SQL Injection Expert Required (^_^)

rjcroasdale · February 24, 2016, 09:17:16 AM

Hello community, hope all are well this morning, afternoon or evening

I have been going through the process of server hardning, resolving all those issues you get with a new server to make it PCI compliant etc. - when I came across this, but I really am a bit of a SQL Injection nweb so I would like if someone could take a look and see, is this just false positive nonsense or is there somthing in it? For the two URLs one shows standard Joomla 404 component not found HTTP/1.1" 404, other just blank page no code at all and HTTP/1.1" 200. No httpd error or warnings produced in log. Joomla! 3.4.8, VirtueMart 3.0.12. Thank you for reading and any advice

Code Select


Status: Automatic Failure as listed by the PCI SSC (This must be resolved for your device to be compliant)
Plugin: "CGI Generic SQL Injection (blind)"
Category: "CGI abuses" Priority Urgent

Synopsis:
A CGI application hosted on the remote web server is potentially prone to SQL injection attack. Description:
By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, Nessus was able to get a very different response, which suggests that it may have been able to modify the behavior of the application and directly access the underlying database. An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system. Note that this script is experimental and may be prone to false positives.
See also: http://www.securiteam.com/securityreviews/5DP0N1P76E.html http://www.securitydocs.com/library/2651http://projects.webappsec.org/SQL-Injection

Risk factor HIGH / CVSS BASE SCORE :7.5 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Plugin output:
Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to blind SQL injection :
+ The 'format' parameter of the /index.php CGI :
/index.php?virtuemart_product_id[]=300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&id=1&jform[username]=&limitstart=&option=com_ajax&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&format=jsonzz300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&id=1&jform[username]=&limitstart=&option=com_ajax&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&format=jsonyy

-------- output --------{"success":true,"message":null,"messages":null,"data":null}
-------- vs --------------------------------

+ The 'option' parameter of the /index.php CGI :
/index.php?virtuemart_product_id[]=300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&format=json&id=1&jform[username]=&limitstart=&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&option=com_ajaxzz300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&format=json&id=1&jform[username]=&limitstart=&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&option=com_ajaxyy

-------- output --------HTTP/1.1 200 OK
-------- vs --------HTTP/1.1 404 Component not found.------------------------

Solution:
Modify the affected CGI scripts so that they properly escape arguments.

Report as False Positive. 
If you believe this vulnerability is a false positive, already patched or compensating controls exist within your infrastructure please click the link above. A security expert will review your submission  and accept or reject the report.

AH · February 24, 2016, 09:36:04 AM

Code Select

&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData

what is this doing??

balai · February 24, 2016, 10:07:48 AM

Code Select

option=com_ajaxyy means that this vulnerability is detected in the ajaxxy component (NOT in Virtuemart)

AH · February 24, 2016, 10:17:20 AM

Yes

Therefore - what additional plugins and components is he running

rjcroasdale · February 24, 2016, 10:35:37 AM

Fresh install, Joomla and Virtuemart - nothing else.

Quote from: balai on February 24, 2016, 10:07:48 AM
Code Select Expand
option=com_ajaxyy means that this vulnerability is detected in the ajaxxy component (NOT in Virtuemart)

The com_ajaxxY (where xY comes from idk) is actually in the url that responds with 404, its the other url that show 200 ok

GJC Web Design · February 24, 2016, 10:38:36 AM

and how is this wild and wacky url generated?

/index.php?virtuemart_product_id[]=300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&id=1&jform[username]=&limitstart=&option=com_ajax&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&format=jsonzz300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&id=1&jform[username]=&limitstart=&option=com_ajax&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&format=jsonyy

rjcroasdale · February 24, 2016, 10:40:40 AM

Its "Generic SQL Injection" detection plugin for nessus I think? Wild and Wacky indeed

balai · February 24, 2016, 11:24:37 AM

I suggest going to your joomla's components folder and check if there is any folder named com_ajax(yy)
If it is, better remove it.

Otherwise check for possible redirects of urls containing com_ajaxyy to other urls

rjcroasdale · February 24, 2016, 11:44:13 AM

Quote from: balai on February 24, 2016, 11:24:37 AM
I suggest going to your joomla's components folder and check if there is any folder named com_ajax(yy)
If it is, better remove it.

Otherwise check for possible redirects of urls containing com_ajaxyy to other urls

com_ajax is part of the full Joomla install, the yy seems to be added to the 'wacky' url by the sql injection detection script however, the URL that responds 200 OK which is the url suspect of problem is not the URL that contains the com_ajaxyy parameter. I think perhaps you are not guiding me down the right road.

The questions is, 'does this sql injection dectection script find anything potentially prone to SQL injection attack or is just false positive?' the url in question that returns 200ok, when should return 404 or somthing is as below, the other url returns 404 which is ok.

Code Select

/index.php?virtuemart_product_id[]=300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&id=1&jform[username]=&limitstart=&option=com_ajax&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&format=jsonzz300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&id=1&jform[username]=&limitstart=&option=com_ajax&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&format=jsonyy

rjcroasdale · February 24, 2016, 11:56:25 AM

I really dont know anything much about SQL injection, or this detection script but you need to /escape things

I wish I could escaper dis thread

its prob nothing!?

balai · February 24, 2016, 12:16:50 PM

Quotethe URL that responds 200 OK which is the url suspect of problem is not the URL that contains the com_ajaxyy parameter.

200 http code has nothing to do with the injection. This means that the server answered with success to the client's request but you have no idea what happened in the server side.

I repeat again that the url you submitted is calling the com_ajax component and not Virtuemart.

Now if you want to get an insight about being positive or not, this needs code debugging.
This cannot be determined by the url. Anybody can enter anything as url, the matter is what happens in the server.
https://en.wikipedia.org/wiki/SQL_injection

rjcroasdale · February 24, 2016, 12:40:51 PM

I take on board what you are saying, but with any url should respond 404 and only 200 OK when returning a vaild url... neither url should be returning 200ok and the one that is returning 200ok is the one without the ajax parameter. I dont care about the url with ajax in it because it returns 404.

balai · February 24, 2016, 13:00:57 PM

Ok which is the option param of the 200ok url?
I don't see option=com_virtuemart at any of your urls

Also your report states

QuoteBy sending specially crafted parameters to one or more CGI scripts hosted on the remote web server

This is a CGI script and not something supplied by VM. Possibly you have custom cgi scripts in your server or get hacked

rjcroasdale · February 24, 2016, 13:11:07 PM

I will go over to Joomla and post there, just more familiar with here, i like you guys (^_^)

If any Expert opinions on this matter please do respond, thank you!

rjcroasdale · February 24, 2016, 13:36:44 PM

Quote from: balai on February 24, 2016, 12:16:50 PM
Quoteurl you submitted is calling the com_ajax component and not Virtuemart.

Sorry I see option=com_ajax in the middle of the first url now i posted over there... Ooops

News:

SQL Injection Expert Required (^_^)