Tricky SQL attack vector- need a tip
Posted: Fri Jan 23, 2009 6:47 pm
spinsati
Beginner
Joined: Jan 23, 2009
Posts: 3

Ok, here's the setup: I can insert table names, and so on, but these queries are pretty hostile to SQL injection, from what I can tell. There is NO escaping at all, so I can put in whatever I want. If any queries fail, no error is returned at all! The only output is the queries themselves. This script is meant to be accessed via AJAX, that is, the user is not meant to see the output. The programmer has forgotten to turn off his/her debug output, and also has forgotten to validate input!

Server is MySQL running on the mysql PHP extension.

Here's the queries exactly as they are output by the script:
Code:

[[ UPDATE ab_eq_'foo' SET ab_saved = 2 WHERE user_id = -1 AND ab_saved = 1 ]]
[[ DELETE FROM ab_eq_'foo' WHERE ab_saved = 0 AND user_id = -1 ]]
[[ UPDATE mg_inv_'foo' SET is_eq = 0 WHERE is_eq IN (1,2) AND user_id = -1 ]]

I've put 'foo' right where I can insert any string. There is one exploitable input to these queries, and it's the same value repeated three times (as shown by the 'foo').

These queries are run consecutively. There appears to be no way to run them individually or in any other order.

Any tips?


Last edited by spinsati on Sun Jan 25, 2009 7:25 pm; edited 2 times in total
Re: Tricky SQL attack vector- need a tip
Posted: Fri Jan 23, 2009 9:15 pm
tehhunter
Valuable expert
Joined: Nov 19, 2008
Posts: 261

spinsati wrote:
Ok, here's the setup: I can insert table names, and so on, but these queries are pretty hostile from what I can tell to SQL injection. There is NO escaping at all, so I can put in whatever I want. If any queries fail, no error is returned at all! The only output are the queries themselves.

Server is MySQL running on the mysql PHP extension.

Here's the queries exactly as they are output by the script:
Code:

[[ UPDATE ab_eq_{FOO ='= BAR} SET ab_saved = 2 WHERE user_id = -1 AND ab_saved = 1 ]]
[[ DELETE FROM ab_eq_{FOO ='= BAR} WHERE ab_saved = 0 AND user_id = -1 ]]
[[ UPDATE mg_inv_{FOO ='= BAR} SET is_eq = 0 WHERE is_eq IN (1,2) AND user_id = -1 ]]

I've put {FOO ='= BAR} right where I can insert any string. These queries are run consecutively. There appears to be no way to run them individually or in any other order.

Any tips?
These can't all be in one query because MySQL prohibits joining queries of different types (aka you can't use DELETE in the same query you use SELECT, and you can't use UPDATE in the same one you use INSERT). So the first thing to realize is that it has got to be a bunch of different queries.
Posted: Fri Jan 23, 2009 10:54 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

If the MySQL version is >= 4.1, with subquery support, then you can use blind injection in UPDATE, DELETE, INSERT and other queries.
Re: Tricky SQL attack vector- need a tip
Posted: Sun Jan 25, 2009 7:23 pm
spinsati
Beginner
Joined: Jan 23, 2009
Posts: 3

tehhunter wrote:
So the first to realize is that it has got to be a bunch of different queries.

Yes, I realized that they're not one query, because the PHP mysql extension doesn't allow query stacking.

The interesting thing to note is that there is one input which gets placed in all the queries. So if I enter 'foo', then that value gets put in all the queries.

This programmer wanted to save some time by having dynamic table names, but he/she forgot to validate the input, thus I was able to discover the vulnerability.

Unfortunately, blind SQL injection is tricky since a.) I don't know the entire table schema, and b.) absolutely NO errors are output if any query fails.

I do know that this database also has phpBB tables, but again, I don't know if I can extend these queries enough to influence them.
Posted: Sun Jan 25, 2009 8:26 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

As for the missing feedback: use blind injection with BENCHMARK() or SLEEP(). And the database schema can be guessed, or in the case of MySQL 5.x there is INFORMATION_SCHEMA.
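Added example, not code from this thread or from the application spinsati describes: a Python version of the dynamic-table-name pattern from the first post, written the way it should have been, plus a check that runs over the script's "[[ ... ]]" debug output and flags any line that does not match a known-good template, including lines carrying the SLEEP()/BENCHMARK()/subquery tokens waraxe names. Bound parameters cannot cover an identifier slot, so the table suffix is gated by an allowlist and a strict shape check instead. The allowlist of suffixes, the DB-API "%s" placeholder style, all function names and the sample debug lines are assumptions constructed for this example; the application in the thread is PHP, and Python is used here only to keep the example runnable.

```python
import re

# Constructed allowlist: the table suffixes this hypothetical application really uses.
ALLOWED_SUFFIXES = frozenset({"weapons", "armor", "rings"})

# Strict identifier shape, applied as a second gate even to allowlisted values.
IDENT_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


class UnsafeIdentifier(ValueError):
    """Raised when an unvetted value is about to reach a table-name slot."""


def safe_suffix(suffix):
    """Vet a table-name suffix: placeholders cannot protect identifiers, so the
    allowlist plus the shape check is the whole defense for this slot."""
    if not isinstance(suffix, str) or not IDENT_RE.match(suffix):
        raise UnsafeIdentifier("table suffix has an invalid shape: %r" % (suffix,))
    if suffix not in ALLOWED_SUFFIXES:
        raise UnsafeIdentifier("table suffix is not allowlisted: %r" % (suffix,))
    return suffix


def rejects(suffix):
    """True if safe_suffix() refuses the value (convenience for self-checks)."""
    try:
        safe_suffix(suffix)
    except UnsafeIdentifier:
        return True
    return False


def build_queries(suffix, user_id):
    """Return the thread's three statements as (sql, params) pairs: the table
    name is vetted and backtick-quoted, user_id travels as a bound %s parameter."""
    s = safe_suffix(suffix)
    uid = int(user_id)  # anything that is not an integer is refused here
    return [
        (f"UPDATE `ab_eq_{s}` SET ab_saved = 2 WHERE user_id = %s AND ab_saved = 1", (uid,)),
        (f"DELETE FROM `ab_eq_{s}` WHERE ab_saved = 0 AND user_id = %s", (uid,)),
        (f"UPDATE `mg_inv_{s}` SET is_eq = 0 WHERE is_eq IN (1,2) AND user_id = %s", (uid,)),
    ]


# Exact shape of each benign debug line, taken from the queries quoted in the thread.
BENIGN_TEMPLATES = [
    re.compile(r"^\[\[ UPDATE ab_eq_([a-z0-9_]+) SET ab_saved = 2 WHERE user_id = -?\d+ AND ab_saved = 1 \]\]$"),
    re.compile(r"^\[\[ DELETE FROM ab_eq_([a-z0-9_]+) WHERE ab_saved = 0 AND user_id = -?\d+ \]\]$"),
    re.compile(r"^\[\[ UPDATE mg_inv_([a-z0-9_]+) SET is_eq = 0 WHERE is_eq IN \(1,2\) AND user_id = -?\d+ \]\]$"),
]
# Tokens of the blind-injection toolkit named in the thread; worth an alert on their own.
BLIND_MARKERS = re.compile(r"(SLEEP|BENCHMARK)\s*\(|\bINFORMATION_SCHEMA\b|\(\s*SELECT\b", re.I)


def classify_debug_line(line):
    """'ok' for a line matching a benign template with an allowlisted suffix,
    'blind-marker' if it carries SLEEP/BENCHMARK/subquery tokens, else 'malformed'."""
    for tpl in BENIGN_TEMPLATES:
        m = tpl.match(line)
        if m and m.group(1) in ALLOWED_SUFFIXES:
            return "ok"
    if BLIND_MARKERS.search(line):
        return "blind-marker"
    return "malformed"


def find_suspicious(debug_output):
    """Return (line, verdict) for every non-benign '[[ ... ]]' line in the output."""
    flagged = []
    for line in debug_output.splitlines():
        line = line.strip()
        if not line:
            continue
        verdict = classify_debug_line(line)
        if verdict != "ok":
            flagged.append((line, verdict))
    return flagged


# Constructed sample: one benign run, the thread's own 'foo' run, and one line with a
# SLEEP() token sitting in the identifier slot (not working SQL, just the marker).
SAMPLE_DEBUG = """\
[[ UPDATE ab_eq_weapons SET ab_saved = 2 WHERE user_id = -1 AND ab_saved = 1 ]]
[[ DELETE FROM ab_eq_weapons WHERE ab_saved = 0 AND user_id = -1 ]]
[[ UPDATE mg_inv_weapons SET is_eq = 0 WHERE is_eq IN (1,2) AND user_id = -1 ]]
[[ UPDATE ab_eq_'foo' SET ab_saved = 2 WHERE user_id = -1 AND ab_saved = 1 ]]
[[ DELETE FROM ab_eq_'foo' WHERE ab_saved = 0 AND user_id = -1 ]]
[[ UPDATE mg_inv_'foo' SET is_eq = 0 WHERE is_eq IN (1,2) AND user_id = -1 ]]
[[ UPDATE ab_eq_SLEEP(5) SET ab_saved = 2 WHERE user_id = -1 AND ab_saved = 1 ]]
"""

if __name__ == "__main__":
    for sql, params in build_queries("weapons", -1):
        print(sql, params)
    for line, verdict in find_suspicious(SAMPLE_DEBUG):
        print(verdict, line)
```

The template check is deliberately stricter than the marker regex: a value that is merely not on the allowlist is still flagged as malformed, so the detector does not depend on guessing which SQL keywords an attacker might use, and the marker verdict only adds priority when the tokens named in the thread do appear.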
All times are GMT