[OpenSource] 2019 ModTools for Plus

Ecko

23:37 [autobots] -!- eckostylez [[email protected]]
Nov 25, 2012
1,396
960
100% it's sqli able just by sending a get request to query.php
That's not injection.
If URL rewrite or any rules are configured, then yes he stops access to it directly.
You can use GET anywhere even not directly accessed. I see you haven’t passed COMP Sci 101 yet
You can force GET and POST requests regardless of rewrite rules. It doesn't need to be in the URI if it's in the headers.
 

M8than

yes
Mar 16, 2012
463
102
That's not injection.

You can force GET and POST requests regardless of rewrite rules. It doesn't need to be in the URI if it's in the headers.
You can put raw sql in get parameters and the code is "injecting" the raw get parameter into the sql query. How is that not sqli?
 

Ecko

23:37 [autobots] -!- eckostylez [[email protected]]
Nov 25, 2012
1,396
960
You can put raw sql in get parameters and the code is "injecting" the raw get parameter into the sql query. How is that not sqli?
That's only true at a very basic level, but doesn't indicate actual injection. Just cause I can do query.php?what=deletegroup&id=1 and it executes doesn't make it an injection. Unless you're able to cause manipulation where your own specific queries get executed (ie - having query.php do an UPDATE query), but doesn't seem like that will happen here.

Also, we do not know the stack that is running here or what all is installed that could prevent malicious requests (ModSecurity, suhosin/snuffleupagus, etc). If I had the db structure, I'd set this up on one of my servers and let you attempt to exploit it.
 

M8than

yes
Mar 16, 2012
463
102
That's only true at a very basic level, but doesn't indicate actual injection. Just cause I can do query.php?what=deletegroup&id=1 and it executes doesn't make it an injection. Unless you're able to cause manipulation where your own specific queries get executed (ie - having query.php do an UPDATE query), but doesn't seem like that will happen here.

Also, we do not know the stack that is running here or what all is installed that could prevent malicious requests (ModSecurity, suhosin/snuffleupagus, etc). If I had the db structure, I'd set this up on one of my servers and let you attempt to exploit it.
Well seeing as he's releasing it on github I'd say a default stack of no 3rd party security tools is probably going to be the average setup of anyone using it.
It's injectable for sure, the level of injection I don't know, I'm not a hacker, but it's probably at least possible to do a union and return a load of data.

Edit: just tried it, send a request to query.php?what=deletegroup&id=1;DROP TABLE whatever; and it deletes the whatever table

Ecko

23:37 [autobots] -!- eckostylez [[email protected]]
Nov 25, 2012
1,396
960
Well seeing as he's releasing it on github I'd say a default stack of no 3rd party security tools is probably going to be the average setup of anyone using it.
It's injectable for sure, the level of injection I don't know, I'm not a hacker, but it's probably at least possible to do a union and return a load of data.
What's a default stack? Assuming something to be true doesn't hold much weight.

It's injectable for sure, but then you're not sure what level of injection. It'd be like me putting wings on my car and saying "This is now a plane for sure, I just don't know how long or how high it can fly". Surely you can see how silly it sounds to say something with pure confidence and then follow up with uncertainty.
 

M8than

yes
Mar 16, 2012
463
102
What's a default stack? Assuming something to be true doesn't hold much weight.

It's injectable for sure, but then you're not sure what level of injection. It'd be like me putting wings on my car and saying "This is now a plane for sure, I just don't know how long or how high it can fly". Surely you can see how silly it sounds to say something with pure confidence and then follow up with uncertainty.
I edited. You can run any query
 

M8than

yes
Mar 16, 2012
463
102
Got proof besides just stating it? Show the general query log. Someone give me the db structure or a sample db

You don't need the database structure. Just use the PHP file on a dummy database and you'll see you can run a query.

Ecko

23:37 [autobots] -!- eckostylez [[email protected]]
Nov 25, 2012
1,396
960
You don't need the database structure. Just use the PHP file on a dummy database and you'll see you can run a query.
This is with a default Apache stack (no ModSecurity and using PHP 5.6):
Code:
$ curl -IL "http://thedomain.tld/modtools/query.php?what=deletegroup&id=1;DROP%20TABLE%20smf_calender;"
HTTP/1.1 302 Moved Temporarily
Date: Wed, 28 Aug 2019 13:21:10 GMT
Server: Apache
Location: guilds.php?id=1;DROP TABLE smf_calender;&back=deleted
Content-Type: text/html; charset=UTF-8

HTTP/1.1 302 Moved Temporarily
Date: Wed, 28 Aug 2019 13:21:10 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=b4ookfhpo7toq5703hrqtap361; path=/
Location: https://thedomain.tld/modtools/guilds?id=1;DROP+TABLE+smf_calender;&back=deleted
Content-Type: text/html; charset=UTF-8


$ mysql -e "DESCRIBE rscdump_smf371.smf_calendar;"
+------------+-----------------------+------+-----+------------+----------------+
| Field      | Type                  | Null | Key | Default    | Extra          |
+------------+-----------------------+------+-----+------------+----------------+
| id_event   | smallint(5) unsigned  | NO   | PRI | NULL       | auto_increment |
| start_date | date                  | NO   | MUL | 0001-01-01 |                |
| end_date   | date                  | NO   | MUL | 0001-01-01 |                |
| id_board   | smallint(5) unsigned  | NO   |     | 0          |                |
| id_topic   | mediumint(8) unsigned | NO   | MUL | 0          |                |
| title      | varchar(255)          | NO   |     |            |                |
| id_member  | mediumint(8) unsigned | NO   |     | 0          |                |

I adjusted query.php so that deletegroup deletes from smf_boards instead, with board_id instead of just id. board_id 1 has been deleted, smf_calendar still exists. So yes, show me the general query log.

ItsMeRomian

Member
Oct 3, 2015
190
22
Thanks for all your feedback. I will add a check to query.php to check if the user is logged in (this is the only page where that doesn't happen) and I will real_escape all user inputs.

M8than

yes
Mar 16, 2012
463
102
Thanks for all your feedback. I will add a check to query.php to check if the user is logged in (this is the only page where that doesn't happen) and I will real_escape all user inputs.
Learn to use prepared statements instead. They are easy and much better.
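Added example, not ModTools' own code, putting side by side the three query.php variants this thread argues about: the concatenated query, the real_escape fix ItsMeRomian proposed, and the prepared statement plus login check M8than recommends, with a comment on why Ecko's stacked ";DROP TABLE" test did not run. The table name smf_membergroups, the column id_group, the mysqli connection $db and the $_SESSION['is_admin'] flag are assumptions.

```php
<?php
// Added example (not the project's code). Assumes a mysqli connection $db,
// a table smf_membergroups with column id_group, and a session flag
// $_SESSION['is_admin'] set by the login page (all assumptions).
session_start();

// 1. Vulnerable: the raw GET value becomes part of the SQL text, so the
//    caller decides what the WHERE clause says. mysqli::query() refuses
//    multi-statement input, which is why a trailing ";DROP TABLE ..." in
//    the thread's test produced an error instead of dropping the table; the
//    single statement that does run is still attacker-controlled.
function delete_group_vulnerable(mysqli $db): bool {
    $id = $_GET['id'];
    return (bool) $db->query("DELETE FROM smf_membergroups WHERE id_group = $id");
}

// 2. Escape-only: real_escape_string() only neutralises quote and escape
//    characters, so it protects a value that sits inside quotes. In an
//    unquoted numeric context like this one it changes nothing, because the
//    dangerous input contains no quotes to escape.
function delete_group_escaped(mysqli $db): bool {
    $id = $db->real_escape_string($_GET['id']);
    return (bool) $db->query("DELETE FROM smf_membergroups WHERE id_group = $id");
}

// 3. Prepared statement plus the missing authorisation check: the SQL text
//    is fixed at prepare() time and the value is sent separately as a typed
//    parameter, so nothing in $_GET['id'] can change the statement. Validating
//    the value as an integer rejects junk before it reaches the database.
function delete_group_safe(mysqli $db): bool {
    if (empty($_SESSION['is_admin'])) {   // query.php had no login check
        http_response_code(403);
        return false;
    }
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
    if ($id === false || $id === null) {  // "1;DROP TABLE x" is not an int
        http_response_code(400);
        return false;
    }
    $stmt = $db->prepare("DELETE FROM smf_membergroups WHERE id_group = ?");
    $stmt->bind_param('i', $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```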