Author: Janek Vind "waraxe"
Date: 27. September 2007
Location: Estonia, Tartu
Target software description:
SiteX is a versitile web tool that will enable you to start your own
dynamic website in under 5 minutes. Driven by PHP and MySQL, SiteX
consists of components common to most personal and professional websites.
Vulnerabilities: Sql Injection in "search.php"
Let's analyze "search.php" source code:
$search = stripslashes($search);
$search = trim(stripslashes($search));
$sxPhotoResults = sxPhotoSearchResults($search);
As we can see, stripslashes() is used against search string, so that
"magic_quotes" will not help against sql injection. And following function
"sxPhotoSearchResults()" is not sanitizing search string either.
So let's have a test:
and we get nice error message:
SiteX experienced error #1 with an SQL bash readout of : You have an error
in your SQL syntax; check the manual that corresponds to your MySQL server
version for the right syntax to use near
'Brien%' OR SiteX_Photos.name LIKE '%O'Brien%' OR
SiteX_Photos.description LIKE '' at line 2
Yep, sql injection exists here. Now, some facts about this injection:
1. This seems to be exploitable only as blind sql injection. I have written
proof-of-concept exploit for this and it is working as expected.
2. "magic_quotes" does not matter, because "stripslashes()" is used.
3. "register_globals" is not important either, because attack comes from "$_GET".
Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb
and all other people who know me!
Greetings to Raido Kerna.
Tervitusi Torufoorumi rahvale!
Janek Vind "waraxe"
Copyright © by Waraxe IT Security Portal All Right Reserved.
Published on: 2007-09-27 (7734 reads)[ Go Back ]