[eluser]Keat Liang[/eluser]
if i using pagination lib and my application is accept
and using active record,
controller
Code:
class Exploit extends SOME_dry_STUFF{
function __construct()
{
//blah blah blah..... load necessary lib
$this->load->model('news_letter_model');
}
function index($offset = 0)
{
$data = array();
//Configuration for pagination
$limit = 10;
//get all result
$data['query'] = $this->news_letter_model->get_unique_visitor(
$this->current_site,
$search,
$limit,
$offset
);
$total_num_result = $this->news_letter_model->count_unique_visitor($this->current_site, $search);
$config = array(
'base_url' => site_url('news_letter/visitor/index'),
'total_rows' => $total_num_result,
'per_page' => $limit,
'uri_segment' => 4, //std in current structure
'num_links' => 5
);
$this->load->library('pagination');
$this->pagination->initialize($config);
$data['page_links'] = $this->pagination->create_links();
$this->load->view('visitor/index_view', $data);
}
}
model
Code:
class News_letter_model extends CI_Model{
/**
* Get List of Unique Visitor/ Count Total Unique Visitor [by search]
* @param int $domain_id
* @return mixed
*/
function get_unique_visitor($domain_id = NULL, $search = "",
$limit = NULL, $offset = NULL, $count = FALSE)
{
if($count === FALSE)
$this->db->select('user_id, domain_id, users.username, users.name');
else
$this->db->select("COUNT(user_id) total");
if($search != "")
{
$like_str = $this->db->escape_like_str($search);
$this->db->where("(user_id LIKE '%$like_str%' OR
username LIKE '%$like_str%' OR
name LIKE '%$like_str%')");
}
$this->db->from('domain_unique_visitor')
->join('users', 'domain_unique_visitor.user_id = users.id', 'INNER')
->where(array(
'domain_id' => $domain_id
))
->limit($limit, $offset); // <!!!!!------ EXPLOIT this function does not excape or check for data type....
$query = $this->db->get();
if($query && $query->num_rows() > 0)
{
return $query;
}
return FALSE;
}
/**
* Count Unique Visitor Wrapper Function
*
* @param int $domain_id
* @param string $search
* @return int
*/
function count_unique_visitor($domain_id = NULL, $search = "")
{
$query = $this->get_unique_visitor($domain_id, $search, NULL, NULL, TRUE);
return $query === FALSE ? 0 : $query->row()->total;
}
}
request made
BTW the single quote is purposely put there to make SQL error
Code:
index.php/news_letter/visitor/ban/7'
error message will appear. i know i should turn off db debug, but sometime shit happen
IM using HMVC BTW
Code:
A Database Error Occurred
Error Number: 1064
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '', 10' at line 5
SELECT `owner_opt_out`.`user_id`, `users`.`username`, `users`.`name` FROM (`owner_opt_out`) INNER JOIN `users` ON `owner_opt_out`.`user_id` = `users`.`id` WHERE `domain_id` = 9 LIMIT 7', 10
Filename: /modules/news_letter/models/news_letter_model.php
Line Number: 234
some SQL injection tool try to do some evil thing,,,,
potential SQL injection
Code:
Analyzing http://localhost/index.php/news_letter/visitor/ban/1
Host IP: ~~~~~~
Web Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_perl/2.0.4 Perl/v5.8.8
Powered-by: PHP/5.3.3
Keyword Found: Visitor
I guess injection type is Integer?! If injection failed, retry with a manual keyword.
DB Server: MySQL
Findig columns count for MySQL failed!
Bypassing illegal union failed! Turning off this feature
MySQL time based injection method can't be used
Target Vulnerable :D
because of the url allow single quote which default does not.
but it allow it anyway.........
test under mac osx 10.6.7