Penetration Testing mailing list archives
Breaking from MySQL to Linux system (SQL Injection).
From: Danett song <danett18 () yahoo com br>
Date: Sat, 21 Jul 2007 22:28:12 -0300 (ART)
Hello, I'm pentesting a customer in a blackbox method. I found a MySQL injection based on error response. I'm able to exploit it using a query like this one:

http://site/files/index.php?url=search.php&id=251%20UNION%20SELECT%20load_file(0x2F6574632F706173737764),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/*&coditem=251

It worked OK, so I could extract the contents of the passwd file. The server has magic quotes on, so I needed to hex encode the filenames. The PHP files are connected as user mysql. I made some tests without success:

a) Via another flaw I could disclose the DocumentRoot, which is /web/site. If I try to read the index.php file, using the same injection but only replacing /etc/passwd with /web/site/files/index.php (obviously hex encoding it), I get no reply! It doesn't return any content of index.php! It also works for /etc/hosts. Why isn't it working? Strange, huh? The default umask allows all users to read newly created files; I think it is very uncommon for a developer to remove the read permissions of all the .php files he uploads. Do you mean that is the case? Or am I missing something?

b) My goal is to be able to gain access to the Linux system running it; the server has only port 80 open. My best try was to create a .php file inside the DocumentRoot and try to access it via browser, but this file never got created. I'm not sure if it's because it doesn't have permissions, or because of problems related to quotes! I tried using the method in question a) but replacing the union with: Select <?phpinfo.php>? into outfile '/http/arquivos/phpinfo.php' I tried encoding both the PHP code and the filename with hex. I also tried replacing the quote (') in the name with (%). But nothing worked. The OWASP testing guide says that if my server has magic_quotes on, which is my case, it's not possible: http://www.owasp.org/index.php/Testing_for_MySQL However, NGSSoftware disagrees: http://www.ngssoftware.com/papers/HackproofingMySQL.pdf I also tried using char() encoding and the GBK 0xbf27 (I had never tried it before, but it appears not to work in this case). Any idea how to complete this attack?

c) Because I'm using a bunch of NULLs to validate the union statement, I can't do (at least I don't know how to do) complex selects, which require use of the comma (,), else it will break my union statement. How do I deal with it when my injected query has MORE commas than the commas used in the NULLs to validate the select?

d) Any idea how to break from MySQL to the Linux system?

Cheers
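A defender-side note, added here as an example that is not part of the original post or of the thread's replies: requests of the kind described above leave a distinctive trace in the web server's access log, and the hex-encoded filenames the poster mentions are trivial to decode back into the path being referenced. The following Python script is constructed for this page; the log lines are made up (IP addresses from documentation ranges, the first request mirroring the UNION/load_file() URL quoted in the post, the second using the INTO OUTFILE syntax the post asks about, the third benign). It parses common-log-format lines, URL-decodes every query parameter, rewrites MySQL 0x... literals as text so the analyst sees the referenced path, and flags UNION SELECT, load_file() and INTO OUTFILE/DUMPFILE.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines (common log format), not taken from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Jul/2007:22:10:01 -0300] "GET /files/index.php?url=search.php&id=251%20UNION%20SELECT%20load_file(0x2F6574632F706173737764),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/*&coditem=251 HTTP/1.1" 200 4120
203.0.113.5 - - [21/Jul/2007:22:12:45 -0300] "GET /files/index.php?url=search.php&id=251%20UNION%20SELECT%201%20INTO%20OUTFILE%20'/tmp/t'/*&coditem=251 HTTP/1.1" 500 210
198.51.100.7 - - [21/Jul/2007:22:13:02 -0300] "GET /files/index.php?url=search.php&id=251&coditem=251 HTTP/1.1" 200 3980
"""

# Minimal common-log-format parser: client IP, timestamp, request target, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# MySQL hexadecimal string literal, e.g. 0x2F6574632F706173737764 == '/etc/passwd'.
HEX_LITERAL_RE = re.compile(r'0x([0-9A-Fa-f]{2,})')

# Signatures for the primitives discussed in the thread; order determines report order.
SIGNATURES = [
    ("union_select", re.compile(r'\bunion\b\s+(?:all\s+)?select\b', re.I)),
    ("load_file", re.compile(r'\bload_file\s*\(', re.I)),
    ("into_outfile", re.compile(r'\binto\s+(?:out|dump)file\b', re.I)),
]


def decode_hex_literals(text):
    """Replace MySQL 0x... literals with their decoded ASCII text.

    Literals that do not decode cleanly (odd length, non-ASCII bytes) are left as-is
    so that a malformed literal never hides the rest of the value.
    """
    def repl(match):
        try:
            return bytes.fromhex(match.group(1)).decode("ascii")
        except ValueError:  # includes UnicodeDecodeError
            return match.group(0)
    return HEX_LITERAL_RE.sub(repl, text)


def analyze_request(target):
    """Return {param: {"hits": [...], "decoded": str}} for every suspicious parameter."""
    findings = {}
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl already URL-decodes once; a second unquote_plus catches
        # double-encoded payloads, and the hex decode exposes 0x... file paths.
        decoded = decode_hex_literals(unquote_plus(value))
        hits = [sig for sig, rx in SIGNATURES if rx.search(decoded)]
        if hits:
            findings[name] = {"hits": hits, "decoded": decoded}
    return findings


def scan_log(text):
    """Scan access-log text and return one alert dict per request that hit a signature."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyze_request(m.group("target"))
        if findings:
            alerts.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "findings": findings,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        for param, info in alert["findings"].items():
            print(f'{alert["ts"]} {alert["ip"]} status={alert["status"]} '
                  f'param={param} hits={",".join(info["hits"])}')
            print(f'    decoded: {info["decoded"]}')
```

Run as a script it prints one alert per flagged request, with the decoded parameter underneath so that 0x2F6574632F706173737764 shows up as /etc/passwd. Detection is the second line of defence; the settings that decide whether questions a) and b) above matter at all are whether the query is built from an unvalidated parameter in the first place (an integer id bound as a query parameter cannot carry a UNION) and whether the application's database account holds the FILE privilege, which both load_file() and INTO OUTFILE require, and which should be revoked from web-facing accounts (with secure_file_priv set on MySQL versions that support it).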
Current thread:
- Breaking from MySQL to Linux system (SQL Injection). Danett song (Jul 23)
- Re: Breaking from MySQL to Linux system (SQL Injection). Marco Ivaldi (Jul 26)