Author Topic: SQL injection + stacked queries  (Read 6639 times)

worf2910
« on: November 26, 2011, 03:39:04 am »
Hi All.
Just a strange story :)
PHP mysql_query method does not support multiple (stacked) queries.
Then even if I can read the username and password from the selected DB, the problem remains, because if the password is hashed using, for instance, the MySQL PASSWORD() function, it is 41 digits. Using a cracker such as John The Ripper or Cain and Abel and/or Rainbow tables is useful ONLY if those passwords are 7-10 digits long. If they are, for instance, 15 digits it will take centuries to decrypt them.
BUT... one of my friends has been attacked with queries using ONLY the SELECT statement. I mean, the attacker had full access to the admin page simply overriding the administration page! He is using PHP-MySQL. How is it possible?
Hope you can shed some more light on this subject. Many thanks

Worf
 

ande
« Reply #1 on: November 26, 2011, 05:00:04 am »
No such thing as PHP-MySQL?

He might have uploaded a file by using the "into outfile" command perhaps, or maybe he read some config files or other sensitive info with the read_file() command. Or perhaps he just cracked the pw? The MySQL password() function is crap anyway, brute force is plausible. A dictionary attack would probably be better tho.
« Last Edit: November 26, 2011, 05:00:34 am by ande »
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

worf2910
« Reply #2 on: November 26, 2011, 07:26:25 am »
Thank you for the answer. For sure the attack was made using some queries with SQLmap or another SQLi tool. No files uploaded nor read. As I say it is impossible to crack a password that is for sure 15 digits or more (example: Password2IS9ThiS10). The attacker used a query with only the SELECT statement. That's really incredible. I will put on my site a test. If someone is interested to try to access the site, ok, that is the challenge! The version of the program I will put in is for sure sensible to SQLi. I've tried many ways to access the administration page without success.
Cheers
Worf

ande
« Reply #3 on: November 26, 2011, 05:26:58 pm »
> Thank you for the answer. For sure the attack was made using some queries with SQLmap or another SQLi tool. No files uploaded nor read. As I say it is impossible to crack a password that is for sure 15 digits or more (example: Password2IS9ThiS10). The attacker used a query with only the SELECT statement. That's really incredible. I will put on my site a test. If someone is interested to try to access the site, ok, that is the challenge! The version of the program I will put in is for sure sensible to SQLi. I've tried many ways to access the administration page without success.
> Cheers
> Worf

No password is impossible to crack mate. Like I said, there are other ways than brute force. And I don't understand what you mean with him only using SELECT statement. Most SQL injections are only SELECT statement(s).

ca0s
« Reply #4 on: November 26, 2011, 05:47:23 pm »
SQL injection at login form? If so, no password cracking needed. Like
SELECT id FROM admin WHERE name='admin' and pass=MYSQL_PASSWORD('
') OR('a'='a   ---> injection, input password
')
Meh, my SQLi-jutsu is kinda rusty.

ande
« Reply #5 on: November 26, 2011, 06:03:55 pm »
> SQL injection at login form? If so, no password cracking needed. Like
> SELECT id FROM admin WHERE name='admin' and pass=MYSQL_PASSWORD('
> ') OR('a'='a   ---> injection, input password
> ')
> Meh, my SQLi-jutsu is kinda rusty.

Yup, that could be a possibility too.

worf2910
« Reply #6 on: November 26, 2011, 06:47:50 pm »
Ok you are the experts. My knowledge of SQLi is no or little. The attacker used a long query with only SELECT statements to access the site. That's all. And 'a'='a etc. is old hat. It doesn't work today. What I mean about SELECT statement is that it can be used only to SEARCH or RETRIEVE records from the DB. To UPDATE or INSERT new data is impossible with PHP+MySQL. I know that cracking password is not impossible if you are a God living forever. Come on. It takes centuries to crack a 15 digits password. If you think you can crack every password I give you this one: FD20F5AB4568F36067A520B22BB8F2E038CAC8A5
Ok, go for it and good luck.

Thx for your help.

ande
« Reply #7 on: November 26, 2011, 07:35:08 pm »
> Ok you are the experts. My knowledge of SQLi is no or little. The attacker used a long query with only SELECT statements to access the site. That's all. And 'a'='a etc. is old hat. It doesn't work today. What I mean about SELECT statement is that it can be used only to SEARCH or RETRIEVE records from the DB. To UPDATE or INSERT new data is impossible with PHP+MySQL. I know that cracking password is not impossible if you are a God living forever. Come on. It takes centuries to crack a 15 digits password. If you think you can crack every password I give you this one: FD20F5AB4568F36067A520B22BB8F2E038CAC8A5
> Ok, go for it and good luck.
>
> Thx for your help.


The and 'a'='a still works on a lot of places. Totally shit pages ofc, but it still works.

UPDATE and INSERT work just fine with PHP+MySQL? I believe what you mean is, you can't do an INSERT or UPDATE command in a SELECT query unless the script is made in such a way that it allows multiple queries.

Cracking a 15 character password takes no more time than cracking a 1 character password when using wordlist. Doing brute force on a 15 char password on the other hand, is madness.


I am not trying to be an ass, I am just stating what is obvious and most likely. There is no such thing as super SQL injection doing some magic shit.
Put your page online somewhere, or send me the script and I can tell you exactly what he did ;)
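
Added example, not code from any poster in this thread: it runs the login query quoted in reply #4 once with string concatenation and once with placeholders, and shows the point made in reply #7 that a driver refusing stacked statements does not stop a SELECT-only login bypass. Assumptions: in-memory SQLite stands in for PHP+MySQL, PASSWORD() is re-implemented as SHA1(SHA1(pw)), and the table data, function names and the STACKED input are constructed.

```python
import hashlib
import sqlite3

def mysql_password(pw):
    # MySQL 4.1+ PASSWORD(): '*' + uppercase hex SHA1(SHA1(pw)), 41 characters.
    inner = hashlib.sha1(pw.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def make_db():
    # Constructed sample data; in-memory SQLite stands in for MySQL.
    conn = sqlite3.connect(":memory:")
    conn.create_function("PASSWORD", 1, mysql_password)
    conn.execute("CREATE TABLE admin (id INTEGER, name TEXT, pass TEXT)")
    conn.execute("INSERT INTO admin VALUES (1, 'admin', PASSWORD(?))",
                 ("constructed-15+char-passphrase",))
    conn.commit()
    return conn

def login_concat(conn, name, password):
    # Vulnerable: input is pasted into the SQL text, as in the quoted query.
    sql = ("SELECT id FROM admin WHERE name='" + name +
           "' AND pass=PASSWORD('" + password + "')")
    try:
        return conn.execute(sql).fetchone() is not None
    except (sqlite3.Error, sqlite3.Warning):
        return False  # syntax error, or a second statement was refused

def login_param(conn, name, password):
    # Hardened: placeholders keep the input as data, never as SQL syntax.
    sql = "SELECT id FROM admin WHERE name=? AND pass=PASSWORD(?)"
    return conn.execute(sql, (name, password)).fetchone() is not None

def stored_hash(conn):
    return conn.execute("SELECT pass FROM admin WHERE id=1").fetchone()[0]

TAUTOLOGY = "') OR('a'='a"  # the input from reply #4
STACKED = "'); UPDATE admin SET pass='' WHERE ('a'='a"  # constructed

if __name__ == "__main__":
    db = make_db()
    before = stored_hash(db)
    print("concat + wrong password :", login_concat(db, "admin", "guess"))
    print("concat + tautology      :", login_concat(db, "admin", TAUTOLOGY))
    print("concat + stacked UPDATE :", login_concat(db, "admin", STACKED))
    print("hash unchanged          :", stored_hash(db) == before)
    print("param  + tautology      :", login_param(db, "admin", TAUTOLOGY))
```

The single-statement execute() call rejects the stacked input and the stored hash stays intact, yet the tautology still passes the concatenated check without the password ever being cracked; only the placeholder version refuses it.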

worf2910
« Reply #8 on: November 26, 2011, 08:05:39 pm »
Ok ande.
I sent you a message.
« Last Edit: November 26, 2011, 08:05:56 pm by worf2910 »

ande
« Reply #9 on: November 26, 2011, 08:21:59 pm »
> Ok ande.
> I sent you a message.

Haven't gotten any

worf2910
« Reply #10 on: November 26, 2011, 09:15:14 pm »
> Haven't gotten any

Uhm...maybe some troubles with evilzone mail.
How can I write you?

ande
« Reply #11 on: November 26, 2011, 09:16:33 pm »
> Uhm...maybe some troubles with evilzone mail.
> How can I write you?

How and what and where did you send? Just send a private message (http://evilzone.org/index.php?action=pm;sa=send;u=1). Or email me at ande at evilzone.org.

worf2910
« Reply #12 on: November 26, 2011, 09:25:33 pm »
> How and what and where did you send? Just send a private message (http://evilzone.org/index.php?action=pm;sa=send;u=1). Or email me at ande at evilzone.org.

ok...sent...