Search SQL injection

Exploit

badc0re
#1 2011-09-18 19:14

Hi, I want to report a SQL injection.

The request:

GET http://localhost/cotonti/index.php?e=search&sq=%5C'%5C'%5C'%5C'%5C'&rs%5Bsetlimit%5D=0&rs%5Bday%5D=18&rs%5Bmonth%5D=9&rs%5Byear%5D=2010&rs%5Bday%5D=18&rs%5Bmonth%5D=9&rs%5Byear%5D=2011&rs%5Bsetuser%5D=&rs%5Bpagsub%5D%5B%5D=all&rs%5Bpagtitle%5D=1&rs%5Bpagdesc%5D=1&rs%5Bpagtext%5D=1&rs%5Bpagsort%5D=date&rs%5Bpagsort2%5D=ASC&rs%5Bfrmsub%5D%5B%5D=all&rs%5Bfrmtitle%5D=1&rs%5Bfrmtext%5D=1&rs%5Bfrmsort%5D=updated'INJECTED_PARAM'INJECTED_PARAM&rs%5Bfrmsort2%5D=ASC HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://localhost/cotonti/index.php?e=search&sq=%27%27%27%27%27&rs[setlimit]=0&rs[day]=18&rs[month]=9&rs[year]=2010%271%27&rs[day]=18&rs[month]=9&rs[year]=2011&rs[setuser]=&rs[pagsub][]=all&rs[pagtitle]=1&rs[pagdesc]=1&rs[pagtext]=1&rs[pagsort]=date&rs[pagsort2]=ASC&rs[frmsub][]=all&rs[frmtitle]=1&rs[frmtext]=1&rs[frmsort]=updated&rs[frmsort2]=ASC
Cookie: PHPSESSID=bnq658i0omp7t3u654i85llj51
Content-length: 0
 
 
Result:

2011-09-18 19:03

Fatal error: SQL error 42S22: Column not found: 1054 Unknown column 'ft_updatedINJECTED_PARAMINJECTED_PARAM' in 'order clause'

#0  cot_diefatal(SQL error 42S22: Column not found: 1054 Unknown column 'ft_updatedINJECTED_PARAMINJECTED_PARAM' in 'order clause') called at [D:\xampp2\htdocs\cotonti\system\database.php:436]
#1  CotDB->query(SELECT SQL_CALC_FOUND_ROWS p.*, t.*
			 	FROM cot_forum_posts AS p, cot_forum_topics AS t
				WHERE t.ft_cat IN ('pub','general','offtopic') AND (t.ft_title LIKE '%\\\\\\\'\\\\\\\'\\\\\\\'\\\\\\\'\\\\\\\'%' OR p.fp_text LIKE '%\\\\\\\'\\\\\\\'\\\\\\\'\\\\\\\'\\\\\\\'%') AND p.fp_topicid = t.ft_id
				GROUP BY t.ft_id ORDER BY ft_updatedINJECTED_PARAMINJECTED_PARAM ASC
				LIMIT 0, 50) called at [D:\xampp2\htdocs\cotonti\plugins\search\search.php:367]
#2  include(D:\xampp2\htdocs\cotonti\plugins\search\search.php) called at [D:\xampp2\htdocs\cotonti\system\plugin.php:94]
#3  require_once(D:\xampp2\htdocs\cotonti\system\plugin.php) called at [D:\xampp2\htdocs\cotonti\index.php:92]

On version 9.4
esclkm
#2 2011-09-18 19:36

But where was the injection??? This field has an ALP filter, which filters for [A-Za-z0-z_] only. Try to inject.

littledev.ru - my little nascent blog about Cotonti.
Reducing the cost of programming and reducing the cost of production are different things. The former is more comparable to handing out cheap tools to workers than to cutting wages.
badc0re
#3 2011-09-18 21:36
#30749 esclkm:

But where was the injection??? This field has an ALP filter, which filters for [A-Za-z0-z_] only. Try to inject.


Added 2 minutes later:

Well, the search is vulnerable. Try it yourself.

Maybe it's not exploitable but it could lead to information extraction.

This post was edited by badc0re (2011-09-18 21:46, 12 years ago)
Trustmaster
#4 2011-09-21 07:34

It is more path disclosure than SQL injection, but thank you for the report!

May the Source be with you!
badc0re
#5 2011-09-21 10:00

Take a look at 

#0  cot_diefatal(SQL error 42S22: Column not found: 1054 Unknown column 'ft_updatedINJECTED_PARAMINJECTED_PARAM' in 'order clause')

And

GROUP BY t.ft_id ORDER BY ft_updatedINJECTED_PARAMINJECTED_PARAM ASC

It looks like SQL injection to me.
Trustmaster
#6 2011-09-21 11:45

It's little harm anyway, and it'll be fixed in 0.9.5. Thank you once again for the report!

badc0re
#7 2011-09-21 13:07

No problem man.

GHengeveld
#8 2011-09-22 17:18

Actually, this isn't really a problem. Production sites should have error reporting disabled, so it won't show the SQL error or backtrace. Nevertheless, it's good to report these things.
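The two technical points in this thread are esclkm's observation that the sort field passes through a character filter (so the quotes in `rs[frmsort]` are stripped and only an identifier reaches the query) and GHengeveld's point that the real leak is the backtrace. The PHP below is an added example written for this thread, not Cotonti's own code: `alp_filter` is my reconstruction of a keep-only-`[A-Za-z0-9_]` filter, the column map in `order_clause_allowlisted` is assumed (only `ft_updated` and `ft_title` appear in the report's backtrace), and `handle_db_error` is a hypothetical error handler. Running the filtered variant on the reported value yields the same `ft_updatedINJECTED_PARAMINJECTED_PARAM` column name that the backtrace shows, while the allowlisted variant never lets request data into the identifier at all.

```php
<?php
// Added example, not code from the Cotonti project.
// Constructed copy of the rs[frmsort] value from the reported request.
$userSort = "updated'INJECTED_PARAM'INJECTED_PARAM";

/**
 * Character filter in the spirit of the "ALP" filter named in the thread:
 * keeps only [A-Za-z0-9_]. Reconstruction for this example, not Cotonti's function.
 */
function alp_filter(string $value): string
{
    return preg_replace('/[^A-Za-z0-9_]/', '', $value);
}

/**
 * Sort column built by prefixing the filtered request value.
 * The filter removes the quotes, so no SQL syntax gets through, but the
 * identifier is still attacker-chosen: MySQL rejects it with
 * "Unknown column ... in 'order clause'", which is what the report shows.
 */
function order_clause_filtered(string $sort, string $dir): string
{
    $column = 'ft_' . alp_filter($sort);
    $dir = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
    return "ORDER BY $column $dir";
}

/**
 * Allowlist approach: the request value is only a key into a fixed map of
 * column names chosen by the application. Unknown keys fall back to the
 * default, so the identifier in the query is never derived from user input.
 */
function order_clause_allowlisted(string $sort, string $dir): string
{
    // Assumed map for this example; only these two columns appear in the report.
    static $columns = [
        'updated' => 'ft_updated',
        'title'   => 'ft_title',
    ];
    $column = $columns[$sort] ?? $columns['updated'];
    $dir = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
    return "ORDER BY $column $dir";
}

/**
 * Hypothetical error handler: log the SQL error and its backtrace server-side
 * and return a generic message, so file paths such as the ones in the report
 * never reach the client unless debug mode is explicitly on.
 */
function handle_db_error(Throwable $e, bool $debug): string
{
    error_log($e->getMessage() . "\n" . $e->getTraceAsString());
    return $debug ? $e->getMessage() : 'A database error occurred.';
}

echo order_clause_filtered($userSort, 'ASC'), "\n";
echo order_clause_allowlisted($userSort, 'ASC'), "\n";
```

The direction argument is handled the same way in both variants: it is compared against two literals rather than interpolated, which is the same allowlist idea applied to `ASC`/`DESC`.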