[OpenSource] 2019 ModTools for Plus

Ecko

23:37 [autobots] -!- eckostylez [[email protected]]
Nov 25, 2012
1,398
962
100% it's sqli able just by sending a get request to query.php
That's not injection.
If URL rewrite or any rules are configured, then yes he stops access to it directly.
You can use GET anywhere even not directly accessed. I see you haven’t passed COMP Sci 101 yet
You can force GET and POST requests regardless of rewrite rules. It doesn't need to be in the URI if it's in the headers.
 

M8than

yes
Mar 16, 2012
463
102
That's not injection.

You can force GET and POST requests regardless of rewrite rules. It doesn't need to be in the URI if it's in the headers.
You can put raw sql in get parameters and the code is "injecting" the raw get parameter into the sql query. How is that not sqli?
 

Ecko

23:37 [autobots] -!- eckostylez [[email protected]]
Nov 25, 2012
1,398
962
You can put raw sql in get parameters and the code is "injecting" the raw get parameter into the sql query. How is that not sqli?
That's only true at a very basic level, but doesn't indicate actual injection. Just cause I can do query.php?what=deletegroup&id=1 and it executes doesn't make it an injection. Unless you're able to cause manipulation where your own specific queries get executed (ie - having query.php do an UPDATE query), but doesn't seem like that will happen here.

Also, we do not know the stack that is running here or what all is installed that could prevent malicious requests (ModSecurity, suhosin/snuffleupagus, etc). If I had the db structure, I'd set this up on one of my servers and let you attempt to exploit it.
 

M8than

yes
Mar 16, 2012
463
102
That's only true at a very basic level, but doesn't indicate actual injection. Just cause I can do query.php?what=deletegroup&id=1 and it executes doesn't make it an injection. Unless you're able to cause manipulation where your own specific queries get executed (ie - having query.php do an UPDATE query), but doesn't seem like that will happen here.

Also, we do not know the stack that is running here or what all is installed that could prevent malicious requests (ModSecurity, suhosin/snuffleupagus, etc). If I had the db structure, I'd set this up on one of my servers and let you attempt to exploit it.
Well seeing as he's releasing it on github I'd say a default stack of no 3rd party security tools is probably going to be the average setup of anyone using it.
It's injectable for sure, the level of injection idk im not a hacker but its probably at least possible to do a union and return a load of data.

Edit: just tried it, send a request to query.php?what=deletegroup&id=1;DROP TABLE whatever; and it deletes the whatever table
 
Last edited:

Ecko

23:37 [autobots] -!- eckostylez [[email protected]]
Nov 25, 2012
1,398
962
Well seeing as he's releasing it on github I'd say a default stack of no 3rd party security tools is probably going to be the average setup of anyone using it.
It's injectable for sure, the level of injection idk im not a hacker but its probably at least possible to do a union and return a load of data.
What's a default stack? Assuming something to be true doesn't hold much weight.

It's injectable for sure, but then you're not sure what level of injection. It'd be like me putting wings on my car and saying "This is now a plane for sure, I just don't know how long or how high it can fly". Surely you can see how silly it sounds to say something with pure confidence and then follow up with uncertainty.
 

M8than

yes
Mar 16, 2012
463
102
What's a default stack? Assuming something to be true doesn't hold much weight.

It's injectable for sure, but then you're not sure what level of injection. It'd be like me putting wings on my car and saying "This is now a plane for sure, I just don't know how long or how high it can fly". Surely you can see how silly it sounds to say something with pure confidence and then follow up with uncertainty.
I edited. You can run any query
 

M8than

yes
Mar 16, 2012
463
102
Got proof besides just stating it? Show the general query log. Someone give me the db structure or a sample db

You don't need the database structure. Just use the PHP file on a dummy database and you'll see you can run a query.
 
Last edited:

Ecko

23:37 [autobots] -!- eckostylez [[email protected]]
Nov 25, 2012
1,398
962
You don't need the database structure. Just use the PHP file on a dummy database and you'll see you can run a query.
This is with a default Apache stack (no ModSecurity and using PHP 5.6):
Code:
$ curl -IL "http://thedomain.tld/modtools/query.php?what=deletegroup&id=1;DROP%20TABLE%20smf_calender;"
HTTP/1.1 302 Moved Temporarily
Date: Wed, 28 Aug 2019 13:21:10 GMT
Server: Apache
Location: guilds.php?id=1;DROP TABLE smf_calender;&back=deleted
Content-Type: text/html; charset=UTF-8

HTTP/1.1 302 Moved Temporarily
Date: Wed, 28 Aug 2019 13:21:10 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=b4ookfhpo7toq5703hrqtap361; path=/
Location: https://thedomain.tld/modtools/guilds?id=1;DROP+TABLE+smf_calender;&back=deleted
Content-Type: text/html; charset=UTF-8


$ mysql -e "DESCRIBE rscdump_smf371.smf_calendar;"
+------------+-----------------------+------+-----+------------+----------------+
| Field      | Type                  | Null | Key | Default    | Extra          |
+------------+-----------------------+------+-----+------------+----------------+
| id_event   | smallint(5) unsigned  | NO   | PRI | NULL       | auto_increment |
| start_date | date                  | NO   | MUL | 0001-01-01 |                |
| end_date   | date                  | NO   | MUL | 0001-01-01 |                |
| id_board   | smallint(5) unsigned  | NO   |     | 0          |                |
| id_topic   | mediumint(8) unsigned | NO   | MUL | 0          |                |
| title      | varchar(255)          | NO   |     |            |                |
| id_member  | mediumint(8) unsigned | NO   |     | 0          |                |

I adjusted query.php to so deletegroup deletes from smf_boards instead, with board_id instead of just id. board_id of 1 has been deleted, smf_calendar still exists. So yes, show me the general query log.
 

ItsMeRomian

Member
Oct 3, 2015
190
22
Thanks for all your feedback. I will add a check to query.php to check if the user is logged in (this is the only page where that doesnt happen) and I will real_escape all user inputs.
 

M8than

yes
Mar 16, 2012
463
102
Thanks for all your feedback. I will add a check to query.php to check if the user is logged in (this is the only page where that doesnt happen) and I will real_escape all user inputs.
Learn to use prepared statements instead. They are easy and much better
 

Users who are viewing this thread

Top