sbauer at gjl-network
Mar 2, 2007, 1:23 AM
Post #1 of 6
(518 views)
Permalink
|
|
Knorr.de SQL Injection and XSS Vulnerabilities
|
|
Author: Sebastian Bauer
Web: http://blog.gjl-network.net
Date: 01/12/07
Vuln. website: http://www.knorr.de
Vulnerability: SQL Injection (mainly login authentication bypass + any
other SQL inj.
possibility), XSS
Significance: Very Critical
---------------------------------------------------------
Detailed description:
The site knorr.de is using a MS SQL database server and IIS as web server. The
programming language used is ASP (Active Server Pages).
There is a vulnerability using the login field of the site. Since user
input will not be
escpaed, it is vulnerable against SQL injection attacks.
The SQL string to authenticate the user can be escaped using single
quotes. Since the
database server is MS SQL it is possible to easily create a valid SQL
query and ignore
the rest of the SQL query by adding ;-- which ends the current query
and defines the rest
as comment.
There are several ways to bypass the authentication:
1.) Provide a SQL query that will be always true.
In this case the system selects the first possible user (which seems
to be admin but
without any special privilegues, as there is no real CMS behind this).
An attack like this would be:
Username: -1' or 'x'='x
Password: -1' or 'x'='x
This will log you in as the user "holgi" which seems to be the first
user within the user
table. The -1' will be required to be sure, that the result of this
query (WHERE username
= '-1') will be false! The first quote is used to escape from the
condition given to the
SQL database. The next condition 'x'='x will make sure, that the
condition fits on any
record. We don't provide a closing quote and use the already existing
one in the original
statement to keep a valid SQL syntax.
2.) Provide a SQL query that will provide a special username as result.
Example:
Username: -1' or username = 'anyUserName';--
Password:
This will result that the query returns the record of the user
'anyUserName' if it
exists. To tell MS SQL that this is the complete statement we put the
; and a --
afterwards, to tell it, that the rest of the statement which is inside
the code will be
handled as comment and thus not to be interpreted. We have to deliver
at least one
character for the password field, because otherwise the website
suggests us to create a
new user and does not log us in.
3.) Provide a SQL query that will provide a username which fits a
special search
condition.
This is just a small modification of the 2nd query, which makes us
possible to guess
usernames.
Example:
Username: -1' or username LIKE '%anySearchCondition%';--
Password:
This will do a normal SQL LIKE condition. You can vary it as you want.
You'll get the
first possible result as your login.
4.) It is also possible to manually insert new data into the database, receive
information about the server and get access to a SQL shell. Those will
not be described
more closely in this document, as all neccessary information required
for this are not a
miracle for anyone knowing what he is doing.
Cross-Site Scripting (XSS) Vulnerabilities:
Knorr.de is using some kind of a content loader using URL parameter
which is vulnerable
against XSS attacks. This has not been tested in detail and thus will
not described in
deep in this document.
Also form data used for the Knorr forum will not be escaped what
causes the website to
offer complete freedom for using XSS inside the forum. But since this
is a moderated
forum this issue can be rated as a low security risk, though it could
be possible to
steal the session cookie of an administrator reading an infected entry
to confirm or deny
it and hijack the session afterwards.
---------------------------------------------------------
Resumee: This login authentication is highly significant as it is
possible to login as
every user we want. Knorr.de is not a website, holding strictly
confidential information,
but you will get access to personal user data.
There may also be a risk to the system itself as it is possible to
have nearly full
access to the database to delete records, tables or even get access to
a SQL shell.
All problems found have been discussed with Unilever, the mother
company of Knorr and
have been fixed before the release of this document.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
|
