dermotblair / webvulscan

Web Application Vulnerability Scanner.
https://code.google.com/p/webvulscan/
GNU General Public License v3.0

Multiple SQLi vulnerabilities #13

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Pick either the scanner or crawler resource, and attempt to scan some URL with an added apostrophe character, say http://test123.com/'
2. The webvulscan tool will report a problem - "Problem inserting a new test into the database. Please try again."
3. Check the webvulscan logs in the /webvulscanner_install_dir/scanner/logs/ folder:

14:39:27:1027 ,scanner, Problem executing query: INSERT into tests(id,status,numUrlsFound,type,num_requests_sent,start_timestamp,finish_timestamp,scan_finished,url,username,urls_found) VALUES(642,'Creating profile for new scan...',0,'scan',0,1350481167,1350481167,0,'http://testapp123.com/'','','')

Please note the 'http://testapp123.com/'' bit in the INSERT statement captured in the log: the extra apostrophe breaks the SQL statement syntax, thus allowing successful SQL Injection attacks.

4. For more fun, attempt to scan/crawl the following URL:

http://testapp123.com/'+benchmark(90000000,sha1(1))+'

This will result in a serious jump in CPU consumption for mysql, since the mysql benchmark() function is successfully executed.

Submitting more requests like this, or using an increased number of iterations, would eventually lead to a crash of the mysql process - thus leading to a successful DoS attack.

Analysis:

For the scanner, this issue is caused by the unsafe inclusion of HTTP request parameters into the SQL query defined in scanner_form.php, as shown below:

// $urlToScan and $username come straight from the HTTP request and are
// interpolated into the SQL string with no escaping or parameter binding.
$query = "INSERT into tests(id,status,numUrlsFound,type,num_requests_sent,start_timestamp,finish_timestamp,scan_finished,url,username,urls_found) VALUES($nextId,'Creating profile for new scan...',0,'scan',0,$now,$now,0,'$urlToScan','$username','')";
$result = $db->query($query);

What is the expected output? What do you see instead?
Product should not be vulnerable itself to SQLi attacks.

What version of the product are you using? On what operating system?
webvulscan_v0.12

Please provide any additional information below.

Original issue reported on code.google.com by marian.v...@gmail.com on 17 Oct 2012 at 1:59
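A parameterised version of that INSERT, as an added example (not code from the webvulscan project). It assumes $db is a mysqli connection, which the original snippet's $db->query() call suggests but does not confirm, and that the tests table has the columns named in the issue's query.

```php
<?php
// Added example (not webvulscan's own code): the INSERT from scanner_form.php
// rewritten with a mysqli prepared statement. The URL and username are bound
// as data, so an apostrophe in the URL is stored literally and can no longer
// change the statement's syntax.
// Assumes $db is an open mysqli connection and that the `tests` table has the
// columns named in the issue's query.

function insertNewTest(mysqli $db, int $nextId, int $now, string $urlToScan, string $username): bool
{
    // Validation is a second layer, not a substitute for binding: the scanner
    // only needs http/https targets, so reject anything else early.
    if (filter_var($urlToScan, FILTER_VALIDATE_URL) === false
        || !in_array(parse_url($urlToScan, PHP_URL_SCHEME), ['http', 'https'], true)) {
        return false;
    }

    $sql = 'INSERT INTO tests'
         . '(id,status,numUrlsFound,type,num_requests_sent,start_timestamp,'
         . 'finish_timestamp,scan_finished,url,username,urls_found) '
         . 'VALUES(?, ?, 0, ?, 0, ?, ?, 0, ?, ?, ?)';

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        // Log the driver error; never echo it back to the user.
        error_log('Problem preparing insert into tests: ' . $db->error);
        return false;
    }

    $status    = 'Creating profile for new scan...';
    $type      = 'scan';
    $urlsFound = '';

    // One type character per placeholder: i = integer, s = string.
    $stmt->bind_param('issiisss', $nextId, $status, $type, $now, $now,
                      $urlToScan, $username, $urlsFound);
    $ok = $stmt->execute();
    if (!$ok) {
        error_log('Problem executing insert into tests: ' . $stmt->error);
    }
    $stmt->close();
    return $ok;
}
```

With the values bound, a target such as http://test123.com/' is inserted as an ordinary string and the log line quoted in the report no longer appears as a syntax error; the same change applies to any other query in the scanner or crawler that builds SQL from request parameters.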

GoogleCodeExporter commented 9 years ago

Original comment by webvuls...@gmail.com on 22 Oct 2012 at 11:14

GoogleCodeExporter commented 9 years ago

Original comment by webvuls...@gmail.com on 22 Oct 2012 at 11:17