Sql Injections and Securing Clipshare Vulnerabilities

Tags: Clipshare, PHPNuke, SQL Injection, SQL Injection Vulnerability


Just last week I was informed that two Clipshare (Youtube clone) sites were hacked.  The culprit was a SQL injection vulnerability in the code.  This article will explain a creative way of securing your site without really fixing the underlying code.

What is a SQL Injection and how do you fix it?

It means that the code was executing code that looked like this:

ExecuteSQL("Select salary from employees where ID = $_GET['id']");

Where $_GET['id'] means the querystring parameter ID which is passed in as follows:

http://www.yoursite.com/index.php?id=5

However, because we are not "sanitizing" the data before sending it to the sql server, someone can load the URL:

http://www.yoursite.com/index.php?id=5 OR 1=1 (or http encoded as http://www.yoursite.com/index.php?id=5%20OR%201=1
What that means is the SQL statement that will be executed is

ExecuteSQL("Select salary from employees where ID = 5 OR 1=1");

When you say that to the database, return salaries for employees if 1=1 (which is always), thus it will return all records for all employees

Even worse can be done, such as when you are checking a login and password, we had a live site that executed the following SQL and checked if the user and password was correct if a record was returned:

string sql = 'select * from users where login = ' + login + ' and password = ' + password;

(C#)

you could put the login as "admin –" and anything for the password, and the password part was commented out and it would load the following:

select * from users where login = admin – and password = asidasdsad

the – indicates that the rest is a comment and should be ignored by the SQL server, thus it will only execute:

select * from users where login = admin

Now the ClipShare software is full of these vulnerabilities.  To fix them (in PHP), you have to call mysql_real_escape_string() on your querystring and form post variables.

So if we have

ExecuteSQL("Select salary from employees where ID = $_GET['id']");

you can change this to:

ExecuteSQL("Select salary from employees where ID = ‘ + mysql_real_escape_string($_GET['id']));

If you want to fix it, you can try to see if there is an upgrade that resolves these problems.  If you have heavily modified the script, or you cannot upgrade, this might not be an option. 
You can try to fix it yourself, but I looked like every single page was vulnerable. 

How to fix your Clipshare software the easy way!

There is another solution that is stronger.  This is not the 100% foolproof solution, but it is an easy way to fix it without having to fix your entire bad codeset.  What you can do is change the actual database table name from ‘adminusers’ which everyone knows, to something like ‘purpleadmins’. It doesn’t fix the underlying problem (the door is still wide open), but the wallet is hidden somewhere else in the house and nobody can find it, even if they can get in.

Here is how you can do it.
It’s been about a year and this method has worked extremely well and my vulnerable PHP Nuke installation (version 7.1) has not been hacked again yet!
This also worked on two clipshare installations.

First you have to execute some SQL code to change the table name.

1) Rename your column (MySQL code)

ALTER TABLE oldAdminTableName RENAME newAdminTableName;

2)  Then you have to execute a search and replace on the actual PHP code. 
This will only work if you have the full source code (Some applications such as whois.cart are encoded and you cannot see the source code).  To replace in files you can run the following Linux command:

perl -e "s/SEARCH/REPLACE/g;" -pi.save $(find ./*.php -type f)


3) To verify that it actually worked, search for files (linux again)

find . -name "*.c" -exec grep -i "find me" {} /dev/null \;

References:

Other Interesting Posts

• PHP VS. ASP.NET
• Creating SqlParameters Best Practices
• Are You a Sharp Developer?? (Part 1)