Alicorn Circa 2004 SQL Injection / Command Injection / XSS
=============================================================================================================================================
| Alicorn Circa 2004 SQL Injection / Command Injection / XSS
=============================================================================================================================================
| # Title : Alicorn Front-End to Unicornscan in Data Correlation Module SQL Injection and Command Injection Vulnerabilities |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://www.unicornscan.org/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/34550/
[+] Summary : This analysis examines a PHP script from the Unicornscan network reconnaissance tool (circa 2004) that contains severe security vulnerabilities.
The code is intended for querying and correlating scan data but is fundamentally insecure due to improper input handling.
1. SQL Injection (Critical)
Location: db2response() function calls with raw user input
Impact: Full database compromise, data exfiltration, unauthorized access
Root Cause: Direct usage of $_POST/$_GET arrays without sanitization
2. Potential Command Injection
Location: banner and os parameters
Impact: Remote code execution on server
Root Cause: Lack of input validation on regex pattern fields
3. Cross-Site Scripting (XSS)
Location: urldecode() calls without output encoding
Impact: Client-side script execution, session hijacking
4. Insecure Direct Object References
Location: Direct database queries with user-controlled parameters
Impact: Unauthorized data access
[+] Attack Vectors :
SQL Injection Examples:
POST /scan_data/data_select.php
host_addr=' UNION SELECT 1,2,3,4,5,6,7,8,@@version,10--
[+] Data Exfiltration:
GET /scan_data/data_select.php?host_addr=1' OR 1=1&mask=1
[+] Risk Assessment :
Vulnerability     | Severity | Exploit Complexity | Impact
------------------+----------+--------------------+----------------------------
SQL Injection     | Critical | Low                | Complete system compromise
Command Injection | High     | Medium             | Server takeover
XSS               | Medium   | Low                | Client-side attacks
[+] Root Causes :
No Input Validation: Complete trust in user-supplied data
No Parameterized Queries: Direct string concatenation in SQL
No Output Encoding: Raw data displayed to users
Age of Code: Written before modern security practices (2004)
[+] Immediate Actions:
Remove from production environments
Implement parameterized queries
Apply strict input validation
Add output encoding
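The three immediate actions above (parameterized queries, strict input validation, output encoding) applied to the request parameters this advisory names, as an added PHP example that is not the Alicorn script's own code; the scan_hosts table and its columns are assumed, and the sample data is constructed.

```php
<?php
// Added illustration, not the Alicorn/Unicornscan script's own code. Table and column
// names (scan_hosts, host_addr, mask, banner) are assumed; parameter names are the advisory's.
declare(strict_types=1);
// The pattern the advisory describes: request data concatenated into SQL, so a
// quote inside host_addr changes the meaning of the query instead of its value.
function vulnerableQuery(array $req): string {
    return "SELECT * FROM scan_hosts WHERE host_addr = '" . $req['host_addr']
        . "' AND mask = " . $req['mask'];
}
// Strict validation: host_addr must parse as an IP address, mask as a prefix
// length in 0..32 (IPv4 scope assumed). Anything else is rejected, not "cleaned".
function validateHostAddr(string $raw): ?string {
    $ip = filter_var($raw, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}
function validateMask(string $raw): ?int {
    $m = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 32]]);
    return $m === false ? null : $m;
}
// Hardened lookup: validated values are bound as parameters, so the database
// never parses them as SQL text.
function lookupHosts(PDO $db, string $rawAddr, string $rawMask): array {
    $addr = validateHostAddr($rawAddr);
    $mask = validateMask($rawMask);
    if ($addr === null || $mask === null) {
        return [];
    }
    $stmt = $db->prepare('SELECT host_addr, mask, banner FROM scan_hosts'
        . ' WHERE host_addr = :addr AND mask = :mask');
    $stmt->execute([':addr' => $addr, ':mask' => $mask]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
// Output encoding: banners were captured from scanned hosts, so they are
// untrusted data and must be HTML-encoded before reaching the browser.
function renderBannerCell(array $row): string {
    return '<td>' . htmlspecialchars($row['banner'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE scan_hosts (host_addr TEXT, mask INTEGER, banner TEXT)');
$db->exec("INSERT INTO scan_hosts VALUES ('10.0.0.5', 32, '<b>SSH-2.0</b>')");
echo vulnerableQuery(['host_addr' => "1' OR 1=1", 'mask' => '1']), "\n"; // broken query text
var_dump(lookupHosts($db, "1' OR 1=1", '1'));                            // rejected by validation
foreach (lookupHosts($db, '10.0.0.5', '32') as $row) {
    echo renderBannerCell($row), "\n";                                   // markup arrives encoded
}
```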
[+] Long-term Solutions:
Complete code rewrite using modern frameworks
Implement proper authentication/authorization
Regular security audits
Dependency updates
[+] Conclusion :
This legacy code represents a critical security risk and should be immediately isolated from any production systems.
The vulnerabilities are trivial to exploit and could lead to complete system compromise. Modern security practices must replace these antiquated coding patterns.
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================