Archive for the ‘SQL Injection’ Category


Advanced Shoutbox and MySql Shoutbox scripts

July 11, 2009

Today I found an XSS hole in the "Advanced Shoutbox" script, and the same XSS hole plus an SQL injection vulnerability in the "MySql shoutbox"; both scripts are available here: http://plohni.com/wb/content/php/Free_scripts.php

Advanced Shoutbox

index.php Line 37:
<form action="<?php echo $_SERVER["PHP_SELF"]; ?>" method="post">

index.php Lines 79-82:
if($display == "all"){
?><a href="<?php echo $_SERVER["PHP_SELF"]; ?>">View small shoutbox</a><?php
}else{
?><a href="<?php echo $_SERVER["PHP_SELF"]; ?>?show=all">View all shouts</a><?php
}

Very easy to exploit: $_SERVER["PHP_SELF"] contains the request path, including anything appended after index.php, and it is echoed into the action and href attributes unescaped. The following URL closes the attribute and injects a script tag:
http://host/PATH_TO_SHOUTBOX/index.php/%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E%3Cspan

Affected Version: 1.0

MySql shoutbox

The XSS hole is the same as above, but on lines 50, 55 and 97-99.

SQL Injection:
index.php does not sanitize the user's input on lines 105 and 106 before concatenating it into the INSERT statement:

$input_name = $_POST["input_name"];
$input_text = $_POST["input_text"];
...
if($row["name"] != $input_name && $row["comment"] != $input_text){
mysql_query("INSERT INTO $db_table (name,comment) VALUES ('$input_name','$input_text');") or die(mysql_error()); //insert name and shout
}

Just send a POST request to index.php. In the name field enter whatever you want and in the text field enter '+@@version+' (including the single quotes). The quotes terminate the string literal in the VALUES clause, so the server evaluates @@version instead of storing the text verbatim.
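As an added example (not the shoutbox author's code), here is how the two patterns above look when hardened: PHP_SELF escaped for the attribute context, and the INSERT done with a prepared statement so the name and text travel to the server as bound parameters rather than as SQL text. $db_table, $link (an open mysqli connection) and the two POST field names are assumptions carried over from the snippets; PHP 7 or later is assumed.

```php
<?php
// Added example, not the shoutbox author's code. Assumed names: $db_table (from
// the config file), $link (an open mysqli connection), and the POST fields
// input_name / input_text used by the original index.php.

declare(strict_types=1);

// XSS fix: $_SERVER["PHP_SELF"] reflects the request path, so a request to
// index.php/"><script>... would otherwise land inside the attribute unescaped.
// Escaping for the attribute context turns the payload into inert text.
function self_url(): string
{
    return htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
}

// SQLi fix: the SQL text is fixed, the values are bound separately, so a
// single quote in the shout is just a character in the stored comment.
function insert_shout(mysqli $link, string $db_table, string $name, string $text): bool
{
    // Identifiers cannot be bound as parameters; $db_table comes from the
    // configuration, not the request, but whitelist it anyway.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $db_table)) {
        throw new InvalidArgumentException('bad table name');
    }
    $stmt = $link->prepare("INSERT INTO `$db_table` (name, comment) VALUES (?, ?)");
    if ($stmt === false) {
        throw new RuntimeException($link->error);
    }
    $stmt->bind_param('ss', $name, $text);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Stored shouts are escaped again when rendered, whatever path they took in.
function render_shout(string $name, string $comment): string
{
    return '<b>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</b>: '
         . htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $input_name = $_POST['input_name'] ?? '';
    $input_text = $_POST['input_text'] ?? '';
    if ($input_name !== '' && $input_text !== '') {
        insert_shout($link, $db_table, $input_name, $input_text);
    }
}
?>
<form action="<?php echo self_url(); ?>" method="post">
```

With this in place, the '+@@version+' payload from above is stored as the literal string and the URL payload is echoed as &quot;&gt;&lt;script&gt;... inside the attribute. Using a fixed relative action such as action="index.php" avoids the PHP_SELF reflection entirely.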

Affected Version: 1.0

The vendor was informed on 27.06.2009.

This post was published automatically two weeks after the vendor was informed.


SQLi: Netbeans Sample Project “AirAlliance”

July 8, 2009

Today I got a notice that NetBeans 6.8 will have support for the Symfony PHP framework. Because I really like working with that framework and I have never worked with NetBeans (I use Eclipse instead), I thought I should give it a try. First I downloaded, installed and opened the development version. After that I opened the "AirAlliance" sample project (it's not a Symfony project).

But what I saw was not what I’d expected:

web/confirmreservation.php Lines 33-48:
if(isset($_REQUEST["IID"])){
$IID = $_REQUEST["IID"];
...
$itineraryData = getItinerary($IID);

web/itinerarymanager.php Lines 329-341:
function getItinerary($IID){
 $connection = initDB();
 $query;
 if($IID == 0){
  $query = "SELECT * FROM Itinerary";
 }
 else{
  $query = "SELECT * FROM Itinerary WHERE IID='".$IID."'";
 }
 
 
 $result = mysql_query($query);
...
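
As an added example (not code from the NetBeans sample), this is a hardened getItinerary() for the snippet above. It validates IID as an unsigned integer before the branch and binds it as an integer parameter in the WHERE clause. The validation matters beyond the injection: the original's loose comparison `$IID == 0` is true for any non-numeric string on PHP 5 and 7, so such input silently selects every itinerary, while a numeric-leading string passes the check and reaches the concatenated query. initDB() is assumed to return an open mysqli connection (the sample's initDB() uses the old mysql_* extension), and PHP 7.1 or later with mysqlnd is assumed for the nullable return type and get_result().

```php
<?php
// Added example, not code from the AirAlliance sample project. Assumes
// initDB() returns an open mysqli connection and PHP 7.1+ with mysqlnd.

declare(strict_types=1);

/**
 * Accept only an unsigned decimal integer; anything else is rejected.
 * Avoids the original's `$IID == 0`, which on PHP 5/7 is true for "abc",
 * "'", or any other non-numeric string.
 */
function parseIID($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $s = (string) $raw;
    if (!preg_match('/^(0|[1-9][0-9]{0,9})$/', $s)) {
        return null;
    }
    return (int) $s;
}

function getItinerary(mysqli $connection, $rawIID): array
{
    $IID = parseIID($rawIID);
    if ($IID === null) {
        throw new InvalidArgumentException('IID must be a non-negative integer');
    }
    if ($IID === 0) {
        $stmt = $connection->prepare('SELECT * FROM Itinerary');
    } else {
        // The value reaches the server as a bound integer, not as SQL text.
        $stmt = $connection->prepare('SELECT * FROM Itinerary WHERE IID = ?');
        if ($stmt !== false) {
            $stmt->bind_param('i', $IID);
        }
    }
    if ($stmt === false) {
        throw new RuntimeException($connection->error);
    }
    if (!$stmt->execute()) {
        throw new RuntimeException($stmt->error);
    }
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Caller side (web/confirmreservation.php in the sample): read IID from $_GET
// or $_POST rather than $_REQUEST, so a cookie cannot supply it.
if (isset($_GET['IID'])) {
    $itineraryData = getItinerary(initDB(), $_GET['IID']);
}
```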

OK, it's just a sample project.
But how do you learn the good things from the bad ones if you don't know that they are bad?

I'm not sure whether this says something about the IDE itself, but I think I will continue my work with Eclipse…


SQL Injection: barrysclipart.com

June 21, 2009

Uhhh, that's nice…


http://www.barrysclipart.com/barrysclipart.com/showgallery.php?cat=172'&thumb=1

I've tried to send an email to 'satellites@jupiterimages.com', which is linked to the contact button, but all I got back was this:

Final-Recipient: rfc822;satellites@jupiterimages.com
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp;550 5.7.1 RESOLVER.RST.AuthRequired; authentication required

A whois on this domain shows me the email address stacy.blume@gettyimages.com, so I have sent a quick notice to her. Let's see whether I get an answer…