Uiga Personal Portal 'index.php' SQL Injection Explained

Uiga Personal Portal 'index.php' SQL Injection Explained
What this paper is
This paper details a SQL injection vulnerability found in the 'index.php' file of the Uiga Personal Portal web application. The vulnerability allows an attacker to manipulate database queries by injecting malicious SQL code through the 'id' parameter. Specifically, the paper demonstrates how to use a UNION SELECT statement to extract administrator credentials from the 'admin' table.
Simple technical breakdown
The Uiga Personal Portal web application uses PHP to interact with a database. When a user requests a specific view (like 'photos') and provides an 'id', the application constructs a SQL query to fetch the relevant data. The vulnerability lies in how the 'id' parameter is handled. If the application doesn't properly sanitize or validate the input, an attacker can insert SQL commands within the 'id' value.
In this case, the attacker uses a UNION SELECT statement. This SQL technique allows an attacker to combine the results of an original query with the results of a second, attacker-controlled query. By carefully crafting the second query, the attacker can retrieve sensitive information, such as usernames and passwords, from other tables in the database.
The exploit targets a specific URL structure: http://www.site.com/uigaportal/index.php?view=photos&id=. The attacker appends their malicious SQL to the id parameter.
Complete code and payload walkthrough
The provided paper does not contain executable code or a full script. It presents a URL pattern and a specific SQL injection payload.
URL Pattern:http://www.site.com/uigaportal/index.php?view=photos&id=
http://www.site.com/uigaportal/index.php: This is the target script. It's the entry point for the web application's functionality.?view=photos: This is a GET parameter indicating the user wants to view photos. This likely influences the SQL query constructed by the application.&id=: This is another GET parameter, intended to specify the ID of the photo or related data to be displayed. This is the vulnerable parameter.
Exploitable Payload:http://server/uigaportal/index.php?view=photos&id=-9999+Union+Select+1,2,group_concat(admin_name,0x3a,admin_password),4,5+from+admin--
Let's break down the injected part:
-9999: This is the initial value for theidparameter. It's likely chosen to be a non-existent ID, ensuring the original query returns no results. This is a common technique to make theUNION SELECTmore effective, as it ensures the attacker's injected query's results will be displayed without being mixed with legitimate data from the original query.+: This represents a space character in a URL-encoded string.Union+Select: This is the core of the injection.UNIONallows combining result sets of two or moreSELECTstatements.SELECTis the standard SQL command to retrieve data.1,2,group_concat(admin_name,0x3a,admin_password),4,5: This is the list of columns the attacker wants to retrieve.1,2,4,5: These are literal values. They are used to match the number of columns expected by the original query. The original query (which is not fully known but implied by the injection) likely selects a certain number of columns. TheUNION SELECTstatement must have the same number of columns as the original query. These literal values are placeholders to satisfy the column count requirement.group_concat(admin_name,0x3a,admin_password): This is the critical part for data exfiltration.group_concat(): This is a MySQL function that concatenates non-NULL values from a group into a single string. It's useful for retrieving multiple rows of data into a single output cell, especially when the number of columns in theUNION SELECTis limited.admin_name: This is a column name from theadmintable, likely containing administrator usernames.0x3a: This is the hexadecimal representation of the colon character (:). It's used as a separator between the username and password.admin_password: This is a column name from theadmintable, likely containing administrator passwords.
+from+admin: This specifies the table from which to retrieve the data. The attacker is targeting theadmintable.--: This is a SQL comment. In many SQL dialects,--signifies the rest of the line is a comment. This is used to comment out any remaining part of the original SQL query that might follow theidparameter, preventing syntax errors and ensuring only the injected query is executed.
Mapping:
http://www.site.com/uigaportal/index.php?view=photos&id=-> Target URL and vulnerable parameter.-9999-> Placeholder for a non-existent ID to ensure original query yields no results.+-> URL-encoded space.Union+Select-> SQL command to combine query results.1,2,4,5-> Placeholder columns to match original query's column count.group_concat(admin_name,0x3a,admin_password)-> Function to extract and format admin credentials.from+admin-> Target table for credential extraction.---> SQL comment to terminate the original query.
Practical details for offensive operations teams
- Required Access Level: Network access to the target web server. No elevated privileges on the server itself are initially required, only the ability to send HTTP requests.
- Lab Preconditions:
- A vulnerable Uiga Personal Portal installation. This is crucial. The application version and configuration must match the vulnerability described.
- A web server (e.g., Apache, Nginx) running PHP and a compatible database (likely MySQL, given the
GROUP_CONCATfunction). - Knowledge of the database schema, specifically the existence of an
admintable withadmin_nameandadmin_passwordcolumns. If these names differ, the payload needs adjustment.
- Tooling Assumptions:
- A web browser for manual testing or reconnaissance.
- An HTTP proxy tool (e.g., Burp Suite, OWASP ZAP) for intercepting and modifying requests.
- SQL injection tools (e.g., sqlmap) can automate this, but understanding the manual process is key.
- A tool to decode URL-encoded strings.
- Execution Pitfalls:
- WAF/IDS Evasion: Modern Web Application Firewalls (WAFs) and Intrusion Detection Systems (IDS) are likely to detect this pattern. Evasion techniques (encoding, character substitution, using different SQL functions) might be necessary.
- Database Type: The payload uses
GROUP_CONCAT, which is common in MySQL. If the target database is PostgreSQL, SQL Server, or Oracle, the syntax for concatenating and retrieving multiple values will differ significantly. - Column Count Mismatch: The
UNION SELECTstatement must have the same number of columns as the original query. If the original query selects 3 columns, and the attacker injects 5 (1, 2,group_concat, 4, 5), the query will fail. Determining the correct column count is a prerequisite for successfulUNION SELECTattacks. This is often done through trial and error (e.g.,UNION SELECT NULL, NULL, NULL --) or by using automated tools. - Output Filtering: The application might filter or sanitize the output displayed to the user, hiding the extracted credentials.
- Error Handling: Verbose error messages from the database can reveal the injection attempt and its success or failure. Conversely, generic error messages can make it harder to pinpoint the vulnerability.
- URL Encoding: Spaces and special characters in the payload must be correctly URL-encoded.
- Tradecraft Considerations:
- Reconnaissance: Identify the target application and its version. Look for common vulnerabilities associated with that version.
- Parameter Discovery: Identify all GET and POST parameters that might be used in database queries.
- Payload Crafting: Develop payloads that are specific to the target database and application.
- Stealth: Avoid overly aggressive scanning that could trigger alerts. Use techniques to blend in with normal traffic.
- Data Exfiltration: Plan how to exfiltrate sensitive data without detection.
GROUP_CONCATcan produce very long strings, which might be noticeable.
Where this was used and when
This vulnerability was published on February 28, 2010. At that time, Uiga Personal Portal was likely in use by individuals or small organizations. SQL injection was a very prevalent and effective attack vector against web applications in the late 2000s and early 2010s. This specific exploit targets a known vulnerability in a particular application, suggesting it could have been used in targeted attacks or by individuals practicing their skills on vulnerable systems.
Defensive lessons for modern teams
- Input Validation and Sanitization: This is the most critical defense. All user-supplied input, especially data used in database queries, must be rigorously validated and sanitized. This includes:
- Whitelisting: Allowing only known-good characters or patterns.
- Blacklisting: Rejecting known-bad characters or patterns (less effective due to evasion).
- Parameterized Queries/Prepared Statements: This is the gold standard. It separates SQL code from data, preventing injected data from being interpreted as code.
- Least Privilege: The database user account used by the web application should have only the minimum necessary permissions. It should not have direct access to sensitive tables like
adminunless absolutely required, and even then, with strict controls. - Web Application Firewalls (WAFs): Implement and properly configure WAFs to detect and block common attack patterns like SQL injection. Keep WAF rules updated.
- Regular Patching and Updates: Keep web applications and their underlying frameworks (like PHP) updated to the latest secure versions.
- Secure Coding Practices: Train developers on secure coding principles, including how to prevent common vulnerabilities like SQL injection.
- Error Handling: Configure error handling to avoid revealing sensitive information about the database structure or query execution. Generic error messages are preferred in production.
- Database Auditing: Implement database auditing to log suspicious queries or access patterns.
ASCII visual (if applicable)
This exploit is a direct manipulation of HTTP requests and database queries. A visual representation of the flow would look like this:
+-----------------+ +-----------------+ +-----------------+ +-----------------+
| Attacker's |----->| Web Browser/ |----->| Uiga Personal |----->| Database Server |
| Machine | | Proxy Tool | | Portal (index.php)| | (MySQL) |
+-----------------+ +-----------------+ +-----------------+ +-----------------+
^ | ^
| | |
| Malicious HTTP Request | SQL Query | Data (admin creds)
| (with injected SQL) | |
+----------------------------------------------------+-----------------------+Explanation:
- The attacker crafts a malicious HTTP request, embedding SQL injection commands within the
idparameter. - This request is sent to the Uiga Personal Portal web application.
- The
index.phpscript, due to the vulnerability, incorporates the malicious SQL into its database query. - The database server executes the manipulated query.
- If successful, the database returns the requested data (in this case, administrator credentials) back to the web application.
- The web application then displays this data to the attacker, often in a place where they wouldn't normally see it.
Source references
- Paper ID: 11599
- Paper Title: Uiga Personal Portal - 'index.php' SQL Injection
- Author: Easy Laster
- Published: 2010-02-28
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/11599
- Raw URL: https://www.exploit-db.com/raw/11599
Original Exploit-DB Content (Verbatim)
----------------------------Information------------------------------------------------
+Name : Uiga Personal Portal index.php SQL Injection
+Autor : Easy Laster
+Date : 28.02.2010
+Script : Uiga Personal Portal
+Language :PHP
+Discovered by Easy Laster
+Security Group 4004-Security-Project
+Greetz to Team-Internet ,Underground Agents
+And all Friends of Cyberlive : R!p,Eddy14,Silent Vapor,Nolok,
Kiba,-tmh-,Dr Chaos,HANN!BAL,Kabel,-=Player=-,Lidloses_Auge,
N00bor,Damian,novaca!ne.
---------------------------------------------------------------------------------------
___ ___ ___ ___ _ _ _____ _ _
| | | | | | |___ ___ ___ ___ _ _ ___|_| |_ _ _ ___| _ |___ ___ |_|___ ___| |_
|_ | | | | |_ |___|_ -| -_| _| | | _| | _| | |___| __| _| . | | | -_| _| _|
|_|___|___| |_| |___|___|___|___|_| |_|_| |_ | |__| |_| |___|_| |___|___|_|
|___| |___|
----------------------------------------------------------------------------------------
+Vulnerability : http://www.site.com/uigaportal/index.php?view=photos&id=
+Exploitable : http://server/uigaportal/index.php?view=photos&id=-9999+
Union+Select+1,2,group_concat(admin_name,0x3a,admin_password),4,5+from+admin--
-----------------------------------------------------------------------------------------