Idiots in my internets.

Published on June 10, 2008

Idiots in my internets.

    "Zwei Dinge sind unendlich: Das Universum und die menschliche Dummheit. Aber beim Universum bin ich mir nicht ganz sicher. ”* - Albert Einstein


    It was evening, and doing as usual was a lot of things, but laziness.
    By a random link I came to one site, the address of which I do not cite for obvious ethical reasons. Flash craft; its essence is as follows: we poke in an empty place, and we are offered to upload our picture to this very place and assign a nickname to it. My imagination was not enough to imagine how much joy a simple Soviet flasher can deliver to a person .

    I wanted to see how protection, if done at all, was made from automatic input of information; maybe write a trivial bot and take a couple of dozen places with your pictures.
    I uploaded a picture, wrote a nickname ...

    However, what I saw in Fiddler turned out to be much more entertaining than any bot.

    So what do we see? Ordinary HTTP Post request, some kind of binary garbage in the content and - believe your eyes? - what is it? - SQL query ?!

    Yes, citizens, we have seen a lot. We saw buffer overflows in C. We saw SQL injections in bad PHP code. You won’t surprise us all with this. But Albert Germanovich was damn right, and we, the average and ordinary people, couldn’t keep up with the thought of individual individuals: would it have crossed your mind to form an SQL query on a client and send it to the server for execution? Poor, poor, our imagination.

    About the fact that there is no sanitation of input, I will not even mention it, I think this is already obvious. So, having driven in the text box with quotation mark, we get one more reason for quiet fun: the server directly and openly, as befits a decent program, gives an MySQL error.


    Yes, indeed, the syntax was not all right.

    In fairness, I must say that simply replacing SQL in the body of the Post-request will not work - the checksum will not converge somewhere in the binary part. Not much useful information will come out of the injection through the text input field: there is a limit on the length of the input text, and the server part is prudently refused to accept several commands separated by semicolons.

    This elementary precaution, of course, does not affect the main problem - the execution of the SQL query generated on the client side. With a certain desire to replace the request itself, it is quite possible, which was done by easily modifying the flash part. I will again keep silent about the details for ethical reasons. And if we also knew Flash ...

    As a proof of concept, we change the nickname of the user we just registered by executing the SQL query
    update `peoples` set name = ' new nickname ' where name = ' old nickname '

    I think it’s not necessary to say that someone else’s intentions may not be so peaceful at all.

    Of course, the site administration has been notified of the vulnerability. At least I did everything possible, since there are no addresses of either the webmaster or the administrator on the site.

    Moral: Use the brain, people. You are welcome.

    PS In the process of writing this article, a lot of people almost suffered because the Habr didn’t want to upload pictures when editing the saved version, stubbornly falling out on Javascript’s error “uncaught exception: Permission denied to get property HTMLDocument.getElementById”
    This error occurs when trying to call sts_put_opener () from the child iframe. This is due to the fact that the parent iframe is on the subdomain (paul7.habrahabr.ru), and the child is mainly, so the POST request was successful, but I did not get any results. I had to get links using the same faithful Fiddler. Outrage, frankly.

    PPS Dear CTO! If you read this topic, please do not transfer me to testers! This is temporarily so lucky for me ... I hope.

    *“There are only two endless things: the universe and human stupidity. True, I'm not sure about the universe. "