[VIM] BtitTracker SQL injection vuln. (and PHP mysql_query)
Heinbockel, Bill
heinbockel at mitre.org
Tue Jun 20 18:29:01 EDT 2006
Looking over the SQL injection report by r0t:
http://pridels.blogspot.com/2006/06/btittracker-sql-injection-vuln.html
The reference to the "by" and "order" parameters caught my eye, and
sure enough, the parameters are used after the "ORDER BY" clause in
an SQL statement.
From line 175 in torrents.php:
> $query = "SELECT summary.info_hash as hash, ... FROM summary LEFT JOIN
> namemap ON summary.info_hash = namemap.info_hash LEFT JOIN categories
> ON categories.id = namemap.category $where ORDER BY $order $by $limit";
(a similar statement is on line 173)
Therefore the only way to perform an SQL injection would be via multiple
SQL statements separated by a semicolon. According to the PHP mysql_query
documentation, semicolons are not accepted and the function is implemented
in such a way that it can only perform one SQL statement per call.
http://www.php.net/manual/en/function.mysql-query.php
Though according to this blog, multiple statements will be executed, though
only a boolean value will be returned.
http://www.ashleyit.com/blogs/brentashley/archives/000342.html
And looking here:
http://www.php-editors.com/mysql_manual/p_manual_Clients.html
PHP mysql clients can only send multi-row queries if the CLIENT_MULTI_QUERIES
flag is set.
http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0065.html
Stefan Esser points out that ORDER BY vectors can be exploited on some
products, depending on the data set. However, this does not seem to be the
case here.
Does anybody have any knowledge or can verify the exact behavior of
mysql_query?
If it is the case that multiple queries are NOT allowed, then this is most
likely NOT a vulnerability. The typical quote (') insertion test will cause a
forced SQL error, but no exploit would be possible...
Otherwise, specifying "order=hash; [SQL] --" should work.
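Whatever mysql_query turns out to do with stacked statements, the durable fix for the torrents.php construction quoted above is the same: the sort column, sort direction and limit are positions where SQL cannot be parameterized, so the request values must never reach the query string directly. The following is an added example, written for this post and not code from BtitTracker or from the original message; the column names in the allow-list, the parameter names and the PHP 7+ syntax are assumptions for illustration.

```php
<?php
// Added example (not BtitTracker code): hardening the ORDER BY / LIMIT
// construction from torrents.php by mapping request values onto allow-lists.
// Column names and defaults below are assumed for illustration.

// Allowed sort keys => the column expression each one stands for (assumed).
const SORT_COLUMNS = [
    'hash'  => 'summary.info_hash',
    'name'  => 'namemap.name',
    'added' => 'summary.added',
];
const SORT_DIRECTIONS = ['ASC', 'DESC'];

/**
 * Build an "ORDER BY ..." fragment from allow-listed tokens only.
 * Unknown keys or directions fall back to defaults instead of reaching SQL,
 * so the request value itself is never interpolated.
 */
function build_order_clause(?string $order, ?string $by): string
{
    $column = SORT_COLUMNS[$order] ?? SORT_COLUMNS['added'];
    $dir = strtoupper((string) $by);
    if (!in_array($dir, SORT_DIRECTIONS, true)) {
        $dir = 'DESC';
    }
    return "ORDER BY $column $dir";
}

/**
 * Integer-only LIMIT: cast, then clamp, so the values carry no SQL text.
 */
function build_limit_clause($offset, $count, int $maxCount = 100): string
{
    $offset = max(0, (int) $offset);
    $count  = min($maxCount, max(1, (int) $count));
    return "LIMIT $offset, $count";
}

// Vulnerable shape from the report: request parameters land directly in SQL.
//   $query = "SELECT ... $where ORDER BY $order $by $limit";

// Hardened: same query, with the unparameterizable parts generated from
// allow-listed values. Constructed sample input stands in for $_GET here.
$params = ['order' => 'hash', 'by' => 'asc', 'offset' => '0', 'count' => '25'];

$orderClause = build_order_clause($params['order'] ?? null, $params['by'] ?? null);
$limitClause = build_limit_clause($params['offset'] ?? 0, $params['count'] ?? 25);

$query = "SELECT summary.info_hash AS hash, namemap.name "
       . "FROM summary LEFT JOIN namemap ON summary.info_hash = namemap.info_hash "
       . "LEFT JOIN categories ON categories.id = namemap.category "
       . "$orderClause $limitClause";

echo $query, PHP_EOL;
// order=hash&by=asc          -> "ORDER BY summary.info_hash ASC LIMIT 0, 25"
// order=<anything unlisted>  -> "ORDER BY summary.added DESC LIMIT 0, 25"
```

The key point is that neither function ever returns a string derived from the request: the request value only selects an entry from a fixed table or is coerced to an integer. That closes the ORDER BY position regardless of whether the client library happens to accept stacked statements, and it also removes the forced-SQL-error behaviour the quote test relies on, since an unlisted value simply yields the default ordering.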
William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615