Critical SQL Injection (http://cshe.berkeley.edu/)

Today we shall look at an SQL injection flaw on the site http://cshe.berkeley.edu/. The bug is in the parameter s of the script http://cshe.berkeley.edu/publications/publications.php. If you append " and 1=1 " to the parameter, the script inserts it into the SQL query unchanged. That means the flaw is there and we can use it.

Let's try to find out how many fields the query returns. In my case it turned out to be four. The following request executed correctly:

http://cshe.berkeley.edu/publications/publications.php?s=1%20and%201=1%20union%20select%201,2,3,4

The parameter s=1 displays the first article from the site's database. Now we need to make the article with number 1 disappear. To do this, find the injected condition 1=1 in the URL and replace it with 1=0. The article with ID=1 disappears, and in its place appears whatever the injected query returns. My injected query returns four fields with the values 1 to 4, which makes it easy to find where on the page each field is shown.

As you can see, the number 1 does not appear on the page. It is probably the identifier, which is not displayed. The numbers 2 to 3 are displayed, so in any of those positions it is possible to substitute field names or other functions.

Let's try to get the database version, the user name and the database name. To do this, put the functions VERSION(), USER() and DATABASE() in place of the last number 4 in the URL shown above. None of these functions returns anything: the browser loads a page with the message that there is nothing to display. As there are no error messages, we cannot determine precisely which database is used. Maybe it is not MySQL and these functions do not exist?

Is it MySQL? Let's try injecting a query that joins the table mysql.user:

http://cshe.berkeley.edu/publications/publications.php?s=1%20and%201=0%20union%20select%201,2,3,4%20from%20mysql.user

The query succeeds. The database mysql exists and MySQL has the table user. So the SQL injection is real. Let's try to display a user name from this table: instead of the 4 in the URL shown above we insert the field name user. Again we get an error.

One more test: instead of the numbers in the injected query, let's put text. There is an error again! It means the query can return numbers only.

Let's try to inject the following line:

CHAR (60,72,49,62,117,115,101,114,60,47,72,49,62)

It is an encoded line:

<h1> user </h1>

I put this code in place of the third parameter of the injected query. Success :). The word user appeared on the result page, and with formatting (the <h1> tag). So we can inject JavaScript code too!

But if the bug were that primitive, I would not have included it in this review of bugs on the Internet. I have already rejected many sites with similar bugs. There is something more interesting here.

We can inject code, and we have learned how to pass text with the help of the CHAR function. We can also be sure that we are dealing with a real MySQL database. What does that give us? There is the function LOAD_FILE, which can load any file on the server. Let's try to load the password file /etc/passwd:

LOAD_FILE (char (47,101,116,99,47,112,97,115,115,119,100))

In the brackets I have encoded the path /etc/passwd.

Let's insert this code in the URL in place of any of the three parameters (except the first) and load the page. My God! It is the list of users on the server:





Copyright © Flenov.net 2008. All rights reserved
www.flenov.net