Lucene search
+L

ExhibitSQL.txt

🗓️ 18 Jun 2005 00:00:00Reported by sk0LType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 36 Views

Exhibit Engine Blind SQL Injection in versions 1.22 and 1.54 RC4 allowing unauthorized database acces

Code
`SEC-CONSULT Security Advisory 20050602-2  
=============================================================================  
title: Exhibit Engine Blind SQL Injection  
program: Exhibit Engine  
vulnerable version: 1.22, 1.54 RC4  
homepage: http://photography-on-the.net/ee/  
http://photography-on-the.net/ee/beta/  
found: 2005-06-01  
by: sk0L / SEC-CONSULT / www.sec-consult.com  
=============================================================================  
  
vendor description:  
---------------  
the Exhibit engine is a PHP/MySQL application for smooth and versatile  
online photograph  
display. it's especially designed to give detailed technical info on  
each photo, with text  
descriptions and gear info, but all that technical data is not required.  
  
  
vulnerabilty overview:  
---------------  
SQL injection is possible on various POST parameters in the script  
list.php. although  
there is no way to get any output from UNION statements, there is at  
least one possibility  
to read arbitrary database entries via blind SQL injection.  
  
  
proof of concept:  
---------------  
  
here's the relevant code section from list.php:  
  
---- code -----  
  
$resultcount = mysql_query(   
"  
SELECT   
ee_photo.ee_photo_id  
FROM   
[...]  
WHERE   
ee_photo.ee_photo_for_www = 'yes'   
AND $search_row LIKE '$wildcard1$keyword$wildcard2'  
AND ...  
"  
);  
  
if (!$resultcount) {   
$queryname = "resultcount";  
include("db_error.php");  
}  
  
  
$total = mysql_num_rows($resultcount);  
$how_many = count($count_total);  
if ($offset>$how_many)  
{$offset = $how_many;  
}  
  
$fetchlist = mysql_query(   
"  
SELECT   
$q0,$q1,...,$q43  
FROM   
ee_photo,  
[...]  
ee_order_to_exhibition  
WHERE   
ee_photo.ee_photo_for_www = 'yes'   
[...]  
AND ee_exhibition.ee_exhibition_pass = '$pass'  
ORDER   
by $sort_row $order  
LIMIT   
$offset,$perpage  
"  
);   
  
---- /code ----  
  
we can inject SQL into the variables $search_row, $sort_row, $order and  
$perpage without the need to escape any quotes. unfortunately, UNIONs can  
be put into $rearch_row only, and as $search_row is used in both queries  
with a different number of columns, this will inevitably produce an error.  
we can use blind sql injection, though:  
  
* set $offset=1  
* put injection string into $search_row, e.g.:  
  
search_row=ee_photo.ee_photo_exif_iso%3D1+AND+1%3D2+UNION+SELECT+user+FROM+mysql.user+WHERE+user+LIKE+0x254125+/*+  
* if we get 1 (TRUE), offset will be set to 1, FALSE will set it to 0.  
* now we still have to produce an error in the second query by  
specifying some insane $order or $sort_row. the last part of the  
SQL error message will be echoed by Exhibit, so we get the value of  
$offset.  
  
it should be relatively easy to code an exploit for this (sorry but i  
don't have  
the time atm).  
  
  
vulnerable versions:  
---------------  
  
Exhibit Engine v1.22 is definitely vulnerable. 1.54 RC4 seems to be  
vulnerable  
too, although exploitation may differ slightly.  
it is very likely that the vulnerability exists in most other versions of  
Exhibit Engine.  
  
  
vendor status:  
---------------  
vendor notified: 2005-06-01  
vendor response: immediately  
workaround found: 2005-06-02  
  
Pekka Saarinen has published a workaround for all current versions of  
Exhibit Engine. It is available at:  
  
http://photography-on-the.net/forum/showthread.php?p=579692  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Bernhard Mueller / www.sec-consult.com /  
SGT ::: dfa, tke, bfi, mei, flo, walter|bruder :::  
  
~ ___ ___  
~ | |=|_.' .'| .'| .'|=|`. .'|  
~ `. | .' | .' .' .' | | `. .' |  
==== `.|=|`. | |=|.: | | | | | | ======  
~ ___ | `.| | |'. `. | | .' | | ___  
~ `._|=|___||___| |_| `.|=|.' |___|=|_.  
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

18 Jun 2005 00:00Current
7.4High risk
Vulners AI Score7.4
36