PvPGN Stats - Multiple SQL Injection Vulnerabilities

September 19, 2017 in PvPGN Hacking

Overview

I discovered 5 SQL injection vulnerabilities in PvPGN Stats version 2.4.6.

No patch is available at the time of this posting because the code uses deprecated functions and will require a complete rewrite. I would not recommend using this utility until a new version is released that fixes these vulnerabilities.

Here is the issue I posted on the Github repo:

I wouldn't recommend that anyone host this utility in its current state.

Current SQL handler classes do not filter database queries, allowing SQL injection vulnerabilities. An attacker can obtain full access to the PvPGN database, including all emails, usernames, and passwords (easy to crack XSHA1). In addition to the SQL injection vulnerabilities, the mysql_* database functions have been removed from PHP 7 in favor of MySQLi and PDO, so it won't run on new OS installs, for example Debian 9.

Both issues can be fixed by updating the code to use PDO. I began working on a patch but haven't finished it yet; hopefully someone else who is more familiar with PHP can upgrade the util.

SQL Injection Vulnerable Parameters:

CVE-2017-18287:

POST /ladder/stats.php?action=search HTTP/1.1
game=W2BN&type=team&user_search=[INJECT]&x=1&y=10

CVE-2017-18288, CVE-2017-18289, CVE-2017-18290:

GET /ladder/stats.php?game=[INJECT]&type=[INJECT]&sortBy=username&sort_direction=[INJECT] HTTP/1.1

CVE-2017-18291:

GET /ladder/stats.php?game=W2BN&type=1&user=[INJECT] HTTP/1.1
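As an added illustration (not code from PvPGN Stats or its author), here is the unfiltered mysql_* pattern the issue describes beside the PDO rewrite it recommends, using the same request parameters listed above; the table and column names, the DSN and the sort whitelist are assumptions. Note that the ORDER BY column and direction cannot be bound as parameters, so those two must be chosen from a fixed list rather than escaped.

```php
<?php
// Added illustration, not PvPGN Stats' own code. Table/column names
// (ladder_stats, username, wins, losses) and the DSN are assumptions.

// --- Before: mysql_* with string concatenation (removed in PHP 7) ----------
// Every request parameter is pasted straight into the SQL text, so any
// of game, type, sortBy, sort_direction or user_search can alter the query.
// $sql = "SELECT * FROM ladder_stats WHERE game='" . $_GET['game'] . "'"
//      . " AND type='" . $_GET['type'] . "'"
//      . " ORDER BY " . $_GET['sortBy'] . " " . $_GET['sort_direction'];
// $result = mysql_query($sql);

// --- After: PDO prepared statements plus whitelists for non-bindable parts --
$pdo = new PDO('mysql:host=localhost;dbname=pvpgn;charset=utf8mb4', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

// Identifiers (ORDER BY column) and keywords (ASC/DESC) are not values and
// cannot be bound; map the request onto a fixed list and fall back to defaults.
$allowedSort = ['username' => 'username', 'wins' => 'wins', 'losses' => 'losses'];
$sortBy  = $allowedSort[$_GET['sortBy'] ?? ''] ?? 'username';
$sortDir = (strtolower($_GET['sort_direction'] ?? 'asc') === 'desc') ? 'DESC' : 'ASC';

// game, type and the search term are values, so they are bound: the SQL text
// the server parses is fixed, whatever the client sends.
$stmt = $pdo->prepare(
    "SELECT username, wins, losses FROM ladder_stats
     WHERE game = :game AND type = :type AND username LIKE :user
     ORDER BY $sortBy $sortDir"
);
$stmt->execute([
    ':game' => $_GET['game'] ?? '',
    ':type' => $_GET['type'] ?? '',
    // LIKE wildcards inside a bound value are data, not SQL, but escape them
    // so a user-supplied "%" or "_" matches literally.
    ':user' => '%' . addcslashes($_POST['user_search'] ?? '', '%_\\') . '%',
]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

The same pattern applies to the per-user lookup (`user=[INJECT]`): bind the username as a value and never interpolate it into the query string.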
