Go Back   Nexodyne Forums > General > Off Topic
Reload this Page SQL Vulnerability
User Name
Password
Reply
 
Thread Tools Display Modes

  #1  
Old 04-21-2011, 08:07 PM
Christouffer Christouffer is offline
Administrator
 
Join Date: Apr 2002
Age: 32
Posts: 1,729
Christouffer is a God.Christouffer is a God.Christouffer is a God.Christouffer is a God.Christouffer is a God.Christouffer is a God.Christouffer is a God.Christouffer is a God.Christouffer is a God.Christouffer is a God.Christouffer is a God.
SQL Vulnerability

Found it here:

http://www.jpcsp.org/index.php?p=Compat&c=b

To see what I'm talking about, change the trailing 'b' on that URL to '
__________________
"We can only see a short distance ahead, but we can see plenty there that needs to be done."
Alan Turing

"We make our world significant by the courage of our questions and by the depth of our answers."
Carl Sagan


Reply With Quote

  #2  
Old 04-23-2011, 03:21 AM
Biddykins's Avatar
Biddykins Biddykins is offline
Administrator
I am Bid!  
Join Date: Oct 2001
Age: 32
Posts: 6,725
Biddykins is a God.Biddykins is a God.Biddykins is a God.Biddykins is a God.Biddykins is a God.Biddykins is a God.Biddykins is a God.Biddykins is a God.Biddykins is a God.Biddykins is a God.Biddykins is a God.
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%'' at line 1"

?
__________________
"Bid is the man of the hour, get him a damn award or somthing."
"I party with my dad, we've done a few things together I probably shouldn't speak about."
"As a Christian, I find all forms of religion (except Christianity) to be very harmful to it's members"
"If he is not smart enough to invent something to improve his own quality of life how is he smart enough to tell us all there is no GOD"
Reply With Quote

  #3  
Old 04-23-2011, 10:16 AM
Rick's Avatar
Rick Rick is offline
Contributor of Idiocy
 
Join Date: Aug 2002
Location: USA
Age: 30
Posts: 3,666
Rick is a splendid one to beholdRick is a splendid one to beholdRick is a splendid one to beholdRick is a splendid one to behold
Quote:
Originally Posted by Biddykins
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%'' at line 1"

?

Exactly. That's how you know it's vulnerable lol.

Good find Chris, however there isn't much to be done with that site. I aim for exploiting a lot of oscommerce or other shopping sites, since you can sometimes get access to customer information and sell them on sites such as cardersplace.info, infraud.cc, carder.su, etc...
__________________
Quote:
(7:32:05 PM) Crescent0mega: brb smoking this 4 year old cock

Reply With Quote

  #4  
Old 04-29-2011, 03:18 AM
Biddykins's Avatar
Biddykins Biddykins is offline
Administrator
I am Bid!  
Join Date: Oct 2001
Age: 32
Posts: 6,725
Biddykins is a God.Biddykins is a God.Biddykins is a God.Biddykins is a God.Biddykins is a God.Biddykins is a God.Biddykins is a God.Biddykins is a God.Biddykins is a God.Biddykins is a God.Biddykins is a God.
Quote:
Originally Posted by Rick
Exactly. That's how you know it's vulnerable lol.

Good find Chris, however there isn't much to be done with that site. I aim for exploiting a lot of oscommerce or other shopping sites, since you can sometimes get access to customer information and sell them on sites such as cardersplace.info, infraud.cc, carder.su, etc...

Do explain. It just looks like an error to me
__________________
"Bid is the man of the hour, get him a damn award or somthing."
"I party with my dad, we've done a few things together I probably shouldn't speak about."
"As a Christian, I find all forms of religion (except Christianity) to be very harmful to it's members"
"If he is not smart enough to invent something to improve his own quality of life how is he smart enough to tell us all there is no GOD"
Reply With Quote

  #5  
Old 04-29-2011, 10:10 AM
Jakub's Avatar
Jakub Jakub is offline
Contributor
 
Join Date: Dec 2003
Posts: 4,294,966,002
Jakub is an unknown quantity at this point
Quote:
Originally Posted by Biddykins
Do explain. It just looks like an error to me

yah us un1337 haqers don't know what you're all gibber gabbing about.
Reply With Quote

  #6  
Old 04-29-2011, 10:42 AM
Dragoon Dragoon is offline
Contributor Pirate
 
Join Date: Jul 2004
Age: 31
Posts: 1,555
Dragoon is a jewel in the roughDragoon is a jewel in the rough
Send a message via MSN to Dragoon
Quote:
Originally Posted by Biddykins
Do explain. It just looks like an error to me


Basically, that error seems to indicate that it's just plugging the value from the URL directly into an SQL query without sanitizing it (removing special characters like the single-quote, ' ). If one were so inclined, they could take advantage of this by injecting their own code into the query, by changing that string to something like

Robert'); DROP TABLE students;--

And because their shitty website doesn't bother to make sure that string is safe before plugging it in, the parser will execute the command to drop the entire table named 'students' if there is one. Could do all sorts of fun things with this.
Reply With Quote

  #7  
Old 04-29-2011, 01:46 PM
Rick's Avatar
Rick Rick is offline
Contributor of Idiocy
 
Join Date: Aug 2002
Location: USA
Age: 30
Posts: 3,666
Rick is a splendid one to beholdRick is a splendid one to beholdRick is a splendid one to beholdRick is a splendid one to behold
Quote:
Originally Posted by Dragoon
Basically, that error seems to indicate that it's just plugging the value from the URL directly into an SQL query without sanitizing it (removing special characters like the single-quote, ' ). If one were so inclined, they could take advantage of this by injecting their own code into the query, by changing that string to something like

Robert'); DROP TABLE students;--

And because their shitty website doesn't bother to make sure that string is safe before plugging it in, the parser will execute the command to drop the entire table named 'students' if there is one. Could do all sorts of fun things with this.

I thought there was an update a while ago that made it so you can't do multiple commands in a single query. So the whole

[COMMAND]; [COMMAND] doesn't work --
if the SQL query is SELECT * FROM students WHERE i = (url input), you couldn't write 1'; DROP TABLE students;--

If I'm wrong and you CAN run multiple commands, then I must've been doing it wrong and lost profit on tons of systems.
__________________
Quote:
(7:32:05 PM) Crescent0mega: brb smoking this 4 year old cock

Reply With Quote

  #8  
Old 04-29-2011, 05:24 PM
Biddykins's Avatar
Biddykins Biddykins is offline
Administrator
I am Bid!  
Join Date: Oct 2001
Age: 32
Posts: 6,725
Biddykins is a God.Biddykins is a God.Biddykins is a God.Biddykins is a God.Biddykins is a God.Biddykins is a God.Biddykins is a God.Biddykins is a God.Biddykins is a God.Biddykins is a God.Biddykins is a God.
Quote:
Originally Posted by Rick
I thought there was an update a while ago that made it so you can't do multiple commands in a single query. So the whole

[COMMAND]; [COMMAND] doesn't work --
if the SQL query is SELECT * FROM students WHERE i = (url input), you couldn't write 1'; DROP TABLE students;--

If I'm wrong and you CAN run multiple commands, then I must've been doing it wrong and lost profit on tons of systems.

And how does SQL injection relate to profit at all? I'm seriously lost here, haha.
__________________
"Bid is the man of the hour, get him a damn award or somthing."
"I party with my dad, we've done a few things together I probably shouldn't speak about."
"As a Christian, I find all forms of religion (except Christianity) to be very harmful to it's members"
"If he is not smart enough to invent something to improve his own quality of life how is he smart enough to tell us all there is no GOD"
Reply With Quote

  #9  
Old 04-29-2011, 10:14 PM
Dragoon Dragoon is offline
Contributor Pirate
 
Join Date: Jul 2004
Age: 31
Posts: 1,555
Dragoon is a jewel in the roughDragoon is a jewel in the rough
Send a message via MSN to Dragoon
Quote:
Originally Posted by Rick
I thought there was an update a while ago that made it so you can't do multiple commands in a single query. So the whole

[COMMAND]; [COMMAND] doesn't work --
if the SQL query is SELECT * FROM students WHERE i = (url input), you couldn't write 1'; DROP TABLE students;--

If I'm wrong and you CAN run multiple commands, then I must've been doing it wrong and lost profit on tons of systems.


No idea, I've only got the vaguest understanding of PHP/SQL security right now. That description was from my own memory rather than a more reliable source, so it's likely not entirely accurate or up to date.

Quote:
Originally Posted by Biddykins
And how does SQL injection relate to profit at all? I'm seriously lost here, haha.


Well, like Rick said, you can sometimes get the site to dump out all sorts of information that might be worth something in the seedier parts of the interwebs, like credit card info or mailing/email addresses for spam.
Reply With Quote

  #10  
Old 04-30-2011, 02:50 PM
Rick's Avatar
Rick Rick is offline
Contributor of Idiocy
 
Join Date: Aug 2002
Location: USA
Age: 30
Posts: 3,666
Rick is a splendid one to beholdRick is a splendid one to beholdRick is a splendid one to beholdRick is a splendid one to behold
Quote:
Originally Posted by Dragoon
Well, like Rick said, you can sometimes get the site to dump out all sorts of information that might be worth something in the seedier parts of the interwebs, like credit card info or mailing/email addresses for spam.


Exactly. It's rare that oscommerce sites store cc info, but every once in a while you can find one that does. A DB with thousands of valid CCs can be sold for quite a bit of money. You don't even have to use the cards yourself, thus making it a little safer.

You can also harvest emails and sell them to spam companies. I hacked the pentel db (www.pentel.com) a while back, it had hundreds of thousands of email addresses. I sold them for a couple hundred bucks, which is pretty cheap considering they were all unique and non-public emails.

The pentel DB also had the passwords to all those emails (the password for their login for the site) -- I ran that with a Paypal checker, testing those emails with the passwords, and got a few thousand working PPs as well.
__________________
Quote:
(7:32:05 PM) Crescent0mega: brb smoking this 4 year old cock

Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump



All times are GMT -5. The time now is 07:59 AM.


vBulletin style developed by Transverse Styles

Powered by: vBulletin Version 3.0.7
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.
All content copyright ©2004 NeoHacks LLC. (http://nexodyne.com/)