[FD] TheHostingTool 1.2.6: Multiple SQL Injection

Security Advisory - Curesec Research Team 1. Introduction Affected Product: TheHostingTool 1.2.6 Fixed in: not fixed Fixed Version Link: n/a Vendor Website: http://ift.tt/1PfEAu7 Vulnerability Type: SQL Injection Remote Exploitable: Yes Reported to vendor: 09/07/2015 Disclosed to public: 10/07/2015 Release mode: Full Disclosure CVE: n/a Credits Tim Coen of Curesec GmbH 2. Description There are three SQL Injections in the admin area of TheHostingTool 1.2.6. The problem is that the defense against SQL Injection depends in part on the global GET and POST variables being sanitized using mysql_real_escape_string if accessed via postvar or getvar. This makes them relatively safe to use in a query if the parameter is surrounded by quotes. But for places where the parameter is not surrounded by quotes, this will not prevent SQL injection. Please note that admin credentials are required for all SQL injections shown here. 3. Details SQL Injection 1 The POST value "type" is used as the column name in a WHERE clause when using the ajax search. Encoding single quotes does not prevent SQL injection in this case. It should also be noted that letting the user choose the column of a LIKE query on a user table is not a good idea in general, as it will be easy to iterate passwords this way. Proof of Concept: POST http://localhost/ecommerce/THTv1.2.6/includes/ajax.php?function=search type=user` %3D 1 union all select 1,password,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 from tht_users %23&value=test Code: includes/ajax.php public function search() { global $main, $db, $style; if($_SESSION['logged']) { //echo '