WackoPicko/Stored-SQL-Injection

Stored SQL Injection

Description

When users create an account, they are asked to supply their first name. This value is stored and later interpolated, unsanitized, into the SQL query of a page that lists other users who have a similar first name. An attacker can exploit this by registering a user whose first name is "';DROP TABLE users;#" and then visiting the similar-users page: the leading quote closes the string literal in the LIKE clause, the semicolon starts a second statement, and "#" comments out the remainder of the original query.

Proof of Concept

[Screenshot: Wackopicko-drop-users.png]

[Screenshot: Wackopicko-drop-users-2.png]

Note

The stacked DROP TABLE will not actually execute on a stock WackoPicko install, but the reason is not the MySQL server version: similar_login() sends the query through mysql_query() from PHP's old mysql extension, which submits a single statement per call and never enables the client's multi-statement mode, so the server rejects the whole string with a syntax error (which the vulnerable branch then prints via die(mysql_error())). The injection itself is real: any payload that fits inside one statement still works, and the same code behind an API that accepts stacked queries (for example mysqli_multi_query()) would drop the table.

How to detect?

How to protect against it?

Code

As we can see in the similar_login() function of the include/users.php script, the first query (tagged with the comment VULNERABLE REQUEST) interpolates $login straight into the SQL string, whereas the second one escapes it with mysql_real_escape_string():

  function similar_login($login, $vuln = False)
  {
     if ($vuln)
     {
        /*** VULNERABLE REQUEST ***/
        // $login (the stored first name) is interpolated straight into the SQL
        $query = "SELECT * from `users` where `firstname` like '%{$login}%' and firstname != '{$login}'";
     }
     else
     {
        /*** SANITIZED REQUEST ***/
        // quotes and other metacharacters in $login are escaped before use
        $query = sprintf("SELECT * from `users` where `firstname` like '%%%s%%' and firstname != '%s'",
                         mysql_real_escape_string($login),
                         mysql_real_escape_string($login));
     }
     $res = mysql_query($query);
     if ($res)
     {
        $to_ret = array();
        while ($row = mysql_fetch_assoc($res))
        {
           $to_ret[] = $row;
        }
        return $to_ret;
     }
     else
     {
        if ($vuln)
        {
           // the vulnerable branch leaks the database error to the page
           die(mysql_error());
        }
        return False;
     }
  }
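The following is an added example, not code from WackoPicko or from this page: it rebuilds the similar_login() query against an in-memory SQLite database so that the injection described above, the single-statement restriction discussed in the note, and a parameterised fix can all be run offline. The table and column names and the payload shape come from the page; the user rows, the helper names (fresh_db, vulnerable_sql, similar_login_vuln, similar_login_safe, demo) and the quote-probe string are assumptions made for the demo. Because SQLite has no "#" line comment, the stacked payload uses the SQLite equivalent "-- " where the page's payload uses "#".

```python
"""Added example (not WackoPicko code): similar_login() rebuilt on SQLite."""
import sqlite3

# Page payload is "';DROP TABLE users;#"; SQLite only knows "-- " and /* */ comments.
STACKED_PAYLOAD = "';DROP TABLE users;-- "
# Assumed probe string: a lone quote breaks the SQL and triggers die(mysql_error()).
PROBE_PAYLOAD = "O'Brien"


def fresh_db():
    """In-memory `users` table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, firstname TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("al", "Al"), ("alice", "Alice"), ("alicia", "Alicia"), ("bob", "Bob")],
    )
    conn.commit()
    return conn


def vulnerable_sql(login):
    """The VULNERABLE REQUEST: the stored first name is pasted into the SQL text."""
    return ("SELECT * FROM users WHERE firstname LIKE '%{0}%' "
            "AND firstname != '{0}'").format(login)


def users_table_exists(conn):
    return conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone() is not None


def similar_login_vuln(conn, login, multi_statement=False):
    """Run the vulnerable query and report what the caller would see.

    multi_statement=False behaves like PHP's mysql_query(): one statement per
    call, so the injected DROP is rejected together with the rest of the string.
    multi_statement=True behaves like an API that accepts stacked queries
    (executescript() here, mysqli_multi_query() in PHP).
    Returns ("rows", [...]) or ("error", message).
    """
    sql = vulnerable_sql(login)
    try:
        if multi_statement:
            conn.executescript(sql)      # runs every statement, discards rows
            return ("rows", [])
        return ("rows", conn.execute(sql).fetchall())
    except (sqlite3.Warning, sqlite3.ProgrammingError,
            sqlite3.OperationalError) as exc:
        return ("error", str(exc))     # what die(mysql_error()) would print


def similar_login_safe(conn, login):
    """Fix: bind the name as a parameter so it is treated as data, never as SQL."""
    return conn.execute(
        "SELECT * FROM users WHERE firstname LIKE '%' || ? || '%' "
        "AND firstname != ?",
        (login, login),
    ).fetchall()


def demo():
    """Four scenarios a tester would try; returns what each one shows."""
    out = {}
    conn = fresh_db()
    # 1. Quote probe: the query breaks and the error text leaks to the page.
    out["probe"] = similar_login_vuln(conn, PROBE_PAYLOAD)[0]
    # 2. Stacked payload, single-statement API: error, table survives.
    status, _ = similar_login_vuln(conn, STACKED_PAYLOAD)
    out["single_stmt"] = (status, users_table_exists(conn))
    # 3. Same payload, multi-statement API: the DROP TABLE executes.
    similar_login_vuln(conn, STACKED_PAYLOAD, multi_statement=True)
    out["multi_stmt_table_exists"] = users_table_exists(conn)
    # 4. Parameterised query: the payload is just an odd first name.
    conn = fresh_db()
    out["safe_payload"] = (len(similar_login_safe(conn, STACKED_PAYLOAD)),
                           users_table_exists(conn))
    out["safe_normal"] = sorted(r[1] for r in similar_login_safe(conn, "Al"))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The single-statement path is the situation on a stock WackoPicko install: the quote probe and the stacked payload both produce a database error, which the vulnerable branch prints, so the bug is detectable even though the table survives. The multi-statement path shows what the same query does behind a driver that accepts stacked queries. The parameterised version returns the expected neighbours for a normal name and nothing for the payload, with the table intact.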
