News:

Looking for documentation? Take a look on our wiki

Main Menu

SQL Injection Expert Required (^_^)

Started by rjcroasdale, February 24, 2016, 09:17:16 AM

Previous topic - Next topic

rjcroasdale

Hello community, hope all are well this morning, afternoon or evening :)

I have been going through the process of server hardning, resolving all those issues you get with a new server to make it PCI compliant etc. - when I came across this, but I really am a bit of a SQL Injection nweb so I would like if someone could take a look and see, is this just false positive nonsense or is there somthing in it? For the two URLs one shows standard Joomla 404 component not found HTTP/1.1" 404, other just blank page no code at all and HTTP/1.1" 200. No httpd error or warnings produced in log. Joomla! 3.4.8, VirtueMart 3.0.12. Thank you for reading and any advice  :-*


Status: Automatic Failure as listed by the PCI SSC (This must be resolved for your device to be compliant)
Plugin: "CGI Generic SQL Injection (blind)"
Category: "CGI abuses" Priority Urgent

Synopsis:
A CGI application hosted on the remote web server is potentially prone to SQL injection attack. Description:
By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, Nessus was able to get a very different response, which suggests that it may have been able to modify the behavior of the application and directly access the underlying database. An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system. Note that this script is experimental and may be prone to false positives.
See also: http://www.securiteam.com/securityreviews/5DP0N1P76E.html http://www.securitydocs.com/library/2651http://projects.webappsec.org/SQL-Injection

Risk factor HIGH / CVSS BASE SCORE :7.5 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Plugin output:
Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to blind SQL injection :
+ The 'format' parameter of the /index.php CGI :
/index.php?virtuemart_product_id[]=300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&id=1&jform[username]=&limitstart=&option=com_ajax&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&format=jsonzz300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&id=1&jform[username]=&limitstart=&option=com_ajax&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&format=jsonyy

-------- output --------{"success":true,"message":null,"messages":null,"data":null}
-------- vs --------------------------------

+ The 'option' parameter of the /index.php CGI :
/index.php?virtuemart_product_id[]=300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&format=json&id=1&jform[username]=&limitstart=&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&option=com_ajaxzz300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&format=json&id=1&jform[username]=&limitstart=&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&option=com_ajaxyy

-------- output --------HTTP/1.1 200 OK
-------- vs --------HTTP/1.1 404 Component not found.------------------------

Solution:
Modify the affected CGI scripts so that they properly escape arguments.

Report as False Positive.
If you believe this vulnerability is a false positive, already patched or compensating controls exist within your infrastructure please click the link above. A security expert will review your submission  and accept or reject the report.

AH

&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData

what is this doing??
Regards
A

Joomla 4.4.5
php 8.1

balai

option=com_ajaxyy means that this vulnerability is detected in the ajaxxy component (NOT in Virtuemart)

AH

Yes

Therefore - what additional plugins and components is he running
Regards
A

Joomla 4.4.5
php 8.1

rjcroasdale

#4
Fresh install, Joomla and Virtuemart - nothing else.

Quote from: balai on February 24, 2016, 10:07:48 AM
option=com_ajaxyy means that this vulnerability is detected in the ajaxxy component (NOT in Virtuemart)
The com_ajaxxY (where xY comes from idk) is actually in the url that responds with 404, its the other url that show 200 ok

GJC Web Design

and how is this wild and wacky url generated?

/index.php?virtuemart_product_id[]=300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&id=1&jform[username]=&limitstart=&option=com_ajax&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&format=jsonzz300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&id=1&jform[username]=&limitstart=&option=com_ajax&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&format=jsonyy
GJC Web Design
VirtueMart and Joomla Developers - php developers https://www.gjcwebdesign.com
VM4 AusPost Shipping Plugin - e-go Shipping Plugin - VM4 Postcode Shipping Plugin - Radius Shipping Plugin - VM4 NZ Post Shipping Plugin - AusPost Estimator
Samport Payment Plugin - EcomMerchant Payment Plugin - ccBill payment Plugin
VM2 Product Lock Extension - VM2 Preconfig Adresses Extension - TaxCloud USA Taxes Plugin - Virtuemart  Product Review Component
https://extensions.joomla.org/profile/profile/details/67210
Contact for any VirtueMart or Joomla development & customisation

rjcroasdale

Its "Generic SQL Injection" detection plugin for nessus I think? Wild and Wacky indeed :D

balai

#7
I suggest going to your joomla's components folder and check if there is any folder named com_ajax(yy)
If it is, better remove it.

Otherwise check for possible redirects of urls containing com_ajaxyy to other urls

rjcroasdale

Quote from: balai on February 24, 2016, 11:24:37 AM
I suggest going to your joomla's components folder and check if there is any folder named com_ajax(yy)
If it is, better remove it.

Otherwise check for possible redirects of urls containing com_ajaxyy to other urls
com_ajax is part of the full Joomla install, the yy seems to be added to the 'wacky' url by the sql injection detection script however, the URL that responds 200 OK which is the url suspect of problem is not the URL that contains the com_ajaxyy parameter. I think perhaps you are not guiding me down the right road.

The questions is, 'does this sql injection dectection script find anything potentially prone to SQL injection attack or is just false positive?' the url in question that returns 200ok, when should return 404 or somthing is as below, the other url returns 404 which is ok.
/index.php?virtuemart_product_id[]=300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&id=1&jform[username]=&limitstart=&option=com_ajax&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&format=jsonzz300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&id=1&jform[username]=&limitstart=&option=com_ajax&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&format=jsonyy

rjcroasdale

I really dont know anything much about SQL injection, or this detection script but you need to /escape things ;) I wish I could escaper dis thread :D its prob nothing!?

balai

#10
Quotethe URL that responds 200 OK which is the url suspect of problem is not the URL that contains the com_ajaxyy parameter.
200 http code has nothing to do with the injection. This means  that the server answered with success to the client's request but you have no idea what happened in the server side.

I repeat again that the url you submitted is calling the com_ajax component and not Virtuemart.

Now if you want to get an insight about being positive or not, this needs code debugging.
This cannot be determined by the url. Anybody can enter anything  as url, the matter is what happens in the server.
https://en.wikipedia.org/wiki/SQL_injection

rjcroasdale

I take on board what you are saying, but with any url should respond 404 and only 200 OK when returning a vaild url... neither url should be returning 200ok and the one that is returning 200ok is the one without the ajax parameter. I dont care about the url with ajax in it because it returns 404.

balai

#12
Ok which is the option param of the 200ok url?
I don't see option=com_virtuemart at any of your urls

Also your report states
QuoteBy sending specially crafted parameters to one or more CGI scripts hosted on the remote web server
This is a CGI script and not something supplied by VM. Possibly you have custom cgi scripts in your server or get hacked

rjcroasdale

I will go over to Joomla and post there, just more familiar with here, i like you guys (^_^)

If any Expert opinions on this matter please do respond, thank you! :)

rjcroasdale

#14
Quote from: balai on February 24, 2016, 12:16:50 PM
Quoteurl you submitted is calling the com_ajax component and not Virtuemart.

Sorry I see option=com_ajax in the middle of the first url now i posted over there... Ooops ;)