Staredit Network -> Staff Lounge -> Exploits List
Posted by Pyro-Fire on 2007-01-01 at 12:55:34
[FIXED] = no longer exploitable
[OPEN] = still exploitable. Needs to be fixed.

A multi-line link means that POST data is used to access the exploit. Since IPB combines POST data + GET data, a combined link is provided below.

SQL Injection:

[FIXED]
Loading a shout from the shoutbox

www.staredit.net/index.php?act=Shoutbox&view=saved&load=sql_query

[FIXED]
Linking to an affiliate

www.staredit.net/index.php?act=affiliate&code=01&id=sql_query

[FIXED]
Viewing a single shout

www.staredit.net/index.php?act=Shoutbox&shout=sql_query

[OPEN]
Donating an item to another member

www.staredit.net/index.php?act=store&CODE=do_donateitem
username=Pyro-Fire&message=msg&submit=Send&items%5B%5D=sql_query

www.staredit.net/index.php?act=store&CODE=do_donateitem&username=Pyro-Fire&message=msg&submit=Send&items%5B%5D=sql_query

Posted by Mini Moose 2707 on 2007-01-01 at 13:25:39
Shoutbox should be fixed.

EDIT: Both fixed.
Posted by Syphon on 2007-01-01 at 14:27:51
How exactly can you tell if one is exploitable or not?
Posted by Mini Moose 2707 on 2007-01-01 at 14:29:41
http://en.wikipedia.org/wiki/SQL_injection

It happens when inputs in forms or URLs aren't handled properly. It can get the person using it to generate an SQL error. If they input the right code into there, they can use it to make SQL queries (DELETE, DROP, TRUNCATE, for instance).
Posted by DT_Battlekruser on 2007-01-01 at 15:54:53
Why on earth would anything be scripted so that is possible in the first place?
Posted by IsolatedPurity on 2007-01-01 at 18:12:20
Laziness or ignorance. It's quite easy to make a hole and not even know it... sometimes it can be quite complicated.

Easy example is having a drop down list like...
Select 1: Blue, Orange, Red.

And assume that because the user is limited to those three by html, the input wouldn't be anything other than that...

Sometimes it gets wild.
Posted by Tuxedo Templar on 2007-01-01 at 18:23:12
I'm not a PHP person but I'd assume that's what if statements are for.
Posted by Mini Moose 2707 on 2007-01-01 at 21:06:06
Most of the time it seems to be that certain characters used for syntax aren't parsed out or disabled, or numerical inputs that will accept text.
Posted by DT_Battlekruser on 2007-01-01 at 22:09:30
Is there a simple way to add code at the top of index.php that will parse whatever form elements are being fed to index.php and take out anything that would be SQL injection?
Posted by Syphon on 2007-01-02 at 00:23:21
I don't know exactly how it would look, but I'm thinking something like an IF/ELSE that checks the post to see if it contains the text SQL, as all of the exploits would have to. Something like...

if ($_POST[''] === 'SQL' || $_GET[''] === 'SQL')
    return $errorPage;
else
    return $goodPage;

*Syphon hasn't written any php in a long, long time.
Posted by DT_Battlekruser on 2007-01-02 at 00:32:47
I've never done PHP, but it seems that with any CGI-based webscript you should be able to run a parse of the elements passed to the script before you do anything at all to the database.
Posted by IsolatedPurity on 2007-01-02 at 03:31:09
DTBK, that's how it is... but that doesn't mean you still can't do injection. All the ' " < > / & % get parsed to their HTML entities before any script can touch the input. That, by far, doesn't stop the holes though.
Posted by DT_Battlekruser on 2007-01-02 at 03:44:43
Is there any way to make a catch statement for each form value being passed to index.php that can tell whether the form value can execute an injection and then abort to an error page (skip the rest of the script) if so, or is it not possible to write an algorithm that can detect malicious input?

In CGI Python, which is more my forte, you can run a check on the elements of the form values from the cgi method, and if it is possible to detect SQL injections with a written algorithm then you could abort the process by not tripping a flag that the rest of the file requires. I would assume the same syntax effectively works in PHP, but what I don't know is if you can tell between queries and useful input for any form field with a blanket algorithm.
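The following PHP script is an added example, not code from this thread or from IPB. It ties together the endpoints in Pyro-Fire's list (a numeric parameter such as shout= or load=), IsolatedPurity's point that entity-escaping happens before the script sees the input, Mini Moose's "numerical inputs that will accept text", and the blanket-filter question from Syphon and DT_Battlekruser. It runs against an in-memory SQLite table with constructed rows; the table name, columns, and function names are assumptions for the demo and are not IPB's real schema.

```php
<?php
// Added example: why entity-escaping and a keyword blacklist do not stop SQL
// injection on a numeric parameter, and what does (type check + prepared statement).
// Table "shouts" and its rows are constructed for the demo; not IPB's schema.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE shouts (id INTEGER PRIMARY KEY, member TEXT, body TEXT)');
$db->exec("INSERT INTO shouts VALUES (1, 'alice', 'first'), (2, 'bob', 'second'), (3, 'carol', 'third')");

// The pattern the thread describes: the value is escaped to HTML entities
// (as the board's pre-filter does) and then dropped straight into the query text.
function loadShoutInterpolated(PDO $db, string $shout): array {
    $escaped = htmlspecialchars($shout, ENT_QUOTES);
    $sql = "SELECT id, member, body FROM shouts WHERE id = $escaped";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The blanket-filter idea from the thread: refuse any value containing "SQL".
// It has no way to tell a query fragment from ordinary input.
function keywordFilterPasses(string $value): bool {
    return stripos($value, 'sql') === false;
}

// The fix: validate the type the field is supposed to carry, then bind the
// value as a parameter so the database never parses it as part of the query.
function loadShoutSafe(PDO $db, string $shout): array {
    if (filter_var($shout, FILTER_VALIDATE_INT) === false) {
        return [];   // not an integer: stop here and send the user to the error page
    }
    $stmt = $db->prepare('SELECT id, member, body FROM shouts WHERE id = :id');
    $stmt->execute([':id' => (int) $shout]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$normal  = '2';
$tainted = '2 OR 1=1';   // constructed: no quotes and no "SQL", so neither filter touches it

printf("entity filter leaves it as:   %s\n", htmlspecialchars($tainted, ENT_QUOTES));
printf("keyword filter passes it:     %s\n", keywordFilterPasses($tainted) ? 'yes' : 'no');
printf("interpolated, normal id:      %d row(s)\n", count(loadShoutInterpolated($db, $normal)));
printf("interpolated, tainted id:     %d row(s)\n", count(loadShoutInterpolated($db, $tainted)));
printf("validated+prepared, normal:   %d row(s)\n", count(loadShoutSafe($db, $normal)));
printf("validated+prepared, tainted:  %d row(s)\n", count(loadShoutSafe($db, $tainted)));
```

Run it with the php command-line binary and the pdo_sqlite extension loaded. The first two lines show that both the entity filter and the keyword filter let the tainted value through unchanged; the interpolated query then returns every row in the table instead of one, while the validated, parameterised version returns the one row for the normal id and refuses the tainted one before any query runs. The check belongs at each query, not at the top of index.php, because only the code issuing the query knows which type the field must carry.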
Posted by Pyro-Fire on 2007-01-02 at 19:07:50
Updated.
Posted by DT_Battlekruser on 2007-01-03 at 00:56:30
Psst, IP what did you do to the ACP to break the CSS and almost every form submit?
Posted by Pyro-Fire on 2007-01-03 at 02:23:40
Is anyone going to fix the latest SQL injection?
Posted by Syphon on 2007-01-03 at 09:57:19
QUOTE(DT_Battlekruser @ Jan 3 2007, 12:56 AM)
Psst, IP what did you do to the ACP to break the CSS and almost every form submit?

Who cares, he fixed the favicon.