Waraxe IT Security Portal
Login or Register
November 22, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 55
Members: 0
Total: 55
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Sql injection -> Sql injection , waraxe plz help ! :S
Post new topicReply to topic View previous topic :: View next topic
Sql injection , waraxe plz help ! :S
PostPosted: Sat Nov 08, 2008 1:30 am Reply with quote
Maxer
Regular user
Regular user
Joined: Sep 30, 2008
Posts: 7




I found a sql injection on a site , then i try to load_file using hex and it works , i want to load a php shell with outfile on it but i don't know the full web path , do u have any idea of what i could do ?

Server:redhat
Mysql
' <--- not allowed

syntax is like this site.com/script.php?var1=blabla&var2=blabla&var3=100&var4=100&var5=100 union select @@version <--- var5 vulnerable to sql injection
i try to load_file /etc/passwd/ and it works perfeclty , but when i try to load / i have an error.

Pls help! thanks in advance.
View user's profile Send private message
PostPosted: Sat Nov 08, 2008 10:36 am Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




You can read file's not dir's.

Try
/etc/hosts
View user's profile Send private message
PostPosted: Sat Nov 08, 2008 8:06 pm Reply with quote
Maxer
Regular user
Regular user
Joined: Sep 30, 2008
Posts: 7




Thanks pexli , i pulled the /etc/hosts , but i didn't see too much useful information , maybe i'm missing something.

I managed to force php to produce an error so i know the full web path now Smile , when i load file the / etc / passwd , i do it without any problems , but when i try to load file the index.php file for the site , i get this:

Error: Can't get stat of '/mnt/www/Website/index.php' (Errcode: 2)

I checked loading phpinfo.php on the site to confirm the web path and yeah , it says phpinfo.php is located in /mnt/www/Website/

I don't know why i can't load file the index.php :S
Any ideas?
View user's profile Send private message
PostPosted: Sat Nov 08, 2008 8:45 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Are you sure, that it's "index.php"? When you try "http://****.com/index.php", you get normal page? Try to read ".htaccess", if it's present - default index files can be overridden.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sat Nov 08, 2008 9:02 pm Reply with quote
Maxer
Regular user
Regular user
Joined: Sep 30, 2008
Posts: 7




Hello waraxe , thanks for your reply!

Im sure it's there , i also tried loading the exact file that is causing the php error , also some other files that i know are present on the website.

What i find really odd , is that when i try to load a non existent file , i obviously get an error , when i try to load a folder that is valid, it just shows me the website with no error.
So, when i try to load / , no error , /var/ , no error , /mnt/ no error , but when i try /mnt/www/ just to see if it really exists , it gives me an error ...

Could this be because mnt is a mounted folder ?
I'm having headaches :S
View user's profile Send private message
PostPosted: Sat Nov 08, 2008 9:15 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




I see one possible reason for this behavior. When you use "LOAD_FILE()", then file operation is done with UID/GID of MySql daemon. So based on operating system specifics you can access files, if 1) file owner is not mysql and they are world readable, and 2) if file owner is mysql. So "/" can be accessible, because it's owner is root, but it's world readable dir. But that specific website's home directory is owned by specific user! And if it's not world readable, then you can't access it!
I suggest to look for world writable directories in that specific web root. Example: "avatars", "files", "temp", "cache", "uploads", etc. Then use "INTO OUTFILE" and write your own php file. From php code level you have more possibilities to elevate your privileges, of course depending on php version, apache API and other details.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sun Nov 09, 2008 12:20 am Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




I think you can't read .php files because this is limitation of this bug.
Why you try to read dir with load_fileSmile
Try to upload your code like waraxe says.
View user's profile Send private message
PostPosted: Sun Nov 09, 2008 8:46 am Reply with quote
Maxer
Regular user
Regular user
Joined: Sep 30, 2008
Posts: 7




If i use:
site.com/script.php?var=999 union select load_file(0x2f6574632f706173737764)

to load_file /etc/passwd , and the web full path is /mnt/www/website/ , what would i have to do to load a simple php shell ?
I dont know how to use into outfile :S
View user's profile Send private message
Sql injection , waraxe plz help ! :S
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.036 Seconds