Second Order SQL with Image Exif Meta Data

What is Exif Metadata?

Exchangeable Image File Format, officially known as Exif, is a standard that specifies the format of images, sounds and the ancillary tags (device and location information) recorded by digital cameras.

Examples: date and time information, camera make and model, geolocation, copyright information and image orientation.

Is it safe?

Since Exif tags contain metadata about the image, they can pose a privacy problem. For example, a photo taken with a GPS-enabled camera can reveal the exact location and time it was taken, and the unique ID number of the device – this is all done by default, often without the user’s knowledge. Many users are unaware that their photos are tagged in this manner by default, or that specialist software may be required to strip the Exif tags before publishing.

How are web applications affected?

Web applications use Exif metadata in a wide range of analytics. It may be used by search engines such as Google, Yahoo and Bing. Images uploaded to social media and photo-sharing sites retain this data for further processing. Even Picasa and iPhoto write the captions we enter into the embedded metadata.

Proof Of Concept:

To simplify, I came up with an example of a real-world scenario where a developer is reading Exif tags while implementing an image-based search.

Second Order SQL Injection:

Put simply, “stored safe, but fetched unsafe” – this is what is tagged as multi-order SQL injection.

I have a simple image-based search application as below.

Just take a look at the functionality.

If we look at the Exif data of the image we uploaded, we can see that the developer is only reading the “Artist” tag and searching based on that.

I just modified the “Artist” tag with a false SQL injection payload: "'+0#".

I’ve uploaded the modified image to see the result.

Whoa! It displayed all images, and our SQL injection worked. Let's take a look at the code to see what exactly happened.

Here, while uploading the image, the developer reads the Exif tags, grabs the Artist tag and updates the database safely via a prepared statement.

But when searching on the Artist tag, he uses a vulnerable, unparameterized SQL query, which is what results in the second-order SQL injection here.

I have just given an idea about SQL injection here, but it may lead you to RCE etc.

Mitigation:

  • No image is safe – sanitize everything before storing it in the database.
  • Stored procedures and prepared statements will mitigate the issue; use them for every query that reads the stored value back (here, the search), not only for the insert.
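The upload and search flow described in the proof of concept, together with the mitigation above, as an added example (this is not the original post's code). It constructs a minimal JPEG carrying an Exif "Artist" tag, reads the tag back with a small TIFF IFD walker, stores it with a parameterized INSERT (the safe step), and then shows the search path twice: concatenated (the second-order bug) and bound (the fix). The database is an in-memory SQLite instance; the post's application is assumed to be MySQL-backed, which the payload's `#` comment and `''+0` coercion imply.

```python
"""Added example, not code from the original post: second-order SQL injection
through the Exif 'Artist' tag, end to end, using constructed sample data and an
in-memory SQLite database."""
import sqlite3
import struct

TAG_ARTIST = 0x013B          # Exif/TIFF tag number of the ASCII 'Artist' field
PAYLOAD = "'+0#"             # the post's payload, placed in the Artist tag


def build_jpeg_with_artist(artist: str) -> bytes:
    """Construct a minimal JPEG: SOI, one Exif APP1 segment holding a single
    IFD0 entry (Artist), EOI. Sample data is constructed for this example."""
    value = artist.encode("ascii") + b"\x00"           # ASCII values are NUL-terminated
    tiff = b"II" + struct.pack("<HI", 42, 8)            # little-endian TIFF header, IFD0 at 8
    if len(value) <= 4:                                 # short values are stored inline
        value_field, tail = value.ljust(4, b"\x00"), b""
    else:                                               # longer ones follow the IFD: 8 + 2 + 12 + 4 = 26
        value_field, tail = struct.pack("<I", 26), value
    ifd = (struct.pack("<H", 1)                                   # entry count
           + struct.pack("<HHI", TAG_ARTIST, 2, len(value))      # tag, type 2 = ASCII, count
           + value_field
           + struct.pack("<I", 0))                                # no next IFD
    app1_payload = b"Exif\x00\x00" + tiff + ifd + tail
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_payload) + 2) + app1_payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def _artist_from_tiff(tiff: bytes):
    """Walk IFD0 and return the Artist string, honoring the TIFF byte order."""
    bo = "<" if tiff[:2] == b"II" else ">"
    ifd = struct.unpack(bo + "I", tiff[4:8])[0]
    count = struct.unpack(bo + "H", tiff[ifd:ifd + 2])[0]
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i: ifd + 14 + 12 * i]
        tag, typ, n, off = struct.unpack(bo + "HHII", entry)
        if tag == TAG_ARTIST and typ == 2:
            raw = entry[8:12] if n <= 4 else tiff[off:off + n]   # inline vs. offset storage
            return raw.split(b"\x00", 1)[0].decode("ascii", "replace")
    return None


def read_artist_tag(jpeg: bytes):
    """Find the APP1/Exif segment of a JPEG and return its Artist tag (or None)."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):       # EOI or start of scan: Exif must precede these
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            return _artist_from_tiff(seg[6:])
        pos += 2 + length
    return None


def store_upload(conn, filename: str, jpeg: bytes) -> str:
    """Upload handler as the post describes it: Artist is read from Exif and
    stored with a prepared statement, so this step itself is not injectable."""
    artist = read_artist_tag(jpeg) or ""
    conn.execute("INSERT INTO images (filename, artist) VALUES (?, ?)", (filename, artist))
    return artist


def search_vulnerable(conn, artist: str) -> list:
    """The second-order bug: the stored value is spliced into SQL text, so the
    Artist tag now changes the statement. Under MySQL (assumed for the post's
    app) the payload yields  WHERE artist = ''+0  and '#' comments out the rest,
    so every row matches; SQLite has no '#' comment and rejects the statement."""
    sql = "SELECT filename FROM images WHERE artist = '" + artist + "'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, artist: str) -> list:
    """The fix: bind the value, so it is only ever compared, never parsed."""
    rows = conn.execute("SELECT filename FROM images WHERE artist = ?", (artist,))
    return [row[0] for row in rows]


def run_demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE images (filename TEXT, artist TEXT)")
    store_upload(conn, "alice.jpg", build_jpeg_with_artist("Alice"))
    stored = store_upload(conn, "evil.jpg", build_jpeg_with_artist(PAYLOAD))
    result = {"stored": stored,
              "safe": search_safe(conn, stored),          # literal match only
              "safe_alice": search_safe(conn, "Alice")}
    try:
        search_vulnerable(conn, stored)
        result["vulnerable_altered_sql"] = False
    except sqlite3.Error as exc:       # the tag was parsed as SQL, not compared as data
        result["vulnerable_altered_sql"] = True
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    print(run_demo())
```

The safe search returns only the row whose Artist is literally `'+0#`, which is the correct answer; the concatenated search hands the tag to the SQL parser, and the fact that the outcome differs between engines (all rows on MySQL, a parse error on SQLite) is itself the symptom: data that was stored correctly is being re-interpreted as code at the point of use.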

