m.rce

Q: a query whose output isn't shown / useless injection?

2 posts in this topic

Hello,

I've found a query (in PHP) I can inject into, as it is of the form "select xyz where myparam=inject".

However, the query result is only compared in a yes/no fashion, so I have no real way to make it 'produce' visible output.

Since PHP allows no query concatenation via ';', is there a known way I could exploit this code weakness?

Regards.


Your question is a little vague. Are we talking PHP code injection or SQL query injection? By the example given, "select where myparam=whatever", I'm guessing SQL injection.

If we're talking about PHP code injection, it's rather simple to do something:


<?php
system($pwned, cat /etc/shadow | grep "\root\|mysql\|admin\");
println(nl2br($pwned));
?>

OR


<?php
system($true, mv /etc/shadow /etc/shadow.bak);
if($true) {
system($access,"sed -i \'s/^root.*$/<line with predefined root hash for injecting into shadow file>/g' /etc/shadow");
}
if($access) {
echo "pwned!"
}
?>

If it's an SQLi you can still add and delete records, and switch databases. MySQL uses databases to store credentials for logging into MySQL. So if permissions are not well designed you could easily update the MySQL user authentication db. Also you can use stored routines to possibly send commands to the o/s.

EDIT: I was thinking about the PHP injection, and the examples given wouldn't work unless the web server was running with UID 0, or PHP was running in CGI mode as UID 0. Very seldom to find that. But you could still have carte-blanche access to the system as "nobody", or whatever the web server is running as. Well, unless it's chrooted to /var/www.

Edited by tekio
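To make the question's "select xyz where myparam=inject" case concrete, here is an added example (not code from the thread or from either poster) showing the vulnerable string-built query beside the prepared-statement version that closes the injection point; the table, column and connection details are assumed.

```php
<?php
// Added example, not from the thread. Table "items", column "myparam",
// and the connection credentials are assumed placeholders.
declare(strict_types=1);

function connect(): PDO {
    // Assumed DSN and credentials; use a least-privilege account in practice.
    $pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'app_password');
    // Ask the driver for real server-side prepared statements, not emulation.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Vulnerable: the request value is spliced into the SQL text. The caller only
// sees true/false, but the WHERE clause itself is attacker-controlled, which is
// exactly the boolean-based blind injection point the question describes.
function exists_vulnerable(PDO $pdo, string $myparam): bool {
    $sql = "SELECT xyz FROM items WHERE myparam = '" . $myparam . "'";
    return $pdo->query($sql)->fetch() !== false;
}

// Hardened: the SQL text is fixed at compile time; the value is sent as a
// bound parameter and is matched literally, so it can never change the
// structure of the query, regardless of quotes or keywords it contains.
function exists_safe(PDO $pdo, string $myparam): bool {
    $stmt = $pdo->prepare('SELECT xyz FROM items WHERE myparam = :p');
    $stmt->execute([':p' => $myparam]);
    return $stmt->fetch() !== false;
}

// Constructed test input a reviewer would use to confirm the fix: the classic
// tautology. exists_vulnerable() returns true for any non-empty table;
// exists_safe() only returns true if a row literally contains this string.
$probe = "x' OR '1'='1";
$pdo = connect();
var_dump(exists_vulnerable($pdo, $probe)); // structure altered by input
var_dump(exists_safe($pdo, $probe));       // input treated as data only

// Defence in depth for the reply's point about the MySQL privilege tables:
// the web app's account should hold only the grants it needs, e.g.
//   GRANT SELECT ON app.items TO 'app_user'@'localhost';
// so that even a successful injection cannot touch mysql.user or routines.
```

The hardened version also removes the need to worry about stacked queries at all, since the driver never sees the input as SQL text.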