Welcome Guest, Not a member yet? Register   Sign In
permitted_uri_chars in application/config.php not working [serious vulnerability]

[eluser]Keat Liang[/eluser]
if i using pagination lib and my application is accept
and using active record,

class Exploit extends SOME_dry_STUFF{

function __construct()
    //blah blah blah..... load necessary lib

function index($offset = 0)
    $data = array();
    //Configuration for pagination
    $limit = 10;

    //get all result
    $data['query'] = $this->news_letter_model->get_unique_visitor(

    $total_num_result = $this->news_letter_model->count_unique_visitor($this->current_site, $search);

    $config = array(
        'base_url' => site_url('news_letter/visitor/index'),
        'total_rows' => $total_num_result,
        'per_page' => $limit,
        'uri_segment' => 4, //std in current structure
        'num_links' => 5


    $data['page_links'] = $this->pagination->create_links();
    $this->load->view('visitor/index_view', $data);

class News_letter_model extends CI_Model{

     * Get List of Unique Visitor/ Count Total Unique Visitor [by search]
     * @param int $domain_id
     * @return mixed
    function get_unique_visitor($domain_id = NULL, $search = "",
        $limit = NULL, $offset = NULL, $count = FALSE)
        if($count === FALSE)
            $this->db->select('user_id, domain_id, users.username, users.name');
            $this->db->select("COUNT(user_id) total");
        if($search != "")
            $like_str = $this->db->escape_like_str($search);
            $this->db->where("(user_id  LIKE '%$like_str%' OR
                 username LIKE '%$like_str%' OR
                 name     LIKE '%$like_str%')");
                 ->join('users', 'domain_unique_visitor.user_id = users.id', 'INNER')
                     'domain_id' => $domain_id
                 ->limit($limit, $offset); // <!!!!!------ EXPLOIT this function does not excape or check for data type....

        $query = $this->db->get();
        if($query && $query->num_rows() > 0)
            return $query;
        return FALSE;
     * Count Unique Visitor Wrapper Function
     * @param int $domain_id
     * @param string $search
     * @return int
    function count_unique_visitor($domain_id = NULL, $search = "")
        $query = $this->get_unique_visitor($domain_id, $search, NULL, NULL, TRUE);
        return $query === FALSE ? 0 : $query->row()->total;

request made
BTW the single quote is purposely put there to make SQL error

error message will appear. i know i should turn off db debug, but sometime shit happen Big Grin
A Database Error Occurred

Error Number: 1064

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '', 10' at line 5

SELECT `owner_opt_out`.`user_id`, `users`.`username`, `users`.`name` FROM (`owner_opt_out`) INNER JOIN `users` ON `owner_opt_out`.`user_id` = `users`.`id` WHERE `domain_id` = 9 LIMIT 7', 10

Filename: /modules/news_letter/models/news_letter_model.php

Line Number: 234

some SQL injection tool try to do some evil thing,,,,
potential SQL injection Sad
Analyzing http://localhost/index.php/news_letter/visitor/ban/1
Host IP: ~~~~~~
Web Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/ mod_perl/2.0.4 Perl/v5.8.8
Powered-by: PHP/5.3.3
Keyword Found: Visitor
I guess injection type is Integer?! If injection failed, retry with a manual keyword.
DB Server: MySQL
Findig columns count for MySQL failed!
Bypassing illegal union failed! Turning off this feature
MySQL time based injection method can't be used
Target Vulnerable :D

because of the url allow single quote which default does not.
but it allow it anyway.........

test under mac osx 10.6.7

Messages In This Thread
permitted_uri_chars in application/config.php not working [serious vulnerability] - by El Forum - 06-16-2011, 10:06 AM

Theme © iAndrew 2016 - Forum software by © MyBB