
SQL Injection Expert Required (^_^)

Started by rjcroasdale, February 24, 2016, 09:17:16 AM


PRO

have you tried to report it as a false positive?

this is standard Joomla behavior when you request random things, when there is nothing to return.

Of course, in your error.php, you could always check if the component is empty; if so, raise a 404 error.


rjcroasdale

Hi PRO! Thank you for your reply.

I have not tried to report it as a false positive, but I expect it to be a false positive; I just wanted an SQL Injection Expert's opinion on the matter ;)

Is it standard to return 200 OK on random 'wacky' urls? oO

The PEN SQL Injection script works as follows, from https://www.owasp.org/
Quote: If the request (1) provides the same result as request (0) and request (2) doesn't, the scanner will conclude that SQL injection is possible.

then they go on to say...
Quote: Another global issue concerning SQL injection is the fact that pen testers frequently conclude that a given SQL injection vulnerability can't be exploited. By concluding this incorrect statement they are inviting their customers to not patch the vulnerability.

So reading that last bit I just wanted to make sure it was a false positive ;)

Thank you - still don't know if it is a false positive or not though (^_^) maybe I should monitor the SQL queries as I run the specific detection script.

Regards to ALL :)

PRO

Quote from: AH on February 24, 2016, 09:36:04 AM
&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData

what is this doing??

SQL scanners just try to hammer urls with other things they find.

For example, they might have found the jform somewhere on the site.
Then, they try and post that to somewhere else.

And that's the thing: Joomla components mainly use JRequest/vRequest to get the data they need, and only the data they need.
So, most of the time, this BS would not even make it into the post/get.

BUT! it could stay in the url.
You can take a product url, and add this to the end of the url: &jj=100=600&AH=PCI_compliant&virtuemart=forum&this=1

And nothing changes. The VMart component is only going to grab the parts of the url it needs.

PRO

Quote from: rjcroasdale on February 24, 2016, 15:41:13 PM

Its standard to return 200OK on random 'wacky' urls? oO


I cannot reproduce this on my site, not from the urls you posted.
Do you have a url I can reproduce this on? Then I can tell you how to at least make the response change to what they want.


rjcroasdale

[26/Feb/2016:18:08:37 +0000] "GET /index.php?virtuemart_product_id[]=300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&format=json&id=1&jform[username]=&limitstart=&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&option=com_ajaxzz300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&format=json&id=1&jform[username]=&limitstart=&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&option=com_ajaxyy HTTP/1.1" 404

[26/Feb/2016:18:03:25 +0000] "GET /index.php?virtuemart_product_id[]=300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&id=1&jform[username]=&limitstart=&option=com_ajax&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&format=jsonzz300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&id=1&jform[username]=&limitstart=&option=com_ajax&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&format=jsonyy HTTP/1.1" 200

Hello and thank you for your posts :)

Unfortunately I am having an issue with the (joomla) FPA script as per http://forum.joomla.org/viewtopic.php?f=621&t=656394&start=90#p3370990

I am therefore giving you the information that seems relevant for now. Thank you and sorry for the delay in finding the time for this.

OS Centos 7
PHP 5.4.16
MySQLi 5.5.44
Caching Enabled
GZip Enabled
Database Collation    latin1_swedish_ci
Web Server    Apache
WebServer to PHP Interface    apache2handler
Joomla! Version    Joomla! 3.4.8 Stable [ Ember ] 24-December-2015 19:30 GMT
Joomla! Platform Version    Joomla Platform 13.1.0 Stable [ Curiosity ] 24-Apr-2013 00:00 GMT

dbtype             mysqli
sef             1 *(actually was 0 when running the injection detection)
sef_rewrite       1 *(actually was 0 when running the injection detection)
memcache_persist    1

All files and folders locked aside from /cache /administrator/cache /logs and /tmp which are fully writeable by Apache

Relevant PHP Settings

Setting          Value

Safe Mode          Off
Open basedir       None
Display Errors       Off
Short Open Tags    Off
File Uploads       On
Magic Quotes       Off
Register Globals    Off
Output Buffering    On
Session Auto Start    0
XML Enabled       Yes
Zlib Enabled       Yes
Native ZIP Enabled    Yes
Disabled Functions    None
Multibyte String   Enabled    Yes
Iconv Available    Yes

When the (joomla) FPA script was working, prior to installing PHP XML I did notice the message that potentially some modules were missing - is there a list of required modules or can someone post them please?

Aside from the FPA notice of required modules and the SQL injection detection script detection, false positive or not, everything seems to be working great!

FAO the Moderator! - IF I GAVE ANY POTENTIALLY SENSITIVE INFO PLEASE MASK IT, or someone else please tell me so I can edit the post to mask that info.

Thank you all and as always Regards to All (^_^)
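The two access-log lines above are what a defender has to work with when a scanner reports "possible SQL injection": the same request, sent twice with one parameter mutated, and a status that changed (404 versus 200). PRO's point is that a Joomla component only reads the parameters it asks for, so a mutated parameter that nothing consumes cannot reach a query; the scanner heuristic quoted from OWASP only compares responses. The helper below is an added example written for this thread (it is not code from the forum, OWASP or the VirtueMart project) that parses such log lines, reports which keys the scanner repeated, and resolves the repeated keys the way PHP's `$_GET` does (last value wins, `[]` keys collect into a list). The sample lines are constructed, shortened stand-ins for the quoted ones; in them the request whose `option` (the component name) was mutated gets 404 while the one whose `format` was mutated gets 200, which is the difference the scanner keyed on.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines: shortened stand-ins for the two access-log entries
# quoted in the thread, not copied from any real server.  Both keep the
# scanner's signature: one key appears twice, once with a "zz300" suffix and
# once with a "yy" suffix, and only the status code differs between them.
LOG_LINES = [
    '[26/Feb/2016:18:08:37 +0000] "GET /index.php?virtuemart_product_id[]=300'
    '&option=com_ajaxzz300&format=json&option=com_ajaxyy HTTP/1.1" 404',
    '[26/Feb/2016:18:03:25 +0000] "GET /index.php?virtuemart_product_id[]=300'
    '&option=com_ajax&format=jsonzz300&format=jsonyy HTTP/1.1" 200',
]

# Timestamp, method, request target and status, as in the quoted log format.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def effective_params(query):
    """Return the query parameters as PHP's $_GET would see them.

    PHP keeps only the LAST value of a repeated key, except for keys ending in
    "[]", which collect every value into a list.  A second copy of a parameter
    appended by a scanner therefore silently overrides the first one.
    """
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.endswith("[]"):
            params.setdefault(key, []).append(value)
        else:
            params[key] = value
    return params


def repeated_params(query):
    """Map each non-array key that occurs more than once to all of its values."""
    seen = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if not key.endswith("[]"):
            seen.setdefault(key, []).append(value)
    return {k: v for k, v in seen.items() if len(v) > 1}


def triage(line):
    """Parse one access-log line into the facts needed to judge the finding."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("unrecognised log line: %r" % line)
    parts = urlsplit(m.group("target"))
    return {
        "status": int(m.group("status")),
        "path": parts.path,
        "repeated": repeated_params(parts.query),
        "effective": effective_params(parts.query),
    }


def differing_params(line_a, line_b):
    """Parameters whose effective (PHP-visible) value differs between two requests."""
    a = triage(line_a)["effective"]
    b = triage(line_b)["effective"]
    return {
        k: (a.get(k), b.get(k))
        for k in sorted(set(a) | set(b))
        if a.get(k) != b.get(k)
    }


if __name__ == "__main__":
    for line in LOG_LINES:
        t = triage(line)
        print(t["status"], t["path"], "repeated keys:", t["repeated"])
    print("effective differences:", differing_params(LOG_LINES[0], LOG_LINES[1]))
```

Run over real log lines, the `repeated` field shows exactly which key the scanner played with, and `differing_params` shows what the application actually received; if the only effective difference is a key the component never reads (as Studio 42 describes), the status change has another cause, such as the component name in `option` no longer resolving, rather than a query being altered. Confirming or rejecting the finding still means checking the code path or the query log for that one key, which is the monitoring rjcroasdale proposes.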

Milbo

Quote from: rjcroasdale on February 24, 2016, 12:40:51 PM
I take on board what you are saying, but any url should respond 404 and only 200 OK when returning a valid url
This is not correctly said. A valid URL is determined by the format. A 404 just meant, in old times, that the requested file was not found. In Joomla, you always use the index.php. So actually any 404 in Joomla is not a 404, because the requested page was there. It just says that the requested "meta" page could not be delivered.

There exists for any canonical URL an unlimited number of valid URLs, even pointing to the correct content!
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

rjcroasdale

Thanks for the info Milbo (^_^) best regards bra :)

Studio 42

Hi,
Your script only returns "possible" URLs that you could use to hack a site.
This does not mean that you can use them.
E.g. adding &test=select password from jos_user to your link is a valid URL, but because "test" is not used in any case, this does not permit hacking a mysql query.

rjcroasdale

Quote from: Studio 42 on March 01, 2016, 11:23:22 AM
Hi,
Your script only returns "possible" URLs that you could use to hack a site.
This does not mean that you can use them.
E.g. adding &test=select password from jos_user to your link is a valid URL, but because "test" is not used in any case, this does not permit hacking a mysql query.

Hello Studio! Thank you for your reply :)
Yes I agree, it's only a possible or a false positive. I'm guessing that to test it properly I actually have to monitor the SQL queries live on the server and try to either pull data out or put data in. Thank you and Regards to all.