lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <5687B7B7.6090404@gmail.com>
Date: Sat, 2 Jan 2016 17:12:47 +0530
From: Rahul Pratap Singh <techno.rps@...il.com>
To: bugtraq@...urityfocus.com
Subject: Open Audit SQL Injection Vulnerability

#Exploit Title   : Open Audit SQL Injection Vulnerability
#Exploit Author  : Rahul Pratap Singh
#Date            : 2/Jan/2016
#Home page Link  : https://github.com/jonabbey/open-audit
#Website	 : 0x62626262.wordpress.com
#Twitter         : @0x62626262
#Linkedin        : https://in.linkedin.com/in/rahulpratapsingh94

1. Description

"id" field in software_add_license.php is not properly sanitized, that
leads to SQL Injection Vulnerability.

"pc" field in delete_system.php, list_viewdef_software_for_system.php
and system_export.php is not properly sanitized, that leads to SQL
Injection Vulnerability.


2. Vulnerable Code:

software_add_license.php: ( line 12 to 13)

$sql = "SELECT * from software_register WHERE software_reg_id = '" .
$_GET["id"] . "'";
$result = mysql_query($sql, $db);


delete_system.php: ( line 5 to 10)

  if (isset($_GET['pc'])) {

    $link = mysql_connect($mysql_server, $mysql_user, $mysql_password)
or die("Could not connect");
    mysql_select_db("$mysql_database") or die("Could not select database");
    $query = "select system_name from system where system_uuid='" .
$_GET['pc'] . "'";
    $result = mysql_query($query)  or die("Query failed at retrieve
system name stage.");


list_viewdef_software_for_system.php: ( line 2 to 3)

$sql = "SELECT system_os_type FROM system WHERE system_uuid = '" .
$_REQUEST["pc"] . "'";
$result = mysql_query($sql, $db);


system_export.php: ( line 108 to 112)

if(isset($_REQUEST["pc"]) AND $_REQUEST["pc"]!=""){
  $pc=$_REQUEST["pc"];
  $_GET["pc"]=$_REQUEST["pc"];
  $sql = "SELECT system_uuid, system_timestamp, system_name FROM system
WHERE system_uuid = '$pc' OR system_name = '$pc' ";
  $result = mysql_query($sql, $db);

Download attachment "0x9ACF7D5F.asc" of type "application/pgp-keys" (3134 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ