From: Shivakumar ST, World Informatix Cyber Security
My First Exploitation – Open Audit(GPL version) SQL injection vulnerability
To learn swimming,you have to get in to water.
Searching Searching…Searching! for the bug finding in software/Hardware and most worried on the confidence.
Finally just took some inputs from my colleague,how to start and where to post and what is procedure for the approval of the bug identification and approved by the Packetstroms and exploit-db.
Finally i too started the source code analysing and started searching on the google for the code and flow chart of the program execution.
I got to know,for most of the software there will be source code available on the gitub.
Finally found a software source code of Open audit(GPL version), open-AudIT is an application tell us exactly what is on your network, how it is configured and when it changes. Open-AudIT will run on Windows and Linux systems and it is developed using PHP.
After finding the Source code link on gitub,there were many files which were containing the threads. After analysising the many threads i found below file with SQL injection.
https://github.com/jonabbey/open-audit/blob/master/delete_missed_audit.php
delete_missed_audit.php was accessible without authentication and GET Method parameter pc is not getting filter before passing to SQL query.
Vulnerable code :
if (isset($_GET[‘pc’])) {
$link = mysql_connect($mysql_server, $mysql_user, $mysql_password) or die(“Could not connect”);
mysql_select_db(“$mysql_database”) or die(“Could not select database”);
$query = “select system_name from system where system_uuid=’” . $_GET[‘pc’] . “‘”;
$result = mysql_query($query) or die(“Query failed at retrieve system name stage.”);
$myrow = mysql_fetch_array($result);
$name = $myrow[‘system_name’];
Still i was not confidence on the bug i suspected and explained & discussed with trick i applied with my friend.In the above mentioned source code,just i was concentrated on the GET method variable ‘pc’
Yes there was a bug.
Suddenly started doing a document of POC and sent a mail to Packetstorm and this small bug reported and published on the Packetstrom.