Exploit
badc0re

Hi, I want to report a SQL injection. The request:

GET http://localhost/cotonti/index.php?e=search&sq=%5C'%5C'%5C'%5C'%5C'&rs%5Bsetlimit%5D=0&rs%5Bday%5D=18&rs%5Bmonth%5D=9&rs%5Byear%5D=2010&rs%5Bday%5D=18&rs%5Bmonth%5D=9&rs%5Byear%5D=2011&rs%5Bsetuser%5D=&rs%5Bpagsub%5D%5B%5D=all&rs%5Bpagtitle%5D=1&rs%5Bpagdesc%5D=1&rs%5Bpagtext%5D=1&rs%5Bpagsort%5D=date&rs%5Bpagsort2%5D=ASC&rs%5Bfrmsub%5D%5B%5D=all&rs%5Bfrmtitle%5D=1&rs%5Bfrmtext%5D=1&rs%5Bfrmsort%5D=updated'INJECTED_PARAM'INJECTED_PARAM&rs%5Bfrmsort2%5D=ASC HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://localhost/cotonti/index.php?e=search&sq=%27%27%27%27%27&rs[setlimit]=0&rs[day]=18&rs[month]=9&rs[year]=2010%271%27&rs[day]=18&rs[month]=9&rs[year]=2011&rs[setuser]=&rs[pagsub][]=all&rs[pagtitle]=1&rs[pagdesc]=1&rs[pagtext]=1&rs[pagsort]=date&rs[pagsort2]=ASC&rs[frmsub][]=all&rs[frmtitle]=1&rs[frmtext]=1&rs[frmsort]=updated&rs[frmsort2]=ASC
Cookie: PHPSESSID=bnq658i0omp7t3u654i85llj51
Content-length: 0

Result:

2011-09-18 19:03 Fatal error: SQL error 42S22: Column not found: 1054 Unknown column 'ft_updatedINJECTED_PARAMINJECTED_PARAM' in 'order clause'
#0 cot_diefatal(SQL error 42S22: Column not found: 1054 Unknown column 'ft_updatedINJECTED_PARAMINJECTED_PARAM' in 'order clause') called at [D:\xampp2\htdocs\cotonti\system\database.php:436]
#1 CotDB->query(SELECT SQL_CALC_FOUND_ROWS p.*, t.* FROM cot_forum_posts AS p, cot_forum_topics AS t WHERE t.ft_cat IN ('pub','general','offtopic') AND (t.ft_title LIKE '%\\\\\\\'\\\\\\\'\\\\\\\'\\\\\\\'\\\\\\\'%' OR p.fp_text LIKE '%\\\\\\\'\\\\\\\'\\\\\\\'\\\\\\\'\\\\\\\'%') AND p.fp_topicid = t.ft_id GROUP BY t.ft_id ORDER BY ft_updatedINJECTED_PARAMINJECTED_PARAM ASC LIMIT 0, 50) called at [D:\xampp2\htdocs\cotonti\plugins\search\search.php:367]
#2 include(D:\xampp2\htdocs\cotonti\plugins\search\search.php) called at [D:\xampp2\htdocs\cotonti\system\plugin.php:94]
#3 require_once(D:\xampp2\htdocs\cotonti\system\plugin.php) called at [D:\xampp2\htdocs\cotonti\index.php:92]

On version 9.4
esclkm

But where was the injection??? This field has an ALP filter, which filters only [A-Za-z0-9_]. Try to inject.

littledev.ru - my little fledgling blog about Cotonti.
Reducing the cost of programming and reducing the cost of production are different things. The former is closer to handing workers cheap tools than to cutting wages.
badc0re

#30749 esclkm:

Added 2 minutes later: Well, the search is vulnerable. Try it by yourself. Maybe it's not exploitable, but it could lead to information extraction.

This post was edited by badc0re (2011-09-18 21:46, 13 years ago)
Trustmaster

It is more path disclosure than SQL injection, but thank you for the report! May the Source be with you!
badc0re

Take a look at:

#0 cot_diefatal(SQL error 42S22: Column not found: 1054 Unknown column 'ft_updatedINJECTED_PARAMINJECTED_PARAM' in 'order clause')

and

GROUP BY t.ft_id ORDER BY ft_updatedINJECTED_PARAMINJECTED_PARAM ASC

It looks like SQL injection to me.
Trustmaster

It's little harm anyway, and it'll be fixed in 0.9.5. Thank you once again for the report! May the Source be with you!
badc0re

No problem, man.
GHengeveld

Actually, this isn't really a problem. Production sites should have error reporting disabled, so it won't show the SQL error or backtrace. Nevertheless, it's good to report these things.
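An added example (not Cotonti's code) showing why a [A-Za-z0-9_] character filter like the one esclkm mentions turns the rs[frmsort] payload from the report into a MySQL "Unknown column" error rather than injected SQL, and how an allowlist keeps the request value out of the ORDER BY clause entirely. The column names come from the query in the backtrace; the filter function, the allowlist map and the fallback behaviour are assumptions.

```php
<?php
// Added example, not Cotonti code. Contrasts the character filter esclkm
// describes with an allowlist for the forum sort key used in ORDER BY.
declare(strict_types=1);

// Assumption: an "ALP"-style filter that keeps only [A-Za-z0-9_].
function alp_filter(string $value): string
{
    return preg_replace('/[^A-Za-z0-9_]/', '', $value);
}

// Hypothetical allowlist: request keys map to column names taken from the
// query in the report (ft_updated, ft_title, ft_id). The request value is
// only ever used as an array key, never spliced into SQL text.
const FORUM_SORT_COLUMNS = [
    'updated' => 'ft_updated',
    'title'   => 'ft_title',
    'id'      => 'ft_id',
];

function forum_order_clause(string $sortKey, string $dir): string
{
    // Unknown keys fall back to the default instead of reaching the database.
    $column = FORUM_SORT_COLUMNS[$sortKey] ?? FORUM_SORT_COLUMNS['updated'];
    $direction = (strtoupper($dir) === 'DESC') ? 'DESC' : 'ASC';
    return "ORDER BY {$column} {$direction}";
}

// Constructed input: the rs[frmsort] value from the reported request.
$payload = "updated'INJECTED_PARAM'INJECTED_PARAM";

// Filter only: the quotes are stripped, so no SQL syntax survives, but the
// leftover text is still glued onto the column prefix and MySQL rejects it
// as an unknown column; with display_errors on, that error page leaks the
// full query and the file paths seen in the backtrace.
echo "filter only : ORDER BY ft_" . alp_filter($payload) . " ASC\n";

// Allowlist: the attacker-controlled string never influences the identifier,
// and a bogus key produces a normal page instead of a database error.
echo "allowlist   : " . forum_order_clause($payload, 'ASC') . "\n";
echo "allowlist   : " . forum_order_clause('title', 'desc') . "\n";

// Independent of the query fix, production hosts should not echo errors to
// clients (the point GHengeveld makes); log them server-side instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
```

The first echo shows the "ft_updatedINJECTED_PARAMINJECTED_PARAM" identifier the error message complains about; the allowlist version emits only ft_updated or ft_title.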