1) LOGIN PAGE authenticate() SQL INJECTION $username and $password are not validated or escaped before being used in the SQL query $detail = $Auth->authenticate($username, $password); -------------- in vAuthenticate.php -------------- // Change the path to auth.php and authconfig.php if you moved // vAuthenticate.php from its original directory. include_once ("auth.php"); include_once ("authconfig.php"); $username = $_POST['username']; $password = $_POST['password']; echo '
USER: '.$username; // ASCII echo 'PASS: '.$password; // ASCII $Auth = new auth(); $detail = $Auth->authenticate($username, $password); -------------------------------------------------- ------------------ in auth.php ------------------- function authenticate($username, $password) { echo 'USER: '.$username; // ASCII echo 'PASS: '.$password; // ASCII $utils = new utils(); $query = "SELECT * FROM authuser WHERE uname='$username' AND passwd=MD5('$password') AND status <> 'inactive'"; echo 'QUER: '.$query; // ASCII $UpdateRecords = "UPDATE authuser SET lastloginDate = CURRENT_DATE(),lastloginTime = CURRENT_TIME(), logincount = logincount + 1 WHERE uname='$username'"; echo 'QUER: '.$UpdateRecords; // ASCII -------------------------------------------------- USER: ' PASS: ' USER: ' PASS: ' QUER: SELECT * FROM authuser WHERE uname=''' AND passwd=MD5(''') AND status <> 'inactive' QUER: UPDATE authuser SET lastloginDate = CURRENT_DATE(),lastloginTime = CURRENT_TIME(), logincount = logincount + 1 WHERE uname=''' In $Auth->authenticate() there are 2 SQL injections (the SELECT and the UPDATE shown above); then, in the same function, if $numrows != 0 the following calls are made, which are themselves vulnerable (see points 2 and 3): ------------------ in auth.php ------------------- $Update = mysql_query($UpdateRecords); $utils->add_userIp($username,$macAddress,$ipAddress,$level); $utils->updateTimeStamp($username,"loginStartDate","CURRENT_DATE()"); $utils->updateTimeStamp($username,"loginStartTime","CURRENT_TIME()"); -------------------------------------------------- 2) add_userIp() SQL INJECTION $username is not validated or escaped before being used in the query ------------------ in utils.php ------------------ function add_userIp($username,$macAddress,$ipAddress,$level) { [..CUT..]
$qUserId = "SELECT id FROM authuser WHERE uname='$username'"; $result = mysql_query($qUserId); -------------------------------------------------- 3) updateTimeStamp() SQL INJECTION $username is not validated or escaped before being used in the query ------------------ in utils.php ------------------ function updateTimeStamp($username,$field,$timestamp){ $qUserId = "SELECT id FROM authuser WHERE uname='$username' order by id desc"; $result = mysql_query($qUserId ); -------------------------------------------------- 4) authuser.php USER DELETE SQL INJECTION ------------------ in utils.php ------------------ if ($action=="Cancella") { [..CUT..] // Delete record in authuser table $delete = $user->delete_user($username); // Delete record in signup table $deletesignup = mysql_query("DELETE FROM signup WHERE uname='$username'"); -------------------------------------------------- POST /milkeyway/milkeyway/admin/authuser.php HTTP/1.1 username=sa&password=&team=Admin&level=1&status=active&action=Cancella ^^ ^^^^^^^^ 5) delete_user() SQL INJECTION ------------------ in auth.php ------------------- function delete_user($username) { $qDelete = "DELETE FROM authuser WHERE uname='$username'"; [..CUT..] $result = mysql_query($qDelete); -------------------------------------------------- 6) authuser.php MODIFY USER modify_user() SQL INJECTION ---------------- in authuser.php ----------------- if (isset($_POST['action'])) { $username = $_POST['username']; $password = $_POST['password']; $team = $_POST['team']; $level = $_POST['level']; $status = $_POST['status']; $action = $_POST['action']; [..CUT..] $ipAddress = $_POST['ipAddress']; $ipAddress = $_POST['macAddress']; } elseif (isset($_GET['act'])) { $act = $_GET['act']; [..CUT..]
-------------------------------------------------- then, in the called function: ------------------ in auth.php ------------------- function modify_user($username, $password, $team, $level, $status) { // If $password is blank, make no changes to the current password if (trim($password == '')) { $qUpdate = "UPDATE authuser SET team='$team', level='$level', status='$status' WHERE uname='$username'"; } else { $qUpdate = "UPDATE authuser SET passwd=MD5('$password'), team='$team', level='$level', status='$status' WHERE uname='$username'"; } [..CUT..] $result = mysql_query($qUpdate); return 1; -------------------------------------------------- 7) authuser.php MULTIPLE XSS ---------------- in authuser.php ----------------- if (isset($_POST['action'])) { $ipAddress = $_POST['ipAddress']; $ipAddress = $_POST['macAddress']; [..CUT..] print ""; ?> -------------------------------------------------- note that many other variables are affected by XSS vulnerabilities, e.g. $username and $password 8) authuser.php EDIT MULTIPLE XSS ---------------- in authuser.php ----------------- if ($act == "Edit") { $username = $_GET['username']; $listusers = mysql_query("SELECT * FROM authuser u LEFT OUTER JOIN userData d on u.id=d.userid where u.uname='$username'"); -------------------------------------------------- /milkeyway/admin/authuser.php?act=Edit&username=sa ^^^^ ^^ 9) authuser.php RELEASE USER SQL INJECTION ---------------- in authuser.php ----------------- if (strcmp($action, "Rilascia Utente") == 0) { [..CUT..]
$utils->updateTimeStamp($username,"loginEndDate","CURRENT_DATE()"); // VULNERABLE, already seen $utils->updateTimeStamp($username,"loginEndTime","CURRENT_TIME()"); // VULNERABLE, already seen $utils->releaseUser($username); // VULNERABLE, SEE THE NEXT POINT $update = $user->modify_user($username, $password, $team, $level, "inactive"); // VULNERABLE, already seen on chap 6 POST /milkeyway/milkeyway/admin/authuser.php HTTP/1.1 username=sa&password=&team=Admin&level=1&status=active&action=Rilascia+Utente ^^ ^^^^^^^^^^^^^^^ 10) releaseUser() SQL INJECTION ------------------ in utils.php ------------------ function releaseUser($username){ //Update userData $qUserId = "SELECT id FROM authuser WHERE uname='$username'"; $result = mysql_query($qUserId ); $rows = mysql_fetch_array($result); $id = $rows[0]; $qUserMac ="SELECT macAddress from userData where userId=$id order by loginStartDate desc,loginStartTime desc"; $SelectedDB = mysql_select_db($this->DBNAME); $result = mysql_query($qUserMac); } -------------------------------------------------- 11) authuser.php ORDERING SQL INJECTION sql is injectable by $_GET['filter'] ---------------- in authuser.php ----------------- if ($direction =="DESC") $direction ="ASC"; else $direction ="DESC"; $orderingFilter = $_GET['filter']; if ($orderingFilter == '') $orderBy ="order by uname ASC" ; else $orderBy ="order by ".$orderingFilter." ".$direction; $result = mysql_query("SELECT * FROM authuser ".$orderBy ); -------------------------------------------------- 12) authgroup.php ADD GROUP SQL INJECTION ---------------- in authgroup.php ---------------- if (isset($_POST['action'])) { $action = $_POST['action']; [..CUT..] $teamname = $_POST['teamname']; $teamlead = $_POST['teamlead']; $status = $_POST['status']; } elseif (isset($_GET['act'])) { $act = $_GET['act']; [..CUT..] 
if ($action == "Aggiungi") { $situation = $group->add_team($teamname, $teamlead, $status); // VULNERABLE, SEE BELOW -------------------------------------------------- 13) add_team() SQL INJECTION ------------------ in auth.php ------------------- function add_team($teamname, $teamlead, $status="active") { $qGroupExists = "SELECT * FROM authteam WHERE teamname='$teamname'"; $qInsertGroup = "INSERT INTO authteam(teamname, teamlead, status) VALUES ('$teamname', '$teamlead', '$status')"; [..CUT..] // Check if all fields are filled up if (trim($teamname) == "") return "blank team name"; $group_exists = mysql_query($qGroupExists); -------------------------------------------------- 14) authgroup.php DELETE GROUP SQL INJECTION ---------------- in authgroup.php ---------------- if (isset($_POST['action'])) { $action = $_POST['action']; [..CUT..] $teamname = $_POST['teamname']; $teamlead = $_POST['teamlead']; $status = $_POST['status']; } elseif (isset($_GET['act'])) { $act = $_GET['act']; [..CUT..] if ($action=="Cancella") { $delete = $group->delete_team($teamname); // VULNERABLE, SEE BELOW -------------------------------------------------- 15) delete_team() SQL INJECTION ------------------ in auth.php ------------------- function delete_team($teamname) { $qDelete = "DELETE FROM authteam WHERE teamname='$teamname'"; $qUpdateUser = "UPDATE authuser SET team='Ungrouped' WHERE team='$teamname'"; [..CUT..] $result = mysql_query($qUpdateUser); [..CUT..] $result = mysql_query($qDelete); -------------------------------------------------- 16) authgroup.php MODIFY TEAM SQL INJECTION ---------------- in authgroup.php ---------------- if (isset($_POST['action'])) { $action = $_POST['action']; [..CUT..] $teamname = $_POST['teamname']; $teamlead = $_POST['teamlead']; $status = $_POST['status']; } elseif (isset($_GET['act'])) { $act = $_GET['act']; [..CUT..] 
if ($action == "Modifica") { $update = $group->modify_team($teamname, $teamlead, $status); // VULNERABLE, SEE BELOW -------------------------------------------------- 17) modify_team() SQL INJECTION ------------------ in auth.php ------------------- function modify_team($teamname, $teamlead, $status) { $qUpdate = "UPDATE authteam SET teamlead='$teamlead', status='$status' WHERE teamname='$teamname'"; $qUserStatus = "UPDATE authuser SET status='$status' WHERE team='$teamname'"; [..CUT..] $userresult = mysql_query($qUserStatus); [..CUT..] $result = mysql_query($qUpdate); -------------------------------------------------- 18) traffic.php MULTIPLE SQL INJECTION note that there are two identical traffic.php files: one in the root and the other in admin/ first SQL injection ($_GET['date']) ----------------- in traffic.php ----------------- $act = $_GET['act']; $idToProcess = $_GET['id']; if ($act=='trafficDetails') { $date = $_GET['date']; [..CUT..] $trafficQuery = "SELECT * FROM userData u where loginStartDate='".$date."' order by loginStartDate,loginStartTime "; $result = mysql_query($trafficQuery); -------------------------------------------------- second SQL injection ($_GET['date']) ----------------- in traffic.php ----------------- $trafficByUser = "SELECT * FROM traffic where time <= '".$upper."' and time >= '".$lower."' and date='''.$date.'''"; $result = mysql_query($trafficByUser); -------------------------------------------------- third SQL injection ($_GET['id']) ----------------- in traffic.php ----------------- else if ($act=='groupDate'){ [..CUT..] $trafficQuery = 'SELECT *,count(loginStartDate) FROM userData u where userId='.$idToProcess.'
group by loginStartDate order by loginStartDate,loginStartTime'; $result = mysql_query($trafficQuery); -------------------------------------------------- /milkeyway/admin/traffic.php?id=1&act=groupDate ^ 19) userstatistics.php ADD USER SQL INJECTION -------------- in userstatistics.php ------------- if (isset($_POST['action'])) { $username = $_POST['username']; $password = $_POST['password']; $team = $_POST['team']; $level = $_POST['level']; $status = $_POST['status']; $action = $_POST['action']; $ipAddress = $_POST['ipAddress']; $ipAddress = $_POST['macAddress']; } elseif (isset($_GET['act'])) { $act = $_GET['act']; [..CUT..] if ($action == "Add") { $situation = $user->add_user($username, $password, $team, $level, $status); // VULNERABLE, SEE POINT 2 -------------------------------------------------- 20) userstatistics.php DELETE USER SQL INJECTION -------------- in userstatistics.php ------------- if ($action=="Delete") { $delete = $user->delete_user($username); // VULNERABLE, SEE POINT 5 -------------------------------------------------- 21) userstatistics.php MODIFY USER SQL INJECTION -------------- in userstatistics.php ------------- if ($action == "Modify") { $update = $user->modify_user($username, $password, $team, $level, $status); // VULNERABLE, SEE POINT 6 -------------------------------------------------- 22) userstatistics.php EDIT USER SQL INJECTION -------------- in userstatistics.php ------------- if ($act == "Edit") { $username = $_GET['username']; $listusers = mysql_query("SELECT * FROM authuser u LEFT OUTER JOIN userData d on u.id=d.userid where u.uname='$username'"); -------------------------------------------------- 23) userstatistics.php MULTIPLE XSS for example, the variable $username is read again from GET and then printed without any escaping -------------- in userstatistics.php ------------- if ($act == "statistics") { $username = $_GET['username']; [..CUT..]
echo $username ?> -------------------------------------------------- 24) userstatistics.php $_GET['username'] SQL INJECTION 1 -------------- in userstatistics.php ------------- if ($act == "statistics") { $username = $_GET['username']; [..CUT..] $result = mysql_query("SELECT id FROM authuser where uname = '$username'"); -------------------------------------------------- 25) userstatistics.php $_GET['username'] SQL INJECTION 2 -------------- in userstatistics.php ------------- $result= mysql_query ("select id from authuser where uname = '$username'"); -------------------------------------------------- 26) chgpwd.php MULTIPLE SQL INJECTION 1 -------------------- chgpwd.php ------------------ if (isset($_POST['submit'])) { $USERNAME = $_COOKIE['USERNAME']; $PASSWORD = $_COOKIE['PASSWORD']; $submit = $_POST['submit']; $oldpasswd = $_POST['oldpasswd']; $newpasswd = $_POST['newpasswd']; $confirmpasswd = $_POST['confirmpasswd']; [..CUT..] $userdata = mysql_query("SELECT * FROM authuserWHERE uname='$USERNAME' and passwd='$PASSWORD'"); -------------------------------------------------- 27) chgpwd.php MULTIPLE SQL INJECTION 2 -------------------- chgpwd.php ------------------ // If everything is ok, use auth class to modify the record $update = $user->modify_user($USERNAME, $newpasswd, $check["team"], $check["level"], $check["status"]); // VULNERABLE, SEE CHAPTER 6 -------------------------------------------------- 28) logout.php SQL INJECTION -------------------- chgpwd.php ------------------ $username=$_GET['username']; [..CUT..] $utils->updateTimeStamp($username,"loginEndDate","CURRENT_DATE()"); $utils->updateTimeStamp($username,"loginEndTime","CURRENT_TIME()"); -------------------------------------------------- 29) CONCLUSION no conclusion. fuck em. every function is bogus. i hope you have magic_quotes on Francesco 'ascii' Ongaro