Drupal Security Scanner

DPscan.py to DrupalScan

Recently I needed a simple "Drupal security scanner" that enumerates all modules of a Drupal project so I can do a source code audit on them. The only things I could find for this were some you-have-to-be-a-member sites and a script called WPscan.py. Because the author's site for the script was not accessible, I decided to write my own little tool in Ruby which can easily be plugged into another project I'm currently realising.

DrupalScan

DrupalScan can be installed via rubygems:

Installation of DrupalScan
$ gem install DrupalScan

You can also find this project on github.

After installation you can use it directly in the command line or by requiring the lib.

Cracking Salted MD5 With Hashcat

Some days ago during a pentest I found a critical SQL injection vulnerability which gave me access to the user database. Most of the time finding this kind of vulnerability and extracting some data from the database is enough as a proof of concept, but in this particular pentest I needed to gain access to the backend administration.

Sadly there was no way to insert data into the user table, so it was not possible to create an admin account for myself. I decided to dump a few entries from the user table and take a look at how the passwords were stored. The user table was in the format

Database dump (format)
USERNAME;EMAIL;RIGHTS;SALT;HASH

Move to Octopress

The why

Because I'm always interested in trying new things and I recently stumbled upon Octopress, a blogging framework powered by Jekyll, I managed to switch this weekend and import the little heap of my old posts.

Another reason for this move is that I want to write more for my blog than I have until now. Because writing a post with my old blogging software was more time-consuming than it should be, I hope that the easy publishing workflow Octopress offers will increase my motivation to post something.

A lot of people have already written about their move to Octopress from all kinds of blogging systems, so I'm trying not to repeat that. One good article I can recommend is the one by Matt Gemmell.

The move

The setup and configuration was really easy. After the initial setup and theme customization (I slightly modified the oct2 theme) I had this blog ready in under half an hour. Importing my old posts was also easily done, because the old blogging software I wrote myself in Python already used Markdown syntax, so I only had to make a few small changes.

The only thing I had to fix was a bug in the github.js script which occurred because GitHub deactivated their old APIs (v1 and v2). The fix was already posted on GitHub and can be found here. Just copy the diff into the ./source/javascripts/ dir and apply it using patch:

Fix github.js
cp github.js.diff rvblog/source/javascripts/
cd rvblog/source/javascripts/   # patch must run where github.js lives
patch < github.js.diff

After this fix your GitHub sidebar should work as intended. Because I currently have no interesting GitHub repos to show, I decided to disable it for now. Maybe I will reactivate it later when there is more to show.

Important: Please update your feed subscription to this Feedburner link.

EPLUS Group (Mobile Network Operator) Security Issue (SMS Flood, MSISDN Verification)

Some months ago (16th of Sep.) I found a security issue on an EPLUS service page, which allows you to send as many SMS as you want to their customers (only numbers from the EPLUS group are affected) with a special message.

During my tests I found that the only limit you face when sending SMS is the bandwidth of your connection/their server. The SMS is sent from a service hotline number and cannot be traced back to you. The SMS sending is triggered by a simple GET request to their server.

"E-PLUS SMS Flood"

Simple GET/POST Crawler in Python

Some weeks ago I wrote a little tool to support me when analysing web pages. The Python tool recursively crawls all links from a page, collects the GET parameters and filters out the form data. Simple!

Advanced INSERT INTO Injection by Taking Advantage of the Primary Key

The idea

I recently found a security issue in myBloggie. Injecting malicious code into the SQL statement was quite simple; the only thing you had to do was bypass the URL validation regex by submitting a real URL merged with an injection string:

functions.php - line 750-762
<?php
// [...]
function validate_url($url) {
  if ( ! preg_match('#^http\\:\\/\\/[a-z0-9\-]+\.([a-z0-9\-]+\.)?[a-z]+#i', $url, $matches) ) {
      return false;
  } else {
      return true;
  }
}
// [...]
?>

As you can see, the regular expression anchors the beginning (^) and matches the URL (http...), but fails to anchor the end ($) of the passed $url, so anything may follow a valid-looking host, which makes injection of malicious code possible:

trackback.php?foo=bar&url=http://example.com'Injetion
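To make the anchoring point concrete, here is an added example (not myBloggie code and not from the original post) that transcribes the unanchored pattern from validate_url() into Python, shows that it accepts a URL with trailing junk, and places a hardened variant next to it. The hardened pattern, the urlsplit check and the parameterised INSERT are my assumptions about how the fix should look, not the vendor's patch; the table name and columns are constructed for the demo.

```python
import re
import sqlite3
from urllib.parse import urlsplit

# The page's pattern from myBloggie's validate_url(), transcribed from the PHP
# single-quoted string; the trailing 'i' flag becomes re.IGNORECASE.
# It anchors the start (^) but not the end, so it only checks a prefix.
UNANCHORED = re.compile(r"^http\:\/\/[a-z0-9\-]+\.([a-z0-9\-]+\.)?[a-z]+", re.IGNORECASE)

# Hardened variant (assumption, not myBloggie code): anchor both ends and
# restrict everything after the host to ordinary URL characters. A single
# quote is deliberately not in the allowed set.
ANCHORED = re.compile(
    r"^https?://[a-z0-9\-]+(\.[a-z0-9\-]+)*\.[a-z]+(:\d+)?"
    r"(/[a-z0-9\-._~%!$&()*+,;=:@/?]*)?$",
    re.IGNORECASE,
)


def validate_url_unanchored(url: str) -> bool:
    """Behaviour of the original check: a valid prefix is enough to pass."""
    return UNANCHORED.match(url) is not None


def validate_url_anchored(url: str) -> bool:
    """Anchored regex first, then a structural check with urlsplit."""
    if ANCHORED.fullmatch(url) is None:
        return False
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the comment table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, post_id INTEGER,"
        " home TEXT, comment_type TEXT)"
    )
    return conn


def store_trackback(conn: sqlite3.Connection, post_id: int, home_url: str) -> int:
    """Validate, then insert with bound parameters so the URL is data, never SQL.

    Returns the primary key of the stored row; raises ValueError on a bad URL.
    """
    if not validate_url_anchored(home_url):
        raise ValueError("rejected trackback url: %r" % home_url)
    cur = conn.execute(
        "INSERT INTO comments (post_id, home, comment_type) VALUES (?, ?, ?)",
        (post_id, home_url, "trackback"),
    )
    conn.commit()
    return cur.lastrowid


def stored_home(conn: sqlite3.Connection, row_id: int) -> str:
    """Read back what was actually stored for a row (shows the literal round trip)."""
    return conn.execute("SELECT home FROM comments WHERE id = ?", (row_id,)).fetchone()[0]


if __name__ == "__main__":
    # Constructed sample inputs: the page's injection string and a clean URL.
    for candidate in ("http://example.com'Injetion", "http://example.com/blog/post?id=1"):
        print(candidate, "unanchored:", validate_url_unanchored(candidate),
              "anchored:", validate_url_anchored(candidate))
    db = setup_db()
    rid = store_trackback(db, 1, "http://example.com/blog/post?id=1")
    print("stored row", rid, "->", stored_home(db, rid))
```

The two layers are independent: the anchored regex rejects the trailing junk at the input boundary, and the bound parameters mean that even a string that slipped past validation would be stored as a literal value rather than spliced into the statement.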

The whole SQL statement with the injected string now looks something like this:

INSERT INTO ".COMMENT_TBL." SET post_id='$tb_id',
                                comment_subject='$title',
                                comments='$excerpt',
                                com_tstamp='$timestamp',
                                poster='$blog_name',
                                home='http://example.com'Injetion
                                comment_type='trackback';

I wondered how this could be exploited and thought of sending several requests and playing with the primary key.

myBloggie 2.1.6 SQL-Injection and Persistent XSS

Information

Software: myBloggie 2.1.6
Severity: High
Author: Robin Verton
Date: Jun. 12 2011
Vendor: http://mybloggie.mywebland.com/

Software Description

“myBloggie is considered one of the most simple, user-friendliest yet packed with features Weblog system available to date.”

Issue details

myBloggie 2.1.6 is - again - prone to a SQL injection vulnerability in the trackback function. It is possible to add a malformed URL to a trackback, so malicious code can be injected to insert or read out data from the database.

An unsafe regular expression which does not properly check the passed trackback URL can be bypassed to inject malicious data into an INSERT INTO statement, resulting in a persistent cross-site scripting vulnerability, or it can be used to read out sensitive data (see 'Advanced INSERT INTO exploitation by taking advantage of the primary key' described here [1]).