Multiple SQLi vulnerabilities #13

Open
GoogleCodeExporter opened this issue Aug 1, 2015 · 3 comments
Open


Comments

@GoogleCodeExporter

What steps will reproduce the problem?
1. Pick either scanner or crawler resource, and attempt to scan some URL with an added apostrophe character, say http://test123.com/'
2. webvulscan tool will report a problem - Problem inserting a new test into the database. Please try again.
3. check webvulscan logs in /webvulscanner_install_dir/scanner/logs/ folder

14:39:27:1027 ,scanner, Problem executing query: INSERT into tests(id,status,numUrlsFound,type,num_requests_sent,start_timestamp,finish_timestamp,scan_finished,url,username,urls_found) VALUES(642,'Creating profile for new scan...',0,'scan',0,1350481167,1350481167,0,'http://testapp123.com/'','','')

Please note the 'http://testapp123.com/'' bit in the INSERT statement captured in the log; the extra apostrophe breaks the SQL statement syntax, thus allowing successful SQL Injection attacks.

4. for more fun, attempt to scan/crawl the following URL:

http://testapp123.com/'+benchmark(90000000,sha1(1))+'

This will result in a serious jump in CPU consumption for mysql, since the mysql benchmark() function is successfully executed.

Submitting more requests like this, or using an increased number of iterations, would eventually lead to a crash of the mysql process, thus leading to a successful DoS attack.

Analysis:

for scanner, this issue is caused by unsafe inclusion of HTTP request parameters into the SQL query defined in scanner_form.php, as shown below:

$query = "INSERT into tests(id,status,numUrlsFound,type,num_requests_sent,start_timestamp,finish_timestamp,scan_finished,url,username,urls_found) VALUES($nextId,'Creating profile for new scan...',0,'scan',0,$now,$now,0,'$urlToScan','$username','')";
$result = $db->query($query);

What is the expected output? What do you see instead?
Product should not be vulnerable itself to SQLi attacks.

What version of the product are you using? On what operating system?
webvulscan_v0.12

Please provide any additional information below.


Original issue reported on code.google.com by marian.v...@gmail.com on 17 Oct 2012 at 1:59
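The fix a reviewer would ask for here is to stop building the INSERT by string interpolation and bind $urlToScan and $username as parameters, so an apostrophe in the URL is stored as data rather than parsed as SQL. The following is an added example, not webvulscan's own code: it rewrites the query quoted in the report as a mysqli prepared statement. It assumes $db is a mysqli connection (the project's $db wrapper is not shown on this page) and that the column list is exactly the one in the logged query; the insertNewTest function name and the filter_var pre-check are additions for illustration.

```php
<?php
// Added example (not webvulscan's own code): the INSERT from scanner_form.php
// rewritten as a mysqli prepared statement. User-controlled values are bound
// with bind_param(), so they can never change the statement's syntax.
// Assumptions: $db is a mysqli instance; the tests table has the 11 columns
// listed in the logged query from the report above.

function insertNewTest(mysqli $db, int $nextId, string $urlToScan, string $username): bool
{
    // Defence in depth (not a substitute for binding): reject input that is
    // not a well-formed URL before it reaches the database at all.
    if (filter_var($urlToScan, FILTER_VALIDATE_URL) === false) {
        error_log('Rejected scan request: not a valid URL');
        return false;
    }

    // Same constant values the original query hard-coded inline.
    $now             = time();
    $status          = 'Creating profile for new scan...';
    $numUrlsFound    = 0;
    $type            = 'scan';
    $numRequestsSent = 0;
    $scanFinished    = 0;
    $urlsFound       = '';

    // Every value, trusted or not, is a ? placeholder; no quoting in the SQL text.
    $sql = 'INSERT INTO tests(id, status, numUrlsFound, type, num_requests_sent, '
         . 'start_timestamp, finish_timestamp, scan_finished, url, username, urls_found) '
         . 'VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)';

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        // Log the driver error only; do not echo user input back into the log.
        error_log('Problem preparing query: ' . $db->error);
        return false;
    }

    // Type string has one character per placeholder, in column order:
    // i = integer, s = string. $now is bound twice (start and finish timestamp).
    $stmt->bind_param(
        'isisiiiisss',
        $nextId, $status, $numUrlsFound, $type, $numRequestsSent,
        $now, $now, $scanFinished, $urlToScan, $username, $urlsFound
    );

    $ok = $stmt->execute();
    if (!$ok) {
        error_log('Problem executing query: ' . $stmt->error);
    }
    $stmt->close();
    return $ok;
}

// Constructed usage: the report's proof-of-concept URL is now stored verbatim
// in the url column and the statement still parses. Connection details are
// placeholders for a local test database.
// $db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'webvulscan');
// $ok = insertNewTest($db, 642, "http://testapp123.com/'", 'alice');
```

With binding in place, the benchmark() payload from step 4 is inert: it is inserted as a literal string, never executed by MySQL. The filter_var check additionally stops the request earlier and gives a clearer error to the user than the generic "Problem inserting a new test" message. The same change is needed for the crawler path, which the report says is affected in the same way.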

@GoogleCodeExporter

Original comment by webvuls...@gmail.com on 22 Oct 2012 at 11:14

  • Added labels: Priority-Critical
  • Removed labels: Priority-Medium

@GoogleCodeExporter

Original comment by webvuls...@gmail.com on 22 Oct 2012 at 11:14

  • Added labels: Priority-High
  • Removed labels: Priority-Critical

@GoogleCodeExporter

Original comment by webvuls...@gmail.com on 22 Oct 2012 at 11:17

  • Changed state: Accepted
