it through. When I was preparing this article, or more precisely while developing the Metasploit module, my goal was to use the method that triggers the exploit directly. After the PHP code injection attack on config.php, the process actually works exactly as we want. To establish the database connection, config.php is executed first, and the code we injected runs right there. Whether the application crashes afterwards does not concern us much. If you want to perform the exploitation directly without a crash, after doing the code injection at the $dbprefix = "".$_POST['tableprefix'].""; part you can redefine the $dbprefix variable to override the previous EMPTY value.

      Thank you too.