Author Topic: SQL injection + stacked queries  (Read 6644 times)

0 Members and 1 Guest are viewing this topic.

Offline worf2910

  • /dev/null
  • *
  • Posts: 9
  • Cookies: 0
    • View Profile
SQL injection + stacked queries
« on: November 26, 2011, 03:39:04 am »
Hi All.
Just a strange story :)
PHP mysql_query method does not support multiple (stacked) queries.
Then even if I can read username and password from the selected DB the problem remains cause if the password is hashed using, for instance, the MySQL PASSWORD() function is a 41 digits. Using cracker as John The Ripper or Cain and Abel and/or Rainbow tables is useful ONLY if those passwords are 7-10 digits long. If they are, for instance, 15 digits it will take centuries to decrypt them.
BUT... one of my friends has been attacked with queries using ONLY the SELECT statement. I mean, the attacker had full access to the admin page simply ovverriding the administration page! He is using PHP-MySQL. How is it possible?
Hope you can shed some more lights on this subject. Many thanks

Worf
 

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: SQL injection + stacked queries
« Reply #1 on: November 26, 2011, 05:00:04 am »
No such thing as PHP-MySQL?

He might have uploaded a file by using the "into outfile" command perhaps, or maybe he read some config files or other sensitive info with the read_file() command. Or perhaps he just cracked the pw? The MySQL password() function is crap anyway, brute force is plausible. A dictionary attack would probably be better tho.
« Last Edit: November 26, 2011, 05:00:34 am by ande »
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline worf2910

  • /dev/null
  • *
  • Posts: 9
  • Cookies: 0
    • View Profile
Re: SQL injection + stacked queries
« Reply #2 on: November 26, 2011, 07:26:25 am »
Thank you for the answer. For sure the attack was made using some queries with SQLmap or another SQLi tool. No files uploaded nor read. As I say it is impossible to crack a password that is for sure 15 digits or more (example: Password2IS9ThiS10). The attacker used a query with only the SELECT statement. That's really incredible. I will put on my site a test. If someone is interested to try to access the site, ok, that is the challenge! The version of the program I will put in is for sure sensible to SQLi. I've tried many ways to access the administration page without success.
Cheers
Worf

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: SQL injection + stacked queries
« Reply #3 on: November 26, 2011, 05:26:58 pm »
Thank you for the answer. For sure the attack was made using some queries with SQLmap or another SQLi tool. No files uploaded nor read. As I say it is impossible to crack a password that is for sure 15 digits or more (example: Password2IS9ThiS10). The attacker used a query with only the SELECT statement. That's really incredible. I will put on my site a test. If someone is interested to try to access the site, ok, that is the challenge! The version of the program I will put in is for sure sensible to SQLi. I've tried many ways to access the administration page without success.
Cheers
Worf

No password is impossible to crack mate. Like I said, there are other ways than brute force. And I dont understand what you mean with him only using SELECT statement. Most SQL injections are only SELECT statement(s).
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline ca0s

  • VIP
  • Sir
  • *
  • Posts: 432
  • Cookies: 53
    • View Profile
    • ka0labs #
Re: SQL injection + stacked queries
« Reply #4 on: November 26, 2011, 05:47:23 pm »
SQL injection at login form? If so, no password cracking needed. Like
SELECT id FROM admin WHERE name='admin' and pass=MYSQL_PASSWORD('
') OR('a'='a   ---> injection, input password
')
Meh, my SQLi-jutsu is kinda rusty.

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: SQL injection + stacked queries
« Reply #5 on: November 26, 2011, 06:03:55 pm »
SQL injection at login form? If so, no password cracking needed. Like
SELECT id FROM admin WHERE name='admin' and pass=MYSQL_PASSWORD('
') OR('a'='a   ---> injection, input password
')
Meh, my SQLi-jutsu is kinda rusty.

Yup, that could be a possibility to.
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline worf2910

  • /dev/null
  • *
  • Posts: 9
  • Cookies: 0
    • View Profile
Re: SQL injection + stacked queries
« Reply #6 on: November 26, 2011, 06:47:50 pm »
Ok you are the experts. My knowledge of SQLi is no or little. The attacker used a long query with only SELECT statements to access the site. That's all. And 'a'='a etc. is old hat. It doesnt work today. What I mean about SELECT statement is that it can be used only to SEARCH or RETRIEVE records from the DB. To UPDATE or INSERT new data is impossible with PHP+MySQL. I know that cracking password in not impossible if you are a God living forever. Come on. It takes centuries to crack a 15 digits password. If you think you can crack every password I give you this one: FD20F5AB4568F36067A520B22BB8F2E038CAC8A5
Ok, go for it and good luck.

Thx for your help.

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: SQL injection + stacked queries
« Reply #7 on: November 26, 2011, 07:35:08 pm »
Ok you are the experts. My knowledge of SQLi is no or little. The attacker used a long query with only SELECT statements to access the site. That's all. And 'a'='a etc. is old hat. It doesnt work today. What I mean about SELECT statement is that it can be used only to SEARCH or RETRIEVE records from the DB. To UPDATE or INSERT new data is impossible with PHP+MySQL. I know that cracking password in not impossible if you are a God living forever. Come on. It takes centuries to crack a 15 digits password. If you think you can crack every password I give you this one: FD20F5AB4568F36067A520B22BB8F2E038CAC8A5
Ok, go for it and good luck.

Thx for your help.


The and 'a'='a still works on a lot of places. Totally shit pages ofc, but it still works.

UPDATE and INSERT works just fine with PHP+MySQL? I believe what you mean is, you cant do a INSERT or UPDATE command in a SELECT query unless the script in made in such a way that it allows multiple queries.

Cracking a 15 character password takes no more time than cracking a 1 character password when using wordlist. Doing brute force on a 15 char password on the other hand, is madness.


I am not trying to be an ass, I am just stating what is obvious and most likely. There is no such thing as super SQL injection doing some magic shit.
Put your page online somewhere, or send me the script and I can tell you exactly what he did ;)
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline worf2910

  • /dev/null
  • *
  • Posts: 9
  • Cookies: 0
    • View Profile
Re: SQL injection + stacked queries
« Reply #8 on: November 26, 2011, 08:05:39 pm »
Ok ande.
I sent you a message.
« Last Edit: November 26, 2011, 08:05:56 pm by worf2910 »

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: SQL injection + stacked queries
« Reply #9 on: November 26, 2011, 08:21:59 pm »
Ok ande.
I sent you a message.

Havent gotten any
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline worf2910

  • /dev/null
  • *
  • Posts: 9
  • Cookies: 0
    • View Profile
Re: SQL injection + stacked queries
« Reply #10 on: November 26, 2011, 09:15:14 pm »
Havent gotten any

Uhm...maybe some troubles with evilzone mail.
How can I write you?

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: SQL injection + stacked queries
« Reply #11 on: November 26, 2011, 09:16:33 pm »
Uhm...maybe some troubles with evilzone mail.
How can I write you?

How and what and where did you send? Just send a private message (http://evilzone.org/index.php?action=pm;sa=send;u=1). Or email me at ande at evilzone.org.
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline worf2910

  • /dev/null
  • *
  • Posts: 9
  • Cookies: 0
    • View Profile
Re: SQL injection + stacked queries
« Reply #12 on: November 26, 2011, 09:25:33 pm »
How and what and where did you send? Just send a private message (http://evilzone.org/index.php?action=pm;sa=send;u=1). Or email me at ande at evilzone.org.

ok...sent...