Network Security Pen-Test

Re: Breaking from MySQL to Linux system (SQL Injection).

Subject: Re: Breaking from MySQL to Linux system (SQL Injection).
Date: Thu, 26 Jul 2007 15:55:14 +0200 (Western Europe standard time)
Hey Danett,

On Sat, 21 Jul 2007, Danett song wrote:

Hello

I'm pentesting a customer using a black-box approach, and I found a MySQL injection based on error responses.

[snip]

a) Via another flaw I could disclose the DocumentRoot, which is /web/site. If I try to read the index.php file using the same injection, but only replacing /etc/passwd with /web/site/files/index.php (hex encoding it, obviously), I get no reply! It doesn't return any content of the index.php! It also works for /etc/hosts. Why isn't it working? Strange, huh? The default umask allows every user to read newly created files; I think it is very uncommon for a developer to remove the read permissions of all the .php files he uploads. Do you mean that is the case? Or am I missing something?

Some random thoughts:

- If the PHP interpreter is not executed as a CGI via suEXEC wrapper, you
  should be able to read .php files...
- Are you sure the document root returned by the other flaw is correct?
  How about grabbing Apache's configuration files (exploiting the SQL
  injection, of course;) and double check it?
- Did you try with other files inside the document root (.php, .html,
  .whatever)?

b) My goal is to be able to gain access to the Linux system; the server only has port 80 open. My best attempt was to create a .php file inside the DocumentRoot and try to access it via the browser, but this file never got created. I'm not sure if it's because it doesn't have permissions or because of problems related to quotes!

I tried using the method in question a) but replacing
the union with:

Select <?phpinfo.php>? into outfile
'/http/arquivos/phpinfo.php'

As a side note, your PHP code seems to be wrong. Instead, it should be something along the lines of:


SELECT '<?php some_evil_php_code ?>' INTO OUTFILE '/var/www/accessible_by_db';

I tried encoding both the PHP code and the filename with hex. I also tried replacing the quote (') in the name with (%). But nothing worked.

The OWASP testing guide says that if my server has magic_quotes on, which is my case, it's not possible.

http://www.owasp.org/index.php/Testing_for_MySQL

However, NGSsoftware disagree:

http://www.ngssoftware.com/papers/HackproofingMySQL.pdf

I also tried using char() encoding and the GBK 0xbf27 trick (I had never tried it before, but it appears not to work in this case).

Any idea how to complete this attack?

I don't believe this can work with magic quotes enabled.

c) Because I'm using a bunch of NULLs to validate the UNION statement, I can't do (at least I don't know how to do) a complex SELECT, which requires using the comma (,), or else it will break my UNION statement. How do I deal with it when my injected query has MORE commas than the commas used in the NULLs to validate the SELECT?

Sorry, but I'm not sure I got your point;)

d) Any idea how to break from mysql to the linux system?

Besides uploading a PHP script, depending on factors such as configuration, privileges, etc. you can try to execute OS commands directly from MySQL.


Although it probably won't work in your case (you said 80/tcp is the only port you can reach and the SQL injection you found doesn't look very promising), here you can find some code that might help you (this concept works particularly well against Windows-based installations):

http://www.0xdeadbeef.info/exploits/raptor_udf.c
http://www.0xdeadbeef.info/exploits/raptor_udf2.c
http://www.0xdeadbeef.info/exploits/raptor_winudf.tgz

PS. You already grabbed the contents of the database, didn't you?;)

Hope this helps,

--
Marco Ivaldi, OPST
Chief Security Officer    Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/

