[ic] SQL Injection?

Bob Puff bob at nleaudio.com
Fri Sep 19 15:58:50 UTC 2014


Hi guys,

Looks like I may have another issue.  Again, the reference:
CentOS 6, Perl 5.10.1 (non-threaded), IC 5.8.2.  Just ran a PCI scan from
controlscan.com, and they came back with a mess of SQL Injection vulns.  Here
are a couple:


THREAT REFERENCE

Summary:
Blind SQL injection vulnerability in mv_search_field parameter to
/cgi-bin/cart/search.html?id=PC9Bp9yf

Risk: High (3)
Port: 80/tcp
Protocol: tcp
Threat ID: web_prog_sql_blind

Details: When a web application uses user-supplied input parameters
within SQL queries without first checking them for unexpected
characters, it becomes possible for an attacker to
manipulate the query. This type of attack is known as a
SQL injection attack.
For example, suppose a web program passes the following
query to the database application:
SELECT * FROM USERS WHERE USERNAME='$user' AND PASSWORD='$pass'
where $user and $pass are variables supplied by the user through a web form.
So if the user were to enter the name "admin" and the password "abc", the
query would become:
SELECT * FROM USERS WHERE USERNAME='admin' AND PASSWORD='abc'
and the database would return any existing record where the username is
"admin" and the password is "abc", thus authenticating
the user if the password "abc" is correct. Now suppose an attacker were to
enter a malformed password such as the following:
' OR 'a'='a
Inserting the malformed password into the query exactly as
it appears above would cause the query to become:
SELECT * FROM USERS WHERE USERNAME='admin' AND PASSWORD='' OR 'a'='a'
The resulting query would return the records where the username
is "admin" and the password is null OR the string 'a' equals 'a', which is
always true.
Thus, by manipulating the SQL query, all records are returned from the table
without having known the correct password.
This is just one example of an attack which is possible
using SQL injection. Other forms of attacks could allow
the attacker to gain unauthorized read, write, or delete
access to the database, or to retrieve passwords.
There are also security bypass vulnerabilities which allow for the
bypass of anti-sql-injection filters in the software.

Information From Target:
Service: 80:TCP
MySQL-style database, SQL SET / WHERE
Response time:
0 seconds normal response
16 seconds executing injected delay
0 seconds executing injected non-delay
15 seconds executing injected delay again
Sent:
POST /cgi-bin/cart/search.html?id=PC9Bp9yf HTTP/1.0
Host: www.hostname.com
User-Agent: Mozilla/5.0
Content-length: 160
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Cookie: MV_SESSION_ID=PC9Bp9yf:207.198.99.27

mv_session_id=PC9Bp9yf&mv_searchtype=db&mv_matchlimit=10&mv_sort_field=category&mv_search_field=x'%20xor%20sleep(15)%20/*&mv_substring_match=1&mv_searchspec=123
Received: HTTP/1.1 200 OK

--------------------------------------------------------------------
Information From Target:
Service: 443:TCP
MS-SQL-style database, SQL SET / WHERE
Response time:
1 seconds normal response
16 seconds executing injected delay
0 seconds executing injected non-delay
15 seconds executing injected delay again
Sent:
POST /cgi-bin/cart/process.html HTTP/1.0
Host: 127.0.0.1
User-Agent: Mozilla/5.0
Content-length: 518
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Cookie: MV_SESSION_ID=PC9Bp9yf:207.198.99.27

mv_session_id=ongV2b9t&mv_doit=refresh&mv_orderpage=ord%2Fbasket&mv_nextpage=index&quantity0=0&quantity0=1&quantity1=0&quantity1=1&quantity2=0&quantity2=1&quantity3=0&quantity3=1&quantity4=0&quantity4=1&quantity5=0&quantity5=1&quantity6=0&quantity6=1&%5C%27mv_click_map%5C%27=%5C%27Check_Out%5C%27&%5C%27mv_click_Check_Out%5C%27=%5C%27%5C%27&mv_click=Check+Out&zip=123&%5C%27mv_click_map%5C%27=%5C%27Check_Shipping%5C%27&%5C%27mv_click_Check_Shipping%5C%27=%5C%27%5C%27&mv_click=x")%20waitf

---------------------------------------------------------------------
Information From Target:
Service: 443:TCP
MS-SQL-style database, SQL SET / WHERE
Response time:
1 seconds normal response
15 seconds executing injected delay
0 seconds executing injected non-delay
15 seconds executing injected delay again
Sent:
POST /cgi-bin/cart/ord/next_step.html?id=ongV2b9t HTTP/1.0
Host: 127.0.0.1
User-Agent: Mozilla/5.0
Content-length: 341
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Cookie: MV_SESSION_ID=PC9Bp9yf:207.198.99.27

mv_action=return&mv_nextpage=ord%2Fbilling&mv_failpage=x')%20waitfor%20delay%20'00:00:15'%20/*&mv_form_profile=Check_shipping&fname=123&lname=123&company=123&address1=123&address2=123&city=123&state=123&zip=123&country=123&phone_ship=123&phone_day=123&phone_night=123&email=123&mv_same_billing=1&email_copy=1&promo_code=123&country_reset=123
Received: HTTP/1.1 200 OK
-----------------------------------------------------------------------

Is there something I have forgotten?

Bob
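The scanner's explanation above boils down to two things: the classic authentication bypass it walks through (' OR 'a'='a), and the time-based confirmation it used against this cart (a baseline request, a probe that asks the database to sleep, a control probe that does not, and the sleep probe again). The following is an added, self-contained illustration written for this page; it is not code from the original post, from Interchange, or from the scanner. It uses Python's bundled sqlite3 with a constructed two-row users table in place of the USERS table in the report, and it only reproduces the login-bypass payload (SQLite has no sleep() or WAITFOR, so the delay payloads are not run; the decision logic they feed is shown instead).

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the USERS table in the scanner's example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, user, passwd):
    """Builds the query by string interpolation, exactly as the report describes.

    With passwd = "' OR 'a'='a" the text becomes
      ... WHERE username='admin' AND password='' OR 'a'='a'
    and, because AND binds tighter than OR, every row matches.
    """
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (user, passwd))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, user, passwd):
    """Same query with bound parameters: the input is data, never SQL text."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (user, passwd))]


def is_time_blind(normal, delay1, nondelay, delay2, expected=15, slack=3):
    """Decision rule behind the scanner's four 'Response time' lines.

    normal   - seconds for an unmodified request (baseline)
    delay1   - seconds with the sleep/WAITFOR payload (expected ~15 s)
    nondelay - seconds with an equivalent payload that does not sleep (control)
    delay2   - seconds with the sleep payload sent again (repeatability)

    The control probe is what separates an injected delay from a server that
    is merely slow: both sleep probes must cost about `expected` seconds more
    than baseline while the control stays within `slack` seconds of it.
    The thresholds are this example's assumptions, not the scanner's.
    """
    def slow(t):
        return t - normal >= expected - 1

    def fast(t):
        return t - normal <= slack

    return slow(delay1) and fast(nondelay) and slow(delay2)


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 'a'='a"
    print("vulnerable:", login_vulnerable(conn, "admin", payload))
    print("safe:      ", login_safe(conn, "admin", payload))
    # The timings reported for the search.html finding in the post.
    print("time-blind:", is_time_blind(0, 16, 0, 15))
```

The timing rule is deliberately strict about the control request: if `nondelay` is also slow, the right conclusion is "the site is overloaded", not "injection confirmed", which is also why the scanner repeats the sleep probe rather than trusting a single 16-second response.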


