[*] Got answer with 1 answers, 0 authorities
[*] Got an A record: ns90.worldnic.com. 172794 IN A 205.178.144.45
[*] Checking Authoritativeness: Querying 205.178.144.45 for example.com....
[*] ns90.worldnic.com. is authoritative for example.com., adding to list of nameservers to spoof as
[*] Attempting to inject a poison record for pwned.example.com. into A.B.C.D:48178...
[*] Sent 1000 queries and 20000 spoofed responses...
[*] Sent 2000 queries and 40000 spoofed responses...
[*] Sent 3000 queries and 60000 spoofed responses...
[*] Sent 4000 queries and 80000 spoofed responses...
[*] Sent 5000 queries and 100000 spoofed responses...
[*] Sent 6000 queries and 120000 spoofed responses...
3.1. *Predictable DNS query ID*
[CVE-2010-1689 | 39908] Prior to MS10-024 the Windows SMTP Service
generated DNS queries with trivially guessable values in the transaction
ID field. The issue was addressed in MS10-024 by adding a call to the
'CAsyncDns::GenerateRandWord' method when building the DNS query.
3.2. *Missing validation of DNS responses*
</iq>
----- /HTTP POST request -----------------------------------------------
It is evident that SQL expressions are used to find matching items and
order the results. Using the information provided within the POST
request, two SQL queries are constructed and executed on the database
(relevant user-controlled parts marked with a leading ">"):
----- Query 1 ----------------------------------------------------------
Select EVN_ID, EVNRCR_ID, evntitle, evnnote, evnlocation, evnstartdate,
evnstarttime, evntype, evncolor, evncomplete
References: Microsoft Security Bulletin MS07-062, CVE-2007-3898
2) Vulnerability Description
Microsoft DNS server generates predictable DNS transaction IDs. If the
server is configured to allow recursive queries it is possible to insert
fake records in the DNS cache (DNS cache poisoning) by guessing the next
transaction ID that the server will use and sending a spoofed DNS reply
to the server. To observe the transaction IDs an attacker needs to
control a DNS server that is authoritative for some domain and to be
able to send recursive queries to the caching Microsoft DNS server.
of DNS Cache. The result of this exploitation is cache poisoning/overwriting
with new entries. The exploitation happens by querying a DNS server that
either supports recursion or is configured with forwarders, for non-existent
hostnames for a target domain. Along with the queries are fake reply/replies
with static Transaction ID(s). Every query will generate another query from
the DNS server with a random TXID. If one of the replies contains this
specific TXID, the cache
1. SQL injection vulnerability in "account-inbox.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. unsanitized user-submitted parameter "origmsg" is used in an SQL query
Preconditions:
1. attacker must be logged in as valid user
Test:
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in SiT! Support Incident Tracker, which can be exploited to perform SQL injection, cross-site scripting and cross-site request forgery attacks.
1) Input passed via the "start" GET parameter to /portal/kb.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http://[host]/portal/kb.php?start=SQL_CODE_HERE
without any authorization. Source code snippet:
-----------------[ source code start ]---------------------------------
include ("../includes/injectionprevention.php");
$ID = numericquery($_POST["ID"]) ;
if (isset($ID)) {
$Password = preventinjection($_POST["Password"]);
$Password2 = md5($Password);
which is executed in a user's browser session in the context of an
affected site when the malicious entry is viewed.
15) Input passed to the "campaignid" parameter in "www/admin/banner-acl.php",
"www/admin/campaign-edit.php", and "www/admin/banner-edit.php" is not
properly sanitised before being used in SQL queries. This can be exploited
to manipulate SQL queries by injecting arbitrary SQL code.
16) Input passed to the "bannerid" parameter in "www/admin/banner-acl.php"
is not properly sanitised before being used in SQL queries.
-------------------------
Invision Power Board (IPB) is a professional forum system that has been built
from the ground up with speed and security in mind, taking advantage of object
oriented code, highly-optimized SQL queries, and the fast PHP engine. A
comprehensive administration control panel is included to help you keep your
board running smoothly. Moderators will also enjoy the full range of options
available to them via built-in tools and moderators control panel.
http://www.trivantis.com
Vendor notified on 12-13-07 and the product development manager was uncooperative and hung up on us.
Sample Query Logs from Exploiter Beta:
======================================
QUERY = SELECT MIN(isnull(name,'')) FROM syscolumns WHERE xtype NOT IN (173,34,98,165,60) AND id=(SELECT id FROM sysobjects WHERE name='Admin')
Column found: table=Admin, column=ID
QUERY = SELECT MIN(isnull(name,'')) FROM syscolumns WHERE xtype NOT IN (173,34,98,165,60) AND id=(SELECT id FROM sysobjects WHERE name='Admin') AND name>'ID'
Column found: table=Admin, column=LastLogin
Summary
=======
Multiple Cisco products are vulnerable to DNS cache poisoning attacks
due to their use of insufficiently randomized DNS transaction IDs and
UDP source ports in the DNS queries that they produce, which may allow
an attacker to more easily forge DNS answers that can poison DNS caches.
To exploit this vulnerability an attacker must be able to cause a
vulnerable DNS server to perform recursive DNS queries. Therefore, DNS
servers that are only authoritative, or servers where recursion is not
malicious people to conduct SQL injection and script insertion
attacks.
1) Input passed via the "login" parameter to index.php is not properly
sanitised before being used in an SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.
2) Input passed via the "login" and "password" parameters to index.php
is not properly sanitised before being displayed to the user. This can
be exploited to insert arbitrary HTML and script code, which will be
executed in a user's browser session in context of an affected site
http://[host]/exportcsv/exportcsv_index.php?action=export_page&module=../../../../tmp/file
Successful exploitation of this vulnerability requires the attacker to be registered and logged in.
2) Input passed via the "sel_domain_id" POST parameter to /obm.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
<form action="http://[host]/obm.php" method="post">
, 193.0.14.129
, 198.32.64.12
, 202.12.27.33
;
timeout = 5;
uptest = query; # Test availability using empty DNS queries.
interval = 30m; # Test every half hour.
ping_timeout = 300; # Test should time out after 30 seconds.
purge_cache = off;
exclude = .localdomain;
policy = included;
You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near 'waraxe'' at line 1
Query: DELETE FROM mybb_joinrequests WHERE uid IN(-1) AND gid=''waraxe'
Reason - incoming variables "request" and "gid" are not properly sanitized
before being used in SQL queries.
How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Help Desk Software, which can be exploited to perform SQL injection, cross-site scripting and cross-site request forgery attacks.
1) Input passed via the user POST parameter to index.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
<form action="http://[host]/index.php" method="post">
Description
===========
Amit Klein from Trusteer reported that the random number generator of
ISC BIND leads, half the time, to predictable (1 chance in 8) query IDs
in the resolver routine or in zone transfer queries (CVE-2007-2926).
Additionally, the default configuration file has been strengthened with
respect to the allow-recursion{} and the allow-query{} options
(CVE-2007-2925).
Impact
people to conduct SQL injection attacks.
1) Input passed via the "bid[]" parameter to index.php (when "option"
is set to "com_booklibrary" and "task" is set to "lend_request") is
not properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
2) Input passed via the "bid[]" parameter to index.php (when "option"
is set to "com_booklibrary" and "task" is set to "save_lend_request")
is not properly sanitised before being used in a SQL query. This can
be exploited to manipulate SQL queries by injecting arbitrary SQL
The following PoC code is available:
http://[host]/index.php?message=1&message_type=%22%20onmouseover=alert%28document.cookie%29%3E
4) Input passed via the "user2" GET parameter to ask_information.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http://[host]/ask_information.php?common_lessons=1&user1=professor&user2=%27%20union%20select%201,version%28%29%20--%20
http://[host]/commande/index.php/%22%3E%3Cimg%20src=1%20onerror=javascript:alert%28document.cookie%29%3E
Successful exploitation of these vulnerabilities requires that Apache's directive "AcceptPathInfo" is set to "on" or "default" (the default value is "default").
2) Input passed via the "sortfield", "sortorder" and "sall" GET parameters to /user/index.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http://[host]/user/index.php?sall=1%%27%29%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14%20--%20
http://[host]/user/index.php?begin=search_user=&sall=&&sortfield=SQL_CODE_HERE
GET /phpshop/admpanel/ HTTP/1.1
Cookie: log="><script>alert(document.cookie)%3b</script>
7) Input passed via the "id" GET parameter to /phpshop/admpanel/catalog/adm_catalog_new.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http://[host]/phpshop/admpanel/catalog/adm_catalog_new.php?id=3%20AND%201=1
WAS Samples:
2. PlantsByWebSphere Sample multiple XSS vulnerabilities.
3. JAX-WS Web Services MTOM Sample XSS vulnerability.
4. JAX-WS Web Services Ping and Echo Sample multiple XSS vulnerabilities.
5. Dynamic Query - Employee Finder Sample multiple XSS vulnerabilities.
6. Dynamic Query - EJB Data Mediator Service Sample XSS vulnerability.
7. Application Profile - Account Management Sample multiple XSS vulnerabilities.
8. Scheduler Account Report Sample multiple XSS vulnerabilities.
Cisco Security Advisory: Open Query Interface in Cisco Unified
Communications Manager and Cisco Unified Presence Server
Advisory ID: cisco-sa-20110824-cucm-cups
Revision 1.0
II. DESCRIPTION
_______________
Some parameters are not properly sanitised before being
used in SQL queries.
III. ANALYSIS
_____________
> Description:
> Zen Cart is a full featured open source ecommerce web application
> written in php that allows users to build, run and promote their
> own online store. Unfortunately there are multiple SQL Injection
> issues in Zen Cart that may allow an attacker to execute arbitrary
> SQL queries on the underlying database. This may allow for an attacker
> to gather username and password information, among other things. An
> updated version of Zen Cart has been released to address these
> issues and users are encouraged to upgrade as soon as possible.
>
>
request to send a valid response.
II. Problem Description
The BIND DNS implementation does not randomize the UDP source port when
doing remote queries, and the query id alone does not provide adequate
randomization.
III. Impact
The lack of source port randomization reduces the amount of data the
Many developers still rely on escaping user input by adding backslashes (for example with magic_quotes_gpc or addslashes() in PHP), although it is well known that escaping input with a backslash is not sufficient to prevent SQL injection attacks, for many different reasons.
One of those reasons is that MS Access uses a different method to escape an apostrophe ('): it is doubled ('') rather than prefixed with a backslash (\').
It is true that injection takes place easily in this case, but leveraging it is not so easy with the traditional injection technique, since the excess backslash corrupts the query structure and causes an error (actually "Syntax error (missing operator) in query expression...").
For example consider this query:
SELECT * FROM Users WHERE Username = '$user' AND Password = '$pass'