Re: Injected, whats next

From: DokFLeed (dokfleed@dokfleed.net)
Date: Fri Aug 18 2006 - 14:18:16 EDT


Tried that, and it looked promising, however got stuck with the magic
quotes.
I never thought I would say it, but magic quotes is a good thing! :)
I am trying the =CHAR now to bypass it.

My point is, even if you prove to a client they have some SQL injection, you
have to explore the threats, risk level etc. for them
(most clients don't really know why they hired you :) ). So far all I can tell
them is, yeah, I can run a SELECT which I can't even see the output of, since
it's controlled by "echo".

thanks
Dok

----- Original Message -----
From: "Brendan Dolan-Gavitt" <mooyix@gmail.com>
To: "DokFLeed" <dokfleed@dokfleed.net>
Cc: <pen-test@securityfocus.com>
Sent: Friday, August 18, 2006 7:04 PM
Subject: Re: Injected, whats next

> You should be able to use SELECT ... INTO OUTFILE to write the results
> of a SELECT statement out to a file on the server's filesystem. Since
> you can SELECT things that don't actually reference any table, this
> should let you write arbitrary data to the filesystem with the
> permissions of the database user.
>
> Since it uses PHP, I would try to find a writable, web-accessible
> directory on the server and do something like
>
> SELECT '<?php some_evil_php_code ?>' INTO OUTFILE
> '/var/www/accessible_by_db/';
>
> Have fun :)
>
> -Brendan
>
> On 8/17/06, DokFLeed <dokfleed@dokfleed.net> wrote:
>> I am testing a web application, I can run UPDATE & SELECT.
>> Does anyone know a way to upload a file to a server through MySQL?
>> Does it allow running system commands or a way to dump a file from the
>> database to the server?
>> It's LAMP: Linux, Apache, MySQL, PHP.
>> Any ideas?
>>
>> Dok
>> smoke dope, eat soap, fly home in a bubble
>>
>>
>> ------------------------------------------------------------------------
>> This List Sponsored by: Cenzic
>>
>> Need to secure your web apps?
>> Cenzic Hailstorm finds vulnerabilities fast.
>> Click the link to buy it, try it or download Hailstorm for FREE.
>> http://www.cenzic.com/products_services/download_hailstorm.php
>> ------------------------------------------------------------------------
>>
>>
>
>
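
Added example, not part of the original thread: a defender-side check for the technique described in the quoted reply, flagging SELECT ... INTO OUTFILE statements in a MySQL query log and rating them higher when the target path resolves under a web-served directory. The WEB_ROOTS list, the function names and the sample statements are assumptions constructed for this illustration.

```python
import posixpath
import re

# Assumed web-served directories for this example; adjust per host.
WEB_ROOTS = ("/var/www/", "/srv/www/")

# INTO OUTFILE is followed by a quoted literal path.
OUTFILE_RE = re.compile(r"\bINTO\s+OUTFILE\s+(['\"])(?P<path>.*?)\1", re.I | re.S)
# CHAR(97,100,...) numeric string construction with four or more arguments.
CHAR_RE = re.compile(r"\bCHAR\s*\(\s*\d+(?:\s*,\s*\d+){3,}\s*\)", re.I)

def classify(statement):
    """Return (severity, reasons) for one SQL statement from a query log."""
    severity, reasons = "none", []
    m = OUTFILE_RE.search(statement)
    if m:
        # Normalise first so '/tmp/../var/www/...' is still seen as web root.
        path = posixpath.normpath(m.group("path"))
        if path.startswith(WEB_ROOTS):
            severity = "high"
            reasons.append("INTO OUTFILE under web root: " + path)
        else:
            severity = "medium"
            reasons.append("INTO OUTFILE to: " + path)
    if CHAR_RE.search(statement):
        reasons.append("string built with CHAR(...)")
        if severity == "none":
            severity = "low"
    return severity, reasons

def scan(lines):
    """Yield (line_no, severity, reasons) for every flagged log line."""
    for n, line in enumerate(lines, 1):
        severity, reasons = classify(line)
        if severity != "none":
            yield n, severity, reasons

# Constructed sample statements (not taken from any real log).
SAMPLE_LOG = [
    "SELECT name, price FROM products WHERE id = 7",
    "SELECT 'placeholder' INTO OUTFILE '/var/www/accessible_by_db/x.php'",
    "SELECT id FROM users WHERE name = CHAR(97,100,109,105,110)",
    "SELECT * FROM orders INTO OUTFILE '/tmp/orders.csv'",
    "SELECT CHAR(65) AS grade",
]

if __name__ == "__main__":
    for n, severity, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {severity}: {'; '.join(reasons)}")
```
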

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:45 EDT