Exploiting Wallpaper Complete Website 1.0.09 via SQL Injection

What this paper is
This paper details a SQL injection vulnerability found in the "Wallpaper Complete Website" software, version 1.0.09. The vulnerability allows an attacker to extract sensitive data, specifically usernames and passwords from the users table, by manipulating input parameters in a web request.
Simple technical breakdown
The core of the vulnerability lies in how the web application handles user-supplied input for the wallpaperid parameter. When this parameter is used in a database query without proper sanitization, an attacker can inject SQL commands. In this case, the attacker uses a UNION SELECT statement to combine the results of their malicious query with the intended query. This allows them to retrieve specific columns (login and password) from a different table (users) than what the original query was supposed to access.
Complete code and payload walkthrough
The provided paper does not contain executable code or shellcode in the traditional sense. Instead, it provides a Proof of Concept (PoC) URL that demonstrates the SQL injection.
PoC URL Breakdown:
http://[target]/[path]/wallpaper.php?wallpaperid=1%20UNION%20SELECT%20login,0,0,0,0,password%20FROM%20users%20/*
Let's break down this URL:
- http://[target]/[path]/wallpaper.php: the base URL of the vulnerable application, pointing at the wallpaper.php script.
- [target]: placeholder for the IP address or domain name of the vulnerable server.
- [path]: placeholder for the directory in which the wallpaper.php script is located.
- ?wallpaperid=: marks the start of the query string; wallpaperid is the parameter being targeted.
- 1: the original, legitimate value for wallpaperid. The attacker starts with a valid-looking input so that the application's own query still executes.
- %20: the URL-encoded representation of a space character. Spaces are needed to separate SQL keywords and clauses.
- UNION: the SQL keyword that combines the result sets of two or more SELECT statements. The attacker uses it to append their own data retrieval to the application's original query.
- SELECT login,0,0,0,0,password: the attacker's injected SELECT statement.
- login: retrieves the login column from the users table.
- 0,0,0,0: placeholder values. A UNION SELECT requires the original query and the injected query to return the same number of columns; the zeros pad the injected SELECT to six columns so that it lines up with the original query. The original query's structure is not given in the paper, so the exact amount of padding needed may vary.
- password: retrieves the password column from the users table.
- FROM users: the data is fetched from the users table.
- /*: opens a multi-line SQL comment, normally closed by */. Left unterminated at the end of the injected text, it comments out whatever remains of the original query that would otherwise interfere with the injected statement. This is a common technique for truncating the original SQL query.
Mapping list:
- http://[target]/[path]/wallpaper.php: target script execution.
- ?wallpaperid=1: legitimate initial query parameter to fetch a specific wallpaper.
- %20UNION%20SELECT: injects a UNION clause to combine result sets and select specific columns.
- login,0,0,0,0,password: the columns to extract (username, dummy values, password).
- FROM users: the table to extract data from.
- /*: comments out the rest of the original query to prevent syntax errors.
Execution Flow:
- The web server receives the crafted URL.
- The wallpaper.php script processes the wallpaperid parameter.
- The script constructs a SQL query that includes the wallpaperid value.
- Because the input is not sanitized, the injected UNION SELECT statement becomes part of the original query.
- The database executes the combined query.
- The results of the attacker's SELECT statement (usernames and passwords) are returned alongside or instead of the original query's results.
- If the application displays these results directly on the web page, the attacker can read the extracted credentials.
Practical details for offensive operations teams
- Required Access Level: Low. This is a remote, unauthenticated vulnerability. An attacker only needs to be able to send HTTP requests to the target web server.
- Lab Preconditions:
  - A vulnerable instance of "Wallpaper Complete Website" 1.0.09 deployed on a web server (e.g., Apache with PHP and a MySQL database).
  - Knowledge of the target's IP address or domain name.
  - Knowledge of the path to the wallpaper.php script.
  - A database containing a users table with login and password columns.
- Tooling Assumptions:
  - A web browser for manual testing, or a command-line tool like curl.
  - An automated web vulnerability scanner might identify this if configured to test for SQL injection.
  - SQL injection tools (e.g., SQLMap) can automate the discovery and exploitation process, especially for determining the exact number of columns and data types.
- Execution Pitfalls:
  - Incorrect Number of Columns: the most common pitfall. The UNION SELECT statement must return the same number of columns as the original query; a wrong guess makes the query fail with a syntax error. The PoC pads the injected SELECT to six columns, implying the original query selects 6 columns. This might need adjustment.
  - URL Encoding: incorrectly encoded spaces or special characters can break the query.
  - Firewalls/WAFs: Web Application Firewalls (WAFs) might detect and block common SQL injection patterns like UNION SELECT. Obfuscation techniques might be necessary.
  - Database Errors: the application might not display database errors, making it harder to debug the injection.
  - Data Format: the extracted data might be displayed in a format that is difficult to parse if the application does not handle it carefully.
  - Path Discovery: determining the correct [path] to wallpaper.php might require directory brute-forcing or other reconnaissance techniques.
- Tradecraft Considerations:
- Reconnaissance: Before attempting exploitation, identify the exact version of the software and the web server configuration.
- Stealth: Avoid noisy, brute-force attempts. Start with targeted injections.
- Payload Delivery: The "payload" here is the extracted data. The objective is to exfiltrate credentials.
- Post-Exploitation: If credentials are obtained, they can be used for further access to the application or potentially other systems if credentials are reused.
Where this was used and when
- Software: Wallpaper Complete Website 1.0.09
- Vulnerability Class: SQL Injection
- Discovery Date: November 23, 2006 (as per Exploit-DB publication date).
- Context: This vulnerability would have been relevant for any organization using this specific version of the "Wallpaper Complete Website" software on their web servers. Given the publication date, it would have been a concern in the mid-to-late 2000s. Such web applications were common for content management and community sites.
Defensive lessons for modern teams
- Input Validation and Sanitization: This is the paramount defense. All user-supplied input, especially data used in database queries, must be rigorously validated and sanitized to prevent injection attacks. Use parameterized queries (prepared statements) or stored procedures.
- Principle of Least Privilege: Database accounts used by web applications should have only the necessary permissions. They should not have broad access to all tables or administrative privileges.
- Web Application Firewalls (WAFs): While not a silver bullet, WAFs can provide a layer of defense by detecting and blocking common attack patterns. However, they should not be the sole defense.
- Regular Patching and Updates: Keep all web applications and their underlying frameworks and libraries updated to the latest secure versions. This vulnerability was specific to an older version.
- Secure Coding Practices: Train developers on secure coding principles, including common vulnerabilities like SQL injection and how to prevent them.
- Error Handling: Configure applications to log detailed errors internally but display generic error messages to users. This prevents attackers from gaining information from detailed error outputs.
- Database Auditing: Monitor database activity for suspicious queries or data access patterns.
ASCII visual (if applicable)
This vulnerability is primarily about manipulating HTTP requests and database queries. A direct ASCII visual of the exploit itself is not particularly illuminating beyond the URL structure. However, we can visualize the data flow:
+-----------------+      +-----------------+      +-----------------+      +-----------------+
| Attacker's      |----->| Web Server      |----->| Web Application |----->| Database Server |
| Browser/Tool    |      | (e.g., Apache)  |      | (wallpaper.php) |      | (MySQL)         |
+-----------------+      +-----------------+      +-----------------+      +-----------------+
        ^                                                  |
        |  Crafted HTTP Request                            |  SQL Query Execution
        |  (with injected SQL)                             |  (UNION SELECT)
        |                                                  v
        |                                         +-----------------+
        |                                         | Attacker sees   |
        |                                         | Sensitive Data  |
        |                                         | (login,password)|
        +-----------------------------------------+-----------------+
Source references
- Paper ID: 2835
- Paper Title: Wallpaper Complete Website 1.0.09 - SQL Injection
- Author: GregStar
- Published: 2006-11-23
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/2835
- Raw URL: https://www.exploit-db.com/raw/2835
Original Exploit-DB Content (Verbatim)
#########################################################################
#                              Coding 4 Fun                             #
#########################################################################
# * Wallpaper Complete Website 1.0.09
#   (http://www.easysitenetwork.com/modules.php?name=Content&pa=showpage&pid=7) ;
# * Class = SQL Injection ;
# * Download = http://www.easysitenetwork.com/modules.php?name=Downloads&d_op=getit&lid=8 ;
# * Found by = GregStar (gregstar[at]c4f[dot]pl) (http://c4f.pl) ;
# -----------------------------------------------------------------------
# - PoC:
#   http://[target]/[path]/wallpaper.php?wallpaperid=1%20UNION%20SELECT%20login,0,0,0,0,password%20FROM%20users%20/*
#########################################################################
# Gr33tz: sASAn,marcel3miasto,masS,kaziq,Abi,kociaq,SlashBeast,chochlik,rfl,d3m0n,java,reyw,kw@ch.
#########################################################################
# milw0rm.com [2006-11-23]