Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
(my) SQL Injection in mysql.com :-)
Posted by: alf
Date: January 12, 2007 06:31PM

http://mysql.com/customers/customer.php?id=38%20AND%201=1

imho very funny ;-)
webmaster got informed, fulldisc-list will be notified asap after webmaster replied

cheers alf

Re: (my) SQL Injection in mysql.com :-)
Posted by: jungsonn
Date: January 13, 2007 08:20AM

Cool, can you only perform logical stuff? Or also potentially dangerous ones?

Re: (my) SQL Injection in mysql.com :-)
Posted by: alf
Date: January 13, 2007 03:51PM

Hm, I mean I'm no database guru, but if my "logical stuff" is executed, I could find out the table_name and DROP the table; if you find out the users table then you'll probably be able to get passwords (hashes). But that's quite a lot of work, I think.


cheers

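Why the "logical stuff" in the first post's URL matters, as an added example that is not from any poster in this thread or from MySQL's site code: a lookup that pastes `id` into the SQL text evaluates the appended condition, while one that validates and binds the value does not. The table, its rows and the function names are constructed for illustration, and SQLite stands in for the real database.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for a customers table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)",
                   [(38, "Example Corp"), (44, "Sample GmbH")])
    return db

def lookup_vulnerable(db, raw_id):
    # The request parameter is pasted into the SQL text, so anything after
    # the number is parsed as SQL.
    sql = "SELECT name FROM customers WHERE id = " + raw_id
    return db.execute(sql).fetchall()

def lookup_hardened(db, raw_id):
    # Reject anything that is not a plain decimal id, then bind it as a
    # parameter so the value can never become SQL syntax.
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("id must be a decimal integer")
    return db.execute("SELECT name FROM customers WHERE id = ?",
                      (int(raw_id),)).fetchall()

def condition_is_evaluated(lookup, db):
    # Regression check: if an appended true condition and an appended false
    # condition give different results, the parameter reaches the SQL parser.
    try:
        true_rows = lookup(db, "38 AND 1=1")
        false_rows = lookup(db, "38 AND 1=2")
    except ValueError:
        return False
    return true_rows != false_rows

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", condition_is_evaluated(lookup_vulnerable, db))
    print("hardened:  ", condition_is_evaluated(lookup_hardened, db))
```
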
Re: (my) SQL Injection in mysql.com :-)
Posted by: jungsonn
Date: January 14, 2007 04:15AM

It depends if they only allow certain logical selections, could be useful in some cases. You could try to select the db user, or try to count rows :) pretty harmless. But, I think it's better not to try it out ^^ I'm interested in what they have to say about it, will you post their reply?

Re: (my) SQL Injection in mysql.com :-)
Posted by: SystemOfAHack
Date: January 26, 2007 07:39AM

If one were able to add new data into tables (say the one for forums or such), would it be possible to add PHP which performs system() commands when parsed, then just access the data normally by browsing for it? Or would PHP not work like this and just return <?php evilness here ?> to the client?

Re: (my) SQL Injection in mysql.com :-)
Posted by: jungsonn
Date: January 26, 2007 11:54AM

It's possible to run system commands in MySQL with PHP, but in SQL Server it's far more dangerous, you can do a lot more with simple vectors. Protecting a SQL Server is a huge task. It's also possible to move records, copy and transfer it to another record, loading the boot.ini and every Windows system file. So yes, it can be done.

Re: (my) SQL Injection in mysql.com :-)
Posted by: alf
Date: January 26, 2007 01:43PM

Thank you for contacting MySQL AB,

We have fixed this, thanks again for pointing it out to us.


Hope this helps,

MySQL Web Team
---------------------------------------------------------------------

nah, 2 sentences, I hoped for more :(

cheers alf

Re: (my) SQL Injection in mysql.com :-)
Posted by: jungsonn
Date: January 26, 2007 09:58PM

Damn... a tad less than I hoped for. Pretty weak reply, certainly considering that they 'fixed' it. I really thought they would allow a few vectors to pass, and respond that they 'knew'.

Re: (my) SQL Injection in mysql.com :-)
Posted by: rsnake
Date: January 27, 2007 09:42PM

Hahah... that's what we call "irony". Very nice find. Too bad they weren't more gracious - you really did them a favor by responsible disclosure. More than a bad guy would have done that's for sure.

- RSnake
Gotta love it. http://ha.ckers.org

Re: (my) SQL Injection in mysql.com :-)..
Posted by: _sniff
Date: February 14, 2007 01:43AM

http://www.mysql.com/customers/customer.php?id=44%22%3C%3E

(check out the different lang links, rightmost corner)
it is rendering into the page source, but I don't have much time now to play with it...
hope you people may find something??
I won't say it is vulnerable to XSS (haven't tested much), but you people may find something out of the box.

- sn|ff

Re: (my) SQL Injection in mysql.com :-)
Posted by: trev
Date: February 14, 2007 10:45AM

It is vulnerable but only in Internet Explorer (Firefox and Opera will escape the quotes):

http://www.mysql.com/customers/customer.php?id=44"/style="xss:expression(alert('xss'))"

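The server-side half of what the two posts above describe, as an added example that is not from the thread or from MySQL's site code: when `id` is written into the language links without encoding, the quote in the posted value closes the `href` attribute and the parser sees a new `style` attribute, and encoding on output prevents that in every browser. The link layout, language codes and function names are assumptions for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

LANGS = ("en", "de", "fr")  # assumed language codes for the links

def lang_links_vulnerable(raw_id):
    # The parameter is copied into the href attribute unencoded, so a double
    # quote in it closes the attribute and starts new markup.
    return "".join(
        f'<a href="/{lang}/customers/customer.php?id={raw_id}">{lang}</a>'
        for lang in LANGS)

def lang_links_hardened(raw_id):
    # Percent-encode the value for the URL, then HTML-escape the whole URL
    # for the attribute context it is written into.
    links = []
    for lang in LANGS:
        url = f"/{lang}/customers/customer.php?id={quote(raw_id, safe='')}"
        links.append(f'<a href="{html.escape(url, quote=True)}">{lang}</a>')
    return "".join(links)

class AttrCollector(HTMLParser):
    """Records every attribute name the parser sees on any tag."""
    def __init__(self):
        super().__init__()
        self.names = set()

    def handle_starttag(self, tag, attrs):
        self.names.update(name for name, _ in attrs)

def attribute_names(markup):
    collector = AttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.names

# The id value from the URL posted above, as the server receives it when the
# browser does not escape the quotes.
POSTED_ID = '44"/style="xss:expression(alert(\'xss\'))"'

if __name__ == "__main__":
    print(sorted(attribute_names(lang_links_vulnerable(POSTED_ID))))
    print(sorted(attribute_names(lang_links_hardened(POSTED_ID))))
```
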
Re: (my) SQL Injection in mysql.com :-)
Posted by: _sniff
Date: February 15, 2007 01:34AM

hahaha!!
after SQL injection, it's an XSS flaw
anybody care to report them????

- sn|ff

Re: (my) SQL Injection in mysql.com :-)
Posted by: pOtTi
Date: February 15, 2007 03:29PM

http://www.mysql.de/company/contact/sales.html?s=%22%3Cscript%3Ealert(123);%3C/script%3E

Re: (my) SQL Injection in mysql.com :-)
Posted by: _sniff
Date: February 16, 2007 01:26AM

there are sooo many of them...
lol

- sn|ff

Re: (my) SQL Injection in mysql.com :-)
Posted by: rsnake
Date: February 16, 2007 05:31PM

Nah, I wouldn't waste your time. They weren't exactly gracious last time someone reported it to them. I don't think they're ready to admit they don't take security seriously.

- RSnake
Gotta love it. http://ha.ckers.org

Re: (my) SQL Injection in mysql.com :-)
Date: March 15, 2007 06:20PM

pOtTi Wrote:
-------------------------------------------------------
> http://www.mysql.de/company/contact/sales.html?s=%22%3Cscript%3Ealert(123);%3C/script%3E


I realize me asking this is a result of my complete ignorance, but I don't understand what potential that has. I understand writing JavaScript to a page and using AJAX/GET to retrieve cookies and such. These URL suffixes baffle me. All I can see is an alert as I run the page. How can that possibly affect anyone else who visits a page? They're never going to open that URL unless you send it to them. I know there's a reason and I see these all over on Secunia. I just don't know what it can do.
Thank you for any information.

Re: (my) SQL Injection in mysql.com :-)
Posted by: trev
Date: March 15, 2007 06:49PM

They don't need to visit mysql.de, it is enough if they visit your site (or some site you hacked). You load a specially prepared mysql.de URL in a hidden frame - and now you are running JavaScript code in the context of mysql.de with the privileges of this user. Of course you can send the same URL with spam or post it to a forum - doesn't matter as long as you can get people to go there.

Re: (my) SQL Injection in mysql.com :-)
Date: March 16, 2007 11:25PM

Ahhh wow, interesting. I never thought of that.

Re: (my) SQL Injection in mysql.com :-)
Posted by: ajdonnison
Date: December 16, 2007 11:52PM

I have to apologise for the curt reply, it wasn't intended to be ungracious, merely to let you know that we do appreciate your efforts and that we used the information to fix the problem. I think you may be reading far too much into the message.

We do take security seriously, and appreciate all the information received from the community. Please, keep up the good work.

Adam Donnison
Senior Web Developer, MySQL AB.

Re: (my) SQL Injection in mysql.com :-)
Posted by: goku12205
Date: October 11, 2009 11:23PM

They fixed the error in the web site already.

Re: (my) SQL Injection in mysql.com :-)
Posted by: WHK
Date: November 12, 2009 09:54PM

SQL injection and CSRF in forum (Phorum)

http://forums.mysql.com/control.php

POST /control.php HTTP/1.1
Host: forums.mysql.com
User-Agent: Bender-Agent Alpha Beta Final 0.00001
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-cl,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: [My Cookie]
Content-Type: application/x-www-form-urlencoded
Content-Length: 54

forum_id=0&panel=sig&panel=sig&forum_id=0&signature=xx

in signature, delete account, change mail, etc etc.



Edited 1 time(s). Last edit at 11/12/2009 09:55PM by WHK.

Re: (my) SQL Injection in mysql.com :-)
Posted by: lightos
Date: November 12, 2009 11:58PM

There are a couple on the main page as well.
