Waraxe IT Security Portal
Login or Register
November 18, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 71
Members: 0
Total: 71
Full disclosure
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
4 vulnerabilities in ibmsecurity
32 vulnerabilities in IBM Security Verify Access
xlibre Xnest security advisory & bugfix releases
APPLE-SA-10-29-2024-1 Safari 18.1
SEC Consult SA-20241030-0 :: Query Filter Injection in Ping Identity PingIDM (formerly known as ForgeRock Identity Management) (CVE-2024-23600)
SEC Consult SA-20241023-0 :: Authenticated Remote Code Execution in Multiple Xerox printers (CVE-2024-6333)
APPLE-SA-10-28-2024-8 visionOS 2.1
APPLE-SA-10-28-2024-7 tvOS 18.1
APPLE-SA-10-28-2024-6 watchOS 11.1
APPLE-SA-10-28-2024-5 macOS Ventura 13.7.1
APPLE-SA-10-28-2024-4 macOS Sonoma 14.7.1
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Sql injection -> My first steps with sql injections
Post new topicReply to topic View previous topic :: View next topic
My first steps with sql injections
PostPosted: Wed May 11, 2005 1:47 pm Reply with quote
anselmes
Beginner
Beginner
Joined: May 11, 2005
Posts: 4
Location: France




Hello everybody


I' discovered this website with a recent advisory .. and i found many things which are very interessant .

Let present my self , I 'm a young french php developper ( I think my english is verry poor but i hope that you will understand me ) .
I principally work on e107 , and my personal Portal (which is no public for the moment maybe soon if i securise it ) .


I try to understand some security advisorys and more precisely when they concern php ...


Maybe you will accept to answer to my beginners questions ..

Indeed i try to learn more about sql injections , try to understand the logic in order to securise my website and my portal ..

2 days ago , someone published on adivsory concerning e107
I was very interessed by this kind of injection

Quote:

lets move on

forum_viewforum.php ~196

if($sql -> db_Select("forum_t", "*", "thread_forum_id='".$forum_id."' AND thread_parent='0'

ORDER BY thread_s DESC, thread_lastpost DESC, thread_datestamp DESC LIMIT $from, $view")){

forum_viewforum.php?5.[INJECTION]#



So i thinks that the problem is with the variable $from

$from is set at the beginning of forum_viewforum.php by
Quote:

else{
$tmp = explode(".", e_QUERY);
$forum_id = $tmp[0]; $from = $tmp[1];
if(!$from){ $from = 0; }
}



So we can see that we can enter a sql request (of course if this requires mysql version to support subqueries)

So logically a injection like that sould be ok
http://[target]/forum_viewforum.php?7.0 UNION SELECT user_password FROM e107_user WHERE user_id=1#

But it doesn't work .. so i'm not sur about my logic ... Maybe i'm tottaly wrong with the concept of sql injection ..


If someone could help that will be fine ..

PS :

Maybe i found a solution to resolve this sql injection we can use intval() When we define $forum_id and $from ?


I hope that you understood my message ..


Have a good day
View user's profile Send private message Visit poster's website MSN Messenger
PostPosted: Wed May 11, 2005 11:46 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Hi and welcome to forum!

First of all, that specific sql injection occurs in "ORDER BY x LIMIT y,z" section, so it is not very dangerous in case of mysql 3.x or 4.x. This is my personal opinion, maybe i am wrong.

Next, that intval() using - yes, this is exactly that, what i will recommend.
If you look to ways, how to secure e107 or some other php script, then you must analyze ALL the input variables, what potential attacker can deliver to script, located in webserver. I mean - GET/POST/COOKIE/USER_AGENT/REFERER. Now if input variable is meant to be integer, then yes, use intval(). If it must be > 0 , use max().
And so on.

Anyway, e107 is not very secure software. Many advisories have been about e107 in the past and still they deliver new versions with lots of security holes. I am not sure, that you can yourself secure that code. So there is my advise - if you put your e107 based website online, then make sql database backups as frequently as possible - every day, twice in day, whatever. You can use cron for this, so it will make backups and upload them for example to some remote ftp server. In this way, if your website will get hacked and/or defaced, you can restore it very quickly and with ease.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Thu May 12, 2005 7:07 pm Reply with quote
anselmes
Beginner
Beginner
Joined: May 11, 2005
Posts: 4
Location: France




hi



thanks for your anser waraxe ...


so my logic was not totally wrong .. i prefer that ..

and thanks for your adivses . But as for as i'm concerned i dont use e107 for my website i prefer my personnal code .. but i dont want to make the code public because i know that there is lots of security holes ... Anyway i think that e107 is nice cms which can be very useful very basic needs ...

so for my first lessons with sql injections i learn some useful tips :
UNION can't be used after the LIMIT agument ( Well it looks like a php lessons Very Happy Very Happy Very Happy ).

Well thank you very much for all this advices ... If i find other questions which deal with that i ill share with you ...


Bye ...


Anselme
View user's profile Send private message Visit poster's website MSN Messenger
PostPosted: Tue May 17, 2005 7:16 pm Reply with quote
anselmes
Beginner
Beginner
Joined: May 11, 2005
Posts: 4
Location: France




Well


good afternoon everyone ...


I want to go further with sql injections so i have some other questions , but i think that it's useless to open another topic for that ( I know consequences when a DB is overcrowded Wink )



So when i code i generally uses this type of syntaxe

example with my forum :

Quote:

showpost.php
$thread=$DB_site->query_first("SELECT * FROM thread WHERE threadid=$threadid");


And then

echo " <table><td><tr><a href=showthread.php?$thread[threadid]>$thread[title]</td></tr></table>";




It's an example
We will say that $threadid is defined in the URL but when i want to use my result i use in my code $thread[title]
.


For example so if somebody wants to make sql injection he can try to put in the url http://www.example.com/showpost.php?threadid=1 UNION SELECT * FROM users WHERE userid=adminsiteid

But it 's useless because he cannot acess to his results because there isn't a definition of $thread[password] after ... So it will not print the result on the page ..


Am i right ?

I know that my post could appear to be very confusing , because my english is very poor but maybe somebody will understand it , and my question is : IS there some other possibilities to exploit this syntaxes ?

because to my mind , sql injection are used for find admin acess ? no ?

It may exist some other methods more malicious than mine ?


Maybe i'm wrong and i'm sure i'm wrong ..


Thanks for your attention ..


BYe
View user's profile Send private message Visit poster's website MSN Messenger
PostPosted: Tue May 17, 2005 9:49 pm Reply with quote
d3vilbox
Beginner
Beginner
Joined: May 02, 2005
Posts: 3




hey anselmes

If RDBMS is MSSQL server , there are some other methods to bypass such problems , for example in ms-sql u can make sql server pass ur wanted data in returned error message.

ex: http://www.example.com/showpost.php?threadid=1 and threadid=convert(SELECT pwd FROM users WHERE userid=adminsiteid,int)

then it returns error message including admin`s pwd

there are nother ways in ms-sql like :

executing system commands by xp_cmdshell (extended stored procedure)
executing T-SQL by using ; character after end of each query statement
brute-forcing DB to find pwd of DBA (DataBase Admin) by using simple T-sql
...

but in MYSQL , as i know there is no way to exploit ur example page,and it`s useless !

maybe using some special SQL commands to writting returned data in bulk-file be usefull but i`m not sure !

Tell me if u found answer , d3vilbox [at] yahoo [d0t] com

tnx
View user's profile Send private message
PostPosted: Wed May 18, 2005 2:19 pm Reply with quote
anselmes
Beginner
Beginner
Joined: May 11, 2005
Posts: 4
Location: France




thanks for your answer d3vilbox


fortunately for me i only use mysql Smile


But it's very intersting it give me lots of ideas Very Happy


But i was wondering .. UNION can be used with an INSERT after ? ..

I will check it after .. but i think it can't ...

Bye
View user's profile Send private message Visit poster's website MSN Messenger
My first steps with sql injections
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.044 Seconds