SEC-CONSULT SA20050602-2 :: Exhibit Engine Blind SQL Injection

Date: Thu, 02 Jun 2005 09:47:45 +0200
From: "Bernhard Müller" <bmu@sec-consult.com.>
To: [email protected]
Subject: SEC-CONSULT SA20050602-2 :: Exhibit Engine Blind SQL Injection
SEC-CONSULT Security Advisory 20050602-2

title: Exhibit Engine Blind SQL Injection
program: Exhibit Engine
vulnerable version: 1.22, 1.54 RC4
homepage: http://photography-on-the.net/ee/
          http://photography-on-the.net/ee/beta/
found: 2005-06-01
by: sk0L / SEC-CONSULT / www.sec-consult.com

vendor description:
---------------

the Exhibit engine is a PHP/MySQL application for smooth and versatile
online photograph display. it's especially designed to give detailed
technical info on each photo, with text descriptions and gear info, but
all that technical data is not required.

vulnerability overview:
---------------

SQL injection is possible on various POST parameters in the script
list.php. although there is no way to get any output from UNION
statements, there is at least one possibility to read arbitrary database
entries via blind SQL injection.

proof of concept:
---------------

here's the relevant code section from list.php:

---- code -----
$resultcount = mysql_query(
"
SELECT ee_photo.ee_photo_id
FROM [...]
WHERE ee_photo.ee_photo_for_www = 'yes'
AND $search_row LIKE '$wildcard1$keyword$wildcard2'
AND ...
"
);
if (!$resultcount) {
  $queryname = "resultcount";
  include("db_error.php");
}
$total = mysql_num_rows($resultcount);

$how_many = count($count_total);
if ($offset>$how_many) {$offset = $how_many; }

$fetchlist = mysql_query(
"
SELECT $q0,$q1,...,$q43
FROM ee_photo, [...] ee_order_to_exhibition
WHERE ee_photo.ee_photo_for_www = 'yes'
[...]
AND ee_exhibition.ee_exhibition_pass = '$pass'
ORDER by $sort_row $order
LIMIT $offset,$perpage
"
);
---- /code ----

we can inject SQL into the variables $search_row, $sort_row, $order and
$perpage without the need to escape any quotes. unfortunately, UNIONs can
be put into $search_row only, and as $search_row is used in both queries
with a different number of columns, this will inevitably produce an error.

we can use blind sql injection, though:

* set $offset=1
* put injection string into $search_row, e.g.:
  search_row=ee_photo.ee_photo_exif_iso%3D1+AND+1%3D2+UNION+SELECT+user+FROM+mysql.user+WHERE+user+LIKE+0x254125+/*+
* if we get 1 (TRUE), offset will be set to 1, FALSE will set it to 0.
* now we still have to produce an error in the second query by specifying
  some insane $order or $sort_row.

the last part of the SQL error message will be echoed by Exhibit, so we
get the value of $offset. it should be relatively easy to code an exploit
for this (sorry but i don't have the time atm).

vulnerable versions:
---------------

Exhibit Engine v1.22 is definitely vulnerable. 1.54 RC4 seems to be
vulnerable too, although exploitation may differ slightly. it is very
likely that the vulnerability exists in most other versions of Exhibit
Engine.

vendor status:
---------------

vendor notified: 2005-06-01
vendor response: immediately
workaround found: 2005-06-02

Pekka Saarinen has published a workaround for all current versions of
Exhibit Engine. It is available at:
http://photography-on-the.net/forum/showthread.php?p=579692

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Bernhard Mueller / www.sec-consult.com / SGT
::: dfa, tke, bfi, mei, flo, walter|bruder :::
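The root cause in the excerpt above is that column names, the sort direction and the LIMIT operands come straight from POST data into the SQL text, and that db_error.php echoes the database error, which is what turns a failed query into a one-bit oracle. The following hardened rewrite of the two list.php queries is an added example, not Exhibit Engine's own code and not part of the advisory: it matches the identifier-valued parameters against a fixed allowlist (identifiers cannot be bound as placeholders), casts and clamps the numeric ones, binds the keyword pattern and suppresses error output. Table and column names are taken from the advisory's excerpt; the allowlist contents, the mysqli connection details and the size limits are assumptions, and the joined tables the advisory elides as `[...]` are left out so the example stays confined to the five parameters it names.

```php
<?php
// Added example (not Exhibit Engine code): hardened form of the list.php
// queries quoted in the advisory. Connection details and limits are assumed.

// Report DB failures as exceptions; they are logged below, never echoed,
// so a broken query no longer leaks $offset or anything else to the client.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Identifier allowlists. Column names here are the ones visible in the
// advisory; a real deployment lists every column the UI may search or sort by.
$allowed_columns = [
    'ee_photo.ee_photo_id',
    'ee_photo.ee_photo_exif_iso',
];
$allowed_order = ['ASC', 'DESC'];

// Exact, type-strict match against the allowlist; anything else (including
// "col=1 AND 1=2 UNION ...") falls back to the default and never reaches SQL.
function pick_allowed(string $value, array $allowed, string $default): string
{
    return in_array($value, $allowed, true) ? $value : $default;
}

// LIMIT operands are integers: cast and clamp instead of interpolating text.
function limit_int($value, int $default, int $max): int
{
    if (!is_numeric($value)) {
        return $default;
    }
    return max(0, min((int) $value, $max));
}

$search_row = pick_allowed($_POST['search_row'] ?? '', $allowed_columns, 'ee_photo.ee_photo_id');
$sort_row   = pick_allowed($_POST['sort_row']   ?? '', $allowed_columns, 'ee_photo.ee_photo_id');
$order      = pick_allowed(strtoupper($_POST['order'] ?? ''), $allowed_order, 'ASC');
$offset     = limit_int($_POST['offset']  ?? 0,  0,  100000); // assumed upper bound
$perpage    = limit_int($_POST['perpage'] ?? 20, 20, 200);    // assumed upper bound

// The wildcards become part of the bound value, not of the SQL text. Literal
// %, _ and \ in the keyword are escaped so they match as text, not as
// LIKE metacharacters (MySQL's default LIKE escape character is backslash).
$keyword = (string) ($_POST['keyword'] ?? '');
$pattern = '%' . addcslashes($keyword, '%_\\') . '%';

try {
    $mysqli = new mysqli('localhost', 'ee_user', 'ee_password', 'ee_db'); // assumed

    // Count query: the column name is allowlisted, the pattern is a placeholder.
    $stmt = $mysqli->prepare(
        "SELECT ee_photo.ee_photo_id FROM ee_photo
         WHERE ee_photo.ee_photo_for_www = 'yes' AND $search_row LIKE ?"
    );
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $stmt->store_result();
    $total = $stmt->num_rows;
    $stmt->close();

    // Same clamp as the original, but on a value the client cannot steer
    // through an injected boolean condition.
    if ($offset > $total) {
        $offset = $total;
    }

    // Listing query: ORDER BY and LIMIT are built only from validated values.
    // MySQL accepts integer placeholders in LIMIT for server-side prepared
    // statements, which mysqli uses by default.
    $stmt = $mysqli->prepare(
        "SELECT ee_photo.ee_photo_id FROM ee_photo
         WHERE ee_photo.ee_photo_for_www = 'yes' AND $search_row LIKE ?
         ORDER BY $sort_row $order LIMIT ?, ?"
    );
    $stmt->bind_param('sii', $pattern, $offset, $perpage);
    $stmt->execute();
    $photos = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
} catch (mysqli_sql_exception $e) {
    // Log server-side with detail; show the client nothing query-specific.
    error_log('list.php query failed: ' . $e->getMessage());
    http_response_code(500);
    exit('A database error occurred.');
}

echo 'matches: ' . $total . ', returned: ' . count($photos) . "\n";
```

The two mechanisms the advisory chains (an injected condition that steers `$offset`, and an error message that echoes it back) are closed independently: allowlisting removes the ability to put SQL into identifier positions at all, and routing errors to the log removes the oracle even for a query that still fails for some other reason. Prepared statements alone would not have fixed this bug, because the injectable values are column names and keywords, not string literals.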
