1) LOGIN PAGE authenticate() SQL INJECTION
$username and $password are not checked
$detail = $Auth->authenticate($username, $password);
-------------- in vAuthenticate.php --------------
// Change the path to auth.php and authconfig.php if you moved
// vAuthenticate.php from its original directory.
include_once ("auth.php");
include_once ("authconfig.php");
$username = $_POST['username'];
$password = $_POST['password'];
echo 'USER: '.$username; // ASCII
echo 'PASS: '.$password; // ASCII
$Auth = new auth();
$detail = $Auth->authenticate($username, $password);
--------------------------------------------------
------------------ in auth.php -------------------
function authenticate($username, $password) {
echo 'USER: '.$username; // ASCII
echo 'PASS: '.$password; // ASCII
$utils = new utils();
$query = "SELECT * FROM authuser WHERE uname='$username' AND passwd=MD5('$password') AND status <> 'inactive'";
echo 'QUER: '.$query; // ASCII
$UpdateRecords = "UPDATE authuser SET lastloginDate = CURRENT_DATE(),lastloginTime = CURRENT_TIME(), logincount = logincount + 1 WHERE uname='$username'";
echo 'QUER: '.$UpdateRecords; // ASCII
--------------------------------------------------
USER: '
PASS: '
USER: '
PASS: '
QUER: SELECT * FROM authuser WHERE uname=''' AND passwd=MD5(''') AND status <> 'inactive'
QUER: UPDATE authuser SET lastloginDate = CURRENT_DATE(),lastloginTime = CURRENT_TIME(), logincount = logincount + 1 WHERE uname='''
In $Auth->authenticate() there are two SQL injections (both the SELECT and the UPDATE above interpolate $username unescaped).
Then, in the same function, if $numrows != 0:
------------------ in auth.php -------------------
$Update = mysql_query($UpdateRecords);
$utils->add_userIp($username,$macAddress,$ipAddress,$level);
$utils->updateTimeStamp($username,"loginStartDate","CURRENT_DATE()");
$utils->updateTimeStamp($username,"loginStartTime","CURRENT_TIME()");
--------------------------------------------------
2) add_userIp() SQL INJECTION
$username is not checked
------------------ in utils.php ------------------
function add_userIp($username,$macAddress,$ipAddress,$level) {
[..CUT..]
$qUserId = "SELECT id FROM authuser WHERE uname='$username'";
$result = mysql_query($qUserId);
--------------------------------------------------
3) updateTimeStamp() SQL INJECTION
$username is not checked
------------------ in utils.php ------------------
function updateTimeStamp($username,$field,$timestamp){
$qUserId = "SELECT id FROM authuser WHERE uname='$username' order by id desc";
$result = mysql_query($qUserId );
--------------------------------------------------
4) authuser.php USER DELETE SQL INJECTION
------------------ in utils.php ------------------
if ($action=="Cancella") {
[..CUT..]
// Delete record in authuser table
$delete = $user->delete_user($username);
// Delete record in signup table
$deletesignup = mysql_query("DELETE FROM signup WHERE uname='$username'");
--------------------------------------------------
POST /milkeyway/milkeyway/admin/authuser.php HTTP/1.1
username=sa&password=&team=Admin&level=1&status=active&action=Cancella
^^ ^^^^^^^^
5) delete_user() SQL INJECTION
------------------ in auth.php -------------------
function delete_user($username) {
$qDelete = "DELETE FROM authuser WHERE uname='$username'";
[..CUT..]
$result = mysql_query($qDelete);
--------------------------------------------------
6) authuser.php MODIFY USER modify_user() SQL INJECTION
---------------- in authuser.php -----------------
if (isset($_POST['action'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$team = $_POST['team'];
$level = $_POST['level'];
$status = $_POST['status'];
$action = $_POST['action'];
[..CUT..]
$ipAddress = $_POST['ipAddress'];
$ipAddress = $_POST['macAddress'];
} elseif (isset($_GET['act'])) {
$act = $_GET['act'];
[..CUT..]
--------------------------------------------------
then
------------------ in auth.php -------------------
function modify_user($username, $password, $team, $level, $status) {
// If $password is blank, make no changes to the current password
if (trim($password == '')) {
$qUpdate = "UPDATE authuser SET team='$team', level='$level', status='$status' WHERE uname='$username'";
} else {
$qUpdate = "UPDATE authuser SET passwd=MD5('$password'), team='$team', level='$level', status='$status' WHERE uname='$username'";
}
[..CUT..]
$result = mysql_query($qUpdate);
return 1;
--------------------------------------------------
7) authuser.php MULTIPLE XSS
---------------- in authuser.php -----------------
if (isset($_POST['action'])) {
$ipAddress = $_POST['ipAddress'];
$ipAddress = $_POST['macAddress'];
[..CUT..]
print ""; ?>
--------------------------------------------------
Note that many other variables are affected by XSS, for example
$username and $password.
8) authuser.php EDIT MULTIPLE XSS
---------------- in authuser.php -----------------
if ($act == "Edit") {
$username = $_GET['username'];
$listusers = mysql_query("SELECT * FROM authuser u LEFT OUTER JOIN userData d on u.id=d.userid where u.uname='$username'");
--------------------------------------------------
/milkeyway/admin/authuser.php?act=Edit&username=sa
^^^^ ^^
9) authuser.php RELEASE USER SQL INJECTION
---------------- in authuser.php -----------------
if (strcmp($action, "Rilascia Utente") == 0) {
[..CUT..]
$utils->updateTimeStamp($username,"loginEndDate","CURRENT_DATE()"); // VULNERABLE, already seen
$utils->updateTimeStamp($username,"loginEndTime","CURRENT_TIME()"); // VULNERABLE, already seen
$utils->releaseUser($username); // VULNERABLE, SEE THE NEXT POINT
$update = $user->modify_user($username, $password, $team, $level, "inactive"); // VULNERABLE, already seen on chap 6
POST /milkeyway/milkeyway/admin/authuser.php HTTP/1.1
username=sa&password=&team=Admin&level=1&status=active&action=Rilascia+Utente
^^ ^^^^^^^^^^^^^^^
10) releaseUser() SQL INJECTION
------------------ in utils.php ------------------
// Looks up the user's id by name, then selects that user's macAddress rows
// from userData, most recent login first. Both queries are built by string
// interpolation with no escaping (mysql_* extension, removed in PHP 7.0):
// $username is caller-supplied (at the call site quoted in point 9 it comes
// from $_POST['username']) and $id is inserted unquoted and uncast.
function releaseUser($username){
//Update userData
// SQL injection: $username goes straight into the WHERE clause.
$qUserId = "SELECT id FROM authuser WHERE uname='$username'";
// The mysql_query() return value is not checked; on a failed query it is
// false and mysql_fetch_array() is then called on it.
$result = mysql_query($qUserId );
$rows = mysql_fetch_array($result);
$id = $rows[0];
// Second injection point: $id is whatever the first query returned.
$qUserMac ="SELECT macAddress from userData where userId=$id order by loginStartDate desc,loginStartTime desc";
$SelectedDB = mysql_select_db($this->DBNAME);
$result = mysql_query($qUserMac);
// Despite the "Update userData" comment, the visible body only issues
// SELECTs; $result and $SelectedDB are not used before the function returns.
}
--------------------------------------------------
11) authuser.php ORDERING SQL INJECTION
The SQL is injectable via $_GET['filter'].
---------------- in authuser.php -----------------
// Toggle the sort direction; $direction is assigned before this excerpt.
if ($direction =="DESC") $direction ="ASC";
else $direction ="DESC";
// The column to sort by is read verbatim from the query string (no isset()
// check, no validation).
$orderingFilter = $_GET['filter'];
// An empty value falls back to a fixed clause; any other value is concatenated
// straight into ORDER BY. Because the untrusted value is not inside quotes,
// escaping alone would not help here -- only an allow-list of column names
// would (SQL injection).
if ($orderingFilter == '') $orderBy ="order by uname ASC" ;
else $orderBy ="order by ".$orderingFilter." ".$direction;
$result = mysql_query("SELECT * FROM authuser ".$orderBy );
--------------------------------------------------
12) authgroup.php ADD GROUP SQL INJECTION
---------------- in authgroup.php ----------------
if (isset($_POST['action'])) {
$action = $_POST['action'];
[..CUT..]
$teamname = $_POST['teamname'];
$teamlead = $_POST['teamlead'];
$status = $_POST['status'];
} elseif (isset($_GET['act'])) {
$act = $_GET['act'];
[..CUT..]
if ($action == "Aggiungi") {
$situation = $group->add_team($teamname, $teamlead, $status); // VULNERABLE, SEE BELOW
--------------------------------------------------
13) add_team() SQL INJECTION
------------------ in auth.php -------------------
function add_team($teamname, $teamlead, $status="active") {
$qGroupExists = "SELECT * FROM authteam WHERE teamname='$teamname'";
$qInsertGroup = "INSERT INTO authteam(teamname, teamlead, status) VALUES ('$teamname', '$teamlead', '$status')";
[..CUT..]
// Check if all fields are filled up
if (trim($teamname) == "") return "blank team name";
$group_exists = mysql_query($qGroupExists);
--------------------------------------------------
14) authgroup.php DELETE GROUP SQL INJECTION
---------------- in authgroup.php ----------------
if (isset($_POST['action'])) {
$action = $_POST['action'];
[..CUT..]
$teamname = $_POST['teamname'];
$teamlead = $_POST['teamlead'];
$status = $_POST['status'];
} elseif (isset($_GET['act'])) {
$act = $_GET['act'];
[..CUT..]
if ($action=="Cancella") {
$delete = $group->delete_team($teamname); // VULNERABLE, SEE BELOW
--------------------------------------------------
15) delete_team() SQL INJECTION
------------------ in auth.php -------------------
function delete_team($teamname) {
$qDelete = "DELETE FROM authteam WHERE teamname='$teamname'";
$qUpdateUser = "UPDATE authuser SET team='Ungrouped' WHERE team='$teamname'";
[..CUT..]
$result = mysql_query($qUpdateUser);
[..CUT..]
$result = mysql_query($qDelete);
--------------------------------------------------
16) authgroup.php MODIFY TEAM SQL INJECTION
---------------- in authgroup.php ----------------
if (isset($_POST['action'])) {
$action = $_POST['action'];
[..CUT..]
$teamname = $_POST['teamname'];
$teamlead = $_POST['teamlead'];
$status = $_POST['status'];
} elseif (isset($_GET['act'])) {
$act = $_GET['act'];
[..CUT..]
if ($action == "Modifica") {
$update = $group->modify_team($teamname, $teamlead, $status); // VULNERABLE, SEE BELOW
--------------------------------------------------
17) modify_team() SQL INJECTION
------------------ in auth.php -------------------
function modify_team($teamname, $teamlead, $status) {
$qUpdate = "UPDATE authteam SET teamlead='$teamlead', status='$status' WHERE teamname='$teamname'";
$qUserStatus = "UPDATE authuser SET status='$status' WHERE team='$teamname'";
[..CUT..]
$userresult = mysql_query($qUserStatus);
[..CUT..]
$result = mysql_query($qUpdate);
--------------------------------------------------
18) traffic.php MULTIPLE SQL INJECTION
Note that there are two identical traffic.php files, one in the
root and the other in admin/.
first sql injection ($_GET['date'])
----------------- in traffic.php -----------------
$act = $_GET['act'];
$idToProcess = $_GET['id'];
if ($act=='trafficDetails') {
$date = $_GET['date'];
[..CUT..]
$trafficQuery = "SELECT * FROM userData u where loginStartDate='".$date."' order by loginStartDate,loginStartTime ";
$result = mysql_query($trafficQuery);
--------------------------------------------------
second sql injection ($_GET['date'])
----------------- in traffic.php -----------------
$trafficByUser = "SELECT * FROM traffic where time <= '".$upper."' and time >= '".$lower."' and date='''.$date.'''";
$result = mysql_query($trafficByUser);
--------------------------------------------------
third sql injection ($_GET['id'])
----------------- in traffic.php -----------------
else if ($act=='groupDate'){
[..CUT..]
$trafficQuery = 'SELECT *,count(loginStartDate) FROM userData u where userId='.$idToProcess.' group by loginStartDate order by loginStartDate,loginStartTime';
$result = mysql_query($trafficQuery);
--------------------------------------------------
/milkeyway/admin/traffic.php?id=1&act=groupDate
^
19) userstatistics.php ADD USER SQL INJECTION
-------------- in userstatistics.php -------------
if (isset($_POST['action'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$team = $_POST['team'];
$level = $_POST['level'];
$status = $_POST['status'];
$action = $_POST['action'];
$ipAddress = $_POST['ipAddress'];
$ipAddress = $_POST['macAddress'];
} elseif (isset($_GET['act'])) {
$act = $_GET['act'];
[..CUT..]
if ($action == "Add") {
$situation = $user->add_user($username, $password, $team, $level, $status); // VULNERABLE, SEE POINT 2
--------------------------------------------------
20) userstatistics.php DELETE USER SQL INJECTION
-------------- in userstatistics.php -------------
if ($action=="Delete") {
$delete = $user->delete_user($username); // VULNERABLE, SEE POINT 5
--------------------------------------------------
21) userstatistics.php MODIFY USER SQL INJECTION
-------------- in userstatistics.php -------------
if ($action == "Modify") {
$update = $user->modify_user($username, $password, $team, $level, $status); // VULNERABLE, SEE POINT 6
--------------------------------------------------
22) userstatistics.php EDIT USER SQL INJECTION
-------------- in userstatistics.php -------------
if ($act == "Edit") {
$username = $_GET['username'];
$listusers = mysql_query("SELECT * FROM authuser u LEFT OUTER JOIN userData d on u.id=d.userid where u.uname='$username'");
--------------------------------------------------
23) userstatistics.php MULTIPLE XSS
For example, the variable $username is read again from GET and then printed as-is:
-------------- in userstatistics.php -------------
if ($act == "statistics") {
$username = $_GET['username'];
[..CUT..]
echo $username ?>
--------------------------------------------------
24) userstatistics.php $_GET['username'] SQL INJECTION 1
-------------- in userstatistics.php -------------
if ($act == "statistics") {
$username = $_GET['username'];
[..CUT..]
$result = mysql_query("SELECT id FROM authuser where uname = '$username'");
--------------------------------------------------
25) userstatistics.php $_GET['username'] SQL INJECTION 2
-------------- in userstatistics.php -------------
$result= mysql_query ("select id from authuser where uname = '$username'");
--------------------------------------------------
26) chgpwd.php SQL INJECTION 1
-------------------- chgpwd.php ------------------
if (isset($_POST['submit'])) {
$USERNAME = $_COOKIE['USERNAME'];
$PASSWORD = $_COOKIE['PASSWORD'];
$submit = $_POST['submit'];
$oldpasswd = $_POST['oldpasswd'];
$newpasswd = $_POST['newpasswd'];
$confirmpasswd = $_POST['confirmpasswd'];
[..CUT..]
$userdata = mysql_query("SELECT * FROM authuserWHERE uname='$USERNAME' and passwd='$PASSWORD'");
--------------------------------------------------
27) chgpwd.php SQL INJECTION 2
-------------------- chgpwd.php ------------------
// If everything is ok, use auth class to modify the record
$update = $user->modify_user($USERNAME, $newpasswd, $check["team"], $check["level"], $check["status"]); // VULNERABLE, SEE CHAPTER 6
--------------------------------------------------
28) logout.php SQL INJECTION
-------------------- chgpwd.php ------------------
$username=$_GET['username'];
[..CUT..]
$utils->updateTimeStamp($username,"loginEndDate","CURRENT_DATE()");
$utils->updateTimeStamp($username,"loginEndTime","CURRENT_TIME()");
--------------------------------------------------
29) CONCLUSION
I hope you have magic_quotes on.
Francesco 'ascii' Ongaro