EvilZone

: how to find webVulns by Script?
: peak August 31, 2012, 05:11:54 AM

Hi EZ Members

I have quite good knowledge and some experience in sqli and lfi.
Yet I struggle to turn that into a script. The big question is actually how to determine a vulnerability if there is no error output?
What is the fastest way?

I had a few thoughts...

about sqli without error output:
    1. numeric input: if id=7 is the same as id=8-1, there is a good chance for sqli
    2. if site=home and site=substring('home',1,4) are the same, there is also a good chance for sqli

   
about lfi without error output:
    1. just try ../..  (...)  ../etc/passwd and boot.ini and check for a difference in content length


so the script looks at a specific get/post field:

suppose I need '
    1. generate query with ' at the end of the standard value ( if any )
    2. search in the content for sql errors, php errors, other errors -> exit if yes
    3. try something like ' and '1'='1 and see if you get the same output as normal ??? ??
        I really don't know how to check this case ???

suppose I don't need '
    4. if numeric try the subtraction (1.) and if not try the substring (2.) -> exit if content length is the same as normal input

and lfi:
    5. try passwd and boot.ini and compare content length

    6. not vuln or try some other stuff ..

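An added example, not from this thread or any of its posters, that looks at the same probe shapes from the defender's side: a small Python scanner over constructed access-log lines that flags the boolean, arithmetic, string-function and traversal probes listed above. The log format, signature names and sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Signatures over a percent-decoded parameter value, one per probe shape from the
# thread. Constructed for this example; tune names and patterns before real use.
SIGNATURES = {
    # ' and '1'='1  /  and 1=1  /  and 1=2  (boolean-based blind probes)
    "sqli_boolean": re.compile(r"(?i)\b(?:and|or)\s+'?\d+'?\s*=\s*'?\d+"),
    # id=8-1 : the whole value is a two-term arithmetic expression; anchoring
    # keeps ordinary dates such as 2012-08-31 out, since they have a third term
    "sqli_arith": re.compile(r"^\d+\s*[-+*/]\s*\d+$"),
    # site=substring('home',1,4) and similar string-function probes
    "sqli_strfunc": re.compile(r"(?i)\b(?:substring|substr|mid|concat)\s*\("),
    # ../../etc/passwd, ..\boot.ini
    "lfi_traversal": re.compile(r"(?i)(?:\.\.[\\/]|etc/passwd|boot\.ini)"),
}
# Apache/nginx combined-format request line: client, timestamp, method, URL
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+)')

def classify_value(value: str) -> list[str]:
    """Names of every signature matching one decoded parameter value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]

def scan_log(lines: list[str]) -> list[dict]:
    """One finding per (request, parameter, signature) across the given log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        # parse_qsl percent-decodes, so %20 / %27 are normalised before matching
        for param, value in parse_qsl(urlsplit(m["url"]).query, keep_blank_values=True):
            for sig in classify_value(value):
                findings.append({"ip": m["ip"], "ts": m["ts"], "param": param,
                                 "value": value, "signature": sig})
    return findings

# Constructed sample: one client walks through the thread's probes; a second
# client sends a harmless date that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Aug/2012:05:11:55 +0000] "GET /news.php?id=8-1 HTTP/1.1" 200 5120
203.0.113.5 - - [31/Aug/2012:05:11:56 +0000] "GET /index.php?site=substring('home',1,4) HTTP/1.1" 200 4870
203.0.113.5 - - [31/Aug/2012:05:11:57 +0000] "GET /news.php?id=7'%20and%20'1'='1 HTTP/1.1" 200 5120
203.0.113.5 - - [31/Aug/2012:05:11:58 +0000] "GET /index.php?site=../../../../etc/passwd HTTP/1.1" 200 4870
198.51.100.9 - - [31/Aug/2012:05:12:01 +0000] "GET /archive.php?date=2012-08-31 HTTP/1.1" 200 3300
""".splitlines()

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['param']}={f['value']!r} -> {f['signature']}")
```

Grouping the findings by client and counting them per minute is what turns these single hits into an alert worth acting on; the signatures alone will also fire on the occasional odd but legitimate value.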
   
: Re: how to find webVulns by Script?
: peak September 02, 2012, 12:55:47 PM
*push*

how do I see if a sqli works when I have to use ' and there is no error message displayed?
: Re: how to find webVulns by Script?
: NeX September 02, 2012, 05:17:55 PM
That's called Blind SQL injection.. Doing ' and 1=1 should display normal page, but when doing ' and 1=2, the page should be (a bit) different. :)
: Re: how to find webVulns by Script?
: Ragehottie September 02, 2012, 07:34:23 PM
I would not use a script. You can see every error with the human brain. Your script might overlook something big.
: Re: how to find webVulns by Script?
: peak September 03, 2012, 08:31:47 AM
Ah I see ... I can do it by hand! Not a problem, and I know different kinds of blind, ty NeX.
But my crawler makes so much output that I can't do them all by hand. I'll just do the ones I know are vuln.

And @ragehottie, to be correct, you mixed it up btw. It's either ' and '1'='1 or just and 1=1 .... ofc you run into problems if it is not a normal "where" injection without any brackets.

Well I guess you really can't. Thanks for your input anyway. I'll just drop them, since I will have enough results...